Sniffer search: Use ARP to detect nodes in the hybrid mode in the network. Use ARP to detect nodes in the hybrid mode in the network.

Use ARP to detect hybrid nodes in the Network

Author: refdom
Email: refdom@263.net
Homepage: www.opengram.com

Due to the harm of Sniffer, it is also important to check whether there is sniffer in the network. Anti-sniff is generated accordingly to detect the network
Sniffer In.

There are many ways to detect sniffer. For example, some powerful sniffer will parse the IP address to obtain the machine name, then you can
If the system sends malformed data packets and waits for sniffer to perform DNS resolution, these methods are too limited.

According to the basic working principle of Sniffer, the core is to set the NIC mode to promiscuous (hybrid mode ).
If there is a network adapter in the mixed mode, you can determine that there may be a sniffer. ARP is very useful in in-depth sniffing.
It can also be used for sniffing.

In the hybrid mode, the NIC performs packet filtering differently from the normal mode. In normal mode, only packets with local addresses or broadcasts
(Multicast, etc.) will be submitted to the system core by the NIC. Otherwise, these packets will be discarded directly by the NIC. Now, the mixed mode allows all
All data packets passed to the system core are then used by programs such as sniffer. Therefore, if you can use the intermediate "system core", you can
Effectively checks whether the mode is mixed. The system core also filters some data packets. However, unlike the NIC standard.

Take windows as an example (available in experiments ):

FF-FF-FF-FF-FF-FF: This is a regular broadcast address, whether in normal mode or other mode, will be received by the NIC and passed
System Core.
FF-FF-FF-FF-FF-00: This address is not a broadcast address for the NIC, in normal mode will be discarded by the NIC, but the system core
The heart is that this address is exactly the same as FF-FF-FF-FF-FF-FF. In the hybrid mode, it will be received by the system core and considered as one
Broadcast addresses. This applies to all Windows operating systems.
FF-FF-00-00-00-00: Windows core only to the first two bytes for judgment, the core that this is the same as the FF-FF-FF-FF-FF-FF wide
Playback address. That's why FF-FF-FF-FF-FF-00 is also the broadcast address.
FF-00-00-00-00-00: For Win9x or winme, check the previous byte. Therefore, this is a broadcast address.

I am not sure about the Linux kernel, but I will judge a group bit based on some information. What does it mean?
Basically, I think that FF-00-00-00-00-00 is a category of FF-FF-FF-FF-FF-FF. (Hope you are familiar with Linux)

Therefore, the goal is to discard the test package for NICs in the normal mode, and enable the core of the system in the hybrid mode to process the test. Send a purpose
Address: FF-FF-FF-FF-FF-FE (the system will think of as a broadcast address) ARP request, for normal mode (broadcast, etc.) Nic, this
If the address is not a broadcast address, it will be discarded directly. If the address is in the hybrid mode, ARP requests will be processed as broadcast addresses by the system core.
And then submit it to the sniffer program. The system core will respond to this ARP request.

Antisnifer also uses this method for detection.

The following example is the FF-FF-FF-FF-FF-FE's ARP request, which can be sent to every node in the network. If
If a common sniffer exists and the NIC is set to the hybrid mode, the system core will respond and determine whether these nodes have a sniffer.
. This kind of detection method is also limited. There is no way to modify the sniffer of the kernel, but this kind of sniffer is a minority after all.
In addition, some dynamic packet capture drivers (Winpcap) in Win2k may also respond to NICs that are not in the hybrid mode.

//////////////////////////////////////// ///////////////////////////////////////
//
// Detect promiscuous node in Network
//
// Author: refdom
// Email: refdom@263.net
// Home page: www.opengram.com
//
// 2002/4/14
//
//////////////////////////////////////// ////////////////////////////////////////

# Include "stdafx. H"
# Include "Mac. H" // getmacaddr (). The function I wrote to convert a string to a MAC address is not listed here.
# Include <stdio. h>
# Include <conio. h>
# Include <packet32.h>
# Include <winsock2.h>
# Include <process. h>
# Include <ntddndis. h>

# Pragma comment (Lib, "packet. lib ")
# Pragma comment (Lib, "ws2_32.lib ")

# Define ept_ip 0x0800/* type: IP */
# Define ept_arp 0x0806/* type: ARP */
# Define ept_rarp 0x8035/* type: RARP */
# Define arp_hardware 0x0001/* dummy type for 802.3 frames */
# Define arp_request 0x0001/* ARP request */
# Define arp_reply 0x0002/* ARP reply */

# Define max_num_adapter 10

# Pragma pack (push, 1)

Typedef struct ehhdr
{
Unsigned char eh_dst [6];/* destination Ethernet addrress */
Unsigned char eh_src [6];/* Source Ethernet addresss */
Unsigned short eh_type;/* Ethernet pachet type */
} Ehhdr, * pehhdr;

Typedef struct arphdr
{
Unsigned short arp_hrd;/* Format of hardware address */
Unsigned short arp_pro;/* Format of Protocol address */
Unsigned char arp_hln;/* length of hardware address */
Unsigned char arp_pln;/* length of Protocol address */
Unsigned short arp_op;/* arp/RARP operation */

Unsigned char arp_sha [6];/* sender hardware address */
Unsigned long arp_spa;/* sender Protocol address */
Unsigned char arp_tha [6];/* target hardware address */
Unsigned long arp_tpa;/* Target Protocol address */
} Arphdr, * parphdr;

Typedef struct arppacket
{
Ehhdr;
Arphdr;
} Arppacket, * parppacket;

# Pragma pack (POP)

// The thread for listening
Void listenthread (void * adapter );
// The function of sending packet
Void sendarppacket (void * adapter );
Bool detectpoliciffer (lppacket );

Char g_szmymacaddr [] = "aaaaaaaaaaaa ";
Char g_szmyip [] = "192.168.1.1 ";
Char g_sztargetip [] = "192.168.1.2 ";

Int main (INT argc, char * argv [])
{
Static char adapterlist [max_num_adapter] [1024];
Lpadapter;
Wchar adaptername [2048];
Wchar * temp, * temp1;

Ulong adapterlength = 1024;

Int adapternum = 0;
Int nretcode, I;

// Get the list of adapter
If (packetgetadapternames (char *) adaptername, & adapterlength) = false)
{
Printf ("unable to retrieve the list of the adapters! /N ");
Return 0;
}

Temp = adaptername;
Temp1 = adaptername;
I = 0;
While (* temp! = '/0') | (* (temp-1 )! = '/0 '))
{
If (* temp = '/0 ')
{
Memcpy (adapterlist [I], temp1, (temp-temp1) * 2 );
Temp1 = temp + 1;
I ++;
}

Temp ++;
}

Adapternum = I;
For (I = 0; I <adapternum; I ++)
Wprintf (L "/n % d-% s/n", I + 1, adapterlist [I]);
Printf ("/N ");

// Default open the 0
Lpadapter = (lpadapter) packetopenadapter (lptstr) adapterlist [0]);
If (! Lpadapter | (lpadapter-> hfile = invalid_handle_value ))
{
Nretcode = getlasterror ();
Printf ("unable to open the driver, error code: % LX/N", nretcode );
Return 0;
}

// Begin listening
_ Beginthread (listenthread, 0, (void *) lpadapter );

Sleep (500 );

// Send the packet
_ Beginthread (sendarppacket, 0, (void *) lpadapter );

Sleep (2000 );

Printf ("/n/ndetecting end./N ");

// Close the adapter and exit
Packetcloseadapter (lpadapter );

Return 0;
}

Void sendarppacket (void * adapter)
{
Char macaddr [6];
Char szpacketbuf [600];
Lpadapter = (lpadapter) Adapter;
Lppacket;
Arppacket;

Lppacket = packetallocatepacket ();
If (lppacket = NULL)
{
Printf ("/nerror: failed to allocate the lppacket structure./N ");
Return;
}

Zeromemory (szpacketbuf, sizeof (szpacketbuf ));

// The fake mac of Multicast
If (! Getmacaddr ("fffffffffffe", macaddr ))
{
Printf ("Get MAC address error! /N ");
Goto exit0;
}
Memcpy (arppacket. ehhdr. eh_dst, macaddr, 6 );

// The MAC of sender
If (! Getmacaddr (g_szmymacaddr, macaddr ))
{
Printf ("Get MAC address error! /N ");
Goto exit0;
}
Memcpy (arppacket. ehhdr. eh_src, macaddr, 6 );

Arppacket. ehhdr. eh_type = htons (ept_arp );

// ARP Header
Arppacket. arphdr. arp_hrd = htons (arp_hardware );
Arppacket. arphdr. arp_pro = htons (ept_ip );
Arppacket. arphdr. arp_hln = 6;
Arppacket. arphdr. arp_pln = 4;
Arppacket. arphdr. arp_op = htons (arp_request );

If (! Getmacaddr (g_szmymacaddr, macaddr ))
{
Printf ("Get MAC address error! /N ");
Goto exit0;
}
Memcpy (arppacket. arphdr. arp_sha, macaddr, 6 );
Arppacket. arphdr. arp_spa = inet_addr (g_szmyip );

If (! Getmacaddr ("000000000000", macaddr ))
{
Printf ("Get MAC address error! /N ");
Goto exit0;
}
Memcpy (arppacket. arphdr. arp_tha, macaddr, 6 );
Arppacket. arphdr. arp_tpa = inet_addr (g_sztargetip );

Memcpy (szpacketbuf, (char *) & arppacket, sizeof (arppacket ));
Packetinitpacket (lppacket, szpacketbuf, 60 );

If (packetsetnumwrites (lpadapter, 1) = false)
{
Printf ("Warning: unable to send more than one packet in a single write! /N ");
}

If (packetsendpacket (lpadapter, lppacket, true) = false)
{
Printf ("error sending the packets! /N ");
Goto exit0;
}

Printf ("Send OK! /N ");

Exit0:
Packetfreepacket (lppacket );
_ Endthread ();
}

Void listenthread (void * adapter)
{
Lppacket;
Lpadapter = (lpadapter) Adapter;
Char buffer [256000];

If (lppacket = packetallocatepacket () = NULL ){
Printf ("/nerror: failed to allocate the lppacket structure .");
Return;
}
Packetinitpacket (lppacket, (char *) buffer, 256000 );

// Set the network adapter in promiscuous mode

If (packetsethwfilter (lpadapter, ndis_packet_type_directed) = false ){
Printf ("Warning: unable to set promiscuous mode! /N ");
}

// Set buffer in the driver
If (packetsetbuff (lpadapter, 512000) = false ){
Printf ("unable to set the kernel buffer! /N ");
Return;
}

// Set second read timeout
If (packetsetreadtimeout (lpadapter, 200) = false ){
Printf ("Warning: unable to set the read tiemout! /N ");
}
// Main capture Loop
Printf ("Listen.../N ");
While (true)
{
// Capture the packets
If (packetreceivepacket (lpadapter, lppacket, true) = false ){
Printf ("error: packetreceivepacket failed ");
Return;
}
//
Detecteffeciffer (lppacket );
}

Packetfreepacket (lppacket );

// Close the adapter and exit
Packetcloseadapter (lpadapter );
_ Endthread ();
}

Bool detectpoliciffer (lppacket)
{
Bool bflag = false;
Parphdr parpheader;
Parppacket;
Char macaddr [6];

Getmacaddr (g_szmymacaddr, macaddr );
Parppacket = (parppacket) (char *) lppacket-> buffer + 20 );

If (parppacket-> ehhdr. eh_type = htons (ept_ip ))
Return false;

If (strcmp (char *) (parppacket-> ehhdr. eh_dst), macaddr) = 0
& Parppacket-> ehhdr. eh_type = htons (ept_arp ))
{
Char sztemp [10];

Parpheader = (parphdr) (char *) lppacket-> buffer + 20 + sizeof (ehhdr ));

Memcpy (sztemp, & parpheader-> arp_spa, sizeof (parpheader-> arp_spa ));
Printf ("a promiscuous node exists !! /N ");
Printf ("/tip: % s/n", inet_ntoa (* (struct in_addr *) (sztemp ))));
Return true;
}
Return false;
}

Reference:

1. securiteam detecting sniffers on your network,
AntiSniff-find sniffers on your local network
2. l0pht.com antisnifer Manual