WinPcap: Packet Capture + Analysis + ARP Attack (3)
WinPcap: Homemade Packet Capture + Analysis + ARP Attack: Scanning for Hosts on the Internal Network
Continuing from yesterday's post, let's get going today.
First, let's look at scanning for active hosts on the network. My general idea is to send an ARP request to every IP address in the CIDR block, decide from the replies which hosts are up, and record them. This part is not actually hard: walk through every host address in the segment, and have a separate thread receive the ARP reply packets and parse them. What I found hard was determining the gateway, the subnet mask, and the local machine's MAC and IP addresses. Only when all three are known can we build the packets correctly, collect the replies correctly, and cover every host in the segment.
Obtain local information
This part is in ScanHostDlg.cpp.
    /* Obtain the IP address and netmask, starting from the adapter we are using */
    pcap_addr *paddr = adp_info.usedDevs->addresses;
    for (; paddr; paddr = paddr->next) {
        if (paddr->addr == NULL || paddr->addr->sa_family != AF_INET) // IPv4 only
            continue;
        g_localip = ntohl(((struct sockaddr_in *)paddr->addr)->sin_addr.s_addr);
        if (paddr->netmask)
            g_netmask = ntohl(((struct sockaddr_in *)paddr->netmask)->sin_addr.s_addr);
    }
Note that a host can have several adapters, and each adapter may carry several protocols and addresses. So you have to pick the adapter that is actually in use and walk its address list until you find the IPv4 address and netmask you need.
Obtain gateway Information
    #include <winsock2.h>
    #include <process.h>
    WSADATA wsadata;
    char buff[20] = "find mac!";
    unsigned long destIP = inet_addr("9.2.0.5");   // an IP outside this segment, so the frame goes to the gateway
    _beginthread(recvThread, 0, (void *)this);    // start the receive thread in advance
    WSAStartup(MAKEWORD(2, 2), &wsadata);
    SOCKET sock = socket(AF_INET, SOCK_DGRAM, 0);
    int err = GetLastError();
    SOCKADDR_IN addr;
    addr.sin_family = AF_INET;
    addr.sin_port = htons(8888);
    addr.sin_addr.S_un.S_addr = destIP;
    sendto(sock, buff, strlen(buff), 0, (SOCKADDR *)&addr, sizeof(SOCKADDR_IN));
    Sleep(2000);
This is the trick: send a UDP datagram to an address outside the local segment so that the frame has to go through the gateway, then capture that frame to learn the gateway's MAC address and the local machine's MAC address (there are probably better ways...... I picked one method and had to study it hard). Next, send an ARP request to each host on the network and let another thread check whether anyone has replied. (You can check the source code; I will put the link up later.)
Homemade packets (ARP spoofing)
Well, as I said, ARP spoofing was the first thing I wanted to do with this. After reading about it I wanted to understand the protocol better, and then I made this little tool. That was my original motivation.
Do you know how ARP spoofing works? In fact, it just uses ARP replies: bind a fake MAC address to an IP address and keep sending that reply to the target until it refreshes its ARP cache. Is it that easy? For example, to spoof a host with MAC address 12-34-56-78-90-22 and IP address 192.168.1.100 into believing you are the gateway (192.168.1.1), all you need to do is set the "sender hardware address" in the ARP datagram to your MAC, the "sender IP address" to 192.168.1.1, and the operation code to 0x0002 (reply), and then keep sending it to the spoofed host.
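The reply described above has a recognisable footprint on the wire: a known IP, usually the gateway, suddenly claims a new MAC. As an added example, not code from the original post, here is a small C parser for the Ethernet/ARP header together with a check that flags such a re-binding; the two frames, their MACs and the 192.168.1.x addresses are constructed test data.

```c
/* Added example (not code from the original post): parse an Ethernet/ARP frame and flag a reply
 * that re-binds an already-learned IP, such as the gateway, to a different MAC. That is the
 * footprint of the spoofed "I am 192.168.1.1" reply described above. Frames are constructed. */
#include <stdint.h>
#include <string.h>
#define ARP_REPLY    0x0002
#define MAX_BINDINGS 16
struct arp_info  { uint16_t op; uint8_t sha[6]; uint32_t spa; };   /* opcode, sender MAC, sender IP */
struct binding   { uint32_t ip; uint8_t mac[6]; };
struct arp_table { struct binding e[MAX_BINDINGS]; int n; };

/* Returns 1 and fills *out if buf holds an Ethernet II frame carrying IPv4-over-Ethernet ARP. */
int parse_arp(const uint8_t *buf, size_t len, struct arp_info *out) {
    if (len < 42 || buf[12] != 0x08 || buf[13] != 0x06) return 0;  /* 14+28 bytes, EtherType 0x0806 */
    const uint8_t *a = buf + 14;
    if (a[0] != 0x00 || a[1] != 0x01 || a[2] != 0x08 || a[3] != 0x00) return 0; /* htype 1, ptype IPv4 */
    if (a[4] != 6 || a[5] != 4) return 0;                            /* hlen 6, plen 4 */
    out->op  = (uint16_t)((a[6] << 8) | a[7]);
    memcpy(out->sha, a + 8, 6);                                      /* "sender hardware address" */
    out->spa = ((uint32_t)a[14] << 24) | ((uint32_t)a[15] << 16) | ((uint32_t)a[16] << 8) | a[17];
    return 1;
}

/* Learns sender IP->MAC from replies. Returns 1 when a known IP now claims a different MAC
 * (possible ARP spoofing); 0 for a new or unchanged binding, or for anything but a reply. */
int check_reply(struct arp_table *t, const struct arp_info *ai) {
    if (ai->op != ARP_REPLY) return 0;
    for (int i = 0; i < t->n; i++)
        if (t->e[i].ip == ai->spa) return memcmp(t->e[i].mac, ai->sha, 6) != 0;
    if (t->n < MAX_BINDINGS) { t->e[t->n].ip = ai->spa; memcpy(t->e[t->n].mac, ai->sha, 6); t->n++; }
    return 0;
}

/* Constructed frame: real gateway 00:11:22:33:44:55 tells 192.168.1.100 "192.168.1.1 is-at me". */
const uint8_t FRAME_GW[42] = {
    0x12,0x34,0x56,0x78,0x90,0x22, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06, 0x00,0x01,0x08,0x00,0x06,0x04,
    0x00,0x02, 0x00,0x11,0x22,0x33,0x44,0x55, 0xc0,0xa8,0x01,0x01, 0x12,0x34,0x56,0x78,0x90,0x22, 0xc0,0xa8,0x01,0x64 };
/* Constructed frame: the same claim for 192.168.1.1, but from a different MAC de:ad:be:ef:00:01. */
const uint8_t FRAME_SPOOF[42] = {
    0x12,0x34,0x56,0x78,0x90,0x22, 0xde,0xad,0xbe,0xef,0x00,0x01, 0x08,0x06, 0x00,0x01,0x08,0x00,0x06,0x04,
    0x00,0x02, 0xde,0xad,0xbe,0xef,0x00,0x01, 0xc0,0xa8,0x01,0x01, 0x12,0x34,0x56,0x78,0x90,0x22, 0xc0,0xa8,0x01,0x64 };

/* Runs both frames through a fresh table and returns the number of alerts raised (1 here). */
int run_demo(void) {
    struct arp_table t = {0};
    struct arp_info ai;
    int alerts = 0;
    if (parse_arp(FRAME_GW, sizeof FRAME_GW, &ai))       alerts += check_reply(&t, &ai);
    if (parse_arp(FRAME_SPOOF, sizeof FRAME_SPOOF, &ai)) alerts += check_reply(&t, &ai);
    return alerts;
}
```

In a real capture loop, the buffer handed to parse_arp is the frame WinPcap delivers to the packet handler; the table would be seeded with the gateway binding learned at startup.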
For the problems above, I believe you can see there is nothing difficult; what remains is robustness and usability. I leave that to you!
Thoughts
As a junior, I have been programming for a year now. I think one should dare to try things. Of course, technique and knowledge still need to be accumulated carefully.
Source code
Pain is in your mind.