428.htm

unix高级编程原吗

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>CTerm非常精华下载</title>
</head>
<body bgcolor="#FFFFFF">
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="577">
<tr><td width="32%" rowspan="3" height="123"><img src="DDl_back.jpg" width="300" height="129" alt="DDl_back.jpg"></td><td width="30%" background="DDl_back2.jpg" height="35"><p align="center"><a href="http://apue.dhs.org"><font face="黑体"><big><big>apue</big></big></font></a></td></tr>
<tr>
<td width="68%" background="DDl_back2.jpg" height="44"><big><big><font face="黑体"><p align="center">               ● UNIX网络编程                       (BM: clown)                </font></big></big></td></tr>
<tr>
<td width="68%" height="44" bgcolor="#000000"><font face="黑体"><big><big><p   align="center"></big></big><a href="http://cterm.163.net"><img src="banner.gif" width="400" height="60" alt="banner.gif"border="0"></a></font></td>
</tr>
<tr><td width="100%" colspan="2" height="100" align="center" valign="top"><br><p align="center">[<a href="index.htm">回到开始</a>][<a href="317.htm">上一层</a>][<a href="429.htm">下一篇</a>]
<hr><p align="left"><small>发信人: skyfly (飞~~自由之鹰), 信区: Security <br>
标  题: 检测Sniffer <br>
发信站: 武汉白云黄鹤站 (Tue Dec 28 21:39:09 1999), 站内信件 <br>
  <br>
                       如何检测Sniffer <br>
  <br>
    技术细节　L0pht　公司已经说明了，如下： <br>
Win9x/NT <br>
　　正常情况下，就是说不在混乱模式，网卡检测是不是广播地址 <br>
要比较看收到的目的以太网址是否等于ff.ff.ff.ff.ff.ff <br>
是则认为是广播地址。 <br>
　　在混乱模式时，网卡检测是不是广播地址只看收到包的目的以太 <br>
网址的第一个八位组值，是0xff则认为是广播地址。 <br>
利用这点细微差别就可以检测出Sniffer. <br>
Linux <br>
　　以前就提出过，一些版本内核有这种问题： <br>
　　当混杂模式时，每个包都被传到了操作系统内核以处理。 <br>
在处理某些包，只看IP地址而不看以太网头中的源物理地址。 <br>
所以： <br>
　　使用一个不存在的目的MAC，正确的目的IP，受影响 <br>
的内核将会由于是混杂模式而处理它，并将之交给相应系统 <br>
堆栈处理。从而实现检测Sniffer <br>
　　总之，只要发一个以太网头中目的地址是ff.00.00.00.00.00 <br>

的ARP包(l0pht公司是ff.ff.ff.ff.ff.00)就可以检测出Linux和 <br>
Windows网卡处于混乱状态的计算机. <br>
　　以下是一个Linux下用于检测Linux下Sniffer的程序，很多地方都贴 <br>
过了，我只改了一句话，这样也可以检测出Windows机器。:) <br>
----------------- Cut here ---------------------- <br>
/* ----------------------------------------- <br>
Network Promiscuous Ethernet Detector. <br>
Linux 2.0.x / 2.1.x, libc5 & GlibC <br>
----------------------------------------- <br>
(c) 1998 savage@apostols.org <br>
----------------------------------------- <br>
Scan your subnet, and detect promiscuous <br>
Windows & linuxes. It really works, not a joke. <br>
----------------------------------------- */ <br>
/* <br>
* $Id: neped.c,v 1.4 1998/07/20 22:31:52 savage Exp $ <br>
*/ <br>
#include <br>
#include <br>
#include <br>
#include <br>
#include <br>

#include <br>
#include <br>
#include <br>
#include <br>
#include <br>
#define ETH_P_ARP 0x0806 <br>
#define MAX_PACK_LEN 2000 <br>
#define ETHER_HEADER_LEN 14 <br>
#define ARPREQUEST 1 <br>
#define ARPREPLY 2 <br>
#define perr(s) fprintf(stderr,s) <br>
struct arp_struct <br>
{ <br>
u_char dst_mac[6]; <br>
u_char src_mac[6]; <br>
u_short pkt_type; <br>
u_short hw_type; <br>
u_short pro_type; <br>

u_char hw_len; <br>
u_char pro_len; <br>
u_short arp_op; <br>
u_char sender_eth[6]; <br>
u_char sender_ip[4]; <br>
u_char target_eth[6]; <br>
u_char target_ip[4]; <br>
}; <br>
union <br>
{ <br>
u_char full_packet[MAX_PACK_LEN]; <br>
struct arp_struct arp_pkt; <br>
} <br>
a; <br>
#define full_packet a.full_packet <br>
#define arp_pkt a.arp_pkt <br>
char * <br>
inetaddr ( u_int32_t ip ) <br>
{ <br>
struct in_addr in; <br>
in.s_addr = ip; <br>
return inet_ntoa(in); <br>

} <br>
char * <br>
hwaddr (u_char * s) <br>
{ <br>
static char buf[30]; <br>
sprintf (buf, "%02X:%02X:%02X:%02X:%02X:%02X", s[0], s[1], s[2], s[3], <br>
s[4], s[5]); <br>
return buf; <br>
} <br>
void <br>
main (int argc, char **argv) <br>
{ <br>
int rec; <br>
int len, from_len, rsflags; <br>
struct ifreq if_data; <br>
struct sockaddr from; <br>
u_int8_t myMAC[6]; <br>
u_int32_t myIP, myNETMASK, myBROADCAST, ip, dip, sip; <br>
if (getuid () != 0) <br>
{ <br>
perr ("You must be root to run this program!\n"); <br>
exit (0); <br>
exit (0); <br>
} <br>
if (argc != 2) <br>
{ <br>
fprintf(stderr,"Usage: %s eth0\n", argv[0]); <br>
exit (0); <br>
} <br>
if ((rec = socket (AF_INET, SOCK_PACKET, htons (ETH_P_ARP))) < 0) <br>
{ <br>
perror("socket"); <br>
exit (0); <br>
} <br>
printf ("----------------------------------------------------------\n"); <br>
strcpy (if_data.ifr_name, argv[1]); <br>
if (ioctl (rec, SIOCGIFHWADDR, &if_data) < 0) { <br>
perr ("can't get HW addres of my interface!\n"); <br>
exit(1); <br>
} <br>
memcpy (myMAC, if_data.ifr_hwaddr.sa_data, 6); <br>
printf ("> My HW Addr: %s\n", hwaddr (myMAC)); <br>
if (ioctl (rec, SIOCGIFADDR, &if_data) < 0) { <br>
perr ("can't get IP addres of my interface!\n"); <br>
exit(1); <br>
exit(1); <br>
} <br>
memcpy ((void *) &ip, (void *) &if_data.ifr_addr.sa_data + 2, 4); <br>
myIP = ntohl (ip); <br>
printf ("> My IP Addr: %s\n", inetaddr(ip)); <br>
if (ioctl (rec, SIOCGIFNETMASK, &if_data) < 0) <br>
perr ("can't get NETMASK addres of my interface!\n"); <br>
memcpy ((void *) &ip, (void *) &if_data.ifr_netmask.sa_data + 2, 4); <br>
myNETMASK = ntohl (ip); <br>
printf ("> My NETMASK: %s\n", inetaddr(ip)); <br>
if (ioctl (rec, SIOCGIFBRDADDR, &if_data) < 0) <br>
perr ("can't get BROADCAST addres of my interface!\n"); <br>
memcpy ((void *) &ip, (void *) &if_data.ifr_broadaddr.sa_data + 2, 4); <br>
myBROADCAST = ntohl (ip); <br>
printf ("> My BROADCAST: %s\n", inetaddr(ip)); <br>
if ((rsflags = fcntl (rec, F_GETFL)) == -1) <br>
{ <br>
perror ("fcntl F_GETFL"); <br>
exit (1); <br>
} <br>
if (fcntl (rec, F_SETFL, rsflags | O_NONBLOCK) == -1) <br>
{ <br>
perror ("fcntl F_SETFL"); <br>

exit (1); <br>
} <br>
printf ("----------------------------------------------------------\n"); <br>
printf ("> Scanning ....\n"); <br>
for (dip = (myIP & myNETMASK) + 1; dip < myBROADCAST; dip++) <br>
{ <br>
bzero(full_packet, MAX_PACK_LEN); <br>
memcpy (arp_pkt.dst_mac, "\255\255\255\255\255\0", 6); /* ff:ff:ff:ff:ff:00 <br>
:) */ <br>
               /* Only change this line! */ <br>
memcpy (arp_pkt.src_mac, myMAC, 6); <br>
arp_pkt.pkt_type = htons( ETH_P_ARP ); <br>
arp_pkt.hw_type = htons( 0x0001 ); <br>
arp_pkt.hw_len = 6; <br>
arp_pkt.pro_type = htons( 0x0800 ); <br>
arp_pkt.pro_len = 4; <br>
arp_pkt.arp_op = htons (ARPREQUEST); <br>
memcpy (arp_pkt.sender_eth, myMAC, 6); <br>
ip = htonl (myIP); <br>
memcpy (arp_pkt.sender_ip, &ip, 4); <br>
memcpy (arp_pkt.target_eth, "\0\0\0\0\0\0", 6); <br>
ip = htonl (dip); <br>

memcpy (arp_pkt.target_ip, &ip, 4); <br>
strcpy(from.sa_data, argv[1]); <br>
from.sa_family = 1; <br>
if( sendto (rec, full_packet, sizeof (struct arp_struct), 0, &from, <br>
sizeof(from)) < 0) <br>
perror ("sendto"); <br>
usleep (50); <br>
len = recvfrom (rec, full_packet, MAX_PACK_LEN, 0, &from, &from_len); <br>
if (len <= ETHER_HEADER_LEN) <br>
continue; <br>
memcpy (&ip, arp_pkt.target_ip, 4); <br>
memcpy (&sip, arp_pkt.sender_ip, 4); <br>
if (ntohs (arp_pkt.arp_op) == ARPREPLY <br>
&& ntohl (ip) == myIP <br>
&& ( dip - ntohl(sip) >= 0 ) <br>
&& ( dip - ntohl(sip) <= 2 ) ) <br>
{ <br>
printf ("*> Host %s, %s **** Promiscuous mode detected !!!\n", <br>
inetaddr (sip), <br>
hwaddr (arp_pkt.sender_eth)); <br>
} <br>
} <br>

printf ("> End.\n"); <br>
exit (0); <br>
} <br>
----------------- Cut here -------------------- <br>
  <br>
-- <br>
</small><hr>
<p align="center">[<a href="index.htm">回到开始</a>][<a href="317.htm">上一层</a>][<a href="429.htm">下一篇</a>]
<p align="center"><a href="http://cterm.163.net">欢迎访问Cterm主页</a></p>
</table>
</body>
</html>