|
 | 作者: lih [lih]
 论坛用户 |
登录 |
| 我在此网站上下载了一篇文章,内含检测嗅探器的代码。我补充完整之后,却检测不到安装嗅探器的主机(装了不同的嗅探器)。代码如下: /////////////////////////////////////////////////////////////////////////////// // // Detect Promiscuous Node In Network // // Author: Refdom // Email: refdom@263.net // Home Page: www.opengram.com // // 2002/4/14 // //////////////////////////////////////////////////////////////////////////////// #include "stdafx.h" #include "Mac.h" //包含工具函数GetMacAddr(),我自己编的 #include <stdio.h> #include <conio.h> #include <Packet32.h> #include <Winsock2.h> #include <process.h> #include <ntddndis.h> #pragma comment (lib, "packet.lib") #pragma comment (lib, "ws2_32.lib") #define EPT_IP 0x0800 /* type: IP */ #define EPT_ARP 0x0806 /* type: ARP */ #define EPT_RARP 0x8035 /* type: RARP */ #define ARP_HARDWARE 0x0001 /* Dummy type for 802.3 frames */ #define ARP_REQUEST 0x0001 /* ARP request */ #define ARP_REPLY 0x0002 /* ARP reply */ #define Max_Num_Adapter 10 #pragma pack(push, 1) typedef struct ehhdr { unsigned char eh_dst[6]; /* destination ethernet addrress */ unsigned char eh_src[6]; /* source ethernet addresss */ unsigned short eh_type; /* ethernet pachet type */ }EHHDR, *PEHHDR; typedef struct arphdr { unsigned short arp_hrd; /* format of hardware address */ unsigned short arp_pro; /* format of protocol address */ unsigned char arp_hln; /* length of hardware address */ unsigned char arp_pln; /* length of protocol address */ unsigned short arp_op; /* ARP/RARP operation */ unsigned char arp_sha[6]; /* sender hardware address */ unsigned long arp_spa; /* sender protocol address */ unsigned char arp_tha[6]; /* target hardware address */ unsigned long arp_tpa; /* target protocol address */ }ARPHDR, *PARPHDR; typedef struct arpPacket { EHHDR ehhdr; ARPHDR arphdr; } ARPPACKET, *PARPPACKET; #pragma pack(pop) //the thread for listening void ListenThread(void* Adapter); //the function of sending packet void SendARPPacket(void* Adapter); BOOL DetectIsSniffer(LPPACKET lpPacket); char g_szMyMacAddr[] = "AAAAAAAAAAAA"; char g_szMyIP[] = "192.168.1.1"; char g_szTargetIP[] = "192.168.1.2"; int main(int argc, char* argv[]) { static char AdapterList[Max_Num_Adapter][1024]; LPADAPTER lpAdapter; WCHAR AdapterName[2048]; WCHAR *temp,*temp1; ULONG AdapterLength = 1024; int AdapterNum = 0; int nRetCode, i; //Get The list of Adapter if(PacketGetAdapterNames((char*)AdapterName, &AdapterLength) == FALSE) { printf("Unable to retrieve the list of the adapters!\n"); return 0; } temp = AdapterName; temp1 = AdapterName; i = 0; while ((*temp != '\0')||(*(temp-1) != '\0')) { if (*temp == '\0') { memcpy(AdapterList[i],temp1,(temp-temp1)*2); temp1 = temp+1; i++; } temp++; } AdapterNum = i; for (i = 0; i < AdapterNum; i++) wprintf(L"\n%d- %s\n", i+1, AdapterList[i]); printf("\n"); //Default open the 0 lpAdapter = (LPADAPTER) PacketOpenAdapter((LPTSTR) AdapterList[0]); if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE)) { nRetCode = GetLastError(); printf("Unable to open the driver, Error Code : %lx\n", nRetCode); return 0; } //begin listening _beginthread(ListenThread, 0, (void*) lpAdapter); Sleep(500); //send the packet _beginthread(SendARPPacket, 0, (void*) lpAdapter); Sleep(2000); printf ("\n\nDetecting end.\n"); // close the adapter and exit PacketCloseAdapter(lpAdapter); return 0; } void SendARPPacket(void* Adapter) { char MacAddr[6]; char szPacketBuf[600]; LPADAPTER lpAdapter = (LPADAPTER) Adapter; LPPACKET lpPacket; ARPPACKET ARPPacket; lpPacket = PacketAllocatePacket(); if(lpPacket == NULL) { printf("\nError:failed to allocate the LPPACKET structure.\n"); return; } ZeroMemory(szPacketBuf, sizeof(szPacketBuf)); // the fake mac of multicast if (!GetMacAddr("FFFFFFFFFFFE", MacAddr)) { printf ("Get Mac address error!\n"); goto Exit0; } memcpy(ARPPacket.ehhdr.eh_dst, MacAddr, 6); //the MAC of sender if (!GetMacAddr(g_szMyMacAddr, MacAddr)) { printf ("Get Mac address error!\n"); goto Exit0; } memcpy(ARPPacket.ehhdr.eh_src, MacAddr, 6); ARPPacket.ehhdr.eh_type = htons(EPT_ARP); //arp header ARPPacket.arphdr.arp_hrd = htons(ARP_HARDWARE); ARPPacket.arphdr.arp_pro = htons(EPT_IP); ARPPacket.arphdr.arp_hln = 6; ARPPacket.arphdr.arp_pln = 4; ARPPacket.arphdr.arp_op = htons(ARP_REQUEST); if (!GetMacAddr(g_szMyMacAddr, MacAddr)) { printf ("Get Mac address error!\n"); goto Exit0; } memcpy(ARPPacket.arphdr.arp_sha, MacAddr, 6); ARPPacket.arphdr.arp_spa = inet_addr(g_szMyIP); if (!GetMacAddr("000000000000", MacAddr)) { printf ("Get Mac address error!\n"); goto Exit0; } memcpy(ARPPacket.arphdr.arp_tha , MacAddr, 6); ARPPacket.arphdr.arp_tpa = inet_addr(g_szTargetIP); memcpy(szPacketBuf, (char*)&ARPPacket, sizeof(ARPPacket)); PacketInitPacket(lpPacket, szPacketBuf, 60); if(PacketSetNumWrites(lpAdapter, 1)==FALSE) { printf("warning: Unable to send more than one packet in a single write!\n"); } if(PacketSendPacket(lpAdapter, lpPacket, TRUE)==FALSE) { printf("Error sending the packets!\n"); goto Exit0; } printf ("Send ok!\n\n"); Exit0: PacketFreePacket(lpPacket); _endthread(); } void ListenThread(void* Adapter) { LPPACKET lpPacket; LPADAPTER lpAdapter = (LPADAPTER) Adapter; char buffer[256000]; if((lpPacket = PacketAllocatePacket())==NULL){ printf("\nError: failed to allocate the LPPACKET structure."); return; } PacketInitPacket(lpPacket,(char*)buffer,256000); // set the network adapter in promiscuous mode if(PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_DIRECTED)==FALSE){ printf("Warning: unable to set promiscuous mode!\n"); } // set buffer in the driver if(PacketSetBuff(lpAdapter,512000)==FALSE){ printf("Unable to set the kernel buffer!\n"); return; } // set second read timeout if(PacketSetReadTimeout(lpAdapter, 200)==FALSE){ printf("Warning: unable to set the read tiemout!\n"); } //main capture loop printf("Listen....\n"); while(true) { // capture the packets if(PacketReceivePacket(lpAdapter, lpPacket, TRUE)==FALSE){ printf("Error: PacketReceivePacket failed"); return ; } // DetectIsSniffer(lpPacket); } PacketFreePacket(lpPacket); // close the adapter and exit PacketCloseAdapter(lpAdapter); _endthread(); } BOOL DetectIsSniffer(LPPACKET lpPacket) { BOOL bFlag = FALSE; PARPHDR pARPHeader; PARPPACKET pARPPacket; char MacAddr[6]; GetMacAddr(g_szMyMacAddr, MacAddr); pARPPacket = (PARPPACKET) ((char*)lpPacket->Buffer + 20); if (pARPPacket->ehhdr.eh_type == htons(EPT_IP)) return FALSE; //*************************************************************** if (strcmp((char*)(pARPPacket->ehhdr.eh_dst), MacAddr) == 0 && pARPPacket->ehhdr.eh_type == htons(EPT_ARP)) { char szTemp[10]; pARPHeader = (PARPHDR)((char*)lpPacket->Buffer + 20 + sizeof(EHHDR)); memcpy(szTemp, &pARPHeader->arp_spa, sizeof(pARPHeader->arp_spa)); printf ("A PROMISCUOUS NODE EXISTS!!\n"); printf ("\tIP:%s\n\n", inet_ntoa(*((struct in_addr *)(szTemp)))); return TRUE; } //************************************************************** return FALSE; } 其中,以***围起来的部分最关键,是检测ARP响应包的匹配条件。但运行之后,却检测不到安装嗅探器的主机。是不是匹配条件有问题,请各位高手分析一下,谢谢!!! |
| 地主 发表时间: 12/04 20:05 |
 | 回复: coki [coki]  论坛用户 |
登录 |
|
我要先下载回去研究一下,下次再谈 |
| B1层 发表时间: 06/01 15:27 |
|
20CN网络安全小组版权所有
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
论坛程序编写:NetDemon
粤ICP备05087286号
论坛: 黑客进阶 标题: 检测嗅探器