荔园在线
荔园之美,在春之萌芽,在夏之绽放,在秋之收获,在冬之沉淀
[回到开始]
[上一篇][下一篇]
发信人: hellsolaris (qq), 信区: Security
标 题: how to detect sniffer (2)
发信站: 荔园晨风BBS站 (Sat Oct 25 18:19:23 2003), 站内信件
理论上,ETHERNET协议的数据包广播发送,SNIFFER 可以
轻松的得到他想要的数据。SNIFFER 接收别人的数据包是
合理合法的。想要检测出来,必须了解SNIFFER 程序的行
为特征,找出他的与众不同之处,加以判断。
ETHERNET网卡有一个特殊的工作状态,就是开放侦听状态。
当它出于非侦听状态时,并不接收不属于自己的数据包。
SNIFFER 程序无法工作在非侦听状态下。而这正是ETHERNET
网卡的缺省工作状态。所以,SNIFFER 想运行,就要把自
己设成侦听状态。这为我们检测提供了一个机会:只要查
一查哪个IP的网卡工作在这个不怀好意的状态就行了。
不幸,理论上,检查别的网卡的工作状态是不可能的。幸
运的是,一个小小的TRICK 就可以做到。发一个伪造的数
据包,用不正确的MAC 地址,使得只有侦听状态的网卡才
能收到,绝大多数的SNIFFER 没有那么高的智商去分辨这
种伪造的数据包,它会做出回答,这正是我们所要的!
下面这个程序就是一个非常漂亮检测程序。在LINUX 下编
译。如果运行后你发现本网段有人在监听,立刻打电话给
DARKY ,没错!要注意的是,你检察到的IP也许是曾经运
行过SNIFFER 的机器,因为许多SNIFFER 笨到停止运行后
并没有把网卡的工作状态设回来!
----------------- Cut here ----------------------
/* -----------------------------------------
Network Promiscuous Ethernet Detector.
Linux 2.0.x / 2.1.x, libc5 & GlibC
-----------------------------------------
(c) 1998 savage@apostols.org
-----------------------------------------
Scan your subnet, and detect promiscuous
linuxes. It really works, not a joke.
----------------------------------------- */
/*
* $Id: neped.c,v 1.4 1998/07/20 22:31:52 savage Exp $
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <malloc.h>
#include <ctype.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/tcp.h>
#include <net/if.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <time.h>
#define ETH_P_ARP 0x0806
#define MAX_PACK_LEN 2000
#define ETHER_HEADER_LEN 14
#define ARPREQUEST 1
#define ARPREPLY 2
#define perr(s) fprintf(stderr,s)
struct arp_struct
{
u_char dst_mac[6];
u_char src_mac[6];
u_short pkt_type;
u_short hw_type;
u_short pro_type;
u_char hw_len;
u_char pro_len;
u_short arp_op;
u_char sender_eth[6];
u_char sender_ip[4];
u_char target_eth[6];
u_char target_ip[4];
};
union
{
u_char full_packet[MAX_PACK_LEN];
struct arp_struct arp_pkt;
}
a;
#define arp_pkt a.arp_pkt
inetaddr ( u_int32_t ip )
{
struct in_addr in;
in.s_addr = ip;
return inet_ntoa(in);
}
hwaddr (u_char * s)
{
static char buf[30];
sprintf (buf, "%02X:%02X:%02X:%02X:%02X:%02X", s[0], s[1], s[2], s[3], s[4], s
[5]);
return buf;
}
}
void
main (int argc, char **argv)
{
int rec;
int len, from_len, rsflags;
struct ifreq if_data;
struct sockaddr from;
u_int8_t myMAC[6];
u_int32_t myIP, myNETMASK, myBROADCAST, ip, dip, sip;
if (getuid () != 0)
{
perr ("You must be root to run this program!\n");
exit (0);
}
if ((rec = socket (AF_INET, SOCK_PACKET, htons (ETH_P_ARP))) < 0)
{
perror("socket");
exit (0);
}
printf ("----------------------------------------------------------\n");
strcpy (if_data.ifr_name, argv[1]);
if (ioctl (rec, SIOCGIFHWADDR, &if_data) < 0) {
perr ("can't get HW addres of my interface!\n");
exit(1);
}
memcpy (myMAC, if_data.ifr_hwaddr.sa_data, 6);
printf ("> My HW Addr: %s\n", hwaddr (myMAC));
if (ioctl (rec, SIOCGIFADDR, &if_data) < 0) {
perr ("can't get IP addres of my interface!\n");
exit(1);
}
memcpy ((void *) &ip, (void *) &if_data.ifr_addr.sa_data + 2, 4);
myIP = ntohl (ip);
printf ("> My IP Addr: %s\n", inetaddr(ip));
if (ioctl (rec, SIOCGIFNETMASK, &if_data) < 0)
perr ("can't get NETMASK addres of my interface!\n");
memcpy ((void *) &ip, (void *) &if_data.ifr_netmask.sa_data + 2, 4);
myNETMASK = ntohl (ip);
printf ("> My NETMASK: %s\n", inetaddr(ip));
if (ioctl (rec, SIOCGIFBRDADDR, &if_data) < 0)
perr ("can't get BROADCAST addres of my interface!\n");
memcpy ((void *) &ip, (void *) &if_data.ifr_broadaddr.sa_data + 2, 4);
myBROADCAST = ntohl (ip);
printf ("> My BROADCAST: %s\n", inetaddr(ip));
if ((rsflags = fcntl (rec, F_GETFL)) == -1)
{
perror ("fcntl F_GETFL");
exit (1);
}
if (fcntl (rec, F_SETFL, rsflags | O_NONBLOCK) == -1)
{
{
perror ("fcntl F_SETFL");
exit (1);
}
printf ("----------------------------------------------------------\n");
printf ("> Scanning ....\n");
for (dip = (myIP & myNETMASK) + 1; dip < myBROADCAST; dip++)
{
bzero(full_packet, MAX_PACK_LEN);
memcpy (arp_pkt.dst_mac, "\0\6\146\3\23\67", 6); /* 00:06:66:03:13:37 :) */
memcpy (arp_pkt.src_mac, myMAC, 6);
arp_pkt.pkt_type = htons( ETH_P_ARP );
arp_pkt.hw_type = htons( 0x0001 );
arp_pkt.hw_len = 6;
arp_pkt.pro_type = htons( 0x0800 );
arp_pkt.pro_len = 4;
arp_pkt.arp_op = htons (ARPREQUEST);
memcpy (arp_pkt.sender_eth, myMAC, 6);
ip = htonl (myIP);
memcpy (arp_pkt.sender_ip, &ip, 4);
memcpy (arp_pkt.target_eth, "\0\0\0\0\0\0", 6);
ip = htonl (dip);
memcpy (arp_pkt.target_ip, &ip, 4);
strcpy(from.sa_data, argv[1]);
from.sa_family = 1;
if( sendto (rec, full_packet, sizeof (struct arp_struct), 0, &from, sizeof(f
rom)) < 0)
usleep (50);
len = recvfrom (rec, full_packet, MAX_PACK_LEN, 0, &from, &from_len);
if (len <= ETHER_HEADER_LEN)
continue;
memcpy (&ip, arp_pkt.target_ip, 4);
memcpy (&sip, arp_pkt.sender_ip, 4);
if (ntohs (arp_pkt.arp_op) == ARPREPLY
&& ntohl (ip) == myIP
&& ( dip - ntohl(sip) >= 0 )
&& ( dip - ntohl(sip) <= 2 ) )
{
printf ("*> Host %s, %s **** Promiscuous mode detected !!!\n",
inetaddr (sip),
hwaddr (arp_pkt.sender_eth));
}
}
printf ("> End.\n");
exit (0);
}
----------------- Cut here ----------------------
注:在LINUX 上测试通过,但没有关于检测IPMAN 的数据
资料,请哪位测试一下IPMAN 及其他监听软件,把结果
POST出来。谢谢。
--
※ 来源:·荔园晨风BBS站 bbs.szu.edu.cn·[FROM: 192.168.44.223]
[回到开始]
[上一篇][下一篇]
荔园在线首页 友情链接:深圳大学 深大招生 荔园晨风BBS S-Term软件 网络书店