��̽ԭ��뷴��̽��_�й�IT��ά��www.cnitom.com

һ��̽��Ļ��֪ʶ

1��1 ʲô��̽��

��̽��Ӣ��д��Sniff��Ϊһ��װ�ڼ��ϵ��豸��ڶ��Ϣ��һ��ͣ�һ��绰��װ��, ��˫��ͨ��ݣ��̽��Ϸ��ͺͽ��յ��ݡ�

��ǣ��ֱ��͵��ݣ��ʵ��Ǵ��Ķ��ݡ��, һ��Ҳʹ��ض��Э��ֽ��̽��ݣ��̽��Ҳ�ͱ��ܹ�ʶ��Ǹ�Э��Ӧ��Ƭ�ϣ�ֻ��ܹ��ȷ�Ľ��롣

��̽��绰��ص��ƣ��ܶ�ļ��õ��ǡ��ý��"�� Ҳ��˵��㲻��ж��ͨѶ��ر��·��ٰ�װ��̽��㼸��κ��ŵ��ֱ��ͬһ��뷶Χ�ڵļ��ݡ��ǳ��ʽΪ��ڻ��ģʽ��̽��promiscuous mode�� ˣ��֡�� ļ��չ�ĺܿ죬��ת�򡰽�� ּ��᳤��ڻ��ʹ��ȥ�� ʵ��Ŀ��ѡ��շ��ݡ�

1��2��̽��ι��

1��2��1��ϵ��Ϣ

�ղ�˵�ˣ��̫��ݴ��ǻ��ڡ��ԭ��ģ��е�ͬһ��Χ�ڵļ��ͬ��յ��ͬ��ݰ��ζ�ż��ֱ�ӵ�ͨѶ��͸��ɼ��ġ�

��Ϊ��ԭ��̫��Ӳ��ġ��Ե�һ�к��Լ��޹ص��Ϣ��ʵ��Ǻ��Ե��MAC��ַ��ϵ��Ϣ��

��̽��ص㣬��Ĺر��̽��Ҳ��ǰ��ᵽ��ģʽ��ˣ��̽��ܹ��յ��̫��ڵ��Ϣ�ˡ�

1��2��2ʲô��̫��MAC��ַ

MAC��Media Access Control.

��ڴ��ļ��̫��ڡ��Ա��һ��ͳһ�İ취��ִ��ݸ��ͬ��ġ��ⲻ�ᷢ��ڲ��û��ϣ��Ϊ��ٶ�һ��ݶ��㷢��modemȻ��ͨ��绰�ߴ��ͳ�ȥ��ǣ��㷢��ݵ��̫��ϵ�ʱ��Ū��̨��㷢��ݵĶ��󡣵�ȷ��д��˫��ͨѶ��ˣ��ȥ��Ǻ��ֻ��̨��ڽ��Ϣ��Ҫ��ף��̫��Ϣ�ǹ��ģ��û��ʵһ��յ��㷢�͵��ݣ�ֻ��Ǳ��Ե��ˡ�

MAC��ַ��һ��6��16��ɵģ��ÿһ��̫��С��½ڽ��β鿴�Լ��MAC��ַ��

��ṹ��̫��Ϥ��ο�һ��OSI 7-Layer Model��⽫��Ķ��̫��ʹ�õ�Э��Ҫ��TCP/IP��TCP/IPҲ��ģ�ͣ��粦��û�,��ǲ��Ǵ��һ��̫��У��һ�£��ܶ��С��û��Ϊʵ��ļ��ʹ�ӡ��װ�ˡ�NetBEUI�� Ϊ��ǻ��TCP/IPЭ��ģ� ��ĺڿ�һ��޷��֪��ǵ��豸��

��RawЭ�飬��ͽ��ն��̫��֧��á��㲻��ֱ�ӷ��һ��Raw��ݸ��̫��һЩ��飬��̫��ܹ��˼��е��ʼ��ż��ķ��㲻��ֱ�Ӱ�һ��Ͷ�ݳ�ȥ��װ�ŷ⣬д��ַ��Ʊ��ϵĴ��Ҳ��ġ�

��һ��򵥵�ͼʾ��ݴ��͵�ԭ��

_________

�� /..........\

�� /..Internet.\��

��+-----+ +----+.............+-----+

��|UserA|-----|·��|.............|UserB|

��+-----+ ^ +----+.............+-----+

�� |\................/��

�� | \---------/��

+------+

|��̽��|

+------+

UserA IP ��ַ: 10.0.0.23

UserB IP ��ַ: 192.168.100.54

��֪��UserAҪ��UserB��м��ͨѶ��UserA��ҪΪ10.0.0.23��192.168.100.54��ͨѶ��һ��IP��

��IP��ϴ��䣬��ܹ��͸·��ˣ� UserA��ύ��·��ÿ��·��Ŀ��IP��ַȻ��·��

UserA ��֪��ֻ�Ǳ��·�ɵ��ӣ��UserB��IP��ַ��UserA��Ľṹ��·��

UserA��·��Ԥ��͵��ݰ��̫��ݴ��ṹ��ģ�

+--+--+--+--+--+--+

| Ŀ�� MAC|

+--+--+--+--+--+--+

| Դ MAC |

+--+--+--+--+--+--+

|08 00|

+--+--+-----------+

| |

. .

. IP �� .

. .

| |

+--+--+--+--+-----+

| CRCУ�� |

+--+--+--+--+

��һ��ṹ��UserA�ļ��һ��100��ֽڵĳ��ȣ��Ǽ��һ�£�20 ��ֽ��IP��Ϣ��20��ֽ��TCP��Ϣ��60��ֽ�Ϊ��͵��ݣ��ڰ��̫��,��14��ֽ��Ŀ��MAC��ַ֮ǰ��ԴMAC��ַ��Ҫ��һ��0x0800�ı�ǣ��ָʾ��TCP/IPջ��ݽṹ��ͬʱ��Ҳ��4��ֽ��CRCУ�� CRCУ��鴫��ݵ��ȷ�ԣ��

��ڷ��ݵ��硣

��ڵļ��ͨ��ܹ��Ƭ��Ҳ��·��̽��һЩ��ͨ��һ��оƬ��ṹ�Ƚϵģ��ṹ�е�Ŀ��MAC��ַ��Լ��MAC��ַ��ͬ��ᶪ��ṹ��Ӳ��ɣ��ԣ��ڼ��ڵĳ��˵��ʱ��޲��ġ�

��·��̫��ṹ��ȡ��Ϣ��ȥ��ǰ14��ֽڣ��4��ֽڡ��0x8000��ǣ�Ȼ��ṹ��д��״��Ʋ��һ��·�ɽڵ㣬�Ӷ��촫��ݵ�Ԥ��Ŀ��ַ��

��룬ֻ��·�ɻ��ܹ��ṹ��Ļ�� ṹ��̽��Ҳ�޷��⵽��ṹ�ġ�

1.3.1 MAC��ַ�ĸ�ʽ��ʲô��

��̫��MAC��ַ��һ��48��ص��֣��48��ط�Ϊ��ɣ�ǰ��24��ڱ�ʾ��̫��ļ��24��һ��кţ��ɼ��֧�ɵġ��Ե��û��κ��MAC��ַ��ͬ�ģ��Ȼ��ͨ��ķ��ʵ�֣��ͬ�ĵ�ַ��⣬��һ��Ƿǳ��Ҫ�ġ��24��ر��֮ΪOUI��Organizationally Unique Identifier��

��ǣ�OUI��ʵ��ֻ��22��أ��һ��У��Ƿ��ǹ㲥��߶ಥ��ַ��һ��䱾��ִ�е�ַ��һЩ��Ա��Ծ��ٷ��MAC��ַ��

�ٸ��ӣ��MAC��ַ��б�ʾΪ 03 00 00 00 00 01 ��һ��ֽ��ֵ��Ʊ�ʾ��Ϊ00000011�� Կ��ض��Ϊ��ֵ��ָ��һ��ಥģʽ��еļ��й㲥��ʹ��ˡ�NetBEUI��Э�飨һ��ģ��Windows��У��ļ��ǲ�ʹ��TCP/IPЭ��ģ��

1��3��2 ��εõ��Լ��MAC��ַ��

Win9x

Win9x�Դ��򽫸��𰸣��winipcfg.exe��

WinNT

��е�״̬��"ipconfig /all"

��ʾ��MAC��ַ��һ��ӣ�

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : bigball

Primary DNS Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter ��:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Legend/D-Link DFE-530TX PCI Fast Eth

ernet Adapter ��Rev B��

Physical Address. . . . . . . . . : 00-50-BA-25-5D-E8

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 192.168.10.254

Subnet Mask . . . . . . . . . . . : 255.255.128.0

Default Gateway . . . . . . . . . : 192.168.10.3

Ethernet adapter SC12001:

Description . . . . . . . . : DEC DC21140 PCI Fast Ethernet

Linux

��С�ifconfig��£�

eth0 Link encap:Ethernet HWaddr 08:00:17:0A:36:3E

inet addr:192.0.2.161 Bcast:192.0.2.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:1137249 errors:0 dropped:0 overruns:0

TX packets:994976 errors:0 dropped:0 overruns:0

Interrupt:5 Base address:0x300

Solaris

�� arp�� netstat �Cp��

1��3��3��β��֪��Щ��ҵ�MAC��ֱַ�ӹ��

��WinNT��Unix��ֱ��ʹ�á�arp �Ca��鿴��

1��3��4��ܹ��ı��ҵ�MAC��ַ��

��ԡ��򵥵�˵һ�£�

��һ�ַ��Ҫ��ַ��ƭ��ΪMAC��ַ��ݰ��ṹ��һ��֣� ��ˣ��̫��һ��ݰ��ʱ��Ը��Դʼ��MAC��Ϣ��

�ڶ��ַ��,�ܶ��һ��ʱ��޸��ڲ��MAC��ַ��

�ڵ��ַ��ͨ��¼EEPROM��ʵ��MAC��ַ��޸ġ��ַ��Ҫ��ض��Ӳ��豸��õ�оƬ��޸ģ��ַ��Զ��޸��MAC��ַ��

��̽��

2��1��β��ܼ��Ƿ��̽��

��ϣ��̽��ǲ��ܱ��ģ��Ϊ��̽��һ�ֱ��Ľ��ճ��ڱ��ģ��ֻ��ռ��ݰ��ͳ��κ��ݣ��ˣ��̽��ʱ��ܹ��ġ�

һ��̽��򣬲��ᷢ��κ��ݣ��ǵ��װ��һ̨��ľ��ڵļ��ϵ�ʱ��һЩ��ٸ��ӣ��ܷ��һ��ʼDNS��IP��ַ��з��в��ҡ�

��һ�ּ򵥵ļ�ⷽ��

ping ��

�ܶ��̽��㷢��һ��̨��̽��Ļ��Ӧ��

˵��

1.��IP��ַΪ10.0.0.1�Ļ��װ��̽��MAC��ַȷ��Ϊ00-40-05-A4-79-32.

2.ȷ��м䡣

3.��޸�MAC��ַΪ00-40-05-A4-79-33.

4.��ping��ping��IP��ַ��

5.û��κ��ܹ��͵��ݰ��Ϊÿ̨��MAC��ַ�޷��ݰ��е�Ŀ��MAC��ԣ��Ӧ�ûᱻ��

6.��㿴��Ӧ��˵��MAC��û�б��Ҳ��˵��п��̽��ڡ�

��ڣ��ַ��Ѿ��õ��˹㷺��Ƴ����һ��ĺڿ��Ҳѧ��ǵĴ��м��MAC��ַ��ܶ�ļ��ϵͳ��Windows��֧��MAC��ܶ��ֻ��MAC�ĵ�һ��ֽڣ��һ��MAC��ַFF-00-00-00-00-00��FF-FF-FF-FF-FF-FF��û��ˡ��㲥��ַ��Ϣ�ᱻ��еļ��գ��ּ��ͨ��ڽ��ģ�͵��̫��С��һ��δ֪��MAC��ַ��ʱ��ִ��ơ�flood��Ĳ��͸�ÿ��ڵ㡣

2��2��̽��ļ��

��̽�ĳ��ⷽ��Ƚϼ򵥣�ֻҪ��һ��Ƿ��ڻ��ģʽ�Ϳ��ˣ��Linux�£��Ƚ��ʵ�֣��Windowsƽ̨�ϣ��û��ֳɵĺ��ɹ��ʵ��ܣ��һ��С��ɣ�

#include <winsock2.h>

#define MAX_PACK_LEN 65535

#define MAX_HOSTNAME_LAN 255

#pragma comment ��lib , "ws2_32.lib"��

int main��

{

SOCKET SockRaw,Sock��

WSADATA wsaData��

int ret=0��

struct sockaddr_in sAddr,addr��

char RecvBuf[MAX_PACK_LEN]��

char FAR name[MAX_HOSTNAME_LAN]��

struct hostent FAR * pHostent��

char *Buf=��char *��malloc��128��

int settimeout=1000��//��һ��ӳ�ʱ

printf��"UNSniffer for Win2k v1.0\nPower by BigBall\nHomePage:http:\/\/www.patching.net\/liumy\nEmail:liumy@patching.net\nOicq:9388920\n\nChecking your system ,wait a moment please...\n"��

WSAStartup��MAKEWORD��2,2��,&wsaData��

//��һ��RawSocket

SockRaw=socket��AF_INET,SOCK_RAW,IPPROTO_IP��

�ٽ��һ��UDP

Sock=socket��AF_INET,SOCK_DGRAM,IPPROTO_UDP��

memset��&sAddr,0,sizeof��sAddr��

memset��&addr,0,sizeof��addr��

sAddr.sin_family=AF_INET��

sAddr.sin_port=htons��5257��

addr.sin_family=AF_INET��

addr.sin_port=htons��5258��

//��IP��ַָ�򱾻�

addr.sin_addr.S_un.S_addr=inet_addr��"127.0.0.1"��

memset��RecvBuf,0, sizeof��RecvBuf��

pHostent=malloc��sizeof��struct hostent��

gethostname��name, MAX_HOSTNAME_LAN��

pHostent=gethostbyname��name��

//ȡ��Լ��IP��ַ

memcpy��&sAddr.sin_addr.S_un.S_addr, pHostent->h_addr_list[0], pHostent->h_length��

free��pHostent��

//��һ��Ľ��ն˿�

bind��SockRaw, ��struct sockaddr *��&sAddr, sizeof��sAddr��

//��ӵ��һ��δ�򿪵Ķ˿�

connect��Sock,��struct sockaddr *��&addr,sizeof��addr��

Buf="1234567890!@#$%^&*"��

//��ó�ʱ

setsockopt��SockRaw,SOL_SOCKET,SO_RCVTIMEO,��char *��&settimeout,sizeof��int��

//��Ӷ˿ڷ��һ��ݰ�

send��Sock,Buf,strlen��Buf��,0��

//ʹ��SockRaw��Խ��ݰ�

ret=recv��SockRaw,RecvBuf,sizeof��RecvBuf��,0��

if��ret==SOCKET_ERROR || ret==0��

printf��"No found any sniffer in your system!\n"��

else

{

//��ChkSum

if��Buf=="1234567890!@#$%^&*"��

printf��"Warning!!! Found sniffer!!!\n"��

}

closesocket��Sock��

closesocket��SockRaw��

free��pHostent��

free��Buf��

WSACleanup��

return 0��

}

��̽ԭ���뷴��̽�������

��̽ԭ��뷴��̽��