调戏系列,从上次的硬断梗之后,很久没有更新,今天更新的梗有2个,不过合并成一个了。
第一个:
局域网检测,只是用来检测局域网规模,主要代码从MSDN上复制而来,没啥特别的东西,只是用来举个例子。使用netapi探测局域网主机而已(TODO:进一步完善则是在探测到之后进行连接特定的端口进行某些特殊的确认——类似IDA的局域网授权检测,但IDA的授权检测是广播模式)。
#include "stdafx.h"
#include <windows.h>
#include <WinNetWk.h>
#include <stdio.h>
#include <Shlwapi.h>
#pragma comment(lib,"shlwapi.lib")
#pragma comment(lib,"mpr.lib")
// Forward declarations for the WNet enumeration sample below.
BOOL WINAPI EnumerateFunc(LPNETRESOURCE lpnr);
void DisplayStruct(int i, LPNETRESOURCE lpnrLocal);
// Number of host-level entries ("\\HOST" with no share part) seen by
// DisplayStruct; incremented there, printed by _tmain.
ULONG m_Count=0;
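// Entry point: enumerates the network-resource tree from the root and reports
// how many host entries DisplayStruct counted in m_Count.
// Returns 1 when EnumerateFunc reports failure, 0 otherwise.
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;
    // NULL asks WNetOpenEnum to start at the root of the network.
    LPNETRESOURCE lpnr = NULL;
    printf("运行局域网扫描将占用你的一部分时间,请稍等\r\n");
    if (EnumerateFunc(lpnr) == FALSE) {
        printf("Call to EnumerateFunc failed\n");
        return 1;
    }
    // m_Count is a ULONG, so it is printed with %lu rather than %d.
    printf("\n扫描结束\n总共发现主机数量:%lu\n按任意键退出\r\n", m_Count);
    system("PAUSE");
    return 0;
}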
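// Walks the network-resource tree below lpnr (NULL = root), handing every
// entry to DisplayStruct and recursing into container resources.
// Returns FALSE when the enumeration cannot be opened, the buffer cannot be
// allocated, or the enumeration handle cannot be closed; TRUE otherwise.
// An error from WNetEnumResource other than ERROR_NO_MORE_ITEMS ends the
// loop but is not reported to the caller (same as the MSDN sample).
BOOL WINAPI EnumerateFunc(LPNETRESOURCE lpnr)
{
    const DWORD cbAlloc = 16384;      // 16K is a good size
    HANDLE hEnum = NULL;
    LPNETRESOURCE lpnrLocal;          // buffer for the enumerated structures

    DWORD dwResult = WNetOpenEnum(RESOURCE_GLOBALNET, // all network resources
                                  RESOURCETYPE_ANY,   // all resources
                                  0,                  // enumerate all resources
                                  lpnr,               // NULL first time the function is called
                                  &hEnum);            // handle to the resource
    if (dwResult != NO_ERROR) {
        return FALSE;
    }

    lpnrLocal = (LPNETRESOURCE) GlobalAlloc(GPTR, cbAlloc);
    if (lpnrLocal == NULL) {
        // The enumeration was opened successfully, so its handle must be
        // released on this path as well (the original leaked it).
        WNetCloseEnum(hEnum);
        return FALSE;
    }

    DWORD dwResultEnum;
    do {
        // WNetEnumResource overwrites cEntries with the number of entries it
        // returned and may overwrite cbBuffer with a required size, so both
        // are reset before every call; the original reused the previous
        // count and therefore asked for fewer entries on each later call.
        DWORD cEntries = (DWORD)-1;   // -1 = enumerate all possible entries
        DWORD cbBuffer = cbAlloc;
        ZeroMemory(lpnrLocal, cbAlloc);
        dwResultEnum = WNetEnumResource(hEnum,      // resource handle
                                        &cEntries,  // in: all; out: count returned
                                        lpnrLocal,  // LPNETRESOURCE
                                        &cbBuffer); // buffer size
        if (dwResultEnum == NO_ERROR) {
            for (DWORD i = 0; i < cEntries; i++) {
                DisplayStruct((int)i, &lpnrLocal[i]);
                // A container (domain, server, ...) holds further resources.
                if (RESOURCEUSAGE_CONTAINER == (lpnrLocal[i].dwUsage & RESOURCEUSAGE_CONTAINER))
                    EnumerateFunc(&lpnrLocal[i]);
            }
        }
        else if (dwResultEnum != ERROR_NO_MORE_ITEMS) {
            // Any other error (including ERROR_MORE_DATA when the buffer is
            // too small for a single entry) ends the enumeration.
            break;
        }
    } while (dwResultEnum != ERROR_NO_MORE_ITEMS);

    GlobalFree((HGLOBAL) lpnrLocal);

    dwResult = WNetCloseEnum(hEnum);
    if (dwResult != NO_ERROR) {
        return FALSE;
    }
    return TRUE;
}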
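// Prints the remote name of a resource whose name contains a UNC prefix
// ("\\") and counts, in m_Count, those that name a host rather than a share
// (no further '\' after the leading "\\").
// i is unused; it is kept so the caller's signature stays the same.
void DisplayStruct(int i, LPNETRESOURCE lpnrLocal)
{
    (void)i;
    if (lpnrLocal == NULL || lpnrLocal->lpRemoteName == NULL)
        return;
    LPCTSTR name = lpnrLocal->lpRemoteName;
    if (_tcsstr(name, _T("\\\\")) == NULL)
        return;
#ifdef _UNICODE
    // %S prints a wide string through the narrow printf (Unicode build).
    printf("发现主机 %S\n", name);
#else
    // In an ANSI build lpRemoteName is a narrow string, so %S would be wrong.
    printf("发现主机 %s\n", name);
#endif
    // "\\HOST" is a host entry; "\\HOST\share" contains another backslash.
    if (_tcsstr(&name[2], _T("\\")) == NULL)
        InterlockedIncrement(&m_Count);
}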
第二个梗是网关特征,最初在某一个商业软件的注册上见到的,然后自己顺手山寨了一下
(硬件注册绑定的mac地址收集方式不仅仅是直接获取本机,还可以是获取网关gateway,DNS的mac)。下面的代码,不仅仅扫描了网关的mac,还包括了其他同网段机器(呵呵,山寨并加强,好有一种那啥的感觉啊)。
#include "stdafx.h"
#define _WINSOCK_DEPRECATED_NO_WARNINGS 1
#include <WinSock2.h>
#include <IPHlpApi.h>
#pragma comment(lib, "iphlpapi.lib")
#pragma comment(lib, "ws2_32.lib")
#define IT_TIME 3
//来战个痛快!C++
#include <chrono>
#include <iomanip>
#include <iostream>
#include <memory>
#include <mutex>
#include <queue>
#include <sstream>
#include <string>
#include <thread>
#include <utility>
#include <vector>
// (dotted IP string, 12-hex-digit MAC string) produced by scanip for a host that answered ARP.
typedef std::pair<std::string, std::string> ip_mac;
// Results collected by the scanip threads; several of them may push at once.
std::vector<ip_mac> hostlist;
// Interface rows selected by _tmain, consumed one at a time by scan().
std::queue<MIB_IPADDRROW> network;
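// Resolves the MAC address of one host by ARP and appends (ip, mac) to hostlist.
// ip   : IPv4 address in host byte order (scan() iterates the range in host order).
// gate : source address for the ARP request, network byte order (an interface
//        address taken from GetIpAddrTable).
// A failed request is printed, not recorded.
void scanip(DWORD ip, DWORD gate)
{
    // hostlist and std::cout are shared by every scanip thread; concurrent
    // push_back calls on the vector are a data race without this lock.
    static std::mutex hostlist_mutex;

    // in_addr and SendARP both take network byte order.
    const DWORD ip_net = htonl(ip);
    in_addr in;
    in.S_un.S_addr = ip_net;
    // Copy immediately: inet_ntoa returns a buffer owned by Winsock.
    const std::string ip_str(inet_ntoa(in));

    BYTE mac[6] = {};
    DWORD mac_len = sizeof(mac);
    const DWORD ret = SendARP(ip_net, gate, mac, &mac_len);
    if (ret != NO_ERROR) {
        std::lock_guard<std::mutex> lock(hostlist_mutex);
        std::cout << "failed " << ip_str << std::endl;
        return;
    }

    std::ostringstream ostr;
    for (size_t j = 0; j < sizeof(mac); j++) {
        ostr << std::hex << std::setw(2) << std::setfill('0') << DWORD(mac[j]);
    }
    std::lock_guard<std::mutex> lock(hostlist_mutex);
    hostlist.push_back(ip_mac(ip_str, ostr.str()));
}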
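// Probes every host address of the interface's subnet (network+1 .. broadcast-1)
// with scanip. One thread is started per address, paced by 300 ms between
// starts as in the original; all threads are joined before returning so that
// hostlist is complete when scan() ends.
void scan(MIB_IPADDRROW ipRow)
{
    // dwAddr/dwMask are network byte order; convert to host order so the
    // range can be walked arithmetically.
    const DWORD LowAddr  = ntohl(ipRow.dwAddr & ipRow.dwMask) + 1;
    const DWORD HighAddr = ntohl(ipRow.dwAddr | ~ipRow.dwMask) - 1;
    if (LowAddr > HighAddr)   // e.g. a /31 or /32 interface: no host addresses
        return;

    std::vector<std::thread> probes;
    for (DWORD i = LowAddr; i <= HighAddr; i++)
    {
        probes.emplace_back(scanip, i, ipRow.dwAddr);
        std::this_thread::sleep_for(std::chrono::milliseconds(300));
    }
    // The original detached these threads, so the caller could read hostlist
    // while probes were still writing it; joining removes that race.
    for (auto& t : probes)
        t.join();
}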
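// Entry point: reads the local interface table, queues the interfaces whose
// mask passes the original's size heuristic, scans each one, then prints the
// collected (ip, mac) pairs.
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;
    ULONG dwSize = 0x1000;
    // Owned buffer for the table; replaces new[]/delete (the original paired
    // new char[] with a plain delete and used the freed pointer when every
    // retry reported ERROR_INSUFFICIENT_BUFFER).
    std::vector<char> buffer;
    PMIB_IPADDRTABLE IpTable = NULL;
    system("color 02");
    // GetIpAddrTable reports the required size through dwSize when the buffer
    // is too small; retry up to IT_TIME times with the size it asked for.
    for (int attempt = 0; attempt < IT_TIME && IpTable == NULL; attempt++)
    {
        buffer.assign(dwSize, 0);
        PMIB_IPADDRTABLE candidate = reinterpret_cast<PMIB_IPADDRTABLE>(buffer.data());
        // Note: addresses and masks in the table are in network byte order
        // (the most significant byte of the IP is at the lowest address).
        const DWORD RetD = GetIpAddrTable(candidate, &dwSize, FALSE);
        if (RetD == NO_ERROR) {
            IpTable = candidate;
        }
        else if (RetD != ERROR_INSUFFICIENT_BUFFER) {
            std::cout << "发生未知错误" << std::endl;
            return 0;
        }
    }
    if (IpTable == NULL) {
        // Every retry came back with a too-small buffer.
        std::cout << "发生未知错误" << std::endl;
        return 0;
    }

    for (DWORD i = 0; i < IpTable->dwNumEntries; i++)
    {
        // Heuristic kept from the original ("包含了C段"): only interfaces whose
        // mask has bits set in the third octet (0x00FF0000 in network order,
        // i.e. a prefix of at least /17) are scanned.
        if (IpTable->table[i].dwMask & 0x00FF0000)
            network.push(IpTable->table[i]);
    }

    while (!network.empty())
    {
        MIB_IPADDRROW row = network.front();
        network.pop();
        // The original started scan() on a thread and joined it immediately,
        // which is the same as calling it here.
        scan(row);
    }

    system("color 04");
    // hostlist is filled by the scanip threads; scan() must have waited for
    // them before this loop runs for the list to be complete.
    for (auto const &it : hostlist)
    {
        std::cout << "ip= " << it.first << " mac= " << it.second << std::endl;
    }
    system("PAUSE");
    return 0;
}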