WinArpAttacker 3.50 Readme Jun. 4th 2006 Author : unshadow Email : asia_message@hotpop.

com Website: no, i'm looking for free websi te, if you have good advice you ca n tell me. ----------------------------------------------------------------------------Caution: This program is dangerous, it is released just for research, any possib le loss caused by this program is no relation with the author (unshadow), if you don't permit this, you must delete it immediately. If you use this program, I think you permit all of these. ----------------------------------------------------------------------------WinArpAttacker is based on wpcap, you must install wpcap driver before running i t. wpcap: http://winpcap.polito.it/install/bin/WinPcap_3_1.exe If you had installed old version of winpcap, just install WinPcap_3_1.exe overwr ite it. ----------------------------------------------------------------------------Contents 1. Overview 2. System Requirement 3. What's New 4. Getting Started 5. Known Issues 6. Revision History 7. To do ----------------------------------------------------------------------------1. Overview -----------------------------------WinArpAttacker is a program that can scan,attack,detect and protect computers on local area network. The features as following: 1.1 Scan -. It can scan and show the active hosts on the LAN within a very short time (~2-3 seconds). It has two scan mode, one is normal scanning, the other is antisniff scann ing. The later is to find who is sniffing on the lan. -. It can save and load computer list file. -. It can scan the Lan regularly for new computer list. -. It can update the computer list in passive mode using sniffing technology, that is, it can update the computer list from the sender's address of arp reque st packets without scanning the lan. -. It can perform advanced scanning when you open advanced scanning dialg on menu. -. It can scan a B class ip range in advanced scan dialg. -. It can scan acthost listed in event listview.

1.2 Attack -. It can pull and collect all the packets on the LAN. -. It can perform six attacking actions as following: (1) Arp Flood - Send ip conflict packets to target computers as fast as po ssible, if you send too much, the target computers will down. :-( (2) BanGateway - Tell the gateway a wrong mac address of target computers, so the targets can't receive packet from the internet. This attack is to forbid the targets access the internet. (3) IPConflict - Like Arp Flood, send ip conflict packets to target compute rs regularly, maybe the users can't work because of regular ip conflict message. what's more, the targets can't access the lan. (4) SniffGateway - Spoof the targets and the gateway, you can use sniffer t o collect packets between them. (5) SniffHosts - Spoof among two or above targets, you can use sniffer to collect packets among all of them. (dangerous!!!!) (6) SniffLan - Just like SniffGateway, the difference is that SniffLan sends broadcast arp packets to tell all computers on the lan that this host is j ust the gateway, So you can sniff all the data between all hosts with the gatewa y.(dangerous!!!!!!!!!!!!!!) -. While spoofing ARP tables, it can act as another gateway (or ip-forwarder) without other users' recognition on the LAN. -. It can collect and forward packets through WinArpAttacker's ipforward func tion, you had best check disable system ipforward function because WinArpAttacke r can do well. -. All data sniffed by spoofing and forwarded by WinArpAttacker ipforward fun ction will be counted, as you can see on main interface. -. As your wish, the arp table is recovered automatically in a little time (a bout 5 seconds). Your also can select not to recover. 1.3 Detect -. What is the most important function, it can detect almost all attacking ac tions metioned as above as well as host status. the event WinArpAttacker can det ect is listed as following: SrcMac_Mismath - Host sent an arp packet, its src_mac doesn't match,so t he packet will be ignored. DstMac_Mismath - Host recv an arp packet, its dst_mac doesn't match,so t he packet will be ignored. Arp_Scan - Host is scanning the lan by arp request for a hosts list. Arp_Antisniff_Scan - Host is scanning the lan for sniffing host,thus the scanner can know who is sniffing. Host_Online - Host is online now. Host_Modify_IP - Host modified its ip to or added a new IP. Host_Modify_MAC - Host modified its mac address. New_Host - New gost was found. Host_Add_IP - Host added a new ip address. Multi_IP_Host - Host has multi-ip addresses. Multi_Mac_Host - Host has multi-mac addresses. Attack_Flood - Host sends a lot of arp packets to another host ,so the t arget computer maybe slow down. Attack_Spoof - Host sends special arp packets to sniff the data two targ ets , so the victims' data exposed. Attack_Spoof_Lan - Host lets all host on the lan believe that it's just a gateway, so the intruder can sniff all hosts' data to the real gateway. Attack_Spoof_Ban_Access - Host told host that host has a inexist mac,so the targets can't communicate with each other. Attack_Spoof_Ban_Access_GW - Host told host that the gateway has a inexi st mac, so the target can't access the internet through the gateway. Attack_Spoof_Ban_Access_Lan - Host broadcast host's mac as a inexist mac , so the target can't communicate with all hosts on the lan.

Attack_IP_Conflict - Host found another host has same ip as its, so the target would be disturbed by ip conflict messages. Local_Arp_Entry_Change - now WinArpAttacker can watch local arp entry, w hen a host's mac address in local arp table is changed, WinArpAttacker can repor t. Local_Arp_Entry_Add - When a mac address of a host is added to local arp table, WinArpAttacker can report. -. It can explain each event which WinArpAttacker detected. -. It can save events to file. 1.4 Protect -. Support arp table protect. when WinArpAttacker detects local or remote hos t's is being arp-spoofing, it will recover local or remote host's arp tables as you wish. 1.5 Proxy Arp -. When hosts on your lan request other hosts' mac address, WinArpAttacker wi ll tell it a certain mac address as you wish. -. It aims to realize accessing the internet without changing your ip on a ne w lan, but it also can make your lan in a big mass if you assign a wrong mac add ress. 1.6 Save arp packets -. It can save all sniffed arp packets to file. 1.7 other features. -. Support multi-network adapter and multi-ip address and multi-gateway on a computer, you can select different adapter and ip address to scan different lan. -. Support DHCP and fixed ip address. -. Count all the arp packets for each host, including sent and recieved arp p ackets. Arp R/S | Action(Recive/Send) meaning: meaning: meaning: meaning: The The The The Q/P | Arp packets type(ReQuest/RePly) of of or or arp arp arp arp request reply request reply packets packets packets packets recieved recieved sent sent

ArpRQ ArpRP ArpSQ ArpSP

number number number number

2. System Requirement. ------------------------------------. Local : Windows XP/2000/2003(But I hadn't tested it under Windows XP/2003) -. Remote : All computers including network devices -. WinPcap driver 3.1/lastest must be needed. 3. What's New -----------------------------------+ It can scan a large ip range for online hosts by advanced scanning mode. + It can protect local and reomte hosts from arp-spoofing. + It can enable proxy arp, act as a arp proxy. + It can save all sniffed arp packets to file. 4. Getting Started ------------------------------------

-. -. -. -. -. -. -.

Firtly, install the latest WinPcap driver. second, just run WinArpAttacker.exe click scan button and start button look at arp information on remote computer with "arp -a" to stop attack, click stop button. to select adapter or ip address, click options button. to modify attacking setup, click options button.

5. Known Issues 1) This program should be run with administrator privilege. If not, the program will work abnormally. 2) The attacking action is dangerous, so you must be caution. 3) If there are many active hosts (more than 50) and the real gateway may be d own on LAN. 6. Revision History -----------------------------------= bug fixed + improvement/modification [Start of Versions History] Version 3.50 ( Jun. 4,2006) + It can detect local arp table's change. + It can protect local and reomte hosts from arp-spoofing. + It can enable proxy arp, act as a arp proxy. + It can save all sniffed arp packets to file. + It allows you send arp packets manunally. Version 3.02 ( Apr. 26,2006) + It can scan a large ip range for online hosts by advanced scanning mode. Version 3.00 ( Oct. 07, 2005) -------------------------------+ It can detect attacking actions. + Add serval scanning mode. + It can update the host list from ip packets. Version 1.50 ( May. 16, 2005) -------------------------------+ It can scan the Lan regularly for new computer list. + It can update the computer list in passive mode using sniffing technology, tha t is, it can update the computer list from the sender's address of arp request p ackets without scanning the lan. + Add two options: auto scan and update in passive mode. + It can diplay localhost's ip address , mac address, gateway ip address and cur rent computer list status on status bar. + Add taskbar icon support, if you close the WinArpAttacker's window, it will le ave a icon on taskbar, not really close, thus it can update computer list on the background. Version 1.10 ( April. 27, 2005) -------------------------------+ Support DHCP and fixed ip address. = When flood attack started, to click stop can't really stop flood attacking. = IP address is incorrectly sorted when 10.1.0.1 and 192.168.1.1 coexists. = When PacketSendPacket failed, to exit program will encounter an invalid operat or.

Version 1.00 ( April. 16, 2005) -------------------------------This program is released. [End of Versions History] 7. To do none now, if you have good advice you can mailto me(asia_message@hotpop.com).