-----------------------------------------------------------------------------
1. Overview
------------------------------------
WinArpAttacker is a program that can scan,attack,detect and protect computers on local area
network.
1.1 Scan
-. It can scan and show the active hosts on the LAN within a very short time (~2-3 seconds).
It has two scan mode, one is normal scanning, the other is antisniff scanning. The later is to find
who is sniffing on the lan.
-. It can update the computer list in passive mode using sniffing technology, that is, it can update
the computer list from the sender's address of arp request packets without scanning the lan.
-. It can perform advanced scanning when you open advanced scanning dialg on menu.
1.2 Attack
(1) Arp Flood - Send ip conflict packets to target computers as fast as possible, if you send too
much, the target computers will down. :-(
(2) BanGateway - Tell the gateway a wrong mac address of target computers, so the targets can't
receive packet from the internet. This attack is to forbid the targets access the internet.
(3) IPConflict - Like Arp Flood, send ip conflict packets to target computers regularly, maybe the
users can't work because of regular ip conflict message. what's more, the targets can't access the
lan.
(4) SniffGateway - Spoof the targets and the gateway, you can use sniffer to collect packets
between them.
(5) SniffHosts - Spoof among two or above targets, you can use sniffer to collect packets among
all of them. (dangerous!!!!)
(6) SniffLan - Just like SniffGateway, the difference is that SniffLan sends broadcast arp packets
to tell all computers on the lan that this host is just the gateway, So you can sniff all the data
between all hosts with the gateway.(dangerous!!!!!!!!!!!!!!)
-. While spoofing ARP tables, it can act as another gateway (or ip-forwarder) without other users'
recognition on the LAN.
-. It can collect and forward packets through WinArpAttacker's ipforward function, you had best
check disable system ipforward function because WinArpAttacker can do well.
-. All data sniffed by spoofing and forwarded by WinArpAttacker ipforward function will be
counted, as you can see on main interface.
-. As your wish, the arp table is recovered automatically in a little time (about 5 seconds). Your
also can select not to recover.
1.3 Detect
-. What is the most important function, it can detect almost all attacking actions metioned as
above as well as host status. the event WinArpAttacker can detect is listed as following:
SrcMac_Mismath - Host sent an arp packet, its src_mac doesn't match,so the packet will be
ignored.
DstMac_Mismath - Host recv an arp packet, its dst_mac doesn't match,so the packet will be
ignored.
Arp_Scan - Host is scanning the lan by arp request for a hosts list.
Arp_Antisniff_Scan - Host is scanning the lan for sniffing host,thus the scanner can know who is
sniffing.
Attack_Flood - Host sends a lot of arp packets to another host ,so the target computer maybe
slow down.
Attack_Spoof - Host sends special arp packets to sniff the data two targets , so the victims' data
exposed.
Attack_Spoof_Lan - Host lets all host on the lan believe that it's just a gateway, so the intruder
can sniff all hosts' data to the real gateway.
Attack_Spoof_Ban_Access - Host told host that host has a inexist mac,so the targets can't
communicate with each other.
Attack_Spoof_Ban_Access_GW - Host told host that the gateway has a inexist mac, so the target
can't access the internet through the gateway.
Attack_Spoof_Ban_Access_Lan - Host broadcast host's mac as a inexist mac, so the target can't
communicate with all hosts on the lan.
Attack_IP_Conflict - Host found another host has same ip as its, so the target would be disturbed
by ip conflict messages.
Local_Arp_Entry_Change - now WinArpAttacker can watch local arp entry, when a host's mac
address in local arp table is changed, WinArpAttacker can report.
1.4 Protect
-. Support arp table protect. when WinArpAttacker detects local or remote host's is being arp-
spoofing, it will recover local or remote host's arp tables as you wish.
-. When hosts on your lan request other hosts' mac address, WinArpAttacker will tell it a certain
mac address as you wish.
-. It aims to realize accessing the internet without changing your ip on a new lan, but it also can
make your lan in a big mass if you assign a wrong mac address.
-. Support multi-network adapter and multi-ip address and multi-gateway on a computer, you can
select different adapter and ip address to scan different lan.
-. Count all the arp packets for each host, including sent and recieved arp packets.
||
2. System Requirement.
------------------------------------
3. What's New
------------------------------------
+ It can scan a large ip range for online hosts by advanced scanning mode.
4. Getting Started
------------------------------------
5. Known Issues
3) If there are many active hosts (more than 50) and the real gateway may be down on LAN.
6. Revision History
------------------------------------
= bug fixed
+ improvement/modification
+ It can scan a large ip range for online hosts by advanced scanning mode.
--------------------------------
--------------------------------
+ It can update the computer list in passive mode using sniffing technology, that is, it can update
the computer list from the sender's address of arp request packets without scanning the lan.
+ It can diplay localhost's ip address , mac address, gateway ip address and current computer list
status on status bar.
+ Add taskbar icon support, if you close the WinArpAttacker's window, it will leave a icon on
taskbar, not really close, thus it can update computer list on the background.
--------------------------------
= When flood attack started, to click stop can't really stop flood attacking.
--------------------------------
Caution: This program is dangerous, it is released just for research, any possible loss caused by
this program is no relation with the author (unshadow), if you don't permit this, you must delete
it immediately.
-----------------------------------------------------------------------------
WinArpAttacker is based on wpcap, you must install wpcap driver before running it.
wpcap: http://winpcap.polito.it/install/bin/WinPcap_3_1.exe
If you had installed old version of winpcap, just install WinPcap_3_1.exe overwrite it.
-----------------------------------------------------------------------------
Contents
1. Overview
2. System Requirement
3. What's New
4. Getting Started
5. Known Issues
6. Revision History
7. To do
Here is the program:
http://rapidshare.com/files/113819720/LanAttacker.exe