
这几天来了个漂亮MM,想问她QQ号,可是又不好意思。打开 Wireshark 时能看到局域网里其他计算机的数据包,那为什么不自己做一个截获QQ号的工具呢。

首先,QQ 客户端默认在本机监听 UDP 4000 端口;如果该端口已被占用,就依次往上尝试(4001、4002……)直到找到空闲端口,然后向腾讯(TX)服务器的 UDP 8000 端口发包,服务器再回包。

网上很多局域网QQ监听工具的做法是:向目标主机强制发送ICMP包,迫使其QQ客户端重新连接TX服务器,再抓取客户端与服务器交互的数据包,从中取出QQ号;如果ICMP包发得过多,会导致对方QQ掉线。

ICMP部分这里不写,只写一个被动监听局域网、提取QQ账号的工具(判断仅基于"UDP 且端口为 8000"以及载荷首字节,因此可能得到错误的信息)。注意:在交换式网络中,混杂模式通常只能看到发往本机的帧和广播帧;另外,未经授权监听他人流量可能违法,请只在自己有权监控的网络上测试。

// tcp_ip_protocol.h

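// tcp_ip_protocol.h -- packed on-the-wire layouts for Ethernet II, IPv4, ICMP, UDP and TCP.
//
// These structs are overlaid directly on captured frames (see the *_pack types), so every
// multi-byte field is still in NETWORK byte order: compare against htons()/ntohs() values,
// never host-order literals (e.g. the IPv4 ethertype is htons(0x0800)).
// The *_pack layouts also assume an IPv4 header without options (IHL == 5); check the IHL
// nibble before trusting the udp/tcp/icmp member offsets.
#pragma once

#ifdef _WIN32
#include <windows.h>
#include <tchar.h>
#else
// Minimal stand-ins for the Win32 integer typedefs so the layouts compile (and can be
// unit-tested) without the Windows SDK.  Widths match the Win32 definitions.
#include <stdint.h>
typedef uint8_t  BYTE;
typedef uint16_t USHORT;
typedef uint32_t DWORD;
typedef uint32_t DWORD32;
#endif

#pragma pack(push, 1)

// Ethernet II frame header (14 bytes).
typedef struct _mac_header {
    BYTE   dst_mac[6];
    BYTE   src_mac[6];
    USHORT pack_type;   // ethertype, network order: htons(0x0800) == IPv4
} mac_header, *pmac_header;

// ICMP header followed by the echo request/reply fields (12 bytes).
typedef struct _icmp_header {
    BYTE    icmp_type;       // message type
    BYTE    icmp_code;       // sub-code
    USHORT  icmp_checksum;   // checksum over header + data
    // Echo header:
    USHORT  icmp_id;         // identifies the requester, conventionally the process id
    USHORT  icmp_sequence;   // sequence number
    DWORD32 icmp_timestamp;  // timestamp
} icmp_header, *picmp_header;

// IPv4 header without options (20 bytes).
typedef struct _ip_header {
    // On the wire the first byte is version (high nibble) then IHL (low nibble).  MSVC,
    // and GCC/Clang on little-endian targets, place the FIRST declared bit-field in the
    // LOW bits of the byte, so IHL must be declared first or the two names come out
    // swapped (the original order read 5 as the "version" and 4 as the "header length").
    // Bit-field allocation is implementation-defined; this layout is only valid for
    // those compilers/targets.
    BYTE   ip_header_lenth : 4;  // IHL in 32-bit words (IHL * 4 = header bytes), normally 5
    BYTE   ip_version : 4;       // 4 for IPv4 (an IPv6 packet does not match this layout)
    BYTE   ip_tos;               // type of service
    USHORT ip_lenth;             // total length (header + payload), excluding the mac_header
    USHORT ip_id;                // datagram identification
    USHORT ip_flags;             // 3 flag bits + 13-bit fragment offset; within the 3-bit
                                 // flags field, 0x1 = MF (more fragments), 0x2 = DF (don't fragment)
    BYTE   ip_ttl;               // time to live
    BYTE   ip_protocol;          // 1 = ICMP, 6 = TCP, 17 = UDP
    USHORT ip_checksum;          // header checksum
    DWORD  src_ip;               // source address, network order
    DWORD  dst_ip;               // destination address, network order
} ip_header, *pip_header;

// UDP header (8 bytes).
typedef struct _udp_header {
    USHORT src_port;   // source port, network order
    USHORT dst_port;   // destination port, network order
    USHORT len;        // header + payload length
    USHORT checksum;   // checksum (0 means "absent" for IPv4)
} udp_header, *pudp_header;

// TCP header without options (20 bytes).
typedef struct _tcp_header {
    USHORT src_port;
    USHORT dst_port;
    DWORD  sequence_number;      // 32-bit sequence number
    DWORD  acknowledge_number;   // acknowledgement number
    BYTE   data_offset;          // high nibble = header length in 32-bit words; low nibble reserved
    BYTE   flags;                // CWR/ECE/URG/ACK/PSH/RST/SYN/FIN
    USHORT windows;              // receive window
    USHORT checksum;
    USHORT urgentPointer;        // 16-bit urgent pointer
} tcp_header, *ptcp_header;

// Whole-frame overlays: Ethernet + IPv4 (no options) + L4 header, then the first payload
// byte.  data[1] is a placeholder for the variable-length payload that follows in the
// same capture buffer; index it only after checking the captured length (caplen).
typedef struct _tcp_pack {
    mac_header mac;
    ip_header  ip;
    tcp_header tcp;
    char       data[1];
} tcp_pack, *ptcp_pack;

typedef struct _udp_pack {
    mac_header    mac;
    ip_header     ip;
    udp_header    udp;
    unsigned char data[1];
} udp_pack, *pudp_pack;

typedef struct _icmp_pack {
    mac_header    mac;
    ip_header     ip;
    icmp_header   icmp;
    unsigned char data[1];
} icmp_pack, *picmp_pack;

#pragma pack(pop)

// One's-complement Internet checksum helper; the definition is not in this header.
// NOTE(review): `size` is presumably a byte count -- confirm against the definition.
unsigned short checksum(unsigned short *buffer, int size);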

// GetQQNum.cpp

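// GetQQNum.cpp -- passively watch the LAN for QQ client<->server UDP traffic (server
// port 8000) and print each (QQ number, client IP) pair the first time it is seen.
//
// The QQ payload layout used below (first payload byte 0x02, big-endian 32-bit number
// at payload offset 7) is taken from the original author's observation and is NOT
// verified here; as the author notes, matching on "UDP port 8000" alone can yield
// false positives.  Only run this on a network you are authorised to monitor.
#define _W64
#define HAVE_REMOTE
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <pcap.h>
#include <winsock2.h>
#include <time.h>
#include <shlwapi.h>
#include <iostream>
#include <map>
#include "tcp_ip_protocol.h"
#include "remote-ext.h"
#pragma comment(lib, "wpcap.lib")
#pragma comment(lib, "WS2_32.lib")
#pragma comment(lib, "shlwapi.lib")

// QQ number -> client IPv4 address (network byte order).  Written only by the capture
// thread; Filter() blocks on that thread, so no locking is needed.
std::map<DWORD, DWORD> QQIPNum;

// QQ server UDP port in network byte order so it compares directly with the raw
// udp_header ports (the original literal 0x401f is htons(8000) on little-endian x86).
static const USHORT QQ_SERVER_PORT = htons(8000);

// IPv4 ethertype in network byte order.
static const USHORT ETHERTYPE_IPV4 = htons(0x0800);

// Byte offset of the QQ number inside the UDP payload, and the minimum number of
// captured bytes needed to read it (Ethernet + IPv4 without options + UDP + 7 + 4).
static const size_t QQ_NUM_OFFSET = 7;
static const size_t QQ_MIN_CAPLEN = offsetof(udp_pack, data) + QQ_NUM_OFFSET + sizeof(DWORD);

// Capture loop run on its own thread.  lpParam is the opened pcap_t*, which this
// function owns and closes when the loop ends.  Returns 0 (thread exit code).
DWORD WINAPI CaptureProc(LPVOID lpParam)
{
    pcap_t *fp = (pcap_t *)lpParam;
    struct pcap_pkthdr *header;
    const u_char *pkt_data;
    int res;

    while ((res = pcap_next_ex(fp, &header, &pkt_data)) >= 0) {
        if (res == 0)
            continue;   // read timeout elapsed, no packet

        // Never overlay the struct on a frame shorter than what we are about to read:
        // caplen is the number of bytes actually captured (may be less than len).
        if (header->caplen < QQ_MIN_CAPLEN)
            continue;

        const udp_pack *pkt = (const udp_pack *)pkt_data;

        if (pkt->mac.pack_type != ETHERTYPE_IPV4 || pkt->ip.ip_protocol != 17)
            continue;

        // udp_pack assumes a 20-byte IPv4 header.  Read the IHL nibble straight from
        // the raw byte rather than through the bit-field, so this check does not depend
        // on how the compiler orders bit-fields.
        if ((pkt_data[sizeof(mac_header)] & 0x0f) != 5)
            continue;

        const bool to_server   = pkt->udp.dst_port == QQ_SERVER_PORT;
        const bool from_server = pkt->udp.src_port == QQ_SERVER_PORT;
        if (!(to_server || from_server) || pkt->data[0] != 0x02)
            continue;

        // The number is unaligned inside the frame: copy it out instead of casting.
        DWORD qq_raw;
        memcpy(&qq_raw, pkt->data + QQ_NUM_OFFSET, sizeof qq_raw);
        const DWORD qq_num = ntohl(qq_raw);

        // Record the CLIENT side of the exchange: for a server->client packet that is
        // the destination, not the source (the original always stored the source).
        const DWORD client_ip = to_server ? pkt->ip.src_ip : pkt->ip.dst_ip;

        if (QQIPNum.find(qq_num) == QQIPNum.end()) {
            QQIPNum[qq_num] = client_ip;
            struct in_addr ipaddr;
            ipaddr.S_un.S_addr = client_ip;
            printf("%s\n", inet_ntoa(ipaddr));
            printf("QQ Num:%lu\n", (unsigned long)qq_num);
        }
    }

    // pcap_geterr must be called before the handle is closed.
    if (res == -1)
        fprintf(stderr, "pcap_next_ex: %s\n", pcap_geterr(fp));
    pcap_close(fp);
    return 0;
}

// Pick the first capture device whose description mentions "pci-E", open it in
// promiscuous mode with a "udp port 8000" BPF filter, and run CaptureProc on it until
// the capture stops.  alldevs is owned by the caller (main frees it); this function
// must not free it.  Returns 0 on success, -1 on any failure.
int Filter(pcap_if_t *alldevs)
{
    pcap_if_t *seldev;
    for (seldev = alldevs; seldev != NULL; seldev = seldev->next) {
        // description can be NULL for some adapters; StrStrI would dereference it.
        if (seldev->description != NULL && StrStrI(seldev->description, "pci-E") != NULL)
            break;
    }
    if (seldev == NULL) {
        // Do NOT free alldevs here: main() frees it after Filter() returns.
        fprintf(stderr, "Can not find network!\n");
        return -1;
    }
    printf("%s\n%s\n", seldev->name, seldev->description);

    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *fp = pcap_open_live(seldev->name, 65536, PCAP_OPENFLAG_PROMISCUOUS, 1000, errbuf);
    if (fp == NULL) {
        printf("打开网卡失败!\n");
        fprintf(stderr, "pcap_open_live: %s\n", errbuf);
        return -1;
    }
    if (pcap_datalink(fp) != DLT_EN10MB) {
        printf("不是以太网,不支持混杂模式!\n");
        pcap_close(fp);
        return -1;
    }

    // Let the kernel-side filter drop everything but UDP port 8000, so the capture
    // thread only sees candidate QQ packets (it still re-validates each one).  The
    // original passed a NULL expression, which libpcap does not define.
    char filter_expr[] = "udp port 8000";
    struct bpf_program fcode;
    if (pcap_compile(fp, &fcode, filter_expr, 1, 0) < 0) {
        printf("Unable to compile the packet filter. Check the syntax.\n");
        pcap_close(fp);
        return -1;
    }
    const int set_rc = pcap_setfilter(fp, &fcode);
    pcap_freecode(&fcode);   // the handle keeps its own copy; release ours
    if (set_rc < 0) {
        printf("Error setting the filter.\n");
        pcap_close(fp);
        return -1;
    }

    HANDLE handle = CreateThread(NULL, 0, CaptureProc, fp, 0, NULL);
    if (handle == NULL) {
        fprintf(stderr, "CreateThread failed: %lu\n", GetLastError());
        pcap_close(fp);
        return -1;
    }
    // CaptureProc owns fp from here on and closes it before the thread exits.
    WaitForSingleObject(handle, INFINITE);
    CloseHandle(handle);
    return 0;
}

// Entry point: enumerate capture devices, hand the list to Filter(), and free it
// exactly once here.  Exit status is 1 if enumeration or Filter() failed.
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    pcap_if_t *alldevs;
    char errbuf[PCAP_ERRBUF_SIZE];
    if (pcap_findalldevs(&alldevs, errbuf) == -1) {
        fprintf(stderr, "Error in pcap_findalldevs: %s\n", errbuf);
        return 1;
    }

    const int rc = Filter(alldevs);
    pcap_freealldevs(alldevs);   // single owner: the list is freed only here

    // Keep the console window open without spawning a shell via system("pause").
    printf("Press Enter to exit...\n");
    getchar();
    return rc == 0 ? 0 : 1;
}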
