
Inserting a Forged TCP Packet After the TCP Three-Way Handshake

2005-7-31 10:08 | Submitted by: security

I. Description

The Socket API connect() is used to complete the three-way handshake that establishes the TCP connection, while a child process captures packets. Once the three handshake packets have been captured, a fourth packet is inserted. Judging from the fifth packet returned by the peer, the insertion succeeded, but because a TCP packet has been inserted, the rest of the connection will be thrown into disorder. The Data of the inserted packet can be set to an HTTP request, submitting a request to the web server. Further, if the target system's TCP sequence numbers are predictable, could a blind TCP three-way handshake and insertion with a forged source address be done? Worth an experiment!

II. Script

1. Several modules are used: Net::RawIP, Net::Pcap, Net::PcapUtils, NetPacket;
2. The pretty_table() function is one I wrote earlier for printing a table on the command line;
3. Test environment: Linux over an ADSL dial-up; the capture interface is ppp0, whose frame structure differs from that of an Ethernet frame, so the strip function in the NetPacket::Ethernet module cannot be used to handle the frame header; based on the frame structure seen in an ethereal capture, I use the unpack function to extract the IP packet from the frame.

III. Source code

#!/usr/bin/perl
#By i_am_jojo@msn.com, 2005/04
use strict;
use warnings;
use Net::RawIP;
use Net::PcapUtils;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
use Socket;
use Getopt::Std;
use POSIX qw(strftime);

my %opts;
getopts('ht:p:u:n:', \%opts);
print_help() and exit if(defined($opts{'h'}));
print_help() and exit if(not defined($opts{'t'}) or not defined($opts{'p'}));
die "\tInvalid Target Ipaddress!\n"
    if(defined($opts{'t'}) and $opts{'t'} !~ m/^\d+\.\d+\.\d+\.\d+$/);
die "\tInvalid Service Port!\n"
    if(defined($opts{'p'}) and $opts{'p'} !~ m/^\d+$/);

# payload of the inserted segment: a minimal HTTP request for -u (default /)
my $request;
if(defined($opts{'u'})) {
    $request = "GET $opts{'u'} HTTP/1.1\r\n";
    $request.= "Accept: text/html; text/plain\r\n";
    $request.= "\r\n";
} else {
    $request = "GET / HTTP/1.1\r\n";
    $request.= "Accept: text/html; text/plain\r\n";
    $request.= "\r\n";
}

my $child = fork();
die "fork failed: $!\n" unless defined($child);
if($child == 0) {
    # child process: sniff the connection, insert after the third packet
    my ($next_packet, %next_header);
    my ($frame_hdr, $ip_packet);
    my ($ip_obj, $tcp_obj);
    my $counter = 0;
    my $pkt_descriptor = Net::PcapUtils::open(
        FILTER  => 'ip',
        PROMISC => 0,
        DEV     => 'ppp0',
        #DEV    => 'eth0'
    );
    die "Net::PcapUtils::open returned: $pkt_descriptor\n" if (!ref($pkt_descriptor));
    print strftime '%Y/%m/%d %H:%M:%S, ', localtime and print "begin sniffing ...\n";

    while(($next_packet, %next_header) = Net::PcapUtils::next($pkt_descriptor)) {
        # ppp0 frame: 16 bytes of link header (read as hex), then the IP packet
        ($frame_hdr, $ip_packet) = unpack 'H32a*', $next_packet;
        $ip_obj = NetPacket::IP->decode($ip_packet);
        #$ip_obj = NetPacket::IP->decode(NetPacket::Ethernet::eth_strip($next_packet));

        # keep only TCP segments of the target host and service port
        next if ($ip_obj->{'proto'} != 6);
        next if (($ip_obj->{'src_ip'} ne $opts{'t'})
                 and ($ip_obj->{'dest_ip'} ne $opts{'t'}));

        $tcp_obj = NetPacket::TCP->decode($ip_obj->{'data'});
        next if (($tcp_obj->{'src_port'} ne $opts{'p'})
                 and ($tcp_obj->{'dest_port'} ne $opts{'p'}));

        $counter++;

        print "==ID.$counter==", '=' x 60, "\n";
        print get_ip_hdr($ip_obj);
        print get_tcp_hdr($tcp_obj);
        if($tcp_obj->{'data'}) {
            my $data;
            $data = unpack 'a*', $tcp_obj->{'data'};
            $data =~ s/[\r][\n]//g;
            print pretty_table('TCP data', [$data]);
        }

        # the third packet is the client's final ACK: reuse its addresses, ports,
        # seq and ack for a PSH/ACK segment carrying the request
        if($counter == 3) {
            my $raw = new Net::RawIP;
            $raw->set({
                'ip' => {
                    'id'    => $ip_obj->{'id'} + 1,
                    'saddr' => $ip_obj->{'src_ip'},
                    'daddr' => $ip_obj->{'dest_ip'}
                    },
                'tcp' => {
                    'source'  => $tcp_obj->{'src_port'},
                    'dest'    => $tcp_obj->{'dest_port'},
                    'seq'     => $tcp_obj->{'seqnum'},
                    'ack_seq' => $tcp_obj->{'acknum'},
                    'window'  => $tcp_obj->{'winsize'},
                    'data'    => $request,
                    'psh'     => 1,
                    'ack'     => 1
                    }
                });
            $raw->send;
        }
        last if($counter == 5);
    }
    exit;
} else {
    # parent process: let the sniffer start, then have the kernel do the handshake
    sleep(1);
    my $trans_serv = getprotobyname('tcp');
    my $dest_sockaddr = sockaddr_in($opts{'p'}, inet_aton($opts{'t'}));

    socket(TCP_SOCK, PF_INET, SOCK_STREAM, $trans_serv) or die "socket: $!\n";
    connect(TCP_SOCK, $dest_sockaddr) or die "connect: $!\n";
    sleep(1);
    #close TCP_SOCK;
    waitpid($child, 0);    # let the sniffer finish printing its five packets
}
exit;

sub print_help {
    print <<HELP
        %./iamFool.pl [-h] <-t,-p,-u,-n>
    -h    print help
    -t    target ipaddr
    -p    service port
    -u    requested url
                    by:i_am_jojo\@msn.com

HELP
}

sub get_ip_hdr {
    my $ip_obj = shift;
    my @ip_hdr;

    push @ip_hdr, [qw(ver tos flags id src_ip proto)];
    push @{$ip_hdr[1]}, $ip_obj->{$_} foreach (qw(ver tos flags id src_ip proto));
    push @ip_hdr, [qw(hlen len foffset ttl dest_ip cksum)];
    push @{$ip_hdr[3]}, $ip_obj->{$_} foreach (qw(hlen len foffset ttl dest_ip cksum));

    return pretty_table('IP Header', @ip_hdr);
}

sub get_tcp_hdr {
    my $tcp_obj = shift;
    my @tcp_hdr;

    push @tcp_hdr, [qw(src_port seqnum hlen flags)];
    push @{$tcp_hdr[1]}, $tcp_obj->{$_} foreach (qw(src_port seqnum hlen flags));
    push @tcp_hdr, [qw(dest_port acknum reserved winsize)];
    push @{$tcp_hdr[3]}, $tcp_obj->{$_} foreach (qw(dest_port acknum reserved winsize));

    return pretty_table('TCP Header', @tcp_hdr);
}

sub pretty_table {
    # prettyTable($aString, @aList); @aList = ( [...], [...] );
    # each list becomes one column; rows are built by transposing
    # by i_am_jojo@msn.com
    my ($title, @data) = @_;
    my @temp;
    my @max_length;
    my $row_length;
    my $indent = 4;
    my $the_table;
    foreach my $col (0..$#{$data[0]}) { push @{$temp[$col]}, $_->[$col] foreach (@data); }
    $max_length[$_] = length( (sort{length($b) <=> length($a)} @{$data[$_]} )[0]) + 2 foreach (0..$#data);
    $row_length+= $max_length[$_] foreach (0..$#{$temp[0]});
    $row_length+= $#data;

    $the_table = ' ' x $indent.'+'.'-' x $row_length."+\n";
    $the_table.= ' ' x $indent.'| '.$title.' ' x ($row_length - length($title) - 1)."|\n";
    foreach my $row (0..$#temp) {
        $the_table.= ' ' x $indent;
        $the_table.= '+'.'-' x $max_length[$_] foreach (0.. $#{$temp[0]});
        $the_table.= "+\n";
        $the_table.= ' ' x $indent;
        $the_table.= '| '.@{$temp[$row]}[$_].' ' x ($max_length[$_] - length(@{$temp[$row]}[$_]) - 1) foreach (0.. $#{$temp[0]});
        $the_table.= "|\n";
    }
    $the_table.= ' ' x $indent;
    $the_table.= '+'.'-' x $max_length[$_] foreach (0.. $#{$temp[0]});
    $the_table.= "+\n";

    return $the_table;
}

IV. Result example

==Result eXample==
2005/05/02 21:51:23, begin sniffing ...
==ID.1==============================================================
    +---------------------------------------------------+
    | IP Header                                         |
    +--------+---------------+---------+----------------+
    | ver    | 4             | hlen    | 5              |
    +--------+---------------+---------+----------------+
    | tos    | 0             | len     | 60             |
    +--------+---------------+---------+----------------+
    | flags  | 2             | foffset | 0              |
    +--------+---------------+---------+----------------+
    | id     | 20682         | ttl     | 64             |
    +--------+---------------+---------+----------------+
    | src_ip | 218.11.149.14 | dest_ip | 64.233.189.104 |
    +--------+---------------+---------+----------------+
    | proto  | 6             | cksum   | 31878          |
    +--------+---------------+---------+----------------+
    +------------------------------------------+
    | TCP Header                               |
    +----------+------------+-----------+------+
    | src_port | 32851      | dest_port | 80   |
    +----------+------------+-----------+------+
    | seqnum   | 1104143983 | acknum    | 0    |
    +----------+------------+-----------+------+
    | hlen     | 10         | reserved  | 0    |
    +----------+------------+-----------+------+
    | flags    | 2          | winsize   | 5808 |
    +----------+------------+-----------+------+
==ID.2==============================================================
    +---------------------------------------------------+
    | IP Header                                         |
    +--------+----------------+---------+---------------+
    | ver    | 4              | hlen    | 5             |
    +--------+----------------+---------+---------------+
    | tos    | 0              | len     | 44            |
    +--------+----------------+---------+---------------+
    | flags  | 0              | foffset | 0             |
    +--------+----------------+---------+---------------+
    | id     | 63029          | ttl     | 241           |
    +--------+----------------+---------+---------------+
    | src_ip | 64.233.189.104 | dest_ip | 218.11.149.14 |
    +--------+----------------+---------+---------------+
    | proto  | 6              | cksum   | 26154         |
    +--------+----------------+---------+---------------+
    +------------------------------------------------+
    | TCP Header                                     |
    +----------+------------+-----------+------------+
    | src_port | 80         | dest_port | 32851      |
    +----------+------------+-----------+------------+
    | seqnum   | 3660731207 | acknum    | 1104143984 |
    +----------+------------+-----------+------------+
    | hlen     | 6          | reserved  | 0          |
    +----------+------------+-----------+------------+
    | flags    | 18         | winsize   | 4356       |
    +----------+------------+-----------+------------+
==ID.3==============================================================
    +---------------------------------------------------+
    | IP Header                                         |
    +--------+---------------+---------+----------------+
    | ver    | 4             | hlen    | 5              |
    +--------+---------------+---------+----------------+
    | tos    | 0             | len     | 40             |
    +--------+---------------+---------+----------------+
    | flags  | 2             | foffset | 0              |
    +--------+---------------+---------+----------------+
    | id     | 20684         | ttl     | 64             |
    +--------+---------------+---------+----------------+
    | src_ip | 218.11.149.14 | dest_ip | 64.233.189.104 |
    +--------+---------------+---------+----------------+
    | proto  | 6             | cksum   | 31896          |
    +--------+---------------+---------+----------------+
    +------------------------------------------------+
    | TCP Header                                     |
    +----------+------------+-----------+------------+
    | src_port | 32851      | dest_port | 80         |
    +----------+------------+-----------+------------+
    | seqnum   | 1104143984 | acknum    | 3660731208 |
    +----------+------------+-----------+------------+
    | hlen     | 5          | reserved  | 0          |
    +----------+------------+-----------+------------+
    | flags    | 16         | winsize   | 5808       |
    +----------+------------+-----------+------------+
==ID.4==============================================================
    +---------------------------------------------------+
    | IP Header                                         |
    +--------+---------------+---------+----------------+
    | ver    | 4             | hlen    | 5              |
    +--------+---------------+---------+----------------+
    | tos    | 16            | len     | 89             |
    +--------+---------------+---------+----------------+
    | flags  | 2             | foffset | 0              |
    +--------+---------------+---------+----------------+
    | id     | 20685         | ttl     | 64             |
    +--------+---------------+---------+----------------+
    | src_ip | 218.11.149.14 | dest_ip | 64.233.189.104 |
    +--------+---------------+---------+----------------+
    | proto  | 6             | cksum   | 31830          |
    +--------+---------------+---------+----------------+
    +------------------------------------------------+
    | TCP Header                                     |
    +----------+------------+-----------+------------+
    | src_port | 32851      | dest_port | 80         |
    +----------+------------+-----------+------------+
    | seqnum   | 1104143984 | acknum    | 3660731208 |
    +----------+------------+-----------+------------+
    | hlen     | 5          | reserved  | 0          |
    +----------+------------+-----------+------------+
    | flags    | 24         | winsize   | 5808       |
    +----------+------------+-----------+------------+
    +--------------------------------------------+
    | TCP data                                   |
    +--------------------------------------------+
    | GET / HTTP/1.1Accept: text/html; text/plai |
    +--------------------------------------------+
==ID.5==============================================================
    +---------------------------------------------------+
    | IP Header                                         |
    +--------+----------------+---------+---------------+
    | ver    | 4              | hlen    | 5             |
    +--------+----------------+---------+---------------+
    | tos    | 0              | len     | 40            |
    +--------+----------------+---------+---------------+
    | flags  | 0              | foffset | 0             |
    +--------+----------------+---------+---------------+
    | id     | 47931          | ttl     | 241           |
    +--------+----------------+---------+---------------+
    | src_ip | 64.233.189.104 | dest_ip | 218.11.149.14 |
    +--------+----------------+---------+---------------+
    | proto  | 6              | cksum   | 41256         |
    +--------+----------------+---------+---------------+
    +------------------------------------------------+
    | TCP Header                                     |
    +----------+------------+-----------+------------+
    | src_port | 80         | dest_port | 32851      |
    +----------+------------+-----------+------------+
    | seqnum   | 3660731208 | acknum    | 1104144033 |
    +----------+------------+-----------+------------+
    | hlen     | 5          | reserved  | 0          |
    +----------+------------+-----------+------------+
    | flags    | 16         | winsize   | 4356       |
    +----------+------------+-----------+------------+
===End===
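The seq/ack bookkeeping that makes an inserted segment visible, as an added example that is not the article's script: a flow checker fed with the five segments from the result tables above plus a constructed sixth segment standing in for the kernel socket's own first write (INJECTED is the script's request; LEGIT, check_flow, wire_view and client_stack_view are assumed names). Run without packet 4, the same function shows what the client's own stack sees: the server's ACK 1104144033 acknowledges 49 bytes that stack never sent, which is the disorder the description mentions.

```python
"""Wire-side TCP flow checker that exposes an inserted segment through the
sequence-number inconsistency it leaves behind (added example, not the
article's script; segments 1-5 reuse the article's result-table values)."""
from collections import namedtuple

# flags: any of S, A, P, F; data: payload bytes (defaults to none)
Seg = namedtuple("Seg", "src dst flags seq ack data", defaults=[b""])

def check_flow(segs):
    """Track per endpoint the next seq it should send (nxt) and each payload byte
    already seen at an absolute seq (sent); return (segment no, code, detail)."""
    nxt, sent, findings = {}, {}, []
    for i, s in enumerate(segs, 1):
        exp = nxt.get(s.src)
        if exp is not None and "S" not in s.flags and s.seq != exp:
            findings.append((i, "seq-overlap" if s.seq < exp else "seq-gap", exp))
        seen = sent.setdefault(s.src, {})
        bad = [s.seq + k for k, b in enumerate(s.data) if seen.get(s.seq + k, b) != b]
        if bad:  # same seq range, different bytes: two senders behind one 4-tuple
            findings.append((i, "data-mismatch", bad[0]))
        seen.update({s.seq + k: b for k, b in enumerate(s.data) if s.seq + k not in seen})
        if "A" in s.flags and s.dst in nxt and s.ack > nxt[s.dst]:
            findings.append((i, "ack-unsent", s.ack - nxt[s.dst]))  # RFC 793: SEG.ACK > SND.NXT
        end = s.seq + len(s.data) + ("S" in s.flags) + ("F" in s.flags)
        nxt[s.src] = max(exp or 0, end)
    return findings

C, S = "218.11.149.14:32851", "64.233.189.104:80"
INJECTED = b"GET / HTTP/1.1\r\nAccept: text/html; text/plain\r\n\r\n"  # the script's 49-byte request
LEGIT = b"GET /index.html HTTP/1.0\r\n\r\n"  # constructed: what the kernel socket would send
TRACE = [
    Seg(C, S, "S",  1104143983, 0),                     # 1 SYN
    Seg(S, C, "SA", 3660731207, 1104143984),            # 2 SYN/ACK
    Seg(C, S, "A",  1104143984, 3660731208),            # 3 ACK: handshake complete
    Seg(C, S, "PA", 1104143984, 3660731208, INJECTED),  # 4 segment sent from the raw socket
    Seg(S, C, "A",  3660731208, 1104144033),            # 5 server ACKs all 49 inserted bytes
    Seg(C, S, "PA", 1104143984, 3660731208, LEGIT),     # 6 constructed: the socket's own first write
]

def wire_view():
    """A passive sensor on the path: #6 overlaps #4 with different bytes."""
    return check_flow(TRACE)

def client_stack_view():
    """The client's own TCP never sent #4; in its view segment 4 ACKs 49 unsent bytes."""
    return check_flow([s for s in TRACE if s is not TRACE[3]])
```

The truncated text/plai in the ID.4 data row is consistent with the capture length rather than with the segment: the 89-byte IP packet plus the 16 link-header bytes is 105 bytes, and a 100-byte snaplen (Net::PcapUtils' default when SNAPLEN is not passed to open) drops exactly the last five bytes, n\r\n\r\n, while the server's ACK of 1104144033 confirms all 49 bytes arrived.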
