用Socket的API Connect完成TCP建立连接的三次握手,同时子进程抓包,抓完三次握手的包后,插入第四个包即可,从对端返回的第五个包来看插入成功了,但因为插入了一个TCP包,之后的连接将发生混乱。可以将插入的那个包Data设置为HTTP Request,向WEB服务器提交请求。又如果目标系统的TCP序列号是可预计算的,那么是否可以做带伪源地址的Blind TCP three-time handshakes和插入,值得试验!
二、脚本
1、用到几个模块Net::RawIP Net::Pcap Net::PcapUtils NetPacket;
2、pretty_table()函数是我原来做的,用来在命令行下打印表格(Table);
3、测试环境-Linux、ADSL拨号,抓包的接口是ppp0,帧的结构和Eth帧结构不同,不能使用NetPacket::Ethernet模块中的strip函数处理帧首部,根据ethereal抓包的结构,我使用unpack函数取得了帧中的IP包;
三、源代码
#!/usr/bin/perl
#By i_am_jojo@msn.com, 2005/04
use strict;
use warnings;
use Net::RawIP;
use Net::PcapUtils;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
use Socket;
use Getopt::Std;
use POSIX qw(strftime);
my %opts;
getopts('ht:p:u:n:', /%opts);
print_help() and exit if(defined($opts{'h'}));
print_help() and exit if(not defined($opts{'t'}) or not defined($opts{'p'}));
die "/tInvalid Target Ipaddress!/n"
if(defined($opts{'t'}) and $opts{'t'} !~ m/^/d+./d+./d+./d+$/);
die "/tInvalid Service Port!/n"
if(defined($opts{'p'}) and $opts{'p'} !~ m/^/d+$/);
my $request;
if(defined($opts{'u'})) {
$request = "GET $opts{'u'} HTTP/1.1/r/n";
$request.= "Accept: text/html; text/plain/r/n";
$request.= "/r/n";
} else {
$request = "GET / HTTP/1.1/r/n";
$request.= "Accept: text/html; text/plain/r/n";
$request.= "/r/n";
}
my $child = fork();
if($child == 0) {
#child process
my ($next_packet, %next_header);
my ($frame_hdr, $ip_packet);
my ($ip_obj, $tcp_obj);
my $counter = 0;
my $pkt_descriptor = Net::PcapUtils::open(
FILTER => 'ip',
PROMISC => 0,
DEV => 'ppp0',
#DEV => 'eth0'
);
die "Net::PcapUtils::open returned: $pkt_descriptor/n" if (!ref($pkt_descriptor));
print strftime '%Y/%m/%d %H:%M:%S, ', localtime and print "begin sniffing .../n";
while(($next_packet, %next_header) = Net::PcapUtils::next($pkt_descriptor)) {
($frame_hdr, $ip_packet) = unpack 'H32a*', $next_packet;
$ip_obj = NetPacket::IP->decode($ip_packet);
#$ip_obj = NetPacket::IP->decode(NetPacket::Ethernet::eth_strip($next_packet));
next if ($ip_obj->{'proto'} != 6);
next if (($ip_obj->{'src_ip'} ne $opts{'t'})
and ($ip_obj->{'dest_ip'} ne $opts{'t'}));
$tcp_obj = NetPacket::TCP->decode($ip_obj->{'data'});
next if (($tcp_obj->{'src_port'} ne $opts{'p'})
and ($tcp_obj->{'dest_port'} ne $opts{'p'}));
$counter++;
print "==ID.$counter==", '=' x 60, "/n";
print get_ip_hdr($ip_obj);
print get_tcp_hdr($tcp_obj);
if($tcp_obj->{'data'}) {
my $data;
$data = unpack 'a*', $tcp_obj->{'data'};
$data =~ s/[/r][/n]//g;
print pretty_table('TCP data', [$data]);
}
if($counter == 3) {
my $a = new Net::RawIP;
$a->set({
'ip' => {
'id' => $ip_obj->{'id'} + 1,
'saddr' => $ip_obj->{'src_ip'},
'daddr' => $ip_obj->{'dest_ip'}
},
'tcp' => {
'source' => $tcp_obj->{'src_port'},
'dest' => $tcp_obj->{'dest_port'},
'seq' => $tcp_obj->{'seqnum'},
'ack_seq' => $tcp_obj->{'acknum'},
'window' => $tcp_obj->{'winsize'},
'data' => $request,
'psh' => 1,
'ack' => 1
}
});
$a->send;
}
last if($counter == 5);
}
exit;
} else {
sleep(1);
my $trans_serv = getprotobyname('tcp');
my $dest_sockaddr = sockaddr_in($opts{'p'}, inet_aton($opts{'t'}));
socket(TCP_SOCK, PF_INET, SOCK_STREAM, $trans_serv);
connect(TCP_SOCK, $dest_sockaddr);
sleep(1);
#close TCP_SOCK;
}
exit;
sub print_help {
print <<HELP
%./iamFool.pl [-h] <-t,-p,-u,-n>
-h print help
-t target ipaddr
-p service port
-u requested url
by:i_am_jojo/@msn.com
HELP
}
sub get_ip_hdr {
my $ip_obj = shift;
my @ip_hdr;
push @ip_hdr, [qw(ver tos flags id src_ip proto)];
push @{$ip_hdr[1]}, $ip_obj->{$_} foreach (qw(ver tos flags id src_ip proto));
push @ip_hdr, [qw(hlen len foffset ttl dest_ip cksum)];
push @{$ip_hdr[3]}, $ip_obj->{$_} foreach (qw(hlen len foffset ttl dest_ip cksum));
return pretty_table('IP Header', @ip_hdr);
}
sub get_tcp_hdr {
my $tcp_obj = shift;
my @tcp_hdr;
push @tcp_hdr, [qw(src_port seqnum hlen flags)];
push @{$tcp_hdr[1]}, $tcp_obj->{$_} foreach (qw(src_port seqnum hlen flags));
push @tcp_hdr, [qw(dest_port acknum reserved winsize)];
push @{$tcp_hdr[3]}, $tcp_obj->{$_} foreach (qw(dest_port acknum reserved winsize));
return pretty_table('TCP Header', @tcp_hdr);
}
sub pretty_table {
# prettyTable($aString, @aList); @aList = ( [...], [...] );
# by i_am_jojo@msn.com
my ($title, @data) = @_;
my @temp;
my @max_length;
my $row_length;
my $indent = 4;
my $the_table;
foreach my $col (0..$#{$data[0]}) { push @{$temp[$col]}, $_->[$col] foreach (@data); }
$max_length[$_] = length( (sort{length($b) <=> length($a)} @{$data[$_]} )[0]) + 2 foreach (0..$#data);
$row_length+= $max_length[$_] foreach (0..$#{$temp[0]});
$row_length+= $#data;
$the_table = ' ' x $indent.'+'.'-' x $row_length."+/n";
$the_table.= ' ' x $indent.'| '.$title.' ' x ($row_length - length($title) - 1)."|/n";
foreach my $row (0..$#temp) {
$the_table.= ' ' x $indent;
$the_table.= '+'.'-' x $max_length[$_] foreach (0.. $#{$temp[0]});
$the_table.= "+/n";
$the_table.= ' ' x $indent;
$the_table.= '| '.@{$temp[$row]}[$_].' ' x ($max_length[$_] - length(@{$temp[$row]}[$_]) - 1) foreach (0.. $#{$temp[0]});
$the_table.= "|/n";
}
$the_table.= ' ' x $indent;
$the_table.= '+'.'-' x $max_length[$_] foreach (0.. $#{$temp[0]});
$the_table.= "+/n";
return $the_table;
}
四、结果举例
==Result eXample==
2005/05/02 21:51:23, begin sniffing ...
==ID.1==============================================================
+---------------------------------------------------+
| IP Header |
+--------+---------------+---------+----------------+
| ver | 4 | hlen | 5 |
+--------+---------------+---------+----------------+
| tos | 0 | len | 60 |
+--------+---------------+---------+----------------+
| flags | 2 | foffset | 0 |
+--------+---------------+---------+----------------+
| id | 20682 | ttl | 64 |
+--------+---------------+---------+----------------+
| src_ip | 218.11.149.14 | dest_ip | 64.233.189.104 |
+--------+---------------+---------+----------------+
| proto | 6 | cksum | 31878 |
+--------+---------------+---------+----------------+
+------------------------------------------+
| TCP Header |
+----------+------------+-----------+------+
| src_port | 32851 | dest_port | 80 |
+----------+------------+-----------+------+
| seqnum | 1104143983 | acknum | 0 |
+----------+------------+-----------+------+
| hlen | 10 | reserved | 0 |
+----------+------------+-----------+------+
| flags | 2 | winsize | 5808 |
+----------+------------+-----------+------+
==ID.2==============================================================
+---------------------------------------------------+
| IP Header |
+--------+----------------+---------+---------------+
| ver | 4 | hlen | 5 |
+--------+----------------+---------+---------------+
| tos | 0 | len | 44 |
+--------+----------------+---------+---------------+
| flags | 0 | foffset | 0 |
+--------+----------------+---------+---------------+
| id | 63029 | ttl | 241 |
+--------+----------------+---------+---------------+
| src_ip | 64.233.189.104 | dest_ip | 218.11.149.14 |
+--------+----------------+---------+---------------+
| proto | 6 | cksum | 26154 |
+--------+----------------+---------+---------------+
+------------------------------------------------+
| TCP Header |
+----------+------------+-----------+------------+
| src_port | 80 | dest_port | 32851 |
+----------+------------+-----------+------------+
| seqnum | 3660731207 | acknum | 1104143984 |
+----------+------------+-----------+------------+
| hlen | 6 | reserved | 0 |
+----------+------------+-----------+------------+
| flags | 18 | winsize | 4356 |
+----------+------------+-----------+------------+
==ID.3==============================================================
+---------------------------------------------------+
| IP Header |
+--------+---------------+---------+----------------+
| ver | 4 | hlen | 5 |
+--------+---------------+---------+----------------+
| tos | 0 | len | 40 |
+--------+---------------+---------+----------------+
| flags | 2 | foffset | 0 |
+--------+---------------+---------+----------------+
| id | 20684 | ttl | 64 |
+--------+---------------+---------+----------------+
| src_ip | 218.11.149.14 | dest_ip | 64.233.189.104 |
+--------+---------------+---------+----------------+
| proto | 6 | cksum | 31896 |
+--------+---------------+---------+----------------+
+------------------------------------------------+
| TCP Header |
+----------+------------+-----------+------------+
| src_port | 32851 | dest_port | 80 |
+----------+------------+-----------+------------+
| seqnum | 1104143984 | acknum | 3660731208 |
+----------+------------+-----------+------------+
| hlen | 5 | reserved | 0 |
+----------+------------+-----------+------------+
| flags | 16 | winsize | 5808 |
+----------+------------+-----------+------------+
==ID.4==============================================================
+---------------------------------------------------+
| IP Header |
+--------+---------------+---------+----------------+
| ver | 4 | hlen | 5 |
+--------+---------------+---------+----------------+
| tos | 16 | len | 89 |
+--------+---------------+---------+----------------+
| flags | 2 | foffset | 0 |
+--------+---------------+---------+----------------+
| id | 20685 | ttl | 64 |
+--------+---------------+---------+----------------+
| src_ip | 218.11.149.14 | dest_ip | 64.233.189.104 |
+--------+---------------+---------+----------------+
| proto | 6 | cksum | 31830 |
+--------+---------------+---------+----------------+
+------------------------------------------------+
| TCP Header |
+----------+------------+-----------+------------+
| src_port | 32851 | dest_port | 80 |
+----------+------------+-----------+------------+
| seqnum | 1104143984 | acknum | 3660731208 |
+----------+------------+-----------+------------+
| hlen | 5 | reserved | 0 |
+----------+------------+-----------+------------+
| flags | 24 | winsize | 5808 |
+----------+------------+-----------+------------+
+--------------------------------------------+
| TCP data |
+--------------------------------------------+
| GET / HTTP/1.1Accept: text/html; text/plai |
+--------------------------------------------+
==ID.5==============================================================
+---------------------------------------------------+
| IP Header |
+--------+----------------+---------+---------------+
| ver | 4 | hlen | 5 |
+--------+----------------+---------+---------------+
| tos | 0 | len | 40 |
+--------+----------------+---------+---------------+
| flags | 0 | foffset | 0 |
+--------+----------------+---------+---------------+
| id | 47931 | ttl | 241 |
+--------+----------------+---------+---------------+
| src_ip | 64.233.189.104 | dest_ip | 218.11.149.14 |
+--------+----------------+---------+---------------+
| proto | 6 | cksum | 41256 |
+--------+----------------+---------+---------------+
+------------------------------------------------+
| TCP Header |
+----------+------------+-----------+------------+
| src_port | 80 | dest_port | 32851 |
+----------+------------+-----------+------------+
| seqnum | 3660731208 | acknum | 1104144033 |
+----------+------------+-----------+------------+
| hlen | 5 | reserved | 0 |
+----------+------------+-----------+------------+
| flags | 16 | winsize | 4356 |
+----------+------------+-----------+------------+
===End===
在TCP三次握手后插入伪造的TCP包
一、说明 用Socket的API Connect完成TCP建立连接的三次握手,同时子进程抓包,抓完三次握手的包后,插入第四个包即可,从对端返回的第五个包来看插入成功了,但因为插入了一个TCP包,之后的连接将发生混乱。可以将插入的那个包Data设置为HTTP Request,向WEB服务器提交请求。又如果目标系统的TCP序列号是可预计算的,那么是否可以做带伪源地址的Blind TCP three-time handshakes和插入,值得试验!
作者所做的实验其实什么也说明不了,只是验证了一下TCP协议序号和检验和计算函数而已。
我想作者八成是受了CC攻击原理的启发,想不通过代理的方式以达到CC攻击效果。但在序号预测这个步骤上,说实话没有可行性。正常TCP协议采用的同步序号是随机值,在43亿的可选空间中,以百兆带宽的速度进行预测也将是杯水车薪。但是……
为了防御ddos,不少厂商的安全设备中都实现了无状态的syn cookie算法,这种算法在大量syn冲击下利用cookie序号在ack包回传的方式判断连接请求的合法性。所以他们的TCP协议握手部分不是一个健康的实现,本思路经修改后用于攻击此类设备将会取得不错的效果。下面简单介绍攻击者如何以64字节ACK包换取服务器1518大数据包重传,如果源IP伪造成功,攻击者从理论上将获得20余倍的带宽放大攻击效果 。如果有两个目标网站,本方法将一箭双雕。
攻击原理:利用TCP协议收到ACK后的快速重传机制
序号乱刀之一:攻击正常TCP/IP协议栈示意图
当我们获得http response回应后,立即回复一个ack数据包,此ack数据包的seq值是http response数据包中的ack seq值,而ack seq值为http response数据包的seq序号值。这样当server收到此ack数据包后,会认为是自己刚才发送的http response包在网络中已丢失,会利用快速重传机制加以重传。如果我们拼命发送大量的ack包,则服务器就会不断进行重传。Ack数据包的大小只需64字节,但http response通常都在512字节左右,最长可达1518字节。
因为正常tcp协议序号的不可预测性,所以我们在这次攻击中暴露了自己的真实IP。
序号乱刀之二:攻击采用静态syn cookie的ddos设备防护下的服务器
所谓静态syn cookie就是以客户端请求之syn包为参数计算回复syn ack中的seq值,并在ack包回传时判断连接合法性的方法,这种方法被ddos厂商大量采用,并且获得数量可观的国家发明专利,呵呵….。你经常会听到ddos厂商的人说他们的设备比防火墙“牛”多了,可轻松达到百兆线速syn防御,但百兆防火墙30M攻击流量就可以干掉,说这种话的ddos厂商,我可以打赌他们的设备80%采用了这种syn cookie算法。
Syn cookie算法的好处是只在synflood攻击时消耗CPU资源,这对于X86下强悍的通用CPU来说,正适用。
读者可能会感到很奇怪,为什么如此成熟的技术防火墙不采用,而让ddos厂商成天挤对?这有如下几个方面的原因:
1:防火墙也用syn cookie进行synflood防御的,但大多不是静态syn cookie,而是严格记录连接状态采用动态syn cookie,所以当syn flood攻击时不光消耗CPU,还要消耗大量内存。这也就是我本文开头提及的本方法可以攻击大部分ddos厂商和小部分防火墙厂商的原因。
2:syn cookie/syn proxy是bsd系统内核源码的一部分,在Linux最新版的2.6内核中syn proxy还没有被包含。所以ddos设备也大多由bsd系统组成。当然bsd是开源的,移植也不是什么大问题喽。
3:防火墙大多以Linux下的开源软件netfilter为基础,但netfilter中hash算法和连接表设计不是很优秀,防火墙转发性能的瓶颈就在于此,如果再加入syn proxy表项,会进一步降低对数据包的处理能力或加大连接表体积。高端防火墙大都支持数百万的连接数,这百万的表项就够防火墙喝一壶的了,再加一个syn proxy表项,性能还不得掉的稀里哗拉的?
4:防火墙很重要的一个网络功能就是DNAT,在没有DNAT操作前,防火墙不知道这些syn包的最终目的地是自身还是DMZ区的服务器,所以syn包必须DNAT后才知道是否要进行syn cookie保护。但这时就已经进入到netfilter处理框架了,性能当然就跟不上了。你见过几个ddos设备支持NAT的?如果支持了,他的性能也会下降不少。如果防火墙工作在桥模式下,不经过netfilter处理框架,防火墙就可以摇身一变成为性能卓越的抗ddos设备了,吗功能都没有,当然一身轻松了。呵呵…但您买的是防火墙,会这么大材小用吗?
言归正传,采用静态syn cookie的ddos设备,我们只需要重放一个ack包就可以达到与服务器的三次握手效果,因此可以做到源IP地址伪装。(这个伪装的源IP地址是你以前用过的,并且与ddos设备通讯过,并保存下来的,现在将它重放而己。如果你看不懂我在说什么,参照我写的《对国内ddos厂商技术点评》一文,抓包分析一下就知道了)。第二步就是发送一个正常的http request请求,随后就是大量的虚假ack请求重传。
天知道,谁在用我们伪装的源IP地址,做为一个连带的牺牲品。
你可能会认为受害服务器B会回复rst包给受害服务器A。这是有可能,但如果服务器B前面加装了一个“状态检测”防火墙,就会直接丢弃这个反射的http response数据包。