l0pht (vbs_at_21cn.com) 在TCP三次握手后插入伪造的TCP包 一、说明 用Socket的APIConnect完成TCP建立连接的三次握手,同时子进程抓包,抓完三次握手的包后,插" name="description" />

在TCP三次握手后插入伪造的TCP包

发表于:2007-05-25来源:作者:点击数: 标签:三次握手伪造TCP插入
在TCP三次握手后插入伪造的TCP包 创建时间:2005-05-03 文章属性:转载 文章提交: MI D=19646">l0pht (vbs_at_21cn.com) 在TCP三次握手后插入伪造的TCP包 一、说明 用Socket的APIConnect完成TCP建立连接的三次握手,同时子进程抓包,抓完三次握手的包后,插

在TCP三次握手后插入伪造的TCP包


创建时间:2005-05-03
文章属性:转载
文章提交:MID=19646">l0pht (vbs_at_21cn.com)

在TCP三次握手后插入伪造的TCP包
一、说明

用Socket的API Connect完成TCP建立连接的三次握手,同时子进程抓包,抓完三次握手的包后,插入第四个包即可,从对端返回的第五个包来看插入成功了,但因为插入 了一个TCP包,之后的连接将发生混乱。可以将插入的那个包Data设置为HTTP Request,向WEB服务器提交请求。又如果目标系统的TCP序列号是可预计算的,那么是否可以做带伪源地址的Blind TCP three-time handshakes和插入,值得试验!

二、脚本

1、用到几个模块Net::RawIP Net::Pcap Net::PcapUtils NetPacket;
2、pretty_table()函数是我原来做的,用来在命令行下打印表格(Table);
3、测试环境-Linux、ADSL拨号,抓包的接口是ppp0,帧的结构和Eth帧结构不同,不能使用NetPacket::Ethernet模块中的strip函数处理帧首部,根据ethereal抓包的结构,我使用unpack函数取得了帧中的IP包;

三、源代码

#!/usr/bin/perl
#By i_am_jojo@msn.com, 2005/04
use strict;
use warnings;

use Net::RawIP;
use Net::PcapUtils;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;

use Socket;
use Getopt::Std;
use POSIX qw(strftime);

my %opts;
getopts('ht:p:u:n:', \%opts);

print_help() and exit if(defined($opts));
print_help() and exit if(not defined($opts) or not defined($opts));

die "\tInvalid Target Ipaddress!\n"
    if(defined($opts) and $opts !~ m/^\d+.\d+.\d+.\d+$/);

die "\tInvalid Service Port!\n"
    if(defined($opts) and $opts !~ m/^\d+$/);

my $request;
if(defined($opts)) {
    $request = "GET $opts HTTP/1.1\r\n";
    $request.= "Aclearcase/" target="_blank" >ccept: text/html; text/plain\r\n";
    $request.= "\r\n";
} else {
    $request = "GET / HTTP/1.1\r\n";
    $request.= "Accept: text/html; text/plain\r\n";
    $request.= "\r\n";
}

my $child = fork();

if($child == 0) {
    #child process
    my ($next_packet, %next_header);
    my ($frame_hdr, $ip_packet);
    my ($ip_obj, $tcp_obj);
    my $counter = 0;

    my $pkt_descriptor = Net::PcapUtils::open(
        FILTER  => 'ip',
        PROMISC => 0,
        DEV     => 'ppp0',
        #DEV    => 'eth0'
    );

    die "Net::PcapUtils::open returned: $pkt_descriptor\n" if (!ref($pkt_descriptor));
    print strftime '%Y/%m/%d %H:%M:%S, ', localtime and print "begin sniffing ...\n";
    
    while(($next_packet, %next_header) = Net::PcapUtils::next($pkt_descriptor)) {        
        ($frame_hdr, $ip_packet) = unpack 'H32a*', $next_packet;
        $ip_obj = NetPacket::IP->decode($ip_packet);
        #$ip_obj = NetPacket::IP->decode(NetPacket::Ethernet::eth_strip($next_packet));
        
        next if ($ip_obj-> != 6);
        next if (($ip_obj-> ne $opts)
                  and ($ip_obj-> ne $opts));
        
        $tcp_obj = NetPacket::TCP->decode($ip_obj->);
        next if (($tcp_obj-> ne $opts)
                  and ($tcp_obj-> ne $opts));
        
        $counter++;
        
        print "==ID.$counter==", '=' x 60, "\n";
        print get_ip_hdr($ip_obj);
        print get_tcp_hdr($tcp_obj);
        if($tcp_obj->) {
            my $data;
            $data = unpack 'a*', $tcp_obj->;
            $data =~ s/[\r][\n]//g;
            print pretty_table('TCP data', [$data]);
        }
        
        if($counter == 3) {
            my $a = new Net::RawIP;
            $a->set({
                'ip' => {
                    'id'    => $ip_obj-> + 1,
                    'saddr' => $ip_obj->,
                    'daddr' => $ip_obj->
                    },
                'tcp' => {
                    'source'  => $tcp_obj->,
                    'dest'    => $tcp_obj->,
                    'seq'     => $tcp_obj->,
                    'ack_seq' => $tcp_obj->,
                    'window'  => $tcp_obj->,
                    'data'    => $request,
                    'psh'     => 1,
                    'ack'     => 1
                    }
                });
            $a->send;
        }
        last if($counter == 5);
    }
    exit;
} else {
    sleep(1);
    my $trans_serv = getprotobyname('tcp');
    my $dest_sockaddr = sockaddr_in($opts, inet_aton($opts));
    
    socket(TCP_SOCK, PF_INET, SOCK_STREAM, $trans_serv);
    connect(TCP_SOCK, $dest_sockaddr);
    sleep(1);
    #close TCP_SOCK;
}

exit;

sub print_help {
    print <<HELP
    
    %./iamFool.pl [-h] <-t,-p,-u,-n>
    -h    print help
    -t    target ipaddr
    -p    service port
    -u    requested url
    
                by:i_am_jojo\@msn.com
                
HELP
}

sub get_ip_hdr {
    my $ip_obj = shift;
    my @ip_hdr;
    
    push @ip_hdr, [qw(ver tos flags id src_ip proto)];
    push @, $ip_obj-> foreach (qw(ver tos flags id src_ip proto));
    push @ip_hdr, [qw(hlen len foffset ttl dest_ip cksum)];
    push @, $ip_obj-> foreach (qw(hlen len foffset ttl dest_ip cksum));
    
    return pretty_table('IP Header', @ip_hdr);
}

sub get_tcp_hdr {
    my $tcp_obj = shift;
    my @tcp_hdr;
    
    push @tcp_hdr, [qw(src_port seqnum hlen flags)];
    push @, $tcp_obj-> foreach (qw(src_port seqnum hlen flags));
    push @tcp_hdr, [qw(dest_port acknum reserved winsize)];
    push @, $tcp_obj-> foreach (qw(dest_port acknum reserved winsize));
    
    return pretty_table('TCP Header', @tcp_hdr);
}

sub pretty_table {
    # prettyTable($aString, @aList); @aList = ( [...], [...] );
    # by i_am_jojo@msn.com
    my ($title, @data) = @_;
    my @temp;
    my @max_length;
    my $row_length;
    my $indent = 4;
    my $the_table;

    foreach my $col (0..$#) { push @, $_->[$col] foreach (@data); }
    $max_length[$_] = length( (sort{length($b) <=> length($a)} @ )[0]) + 2 foreach (0..$#data);
    $row_length+= $max_length[$_] foreach (0..$#);  
    $row_length+= $#data;
    
    $the_table = ' ' x $indent.'+'.'-' x $row_length."+\n";
    $the_table.= ' ' x $indent.'| '.$title.' ' x ($row_length - length($title) - 1)."|\n";
    foreach my $row (0..$#temp) {
        $the_table.= ' ' x $indent;
        $the_table.= '+'.'-' x $max_length[$_] foreach (0.. $#);
        $the_table.= "+\n";
        $the_table.= ' ' x $indent;
        $the_table.= '| '.@[$_].' ' x ($max_length[$_] - length(@[$_]) - 1) foreach (0.. $#);
        $the_table.= "|\n";
    }
    $the_table.= ' ' x $indent;
    $the_table.= '+'.'-' x $max_length[$_] foreach (0.. $#);
    $the_table.= "+\n";
    
    return $the_table;
}


四、结果举例

==Result eXample==

2005/05/02 21:51:23, begin sniffing ...
==ID.1==============================================================
    +---------------------------------------------------+
    | IP Header                                         |
    +--------+---------------+---------+----------------+
    | ver    | 4             | hlen    | 5              |
    +--------+---------------+---------+----------------+
    | tos    | 0             | len     | 60             |
    +--------+---------------+---------+----------------+
    | flags  | 2             | foffset | 0              |
    +--------+---------------+---------+----------------+
    | id     | 20682         | ttl     | 64             |
    +--------+---------------+---------+----------------+
    | src_ip | 218.11.149.14 | dest_ip | 64.233.189.104 |
    +--------+---------------+---------+----------------+
    | proto  | 6             | cksum   | 31878          |
    +--------+---------------+---------+----------------+
    +------------------------------------------+
    | TCP Header                               |
    +----------+------------+-----------+------+
    | src_port | 32851      | dest_port | 80   |
    +----------+------------+-----------+------+
    | seqnum   | 1104143983 | acknum    | 0    |
    +----------+------------+-----------+------+
    | hlen     | 10         | reserved  | 0    |
    +----------+------------+-----------+------+
    | flags    | 2          | winsize   | 5808 |
    +----------+------------+-----------+------+
==ID.2==============================================================
    +---------------------------------------------------+
    | IP Header                                         |
    +--------+----------------+---------+---------------+
    | ver    | 4              | hlen    | 5             |
    +--------+----------------+---------+---------------+
    | tos    | 0              | len     | 44            |
    +--------+----------------+---------+---------------+
    | flags  | 0              | foffset | 0             |
    +--------+----------------+---------+---------------+
    | id     | 63029          | ttl     | 241           |
    +--------+----------------+---------+---------------+
    | src_ip | 64.233.189.104 | dest_ip | 218.11.149.14 |
    +--------+----------------+---------+---------------+
    | proto  | 6              | cksum   | 26154         |
    +--------+----------------+---------+---------------+
    +------------------------------------------------+
    | TCP Header                                     |
    +----------+------------+-----------+------------+
    | src_port | 80         | dest_port | 32851      |
    +----------+------------+-----------+------------+
    | seqnum   | 3660731207 | acknum    | 1104143984 |
    +----------+------------+-----------+------------+
    | hlen     | 6          | reserved  | 0          |
    +----------+------------+-----------+------------+
    | flags    | 18         | winsize   | 4356       |
    +----------+------------+-----------+------------+
==ID.3==============================================================
    +---------------------------------------------------+
    | IP Header                                         |
    +--------+---------------+---------+----------------+
    | ver    | 4             | hlen    | 5              |
    +--------+---------------+---------+----------------+
    | tos    | 0             | len     | 40             |
    +--------+---------------+---------+----------------+
    | flags  | 2             | foffset | 0              |
    +--------+---------------+---------+----------------+
    | id     | 20684         | ttl     | 64             |
    +--------+---------------+---------+----------------+
    | src_ip | 218.11.149.14 | dest_ip | 64.233.189.104 |
    +--------+---------------+---------+----------------+
    | proto  | 6             | cksum   | 31896          |
    +--------+---------------+---------+----------------+
    +------------------------------------------------+
    | TCP Header                                     |
    +----------+------------+-----------+------------+
    | src_port | 32851      | dest_port | 80         |
    +----------+------------+-----------+------------+
    | seqnum   | 1104143984 | acknum    | 3660731208 |
    +----------+------------+-----------+------------+
    | hlen     | 5          | reserved  | 0          |
    +----------+------------+-----------+------------+
    | flags    | 16         | winsize   | 5808       |
    +----------+------------+-----------+------------+
==ID.4==============================================================
    +---------------------------------------------------+
    | IP Header                                         |
    +--------+---------------+---------+----------------+
    | ver    | 4             | hlen    | 5              |
    +--------+---------------+---------+----------------+
    | tos    | 16            | len     | 89             |
    +--------+---------------+---------+----------------+
    | flags  | 2             | foffset | 0              |
    +--------+---------------+---------+----------------+
    | id     | 20685         | ttl     | 64             |
    +--------+---------------+---------+----------------+
    | src_ip | 218.11.149.14 | dest_ip | 64.233.189.104 |
    +--------+---------------+---------+----------------+
    | proto  | 6             | cksum   | 31830          |
    +--------+---------------+---------+----------------+
    +------------------------------------------------+
    | TCP Header                                     |
    +----------+------------+-----------+------------+
    | src_port | 32851      | dest_port | 80         |
    +----------+------------+-----------+------------+
    | seqnum   | 1104143984 | acknum    | 3660731208 |
    +----------+------------+-----------+------------+
    | hlen     | 5          | reserved  | 0          |
    +----------+------------+-----------+------------+
    | flags    | 24         | winsize   | 5808       |
    +----------+------------+-----------+------------+
    +--------------------------------------------+
    | TCP data                                   |
    +--------------------------------------------+
    | GET / HTTP/1.1Accept: text/html; text/plai |
    +--------------------------------------------+
==ID.5==============================================================
    +---------------------------------------------------+
    | IP Header                                         |
    +--------+----------------+---------+---------------+
    | ver    | 4              | hlen    | 5             |
    +--------+----------------+---------+---------------+
    | tos    | 0              | len     | 40            |
    +--------+----------------+---------+---------------+
    | flags  | 0              | foffset | 0             |
    +--------+----------------+---------+---------------+
    | id     | 47931          | ttl     | 241           |
    +--------+----------------+---------+---------------+
    | src_ip | 64.233.189.104 | dest_ip | 218.11.149.14 |
    +--------+----------------+---------+---------------+
    | proto  | 6              | cksum   | 41256         |
    +--------+----------------+---------+---------------+
    +------------------------------------------------+
    | TCP Header                                     |
    +----------+------------+-----------+------------+
    | src_port | 80         | dest_port | 32851      |
    +----------+------------+-----------+------------+
    | seqnum   | 3660731208 | acknum    | 1104144033 |
    +----------+------------+-----------+------------+
    | hlen     | 5          | reserved  | 0          |
    +----------+------------+-----------+------------+
    | flags    | 16         | winsize   | 4356       |
    +----------+------------+-----------+------------+
===End===

原文转自:http://www.ltesting.net