Inserting a forged TCP packet after the three-way handshake (repost)
1. Description
The parent process completes the TCP three-way handshake with an ordinary socket connect(); meanwhile a forked child process sniffs the traffic. Once the child has captured the three handshake packets it injects a fourth packet, and the fifth packet, sent back by the peer, shows that the injection succeeded. Because the injected packet carries data the local kernel never sent, the two ends now disagree about how many bytes have been transmitted (the peer acknowledges 49 bytes the local socket thinks are still unsent), and the rest of the connection falls apart. The data of the injected packet can be set to an HTTP request so that a request is submitted to the web server. And if the target system's TCP sequence numbers are predictable, it may be possible to perform a blind three-way handshake and injection with a spoofed source address, which is worth experimenting with. (That blind variant stands or falls on guessing the peer's initial sequence number; a stack that randomises ISNs as in RFC 6528 leaves nothing to predict.)
2. Script
1. Modules used: Net::RawIP, Net::Pcap, Net::PcapUtils, NetPacket;
2. pretty_table() is a function I wrote earlier to print a table on the command line;
3. Test environment: Linux with an ADSL dial-up link. The capture interface is ppp0, whose frame layout differs from an Ethernet frame, so the strip function of the NetPacket::Ethernet module cannot be used to remove the frame header. Going by the frame structure seen in ethereal, I used unpack to pull the IP packet out of the frame: 'H32a*' discards the first 16 bytes, which matches the 16-byte Linux cooked-capture (SLL) header libpcap presents on ppp interfaces, not the 14-byte Ethernet header.
3. Source code
#!/usr/bin/perl
# By i_am_jojo@msn.com, 2005/04
use strict;
use warnings;
use Net::RawIP;
use Net::PcapUtils;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
use Socket;
use Getopt::Std;
use POSIX qw(strftime);

my %opts;
getopts('ht:p:u:n:', \%opts);
print_help() and exit if (defined($opts{'h'}));
print_help() and exit if (not defined($opts{'t'}) or not defined($opts{'p'}));
die "Invalid Target Ipaddress!\n" if (defined($opts{'t'}) and $opts{'t'} !~ m/^\d+\.\d+\.\d+\.\d+$/);
die "Invalid Service Port!\n"     if (defined($opts{'p'}) and $opts{'p'} !~ m/^\d+$/);

# Payload of the injected segment: a minimal HTTP request with CRLF line endings
my $request;
if (defined($opts{'u'})) {
    $request = "GET $opts{'u'} HTTP/1.1\r\n";
} else {
    $request = "GET / HTTP/1.1\r\n";
}
$request .= "Accept: text/html; text/plain\r\n";
$request .= "\r\n";

my $child = fork();
if ($child == 0) {
    # child process: sniff the handshake, inject the 4th packet, stop after the 5th
    my ($next_packet, %next_header);
    my ($frame_hdr, $ip_packet);
    my ($ip_obj, $tcp_obj);
    my $counter = 0;
    my $pkt_descriptor = Net::PcapUtils::open(
        FILTER  => 'ip',
        PROMISC => 0,
        DEV     => 'ppp0',
        #DEV    => 'eth0'
    );
    die "Net::PcapUtils::open returned: $pkt_descriptor\n" if (!ref($pkt_descriptor));
    print strftime('%Y/%m/%d %H:%M:%S, ', localtime) and print "begin sniffing ...\n";
    while (($next_packet, %next_header) = Net::PcapUtils::next($pkt_descriptor)) {
        # ppp0 frames carry a 16-byte pseudo header, not a 14-byte Ethernet header:
        # skip 32 hex digits (16 bytes) by hand instead of using eth_strip()
        ($frame_hdr, $ip_packet) = unpack 'H32a*', $next_packet;
        $ip_obj = NetPacket::IP->decode($ip_packet);
        #$ip_obj = NetPacket::IP->decode(NetPacket::Ethernet::eth_strip($next_packet));
        next if ($ip_obj->{'proto'} != 6);
        next if (($ip_obj->{'src_ip'} ne $opts{'t'}) and ($ip_obj->{'dest_ip'} ne $opts{'t'}));
        $tcp_obj = NetPacket::TCP->decode($ip_obj->{'data'});
        next if (($tcp_obj->{'src_port'} ne $opts{'p'}) and ($tcp_obj->{'dest_port'} ne $opts{'p'}));
        $counter++;
        print "==ID.$counter==", '=' x 60, "\n";
        print get_ip_hdr($ip_obj);
        print get_tcp_hdr($tcp_obj);
        if ($tcp_obj->{'data'}) {
            my $data = unpack 'a*', $tcp_obj->{'data'};
            $data =~ s/[\r][\n]//g;    # drop CRLFs so the payload fits on one table row
            print pretty_table('TCP data', [$data]);
        }
        if ($counter == 3) {
            # The 3rd packet is our own ACK: reuse its addresses, ports, seq, ack and
            # window, bump the IP id by one, and push the request as a PSH/ACK segment
            my $raw = new Net::RawIP;
            $raw->set({
                'ip' => {
                    'id'    => $ip_obj->{'id'} + 1,
                    'saddr' => $ip_obj->{'src_ip'},
                    'daddr' => $ip_obj->{'dest_ip'}
                },
                'tcp' => {
                    'source'  => $tcp_obj->{'src_port'},
                    'dest'    => $tcp_obj->{'dest_port'},
                    'seq'     => $tcp_obj->{'seqnum'},
                    'ack_seq' => $tcp_obj->{'acknum'},
                    'window'  => $tcp_obj->{'winsize'},
                    'data'    => $request,
                    'psh'     => 1,
                    'ack'     => 1
                }
            });
            $raw->send;
        }
        last if ($counter == 5);
    }
    exit;
} else {
    # parent process: give the sniffer a second to start, then do a normal connect()
    sleep(1);
    my $trans_serv    = getprotobyname('tcp');
    my $dest_sockaddr = sockaddr_in($opts{'p'}, inet_aton($opts{'t'}));
    socket(TCP_SOCK, PF_INET, SOCK_STREAM, $trans_serv);
    connect(TCP_SOCK, $dest_sockaddr);
    sleep(1);
    #close TCP_SOCK;
}
exit;

sub print_help {
    print <<HELP;
    %./iamFool.pl [-h]
        -h print help
        -t target ipaddr
        -p service port
        -u requested url
    by:i_am_jojo\@msn.com
HELP
}

sub get_ip_hdr {
    my $ip_obj = shift;
    my @ip_hdr;
    push @ip_hdr, [qw(ver tos flags id src_ip proto)];
    push @{$ip_hdr[1]}, $ip_obj->{$_} foreach (qw(ver tos flags id src_ip proto));
    push @ip_hdr, [qw(hlen len foffset ttl dest_ip cksum)];
    push @{$ip_hdr[3]}, $ip_obj->{$_} foreach (qw(hlen len foffset ttl dest_ip cksum));
    return pretty_table('IP Header', @ip_hdr);
}

sub get_tcp_hdr {
    my $tcp_obj = shift;
    my @tcp_hdr;
    push @tcp_hdr, [qw(src_port seqnum hlen flags)];
    push @{$tcp_hdr[1]}, $tcp_obj->{$_} foreach (qw(src_port seqnum hlen flags));
    push @tcp_hdr, [qw(dest_port acknum reserved winsize)];
    push @{$tcp_hdr[3]}, $tcp_obj->{$_} foreach (qw(dest_port acknum reserved winsize));
    return pretty_table('TCP Header', @tcp_hdr);
}

sub pretty_table {
    # pretty_table($title, @rows); @rows = ( [...], [...] );
    # each row passed in becomes a printed column (the lists are transposed)
    # by i_am_jojo@msn.com
    my ($title, @data) = @_;
    my @temp;
    my @max_length;
    my $row_length = 0;
    my $indent     = 4;
    my $the_table;
    foreach my $col (0 .. $#{$data[0]}) {
        push @{$temp[$col]}, $_->[$col] foreach (@data);
    }
    $max_length[$_] = length((sort { length($b) <=> length($a) } @{$data[$_]})[0]) + 2 foreach (0 .. $#data);
    $row_length += $max_length[$_] foreach (0 .. $#{$temp[0]});
    $row_length += $#data;
    $the_table  = ' ' x $indent . '+' . '-' x $row_length . "+\n";
    $the_table .= ' ' x $indent . '| ' . $title . ' ' x ($row_length - length($title) - 1) . "|\n";
    foreach my $row (0 .. $#temp) {
        $the_table .= ' ' x $indent;
        $the_table .= '+' . '-' x $max_length[$_] foreach (0 .. $#{$temp[0]});
        $the_table .= "+\n";
        $the_table .= ' ' x $indent;
        $the_table .= '| ' . $temp[$row][$_] . ' ' x ($max_length[$_] - length($temp[$row][$_]) - 1) foreach (0 .. $#{$temp[0]});
        $the_table .= "|\n";
    }
    $the_table .= ' ' x $indent;
    $the_table .= '+' . '-' x $max_length[$_] foreach (0 .. $#{$temp[0]});
    $the_table .= "+\n";
    return $the_table;
}
4. Example result
==Result eXample==
2005/05/02 21:51:23, begin sniffing ...
==ID.1============================================================
    +---------------------------------------------------+
    | IP Header                                         |
    +--------+---------------+---------+----------------+
    | ver    | 4             | hlen    | 5              |
    +--------+---------------+---------+----------------+
    | tos    | 0             | len     | 60             |
    +--------+---------------+---------+----------------+
    | flags  | 2             | foffset | 0              |
    +--------+---------------+---------+----------------+
    | id     | 20682         | ttl     | 64             |
    +--------+---------------+---------+----------------+
    | src_ip | 218.11.149.14 | dest_ip | 64.233.189.104 |
    +--------+---------------+---------+----------------+
    | proto  | 6             | cksum   | 31878          |
    +--------+---------------+---------+----------------+
    +------------------------------------------+
    | TCP Header                               |
    +----------+------------+-----------+------+
    | src_port | 32851      | dest_port | 80   |
    +----------+------------+-----------+------+
    | seqnum   | 1104143983 | acknum    | 0    |
    +----------+------------+-----------+------+
    | hlen     | 10         | reserved  | 0    |
    +----------+------------+-----------+------+
    | flags    | 2          | winsize   | 5808 |
    +----------+------------+-----------+------+
==ID.2============================================================
    +---------------------------------------------------+
    | IP Header                                         |
    +--------+----------------+---------+---------------+
    | ver    | 4              | hlen    | 5             |
    +--------+----------------+---------+---------------+
    | tos    | 0              | len     | 44            |
    +--------+----------------+---------+---------------+
    | flags  | 0              | foffset | 0             |
    +--------+----------------+---------+---------------+
    | id     | 63029          | ttl     | 241           |
    +--------+----------------+---------+---------------+
    | src_ip | 64.233.189.104 | dest_ip | 218.11.149.14 |
    +--------+----------------+---------+---------------+
    | proto  | 6              | cksum   | 26154         |
    +--------+----------------+---------+---------------+
    +------------------------------------------------+
    | TCP Header                                     |
    +----------+------------+-----------+------------+
    | src_port | 80         | dest_port | 32851      |
    +----------+------------+-----------+------------+
    | seqnum   | 3660731207 | acknum    | 1104143984 |
    +----------+------------+-----------+------------+
    | hlen     | 6          | reserved  | 0          |
    +----------+------------+-----------+------------+
    | flags    | 18         | winsize   | 4356       |
    +----------+------------+-----------+------------+
==ID.3============================================================
    +---------------------------------------------------+
    | IP Header                                         |
    +--------+---------------+---------+----------------+
    | ver    | 4             | hlen    | 5              |
    +--------+---------------+---------+----------------+
    | tos    | 0             | len     | 40             |
    +--------+---------------+---------+----------------+
    | flags  | 2             | foffset | 0              |
    +--------+---------------+---------+----------------+
    | id     | 20684         | ttl     | 64             |
    +--------+---------------+---------+----------------+
    | src_ip | 218.11.149.14 | dest_ip | 64.233.189.104 |
    +--------+---------------+---------+----------------+
    | proto  | 6             | cksum   | 31896          |
    +--------+---------------+---------+----------------+
    +------------------------------------------------+
    | TCP Header                                     |
    +----------+------------+-----------+------------+
    | src_port | 32851      | dest_port | 80         |
    +----------+------------+-----------+------------+
    | seqnum   | 1104143984 | acknum    | 3660731208 |
    +----------+------------+-----------+------------+
    | hlen     | 5          | reserved  | 0          |
    +----------+------------+-----------+------------+
    | flags    | 16         | winsize   | 5808       |
    +----------+------------+-----------+------------+
==ID.4============================================================
    +---------------------------------------------------+
    | IP Header                                         |
    +--------+---------------+---------+----------------+
    | ver    | 4             | hlen    | 5              |
    +--------+---------------+---------+----------------+
    | tos    | 16            | len     | 89             |
    +--------+---------------+---------+----------------+
    | flags  | 2             | foffset | 0              |
    +--------+---------------+---------+----------------+
    | id     | 20685         | ttl     | 64             |
    +--------+---------------+---------+----------------+
    | src_ip | 218.11.149.14 | dest_ip | 64.233.189.104 |
    +--------+---------------+---------+----------------+
    | proto  | 6             | cksum   | 31830          |
    +--------+---------------+---------+----------------+
    +------------------------------------------------+
    | TCP Header                                     |
    +----------+------------+-----------+------------+
    | src_port | 32851      | dest_port | 80         |
    +----------+------------+-----------+------------+
    | seqnum   | 1104143984 | acknum    | 3660731208 |
    +----------+------------+-----------+------------+
    | hlen     | 5          | reserved  | 0          |
    +----------+------------+-----------+------------+
    | flags    | 24         | winsize   | 5808       |
    +----------+------------+-----------+------------+
    +---------------------------------------------+
    | TCP data                                    |
    +---------------------------------------------+
    | GET / HTTP/1.1Accept: text/html; text/plain |
    +---------------------------------------------+
==ID.5============================================================
    +---------------------------------------------------+
    | IP Header                                         |
    +--------+----------------+---------+---------------+
    | ver    | 4              | hlen    | 5             |
    +--------+----------------+---------+---------------+
    | tos    | 0              | len     | 40            |
    +--------+----------------+---------+---------------+
    | flags  | 0              | foffset | 0             |
    +--------+----------------+---------+---------------+
    | id     | 47931          | ttl     | 241           |
    +--------+----------------+---------+---------------+
    | src_ip | 64.233.189.104 | dest_ip | 218.11.149.14 |
    +--------+----------------+---------+---------------+
    | proto  | 6              | cksum   | 41256         |
    +--------+----------------+---------+---------------+
    +------------------------------------------------+
    | TCP Header                                     |
    +----------+------------+-----------+------------+
    | src_port | 80         | dest_port | 32851      |
    +----------+------------+-----------+------------+
    | seqnum   | 3660731208 | acknum    | 1104144033 |
    +----------+------------+-----------+------------+
    | hlen     | 5          | reserved  | 0          |
    +----------+------------+-----------+------------+
    | flags    | 16         | winsize   | 4356       |
    +----------+------------+-----------+------------+
===End===
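The injection logic of section 1 and the counter == 3 branch of the script in section 3, as an added example in pure Python (it is not the original Perl code and sends nothing on the wire): the three handshake packets are constructed from the numbers printed in section 4, the fourth segment is forged from the client's own ACK exactly as the script does it, and the result is checked against the fifth packet's acknum. The function and constant names are this example's own; the checksum routines are standard RFC 1071 arithmetic over the IPv4 pseudo-header, which Net::RawIP does for you in the script.

```python
"""Forge the 4th segment from the three captured handshake packets (added example)."""
import socket
import struct

# Constructed from the capture in section 4 of this page
CLIENT_IP, SERVER_IP = "218.11.149.14", "64.233.189.104"
CLIENT_PORT, SERVER_PORT = 32851, 80
CLIENT_ISN, SERVER_ISN = 1104143983, 3660731207
REQUEST = b"GET / HTTP/1.1\r\nAccept: text/html; text/plain\r\n\r\n"   # 49 bytes
SYN, ACK, PSH = 0x02, 0x10, 0x08


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp(src, dst, sport, dport, seq, ack, flags, window, data=b""):
    """TCP header without options plus data, checksummed over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(hdr) + len(data))
    csum = checksum(pseudo + hdr + data)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + data


def build_ipv4(src, dst, ident, segment, ttl=64):
    """IPv4 header (DF set, no options) in front of a TCP segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), ident, 0x4000, ttl, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + segment


def parse(pkt: bytes) -> dict:
    """Minimal IPv4+TCP decoder returning only the fields the injector copies."""
    ihl = (pkt[0] & 0x0F) * 4
    ident = struct.unpack("!H", pkt[4:6])[0]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    seg = pkt[ihl:]
    sport, dport, seq, ack, off, flags, win = struct.unpack("!HHIIBBH", seg[:16])
    return dict(src=src, dst=dst, id=ident, sport=sport, dport=dport, seq=seq,
                ack=ack, flags=flags, win=win, data=seg[(off >> 4) * 4:])


def tcp_checksum_ok(pkt: bytes) -> bool:
    """Recompute the TCP checksum over pseudo-header + segment; a valid one sums to 0."""
    ihl = (pkt[0] & 0x0F) * 4
    seg = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(seg))
    return checksum(pseudo + seg) == 0


def handshake() -> list:
    """The three handshake packets, rebuilt from the capture (IP ids and TTLs as printed)."""
    syn = build_ipv4(CLIENT_IP, SERVER_IP, 20682,
                     build_tcp(CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT, CLIENT_ISN, 0, SYN, 5808))
    synack = build_ipv4(SERVER_IP, CLIENT_IP, 63029,
                        build_tcp(SERVER_IP, CLIENT_IP, SERVER_PORT, CLIENT_PORT,
                                  SERVER_ISN, CLIENT_ISN + 1, SYN | ACK, 4356), ttl=241)
    ack = build_ipv4(CLIENT_IP, SERVER_IP, 20684,
                     build_tcp(CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT,
                               CLIENT_ISN + 1, SERVER_ISN + 1, ACK, 5808))
    return [syn, synack, ack]


def forge_after_handshake(packets, request=REQUEST) -> bytes:
    """What the Perl script does at counter == 3: copy addresses, ports, seq, ack and
    window from the client's own ACK (3rd packet), bump the IP id, push the request."""
    third = parse(packets[2])
    if third["flags"] != ACK or third["ack"] != parse(packets[1])["seq"] + 1:
        raise ValueError("third packet is not the client's handshake ACK")
    seg = build_tcp(third["src"], third["dst"], third["sport"], third["dport"],
                    third["seq"], third["ack"], PSH | ACK, third["win"], request)
    return build_ipv4(third["src"], third["dst"], third["id"] + 1, seg)


def expected_server_ack(forged: bytes) -> int:
    """Acknum the server's 5th packet must carry if it accepted the injected bytes."""
    f = parse(forged)
    return f["seq"] + len(f["data"])


def kernel_lag(forged: bytes) -> int:
    """How far the client kernel's snd_nxt now trails the server's rcv_nxt. The kernel
    never saw the injected bytes, so its first real write reuses the forged seq and
    the server trims that many leading bytes as already received: the 'chaos' of section 1."""
    f = parse(forged)
    return (f["seq"] + len(f["data"])) - (CLIENT_ISN + 1)


if __name__ == "__main__":
    forged = forge_after_handshake(handshake())
    print("forged IP length", len(forged), "server should ack", expected_server_ack(forged),
          "kernel lag", kernel_lag(forged))
```

With the page's numbers the forged packet is 89 bytes long (20 + 20 + 49, the len printed for ID.4) and the server's reply must acknowledge 1104143984 + 49 = 1104144033, which is the acknum shown in ID.5; kernel_lag() returning 49 is the reason the connection cannot be used normally afterwards.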
From the "ITPUB blog", link: http://blog.itpub.net/10748419/viewspace-956792/. If you repost, please cite the source; otherwise legal liability will be pursued.