Inserting a forged TCP packet after the TCP three-way handshake

1. Description

Use the socket API's connect() to complete the TCP three-way handshake while a child process sniffs the interface. Once the child has seen the three handshake segments it sends a fourth one of its own, copying the sequence and acknowledgement numbers from the third segment (the bare ACK our kernel just sent, whose numbers are exactly what the kernel would put on its next data segment). The fifth packet, coming back from the peer, acknowledges the injected data, which shows the insertion worked. The local kernel, however, knows nothing about the injected bytes: its send sequence is now behind what the server expects, so anything the socket sends afterwards (data or its FIN) looks old to the server, and the connection is unusable from that point on. The data of the inserted segment can be an HTTP request, so a request is submitted to the web server. And if the target system's initial sequence numbers were predictable, a blind three-way handshake with a spoofed source address followed by the same kind of insertion might be possible; that is worth an experiment! Note that the script below only injects into its own connection, using its own source address (raw sockets need root), and that current TCP stacks randomize their initial sequence numbers (RFC 6528) precisely to make the blind variant impractical.

2. The script

1. Modules used: Net::RawIP, Net::Pcap, Net::PcapUtils and NetPacket;
2. pretty_table() is a function I wrote earlier for printing a table on the command line;
3. Test environment: Linux over an ADSL dial-up, capturing on ppp0. Frames on that interface do not have the Ethernet frame layout, so the strip function in NetPacket::Ethernet cannot be used to remove the frame header; going by the frame structure ethereal showed, I used unpack to pull the IP packet out of the frame. The 16 bytes the script skips match the Linux "cooked" capture pseudo-header (DLT_LINUX_SLL), the link type libpcap usually reports for PPP interfaces on Linux; Net::Pcap::datalink() on the capture handle tells you which link type you actually have (113 is SLL, 1 is Ethernet). One further capture detail: Net::PcapUtils::open defaults to a 100-byte snaplen, and 16 + 20 + 20 bytes of headers leave only 44 bytes of payload, which is why the TCP data row in the result example stops at "text/plai"; pass SNAPLEN => 1514 to capture the whole request.
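The same capture-and-forge logic as an added worked example in Python, runnable offline on constructed frames (this is not the original Perl script and not code from the page's author). It strips either the 14-byte Ethernet or the 16-byte cooked link header, decodes the IPv4 and TCP headers, counts the segments of the target connection, builds the fourth segment with both checksums filled in, and computes the acknowledgement number the peer must return. The three handshake frames are constructed from the addresses, ports, sequence numbers, IP ids and window sizes printed in the result example; the cooked-header field values in handshake_frames() and all function names are this example's own choices, and packets are built without TCP options.

```python
import struct

# Link-layer header sizes libpcap hands back: Ethernet (DLT_EN10MB) is 14 bytes,
# the Linux "cooked" pseudo-header (DLT_LINUX_SLL) seen on ppp0 is 16 bytes.
DLT_EN10MB, DLT_LINUX_SLL = 1, 113
LINK_HDR_LEN = {DLT_EN10MB: 14, DLT_LINUX_SLL: 16}
SYN, PSH, ACK = 0x02, 0x08, 0x10

# Endpoints from the article's capture; used only to construct sample frames.
CLIENT, SERVER, CPORT = "218.11.149.14", "64.233.189.104", 32851


def strip_link_header(frame, datalink):
    """Drop the link-layer header (the Perl script does this with unpack 'H32a*')."""
    return frame[LINK_HDR_LEN[datalink]:]


def checksum(data):
    """RFC 1071 one's-complement sum, shared by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def decode(packet):
    """Decode IPv4 + TCP headers into the fields the Perl script prints."""
    ver_ihl, _, tot_len, ident, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    seg = packet[(ver_ihl & 0x0F) * 4:tot_len]
    sport, dport, seq, ack, off_flags, win, _, _ = struct.unpack("!HHIIHHHH", seg[:20])
    return {"src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)), "id": ident,
            "proto": proto, "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F, "win": win, "data": seg[(off_flags >> 12) * 4:]}


def build(src_ip, dst_ip, ip_id, sport, dport, seq, ack, flags, win, payload=b""):
    """Raw IPv4+TCP packet, no options, both checksums filled in (Net::RawIP's job in the script)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, win, 0, 0) + payload
    pseudo = struct.pack("!4s4sBBH", ip_bytes(src_ip), ip_bytes(dst_ip), 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp


def checksums_ok(packet):
    """What the receiving stack checks: both sums over header-plus-checksum must be zero."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:struct.unpack("!H", packet[2:4])[0]]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(packet[:ihl]) == 0 and checksum(pseudo + tcp) == 0


def inject_after_handshake(frames, datalink, target_ip, target_port, payload):
    """Count segments of the target connection; at the third one (the client's bare ACK)
    return a forged PSH/ACK carrying payload with the seq/ack the kernel would use next."""
    seen = 0
    for frame in frames:
        p = decode(strip_link_header(frame, datalink))
        if p["proto"] != 6 or target_ip not in (p["src_ip"], p["dst_ip"]):
            continue
        if target_port not in (p["src_port"], p["dst_port"]):
            continue
        seen += 1
        if seen == 3:
            # A retransmission or unrelated segment would shift the count; refuse
            # to forge from anything but an empty ACK.
            if p["flags"] != ACK or p["data"]:
                raise ValueError("third segment is not the handshake ACK; capture is out of step")
            return build(p["src_ip"], p["dst_ip"], p["id"] + 1, p["src_port"], p["dst_port"],
                         p["seq"], p["ack"], PSH | ACK, p["win"], payload)
    return None


def handshake_frames():
    """The three handshake segments from the article's capture, wrapped in a constructed
    16-byte cooked header: packet type, ARPHRD_PPP (512), address length, address, EtherType."""
    sll = struct.pack("!HHH8sH", 0, 512, 0, b"\x00" * 8, 0x0800)
    return [sll + build(CLIENT, SERVER, 20682, CPORT, 80, 1104143983, 0, SYN, 5808),
            sll + build(SERVER, CLIENT, 63029, 80, CPORT, 3660731207, 1104143984, SYN | ACK, 4356),
            sll + build(CLIENT, SERVER, 20684, CPORT, 80, 1104143984, 3660731208, ACK, 5808)]


def demo():
    """Forge packet 4 from the captured handshake and predict the peer's packet 5."""
    request = b"GET / HTTP/1.1\r\nAccept: text/html; text/plain\r\n\r\n"  # 49 bytes
    forged = inject_after_handshake(handshake_frames(), DLT_LINUX_SLL, SERVER, 80, request)
    f = decode(forged)
    return {"seq": f["seq"], "ack": f["ack"], "flags": f["flags"], "id": f["id"],
            "ip_len": len(forged), "checksums_ok": checksums_ok(forged),
            # The peer must acknowledge seq + len(data): packet 5's acknum in the article.
            "expected_peer_ack": f["seq"] + len(f["data"])}


if __name__ == "__main__":
    print(demo())
```

demo() returns seq 1104143984, ack 3660731208, flags 24, IP id 20685, total length 89 and expected_peer_ack 1104144033, the numbers shown in packets 4 and 5 of the result example. checksums_ok() is the check a receiving stack effectively performs: a segment with a wrong TCP checksum is silently dropped, which is the usual reason a hand-built packet appears to do nothing. inject_after_handshake() refuses to forge when the third captured segment is not an empty ACK, the failure mode you hit when a retransmission or unrelated traffic to the same host shifts the count.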

3. Source code

#!/usr/bin/perl
# By i_am_jojo@msn.com, 2005/04
# Inject a forged PSH/ACK segment into our own TCP connection right after the
# three-way handshake. Needs root: Net::RawIP writes to a raw socket and
# Net::PcapUtils opens the capture interface.
use strict;
use warnings;

use Net::RawIP;
use Net::PcapUtils;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;

use Socket;
use Getopt::Std;
use POSIX qw(strftime);

my %opts;
getopts('ht:p:u:', \%opts);

print_help() and exit if defined $opts{'h'};
print_help() and exit if not defined $opts{'t'} or not defined $opts{'p'};

# The dots must be escaped, otherwise "1a2b3c4" passes as an address.
die "\tInvalid Target Ipaddress!\n" if $opts{'t'} !~ m/^\d+\.\d+\.\d+\.\d+$/;
die "\tInvalid Service Port!\n"     if $opts{'p'} !~ m/^\d+$/;

# Payload of the forged segment. HTTP/1.1 strictly requires a Host header; it
# is left out so the request stays the 49 bytes seen in the result example
# (the server's acknum 1104144033 = 1104143984 + 49).
my $url = defined $opts{'u'} ? $opts{'u'} : '/';
my $request = "GET $url HTTP/1.1\r\n"
            . "Accept: text/html; text/plain\r\n"
            . "\r\n";

my $child = fork();
die "fork failed: $!\n" unless defined $child;

if ($child == 0) {
    # Child: sniff the connection and, after the third segment (the ACK that
    # completes the handshake), send the fourth one ourselves.
    my ($next_packet, %next_header);
    my ($frame_hdr, $ip_packet);
    my ($ip_obj, $tcp_obj);
    my $counter = 0;

    my $pkt_descriptor = Net::PcapUtils::open(
        FILTER  => 'ip',
        PROMISC => 0,
        SNAPLEN => 1514,   # the module's default of 100 bytes truncates the payload
        DEV     => 'ppp0',
        #DEV    => 'eth0'
    );
    die "Net::PcapUtils::open returned: $pkt_descriptor\n" if !ref($pkt_descriptor);
    print strftime('%Y/%m/%d %H:%M:%S, ', localtime), "begin sniffing ...\n";

    while (($next_packet, %next_header) = Net::PcapUtils::next($pkt_descriptor)) {
        # ppp0 is captured through the 16-byte Linux "cooked" pseudo-header
        # (DLT_LINUX_SLL), not an Ethernet header, so skip 16 bytes by hand.
        # Net::Pcap::datalink($pkt_descriptor) reports the link type: 113 is
        # SLL, 1 is Ethernet; for Ethernet use the eth_strip line instead.
        ($frame_hdr, $ip_packet) = unpack 'H32a*', $next_packet;
        $ip_obj = NetPacket::IP->decode($ip_packet);
        #$ip_obj = NetPacket::IP->decode(NetPacket::Ethernet::eth_strip($next_packet));

        next if $ip_obj->{'proto'} != 6;   # TCP only
        next if $ip_obj->{'src_ip'} ne $opts{'t'} and $ip_obj->{'dest_ip'} ne $opts{'t'};

        $tcp_obj = NetPacket::TCP->decode($ip_obj->{'data'});
        next if $tcp_obj->{'src_port'} != $opts{'p'} and $tcp_obj->{'dest_port'} != $opts{'p'};

        $counter++;

        print "==ID.$counter==", '=' x 60, "\n";
        print get_ip_hdr($ip_obj);
        print get_tcp_hdr($tcp_obj);
        if ($tcp_obj->{'data'}) {
            (my $data = $tcp_obj->{'data'}) =~ s/\r\n//g;   # keep the payload on one table row
            print pretty_table('TCP data', [$data]);
        }

        # Segment 3 is the bare ACK our kernel sent; its seq/ack are exactly
        # what the kernel would put on its next data segment, so a forged
        # PSH/ACK with the same numbers is accepted by the server. The kernel
        # never learns about these bytes, which desynchronises the socket.
        if ($counter == 3) {
            my $raw = new Net::RawIP;
            $raw->set({
                'ip' => {
                    'id'    => $ip_obj->{'id'} + 1,
                    'saddr' => $ip_obj->{'src_ip'},
                    'daddr' => $ip_obj->{'dest_ip'}
                },
                'tcp' => {
                    'source'  => $tcp_obj->{'src_port'},
                    'dest'    => $tcp_obj->{'dest_port'},
                    'seq'     => $tcp_obj->{'seqnum'},
                    'ack_seq' => $tcp_obj->{'acknum'},
                    'window'  => $tcp_obj->{'winsize'},
                    'data'    => $request,
                    'psh'     => 1,
                    'ack'     => 1
                }
            });
            $raw->send;
        }
        # Segment 5 is the server's ACK of the forged data: stop there.
        last if $counter == 5;
    }
    exit;
} else {
    # Parent: give the sniffer a moment to start, then do a normal connect()
    # so the kernel performs the handshake. Keep the socket open until the
    # child has seen the server's ACK; closing earlier would put a FIN into
    # the capture before the fifth packet.
    sleep(1);
    my $trans_serv = getprotobyname('tcp');
    my $dest_sockaddr = sockaddr_in($opts{'p'}, inet_aton($opts{'t'}));

    socket(TCP_SOCK, PF_INET, SOCK_STREAM, $trans_serv) or die "socket: $!\n";
    connect(TCP_SOCK, $dest_sockaddr)                   or die "connect: $!\n";
    waitpid($child, 0);
    close TCP_SOCK;
}

exit;

sub print_help {
    print <<HELP;

    %./iamFool.pl [-h] -t <target ip> -p <port> [-u <url>]
    -h    print help
    -t    target ipaddr
    -p    service port
    -u    requested url (default: /)

                by:i_am_jojo\@msn.com

HELP
}

# Each table is passed as pairs of rows (names, values); pretty_table prints
# the transpose, so two pairs come out as "name | value | name | value".
sub get_ip_hdr {
    my $ip_obj = shift;
    my @left  = qw(ver tos flags id src_ip proto);
    my @right = qw(hlen len foffset ttl dest_ip cksum);

    return pretty_table('IP Header',
        \@left,  [ map { $ip_obj->{$_} } @left ],
        \@right, [ map { $ip_obj->{$_} } @right ]);
}

sub get_tcp_hdr {
    my $tcp_obj = shift;
    my @left  = qw(src_port seqnum hlen flags);
    my @right = qw(dest_port acknum reserved winsize);

    return pretty_table('TCP Header',
        \@left,  [ map { $tcp_obj->{$_} } @left ],
        \@right, [ map { $tcp_obj->{$_} } @right ]);
}

sub pretty_table {
    # pretty_table($title, @rows); @rows = ( [...], [...] ), all the same length.
    # The input rows are printed as columns (the table is transposed).
    # by i_am_jojo@msn.com
    my ($title, @data) = @_;
    my (@temp, @max_length);
    my $row_length = 0;
    my $indent = 4;
    my $the_table;

    # Transpose: $temp[$col] holds the $col-th element of every input row.
    foreach my $col (0 .. $#{$data[0]}) {
        push @{$temp[$col]}, $_->[$col] foreach @data;
    }
    # Output column width = longest cell of the corresponding input row + 2.
    foreach my $row (0 .. $#data) {
        my ($longest) = sort { length($b) <=> length($a) } @{$data[$row]};
        $max_length[$row] = length($longest) + 2;
    }
    $row_length += $max_length[$_] foreach (0 .. $#data);
    $row_length += $#data;   # one '+' separator between each pair of columns

    my $rule = ' ' x $indent;
    $rule .= '+' . '-' x $max_length[$_] foreach (0 .. $#data);
    $rule .= "+\n";

    $the_table  = ' ' x $indent . '+' . '-' x $row_length . "+\n";
    $the_table .= ' ' x $indent . '| ' . $title . ' ' x ($row_length - length($title) - 1) . "|\n";
    foreach my $row (0 .. $#temp) {
        $the_table .= $rule;
        $the_table .= ' ' x $indent;
        $the_table .= '| ' . $temp[$row][$_] . ' ' x ($max_length[$_] - length($temp[$row][$_]) - 1)
            foreach (0 .. $#data);
        $the_table .= "|\n";
    }
    $the_table .= $rule;

    return $the_table;
}

4. Example result

==Result eXample==

2005/05/02 21:51:23, begin sniffing ...
==ID.1==============================================================
    +---------------------------------------------------+
    | IP Header                                         |
    +--------+---------------+---------+----------------+
    | ver    | 4             | hlen    | 5              |
    +--------+---------------+---------+----------------+
    | tos    | 0             | len     | 60             |
    +--------+---------------+---------+----------------+
    | flags  | 2             | foffset | 0              |
    +--------+---------------+---------+----------------+
    | id     | 20682         | ttl     | 64             |
    +--------+---------------+---------+----------------+
    | src_ip | 218.11.149.14 | dest_ip | 64.233.189.104 |
    +--------+---------------+---------+----------------+
    | proto  | 6             | cksum   | 31878          |
    +--------+---------------+---------+----------------+
    +------------------------------------------+
    | TCP Header                               |
    +----------+------------+-----------+------+
    | src_port | 32851      | dest_port | 80   |
    +----------+------------+-----------+------+
    | seqnum   | 1104143983 | acknum    | 0    |
    +----------+------------+-----------+------+
    | hlen     | 10         | reserved  | 0    |
    +----------+------------+-----------+------+
    | flags    | 2          | winsize   | 5808 |
    +----------+------------+-----------+------+
==ID.2==============================================================
    +---------------------------------------------------+
    | IP Header                                         |
    +--------+----------------+---------+---------------+
    | ver    | 4              | hlen    | 5             |
    +--------+----------------+---------+---------------+
    | tos    | 0              | len     | 44            |
    +--------+----------------+---------+---------------+
    | flags  | 0              | foffset | 0             |
    +--------+----------------+---------+---------------+
    | id     | 63029          | ttl     | 241           |
    +--------+----------------+---------+---------------+
    | src_ip | 64.233.189.104 | dest_ip | 218.11.149.14 |
    +--------+----------------+---------+---------------+
    | proto  | 6              | cksum   | 26154         |
    +--------+----------------+---------+---------------+
    +------------------------------------------------+
    | TCP Header                                     |
    +----------+------------+-----------+------------+
    | src_port | 80         | dest_port | 32851      |
    +----------+------------+-----------+------------+
    | seqnum   | 3660731207 | acknum    | 1104143984 |
    +----------+------------+-----------+------------+
    | hlen     | 6          | reserved  | 0          |
    +----------+------------+-----------+------------+
    | flags    | 18         | winsize   | 4356       |
    +----------+------------+-----------+------------+
==ID.3==============================================================
    +---------------------------------------------------+
    | IP Header                                         |
    +--------+---------------+---------+----------------+
    | ver    | 4             | hlen    | 5              |
    +--------+---------------+---------+----------------+
    | tos    | 0             | len     | 40             |
    +--------+---------------+---------+----------------+
    | flags  | 2             | foffset | 0              |
    +--------+---------------+---------+----------------+
    | id     | 20684         | ttl     | 64             |
    +--------+---------------+---------+----------------+
    | src_ip | 218.11.149.14 | dest_ip | 64.233.189.104 |
    +--------+---------------+---------+----------------+
    | proto  | 6             | cksum   | 31896          |
    +--------+---------------+---------+----------------+
    +------------------------------------------------+
    | TCP Header                                     |
    +----------+------------+-----------+------------+
    | src_port | 32851      | dest_port | 80         |
    +----------+------------+-----------+------------+
    | seqnum   | 1104143984 | acknum    | 3660731208 |
    +----------+------------+-----------+------------+
    | hlen     | 5          | reserved  | 0          |
    +----------+------------+-----------+------------+
    | flags    | 16         | winsize   | 5808       |
    +----------+------------+-----------+------------+
==ID.4==============================================================
    +---------------------------------------------------+
    | IP Header                                         |
    +--------+---------------+---------+----------------+
    | ver    | 4             | hlen    | 5              |
    +--------+---------------+---------+----------------+
    | tos    | 16            | len     | 89             |
    +--------+---------------+---------+----------------+
    | flags  | 2             | foffset | 0              |
    +--------+---------------+---------+----------------+
    | id     | 20685         | ttl     | 64             |
    +--------+---------------+---------+----------------+
    | src_ip | 218.11.149.14 | dest_ip | 64.233.189.104 |
    +--------+---------------+---------+----------------+
    | proto  | 6             | cksum   | 31830          |
    +--------+---------------+---------+----------------+
    +------------------------------------------------+
    | TCP Header                                     |
    +----------+------------+-----------+------------+
    | src_port | 32851      | dest_port | 80         |
    +----------+------------+-----------+------------+
    | seqnum   | 1104143984 | acknum    | 3660731208 |
    +----------+------------+-----------+------------+
    | hlen     | 5          | reserved  | 0          |
    +----------+------------+-----------+------------+
    | flags    | 24         | winsize   | 5808       |
    +----------+------------+-----------+------------+
    +--------------------------------------------+
    | TCP data                                   |
    +--------------------------------------------+
    | GET / HTTP/1.1Accept: text/html; text/plai |
    +--------------------------------------------+
==ID.5==============================================================
    +---------------------------------------------------+
    | IP Header                                         |
    +--------+----------------+---------+---------------+
    | ver    | 4              | hlen    | 5             |
    +--------+----------------+---------+---------------+
    | tos    | 0              | len     | 40            |
    +--------+----------------+---------+---------------+
    | flags  | 0              | foffset | 0             |
    +--------+----------------+---------+---------------+
    | id     | 47931          | ttl     | 241           |
    +--------+----------------+---------+---------------+
    | src_ip | 64.233.189.104 | dest_ip | 218.11.149.14 |
    +--------+----------------+---------+---------------+
    | proto  | 6              | cksum   | 41256         |
    +--------+----------------+---------+---------------+
    +------------------------------------------------+
    | TCP Header                                     |
    +----------+------------+-----------+------------+
    | src_port | 80         | dest_port | 32851      |
    +----------+------------+-----------+------------+
    | seqnum   | 3660731208 | acknum    | 1104144033 |
    +----------+------------+-----------+------------+
    | hlen     | 5          | reserved  | 0          |
    +----------+------------+-----------+------------+
    | flags    | 16         | winsize   | 4356       |
    +----------+------------+-----------+------------+
===End===

Reposted from: https://www.cnblogs.com/F4ncy/archive/2005/05/03/149127.html
