在TCP三次握手后插入伪造的TCP包

创建时间：2005-05-03
文章属性：转载
文章提交：l0pht (vbs_at_21cn.com)

在TCP三次握手后插入伪造的TCP包
一、说明

用Socket的API Connect完成TCP建立连接的三次握手，同时子进程抓包，抓完三次握手的包后，插入第四个包即可，从对端返回的第五个包来看插入成功了，但因为插入了一个TCP包，之后的连接将发生混乱。能够将插入的那个包Data配置为HTTP Request，向WEB服务器提交请求。又假如目标系统的TCP序列号是可预计算的，那么是否能够做带伪源地址的Blind TCP three-time handshakes和插入，值得试验！

二、脚本

1、用到几个模块Net::RawIP Net::Pcap Net::PcapUtils NetPacket；
2、pretty_table()函数是我原来做的，用来在命令行下打印表格（Table）；
3、测试环境-Linux、ADSL拨号，抓包的接口是ppp0，帧的结构和Eth帧结构不同，不能使用NetPacket::Ethernet模块中的strip函数处理帧首部，根据ethereal抓包的结构，我使用unpack函数取得了帧中的IP包；

三、源代码

#!/usr/bin/perl
#By i_am_jojo@msn.com, 2005/04
use strict;
use warnings;

use Net::RawIP;
use Net::PcapUtils;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;

use Socket;
use Getopt::Std;
use POSIX qw(strftime);

my %opts;
getopts('ht:p:u:n:', /%opts);

print_help() and exit if(defined($opts{'h'}));
print_help() and exit if(not defined($opts{'t'}) or not defined($opts{'p'}));

die "/tInvalid Target Ipaddress!/n"
if(defined($opts{'t'}) and $opts{'t'} !~ m/^/d ./d ./d ./d $/);

die "/tInvalid Service Port!/n"
if(defined($opts{'p'}) and $opts{'p'} !~ m/^/d $/);

my $request;
if(defined($opts{'u'})) {
$request = "GET $opts{'u'} HTTP/1.1/r/n";
$request.= "Accept: text/html; text/plain/r/n";
$request.= "/r/n";
} else {
$request = "GET / HTTP/1.1/r/n";
$request.= "Accept: text/html; text/plain/r/n";
$request.= "/r/n";
}

my $child = fork();

if($child == 0) {
#child process
my ($next_packet, %next_header);
my ($frame_hdr, $ip_packet);
my ($ip_obj, $tcp_obj);
my $counter = 0;

my $pkt_descriptor = Net::PcapUtils::open(
FILTER => 'ip',
PROMISC => 0,
DEV => 'ppp0',
#DEV => 'eth0'
);

die "Net::PcapUtils::open returned: $pkt_descriptor/n" if (!ref($pkt_descriptor));
print strftime '%Y/%m/%d %H:%M:%S, ', localtime and print "begin sniffing .../n";

while(($next_packet, %next_header) = Net::PcapUtils::next($pkt_descriptor)) {
($frame_hdr, $ip_packet) = unpack 'H32a*', $next_packet;
$ip_obj = NetPacket::IP->decode($ip_packet);
#$ip_obj = NetPacket::IP->decode(NetPacket::Ethernet::eth_strip($next_packet));

next if ($ip_obj->{'proto'} != 6);
next if (($ip_obj->{'src_ip'} ne $opts{'t'})
and ($ip_obj->{'dest_ip'} ne $opts{'t'}));

$tcp_obj = NetPacket::TCP->decode($ip_obj->{'data'});
next if (($tcp_obj->{'src_port'} ne $opts{'p'})
and ($tcp_obj->{'dest_port'} ne $opts{'p'}));

$counter ;

print "==ID.$counter==", '=' x 60, "/n";
print get_ip_hdr($ip_obj);
print get_tcp_hdr($tcp_obj);
if($tcp_obj->{'data'}) {
my $data;
$data = unpack 'a*', $tcp_obj->{'data'};
$data =~ s/[/r][/n]//g;
print pretty_table('TCP data', [$data]);
}

if($counter == 3) {
my $a = new Net::RawIP;
$a->set({
'ip' => {
'id' => $ip_obj->{'id'} 1,
'saddr' => $ip_obj->{'src_ip'},
'daddr' => $ip_obj->{'dest_ip'}
},
'tcp' => {
'source' => $tcp_obj->{'src_port'},
'dest' => $tcp_obj->{'dest_port'},
'seq' => $tcp_obj->{'seqnum'},
'ack_seq' => $tcp_obj->{'acknum'},
'window' => $tcp_obj->{'winsize'},
'data' => $request,
'psh' => 1,
'ack' => 1
}
});
$a->send;
}
last if($counter == 5);
}
exit;
} else {
sleep(1);
my $trans_serv = getprotobyname('tcp');
my $dest_sockaddr = sockaddr_in($opts{'p'}, inet_aton($opts{'t'}));

socket(TCP_SOCK, PF_INET, SOCK_STREAM, $trans_serv);

文章整理：西部数码--专业提供域名注册、虚拟主机服务
http://www.west263.com
以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息，谢谢!