前言
最近,有一同学给我发来一投票的链接,当然希望我帮他投某某的票了o(︶︿︶)o 我立马投了票, 再投第二下那时 限制了IP了~ 我却突然萌生一个想法, 如果我伪造TCP数据包, 伪造TCP头上的IP地址,不是可以想多少票,就多少票了~ PS:因为之前看过有关SYN攻击的描述,知道可以发出大量伪造的SYN数据包,使到服务器建立大量半连接,占用服务器的资源 先从简单的udp 数据包开始. 立马找了一段以前udp监听的代码,用它来负责测试. 首先,发送数据包的话, 我首先想到的是raw socket. 马上从网上拷了一段代码, 对我的测试代码发, 失败. 又调了老半天,还是失败. 网上的原因说到: 操作系统对raw socket的限制 - -! 至于能不能使用raw socket 发送数据包, 我就没有细细研究了. 我发现sendto一个数据包还要填地址和端口... 既然是建立在IP那一层, 为什么还要填个端口. //===========================================================================// 接着, 我想到以前用过一下的库 --- Winpcap. Winpcap能发数据链路层的数据! 使用Winpcap发送数据
1
2
3
4
5
6
7
8
9
10
11
12
13
14 |
//获取发送的句柄了 pcap_t* adhandle = NULL; char errbuf[PCAP_ERRBUF_SIZE] = { 0 }; pcap_if_t *alldevs = NULL; if (pcap_findalldevs(&alldevs, errbuf) == -1) return ; if ((adhandle = pcap_open(alldevs->name, 0x10000, PCAP_OPENFLAG_PROMISCUOUS, 1000, NULL, errbuf)) == NULL) return ; pcap_freealldevs(alldevs); //发送数据包 if (pcap_sendpacket(adhandle, ( const u_char*)buf, totalLen) == -1) { } |
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17 |
u_int16_t in_cksum (u_int16_t * p, int psize) { u_int32_t ret = 0; while (psize > 1) { ret += *p++; psize -= 2; } if (psize == 1) ret += *(u_int8_t*)p; ret = (ret >> 16) + (ret & 0xffff); ret += (ret >> 16); return ~ret; } |
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250 |
#define HAVE_REMOTE #include <pcap.h> #pragma comment(lib, "wpcap.lib") #pragma comment(lib, "ws2_32.lib") u_int16_t crc_checksum(u_int16_t* p, int psize) { u_int32_t ret = 0; while (psize > 1) { ret += *p++; psize -= 2; } if (psize == 1) ret += *(u_int8_t*)p; ret = (ret >> 16) + (ret & 0xffff); ret += (ret >> 16); return ~ret; } struct ether_header{ u_int8_t ether_dhost[6]; u_int8_t ether_shost[6]; u_int16_t ether_type; //IP协议,为0x0800 }; struct ip_header { u_int8_t version_headerLen; u_int8_t servicetype; u_int16_t totalLen; u_int16_t identification; u_int16_t flags_fragOffset; u_int8_t ttl; u_int8_t protocol; u_int16_t checksum; u_int32_t saddr; u_int32_t daddr; }; struct udp_header { u_int16_t sport; u_int16_t dport; u_int16_t totalLen; u_int16_t checksum; }; struct tcp_header { u_int16_t sport; u_int16_t dport; u_int32_t seq; u_int32_t ack_seq; u_int16_t dataOffset_reserve_flags; u_int16_t window; u_int16_t checksum; u_int16_t urg_ptr; }; struct psd_header { u_int32_t saddr; u_int32_t daddr; u_int8_t zero; u_int8_t protocol; u_int16_t len; }; void * add_bytes_addr( void * st, int bytes) { return ( void *)((( char *)st) + bytes); } pcap_t* adhandle = NULL; void send_ether_data_from_ip( const char * d, const int dlen) { int totalLen = sizeof (ether_header) + dlen; char * buf = new char [totalLen]; ether_header* etherhdr = (ether_header*)add_bytes_addr(buf, 0); char * data = ( char *)add_bytes_addr(etherhdr, sizeof (ether_header)); memcpy(data, d, dlen); etherhdr->ether_shost[0] = 0x00; etherhdr->ether_shost[1] = 0xE0; etherhdr->ether_shost[2] = 0xB0; etherhdr->ether_shost[3] = 0xE7; etherhdr->ether_shost[4] = 0xA6; etherhdr->ether_shost[5] = 0xDD; etherhdr->ether_dhost[0] = 0xc8; etherhdr->ether_dhost[1] = 0x3a; etherhdr->ether_dhost[2] = 0x35; etherhdr->ether_dhost[3] = 0x2c; etherhdr->ether_dhost[4] = 0x07; etherhdr->ether_dhost[5] = 0x00; etherhdr->ether_type = htons(0x0800); if (pcap_sendpacket(adhandle, ( const u_char*)buf, totalLen) == -1) { } delete[] buf; } void send_ip_data(u_int saddr, u_int daddr, u_char protocol, const char * d, int dlen) { int totalLen = sizeof (ip_header) + dlen; char * buf = new char [totalLen]; ip_header* iphdr = (ip_header*)add_bytes_addr(buf, 0); char * data = ( char *)add_bytes_addr(iphdr, sizeof (ip_header)); memcpy(data, d, dlen); iphdr->version_headerLen = (4<<4) | 5; iphdr->servicetype = 0; iphdr->totalLen = htons(totalLen); iphdr->identification = htons(0); iphdr->flags_fragOffset = htons((2<<13) | 0); iphdr->ttl = 0xff; iphdr->protocol = protocol; iphdr->checksum = 0; iphdr->saddr = saddr; iphdr->daddr = daddr; iphdr->checksum = crc_checksum((u_int16_t*)iphdr, sizeof (ip_header)); send_ether_data_from_ip(buf, totalLen); delete[] buf; } u_int16_t calc_psd_checksum(u_int32_t saddr, u_int32_t daddr, u_int8_t protocol, const char * d, int dlen) { int totalLen = sizeof (psd_header) + dlen; char * buf = new char [totalLen]; psd_header* psdhdr = (psd_header*)add_bytes_addr(buf, 0); char * data = ( char *)add_bytes_addr(psdhdr, sizeof (psd_header)); memcpy(data, d, dlen); psdhdr->saddr = saddr; psdhdr->daddr = daddr; psdhdr->zero = 0; psdhdr->protocol = protocol; psdhdr->len = htons(dlen); u_int16_t ret = crc_checksum((u_int16_t*)buf, totalLen); delete[] buf; return ret; } void send_udp_data(u_int32_t saddr, u_int16_t sport, u_int32_t daddr, u_int16_t dport, const char * d, int dlen) { int totalLen = sizeof (udp_header) + dlen; char * buf = new char [totalLen]; udp_header* udphdr = (udp_header*)add_bytes_addr(buf, 0); char * data = ( char *)add_bytes_addr(udphdr, sizeof (udp_header)); memcpy(data, d, dlen); udphdr->sport = htons(sport); udphdr->dport = htons(dport); udphdr->totalLen = htons(totalLen); udphdr->checksum = 0; udphdr->checksum = calc_psd_checksum(saddr, daddr, IPPROTO_UDP, buf, totalLen); send_ip_data(saddr, daddr, IPPROTO_UDP, ( const char *)udphdr, totalLen); delete[] buf; } inline u_int8_t tcp_flags(u_int8_t urg, u_int8_t ack, u_int8_t psh, u_int8_t rst, u_int8_t syn, u_int8_t fin) { return (urg << 5) | (ack << 4) | (psh << 3) | (rst << 2) | (syn << 1) | fin; } void send_tcp_data(u_int32_t saddr, u_int16_t sport, u_int32_t daddr, u_int16_t dport, u_int32_t seq, u_int32_t ack_seq, u_int8_t flags, const char * d, int dlen) { int totalLen = sizeof (tcp_header) + dlen; char * buf = new char [totalLen]; tcp_header* tcphdr = (tcp_header*)add_bytes_addr(buf, 0); char * data = ( char *)add_bytes_addr(tcphdr, sizeof (tcp_header)); memcpy(data, d, dlen); tcphdr->sport = htons(sport); tcphdr->dport = htons(dport); tcphdr->seq = htonl(seq); tcphdr->ack_seq = htonl(ack_seq); tcphdr->dataOffset_reserve_flags = htons((u_short)(( ( sizeof (tcp_header)/4) << 12) | (0<<6) | flags)); tcphdr->window = htons(8196); tcphdr->checksum = 0; tcphdr->urg_ptr = 0; tcphdr->checksum = calc_psd_checksum(saddr, daddr, IPPROTO_TCP, buf, totalLen); send_ip_data(saddr, daddr, IPPROTO_TCP, ( const char *)tcphdr, totalLen); delete[] buf; } void main() { char errbuf[PCAP_ERRBUF_SIZE] = { 0 }; pcap_if_t *alldevs = NULL; if (pcap_findalldevs(&alldevs, errbuf) == -1) return ; if ((adhandle = pcap_open(alldevs->name, 0x10000, PCAP_OPENFLAG_PROMISCUOUS, 1000, NULL, errbuf)) == NULL) return ; pcap_freealldevs(alldevs); //udp //send_udp_data(inet_addr("192.168.0.100"), 45630, inet_addr("192.168.0.100"), 6000, "hello", 6); //tcp int saddr = inet_addr( "192.168.0.100" ); int sport = 52803; send_tcp_data(saddr, sport, inet_addr( "202.104.205.75" ), 80, 0, 0, tcp_flags(0, 0, 0, 0, 1, 0), "" , 0 ); Sleep(20); send_tcp_data(saddr, sport, inet_addr( "202.104.205.75" ), 80, 1, 1, tcp_flags(0, 1, 0, 0, 0, 0), "" , 0 ); return ; } |