一、说明
用Socket的API Connect完成TCP建立连接的三次握手,同时子进程抓包,抓完三次握手的包后,插入第四个包即可,从对端返回的第五个包来看插入成功了,但因为插入了一个本机内核并不知道的TCP包,之后的连接将发生混乱(序列号失步)。可以将插入的那个包Data设置为HTTP Request,向WEB服务器提交请求。又如果目标系统的TCP初始序列号(ISN)是可预计算的,那么是否可以做带伪源地址的Blind TCP three-way handshake和插入,值得试验!(注意:现代操作系统普遍按 RFC 6528 的方式随机化 ISN,伪造源地址的报文也常被出口过滤丢弃,盲注入在实际环境中基本不可行;另外本脚本需要 root 权限并会向目标发送构造的原始报文,只能在获得授权的测试环境里使用。)
二、脚本
1、用到几个模块Net::RawIP Net::Pcap Net::PcapUtils NetPacket;
2、pretty_table()函数是我原来做的,用来在命令行下打印表格(Table);
3、测试环境-Linux、ADSL拨号,抓包的接口是ppp0,帧的结构和Eth帧结构不同,不能使用NetPacket::Ethernet模块中的strip函数处理帧首部,根据ethereal抓包的结构,我使用unpack函数取得了帧中的IP包(ppp0 上 libpcap 给出的应当是 16 字节的 Linux cooked 链路伪首部,脚本里 unpack 'H32a*' 跳过的正是这 16 字节;换到 eth0 时要改用 eth_strip 去掉 14 字节的以太网首部);
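三、源代码

#!/usr/bin/perl
# By i_am_jojo@msn.com, 2005/04
#
# iamFool.pl -- TCP segment-injection experiment (see section 1 above).
#
# The parent process opens an ordinary TCP connection to the target with
# connect(), letting the kernel perform the three-way handshake.  A forked
# child sniffs that connection on $DEV; after it has seen the three
# handshake packets it forges a fourth segment (PSH/ACK carrying an HTTP
# request) with Net::RawIP, copying addresses, ports, seq/ack numbers and
# window from the third packet (our own ACK), and keeps printing until it has
# seen the fifth packet -- the peer's ACK of the forged data -- so the result
# of the injection can be inspected.
#
# Operator notes:
#   * Raw sockets and packet capture require root.
#   * The forged segment is invisible to the local kernel, so the real
#     connection is desynchronised afterwards; this is a demonstration tool,
#     not an HTTP client.
#   * It sends forged traffic to the target: use it only against hosts you
#     are authorised to test.
#   * The listing as published had lost every backslash (regex escapes, "\n"
#     in strings, "\@" in the help text); they are restored here.
use strict;
use warnings;
use Net::RawIP;
use Net::PcapUtils;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
use Socket;
use Getopt::Std;
use List::Util qw(max);
use POSIX qw(strftime WNOHANG);

# ---- configuration -------------------------------------------------------

# Capture interface.  The author tested over ADSL, where libpcap hands out
# frames with a 16-byte link pseudo-header (Linux "cooked" capture) instead
# of a 14-byte Ethernet header; $LINK_HDR_LEN is the number of bytes to skip
# before the IP packet.  For an eth* device strip_link_header() uses
# NetPacket::Ethernet::eth_strip() instead.
my $DEV          = 'ppp0';
my $LINK_HDR_LEN = 16;

# The sniffer stops after this many matching packets (3 handshake packets,
# the forged segment, and the peer's reply to it).
my $PACKETS_WANTED = 5;

# The forged segment is sent right after this captured packet.  The third
# packet is our own ACK completing the handshake, so its seq/ack numbers are
# exactly what the next data segment must carry.
my $INJECT_AFTER = 3;

# If the child has not finished within this many seconds (e.g. the handshake
# never completed and fewer than $PACKETS_WANTED packets arrive), the parent
# terminates it instead of letting it block in pcap forever.
my $SNIFF_TIMEOUT = 30;

# ---- option handling -----------------------------------------------------

my %opts;
my $opts_ok = getopts('ht:p:u:n:', \%opts);
if (!$opts_ok || defined $opts{h} || !defined $opts{t} || !defined $opts{p}) {
    print_help();
    exit;
}

# Dotted-quad syntax first, then let inet_aton() reject out-of-range octets.
die "Invalid Target Ipaddress!\n"
    unless $opts{t} =~ m/^\d+\.\d+\.\d+\.\d+$/;
my $target_addr = inet_aton($opts{t})
    or die "Invalid Target Ipaddress!\n";

die "Invalid Service Port!\n"
    unless $opts{p} =~ m/^\d+$/ && $opts{p} >= 1 && $opts{p} <= 65535;

# The URL goes verbatim into the request line; whitespace or a line break in
# it would split the request line or smuggle extra header lines, so refuse it.
my $url = defined $opts{u} ? $opts{u} : '/';
die "Invalid URL: must be non-empty and contain no whitespace\n"
    if $url eq '' || $url =~ m/\s/;
# $opts{n} is accepted for compatibility with the original usage line but is
# not used anywhere.

# Host: is mandatory in HTTP/1.1 (RFC 2616 s14.23); without it many servers
# answer 400 instead of serving the page.
my $request = "GET $url HTTP/1.1\r\n"
            . "Host: $opts{t}\r\n"
            . "Accept: text/html; text/plain\r\n"
            . "\r\n";

# ---- fork: child sniffs and injects, parent connects ---------------------

my $child = fork();
# Without this check a failed fork() (undef == 0) would run the child branch
# in the parent.
die "fork failed: $!\n" unless defined $child;

if ($child == 0) {
    sniff_and_inject($opts{t}, $opts{p}, $request);
    exit 0;
}

sleep 1;    # let the child open its capture handle before the SYN goes out

my $proto = getprotobyname('tcp') or die "getprotobyname(tcp) failed\n";
socket(my $sock, PF_INET, SOCK_STREAM, $proto) or die "socket: $!\n";
unless (connect($sock, sockaddr_in($opts{p}, $target_addr))) {
    my $err = $!;
    kill 'TERM', $child;
    waitpid($child, 0);
    die "connect to $opts{t}:$opts{p} failed: $err\n";
}

# Keep the connection open (no close) until the sniffer is done: closing it
# would make the kernel send a FIN while the forged segment and its reply are
# still in flight.  Bound the wait so a stuck sniffer cannot hang us.
my $deadline = time + $SNIFF_TIMEOUT;
while (waitpid($child, WNOHANG) == 0) {
    if (time >= $deadline) {
        warn "sniffer did not finish within ${SNIFF_TIMEOUT}s; terminating it\n";
        kill 'TERM', $child;
        waitpid($child, 0);
        last;
    }
    sleep 1;
}
close $sock;
exit;

# ---- child side ----------------------------------------------------------

# Capture the handshake, forge the data segment, show the reply.
#   $target  - target IPv4 address (dotted quad)
#   $port    - target TCP port
#   $payload - bytes to carry in the forged segment
# Prints one header dump per captured packet and returns after
# $PACKETS_WANTED packets; dies if the capture handle cannot be opened.
sub sniff_and_inject {
    my ($target, $port, $payload) = @_;

    # Filter in the kernel; the checks in the loop below are a second line
    # of defence and keep the output the same if the filter is loosened.
    my $pcap = Net::PcapUtils::open(
        FILTER  => "tcp and host $target and port $port",
        PROMISC => 0,
        DEV     => $DEV,
    );
    die "Net::PcapUtils::open returned: $pcap\n" unless ref $pcap;

    print strftime('%Y/%m/%d %H:%M:%S, ', localtime), "begin sniffing ...\n";

    my $count = 0;
    while (my ($frame, %pkthdr) = Net::PcapUtils::next($pcap)) {
        my $packet = strip_link_header($frame);
        next unless length($packet) >= 20;    # shorter than a minimal IP header
        my $ip = NetPacket::IP->decode($packet);
        next unless $ip->{proto} == 6;        # 6 = TCP
        next unless $ip->{src_ip} eq $target || $ip->{dest_ip} eq $target;

        my $tcp = NetPacket::TCP->decode($ip->{data});
        next unless $tcp->{src_port} == $port || $tcp->{dest_port} == $port;

        $count++;
        print "==ID.$count==", '=' x 60, "\n";
        print get_ip_hdr($ip), get_tcp_hdr($tcp);
        if (defined $tcp->{data} && length $tcp->{data}) {
            # Captured payload is untrusted: drop CRLFs so the request shows
            # on one line and neutralise other non-printable bytes before
            # they reach the terminal.
            (my $text = $tcp->{data}) =~ s/\r\n//g;
            $text =~ s/[^\x20-\x7e]/./g;
            print pretty_table('TCP data', [$text]);
        }

        if ($count == $INJECT_AFTER) {
            # Packet 3 must be our outbound ACK; if something else (e.g. a
            # retransmitted SYN/ACK) landed in that slot, do not forge from it.
            if ($ip->{dest_ip} eq $target && $tcp->{dest_port} == $port) {
                inject_segment($ip, $tcp, $payload);
            }
            else {
                warn "packet $count is not outbound to $target:$port; not injecting\n";
            }
        }
        last if $count >= $PACKETS_WANTED;
    }
    return;
}

# Forge the PSH/ACK that follows the handshake.  Everything except the
# payload is copied from the captured packet ($ip/$tcp are the decoded
# NetPacket objects of our own ACK): same addresses, ports, sequence and
# acknowledgement numbers and window, IP id bumped by one.  The local kernel
# never sees this segment, so once the peer ACKs it the real connection is
# out of sync.
sub inject_segment {
    my ($ip, $tcp, $payload) = @_;

    my $raw = Net::RawIP->new;
    $raw->set({
        ip => {
            id    => $ip->{id} + 1,
            saddr => $ip->{src_ip},
            daddr => $ip->{dest_ip},
        },
        tcp => {
            source  => $tcp->{src_port},
            dest    => $tcp->{dest_port},
            seq     => $tcp->{seqnum},
            ack_seq => $tcp->{acknum},
            window  => $tcp->{winsize},
            data    => $payload,
            psh     => 1,
            ack     => 1,
        },
    });
    $raw->send;
    return;
}

# Return the IP packet inside a captured frame.  On ppp0 (and other
# non-Ethernet captures) the frame starts with a $LINK_HDR_LEN-byte
# pseudo-header, which the original code skipped with unpack 'H32a*'; on an
# eth* device the 14-byte Ethernet header is removed instead.  Returns '' for
# a frame shorter than the link header.
sub strip_link_header {
    my ($frame) = @_;
    return NetPacket::Ethernet::eth_strip($frame) if $DEV =~ m/^eth/;
    return '' if length($frame) <= $LINK_HDR_LEN;
    return substr($frame, $LINK_HDR_LEN);
}

# ---- output helpers ------------------------------------------------------

# Print the usage text.  Single-quoted heredoc so the "@" in the address is
# not interpolated.
sub print_help {
    print <<'HELP';
%./iamFool.pl [-h] <-t,-p,-u,-n>
    -h      print help
    -t      target ipaddr
    -p      service port
    -u      requested url (default: /)
    -n      accepted, currently unused
                                    by:i_am_jojo@msn.com
HELP
    return 1;
}

# Render the IP header of a decoded NetPacket::IP object as a table: field
# names in two columns, their values in the two columns next to them.
sub get_ip_hdr {
    my ($ip) = @_;
    my @left  = qw(ver tos flags id src_ip proto);
    my @right = qw(hlen len foffset ttl dest_ip cksum);
    return pretty_table('IP Header',
        \@left,  [ @{$ip}{@left} ],
        \@right, [ @{$ip}{@right} ]);
}

# Same as get_ip_hdr() for a decoded NetPacket::TCP object.
sub get_tcp_hdr {
    my ($tcp) = @_;
    my @left  = qw(src_port seqnum hlen flags);
    my @right = qw(dest_port acknum reserved winsize);
    return pretty_table('TCP Header',
        \@left,  [ @{$tcp}{@left} ],
        \@right, [ @{$tcp}{@right} ]);
}

# pretty_table($title, @rows) -- render a boxed ASCII table.
# by i_am_jojo@msn.com
#
# Each element of @rows is an array ref and is printed as one COLUMN (the
# table is transposed), so pretty_table('T', [qw(a b)], [1, 2]) gives
#     +-------+
#     | T     |
#     +---+---+
#     | a | 1 |
#     +---+---+
#     | b | 2 |
#     +---+---+
# All rows must have the same number of elements.  Returns the table as one
# string, every line indented four spaces and newline-terminated.
sub pretty_table {
    my ($title, @rows) = @_;
    my $indent = ' ' x 4;

    # Transpose: output line $r holds element $r of every input row.
    my @lines;
    for my $r (0 .. $#{ $rows[0] }) {
        push @{ $lines[$r] }, $_->[$r] for @rows;
    }

    # Column $c (= input row $c) is as wide as its longest cell plus one
    # space of padding on each side.
    my @width;
    for my $row (@rows) {
        push @width, 2 + max(0, map { length $_ } @{$row});
    }
    my $inner = $#rows;             # separators between columns
    $inner += $_ for @width;

    my $rule = $indent . join('', map { '+' . '-' x $_ } @width) . "+\n";
    my $out  = $indent . '+' . '-' x $inner . "+\n";
    $out .= $indent . '| ' . $title . ' ' x ($inner - length($title) - 1) . "|\n";
    for my $line (@lines) {
        $out .= $rule . $indent;
        $out .= '| ' . $line->[$_] . ' ' x ($width[$_] - length($line->[$_]) - 1)
            for 0 .. $#width;
        $out .= "|\n";
    }
    return $out . $rule;
}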
四、结果举例==Result eXample==2005/05/02 21:51:23, begin sniffing ...==ID.1==============================================================+---------------------------------------------------+| IP Header
|+--------+---------------+---------+----------------+| ver
| 4
| hlen
| 5
|+--------+---------------+---------+----------------+| tos
| 0
| len
| 60
|+--------+---------------+---------+----------------+| flags
| 2
| foffset | 0
|+--------+---------------+---------+----------------+| id
| 20682
| ttl
| 64
|+--------+---------------+---------+----------------+| src_ip | 218.11.149.14 | dest_ip | 64.233.189.104 |+--------+---------------+---------+----------------+| proto
| 6
| cksum
| 31878
|+--------+---------------+---------+----------------++------------------------------------------+| TCP Header
|+----------+------------+-----------+------+| src_port | 32851
| dest_port | 80
|+----------+------------+-----------+------+| seqnum
| 1104143983 | acknum
| 0
|+----------+------------+-----------+------+| hlen
| 10
| reserved
| 0
|+----------+------------+-----------+------+| flags
| 2
| winsize
| 5808 |+----------+------------+-----------+------+==ID.2==============================================================+---------------------------------------------------+| IP Header
|+--------+----------------+---------+---------------+| ver
| 4
| hlen
| 5
|+--------+----------------+---------+---------------+| tos
| 0
| len
| 44
|+--------+----------------+---------+---------------+| flags
| 0
| foffset | 0
|+--------+----------------+---------+---------------+| id
| 63029
| ttl
| 241
|+--------+----------------+---------+---------------+| src_ip | 64.233.189.104 | dest_ip | 218.11.149.14 |+--------+----------------+---------+---------------+| proto
| 6
| cksum
| 26154
|+--------+----------------+---------+---------------++------------------------------------------------+| TCP Header
|+----------+------------+-----------+------------+| src_port | 80
| dest_port | 32851
|+----------+------------+-----------+------------+| seqnum
| 3660731207 | acknum
| 1104143984 |+----------+------------+-----------+------------+| hlen
| 6
| reserved
| 0
|+----------+------------+-----------+------------+| flags
| 18
| winsize
| 4356
|+----------+------------+-----------+------------+==ID.3==============================================================+---------------------------------------------------+| IP Header
|+--------+---------------+---------+----------------+| ver
| 4
| hlen
| 5
|+--------+---------------+---------+----------------+| tos
| 0
| len
| 40
|+--------+---------------+---------+----------------+| flags
| 2
| foffset | 0
|+--------+---------------+---------+----------------+| id
| 20684
| ttl
| 64
|+--------+---------------+---------+----------------+| src_ip | 218.11.149.14 | dest_ip | 64.233.189.104 |+--------+---------------+---------+----------------+| proto
| 6
| cksum
| 31896
|+--------+---------------+---------+----------------++------------------------------------------------+| TCP Header
|+----------+------------+-----------+------------+| src_port | 32851
| dest_port | 80
|+----------+------------+-----------+------------+| seqnum
| 1104143984 | acknum
| 3660731208 |+----------+------------+-----------+------------+| hlen
| 5
| reserved
| 0
|+----------+------------+-----------+------------+| flags
| 16
| winsize
| 5808
|+----------+------------+-----------+------------+==ID.4==============================================================+---------------------------------------------------+| IP Header
|+--------+---------------+---------+----------------+| ver
| 4
| hlen
| 5
|+--------+---------------+---------+----------------+| tos
| 16
| len
| 89
|+--------+---------------+---------+----------------+| flags
| 2
| foffset | 0
|+--------+---------------+---------+----------------+| id
| 20685
| ttl
| 64
|+--------+---------------+---------+----------------+| src_ip | 218.11.149.14 | dest_ip | 64.233.189.104 |+--------+---------------+---------+----------------+| proto
| 6
| cksum
| 31830
|+--------+---------------+---------+----------------++------------------------------------------------+| TCP Header
|+----------+------------+-----------+------------+| src_port | 32851
| dest_port | 80
|+----------+------------+-----------+------------+| seqnum
| 1104143984 | acknum
| 3660731208 |+----------+------------+-----------+------------+| hlen
| 5
| reserved
| 0
|+----------+------------+-----------+------------+| flags
| 24
| winsize
| 5808
|+----------+------------+-----------+------------++--------------------------------------------+| TCP data
|+--------------------------------------------+| GET / HTTP/1.1Accept: text/html; text/plai |+--------------------------------------------+==ID.5==============================================================+---------------------------------------------------+| IP Header
|+--------+----------------+---------+---------------+| ver
| 4
| hlen
| 5
|+--------+----------------+---------+---------------+| tos
| 0
| len
| 40
|+--------+----------------+---------+---------------+| flags
| 0
| foffset | 0
|+--------+----------------+---------+---------------+| id
| 47931
| ttl
| 241
|+--------+----------------+---------+---------------+| src_ip | 64.233.189.104 | dest_ip | 218.11.149.14 |+--------+----------------+---------+---------------+| proto
| 6
| cksum
| 41256
|+--------+----------------+---------+---------------++------------------------------------------------+| TCP Header
|+----------+------------+-----------+------------+| src_port | 80
| dest_port | 32851
|+----------+------------+-----------+------------+| seqnum
| 3660731208 | acknum
| 1104144033 |+----------+------------+-----------+------------+| hlen
| 5
| reserved
| 0
|+----------+------------+-----------+------------+| flags
| 16
| winsize
| 4356
|+----------+------------+-----------+------------+
===End===