Libnet Example (5)
2000-01-01
SCZ Technical Document

This instalment continues the introduction to libnet programming, this time with an ICMP-based DoS. ICMP redirect attacks have been around for a long time, yet some of their technical details are still easily overlooked.

------------------------------------------------------------------------

An ICMP redirect is sent by the default router to the sender of a packet to report a shorter route to a particular host. Network redirects were supported initially but were later abandoned, leaving only host redirects. Besides routers, hosts must also accept ICMP redirects. The following describes how a 4.4BSD host handles a received ICMP redirect. To prevent a malicious router, host or intruder from modifying the system routing table, the host performs these checks:

1. The new route must be a direct route: this machine must not need to go through another router to reach the new gateway; it resolves the gateway directly with ARP and delivers frames to its MAC address.

2. The redirect must come from the router currently used to reach the target. For example, host A wants to reach Z, and A and Z are not on the same subnet. The first router A goes through is G, but G considers F the better path, so it tells A to change its current selection and prefer F for Z. This redirect must come from G, not from any other host or router. A's routing table may hold two routes by which Z can be reached, but if G is preferred over F, then A currently accepts redirects only from G; a redirect from F is considered invalid and discarded. Many of the phenomena in the later experiments relate to this rule, so it must be stressed.

3. A redirect cannot tell the host to use itself as the router. Although this is reasonable, PWIN98 allows the host to be pointed at itself as the router, which actually causes a DoS. Other systems have not been tested.

4. The route being changed must be an indirect route. An indirect route is what we usually understand by a route; a direct route delivers the packet by MAC address on the same subnet, understood? Therefore, if A and B are on the same subnet, A cannot use an ICMP redirect to make B send its packets for A through A, but it can make B send its packets for IPs outside the subnet through A.

ICMP redirects provide a fairly effective DoS. Unlike ARP entries, these specific host routes never expire (just like routes added manually with route add: if nothing refreshes them, there is no expiry). Note that the attack need not be launched from the LAN; in fact it can be launched from the WAN. If the DNS server used by the subnet is located at the gateway, it is easy to create a wrong route to the DNS server, so ... In my tests under PWIN98, the route produced by an ICMP redirect is a specific host route with mask 255.255.255.255; there is no way to produce a network route with a mask such as 255.255.0.0. I also do not know whether other systems implement this: under PWIN98 the routes produced by ICMP do expire (the observed expiry time seems very long), whereas routes added with route add do not expire. A pathological route keeps a residual image even after it expires; a non-pathological route disappears from the routing table when it expires. Many desktop operating systems search their routing tables linearly; if you use ICMP redirects to add too many specific host routes to their routing tables, hey. On UNIX systems the routing table lookup is not a linear search, but an excessive number of specific host routes still consumes a lot of memory. These all fall into the DoS category.
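The four acceptance checks above, written out as host-side validation logic. This is an added example (my code, not the article's or libnet's); the routing table, host address and the redirect cases it is tried on are taken from the article's later experiments (host 192.168.10.60/16, default router 192.168.0.1, target 202.99.11.161).

```python
import ipaddress

# Routing table entries: (destination network, next-hop gateway, or None for a
# direct on-link route). Host and gateway addresses are those used in the
# article's experiments: host 192.168.10.60/16, default router 192.168.0.1.
HOST_IP = "192.168.10.60"
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/16"), None),       # direct route (same subnet)
    (ipaddress.ip_network("0.0.0.0/0"), "192.168.0.1"),   # default route via the gateway
]

def lookup(routes, dst):
    """Longest-prefix match; returns (network, gateway) or None if unrouted."""
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def check_redirect(routes, host_ip, src_ip, target, new_gw):
    """Apply the four 4.4BSD acceptance checks to a host redirect.
    src_ip is the IP source of the ICMP packet, target the host the redirect
    is about, new_gw the router it advertises. Returns (accepted, reason)."""
    host, src, tgt, gw_new = map(ipaddress.ip_address, (host_ip, src_ip, target, new_gw))
    cur = lookup(routes, tgt)
    if cur is None:
        return False, "no current route to target"   # nothing to redirect, discard
    gw_cur = cur[1]
    on_link = [n for n, g in routes if g is None]
    # 1. the advertised router must be directly reachable (ARP, no hop in between)
    if not any(gw_new in n for n in on_link):
        return False, "rule 1: new gateway is not on a directly connected network"
    # 4. only an indirect route may be changed; same-subnet traffic is never redirected
    if gw_cur is None:
        return False, "rule 4: current route to target is direct"
    # 2. only the router we currently use for this target may redirect us
    if src != ipaddress.ip_address(gw_cur):
        return False, "rule 2: sender %s is not the current gateway %s" % (src, gw_cur)
    # 3. never accept a redirect that points this host at itself (the PWIN98 DoS)
    if gw_new == host:
        return False, "rule 3: new gateway is this host"
    return True, "install host route %s/32 via %s" % (tgt, gw_new)
```

A redirect from 192.168.0.1 advertising 192.168.8.90 for 202.99.11.161 passes all four checks; the same redirect from 192.168.10.3 fails rule 2, and one advertising 192.168.10.60 itself fails rule 3.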
Modern operating systems more or less have some ability to block ICMP redirect packets, and how it is implemented is also quite chaotic.

------------------------------------------------------------------------

This was written while I was at Huawei; some things I no longer remember and some experimental data was discarded, so I retested. This time we do not consider using ICMP redirects for sniffing, only for DoS attacks. An ICMP redirect is forged as coming from 192.168.0.1, built starting at the MAC layer.

1) Using a type 5 code 1 redirect (the bytes 05 01, redirect for host) can still modify the Windows 2000 routing table, but you cannot make a 2K specific host route point to the host itself (PWIN98 can); 2K has improved on this point. The redirected specific host route does not disappear for a long time and can be removed with route delete. Once an IP has been redirected, sending another redirect to point it at a different IP fails. The result of this last experiment may not be what you expect: recall that a redirect must come from the router currently used for the target, otherwise it is considered illegal and discarded. That is the real reason. We cannot use ICMP to produce two specific host routes for the same target, because the second redirect would modify the existing specific host route rather than add one. On 98, route add can manually add two specific host routes for the same target, but in fact only one takes effect, otherwise the rules would be quite messy; personally I think this is a defect of the route add command itself. Once an IP has been redirected, a new redirect must be constructed whose source IP is the router IP last specified, for such a packet to take effect. 2K can use route add to add a route that points to the host itself; this does not contradict the rule that a redirect cannot tell the host to route through itself. A route added this way can be deleted with route delete.
2) PWIN98 can be made to hold a specific host route pointing to itself. The redirected specific host route does not disappear. There are two cases for deleting it: if the specific host route does not point to the host itself, it can be removed with route delete; if it points to the host itself, route delete reports that the route cannot be found, and route change likewise cannot find the route, yet netstat -nr still shows it. The route -f parameter cannot delete the route either. Other than refreshing the routing table, I did not continue testing how to delete this pathological route. 98 can use route add to add a route pointing to itself, and that route can be deleted with route delete; however, the route to itself produced by an ICMP redirect cannot be deleted with route delete. 98's implementation of the route command is quite confusing. For example, you can do:

route add 202.99.11.161 mask 255.255.255.255 192.168.10.3
route add 202.99.11.161 mask 255.255.255.255 192.168.10.4
route add 202.99.11.161 mask 255.255.255.255 192.168.10.5

and netstat -nr then shows three specific host routes plus a default route, but telnet 202.99.11.161 80 uses only 192.168.10.3 and does not try 10.4, 10.5 or the default route after failing, which is what makes the DoS attack work. After route change 202.99.11.161 mask 255.255.255.255 192.168.0.1 modified the 10.5 entry, telnet 202.99.11.161 80 still failed, for the same reason.

All three specific host routes are deleted at once by route delete 202.99.11.161, which has no effect on the pathological route to itself produced by the ICMP redirect. A non-pathological route produced by ICMP behaves the same as a route added with route add. If you first use ICMP to add a specific host route via the default router 192.168.10.3, and then route add another specific host route via 192.168.0.1, the one used is still the first specific host route via 192.168.10.3. If the ICMP redirect is forged again with source IP 192.168.10.3 and target IP 192.168.10.60, it continues to "modify" the latter's routing table rather than "adding" a specific host route. For the pathological route mentioned earlier, it is still possible to route add another specific host route for 202.99.11.161; route delete can remove this subsequently added route, but the pathological route remains. Adding a pathological route pointing to the host itself initially has a harmful effect on traffic to that IP; I am not sure how long this effect lasts or when it expires. It seems that manually adding a route with route add "accelerates" the effect of the pathological route. After the effect has "thoroughly" disappeared, route delete removes the manually added host route and the default route is used again. But netstat -nr still shows the pathological route, even though it has no effect at this point, faint. In this case, apart from the residual image, everything returns to the state without a residual image, and an ICMP redirect whose source IP is the default router's IP can once again add a specific host route. This was confirmed in testing. The target MAC cannot be ff:ff:ff:ff:ff:ff, the target IP cannot be a directed broadcast address, and the source MAC is not checked (it can be arbitrary). If another host sends an ARP request or reply whose source IP address equals our own IP address, an error about a duplicate IP address is raised.
Net/3 detects this error and reports it to the administrator. Note that only ARP packets (whether request or reply) update the ARP cache and so may trigger ARP conflicts; there is therefore no need to pay much attention to the source MAC when forging ICMP packets. IP packets themselves never cause ARP spoofing, conflicts or cache refreshes. The ARP cache always expires; an entry is not kept alive by being used constantly. This can be verified on 98 as follows: set a filter rule in NetXRay to capture ARP request packets, and you will always see ARP requests issued by this machine at fixed intervals. The expiry time of routes produced by ICMP is very long, which is more harmful than ARP.

3) The following is a demo packet: an ICMP redirect forged as coming from gateway 192.168.0.1 and sent to 192.168.10.60, so that the latter produces a specific host route for 202.99.11.161 via 192.168.8.90.
00 10 FF 69 FF FF 00 50 04 BF 07 34 08 00 00 00
00 3c 5b 6e 00 00 01 53 C5 C0 A8 00 01 C0 A8 0A
3C 05 01 AF 8A C0 A8 08 5A 45 00 63 64 65 66 00
68 FF 01 51 E1 C0 A8 0A 3C CA 63 0B A1 75 76 77
63 62 63 64 65 66 67 68 69

Save the above packet into the file REDIR1060.TXT and run the following command as root:

./linuxkiller -k redir1060.txt -w 5 -r 1000

During the test it was observed that after route delete 0.0.0.0, route delete 0.0.0.0, route delete 202.99.11.161, the host is no longer affected by the ICMP redirect packet. As mentioned before, the redirect must come from the router currently used for the target; if there is no suitable current route at all, the redirect is considered illegal and discarded.

4) On 98, the following registry setting enables the routing function; a 98 host with a single network card can provide routing:

REGEDIT4
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP]
"EnableRouting"="1"

5) For the reason mentioned in 3), an ICMP redirect cannot produce a specific host route in that situation. A specific host route that has been changed by ICMP can be changed again by ICMP. After 98's routing is enabled, 192.168.8.90 sends ICMP redirects to 192.168.10.60, telling it to use 192.168.0.1 directly. Note that the mask rule takes precedence over the specific host route. The concept of routing priority must be clearly understood. If there is only a default route, an ICMP redirect results in a specific host route being added. If there is already a specific host route, however it was produced, it will be modified by ICMP rather than added.

6) The current test environment uses a switching hub; the topology is roughly as follows:

                    Smart Hub or Switch
      --------------------------------------------------
           |                 |                 |
     192.168.10.60     192.168.8.90     192.168.0.1 (Sygate) <-> Internet
     255.255.0.0       255.255.0.0      255.255.0.0

The following was observed.
From 192.168.10.60, run telnet 202.99.11.161 80. 192.168.8.90 forwards this packet, changing the source MAC address to 000000111111 (192.168.8.90's MAC address) while keeping the source IP 192.168.10.60. When forwarding the first SYN segment that initiates the TCP connection, 192.168.8.90 sends an ICMP redirect to 192.168.10.60 (192.168.0.1 being the better choice under the mask rule), so that the specific host route becomes 192.168.0.1. Subsequent packets from 192.168.10.60 to 202.99.11.161 therefore all go directly to 192.168.0.1, but the returned packets always come back through 192.168.8.90. This phenomenon is very interesting. Observed on both 192.168.8.90 and 192.168.10.60: outgoing packets go directly to 192.168.0.1, while the responses are forwarded by 192.168.8.90.

Yuan Ge and IPXODI think this is a problem of Sygate itself. For example, Sygate does not use the standard ARP cache but keeps information such as MAC-IP pairs itself to improve efficiency; with a regular router in its place, this phenomenon should not occur. Nowadays many organisations' LANs look like this, and I estimate that Sygate, Wingate and other software supporting transparent proxying have the same problem. It is not a vulnerability, nor is it illegal use; in short, one should be aware that this problem exists. I had not expected this phenomenon before. When this problem was first discussed, I only thought of the specific host route issue, and that inbound packets would be delivered directly because of the mask rule. Unexpectedly, in actual testing, 192.168.8.90 itself sends ICMP redirects. One can think of ways to stop 192.168.8.90 from sending ICMP redirects, such as a personal firewall, or modifying the VxD as Yuan Ge does. Setting aside personal firewalls, under our topology the ICMP redirect comes from 192.168.8.90 itself. Think about it: 192.168.10.60 quickly resumes its normal routing rules, the ARP cache has nothing to do with this issue and shows no abnormality; the only abnormality on 192.168.10.60 is that although its default route is 192.168.0.1, it also holds a specific host route via 192.168.0.1. Without having read this article, how many people would think that something might be wrong? Since inbound packets enter through 192.168.8.90, running NetXRay there (not described here) "legally" uses the ICMP redirect function and 98's IP routing function, and the abnormal phenomena are minimised. Outbound packets cannot be obtained this way, so data sent to the server side, such as the Telnet password, cannot be sniffed; see the discussion later.
The above description applies to the switch scenario. If you send ICMP redirects to every IP in the subnet and enable routing, this is much easier than ARP spoofing and lasts much longer. Considering the topology outside the subnet, at least one can see who attempts to resolve which domain names, countless, sigh. Strong anti-sniffing measures, yet there is always some way to sniff others; perhaps it is another contradictory choice. ARP spoofing, first, is easy to expose; second, needs high-frequency refreshing; third, generally needs programming. ICMP redirection is not easy to expose (given the Sygate "feature"), needs no high-frequency refresh (if used regularly it does not even need a refresh every quarter), and the redirect can be sent with NetXRay. In any case, ICMP redirect packets are a potential security hazard, and nowadays there is no need to use them. An IDS should be highly sensitive to the appearance of ICMP redirect packets. When there are hosts that support IP forwarding, a non-aggressive ICMP redirect may not warrant an alarm; the two need to be distinguished.

7) With a personal firewall intervening, communication between 192.168.99.991 passes entirely through 192.168.8.90, regardless of direction. It should be noted that 98 is not suitable for routing: efficiency is very low, the load is high, and running NetXRay on it as well is even worse, especially since I used a single NIC in this test. The above technique is limited to theoretical research and pure DoS attacks; it is really not practical. Also, at this point 192.168.10.60 can very conspicuously see 192.168.8.90, so it is easy to expose.
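To draw the distinction the text asks of an IDS, here is an added example (my code, not from the article, libnet or NetXRay) that parses an ICMP redirect out of a raw Ethernet frame and classifies it. The known gateway, the /16 subnet and the test frames are constructed from the article's topology; they are not its hex dump, and the checksums in the constructed frames are left at zero.

```python
import ipaddress
import socket
import struct

# Subnet facts taken from the article's topology: one real default gateway,
# and every host inside 192.168.0.0/16.
KNOWN_GATEWAY = "192.168.0.1"
LOCAL_NET = ipaddress.ip_network("192.168.0.0/16")
IPHDR = "!BBHHHBBH4s4s"                       # 20-byte IPv4 header without options

def parse_redirect(frame):
    """Extract the fields of an ICMP redirect from a raw Ethernet frame.
    Returns a dict, or None if the frame is not an IPv4 ICMP redirect."""
    if len(frame) < 62 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 1:            # not IPv4, or not ICMP
        return None
    icmp = ip[(ip[0] & 0x0F) * 4:]
    if icmp[0] != 5:                             # ICMP type 5 = redirect
        return None
    inner = icmp[8:]                             # header of the packet that triggered it
    return {"src_mac": frame[6:12].hex(":"),     # hosts do not check it, but log it anyway
            "sender": socket.inet_ntoa(ip[12:16]),
            "victim": socket.inet_ntoa(ip[16:20]),
            "code": icmp[1],
            "new_gw": socket.inet_ntoa(icmp[4:8]),
            "target": socket.inet_ntoa(inner[16:20])}

def classify(r):
    """Severity of one observed redirect, following the distinction drawn in the text."""
    if r["new_gw"] == r["victim"]:
        return "alert: victim told to route via itself (self-route DoS)"
    if ipaddress.ip_address(r["new_gw"]) not in LOCAL_NET:
        return "alert: advertised gateway is off-subnet"
    if r["new_gw"] == KNOWN_GATEWAY:             # e.g. a forwarding host bouncing traffic back
        return "notice: %s redirects %s to the real gateway" % (r["sender"], r["victim"])
    return "alert: %s diverts %s's traffic for %s to %s" % (
        r["sender"], r["victim"], r["target"], r["new_gw"])

def build_frame(sender, victim, new_gw, target):
    """Constructed test frame (not the article's hex dump): Ethernet/IPv4/ICMP redirect."""
    a = socket.inet_aton
    inner = struct.pack(IPHDR, 0x45, 0, 28, 1, 0, 128, 6, 0, a(victim), a(target)) + b"\0" * 8
    icmp = struct.pack("!BBH4s", 5, 1, 0, a(new_gw)) + inner   # checksum left 0 in the test data
    ip = struct.pack(IPHDR, 0x45, 0, 20 + len(icmp), 2, 0, 128, 1, 0, a(sender), a(victim))
    return b"\x00\x10\xff\x69\xff\xff" + b"\x00\x00\x00\x11\x11\x11" + b"\x08\x00" + ip + icmp
```

The forged gateway redirect toward 192.168.8.90 is classified as an alert, while 192.168.8.90 redirecting 192.168.10.60 back to 192.168.0.1 (the forwarding-host case from section 6) is only a notice.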