#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/ip.h>
#include <net/if.h>
#include <net/if_arp.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <net/ethernet.h>
#include <arpa/inet.h>
/* Ethernet II frame header exactly as it sits on the wire (packed, 14 bytes). */
struct eth_header {
unsigned char dst[6];   /* destination MAC address */
unsigned char src[6];   /* source MAC address */
unsigned short type;    /* EtherType in network byte order; main() stores htons(0x0800) (IPv4) */
} __attribute__((packed));
/* IPv4 header without options (packed, 20 bytes).
 * NOTE(review): hlen is declared before ver so that, with the compiler's
 * little-endian bitfield packing, hlen lands in the low nibble and ver in the
 * high nibble of byte 0 (0x45 on the wire) — this layout assumption is not
 * portable; confirm for any other toolchain. */
struct ip_header{
unsigned char hlen:4;   /* header length in 32-bit words; main() stores sizeof(ip) >> 2 */
unsigned char ver:4;    /* IP version, 4 */
unsigned char service;  /* type of service / DSCP byte */
unsigned short total;   /* total datagram length, network byte order */
unsigned short id;      /* identification, network byte order */
unsigned char flag;     /* flags + high bits of fragment offset; main() stores 0x40 */
unsigned char offset;   /* low byte of fragment offset */
unsigned char ttl;      /* time to live */
unsigned char type;     /* transport protocol number; main() stores 0x06 (TCP) */
unsigned short chk;     /* header checksum; zeroed, then filled by csum() */
unsigned int src;       /* source address, as returned by inet_addr() (network order) */
unsigned int dst;       /* destination address, as returned by inet_addr() (network order) */
} __attribute__((packed));
/* TCP header without options (packed, 20 bytes).
 * seq/ack are kept as raw big-endian byte arrays; main() fills and compares
 * them byte by byte rather than through ntohl/htonl. */
struct tcp_header {
unsigned short src_port; /* source port, network byte order */
unsigned short dst_port; /* destination port, network byte order */
unsigned char seq[4];    /* sequence number, raw wire bytes */
unsigned char ack[4];    /* acknowledgement number, raw wire bytes */
unsigned char reserve:4; /* reserved nibble; always 0 here (see ip_header for the bitfield-order caveat) */
unsigned char length:4;  /* data offset in 32-bit words; main() stores sizeof(tcp) >> 2 */
unsigned char flag;      /* control flags byte: 0x02 SYN, 0x10 ACK, 0x12 SYN|ACK, 0x18 PSH|ACK are used in main() */
unsigned short window;   /* receive window, network byte order */
unsigned short chksum;   /* checksum over pseudo-header + segment; zeroed, then filled by csum() */
unsigned short dummy;    /* occupies the urgent-pointer slot; always written as 0 in this file */
} __attribute__((packed));
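/* TCP pseudo-header (12 bytes) followed by the 20-byte segment, used only as
 * the input to csum() when computing tcp_header.chksum.
 *
 * src/dst are 32-bit so that the struct matches the pseudo-header layout and
 * the type of ip_header.src/dst that main() copies into them. The previous
 * `unsigned long int` is 8 bytes on LP64 targets; the extra zero bytes happen
 * not to alter a one's-complement sum, but they make the struct 8 bytes larger
 * than the pseudo-header it claims to be. */
struct pseudo_header {
unsigned int src;        /* source address, network byte order (copied from ip_header.src) */
unsigned int dst;        /* destination address, network byte order (copied from ip_header.dst) */
unsigned char zero;      /* always 0 */
unsigned char protocol;  /* 0x06 (TCP) */
unsigned short length;   /* TCP segment length, network byte order; main() stores htons(sizeof(tcp)) */
struct tcp_header tcp;   /* copy of the segment with chksum == 0 */
} __attribute__((packed));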
/* TCP header (same 20-byte layout as tcp_header) immediately followed by a
 * fixed 49-byte payload. Used for the final PSH|ACK segment in main(), whose
 * message bytes spell "GET /view.html HTTP/1.1\r\nHost: 192.168.15.254\r\n\r\n". */
struct http_tcp_header {
unsigned short src_port; /* source port, network byte order */
unsigned short dst_port; /* destination port, network byte order */
unsigned char seq[4];    /* sequence number, raw wire bytes */
unsigned char ack[4];    /* acknowledgement number, raw wire bytes */
unsigned char reserve:4; /* reserved nibble; always 0 here */
unsigned char length:4;  /* data offset in 32-bit words; main() stores sizeof(tcp) >> 2 */
unsigned char flag;      /* control flags byte; main() stores 0x18 (PSH|ACK) */
unsigned short window;   /* receive window, network byte order */
unsigned short chksum;   /* checksum over pseudo-header + header + message; filled by csum() */
unsigned short dummy;    /* occupies the urgent-pointer slot; always written as 0 */
unsigned char message[49]; /* the HTTP request bytes, no terminating NUL */
} __attribute__((packed));
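/* TCP pseudo-header (12 bytes) followed by the header+payload of the HTTP
 * segment, used only as the input to csum() for http_tcp_header.chksum.
 *
 * src/dst are 32-bit to match the pseudo-header layout and ip_header.src/dst;
 * the previous `unsigned long int` is 8 bytes on LP64 targets (the extra zero
 * bytes do not change the one's-complement sum, but the struct then no longer
 * matches the 12-byte pseudo-header). */
struct http_pseudo_header {
unsigned int src;        /* source address, network byte order */
unsigned int dst;        /* destination address, network byte order */
unsigned char zero;      /* always 0 */
unsigned char protocol;  /* 0x06 (TCP) */
unsigned short length;   /* segment length; main() stores htons(sizeof(http)) */
struct http_tcp_header http; /* copy of the segment with chksum == 0 */
} __attribute__((packed));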
/*
 * Internet one's-complement checksum (the form used for IP and TCP headers).
 *
 * @param buf    start of the data, consumed as 16-bit words in memory order
 * @param nwords despite its name, the number of BYTES to cover: the loop
 *               takes two per word, and a single trailing byte is summed
 *               as a word whose second byte is zero
 * @return the folded 16-bit sum, complemented, ready to store in a header
 */
unsigned short csum ( unsigned short *buf, int nwords )
{
unsigned long acc = 0;
const unsigned short *word = buf;
int remaining = nwords;

/* Whole 16-bit words. */
for (; remaining > 1; remaining -= 2) {
acc += *word++;
}

/* Odd trailing byte: drop it into the first byte of a zeroed word so it is
 * weighted exactly like the leading byte of a full word. */
if (remaining == 1) {
unsigned short tail = 0;
memcpy(&tail, word, 1);
acc += tail;
}

/* Fold carries back into the low 16 bits; the first fold can carry again. */
acc = (acc >> 16) + (acc & 0xffff);
acc += acc >> 16;

return (unsigned short)~acc;
}
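/* Link- and network-layer constants shared by every frame this program builds.
 * They are the values the original hard-coded inline. */
static const char IFACE_NAME[] = "enp0s3";
static const unsigned char DST_MAC[6] = { 0x50, 0x6a, 0x03, 0xaf, 0x2a, 0x98 };
static const unsigned char SRC_MAC[6] = { 0x08, 0x00, 0x27, 0x25, 0x5d, 0x35 };
static const char SRC_IP[] = "192.168.15.140";
static const char DST_IP[] = "192.168.15.254";
/* Initial sequence number of the outgoing SYN, as raw big-endian bytes. */
static const unsigned char ISN[4] = { 0x11, 0x11, 0x11, 0x11 };
/* Payload of the final segment; its length (without NUL) must equal
 * sizeof ((struct http_tcp_header *)0)->message, i.e. 49 bytes. */
static const char GET_REQUEST[] = "GET /view.html HTTP/1.1\r\nHost: 192.168.15.254\r\n\r\n";

enum {
SRC_PORT = 1234,
DST_PORT = 80,
IP_IDENT = 0x1234,
FLAG_SYN = 0x02,
FLAG_ACK = 0x10,
FLAG_SYN_ACK = 0x12,
FLAG_PSH_ACK = 0x18,
FRAME_BUF_SIZE = 1024
};

/* Fill the Ethernet header: fixed MACs, EtherType IPv4. */
static void fill_eth(struct eth_header *eth)
{
memcpy(eth->dst, DST_MAC, sizeof eth->dst);
memcpy(eth->src, SRC_MAC, sizeof eth->src);
eth->type = htons(ETH_P_IP);
}

/* Fill the IPv4 header for a TCP segment of seg_len bytes (TCP header
 * included) and compute its header checksum. */
static void fill_ip(struct ip_header *ip, unsigned short seg_len)
{
ip->ver = 0x4;
ip->hlen = (unsigned char)((sizeof *ip) >> 2);
ip->service = 0x00;
ip->total = htons((unsigned short)(sizeof *ip + seg_len));
ip->id = htons(IP_IDENT);
ip->flag = 0x40;   /* Don't Fragment, offset 0 */
ip->offset = 0x00;
ip->ttl = 0x80;
ip->type = IPPROTO_TCP;
ip->chk = 0x0000;  /* checksum is computed over a zeroed field */
ip->src = inet_addr(SRC_IP);
ip->dst = inet_addr(DST_IP);
ip->chk = csum((unsigned short *)ip, (int)sizeof *ip);
}

/* Fill the TCP fields that are the same for the SYN and the ACK: ports,
 * data offset, window and a zeroed checksum. seq/ack are set by the caller. */
static void fill_tcp_fixed(struct tcp_header *tcp, unsigned char flags)
{
tcp->src_port = htons(SRC_PORT);
tcp->dst_port = htons(DST_PORT);
tcp->length = (unsigned char)((sizeof *tcp) >> 2); /* 20-byte header = 5 words */
tcp->reserve = 0x00;
tcp->flag = flags;
tcp->window = htons(0xffff);
tcp->chksum = 0x0000;
tcp->dummy = 0x0000;
}

/* TCP checksum of a plain segment: pseudo-header (addresses, protocol,
 * length) followed by the segment with chksum == 0. */
static unsigned short tcp_checksum(const struct ip_header *ip, const struct tcp_header *tcp)
{
struct pseudo_header pseudo;
memset(&pseudo, 0, sizeof pseudo);
pseudo.src = ip->src;
pseudo.dst = ip->dst;
pseudo.zero = 0;
pseudo.protocol = IPPROTO_TCP;
pseudo.length = htons((unsigned short)sizeof *tcp);
memcpy(&pseudo.tcp, tcp, sizeof *tcp);
return csum((unsigned short *)&pseudo, (int)sizeof pseudo);
}

/* Same as tcp_checksum() for the header+payload segment carrying the GET. */
static unsigned short http_checksum(const struct ip_header *ip, const struct http_tcp_header *http)
{
struct http_pseudo_header pseudo;
memset(&pseudo, 0, sizeof pseudo);
pseudo.src = ip->src;
pseudo.dst = ip->dst;
pseudo.zero = 0;
pseudo.protocol = IPPROTO_TCP;
pseudo.length = htons((unsigned short)sizeof *http);
memcpy(&pseudo.http, http, sizeof *http);
return csum((unsigned short *)&pseudo, (int)sizeof pseudo);
}

/* Write seq + 1 into out, treating seq as a 32-bit big-endian number so the
 * increment carries across bytes (the original only bumped the last byte). */
static void seq_plus_one(unsigned char *out, const unsigned char *seq)
{
unsigned int v;
memcpy(&v, seq, sizeof v);
v = htonl(ntohl(v) + 1u);
memcpy(out, &v, sizeof v);
}

/* Concatenate Ethernet header, IP header and a seg_len-byte TCP segment into out,
 * which must hold sizeof *eth + sizeof *ip + seg_len bytes. */
static void assemble(unsigned char *out, const struct eth_header *eth,
const struct ip_header *ip, const void *seg, size_t seg_len)
{
memcpy(out, eth, sizeof *eth);
memcpy(out + sizeof *eth, ip, sizeof *ip);
memcpy(out + sizeof *eth + sizeof *ip, seg, seg_len);
}

/* Print len bytes as space-separated hex, 16 per line, then a blank line. */
static void hexdump(const unsigned char *buf, size_t len)
{
for (size_t i = 0; i < len; i++) {
if (i != 0 && i % 16 == 0) {
printf("\n");
}
printf("%02x ", buf[i]);
}
printf("\n");
printf("\n");
}

/* Hex-dump a frame and transmit it; a failed sendto() is reported, not fatal. */
static void send_frame(int sock, const struct sockaddr_ll *sll,
const unsigned char *buf, size_t len)
{
hexdump(buf, len);
if (sendto(sock, buf, len, 0, (const struct sockaddr *)sll, sizeof *sll) < 0) {
perror("sendto");
}
}

/* Print "[seq: .. .. .. .., ack: .. .. .. ..]\n". zero_pad selects the "%02x"
 * form used for the SYN dump; the received-segment dumps use "%x". */
static void print_seq_ack(const unsigned char *seq, const unsigned char *ack, int zero_pad)
{
printf("[seq:");
for (int j = 0; j < 4; j++) {
if (zero_pad) {
printf(" %02x", seq[j]);
} else {
printf(" %x", seq[j]);
}
}
printf(", ack:");
for (int j = 0; j < 4; j++) {
if (zero_pad) {
printf(" %02x", ack[j]);
} else {
printf(" %x", ack[j]);
}
}
printf("]\n");
}

/* Print "src(port) -> dst(port) [seq: .., ack: ..]" for a received segment. */
static void print_segment(const struct ip_header *rip, const struct tcp_header *rtcp)
{
char src[INET_ADDRSTRLEN];
char dst[INET_ADDRSTRLEN];
unsigned int a;

/* inet_ntop() is bounded by the buffer size; the original strcpy() into
 * 9-byte buffers could not hold a full dotted quad such as 192.168.15.140. */
a = rip->src;
if (inet_ntop(AF_INET, &a, src, sizeof src) == NULL) {
strcpy(src, "?");
}
a = rip->dst;
if (inet_ntop(AF_INET, &a, dst, sizeof dst) == NULL) {
strcpy(dst, "?");
}
printf("%s(%d) -> %s(%d) ", src, ntohs(rtcp->src_port), dst, ntohs(rtcp->dst_port));
print_seq_ack(rtcp->seq, rtcp->ack, 0);
}

/* Copy the IPv4 and TCP headers out of a received frame of n bytes.
 * Returns 1 when the frame is long enough and is IPv4 carrying TCP, else 0.
 * Copying (rather than casting into the buffer) avoids unaligned access, and
 * the IHL field is honoured instead of assuming a 20-byte IP header. */
static int parse_frame(const unsigned char *frame, size_t n,
struct ip_header *rip, struct tcp_header *rtcp)
{
struct eth_header reth;
size_t ip_len;

if (n < sizeof reth + sizeof *rip) {
return 0;
}
memcpy(&reth, frame, sizeof reth);
if (reth.type != htons(ETH_P_IP)) {
return 0;
}
memcpy(rip, frame + sizeof reth, sizeof *rip);
ip_len = (size_t)rip->hlen * 4;
if (rip->ver != 4 || ip_len < sizeof *rip || rip->type != IPPROTO_TCP) {
return 0;
}
if (n < sizeof reth + ip_len + sizeof *rtcp) {
return 0;
}
memcpy(rtcp, frame + sizeof reth + ip_len, sizeof *rtcp);
return 1;
}

/* The original's filter: a SYN, SYN|ACK or ACK whose ack field is either
 * ISN + 1 (expected_ack) or equal to its own seq field. */
static int segment_matches(const struct tcp_header *t, const unsigned char *expected_ack)
{
if (t->flag != FLAG_SYN && t->flag != FLAG_SYN_ACK && t->flag != FLAG_ACK) {
return 0;
}
return memcmp(t->ack, expected_ack, 4) == 0 || memcmp(t->ack, t->seq, 4) == 0;
}

/* Answer a matching segment: print it, send an ACK, then send the GET. */
static void reply_to_segment(int send_sock, const struct sockaddr_ll *sll,
const struct ip_header *rip, const struct tcp_header *rtcp)
{
struct eth_header eth;
struct ip_header ip;
struct tcp_header tcp;
struct http_tcp_header http;
unsigned char ack_data[sizeof eth + sizeof ip + sizeof tcp];
unsigned char get_data[sizeof eth + sizeof ip + sizeof http];

print_segment(rip, rtcp);

/* ACK: our seq is what the peer acknowledged; we acknowledge its seq + 1. */
memset(&tcp, 0, sizeof tcp);
fill_eth(&eth);
fill_ip(&ip, (unsigned short)sizeof tcp);
fill_tcp_fixed(&tcp, FLAG_ACK);
memcpy(tcp.seq, rtcp->ack, sizeof tcp.seq);
seq_plus_one(tcp.ack, rtcp->seq);
tcp.chksum = tcp_checksum(&ip, &tcp);
assemble(ack_data, &eth, &ip, &tcp, sizeof tcp);
send_frame(send_sock, sll, ack_data, sizeof ack_data);

/* The original prints the same, unchanged segment a second time here; it
 * does not read a new frame before building the GET. Kept for fidelity. */
print_segment(rip, rtcp);

/* GET: PSH|ACK carrying the fixed request. */
memset(&http, 0, sizeof http);
memcpy(http.message, GET_REQUEST, sizeof http.message);
fill_eth(&eth);
fill_ip(&ip, (unsigned short)sizeof http);
http.src_port = htons(SRC_PORT);
http.dst_port = htons(DST_PORT);
/* NOTE(review): seq/ack are copied unchanged from the received segment, as
 * in the original. A standard handshake would carry seq = received ack and
 * ack = received seq + 1, as the ACK above does — confirm intent. */
memcpy(http.seq, rtcp->seq, sizeof http.seq);
memcpy(http.ack, rtcp->ack, sizeof http.ack);
http.length = (unsigned char)((sizeof tcp) >> 2); /* data offset: 20-byte header */
http.reserve = 0x00;
http.flag = FLAG_PSH_ACK;
http.window = htons(0xffff);
http.chksum = 0x0000;
http.dummy = 0x0000;
http.chksum = http_checksum(&ip, &http);
assemble(get_data, &eth, &ip, &http, sizeof http);
send_frame(send_sock, sll, get_data, sizeof get_data);
}

/*
 * Classroom raw-socket demo: hand-builds a TCP SYN from SRC_IP:SRC_PORT to
 * DST_IP:DST_PORT on IFACE_NAME, watches the link for a segment that passes
 * segment_matches(), answers it with an ACK and then sends a fixed HTTP GET,
 * hex-dumping every frame it transmits. Nothing is read from argv; all
 * addresses are the constants above. Opening PF_PACKET sockets requires
 * CAP_NET_RAW (normally root).
 *
 * The receive loop never terminates on its own. Returns 1 if a socket, the
 * interface lookup or recvfrom() fails.
 */
int main(int argc, char *argv[])
{
struct eth_header eth;
struct ip_header ip;
struct tcp_header tcp;
struct ip_header rip;
struct tcp_header rtcp;
struct sockaddr_ll sll;
unsigned char data[sizeof eth + sizeof ip + sizeof tcp];
unsigned char frame[FRAME_BUF_SIZE];
unsigned char expected_ack[4];

(void)argc;
(void)argv;

int send_sock = socket(PF_PACKET, SOCK_RAW, 0);
int recv_sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
if (send_sock < 0 || recv_sock < 0) {
perror("socket");
return 1;
}

/* The original left the unused sockaddr_ll fields uninitialised. */
memset(&sll, 0, sizeof sll);
sll.sll_family = PF_PACKET;
sll.sll_ifindex = (int)if_nametoindex(IFACE_NAME);
sll.sll_halen = 6;
if (sll.sll_ifindex == 0) {
perror("if_nametoindex");
return 1;
}

/* SYN with seq = ISN, ack = 0. */
memset(&tcp, 0, sizeof tcp);
fill_eth(&eth);
fill_ip(&ip, (unsigned short)sizeof tcp);
fill_tcp_fixed(&tcp, FLAG_SYN);
memcpy(tcp.seq, ISN, sizeof tcp.seq);
memset(tcp.ack, 0, sizeof tcp.ack);
tcp.chksum = tcp_checksum(&ip, &tcp);
assemble(data, &eth, &ip, &tcp, sizeof tcp);
print_seq_ack(tcp.seq, tcp.ack, 1);
send_frame(send_sock, &sll, data, sizeof data);

/* A reply to our SYN acknowledges ISN + 1. */
seq_plus_one(expected_ack, ISN);

for (;;) {
memset(frame, 0, sizeof frame);
/* The peer address is never used, so none is requested; the original
 * passed an uninitialised length for an undersized sockaddr_in. */
ssize_t n = recvfrom(recv_sock, frame, sizeof frame, 0, NULL, NULL);
if (n < 0) {
perror("recvfrom");
return 1;
}
/* Received bytes are untrusted: both length and protocol are checked
 * before any header field is interpreted. */
if (parse_frame(frame, (size_t)n, &rip, &rtcp) && segment_matches(&rtcp, expected_ack)) {
reply_to_segment(send_sock, &sll, &rip, &rtcp);
}
sleep(1);
}

return 0;
}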