TCP ACK 欺骗
我正在编写一个程序,该程序伪造 TCP 请求并收集数据以存储在本地缓冲区中。为此,在连接到客户端的系统中,我配置了 iptables,以在路由之前将所有传入数据包保留到队列中。然后我使用 netfilter 库从队列中读取数据包。之后,我使用 RAW 套接字将伪造的 TCP 数据包发送到客户端。这样我就可以伪造 SYN/ACK 数据包来响应来自客户端的 SYN 请求。
但是当我尝试向客户端伪造 ACK 以响应传入数据时,就会出现问题。在这种情况下,数据包中包含源的真实 IP,而不是伪造的 IP。请参阅下面标有“>>”的第七条轨迹。在此,源 IP 显示为 192.168.10.10,而它必须是 212.58.246.81。在第四条跟踪(即 SYN/ACK 数据包)中,它显示得很好。
3 0.073852000 192.168.10.100 212.58.246.81 TCP 38307 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=502233100 TSER=0 WS=6
4 0.103102000 212.58.246.81 192.168.10.100 TCP http > 38307 [SYN, ACK] Seq=0 Ack=1 Win=31744 Len=0
5 0.103147000 192.168.10.100 212.58.246.81 TCP 38307 > http [ACK] Seq=1 Ack=1 Win=5840 Len=0
6 0.103349000 192.168.10.100 212.58.246.81 HTTP GET /go/rss/int/news/-/sport2/hi/tennis/9519762.stm HTTP/1.1
>>> 7 1.118729000 192.168.10.10 192.168.10.100 TCP http > 38307 [ACK] Seq=1 Ack=1 Win=31744 Len=0
8 1.118788000 192.168.10.100 192.168.10.10 TCP 38307 > http [RST] Seq=1 Win=0 Len=0
9 3.102627000 192.168.10.100 212.58.246.81 HTTP [TCP Retransmission] GET /go/rss/int/news/-/sport2/hi/tennis/9519762.stm HTTP/1.1
10 3.148590000 192.168.10.10 192.168.10.100 TCP [TCP Dup ACK 7#1] http > 38307 [ACK] Seq=1 Ack=1 Win=31744 Len=0
11 3.148606000 192.168.10.100 192.168.10.10 TCP 38307 > http [RST] Seq=1 Win=0 Len=0
我还尝试过像下面这样的“sendip”命令来发送一个假的 TCP ACK,
sendip -p ipv4 -p tcp -is 212.58.246.81 -id 192.168.10.100 -ts 80 -td 4567 -tfa 1 -tfs 0 -d "Data" 192.168.10.100
这里 tfa 和 tfs 分别代表 ack 和 syn 标志。 这也没有按预期工作,它显示为源自 192.168.10.10 而不是 212.58.246.81。但如果我将两个标志(syn 和 ack)设置为 1 那么它工作正常。
操作系统是Ubuntu。谁能告诉我我哪里出错了。非常感谢您的帮助。
I am writing a program that fakes TCP requests and collects the data to store in a local buffer. For this, in the system connected to the client i have configured the iptables to keep all the incoming packets to a queue before routing. Then i use the netfilter library to read the packets from the queue. After this using RAW sockets I send the fake TCP packets to the client. With this I am able to fake the SYN/ACK packet in response to the SYN request from the client.
But issue happens when I try to fake an ACK to the client in response to the incoming data. In this case the real ip of the source comes in the packet and not the faked one. Please see 7th trace below marked with ">>>". In this the source ip is shown as 192.168.10.10 where as it has to be 212.58.246.81. In the 4th trace(i.e. SYN/ACK packet) its showing as fine.
3 0.073852000 192.168.10.100 212.58.246.81 TCP 38307 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=502233100 TSER=0 WS=6
4 0.103102000 212.58.246.81 192.168.10.100 TCP http > 38307 [SYN, ACK] Seq=0 Ack=1 Win=31744 Len=0
5 0.103147000 192.168.10.100 212.58.246.81 TCP 38307 > http [ACK] Seq=1 Ack=1 Win=5840 Len=0
6 0.103349000 192.168.10.100 212.58.246.81 HTTP GET /go/rss/int/news/-/sport2/hi/tennis/9519762.stm HTTP/1.1
>>> 7 1.118729000 192.168.10.10 192.168.10.100 TCP http > 38307 [ACK] Seq=1 Ack=1 Win=31744 Len=0
8 1.118788000 192.168.10.100 192.168.10.10 TCP 38307 > http [RST] Seq=1 Win=0 Len=0
9 3.102627000 192.168.10.100 212.58.246.81 HTTP [TCP Retransmission] GET /go/rss/int/news/-/sport2/hi/tennis/9519762.stm HTTP/1.1
10 3.148590000 192.168.10.10 192.168.10.100 TCP [TCP Dup ACK 7#1] http > 38307 [ACK] Seq=1 Ack=1 Win=31744 Len=0
11 3.148606000 192.168.10.100 192.168.10.10 TCP 38307 > http [RST] Seq=1 Win=0 Len=0
Also I have tried out "sendip" command like below to send a fake TCP ACK
sendip -p ipv4 -p tcp -is 212.58.246.81 -id 192.168.10.100 -ts 80 -td 4567 -tfa 1 -tfs 0 -d "Data" 192.168.10.100
here tfa and tfs stands for ack and syn flags respectively.
This also didnt work as expected and its shown as orginating from 192.168.10.10 instead of 212.58.246.81. But if I set both flags(syn and ack) as 1 then its working fine.
The OS is Ubuntu. Can anyone please let me know where I am going wrong. Thanks a lot for your help.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论