首页 > 代码库 > ip欺骗(原始套接字系列九)

ip欺骗(原始套接字系列九)

由于使用Raw Socket的时候,IP报头可完全由程序员自定义,所以我们可以任意地修改本地发送包的IP地址,使得接收方错误的认为IP报文是由欺骗地址发出的。

  下面的程序演示了向某目标发送IP地址伪装的UDP报文的过程:

void sendPesuoIpUDP(void)
{
 WSADATA wsd;
 if (WSAStartup(MAKEWORD(2, 2), &wsd) != 0)
 {
  printf("WSAStartup() failed: %d ", GetLastError());
  return;
 } 
 SOCKET s = WSASocket(AF_INET, SOCK_RAW, IPPROTO_UDP, NULL, 0,WSA_FLAG_OVERLAPPED); // Create a raw socket
 if (s == INVALID_SOCKET)
 {
  printf("WSASocket() failed: %d ", WSAGetLastError());
  return - 1;
 }

 BOOL bOpt = TRUE;
 int ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char*) &bOpt, sizeof(bOpt));
 // 使用IP_HDRINCL
 if (ret == SOCKET_ERROR)
 {
  printf("setsockopt(IP_HDRINCL) failed: %d ", WSAGetLastError());
  return - 1;
 }

 const int BUFFER_SIZE = 80;
 char buffer[BUFFER_SIZE];

 const char *strMessage = "treat demo"; // Message to send

 // Set IP header
 IP_HDR ipHdr;
 UDP_HDR udpHdr;

 const unsigned short iIPSize = sizeof(ipHdr) / sizeof(unsigned long);
 const unsigned short iIPVersion = 4;
 ipHdr.ip_verlen = (iIPVersion << 4) | iIPSize;
 ipHdr.ip_tos = 0; // IP type of service
 const unsigned short iTotalSize = sizeof(ipHdr) + sizeof(udpHdr) + strlen(strMessage);
 ipHdr.ip_totallength = htons(iTotalSize); // Total packet len
 ipHdr.ip_id = 0; // Unique identifier: set to 0
 ipHdr.ip_offset = 0; // Fragment offset field
 ipHdr.ip_ttl = 128; // Time to live
 ipHdr.ip_protocol = 0x11; // Protocol(UDP)
 ipHdr.ip_checksum = 0; // IP checksum
 const char *target_ip_address = "192.168.0.102";
 const char *treat_ip_address = "1.0.5.7";
 ipHdr.ip_destaddr = inet_addr(target_ip_address); // 接收方IP地址
 ipHdr.ip_srcaddr = inet_addr(treat_ip_address); // 发送方伪造的IP地址

 // Set UDP header
 const u_short uToPort = 8000;
 udpHdr.dst_portno = htons(uToPort); // 接收方端口

 const u_short uFromPort = 1000;
 udpHdr.src_portno = htons(uFromPort); // 发送伪造的端口

 const unsigned short iUdpSize = sizeof(udpHdr) + strlen(strMessage);
 udpHdr.udp_length = htons(iUdpSize);
 udpHdr.udp_checksum = 0;

 // 组建待发送的UDP报文
 ZeroMemory(buffer, BUFFER_SIZE);
 char *ptr = buffer;

 memcpy(ptr, &ipHdr, sizeof(ipHdr));

 ptr += sizeof(ipHdr);
 memcpy(ptr, &udpHdr, sizeof(udpHdr));

 ptr += sizeof(udpHdr);
 memcpy(ptr, strMessage, strlen(strMessage));

 // Apparently, this SOCKADDR_IN structure makes no difference.
 // Whatever we put as the destination IP addr in the IP header is what goes.
 // Specifying a different destination in remote will be ignored.

 sockaddr_in remote;
 remote.sin_family = AF_INET;
 remote.sin_port = htons(8000);
 remote.sin_addr.s_addr = inet_addr("192.168.0.102");

 printf("TO %s:%d ", target_ip_address, uToPort);

 ret = sendto(s, buffer, iTotalSize, 0, (SOCKADDR*) &remote, sizeof(remote));
 // 发送伪造的报文
 if (ret == SOCKET_ERROR)
 {
  printf("sendto() failed: %d ", WSAGetLastError());
 }
 else
  printf("sent %d bytes ", ret);

 closesocket(s);
 WSACleanup();
 return;
}


  如果我们在第4节描述的ICMP FLOOD攻击中伪造IP地址,则对方将无法检测出究竟是谁在对其进行攻击,实际上,这也是一种非常常用的黑客攻击中隐藏自身的途径。