
[讨论]有个源代码找不到

[讨论]有个源代码找不到

议题提交:hack988
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)

SEQ-SCAN这个程序谁有阿,麻烦提供一下
这个软件是用来计算ACK,3次握手中的seq的


确实挺难找的:)
不过这里找东西 还是我比较强 嘿嘿
/**************************************************************************/
/* SEQ-scan - Example program for scanning SEQ-nr generators      */
/*      (illustration for 'A short overview of IP spoofing')    */
/*                                 */
/* Purpose - Gaining information about the targets SEQ-nr generator    */
/*                                 */
/* Author - Brecht Claerhout <Coder@reptile.rug.ac.be>         */
/*     Serious advice, comments, statements, greets, always welcome */
/*     flames, moronic 3l33t >/dev/null             */
/*                                 */
/* Disclaimer - This program is for educational purposes only. I am in  */
/*        NO way responsible for what you do with this program,  */
/*        or any damage you or this program causes.        */
/*                                 */
/* For whom - People with a little knowledge of TCP/IP, C source code  */
/*      and general UNIX. Otherwise, please keep your hands off, */
/*      and catch up on those things first.            */
/*                                 */
/* Limited to - Linux 1.3.X or higher.                */
/*        Watch the devices! default is 'eth0' you might have to  */
/*        change that. Read the code...             */
/*                                 */
/* Compiling - gcc -o SEQ-scan SEQ-scan.c -lm             */
/*                                 */
/* Usage - Usage described in the spoofing article that came with this. */
/*     If you didn't get this, try to get the full release...    */
/*                                 */
/* See also - Sniffit (for getting the necessary data on a connection) */
/**************************************************************************/
#include "spoofit_v3.h"
#include <math.h>
#include <sys/time.h>
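/*** Network device info, you could have to change this ***/
/*
 * INTERFACE is the capture device handed to open_receiving() in
 * get_numbers(); INTERFACE_PREFIX is copied into DEV_PREFIX by main().
 * NOTE(review): the 14 / 0 pair looks like the link-layer header length
 * (Ethernet vs. PPP) -- confirm against spoofit_v3.h.
 */
#define INTERFACE    "eth0"
#define INTERFACE_PREFIX 14
/*
#define INTERFACE    "ppp0"
#define INTERFACE_PREFIX 0
*/
#define MAXSEQ     10                /* array length*/
#define STARTSEQ    0x9E2CF343  /* You might want a personal touch */
#define STARTPORT    10666     /* You might want a personal touch */

char SOURCE[200];              /* local host name, filled by gethostname() in main() */
char TARGET[200];              /* host given with -t */
int TARGET_P;                  /* port given with -p */
int fd_receive, fd_send;              /* Kinda selfexpl. */

/* Per-sample data; every array has MAXSEQ slots, so COUNT must stay <= MAXSEQ. */
unsigned long SEQ_list[MAXSEQ];        /* sequence numbers stored by get_seq_nrs() */
unsigned long diff_seq[MAXSEQ];        /* differences between consecutive samples */
struct timeval time_list[MAXSEQ];      /* gettimeofday() stamp taken for each sample */
struct timeval time_diff[MAXSEQ];      /* elapsed time between consecutive samples */
double time_diff_usec[MAXSEQ];         /* time_diff converted to microseconds */
double incr_per_usec[MAXSEQ];          /* sequence increment per microsecond */
double incr_per_usec2[MAXSEQ];         /* incr_per_usec after rm_minmax() */

char VERBOSE=0, DO_ALL=0;                  /* Options */
int COUNT=MAXSEQ;         /* I leave you all freedom for adjusting*/

int get_seq_nrs(unsigned long *, int, int );
void get_numbers(void);
int easy_64k_rule(void);
void simple_time_relation (void);
/* Both prototypes below take pointers: that is what the definitions further
 * down declare and what simple_time_relation() passes.  The previous
 * by-value prototypes conflicted with those definitions. */
void rm_minmax(double *, double *, int);
void timeval_substract (struct timeval *, struct timeval *, struct timeval *);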
/*
 * Print the usage text to stdout and terminate with exit status 1.
 * progname is inserted into the first line; this function does not return.
 */
void quit(char *progname)
{
    /* Usage lines after the first one, written out verbatim and in order. */
    static const char *const rest[] = {
        "required <args> are:\n",
        " -t <target> host you want to scan\n",
        " -p <port>  port you want to use for scanning\n",
        "[options] are:\n",
        " -v     verbose\n",
        " -a     do all tests\n",
    };
    size_t k;

    printf("usage: %s <args> [options]\n", progname);
    for (k = 0; k < sizeof rest / sizeof rest[0]; k++) {
        fputs(rest[k], stdout);
    }
    exit(1);
}
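/*
 * Entry point: parse the command line, record the local host name, collect
 * the sequence-number samples and run the analyses.
 *
 * -t <target> and -p <port> are both required (tracked in `required`);
 * -v turns on verbose output, -a runs the time-relation test even when the
 * 64K rule already matched.
 *
 * Changes from the posted listing: the character constants had been turned
 * into HTML entities by the forum and are restored; the -t argument is
 * length-checked before it is copied into the fixed-size TARGET buffer; the
 * -p argument is parsed with strtol() and range-checked instead of atoi().
 */
int main(int argc, char *argv[])
{
    int c;
    char required = 0;              /* bit 0: -t seen, bit 1: -p seen */
    extern char *optarg;

    /* "s:" is in the option string but has no case below, so -s falls
     * through to the default branch and ends in quit(). */
    while ((c = getopt(argc, argv, "s:t:p:va")) != -1) {
        switch (c) {
        case 'v':
            printf("Verbose mode on...\n");
            VERBOSE = 1;                                    /* VERBOSE */
            break;
        case 'p': {
            char *end;
            long port = strtol(optarg, &end, 10);

            /* Reject empty, non-numeric and out-of-range values; an
             * overflowing input saturates in strtol() and fails the range
             * test as well. */
            if (end == optarg || *end != '\0' || port < 1 || port > 65535) {
                fprintf(stderr, "Error: invalid port '%s'\n", optarg);
                quit(argv[0]);
            }
            TARGET_P = (int)port;
            required |= 2;
            break;
        }
        case 't':
            /* TARGET is a fixed-size global; an unchecked strcpy() of a
             * command-line argument would write past its end. */
            if (strlen(optarg) >= sizeof TARGET) {
                fprintf(stderr, "Error: target name too long\n");
                quit(argv[0]);
            }
            strcpy(TARGET, optarg);
            required |= 1;
            break;
        case 'a':
            DO_ALL = 1;
            break;
        default:
            quit(argv[0]);
            break;
        }
    }

    /* gethostname() may leave the buffer unterminated on truncation, so the
     * last byte is set beforehand and only 199 bytes are offered. */
    SOURCE[199] = 0;
    if (gethostname(SOURCE, 199) < 0) {
        /* Best effort, as in the original: report and carry on. */
        fprintf(stderr,
                "Error: Couldn't determine host name... what's happening??");
    }

    if (required != 3) {
        quit(argv[0]);
    }

    /* DEV_PREFIX is not declared in this file -- presumably provided by
     * spoofit_v3.h; confirm there. */
    DEV_PREFIX = INTERFACE_PREFIX;

    get_numbers();                                  /* get some data */

    if ((easy_64k_rule() == 1) && (!DO_ALL)) {      /* 64K rule checking */
        exit(0);
    }

    simple_time_relation();                         /* Simple relation */
    return 0;
}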
/*** NUMBER CRUNCHING ;) ***************************************************/
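/*
 * 64K rule: count how many consecutive sequence-number differences are an
 * exact multiple of 64000 and report the target as matching when more than
 * two of them are (a difference of 0 also counts, since 0 % 64000 == 0).
 *
 * A generator that advances by a fixed step is predictable from a handful of
 * samples; RFC 6528 describes the defence (initial sequence numbers offset
 * by a per-connection keyed hash).
 *
 * Returns 1 when the rule matched, 0 otherwise.  diff_seq[0] is used as
 * scratch space and cleared before returning.
 *
 * Changes from the posted listing: the forum stripped the "[i]" subscript
 * (it is also the BBCode italic tag), leaving "SEQ_list-SEQ_list[i-1]"; the
 * subscript is restored.  The difference is reduced to 32 bits so that a
 * wrapped sample still yields the modulo-2^32 distance where unsigned long
 * is wider than a TCP sequence number.  The scratch reset used to sit after
 * both return statements and could never run.
 */
int easy_64k_rule(void)
{
    int i, seq_vuln = 0;
    int vulnerable;

    if (VERBOSE) {
        printf("*** 64K rule checking\n");
    }

    for (i = 1; i < COUNT; i++) {
        diff_seq[0] = (SEQ_list[i] - SEQ_list[i - 1]) & 0xFFFFFFFFUL;
        if (VERBOSE) {
            printf("SEQ. difference: %lu\n", diff_seq[0]);
        }
        if (diff_seq[0] % 64000 == 0) {
            seq_vuln++;
        }
    }

    vulnerable = (seq_vuln > 2);                /* allow some errors */
    if (vulnerable) {
        printf("%s vulnerable! (64K rule)\n", TARGET);
    } else {
        printf("%s checked. (64K rule)\n", TARGET);
    }

    diff_seq[0] = 0;
    return vulnerable;
}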
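/*
 * Check whether the sequence number grows at a steady rate over time.
 *
 * For every pair of consecutive samples the elapsed time (microseconds) and
 * the sequence-number difference are computed, giving an increment per
 * microsecond.  The spread of those increments around their mean is reported
 * as "QUAD ERR" (square root of the summed squared deviations, not divided
 * by the sample count).  The same figure is computed again after rm_minmax()
 * has dropped the smallest and largest increment ("QUAD ERR2").  A value
 * below 10 in either case is reported as a time relation.
 *
 * Assumes COUNT >= 4: the trimmed list is averaged over COUNT-3 entries.
 *
 * Changes from the posted listing: the forum stripped the "[i]" subscripts
 * from "&(time_list)" and "SEQ_list-SEQ_list[i-1]"; they are restored.  The
 * sequence difference is reduced to 32 bits so a wrapped sample gives the
 * modulo-2^32 distance where unsigned long is wider than that.  The second
 * error term measured the trimmed list against the untrimmed mean
 * (incr_avr) while incr_avr2 was computed and never used; it now uses
 * incr_avr2.  The unused diff_average array is gone.
 */
void simple_time_relation (void)
{
    int i;
    double incr_err, incr_err2;
    double incr_avr, incr_avr2;
    double time_avr;

    if (VERBOSE) {
        printf("*** Simple relation checking\n");
    }

    time_avr = incr_avr = 0;
    for (i = 1; i < COUNT; i++) {               /* time calculations */
        timeval_substract(&(time_diff[i-1]), &(time_list[i]), &(time_list[i-1]));
        diff_seq[i-1] = (SEQ_list[i] - SEQ_list[i-1]) & 0xFFFFFFFFUL;
        time_diff_usec[i-1] = 1000000*((double)(time_diff[i-1].tv_sec)) +
                              (double)(time_diff[i-1].tv_usec);
        incr_per_usec[i-1] = (double)(diff_seq[i-1]) / time_diff_usec[i-1];
        if (VERBOSE) {
            printf("TIME diff: %f(us)  SEQ diff: %lu  incr: %f (1/us)\n",
                   time_diff_usec[i-1], diff_seq[i-1], incr_per_usec[i-1]);
        }
        time_avr += time_diff_usec[i-1];
        incr_avr += incr_per_usec[i-1];
    }
    time_avr /= (COUNT-1);
    incr_avr /= (COUNT-1);
    if (VERBOSE) {
        printf("TIME avr: %f(us)  incr avr: %f (1/us)\n", time_avr, incr_avr);
    }

    /* Spread of all COUNT-1 increments around their mean. */
    incr_err = 0;
    for (i = 1; i < COUNT; i++) {
        incr_err += (incr_avr - incr_per_usec[i-1]) * (incr_avr - incr_per_usec[i-1]);
    }
    incr_err = sqrt(incr_err);
    if (VERBOSE) {
        printf("QUAD ERR: %f\n", incr_err);
    }

    if (VERBOSE) {
        printf("Removing 2 extreme values...\n");
    }
    rm_minmax(incr_per_usec2, incr_per_usec, COUNT-1);

    /* Mean and spread of the COUNT-3 increments left after trimming. */
    incr_err2 = incr_avr2 = 0;
    for (i = 1; i < (COUNT-2); i++) {
        incr_avr2 += incr_per_usec2[i-1];
    }
    incr_avr2 /= (COUNT-3);

    for (i = 1; i < (COUNT-2); i++) {
        incr_err2 += (incr_avr2 - incr_per_usec2[i-1]) *
                     (incr_avr2 - incr_per_usec2[i-1]);
    }
    incr_err2 = sqrt(incr_err2);
    if (VERBOSE) {
        printf("QUAD ERR2: %f\n", incr_err2);
    }

    /* Reporting */
    if ((incr_err < 10) || (incr_err2 < 10)) {
        printf("%s time relation found. (err: %f)\n", TARGET,
               (incr_err < 10) ? incr_err : incr_err2);
        return;
    }
    printf("%s checked. (time rel. err: %f and %f)\n", TARGET, incr_err, incr_err2);
}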
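/*
 * Remove minimum and maximum from a list.
 *
 * Copies oldlist[0..len-1] into newlist, leaving out the first occurrence of
 * the smallest value and the first occurrence of the largest value; the
 * order of the remaining elements is kept.  When both fall on the same index
 * (len == 1, or every element equal) only that one element is left out, so
 * newlist receives len-1 values instead of len-2.  newlist must have room
 * for len-1 doubles.  Nothing is written when len <= 0.
 *
 * Change from the posted listing: the forum stripped the "[i]" subscripts,
 * leaving the pointer `oldlist` compared with and assigned to doubles; the
 * element accesses are restored.
 */
void rm_minmax(double *newlist, double *oldlist, int len)
{
    int i, j = 0, rm_max = 0, rm_min = 0;
    double hlp_max, hlp_min;

    if (len <= 0) {
        return;                 /* nothing to read: oldlist[0] would be out of range */
    }

    hlp_min = hlp_max = oldlist[0];
    for (i = 1; i < len; i++) {
        /* Strict comparisons keep the first index on ties. */
        if (hlp_min > oldlist[i]) {
            hlp_min = oldlist[i];
            rm_min = i;
        }
        if (hlp_max < oldlist[i]) {
            hlp_max = oldlist[i];
            rm_max = i;
        }
    }

    for (i = 0; i < len; i++) {
        if ((i != rm_min) && (i != rm_max)) {
            newlist[j] = oldlist[i];
            j++;
        }
    }
}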
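/*
 * Time subtraction: *result = *x - *y.
 *
 * When y's microsecond field is larger than x's, one second is borrowed so
 * that result->tv_usec stays non-negative.  x is expected to be the later
 * time; the function does not normalise a negative overall difference.
 *
 * The definition is written in prototype form instead of the old K&R
 * parameter list, so the compiler can check the argument types at each call.
 * The parameter order (result, x, y) is unchanged.
 */
void timeval_substract (struct timeval *result, struct timeval *x, struct timeval *y)
{
    long hlp_usec;

    result->tv_sec = x->tv_sec - y->tv_sec;
    if (y->tv_usec > x->tv_usec) {
        /* Borrow one second and add its 1000000 us to the difference. */
        (result->tv_sec)--;
        hlp_usec = 1000000 - y->tv_usec;
        result->tv_usec = x->tv_usec + hlp_usec;
    } else {
        result->tv_usec = x->tv_usec - y->tv_usec;
    }
}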
/*** NETWORKING PART *******************************************************/
/*
 * Open the sending and receiving descriptors and collect COUNT sequence
 * numbers into SEQ_list with no delay between samples.  If get_seq_nrs()
 * reports failure, a time-out line is printed and the program exits with
 * status 1.
 * NOTE(review): the results of open_sending()/open_receiving() are not
 * checked here -- confirm how spoofit_v3.h reports failure.
 */
void get_numbers(void)
{
    int rc;

    fd_send = open_sending();
    fd_receive = open_receiving(INTERFACE, IO_NONBLOCK);

    rc = get_seq_nrs(SEQ_list, COUNT, 0);
    if (rc >= 0) {
        return;
    }

    printf("%s time out. (SEQ scanning)\n", TARGET);
    exit(1);
}
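/*
 * Collect `packs` sequence-number samples from TARGET:TARGET_P.
 *
 * For each sample a SYN is sent from a fresh source port (STARTPORT+1
 * upwards) through transmit_TCP(), wait_packet() is called for the reply,
 * the arrival time is stored in time_list[i] and the reply's sequence number
 * in list_seq[i].
 *
 * list_seq   receives one sequence number per sample; needs `packs` slots
 * packs      number of samples; must not exceed MAXSEQ because time_list[]
 *            has only that many entries
 * sec_delay  seconds to sleep before each probe
 *
 * Returns 0 on success and -1 when wait_packet() fails or `packs` is out of
 * range (the caller reports both as a time-out).  Exits with status 1 when a
 * reply carries sequence number 0.
 *
 * NOTE(review): the meaning of the trailing wait_packet() argument (20) and
 * of the zero arguments to transmit_TCP() is defined in spoofit_v3.h --
 * confirm there.
 *
 * Changes from the posted listing: the forum stripped the "[i]" subscripts
 * from "&(time_list)" and "list_seq=pinfo.seq" and turned the apostrophe in
 * the message into an HTML entity; all three are restored.  `packs` is now
 * range-checked and the unused locals are removed.
 */
int get_seq_nrs(unsigned long *list_seq, int packs, int sec_delay)
{
    int i, stat;
    short port;
    struct sp_wait_packet pinfo;

    /* time_list[] is indexed with the same i as list_seq[]. */
    if (packs < 0 || packs > MAXSEQ) {
        return -1;
    }

    port = STARTPORT;
    for (i = 0; i < packs; i++) {
        sleep(sec_delay);
        port++;
        transmit_TCP(fd_send, NULL, 0, 0, 0, SOURCE, port, TARGET, TARGET_P,
                     STARTSEQ + i, 0, SYN);
        stat = wait_packet(fd_receive, &pinfo, TARGET, TARGET_P, SOURCE, port, SYN, 20);
        gettimeofday(&(time_list[i]), NULL);
        if (stat < 0) {
            return -1;
        }
        list_seq[i] = pinfo.seq;
        if (pinfo.seq == 0) {
            printf("\nThis port doesn't accept connections...\n");
            exit(1);
        }
    }
    /* RESET auto, because our host sends RESET  */
    return 0;
}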
曾几何时,有人对我说:装B遭雷劈。我说:去你妈的。于是,这个人又对我说:如果再说脏话,上帝会惩罚你的。我说:我操上帝。结论:彪悍的人生不需要上帝。
