Full-port network listening in ten lines of code

Seeing the title, many people will think: isn't this just port listening? Open a socket and listen, done? Careful. If what we want is to listen on specific ports, say 80, 23 and 443, then creating a few threads, one listening on each port, is enough. But what if we need to listen on every port, that is, to receive data sent to any port from 1 to 65535? Someone will say: fine, just create 65535 threads. Obviously that is not an elegant solution. My original plan was to write a network-layer driver, hook the low-level network operations and implement my own TCP stack, but the more I thought about it the more complex it got. Then I remembered scapy, the tool I had used before, and a dozen or so lines of code solved the problem. The core code is as follows:

```python
from scapy.all import IP, TCP, send, sniff, hexdump

# The kernel must be stopped from answering with its own RSTs first, e.g.
# iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP

def handle(x):
    if not x.haslayer("TCP"):
        return
    # If we receive a SYN, build and return a SYN/ACK.
    if x['TCP'].flags == 0x02:
        ipp = IP(dst=x['IP'].src, src=x['IP'].dst)
        tcpp = TCP(sport=x['TCP'].dport, dport=x['TCP'].sport)
        tcpp.flags = 0x012  # SYN + ACK
        tcpp.ack = x['TCP'].seq + 1
        send(ipp/tcpp)
    # If we receive a FIN/ACK, answer with an ACK; otherwise the peer retransmits.
    elif x['TCP'].flags == 0x011:
        ipp = IP(dst=x['IP'].src, src=x['IP'].dst)
        tcpp = TCP(sport=x['TCP'].dport, dport=x['TCP'].sport)
        tcpp.flags = 0x010  # ACK (scapy's TCP() defaults to SYN, so set it explicitly)
        tcpp.seq = x['TCP'].ack
        tcpp.ack = x['TCP'].seq + 1
        res_packet = ipp/tcpp
        send(res_packet)
    # A PSH/ACK carries application data: log source, destination and payload.
    elif x['TCP'].flags == 0x018:
        if x.haslayer("Raw"):
            print("%s:%d -> %s:%d" % (x['IP'].src, x['TCP'].sport,
                                       x['IP'].dst, x['TCP'].dport))
            hexdump(x.load)

sniff(filter="tcp", prn=handle, store=0)
```

Of course, at this point the code still cannot work, because when a request arrives for a port that is not open, the system sends an RST first and ends the session. So finally we use iptables to drop the outgoing RST packets, and full-port listening is achieved. Isn't that cool :)
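The three decisions the scapy handler makes (SYN gets a SYN/ACK, FIN/ACK gets an ACK, a data segment gets logged) can be tested without root or scapy by working on raw TCP header bytes. The following is an added example, not code from the original post: it parses a segment, plans the reply per the post's rules, and serialises the reply header. It generalises slightly by matching on flag bits rather than exact flag bytes (so an ECN-setup SYN is still answered, and data arriving in a plain ACK segment is still logged) and by wrapping the 32-bit sequence arithmetic; the sample segments are constructed.

```python
import struct

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10

def parse_tcp(segment):
    """Parse a raw TCP segment (header + data) into the fields the responder needs."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_off = (off_flags >> 12) * 4          # header length in bytes, options included
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF,       # low 9 bits: NS,CWR,ECE,URG,ACK,PSH,RST,SYN,FIN
            "payload": segment[data_off:]}

def plan_reply(seg):
    """Decide what the fake all-port listener does with one inbound segment.

    Returns ("reply", fields) for a segment to send back, ("log", payload)
    for application data worth recording, or None when nothing is needed.
    """
    f = seg["flags"]
    swap = {"sport": seg["dport"], "dport": seg["sport"]}
    if f & SYN and not f & ACK:               # SYN -> SYN/ACK, ack = client ISN + 1
        return ("reply", dict(swap, flags=SYN | ACK, seq=0,
                              ack=(seg["seq"] + 1) & 0xFFFFFFFF))
    if f & FIN:                               # FIN/ACK -> ACK, or the peer keeps retransmitting
        return ("reply", dict(swap, flags=ACK, seq=seg["ack"],
                              ack=(seg["seq"] + 1) & 0xFFFFFFFF))
    if f & ACK and seg["payload"]:            # PSH/ACK (or ACK-only) carrying data
        return ("log", seg["payload"])
    return None

def build_tcp(fields, window=8192):
    """Serialise a planned reply into a 20-byte TCP header (checksum left 0 for the raw-socket layer)."""
    return struct.pack("!HHIIHHHH", fields["sport"], fields["dport"], fields["seq"],
                       fields["ack"], (5 << 12) | fields["flags"], window, 0, 0)

# Constructed samples: a SYN from port 51000 to 4444 with ISN 1000, then a PSH/ACK with data.
SYN_SEG = build_tcp({"sport": 51000, "dport": 4444, "seq": 1000, "ack": 0, "flags": SYN})
DATA_SEG = build_tcp({"sport": 51000, "dport": 4444, "seq": 1001, "ack": 1,
                      "flags": PSH | ACK}) + b"GET / HTTP/1.0\r\n"

if __name__ == "__main__":
    for seg in (SYN_SEG, DATA_SEG):
        print(plan_reply(parse_tcp(seg)))
```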

CVE-2015-0311 debug notes

This is my first time analysing a Flash sample, and I will share some skills and experience on how to analyse one.

(1) Root cause analysis

ApplicationDomain.currentDomain.domainMemory is pointed at a global array we define. When we perform certain operations on this array, exceptions occur. We first compress the array, then corrupt it, and then uncompress it; because the data in the array has been changed, the uncompress fails, but domainMemory is not notified, so domainMemory still points to the old array that has already been freed. Note: the relevant code can be found in avmplus (open source).

(2) How to start

First we need to find the functions in the …..

A funny suspected malicious program (notepad.exe) analysis

My colleague sent me some exe files and wanted to check whether they are really malicious, because on VT most of the anti-virus engines flag them as malicious. Let me take one as the example. You can find the static and dynamic scan details here: https://malwr.com/analysis/MzlkNGUxOWNkZmMwNGU4NjkzMTdmYWU5MzAwNWVhYzU/ From the anti-virus section we found many alerts, but from the dynamic result I found no abnormal actions in the execution flow. So is it a false positive? Yet many AV engines alert. …… In the end, working with nEINEI, I found the reason: a section of this PE file has been changed. The attributes of that section have been updated to RWE, and someone has also injected data into this section. …..
