如何使用Bash伪造DHCP发现数据包? | 如何使用Bash伪造DHCP发现数据包

本文介绍了如何使用Bash伪造DHCP发现数据包?的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

我想使用命令行通过网络(LAN)发送经典的 DHCP Discover 软件包，以便触发任何 DHCP服务器侦听的响应，所以我可以用类似的方式捕获它(例如我的IP地址是 192.168.0.30 ):

I would like to send via network (LAN) a classic DHCP Discover package using command line, in order to trigger a response from any DHCP server listening, so I could capture it with something like (say my IP address is 192.168.0.30 ):

tcpdump -i eth0 host 192.168.0.30 -n -s 0 -vvv -w listening.pcap

我认为这是一种检测网络上恶意DHCP服务器的简单方法.

I think about this as a simple method to detect rogue DHCP servers on a network.

如何使用Bash 完成此操作?

其他数据:

允许使用其他工具，但请尝试使它们保持简单:NetCat，sed，grep ...等.
伪造WOL数据包的类似示例:

Other tools allowed, but lets try to keep ti simple: NetCat, sed, grep... etc.
Similar example for forging WOL packet: Bash one-line command to send wake on LAN magic packet without specific tool

推荐答案

完整解决方案

该解决方案类似于黑客"，区别在于UDP Discover软件包将在外壳中手动生成.

The solution is similar to 'hacker' with the difference that the UDP Discover package will be generated manually in the shell.

该代码仅用于以空格而不是冒号的形式替换网卡的给定MAC，并分配给变量(Bash中的类型):

The code is only intended to replace the given MAC of the network card with the form of spaces instead of colons and assigning to a variable (type in Bash):

# manualy:
MAC=ab:ab:ab:ab:ab:ab; MAC=`printf "$(echo $MAC | sed 's/:/ /g')%.0s"`
# or automaticaly:
MAC=`printf "$(echo $(ifconfig -a |awk -v RS= '/eth0/' |awk '/ether/ {print($2)}') | sed 's/:/ /g')%.0s"`
# or simply type (spaces instead of colons!):
MAC="a6 a6 a6 a6 a6 a6"

使用xxd生成一个文件，其中包含准备发送的DHCPDISCOVER包.我使用一个事实，即所有DHCP服务器实际上都不检查校验和.这避免了校验和计算及其记录的显着复杂性.唯一需要更改的元素是网卡的MAC.
该站点非常有用: DHCP(俄语)

Using xxd generate a file containing the DHCPDISCOVER package ready to be sent. I use the fact that the checksum is not checked in practice by all DHCP servers. This avoids significant complications with the checksum calculation and its recording. The only element that needs to be changed is the MAC of the network card.
The site was very helpful: DHCP (in Russian)

echo -e $(echo -n -e "01 01 06 00 62 48 94 CA 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 $MAC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 63 82 53 63 35 01 01 FF") |xxd -r -p >blobfile

为使DHCPDISCOVER数据包不失真地到达DHCP服务器，它必须作为二进制数据发送.不幸的是，Bash收到一些二进制序列作为控制命令.

For the DHCPDISCOVER packet to reach the DHCP server without distortion, it must be sent as binary data. Unfortunately, Bash receives some binary sequences as control commands.

从00到1F的十六进制代码是控制字符的范围，具体取决于系统.其中许多将由BASH解释，例如1F，0d等添加到此的是控制序列，例如082008或610860.

HEX codes from 00 to 1F are the range for control characters, different depending on the system. Many of them will be interpreted by BASH, e.g. 1F, 0d etc.Added to this are control sequences, e.g. 082008 or 610860.

MAC地址理论上是16777216，它们通常包含标识制造商和硬件的部分.有越来越多的生产者，也有计算机，还有分配虚拟或生成随机MAC地址的实践.因此，使用控制字符的机会非常可观.

MAC addresses are theoretically 16777216, they usually contain parts identifying the manufacturer and hardware.There are more and more producers, also computers, there is also the practice of assigning imaginary or generating random MAC addresses. The chance of using control characters is therefore considerable.

这不使用echo Bash *.我们将使用猫.

cat blobfile | nc -w1 -u -b 255.255.255.255 67

Wireshark的结果片段:

A fragment of the result from Wireshark:

Client MAC address: ab:ab:ab:ab:ab:ab (ab:ab:ab:ab:ab:ab)
Option: (53) DHCP Message Type (Discover)

假设仅在外壳中手动输入MAC地址，则仅使用 cat 和 xxd 和 netcat 将解决方案归结为两行代码.

The solution boils down to 2 lines of code using only cat and xxd and netcat assuming manually entering the MAC address in the shell.

我没有找到使Bash不受二进制数据影响的方法.这就是为什么我建议将其从包发送阶段中排除的原因.用C编写生成器可能会有意义，它将避免重定向到文件和cat程序，并将所有内容打包到1行中.但是，这不是问题的主题.

I didn't find a way to make Bash immune to binary data without breaking it. That is why I suggest excluding it from the package sending phase It may make sense to write the generator in C which will get rid of redirection to the file and the cat program and pack everything into 1 line. However, this is not the subject of the question.

解决Bash问题的方法是从Plan 9安装rc shell.它很小(96kB)，速度很快，最重要的是，不会将二进制字符解释为控制字符.我检查了可通过apt获得的标准版本rc 1.7.4-1 Debian Linux.现在，只需按照以下说明发送正确的DHCP Discover数据包，而无需使用cat和存根文件(仅是shell以及xxd和nc ).

The solution to the Bash problem is to install the rc shell from Plan 9. It is very small (96kB), fast, and most importantly, does not interpret binary characters as controlling. I checked on the standard version rc 1.7.4-1 Debian Linux available via apt. Now just follow the instructions below to send the correct DHCP Discover packet without using cat and the stub file, only shell and xxd and nc.

MAC='08 20 08 1f 0d ff'
echo -n -e "01 01 06 00 62 48 94 CA 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 $MAC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 63 82 53 63 35 01 01 FF" |xxd -r -p | nc -w1 -u -b 255.255.255.255 67

这篇关于如何使用Bash伪造DHCP发现数据包?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！