使用 nfqueue/scapy 更改 TCP Payload [英] Change TCP Payload with nfqueue/scapy

问题描述

您好，我正在使用 nfqueue 和 scapy，我的目标是在我的 NFQUEUE 接收数据包，更改有效负载并重新发送它们.

Hello I am using nfqueue and scapy and I my goal is to recieve packets at my NFQUEUE, change the payload and resend them.

我可以毫无问题地更改像 TTL 这样的字段，但是在更改有效负载时，我遇到了问题.

I can change fields like the TTL without any kind of problem, but when it comes to change the payload, I am encoutering problems.

当我更改有效负载时，我使用wireshark 嗅探数据包，显然我发送了修改了有效负载的数据包，但服务器没有应答.

When I change the payload, I sniff the packet with wireshark and apparently I send the packet with the payload modified, but the server doesn't answer.

这是我的代码:

#!/usr/bin/env python

import nfqueue
from scapy.all import *
def callback(payload):
    data = payload.get_data()
    pkt = IP(data)

    pkt[TCP].payload = str(pkt[TCP].payload).replace("ABC","GET")

    pkt[IP].ttl = 40

    print 'Data: '+ str(pkt[TCP].payload)
    print 'TTL: ' + str(pkt[IP].ttl)

    del pkt[IP].chksum
    payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(pkt), len(pkt))
def main():
    q = nfqueue.queue()
    q.open()
    q.bind(socket.AF_INET)
    q.set_callback(callback)
    q.create_queue(0)
    try:
        q.try_run() # Main loop
    except KeyboardInterrupt:
        q.unbind(socket.AF_INET)
        q.close()

main()

我已经为到端口 80 的传出流量设置了这个规则:iptables -I OUTPUT -s 192.168.1.10 -p tcp --dport 80 -j NFQUEUE

I have set this rule for outgoing traffic to port 80: iptables -I OUTPUT -s 192.168.1.10 -p tcp --dport 80 -j NFQUEUE

并且，为了测试它，例如我打开 telnet 到 google 端口 80，执行 GET/HTTP/1.1，这是我看到的:

And, to test it, for example I open telnet to google port 80, do a GET / HTTP/1.1 and this is what I see:

TTL: 40
DATA: GET / HTTP/1.1

现在，如果我执行 ABC/HTTP/1.1 我没有收到任何答复！我的 telnet 卡住了.

Now, if I do ABC / HTTP/1.1 I receive no answer! My telnet just get stuck.

我也试过在 HTTP 网站浏览器上浏览一些东西，在wireshark 上检查我的 TTL 是如何真正变成 40 的，然后，浏览字符串ABC"，我的浏览器再次卡住了.我发现请求已更改为 GET，但我没有收到任何答复.

I have also tried on HTTP websites browers to browse something, check on wireshark how my TTL is really changing to 40, then, browse the string "ABC" and my browser again get stuck. I sniff the request changed to GET but I receive no answer.

谢谢让我头疼，如果有更多经验的人可以引导我找到正确的方法，我将不胜感激.提前致谢.

Thank is kind of giving me a headache and I would really appreciate if someone with more experience could lead me to the right way. Thank you in advance.

推荐答案

我添加了重新计算 TCP 校验和的行，这很有用.

I added the line for recalculate the TCP checksum, that was usefull.

这仅在我更改有效负载时才有效，我不会更改它的长度，否则，我需要更改 IP 标头的字段长度，并回答我自己，也许其他正在寻找此答案的人，我只是通过这样做来实现的:

That only works if I change payload I don't alter the lenght of it, otherwise, I would need to change the field length of the IP Header, and answering myself, and maybe other people that is looking for this answer, I achieve that just by doing:

payload_before = len(pkt[TCP].payload)

pkt[TCP].payload = str(pkt[TCP].payload).replace("Heading","Other string")

payload_after = len(pkt[TCP].payload)

payload_dif = payload_after - payload_before

pkt[IP].len = pkt[IP].len + payload_dif

我知道我必须更改更多字段，因为有时，如果您添加了足够的有效负载以需要分段为新数据包，则必须更改更多字段.

I know that I have to change more fields, because sometimes, if you add enough payload for needing to fragment into a new packet, you have to change more fields.

目前我不知道如何有效地但一点一点地实现这一目标.希望有人发现我改变有效负载的解决方案很有用.

Currently I don't know how to achieve this efficiently but little by little. Hope someone find my solution for altering the payload useful.

这篇关于使用 nfqueue/scapy 更改 TCP Payload的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！