Killcx is a Perl script for closing TCP connections on Linux regardless of their state (half-open, established, waiting, or closing).
Today I tried installing it on Ubuntu and recorded the process.
Download killcx
wget https://kumisystems.dl.sourceforge.net/project/killcx/killcx/1.0.3/killcx-1.0.3.tgz
tar -zxvf killcx-1.0.3.tgz
Official download link for killcx-1.0.3.tgz
Install Perl
sudo apt install perl
Install the required Perl modules
sudo apt-get install -y libnet-rawip-perl
sudo apt-get install -y libnet-pcap-perl
sudo apt-get install -y libnetpacket-perl
I tried the CPAN installation from other articles, but it did not succeed. It may have something to do with how Perl was installed; I could not figure it out and simply gave up. The error was as follows:
# sudo cpan -f install Net::Pcap
……
……
……
looking for -lpcap... no
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You appear to lack the pcap(3) library.
If it is installed in a non-standard location, please try setting the LIBS
and INC values on the command line.
Or get the sources and install the pcap library from http://www.tcpdump.org/
If you install the pcap library using a system package, make sure to also
install the corresponding -devel package, which contains the C headers needed
to compile this module.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Warning: No success on command[/usr/bin/perl Makefile.PL INSTALLDIRS=site]
CORION/Net-Pcap-0.21.tar.gz
/usr/bin/perl Makefile.PL INSTALLDIRS=site -- NOT OK
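A preflight check for the three Perl dependencies is worth running before invoking killcx, because the script fails at compile time with an unhelpful message when one is missing. The following Python script is an added example, not part of killcx or this post: it derives the Debian/Ubuntu package name from the CPAN distribution name (the convention that produces the three package names installed above) and asks perl whether each module loads. The module-to-distribution pairs are my assumptions based on the packages the post installs.

```python
"""Preflight check for the Perl modules killcx loads, and the Debian/Ubuntu
package that provides each one. Added example, not killcx code; the
module/distribution pairs below are assumed from the packages in the post."""
import shutil
import subprocess

# (module to load, CPAN distribution name). Debian names the package for a CPAN
# distribution lib<distribution lowercased>-perl, which is where the three
# apt package names in the post come from.
KILLCX_DEPS = (
    ("Net::RawIP", "Net-RawIP"),
    ("Net::Pcap", "Net-Pcap"),
    ("NetPacket::TCP", "NetPacket"),   # assumed: a module shipped by NetPacket
)


def debian_package_for(distribution: str) -> str:
    """Map a CPAN distribution name to its Debian/Ubuntu package name."""
    return "lib" + distribution.lower() + "-perl"


def module_loads(module: str) -> bool:
    """True if `perl -M<module> -e 1` succeeds; False if perl is absent or the
    module cannot be loaded. The module name comes from our own tuple and is
    passed as an argv element, so no shell parsing is involved."""
    perl = shutil.which("perl")
    if perl is None:
        return False
    result = subprocess.run([perl, f"-M{module}", "-e", "1"],
                            capture_output=True, text=True)
    return result.returncode == 0


def missing_packages(deps=KILLCX_DEPS) -> list:
    """Packages still needed, in the order killcx's dependencies are listed."""
    return [debian_package_for(dist) for mod, dist in deps if not module_loads(mod)]


if __name__ == "__main__":
    if shutil.which("perl") is None:
        print("perl is not installed: run `sudo apt install perl` first")
    else:
        missing = missing_packages()
        if missing:
            print("sudo apt-get install -y " + " ".join(missing))
        else:
            print("all killcx Perl dependencies are present")
```

Run it as an unprivileged user; it only loads modules and never sends packets. If it reports a package that is already installed, the module was most likely installed into a different Perl (for example a CPAN build under a non-system perl), which is exactly the mismatch the CPAN attempt above ran into.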
How Killcx works
Killcx works by creating a spoofed SYN packet with a bogus SeqNum, impersonating the remote client's IP/port, and sending it to the server. It forks a child process that captures the server's response, extracts the two sequence values from the ACK packet, and uses them to send spoofed RST packets. The connection is then closed.
Failed attempt
Environment: Tencent Cloud, Ubuntu 16
It looks like killcx is unable to capture the ACK.
Note: here killcx sends the SYN to the local address, not to the remote address.
sudo killcx xxx.xxx.xxx.xxx:44578
killcx v1.0.3 - (c)2009-2011 Jerome Bruandet - http://killcx.sourceforge.net/
[PARENT] checking connection with [xxx.xxx.xxx.xxx:44578]
[PARENT] found connection with [172.16.16.15:443] (ESTABLISHED)
[PARENT] forking child
[PARENT] sending spoofed SYN to [172.16.16.15:443] with bogus SeqNum
[CHILD] interface not defined, will use [eth0]
[CHILD] setting up filter to sniff ACK on [eth0] for 5 seconds
[PARENT] no response from child, operation may have failed
[PARENT] => you may try using 'lo' as interface parameter
[PARENT] killing child [13383] and exiting program
Troubleshooting
- Perhaps pcap starts up or captures too slowly; increasing the wait time might allow the packet to be captured.
  # Excerpt from killcx's parent-process code with the wait times raised;
  # $local_ip, $local_port, $dest_ip and $dest_port are set earlier in the script.
  use Net::RawIP;

  # wait for our child to be ready (raised from 0.5 to 4 seconds) :
  select( undef, undef, undef, 4 );

  print "[PARENT] sending spoofed SYN to [$local_ip:$local_port]".
        " with bogus SeqNum\n";

  # send spoofed SYN packet :
  my $packet = Net::RawIP->new({
      ip  => { frag_off => 0, tos => 0,
               saddr => $dest_ip, daddr => $local_ip
             },
      tcp => { dest => $local_port, source => $dest_port,
               seq => 10, syn => 1
             }
  });
  $packet->send;

  # wait for the child's answer (raised from 5 to 10 seconds) :
  select( undef, undef, undef, 10 );
- Even after raising the wait values, the capture success rate remained very low, and on the few occasions a packet was captured the TCP connection still was not closed as expected.
- No ACK packet was sent in response to the SYN
Packet capture showed only the SYN packet, with no corresponding ACK returned. The packets that were occasionally captured were actually keep-alive or other ACK packets, which gave the false impression of a low capture rate.
- The TCP connection was not closed
When an ACK packet was captured, the spoofed RST packet was sent, yet the TCP state remained ESTABLISHED.
References
Installing and using Killcx on CentOS 7
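Both the "How Killcx works" section and the last observation above (RST sent, state still ESTABLISHED) come down to how the receiving kernel treats a SYN and a RST on a connection that is already established. RFC 5961 specifies this: a SYN is never acted on directly but earns a "challenge ACK" carrying the live SND.NXT and RCV.NXT (the ACK killcx's child waits for), and a RST resets the connection only if its sequence number equals RCV.NXT exactly; an in-window but inexact RST earns only another challenge ACK. The Python model below is an added illustration written for this post, not killcx code; it assumes the server runs a stack that implements RFC 5961, as modern Linux kernels do, and all connection values in it are constructed.

```python
"""Receiver-side handling of a SYN and a RST on an ESTABLISHED TCP connection,
following RFC 5961 sections 3 and 4. Added model for illustration, not killcx
code; it assumes an RFC 5961 stack, and every value below is constructed."""
from dataclasses import dataclass
from enum import Enum

SEQ_SPACE = 1 << 32  # TCP sequence numbers wrap at 2^32


class Action(Enum):
    DROP = "drop"                    # segment silently discarded
    CHALLENGE_ACK = "challenge_ack"  # reply with an ACK carrying SND.NXT / RCV.NXT
    RESET = "reset"                  # connection torn down


@dataclass
class Connection:
    """The receiver-side variables that decide the outcome (constructed values)."""
    rcv_nxt: int  # next sequence number expected from the peer
    rcv_wnd: int  # receive window currently advertised
    snd_nxt: int  # next sequence number this side will send


def in_window(seq: int, conn: Connection) -> bool:
    """True if seq falls in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2^32."""
    return (seq - conn.rcv_nxt) % SEQ_SPACE < conn.rcv_wnd


def on_syn(conn: Connection) -> tuple:
    """RFC 5961 section 4: a SYN arriving on an established connection is not
    acted on, whatever its sequence number; the receiver answers with a
    challenge ACK whose SEQ is SND.NXT and whose ACK is RCV.NXT. This is the
    ACK that killcx's child process sniffs for on the interface."""
    return Action.CHALLENGE_ACK, {"seq": conn.snd_nxt, "ack": conn.rcv_nxt}


def on_rst(seg_seq: int, conn: Connection) -> Action:
    """RFC 5961 section 3: a RST resets the connection only if its sequence
    number equals RCV.NXT exactly; an in-window but inexact RST only earns
    another challenge ACK, and an out-of-window RST is dropped."""
    if seg_seq == conn.rcv_nxt:
        return Action.RESET
    if in_window(seg_seq, conn):
        return Action.CHALLENGE_ACK
    return Action.DROP


def outcome_of_rst_built_from_challenge(conn: Connection) -> Action:
    """What the server does with a RST whose sequence number was copied from
    the ACK field of the challenge ACK, which is the value killcx extracts."""
    _, challenge = on_syn(conn)
    return on_rst(challenge["ack"], conn)


if __name__ == "__main__":
    server = Connection(rcv_nxt=1_000, rcv_wnd=65_535, snd_nxt=5_000)
    print("SYN on established connection  ->", on_syn(server))
    print("RST with seq from challenge ACK ->", outcome_of_rst_built_from_challenge(server))
    print("RST with in-window guess        ->", on_rst(1_500, server))
    print("RST with out-of-window seq      ->", on_rst(999, server))
```

Two consequences follow for anyone debugging a run like the one above. First, if the RST's sequence number is off by even one byte (for example because the peer sent data between the challenge ACK and the RST), the kernel answers with another ACK and the state stays ESTABLISHED, which is consistent with, though not proven to be, what was observed here. Second, Linux rate-limits challenge ACKs (the net.ipv4.tcp_challenge_ack_limit sysctl), so a spoofed SYN does not always produce a capturable reply; the model above does not simulate that limit. On the defensive side, the same checks are why an on-path-less attacker cannot reset a connection with a guessed in-window sequence number on an RFC 5961 stack.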
killcx.sourceforge.net
How To Install “libnetpacket-perl” Package on Ubuntu