portknocking(端口试探） demo

最新推荐文章于 2024-12-07 11:05:49 发布

原创最新推荐文章于 2024-12-07 11:05:49 发布 · 2k 阅读

1 ·

CC 4.0 BY-SA版权

文章标签：

#null #filter #interface #command #session #string

安全相关专栏收录该内容

4 篇文章

订阅专栏

本文介绍了一个简单的PortKnocking演示程序，包括server端和client端的实现。server端通过初始化iptables并清空规则来响应特定的端口敲门序列，而client端则负责发送这些端口试探包以开启相应的TCP端口。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

一个基本的portknocking demo.
server端运行receive程序，初始化iptable，规则清空；
client端允许send程序，发送端口试探序列，开启相应的tcp端口。

send.c

/* portknocking demo V0.1 moxuansheng */

#include <sys/socket.h>

#include <netinet/ip.h>

#include <netinet/in.h>

#define __FAVOR_BSD

#include <netinet/tcp.h>

#include <stdio.h>

#include <unistd.h>

/* Global variable */

struct portlist {

int port;

struct portlist* next;

};

struct portlist* start = NULL; /* the port list */

struct sockaddr_in server; /* destination socket struct */

int portnum = 0; /* the sum of port knock packet send to dest*/

/* function protype */

void

get_command(char** argv, struct portlist** start, char** dest, char** srcport); /* parser program arg */

char*

is_another_param(char** argv); /* has next arg */

char*

next_param(char*** argv); /* next to arg */

void

addportList(struct portlist** start, char* port); /* add the port list in List */

unsigned short

csum(unsigned short* buf, int nwords); /* packet check sum */

void

sendpacket(int sockfd, char* data, int destport, char* dest, int srcport); /* send the packet to dest */

void

usage(void); /* program usage */

int

main(int argc, char *argv[]) {

int sockfd;

char* dest; /* dest host IP address string */

char* sourceport;

char datagram[4096];

int count; /* send packet count */

/* parser the argument */

get_command(argv, &start, &dest, &sourceport);

#ifdef DEBUG2

struct portlist* temp = start;

printf("the port sequence is: ");

while(temp != NULL) {

printf(" %d ", temp->port);

temp = temp->next;

}

printf(" the port number is:%d ",portnum);

#endif

/* initilize the sockaddr_in */

bzero(&server,sizeof(server));

bzero(datagram,4096);

server.sin_family = AF_INET;

server.sin_addr.s_addr = inet_addr(dest);

server.sin_port = htons(0);

/*create raw socket */

if ((sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1) {

printf(" create socket error ");

exit(0);

}

/* send packet with port number in portlist */

struct portlist* current;

for (count = 0; count < portnum; count++) {

current = start;

sendpacket(sockfd, datagram,current->port, dest, atoi(sourceport));

start = start->next;

free(current);

}

return 0;

}

void

get_command(char** argv, struct portlist** start, char** dest, char** srcport) {

char c;

char* conf;

char* port;

if (!*(argv+1)){

printf("missing argument ");

usage();

exit(0);

}

/* parser the program argument */

while(*++argv) {

if ((*argv)[0] != '-') {

printf(" missing switch character at '%s'.Use -h for option.",*argv);

exit(0);

}

if (!(c = (*argv)[1])) {

printf(" missing switch character at '%s'.Use -h for option.",*argv);

exit(0);

}

if ((*argv)[2]) {

printf(" joined argument is not allowed ");

exit(0);

}

switch(c) {

case 'h':

usage();

break;

case 'd':

{

if ( !is_another_param(argv)){

printf("ERR: -d need one argument ");

usage();

exit(0);

}

*dest = next_param(&argv);

if (is_another_param(argv)) {

printf("ERR:no more two destination hosts ");

usage();

exit(0);

}

break;

case 'p':

if ( !is_another_param(argv)){

printf("ERR: -p need one argument ");

usage();

exit(0);

}

while((port=next_param(&argv))) {

addportList(start,port);

++portnum;

}

break;

case 's':

if (!is_another_param(argv)) {

printf("ERR: -s need one argument ");

usage();

exit(0);

}

*srcport = next_param(&argv);

if (is_another_param(argv)) {

printf("ERR: no more two source port ");

usage();

exit(0);

}

break;

default:

{

usage();

exit(0);

}

char*

is_another_param(char** argv) {

return (*(argv + 1) && *(argv + 1)[0] != '-')

? *(argv + 1)

: NULL;

}

char*

next_param(char*** argv) {

char* c;

if ((c = is_another_param(*argv))) {

(*argv)++;

return c;

}

return NULL;

}

/* add the port knock sequence in the portlist*/

void

addportList(struct portlist** start, char* port) {

struct portlist* newport, *currentport, * previousport;

currentport = *start;

previousport = NULL;

newport = (struct portlist*)malloc(sizeof(struct portlist));

if (newport == NULL) {

printf("malloc portlist struct failed ");

exit(0);

}

if ((newport->port = atoi(port)) > 65535) {

printf(" the port out of range ");

exit(0);

}

newport->next = NULL;

while (currentport != NULL) {

previousport = currentport;

currentport = currentport->next;

}

if (*start == NULL) {

*start = newport;

} else {

previousport->next = newport;

}

/* check sum, copy from the raw socket programming */

unsigned short

csum(unsigned short* buf, int nwords) {

unsigned long sum;

for (sum = 0; nwords > 0; nwords--)

sum += *buf++;

sum = (sum >> 16) + (sum & 0xffff);

sum += (sum >> 16);

return ~sum;

}

/*send the packet to destination using raw socket */

void

sendpacket(int sockfd, char* datagram, int destport, char* dest, int srcport) {

struct ip *iph = (struct ip*)datagram;

struct tcphdr *tcph = (struct tcphdr*)(datagram + sizeof(struct ip));

iph->ip_hl = 5;

iph->ip_v = 4;

iph->ip_tos = 0;

iph->ip_len = sizeof(struct ip) + sizeof(struct tcphdr);

iph->ip_id = htonl(12345);

iph->ip_off = 0;

iph->ip_ttl = 255;

iph->ip_p = 6;

iph->ip_sum = 0;

iph->ip_src.s_addr = inet_addr("127.0.0.1");

iph->ip_dst.s_addr = inet_addr(dest);

tcph->th_sport = htons(srcport);

tcph->th_dport = htons(destport);

tcph->th_seq = random();

tcph->th_ack = 0;

tcph->th_x2 = 0;

tcph->th_off = 0;

tcph->th_flags = TH_SYN;

tcph->th_win = htonl(65535);

tcph->th_sum = 0;

tcph->th_urp = 0;

iph->ip_sum = csum ((unsigned short*)datagram, iph->ip_len >> 1);

int one = 1;

const int *val = &one;

if (setsockopt(sockfd,IPPROTO_IP, IP_HDRINCL, val, sizeof(one)) < 0) {

printf("Cannot set HDRINCL ");

exit(0);

}

if (sendto(sockfd, datagram, iph->ip_len, 0, (struct sock_addr*)&server, sizeof(server)) < 0){

printf("send error ");

exit(0);

} else {

printf("send ok ");

}

/* usage */

void

usage(void) {

printf("-d the destination server ");

printf("-p the port sequence sending to dest ");

printf("-s the sourceport of packet sending to dest ");

printf(" the usage is: ");

printf(" -d dest -p port1 port2 -s port3 ");

printf(" the example is: ");

printf(" arg -d 192.168.100.200 -p 1024 1025 1026 -s 1981 ");

}

receive.c

/* portknocking demo V0.1 moxuansheng*/

#include <stdio.h>

#include <string.h>

#include <stdlib.h>

#include <pcap.h>

#include <pthread.h>

#include <sys/socket.h>

#include <sys/types.h>

#define __FAVOR_BSD

#include <netinet/if_ether.h>

#include <netinet/in.h>

#include <netinet/ip.h>

#include <netinet/tcp.h>

#include <syslog.h>

#define PCAP_FILTER_1 "tcp src port " /* pcap filter */

#define PCAP_FILTER_2 " or " /* pcap filter */

#define CLOSE_PORT "9999" /* close the firewall */

#define IPTABLE_PATH "/sbin/iptables"

#define SUCCESS 0

#define ERROR 1

#define FOUND 0

#define NOTFOUND 1

/* Global variable */

enum{

CLOSE,

OPEN

};

struct portlist {

int port;

struct portlist* next;

}; /* the list store port sequence */

struct hostnode {

int stat; /* the host stat opening or close */

int steps; /* the port sequence steps */

char* addr;/* host addr */

struct hostnode* next;

};

struct portlist* portstart = NULL; /* port list start node */

int portnum = 0; /* the number of port sequence */

int *portarray; /* the the port array, access directly without list */

struct hostnode* hoststart = NULL; /* the host start node */

pcap_t *session; /* pcap session handler */

char* cli_addr; /* the client ip address */

/* function prototype */

void

get_command(char** argv, char** interface, char** sourceport, struct portlist** start); /* parser program arg */

char*

is_another_param(char** argv); /* fetch next arg */

char*

next_param(char*** argv); /* get arg and step to next arg */

void

iptables_init(void); /* iptables init */

void

addportList(struct portlist** portstart, char* port); /* add the port to List */

int

addhostList(struct hostnode** hoststart, char* cli_addr, int destport); /* add the receive ip into a host list*/

int

checkhostList(struct hostnode** start, char* cli_addr, int destport); /* check the destport if the cli_addr insert into hostnode List or not */

int

checkportList(struct portlist** start, int destport); /* check whether the destport of received packet is in portlist or not */

int

pcap_init(char* , char*); /* init the libpcap */

void

print_error(pcap_t* session); /* print the pcap session err*/

void

receive_pkt(u_char* args, const struct pcap_pkthdr* header, const u_char* packet); /* process a receive packet */

void*

emalloc(size_t size, int num); /* malloc size of memory */

void

usage(void); /* the program usage */

int

main(int argc, char* argv[]) {

char* interface; /* network interface */

char* sourceport; /* the packet's sourceport */

get_command(argv, &interface, &sourceport, &portstart);

///////////////////

//run in daemon, you can add standard method

///////////////////

#ifdef DEBUG2

printf(" the interface is:%s ", interface);

struct portlist* temp = portstart;

printf("the port sequence is: ");

while (temp) {

printf(" %d ",temp->port);

temp = temp->next;

}

#endif

/* copy the portlist to array, so it could access directly without all list*/

portarray = (int*) emalloc(sizeof(int), portnum);

int i = 0;

struct portlist* pstart = portstart;

while (pstart != NULL) {

portarray[i++] = pstart->port;

pstart = pstart->next;

}

#ifdef DEBUG2

printf("the port array is: ");

for (i = 0; i < portnum; i++)

printf(" %d ",portarray[i]);

#endif

/* iptable init */

iptables_init();

/* pcap init */

if(pcap_init(interface, sourceport)) {

printf("pcap init Error ");

return ERROR;

}

/* this is main loop program, capature the matched packet */

pcap_loop(session, -1, &receive_pkt, NULL);

return SUCCESS;

}

void

get_command(char** argv, char** interface, char** sourceport, struct portlist** portstart) {

char c;

char* port;

if (!*(argv + 1)) {

printf("ERR: missing argument ");

usage();

exit(0);

}

while(*++argv) {

if ((*argv)[0] != '-') {

printf(" missing switch character at '%s'.Use -h for option.",*argv);

usage();

exit(0);

}

if (!(c = (*argv)[1])) {

printf(" missing argument at '%s'.Use -h for option.",*argv);

usage();

exit(0);

}

if ((*argv)[2]) {

printf(" joined argument is not allowed ");

usage();

exit(0);

}

switch(c) {

case 'h':

usage();

exit(0);

break;

/* get the interface */

case 'i':

{

if (!is_another_param(argv)) {

printf(" -i option need one arg ");

usage();

exit(0);

}

*interface = next_param(&argv);

if (is_another_param(argv)) {

printf("ERR:no more two interface ");

usage();

exit(0);

}

break;

}

/* get the sourceport and compare it with the received packet's srouceport*/

case 's':

{

if (!is_another_param(argv)) {

printf(" -s option need one arg ");

usage();

exit(0);

}

break;

}

/* get the port sequece and store them in port list */

case 'p':

{

if (!is_another_param(argv)) {

printf(" -p option need at least one arg ");

usage();

exit(0);

}

while((port = next_param(&argv))) {

addportList(portstart,port);

portnum++;

}

break;

}

default:

usage();

exit(0);

}

char*

is_another_param(char** argv) {

return (*(argv + 1) && *(argv+1)[0] != '-')

? *(argv + 1)

: NULL;

}

char*

next_param(char*** argv) {

char* c;

if ((c = is_another_param(*argv))) {

(*argv)++;

return c;

}

return NULL;

}

void

addportList(struct portlist** portstart, char* port) {

struct portlist* newport, *currentport, *previousport;

currentport = *portstart;

newport = (struct portlist*)malloc(sizeof(struct portlist));

previousport = NULL;

if (newport == NULL) {

printf("malloc struct portlist failed ");

exit(0);

}

if((newport->port = atoi(port)) > 65535) {

printf("port out of range ");

exit(0);

}

newport->next = NULL;

while ( currentport != NULL) {

previousport = currentport;

currentport = currentport->next;

}

if ((*portstart)== NULL) {

*portstart = newport;

} else {

previousport->next = newport;

}

void*

emalloc(size_t size, int num) {

void *p;

p = malloc(size * num);

if (p == NULL) {

printf("malloc error ");

exit(0);

}else {

printf("malloc success ");

}

return p;

}

int

pcap_init(char* interface, char* sourceport) {

#ifdef DEBUG2

printf("pcap-initting ");

#endif

char* dev = interface;

char errbuf[PCAP_ERRBUF_SIZE]; /* Error string returned, see pcap manpage */

struct bpf_program filter; /* The compiled filter */

char filter_string1[] = PCAP_FILTER_1;

char filter_string2[] = PCAP_FILTER_2;

bpf_u_int32 mask; /* Our netmask */

bpf_u_int32 net; /* Our IP */

strncat(filter_string1, sourceport, strlen(sourceport));

strncat(filter_string1, filter_string2, strlen(filter_string2));

strncat(filter_string1, CLOSE_PORT, strlen(CLOSE_PORT));

if ((pcap_lookupnet(dev, &net, &mask, errbuf)) < 0 )

{

printf("Error looking up pcap device: %s ", errbuf);

return ERROR;

}

/* open the pcap session */

if ( (session = pcap_open_live(dev, BUFSIZ, 0, 0, errbuf)) == NULL)

{

printf("Error with pcap_open_live: %s ", errbuf);

return ERROR;

}

/* Compile a new filter */

if ((pcap_compile(session, &filter, filter_string1, 0, net)) < 0)

{

print_error(session);

return ERROR;

}

if ( (pcap_setfilter(session, &filter)) < 0)

{

print_error(session);

return ERROR;

}

return SUCCESS;

}

void

print_error(pcap_t *s)

{

/* From the pcap manpage:

void pcap_perror(pcap_t *p, char *prefix) */

char *prefix = "The following pcap error occurred";

pcap_perror(s, prefix);

}

void

receive_pkt(u_char* args, const struct pcap_pkthdr* header, const u_char* packet) {

#ifdef DEBUG2

printf("receive a packet ");

#endif

int found = 0;

pid_t pid;

const struct ether_header *ethernet_header;

const struct ip *iphdr;

const struct tcphdr *tcpheader;

int size_ether = sizeof(struct ether_header);

int size_ip = sizeof(struct ip);

int destport;

int srcport;

ethernet_header = (struct ether_header*)packet;

iphdr = (struct ip*)(packet + size_ether);

tcpheader = (struct tcphdr*)(packet + size_ether + size_ip);

cli_addr = inet_ntoa(iphdr->ip_src); /* get the src */

destport = ntohs(tcpheader->th_dport); /* get the src port */

srcport = ntohs(tcpheader->th_sport);

/* the the received packet's sourceport is the close port number, remove the cli from host list, and delete iptable rules */

if (srcport == atoi(CLOSE_PORT)) {

struct hostnode *previous, *current;

previous = NULL;

if (hoststart == NULL) {

printf(" the host List is null ");

return;

}

for (current = hoststart; current != NULL; previous = current, current = current->next) {

if (!strcmp(current->addr, cli_addr)) {

found = 1;

/* if the host is in the first host list*/

if(previous == NULL) {

hoststart = current->next;

} else {

previous->next = current->next;

}

free(current);

break;

}

if (found) {

syslog(LOG_ERR, "delete the %s IP in the host list. ", cli_addr);

if ((pid = fork()) == 0) {

execlp(IPTABLE_PATH, "iptables", "-D", "INPUT", "-s", cli_addr, "-p", "tcp", "-j", "ACCEPT", NULL);

exit(0);

}

printf("delete the IP %s from the trusted list. ", cli_addr);

} else {

printf(" the cli_addr not found in the host list ");

}

return ;

}

#ifdef DEBUG2

printf(" received packet's dest port is:%d ",ntohs(tcpheader->th_dport));

#endif

if (!checkhostList(&hoststart, cli_addr, destport)) {

printf("add the cli_addr in the hostnode List ");

} else {

printf(" the received packet not comply rule ");

}

/* (1) check wherther the desport in the portList, if not, the packet received is not a valid packet;

(2) if it's a valid packet, add the cli_addr in hostnode List and modify the status

int

checkhostList(struct hostnode** start, char* cli_addr, int destport) {

if (!checkportList(&portstart,destport)) {

printf(" the destport in the trusted port list ");

if(!addhostList(start, cli_addr, destport)) {

printf("add the host in the list ");

}

else {

return ERROR;

}

} else {

printf(" it's not a valid packet, drop it ");

return ERROR;

}

return SUCCESS;

}

/* check if the received packet's destport in the portlist */

int

checkportList(struct portlist** portstart, int destport) {

struct portlist * currentport;

currentport = *portstart;

while (currentport != NULL) {

if (currentport->port == destport) {

return FOUND;

}

currentport = currentport->next;

}

return NOTFOUND;

}

int

addhostList(struct hostnode** start, char* cli_addr, int destport) {

pid_t pid;

struct hostnode *newhost, *currenthost, *previoushost;

int count; /* compare the destport to portarray */

newhost = (struct hostnode*)malloc(sizeof(struct hostnode));

if (newhost == NULL) {

printf("malloc hostnode failed ");

exit(0);

}

newhost->stat = CLOSE;

newhost->steps = 0;

newhost->addr = cli_addr;

newhost->next = NULL;

currenthost = *start;

previoushost = NULL;

while (currenthost != NULL) {

printf(" in the host list ");

/* find the host whether already add in the host list*/

if (!strcmp(currenthost->addr, newhost->addr)) {

/* if the host's stat is already OPEN, skip the knock sequence */

if (currenthost->stat == OPEN) {

printf(" the host's is already open ");

free(newhost);

return SUCCESS;

}

/* check if the port sequence is right*/

printf(" the currenthost's steps is:%d ",currenthost->steps);

if (portarray[(currenthost->steps + 1)] == destport) {

printf(" follow the sequence ");

++currenthost->steps;

printf(" the steps is:%d ",currenthost->steps);

/* if the steps is the last key in portarray, add the trusted

host list*/

if (currenthost->steps == (portnum - 1)) {

printf("the port sequece is right,add open the firewall ");

currenthost->stat = OPEN;

/* add the cli_addr in the trusted host list */

syslog(LOG_ERR, "open tcp port for IP:%s. ",cli_addr);

if ((pid = fork()) == 0) {

execlp(IPTABLE_PATH, "iptables", "-I", "INPUT", "1", "-s", cli_addr, "-p", "tcp", "-j", "ACCEPT", NULL);

exit(0);

}

return SUCCESS;

}

return SUCCESS;

}

/* if ++steps portarray key is not equal the destport, the port se

quence is wrong */

else {

printf("sequence is wrong ");

return ERROR;

}

previoushost = currenthost;

currenthost = currenthost->next;

}

/* if the host is the not in the trust list, check the first port whether right or not */

if (previoushost == NULL) {

if (destport == portarray[0]) {

*start = newhost;

printf("the start host node ");

}

else {

printf("the first port number is wrong ");

return ERROR;

}

/* if the has the start node, insert the new host in the tail */

else {

if (destport == portarray[0]) {

previoushost = newhost;

}

else {

printf("the first port number is wrong in the host list ");

return ERROR;

}

return SUCCESS;

}

/* get from the cryptoknocking, maybe that the open source :-)*/

void

iptables_init(){

pid_t pid;

syslog(LOG_ERR,"portknocking starting.");

/* Flush the default rules */

if((pid=fork())==0){

execlp(IPTABLE_PATH,"iptables","-F",NULL);

exit(0);

}

/* Add the state modules */

if((pid=fork())==0){

execlp(IPTABLE_PATH,"iptables","-A","INPUT","-m","state","--state",

"ESTABLISHED,RELATED","-j","ACCEPT",NULL);

exit(0);

}

if((pid=fork())==0){

execlp(IPTABLE_PATH,"iptables","-A","OUTPUT","-m","state","--state",

"NEW,ESTABLISHED,RELATED","-j","ACCEPT",NULL);

exit(0);

}

/* Default policy is DROP */

if((pid=fork())==0){

execlp(IPTABLE_PATH,"iptables","-A","INPUT","-p","tcp","-j","DROP",

NULL);

exit(0);

}

syslog(LOG_ERR, "portknocking monitor all incoming traffic ");

}

void

usage(void) {

printf("the portknocking deamon ");

printf("-i the interface listened ");

printf("-p the port knocking sequence ");

printf("-s the source port of packet received ");

printf(" usage: -i eth0 -s 1981 -p 1025 1026 1027 ");

}