bash - 如何使用 Bash 伪造 DHCP 发现数据包？

Question

我想使用命令行通过网络 (LAN) 发送一个经典的 DHCP Discover 包，以触发任何监听的 DHCP 服务器 的响应，所以我可以用类似的东西捕获它(假设我的 IP 地址是 192.168.0.30 ):

tcpdump -i eth0 host 192.168.0.30 -n -s 0 -vvv -w listening.pcap

我认为这是一种检测网络上的恶意 DHCP 服务器的简单方法。

我如何使用 Bash 做到这一点？

更多数据:

• 允许使用其他工具，但我们尽量保持简单:NetCat、sed、grep...等。
• 伪造 WOL 数据包的类似示例:Bash one-line command to send wake on LAN magic packet without specific tool

Answer 1

完整解决方案

解决方案与'hacker'类似，区别在于UDP Discover包将在shell中手动生成。

该代码仅用于将网卡的给定 MAC 替换为空格而不是冒号的形式并分配给变量(在 Bash 中键入):

# manualy:
MAC=ab:ab:ab:ab:ab:ab; MAC=`printf "$(echo $MAC | sed 's/:/ /g')%.0s"`
# or automaticaly: 
MAC=`printf "$(echo $(ifconfig -a |awk -v RS= '/eth0/' |awk '/ether/ {print($2)}') | sed 's/:/ /g')%.0s"`
# or simply type (spaces instead of colons!):
MAC="a6 a6 a6 a6 a6 a6"

使用 xxd 生成一个包含准备发送的 DHCPDISCOVER 包的文件。我使用的事实是所有 DHCP 服务器实际上都没有检查校验和。这避免了校验和计算及其记录的严重复杂化。唯一需要更改的元素是网卡的 MAC。
该网站非常有帮助:DHCP (in Russian)

echo -e $(echo -n -e "01 01 06 00 62 48 94 CA 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 $MAC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 63 82 53 63 35 01 01 FF") |xxd -r -p >blobfile

要使 DHCPDISCOVER 数据包无失真地到达 DHCP 服务器，它必须作为二进制数据发送。不幸的是，Bash 接收一些二进制序列作为控制命令。

从00到1F的HEX码是控制字符的范围，因系统而异。其中许多将由 BASH 解释，例如1F、0d 等添加到此的是控制序列，例如082008 或 610860。

MAC 地址理论上是 16777216，它们通常包含标识制造商和硬件的部分。生产者越来越多，电脑也越来越多，也有分配虚构或生成随机MAC地址的做法。因此，使用控制字符的机会是相当大的。

这不包括 echo Bash* 的使用。我们将使用猫。

cat blobfile | nc -w1 -u -b 255.255.255.255 67

Wireshark 结果的片段:

Client MAC address: ab:ab:ab:ab:ab:ab (ab:ab:ab:ab:ab:ab)
Option: (53) DHCP Message Type (Discover)

该解决方案归结为仅使用 cat 和 xxd 以及 netcat 的 2 行代码，假设在 shell 中手动输入 MAC 地址。

我没有找到一种方法让 Bash 在不破坏二进制数据的情况下不受二进制数据的影响。这就是为什么我建议将它排除在包发送阶段之外 用 C 编写生成器可能是有意义的，这将摆脱对文件和 cat 程序的重定向并将所有内容打包到 1 行中。但是，这不是问题的主题。

编辑:

Bash 问题的解决方案是安装 Plan 9 的 rc shell。它非常小 (96kB)，速度很快，而且最重要的是，不会将二进制字符解释为控制。我检查了可通过 apt 获得的标准版本 rc 1.7.4-1 Debian Linux。现在只需按照下面的说明发送正确的 DHCP 发现数据包，而不使用 cat 和 stub 文件，仅 shell 和 xxd 和 nc。

MAC='08 20 08 1f 0d ff'
echo -n -e "01 01 06 00 62 48 94 CA 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 $MAC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 63 82 53 63 35 01 01 FF" |xxd -r -p | nc -w1 -u -b 255.255.255.255 67