POC details: c6c62f9d6d158dee7320fd9b6dd1e637ca14e28e

Source
Related vulnerability
Title: Linux kernel security vulnerability (CVE-2016-5696)
Description: The Linux kernel is the kernel of Linux, the open-source operating system released by the Linux Foundation. Linux kernel versions before 4.7 contain a security vulnerability in net/ipv4/tcp_input.c: the rate of challenge ACK segments is limited by a single global counter that is shared across all connections, which lets a remote off-path attacker (one who cannot see the traffic) infer connection state and hijack TCP sessions through a blind in-window attack.
Description
global rate-limiting in Linux (CVE-2016-5696) scanner
Introduction
grill
=====

`grill`, aka global rate-limiting in Linux, is a scanner for
CVE-2016-5696, the challenge ACK global rate limit side channel that enables pure off-path TCP attacks.

Install
-------
```
$ go get github.com/nogoegst/grill
```

Caveats
-------
*Don't ever use wireless links* on the way to the hosts. Constant packet loss and retransmissions drastically reduce scan accuracy.

*Use as few NATs as possible* (ideally none): they introduce delays and rewrite packets.

Currently `grill` uses about 400 Kbit/s on average and at most 500 Kbit/s of output bandwidth (with 16 concurrent scans).

Kernel interference
-------------------
To avoid kernel interference during a scan, add a rule to your firewall that drops outgoing RST packets. `grill` crafts its TCP segments below the kernel's TCP stack, so the kernel has no socket for the replies it receives from the targets and would answer them with RSTs, tearing down the very state the scan depends on.

For PF (`/etc/pf.conf`):
```
block drop out quick proto tcp flags R/R
```
then `# pfctl -f /etc/pf.conf`.

For NetFilter:
```
# iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
```

Usage
-----
`grill` reads hosts from `stdin` and scans them (up to 16 concurrent scans). The input format is one `host port` pair per line.

```
# cat probe | grill -i interface -dll gateway-MAC [-sll src-MAC] [-sip src-IP] > results 
```

The output format is `host:port,receivedChACKs,1stBurstSendingTime,2ndBurstSendingTime`.

To get human-readable results, run the results through the `verdict` utility (in the `verdict` directory):
```
cat results | verdict
```
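As an added example (not the project's own `verdict` utility, whose logic lives in `verdict/verdict.go`), the following Go program reads lines in the output format above and applies the CVE-2016-5696 signature: kernels 3.6 through 4.6 share one `net.ipv4.tcp_challenge_ack_limit` counter (default 100 per second) across all connections, so a burst of more than 100 probes that elicits exactly 100 challenge ACKs reveals the global limit, while a fully answered burst shows no such limit. The burst size of 200 probes, the constructed sample lines, and the treatment of the two timestamps as opaque strings are assumptions of this example, not `grill`'s actual behaviour.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// GlobalLimit is the default net.ipv4.tcp_challenge_ack_limit on Linux 3.6
// through 4.6: a single counter shared by every socket and reset once per
// second. Receiving exactly this many challenge ACKs in reply to a larger
// burst is the CVE-2016-5696 signature.
const GlobalLimit = 100

// Result holds one grill output line:
//   host:port,receivedChACKs,1stBurstSendingTime,2ndBurstSendingTime
// The two timestamps are kept verbatim; this example does not interpret them.
type Result struct {
	Target string
	ChACKs int
	Burst1 string
	Burst2 string
}

// ParseResult parses a single output line and rejects malformed ones.
func ParseResult(line string) (Result, error) {
	f := strings.Split(strings.TrimSpace(line), ",")
	if len(f) != 4 {
		return Result{}, fmt.Errorf("want 4 fields, got %d in %q", len(f), line)
	}
	n, err := strconv.Atoi(f[1])
	if err != nil || n < 0 {
		return Result{}, fmt.Errorf("bad challenge ACK count %q in %q", f[1], line)
	}
	return Result{Target: f[0], ChACKs: n, Burst1: f[2], Burst2: f[3]}, nil
}

// Verdict classifies one result. burstSize is the number of probe packets the
// scanner sent per burst (assumed to be 200 here); it must exceed GlobalLimit
// or the count cannot distinguish a capped host from an uncapped one.
func Verdict(r Result, burstSize int) string {
	switch {
	case burstSize <= GlobalLimit:
		return "inconclusive (burst not larger than global limit)"
	case r.ChACKs > burstSize:
		return "inconsistent (more replies than probes)"
	case r.ChACKs == GlobalLimit:
		return "vulnerable (global limit of 100 challenge ACKs/s)"
	case r.ChACKs == burstSize:
		return "not vulnerable (every probe answered)"
	case r.ChACKs == 0:
		return "no challenge ACKs (port closed, filtered, or RSTs not blocked)"
	default:
		return "inconclusive (partial reply: packet loss, NAT, or another scan sharing the counter)"
	}
}

// Summarize reads grill output and returns one verdict per target plus the
// errors for lines it could not parse, so bad input is reported, not hidden.
func Summarize(input string, burstSize int) (map[string]string, []error) {
	verdicts := make(map[string]string)
	var errs []error
	sc := bufio.NewScanner(strings.NewReader(input))
	for sc.Scan() {
		if strings.TrimSpace(sc.Text()) == "" {
			continue
		}
		r, err := ParseResult(sc.Text())
		if err != nil {
			errs = append(errs, err)
			continue
		}
		verdicts[r.Target] = Verdict(r, burstSize)
	}
	return verdicts, errs
}

// Sample is constructed input in the documented format; the addresses,
// counts and timestamps are made up for this example.
const Sample = `203.0.113.10:443,100,1471000000.10,1471000001.60
203.0.113.20:80,200,1471000000.20,1471000001.70
203.0.113.30:9001,37,1471000000.30,1471000001.80
203.0.113.40:22,0,1471000000.40,1471000001.90
garbage line
`

func main() {
	verdicts, errs := Summarize(Sample, 200)
	for target, v := range verdicts {
		fmt.Printf("%s\t%s\n", target, v)
	}
	for _, err := range errs {
		fmt.Println("skipped:", err)
	}
}
```

The count alone is what carries the signal: a host that answers exactly 100 of 200 probes is capped by the shared counter, a host that answers all 200 is not, and anything in between is noise the caveats above warn about, so it is reported as inconclusive rather than guessed.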

So it goes. Have fun and make love.


Scanning the Tor network
------------------------
To scan the relays of the Tor network, fetch the latest consensus and extract each relay's IP address and ORPort:
```
curl https://collector.torproject.org/recent/relay-descriptors/consensuses/`date -u +'%Y-%m-%d-%H-00-00-consensus'` | grep '^r '| awk '{print $7" "$8}' > probe-consensus
```

Then pass the resulting file to `grill`'s input.
As of now, scanning the whole Tor network should take less than 30 minutes (16 concurrent scans).

I managed to scan the whole net in 7m44s by using 127 concurrent scans, and in 6m30s by further reducing the timeout to 1.7s (this is probably not safe due to packet loss, congestion, etc.).

Note that 127 is the maximum (and a reasonable) number of open BPFs in OpenBSD. In Linux this limit is higher, but it will make your kernel almost stuck. Anyway, good luck.

Acknowledgments
---------------
`grill` is hugely inspired by the similar Scapy scanner by David Stainton [https://github.com/david415/scan_for_rfc5961]
and the PoC by violentshell [https://github.com/violentshell/rover].

File snapshot

```
[4.0K] /data/pocs/c6c62f9d6d158dee7320fd9b6dd1e637ca14e28e
├── [6.9K] LICENSE
├── [2.3K] README.md
├── [4.6K] scanner.go
├── [ 988] tor.filters
└── [4.0K] verdict
    └── [1.5K] verdict.go

1 directory, 5 files
```