Vulnerability Development mailing list archives
Re: Retransmissions while blocking TCP Stack's RST?
From: Cynic <cynic () progrock com>
Date: Thu, 31 Oct 2002 01:48:28 -0800 (PST)
Let's perhaps take it a step backwards.

What I am trying to accomplish, for example, is to send an HTTP GET request, but with no FIN at the end of the session from the client side. Avoiding writing a complete script for the job (perl/Nasl/C, you name it), I was thinking to capture an HTTP GET request, remove the server's packets and the last FIN from the client side, and replay.

Now I have 2 problems. One is the client's stack sending RSTs once it receives the server's SYN-ACK; that's solvable by spoofing, or iptables dropping the RST, no problem. Second is the ISNs....

Any ideas?

Thanks,
Cynic.

--- Dan Hanson <dhanson () securityfocus com> wrote:

> Well, here's an idea off the top of my head.
>
> Totally forgetting about problems with the ISN numbers (i.e., the ISN number that is provided by the targeted host won't match the ACKs that your host sends) and IP addresses. You would have to mung around with the packets and rechecksum them so that they don't get dumped when the checksums don't match.
>
> You could listen on a network in promiscuous mode, select a non-used IP, craft your packets to originate from that IP... the responses will come back and nothing will respond... effectively, the app is BECOMING the tcp stack.
>
> In order to do this, you would have to have root. Additionally (thinking as I type), you will have a few issues regarding ARP, etc.
>
> As well, Dan Kaminsky had an interesting presentation at BlackHat in August regarding multiple computers sharing the same IP address... I can't remember all the details, but you may want to check it out to see if he has any ideas (it doesn't relate directly, but may provide inspiration).
>
> Or perhaps I am missing something in what you are attempting to do. If you are really just going to throw a capture file back at a host, I think (but am not certain) that you are not successfully going to get past the ISN problems.
>
> I am always open to information that increases my understanding of tcp stacks..
>
> D
>
> On Wed, 30 Oct 2002, Jared Stanbrough wrote:
>
>> On Wed, 30 Oct 2002, Brad Arlt wrote:
>>
>>> On Wed, Oct 30, 2002 at 06:33:38AM -0800, Cynic wrote:
>>>
>>>> Hi, I am looking for an application for *NIX that can replay captured packets while dropping the TCP stack's responses. Let's assume I replay a SYN and receive a SYN-ACK; my host's TCP stack immediately replies with a RST, since it was not aware a connection was to be opened. So I am looking for some low-level retransmission application for *nix, such as Network Monitor for NT. (I believe it does this.)
>>>
>>> http://tcpreplay.sourceforge.net/
>>>
>>> TCP Replay resends a libpcap or snoop capture file. As far as I know it doesn't listen to a darn thing, so you are good to go.
>>
>> This doesn't address the issue of keeping the originating machine from trying to take part in the replayed TCP session. The question isn't how to replay the data, it's how to keep the originating host from screwing it up by tearing down the illegitimate connection.
>>
>> One easy way to do this would be to set up iptables to block outbound TCP packets that have the RST flag set (of course, this would mess up replayed data which contains RSTs.. but I'm sure you can think of creative solutions for that :)
>>
>> --jared
>>
>>> You can trim the capture file however you like using the tools that come with it, Snoop, or tcpdump.
>>>
>>> -----------------------------------------------------------------------
>>>    __o      Bradley Arlt                   Security Team Lead
>>>  _ \<_      arlt () cpsc ucalgary ca       University Of Calgary
>>> (_)/(_)     I should be biking right now.  Computer Science
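The ISN problem raised in this thread, as an added example that is not part of any poster's message: a small Python model of the acknowledgment check a TCP receiver applies (RFC 793 style, 32-bit sequence space), showing why a verbatim replay stalls after the SYN and why the ACK values only line up once the live server's ISN has been observed. All sequence numbers and function names are constructed for illustration, and the server is assumed to send no data of its own.

```python
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

def seq_between(low, x, high):
    """True if low < x <= high in modular sequence space."""
    return 0 < (x - low) % MOD <= (high - low) % MOD

def server_accepts_ack(server_isn, seg_ack):
    """Receiver-side check SND.UNA < SEG.ACK <= SND.NXT with only the SYN sent."""
    snd_una = server_isn
    snd_nxt = (server_isn + 1) % MOD
    return seq_between(snd_una, seg_ack, snd_nxt)

# Constructed client-side capture of one HTTP GET: (flags, seq, ack, payload_len)
CAPTURED_SERVER_ISN = 0x1A2B3C4D
CLIENT_ISN = 0x00001000
CAPTURE = [
    ("SYN", CLIENT_ISN, 0, 0),
    ("ACK", CLIENT_ISN + 1, CAPTURED_SERVER_ISN + 1, 0),
    ("PSH-ACK", CLIENT_ISN + 1, CAPTURED_SERVER_ISN + 1, 18),
]

def replay_verbatim(capture, live_server_isn):
    """Return the flags of the segments a live server would accept."""
    accepted = []
    for flags, _seq, ack, _length in capture:
        # A SYN carries no ACK field to validate; everything else does.
        if flags == "SYN" or server_accepts_ack(live_server_isn, ack):
            accepted.append(flags)
    return accepted

def rebase_acks(capture, captured_isn, live_isn):
    """Shift every ACK by the difference between the live and captured ISN.

    This needs the live SYN-ACK to be seen first, which is the point made in
    the thread: the replaying program ends up doing the TCP stack's job.
    """
    delta = (live_isn - captured_isn) % MOD
    return [(f, s, a if f == "SYN" else (a + delta) % MOD, n)
            for f, s, a, n in capture]

if __name__ == "__main__":
    live = 0x7F000001  # constructed ISN chosen by the live server
    print("verbatim:", replay_verbatim(CAPTURE, live))
    print("rebased: ", replay_verbatim(rebase_acks(CAPTURE, CAPTURED_SERVER_ISN, live), live))
```
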