Re: Retransmissions while blocking TCP Stack's RST?

[Dan Hanson <dhanson () securityfocus com>]

Well, here's an idea off the top of my head.  totally forgetting about
problems with the ISN numbers (ie, the ISN number that is provided by the
targetted host won't match the Ack's that your host sends) and IP
addresses. you would have to mung around with the packets and rechecksum
them so that they don't get dumped when the checksums don't match.

You could listen on a network in promiscuous mode, select a non-used IP,
craft your packets to originate from that IP... the responses will come
back and nothing will respond... effectively, the app is BECOMING the tcp
stack. In order to do this, you would have to have root. Additionally,
(thinking as I type) you will have a few issues regarding ARP, etc.

As well, Dan Kaminsky had an interesting presentation at BlackHat in
August regarding multiple computers sharing the same IP address... I can't
remember all the details, but you may want to check it out to see if he
has any ideas (it doesn't relate directly, but may provide inspiration).

Or perhaps I am missing something in what you are attempting to do.

If you are relaly just going to throw a capture file back at a host, I
think (but am not certain) that you are not successfully going to get past
the ISN problems

I am always open to information that increases my understanding of
tcp stacks..

D

On Wed, 30 Oct 2002, Jared Stanbrough wrote:

> On Wed, 30 Oct 2002, Brad Arlt wrote:
>
> > On Wed, Oct 30, 2002 at 06:33:38AM -0800, Cynic wrote:
> > > Hi,
> > >
> > > I am looking for an application for *NIX, that can replay captured
> > > packets, while dropping, the TCP Stacks responses.  Let's assume I
> > > replay a SYN, and receive a SYN-ACK, my host's TCP Stack immediatley
> > > replies with a RST since it was not aware a connection was to be
> > > opened.  So I am looking for some low-level retransmission
> > > application for *nix such as Network monitor for NT. (I believe it
> > > does this.)
> >
> > http://tcpreplay.sourceforge.net/
> >
> > TCP Replay resends a libpcap or snoop capture file.  As far as I know
> > it doesn't listen to a darn thing, so you are good to go.
>
> This doesn't address the issue of keeping the originating machine from
> trying to take part in the replayed TCP session. The question isn't how to
> replay the data, it's how to keep the originating host from screwing it up
> by tearing down the illigitimate connection.
>
> One easy way to do this would be to setup iptables to block outbound TCP
> packets that have the RST flag set (of course, this would mess up replayed
> data which contains RSTs..but I'm sure you can think of creative solutions
> for that :)
>
> --jared
>
> > You can trim the capture file however you like using the tools that
> > come with it, Snoop, or tcpdump.
> > -----------------------------------------------------------------------
> >    __o              Bradley Arlt                    Security Team Lead
> >  _ \<_              arlt () cpsc ucalgary ca                University Of Calgary
> > (_)/(_)     I should be biking right now.   Computer Science