RE: [Plugins-writers] TCP out of sequence

From: Brad Amazeen (bamazeen@private)
Date: Tue Apr 11 2006 - 11:19:45 PDT


Thanks Martin.  That would work to open a TCP session and grab the
source port I think.  What I need to do now is send a TCP packet from
that session out of sequence while ACK'ing the last packet's valid SEQ
number.

If I were to use this method, I do not think I have the granularity
required to forge the packet appropriately by calling a
get_seq_number(soc) or something.

If I were to use forge_ip_packet() and forge_tcp_packet() to gain the
granularity to control and access the SEQ numbers, the host OS (XP)
intercepts the SYN-ACK from the device and resets the connection before
I can establish one.  

So establishing a TCP session outside of open_sock_tcp() is not doable
unless you filter the RST from the host OS it seems.  Just trying to
confirm before I go off and find a firewall that can filter outbound
packets in this manner.

Thanks guys

-----Original Message-----
From: plugins-writers-bounces@private
[mailto:plugins-writers-bounces@private] On Behalf Of
whitewolf69
Sent: Monday, April 10, 2006 3:27 PM
To: plugins-writers@private
Subject: Re: [Plugins-writers] TCP out of sequence


Hi,

maybe you are looking for this:

soc = open_sock_tcp(port);
srcport = get_source_port(soc);

works fine for me

regards
Martin




Hello,

I'm new to this list so forgive me if I fall out of protocol, I'll
learn. Has this problem I found on the list ever been solved? I am in
need of the same thing. I also get the RST from the OS (XP) trying to
establish the 3-way and am trying to configure the OS firewall to
prevent this.

The script not being portable (due to the requirement of a firewall) is
an issue as well but may not be a showstopper.

So, has the OS-unwanted-RST "issue" been worked around in any way apart
from a firewall? And has anyone successfully written a TCP out of
sequence test script already?

Thanks guys,
-Brad

=======================================
I've read through several of the scripts and the list archive but I
still can't see if there is a way to send arbitrary TCP data packets in
the middle of a TCP connection.

The sequence I want to achieve is:

-> SYN
<- SYN ACK
-> ACK
-> DATA
-> DATA with incorrect sequence number

As far as I can see from previous discussions, forge_tcp_packet cannot
be used to establish the 3-way handshake as the <- SYN ACK triggers a ->
RST ACK from the local IP stack.

Alternatively, trying to use open_sock_tcp, when I come to the
forge_tcp_packet I don't know what value to use for th_sport. There
doesn't seem to be a way to find out what source port has been allocated
by open_sock_tcp. If I leave th_sport blank, then forge_tcp_packet inserts
zero rather than the current value.

Does anyone know a way to send TCP data packets with arbitrary options
set?


Dennis Jackson
_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
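Added example, not code from the thread or from Nessus: a small Python model of the RFC 793 segment-acceptability check a receiving TCP stack applies, replaying the exchange Dennis lists above (handshake, DATA, DATA with an incorrect sequence number) so the expected outcome of such a test is visible: a conformant stack consumes in-order data, holds in-window out-of-order data, and discards anything outside the window while re-ACKing RCV.NXT. The peer ISN and receive window are constructed values, and the modulo-2^32 window test stands in for the signed comparisons written out in RFC 793.

```python
MOD = 1 << 32          # TCP sequence numbers wrap at 2**32
WINDOW = 65535         # constructed receive window (RCV.WND)


def in_window(rcv_nxt, rcv_wnd, x):
    """True if x lies in [RCV.NXT, RCV.NXT + RCV.WND) modulo 2**32."""
    return ((x - rcv_nxt) % MOD) < rcv_wnd


def acceptable(rcv_nxt, rcv_wnd, seg_seq, seg_len):
    """RFC 793 section 3.3 segment-acceptability test (all four cases)."""
    if seg_len == 0:
        return seg_seq == rcv_nxt if rcv_wnd == 0 else in_window(rcv_nxt, rcv_wnd, seg_seq)
    if rcv_wnd == 0:
        return False                      # no room: data segments are not acceptable
    last = (seg_seq + seg_len - 1) % MOD
    return in_window(rcv_nxt, rcv_wnd, seg_seq) or in_window(rcv_nxt, rcv_wnd, last)


class Receiver:
    """Minimal model of the receive side of an ESTABLISHED connection."""

    def __init__(self, irs, rcv_wnd=WINDOW):
        self.rcv_nxt = (irs + 1) % MOD    # the peer's SYN consumed one sequence number
        self.rcv_wnd = rcv_wnd
        self.queued = []                  # in-window but out-of-order segments

    def deliver(self, seg_seq, seg_len):
        """Return what a conformant stack does with a data segment."""
        if not acceptable(self.rcv_nxt, self.rcv_wnd, seg_seq, seg_len):
            return "drop+ack"             # discard, answer with ACK of RCV.NXT
        if seg_seq != self.rcv_nxt:
            self.queued.append((seg_seq, seg_len))
            return "queue"                # hold until the gap before it is filled
        self.rcv_nxt = (self.rcv_nxt + seg_len) % MOD
        progressed = True
        while progressed:                 # drain queued segments that now fit
            progressed = False
            for q in list(self.queued):
                if q[0] == self.rcv_nxt:
                    self.rcv_nxt = (self.rcv_nxt + q[1]) % MOD
                    self.queued.remove(q)
                    progressed = True
        return "accept"


def run_scenario():
    """Replay the thread's exchange; constructed ISN sits just below the wrap point."""
    rx = Receiver(irs=0xFFFFFFF0)
    actions = [rx.deliver(rx.rcv_nxt, 100)]                       # DATA, correct SEQ
    actions.append(rx.deliver((rx.rcv_nxt + (1 << 31)) % MOD, 100))  # DATA, SEQ far outside window
    actions.append(rx.deliver((rx.rcv_nxt + 100) % MOD, 50))      # DATA skipping 100 bytes
    actions.append(rx.deliver(rx.rcv_nxt, 100))                   # gap filled, queued data drains
    return actions, rx.rcv_nxt
```

The wildly wrong sequence number yields "drop+ack" with RCV.NXT unchanged, which is the behaviour an out-of-sequence test expects to observe from the device under test.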



This archive was generated by hypermail 2.1.3 : Tue Apr 11 2006 - 11:21:05 PDT