Let's perhaps take it a step backwards. What I am trying to accomplish, for example, is to send an HTTP GET request, but with no FIN at the end of the session from the client side. Avoiding writing a complete script for the job (perl/Nasl/C, you name it), I was thinking to capture an HTTP GET request, remove the server's packets and the last FIN from the client side, and replay.

Now I have 2 problems. One is the client's stack sending RSTs once it receives the server's SYN-ACK; that's solvable by spoofing, or by iptables dropping the RST, no problem. Second is the ISNs.... Any ideas?

Thanks,
Cynic.

--- Dan Hanson <dhansonat_private> wrote:

> Well, here's an idea off the top of my head. Totally forgetting about
> problems with the ISN numbers (ie, the ISN number that is provided by the
> targeted host won't match the ACKs that your host sends) and IP
> addresses, you would have to mung around with the packets and rechecksum
> them so that they don't get dumped when the checksums don't match.
>
> You could listen on a network in promiscuous mode, select a non-used IP,
> craft your packets to originate from that IP... the responses will come
> back and nothing will respond... effectively, the app is BECOMING the TCP
> stack. In order to do this, you would have to have root. Additionally,
> (thinking as I type) you will have a few issues regarding ARP, etc.
>
> As well, Dan Kaminsky had an interesting presentation at BlackHat in
> August regarding multiple computers sharing the same IP address... I can't
> remember all the details, but you may want to check it out to see if he
> has any ideas (it doesn't relate directly, but may provide inspiration).
>
> Or perhaps I am missing something in what you are attempting to do.
>
> If you are really just going to throw a capture file back at a host, I
> think (but am not certain) that you are not successfully going to get past
> the ISN problems.
>
> I am always open to information that increases my understanding of
> TCP stacks..
>
> D
>
> On Wed, 30 Oct 2002, Jared Stanbrough wrote:
>
>> On Wed, 30 Oct 2002, Brad Arlt wrote:
>>
>> > On Wed, Oct 30, 2002 at 06:33:38AM -0800, Cynic wrote:
>> > > Hi,
>> > >
>> > > I am looking for an application for *NIX that can replay captured
>> > > packets while dropping the TCP stack's responses. Let's assume I
>> > > replay a SYN and receive a SYN-ACK; my host's TCP stack immediately
>> > > replies with a RST since it was not aware a connection was to be
>> > > opened. So I am looking for some low-level retransmission
>> > > application for *nix such as Network Monitor for NT. (I believe it
>> > > does this.)
>> >
>> > http://tcpreplay.sourceforge.net/
>> >
>> > TCP Replay resends a libpcap or snoop capture file. As far as I know
>> > it doesn't listen to a darn thing, so you are good to go.
>>
>> This doesn't address the issue of keeping the originating machine from
>> trying to take part in the replayed TCP session. The question isn't how to
>> replay the data, it's how to keep the originating host from screwing it up
>> by tearing down the illegitimate connection.
>>
>> One easy way to do this would be to set up iptables to block outbound TCP
>> packets that have the RST flag set (of course, this would mess up replayed
>> data which contains RSTs.. but I'm sure you can think of creative solutions
>> for that :)
>>
>> --jared
>>
>> >
>> > You can trim the capture file however you like using the tools that
>> > come with it, Snoop, or tcpdump.
>> > -----------------------------------------------------------------------
>> >    __o    Bradley Arlt                        Security Team Lead
>> >  _ \<_    arltat_private                      University Of Calgary
>> > (_)/(_)   I should be biking right now.       Computer Science
>> >
>> >
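The ISN problem Dan and Cynic raise, shown on constructed bytes as an added example (not code from anyone in the thread): the live server answers the replayed SYN with a fresh ISN, so a captured GET whose ACK number still acknowledges the old ISN is rejected; every ACK-bearing client segment needs its ACK number shifted by the ISN difference and its TCP checksum recomputed before it is useful. Addresses, ports and sequence numbers below are constructed values.

```python
import struct

CLIENT_IP = bytes([192, 0, 2, 10])      # constructed addresses (RFC 5737 range)
SERVER_IP = bytes([192, 0, 2, 80])
CLIENT_ISN = 0x01000000                 # constructed sequence numbers
CAPTURED_SERVER_ISN = 0x11111111        # server ISN recorded in the capture
LIVE_SERVER_ISN = 0x2AB4F00D            # ISN the server picks for the replayed SYN
ACK, PSH, SYN = 0x10, 0x08, 0x02

def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 ones-complement checksum over IPv4 pseudo-header + TCP segment."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_segment(seq, ack, flags, payload=b""):
    """Constructed client->server segment (sport 40000 -> dport 80), checksummed."""
    seg = bytearray(struct.pack("!HHIIHHHH", 40000, 80, seq, ack,
                                (5 << 12) | flags, 65535, 0, 0) + payload)
    seg[16:18] = struct.pack("!H", tcp_checksum(CLIENT_IP, SERVER_IP, bytes(seg)))
    return bytes(seg)

def checksum_ok(segment):
    # A valid segment sums to zero when its own checksum field is included.
    return tcp_checksum(CLIENT_IP, SERVER_IP, segment) == 0

def ack_number(segment):
    return struct.unpack("!I", segment[8:12])[0]

def rewrite_ack(segment, isn_delta):
    """Shift the ACK number of an ACK-bearing client segment by isn_delta
    (live server ISN minus captured server ISN) and recompute the checksum."""
    flags = struct.unpack("!H", segment[12:14])[0] & 0x3F
    new = bytearray(segment)
    if flags & ACK:   # a bare SYN carries no ACK number worth shifting
        new[8:12] = struct.pack("!I", (ack_number(segment) + isn_delta) & 0xFFFFFFFF)
    new[16:18] = b"\x00\x00"
    new[16:18] = struct.pack("!H", tcp_checksum(CLIENT_IP, SERVER_IP, bytes(new)))
    return bytes(new)

# The captured GET as the client sent it: its ACK acknowledges the *captured* ISN.
CAPTURED_GET = build_segment(CLIENT_ISN + 1, CAPTURED_SERVER_ISN + 1, PSH | ACK,
                             b"GET / HTTP/1.0\r\n\r\n")

def replay_ack_is_acceptable(segment, server_isn):
    # The live server only accepts a segment acknowledging its own SYN-ACK.
    return ack_number(segment) == server_isn + 1
```

Note that the client-side sequence numbers can be replayed unchanged; only the field that references the server's ISN has to move, and the delta may be negative, which the 32-bit wrap handles.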
This archive was generated by hypermail 2b30 : Thu Oct 31 2002 - 09:01:07 PST