From: Bryan Burns (bburns_at_netscreen.com)
Date: Wed Oct 30 2002 - 15:37:08 CST

    If you're using TCP, the sequence numbers in the ACKs are going to be
    totally wrong, and just won't work. For example:

    > SYN (seq Sc) (from the replay)
    < SYN ACK (seq Ss, ack Sc) (from your stack)
    > SYN (seq Sc+1, ack Ss_old) (from the replay)
    < stack-dependent freak-out

    You somehow have to either make your stack's sequence number be the
    same from the replay, or have your replay ACK the correct sequence
    number. A similar issue arises if the number of bytes your stack sends
    doesn't match the number of bytes from the replay.

    -Bryan

    On Wednesday, October 30, 2002, at 12:30 PM, Jared Stanbrough wrote:

    > On Wed, 30 Oct 2002, Brad Arlt wrote:
    >
    >> On Wed, Oct 30, 2002 at 06:33:38AM -0800, Cynic wrote:
    >>> Hi,
    >>>
    >>> I am looking for an application for *NIX, that can replay captured
    >>> packets, while dropping, the TCP Stacks responses. Let's assume I
    >>> replay a SYN, and receive a SYN-ACK, my host's TCP Stack immediately
    >>> replies with a RST since it was not aware a connection was to be
    >>> opened. So I am looking for some low-level retransmission
    >>> application for *nix such as Network monitor for NT. (I believe it
    >>> does this.)
    >>
    >> http://tcpreplay.sourceforge.net/
    >>
    >> TCP Replay resends a libpcap or snoop capture file. As far as I know
    >> it doesn't listen to a darn thing, so you are good to go.
    >
    > This doesn't address the issue of keeping the originating machine from
    > trying to take part in the replayed TCP session. The question isn't
    > how to replay the data, it's how to keep the originating host from
    > screwing it up by tearing down the illegitimate connection.
    >
    > One easy way to do this would be to set up iptables to block outbound
    > TCP packets that have the RST flag set (of course, this would mess up
    > replayed data which contains RSTs..but I'm sure you can think of
    > creative solutions for that :)
    >
    > --jared
    >
    >>
    >> You can trim the capture file however you like using the tools that
    >> come with it, Snoop, or tcpdump.
    >> -----------------------------------------------------------------------
    >> __o Bradley Arlt Security Team Lead
    >> _ \<_ arltcpsc.ucalgary.ca University Of Calgary
    >> (_)/(_) I should be biking right now. Computer Science
    >>
    >>
    >
    >
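
Added example, not part of the original message: a small Python model of the two failure modes Bryan describes (recorded ACKs that point into the old server sequence space, and a live stack that sends a different number of bytes than the capture). The packet dict layout, the function names and the sample capture are constructed for illustration; nothing is sent on the wire.

```python
MOD = 2**32  # TCP sequence numbers wrap at 32 bits

def rebase_acks(capture, live_isn):
    """Shift client->server ack numbers from the recorded server ISN
    (Ss_old) to the live stack's ISN (Ss)."""
    old_isn = next(p["seq"] for p in capture
                   if p["dir"] == "s2c" and "S" in p["flags"])
    delta = (live_isn - old_isn) % MOD
    out = []
    for p in capture:
        q = dict(p)
        if p["dir"] == "c2s" and "A" in p["flags"]:
            q["ack"] = (p["ack"] + delta) % MOD
        out.append(q)
    return out

def first_bad_ack(capture, live_isn, live_lens):
    """Model the live stack's send window. live_lens holds the payload
    length the live stack sends in place of each recorded s2c segment.
    Returns the index of the first replayed client packet whose ack falls
    outside [snd_una, snd_nxt], or None if every ack is acceptable."""
    una = nxt = live_isn % MOD
    lens = iter(live_lens)
    for i, p in enumerate(capture):
        if p["dir"] == "s2c":
            # A SYN consumes one sequence number in addition to payload bytes.
            nxt = (nxt + next(lens) + ("S" in p["flags"])) % MOD
        elif "A" in p["flags"]:
            if (p["ack"] - una) % MOD > (nxt - una) % MOD:
                return i
            una = p["ack"]
    return None

# Constructed capture: handshake, 20-byte request, 100-byte response, final ACK.
CAPTURE = [
    {"dir": "c2s", "flags": "S",  "seq": 1000, "ack": 0,    "len": 0},
    {"dir": "s2c", "flags": "SA", "seq": 5000, "ack": 1001, "len": 0},
    {"dir": "c2s", "flags": "A",  "seq": 1001, "ack": 5001, "len": 0},
    {"dir": "c2s", "flags": "PA", "seq": 1001, "ack": 5001, "len": 20},
    {"dir": "s2c", "flags": "PA", "seq": 5001, "ack": 1021, "len": 100},
    {"dir": "c2s", "flags": "A",  "seq": 1021, "ack": 5101, "len": 0},
]
LIVE_ISN = MOD - 50  # constructed value, chosen so the numbers wrap

if __name__ == "__main__":
    print(first_bad_ack(CAPTURE, LIVE_ISN, [0, 100]))                         # raw replay
    print(first_bad_ack(rebase_acks(CAPTURE, LIVE_ISN), LIVE_ISN, [0, 100]))  # rebased
    print(first_bad_ack(rebase_acks(CAPTURE, LIVE_ISN), LIVE_ISN, [0, 80]))   # short reply
```

A constant offset is enough only while the live stack sends exactly as many bytes as the recorded one; once the lengths diverge, each ack has to be derived from what the live stack actually sent.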