OSEC

From: Cynic (cynic_at_progrock.com)
Date: Thu Oct 31 2002 - 03:48:28 CST

    Let's perhaps take it a step backwards.
    What I am trying to accomplish, for example, is to send an HTTP GET request, but with no FIN at the end of the session from the client side.

    To avoid writing a complete script for the job (Perl/NASL/C, you name it), I was thinking of capturing an HTTP GET request, removing the server's packets and the last FIN from the client side, and replaying.

    Now I have two problems:
    one is the client's stack sending RSTs once it receives the server's SYN-ACK; that's solvable by spoofing, or by iptables dropping the RST, no problem.
    The second is the ISNs....

    Any ideas?

    Thanks, Cynic.

    --- Dan Hanson <dhansonsecurityfocus.com> wrote:
    >Well, here's an idea off the top of my head. Totally forgetting about
    >problems with the ISN numbers (i.e., the ISN number that is provided by the
    >targeted host won't match the ACKs that your host sends) and IP
    >addresses, you would have to mung around with the packets and rechecksum
    >them so that they don't get dumped when the checksums don't match.
    >
    >You could listen on a network in promiscuous mode, select a non-used IP,
    >craft your packets to originate from that IP... the responses will come
    >back and nothing will respond... effectively, the app is BECOMING the tcp
    >stack. In order to do this, you would have to have root. Additionally,
    >(thinking as I type) you will have a few issues regarding ARP, etc.
    >
    >As well, Dan Kaminsky had an interesting presentation at BlackHat in
    >August regarding multiple computers sharing the same IP address... I can't
    >remember all the details, but you may want to check it out to see if he
    >has any ideas (it doesn't relate directly, but may provide inspiration).
    >
    >Or perhaps I am missing something in what you are attempting to do.
    >
    >If you are really just going to throw a capture file back at a host, I
    >think (but am not certain) that you are not successfully going to get past
    >the ISN problems.
    >
    >I am always open to information that increases my understanding of
    >tcp stacks..
    >
    >D
    >
    >On Wed, 30 Oct 2002, Jared Stanbrough wrote:
    >
    >> On Wed, 30 Oct 2002, Brad Arlt wrote:
    >>
    >> > On Wed, Oct 30, 2002 at 06:33:38AM -0800, Cynic wrote:
    >> > > Hi,
    >> > >
    >> > > I am looking for an application for *NIX, that can replay captured
    >> > > packets, while dropping, the TCP Stacks responses. Let's assume I
    >> > > replay a SYN, and receive a SYN-ACK, my host's TCP Stack immediately
    >> > > replies with a RST since it was not aware a connection was to be
    >> > > opened. So I am looking for some low-level retransmission
    >> > > application for *nix such as Network monitor for NT. (I believe it
    >> > > does this.)
    >> >
    >> > http://tcpreplay.sourceforge.net/
    >> >
    >> > TCP Replay resends a libpcap or snoop capture file. As far as I know
    >> > it doesn't listen to a darn thing, so you are good to go.
    >>
    >> This doesn't address the issue of keeping the originating machine from
    >> trying to take part in the replayed TCP session. The question isn't how to
    >> replay the data, it's how to keep the originating host from screwing it up
    >> by tearing down the illegitimate connection.
    >>
    >> One easy way to do this would be to set up iptables to block outbound TCP
    >> packets that have the RST flag set (of course, this would mess up replayed
    >> data which contains RSTs..but I'm sure you can think of creative solutions
    >> for that :)
    >>
    >> --jared
    >>
    >> >
    >> > You can trim the capture file however you like using the tools that
    >> > come with it, Snoop, or tcpdump.
    >> > -----------------------------------------------------------------------
    >> > __o Bradley Arlt Security Team Lead
    >> > _ \<_ arltcpsc.ucalgary.ca University Of Calgary
    >> > (_)/(_) I should be biking right now. Computer Science
    >> >
    >> >
    >>

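The ISN problem the thread keeps circling back to is mechanical once it is spelled out: the server in the live replay picks a fresh ISN in its SYN-ACK, so every ACK number in the captured client packets is off by (live ISN - captured ISN), and every rewritten segment needs its TCP checksum recomputed or the target drops it. The script below is an added worked example, not code from Cynic, Dan or any tool named in the thread. It builds a constructed capture of one HTTP/1.0 exchange (hypothetical addresses 192.0.2.10 and 198.51.100.7, client ISN 1000, server ISN 5000), then does what Cynic described: drops the server's packets, drops the client's FIN, rebases each ACK onto a stand-in live server ISN (77777; in a real replay you would sniff it from the SYN-ACK that answers your replayed SYN before sending anything further) and fixes the checksums in place so TCP options and payload survive untouched. It sends nothing; putting it on the wire needs a raw socket, root, and the local stack kept out of the conversation, either by Jared's outbound-RST filter (for example `iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP`) or by sourcing from an unused address as Dan suggests.

```python
import socket
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, folded and inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_pseudo_header(pkt: bytes, tcp_len: int) -> bytes:
    # Source/destination addresses sit at IPv4 offsets 12..20 even with IP options present.
    return pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, tcp_len)


def build_packet(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Minimal IPv4+TCP packet (no options); used here only to construct the sample capture."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tcp = tcp[:16] + struct.pack("!H", checksum(tcp_pseudo_header(ip, len(tcp)) + tcp)) + tcp[18:]
    return ip + tcp


def parse(pkt: bytes) -> dict:
    """Pull the fields the replay logic needs out of a raw IPv4+TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, seq, ack, doff_res, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    doff = (doff_res >> 4) * 4
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "payload": pkt[ihl + doff:]}


def tcp_checksum_ok(pkt: bytes) -> bool:
    """A correct segment sums to zero when the stored checksum is included."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    return checksum(tcp_pseudo_header(pkt, len(tcp)) + tcp) == 0


def shift_ack(pkt: bytes, delta: int) -> bytes:
    """Add delta (mod 2^32) to the ACK number and recompute the TCP checksum in place,
    leaving the IP header, TCP options and payload exactly as captured."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = bytearray(pkt[ihl:])
    ack = struct.unpack("!I", tcp[8:12])[0]
    tcp[8:12] = struct.pack("!I", (ack + delta) & 0xFFFFFFFF)
    tcp[16:18] = b"\x00\x00"  # checksum field must be zero while it is computed
    tcp[16:18] = struct.pack("!H", checksum(tcp_pseudo_header(pkt, len(tcp)) + bytes(tcp)))
    return pkt[:ihl] + bytes(tcp)


def prepare_replay(capture, client_ip, live_server_isn):
    """Keep only the client's packets, drop the client's FIN, and rebase every ACK from the
    captured server ISN to the ISN the live server answered with in its SYN-ACK."""
    captured_isn = next((parse(p)["seq"] for p in capture
                         if parse(p)["src"] != client_ip and parse(p)["flags"] & SYN), None)
    if captured_isn is None:
        raise ValueError("capture has no server SYN-ACK")
    delta = (live_server_isn - captured_isn) & 0xFFFFFFFF
    out = []
    for pkt in capture:
        p = parse(pkt)
        if p["src"] != client_ip or p["flags"] & FIN:
            continue  # drop server packets and the client's own FIN
        out.append(shift_ack(pkt, delta) if p["flags"] & ACK else pkt)  # the bare SYN has no ACK
    return out


# Constructed capture (hypothetical addresses) of one HTTP/1.0 exchange:
# client ISN 1000, server ISN 5000, 18-byte request, 19-byte response.
CLIENT, SERVER = "192.0.2.10", "198.51.100.7"
REQUEST = b"GET / HTTP/1.0\r\n\r\n"
RESPONSE = b"HTTP/1.0 200 OK\r\n\r\n"
CAPTURE = [
    build_packet(CLIENT, SERVER, 40000, 80, 1000, 0, SYN),
    build_packet(SERVER, CLIENT, 80, 40000, 5000, 1001, SYN | ACK),
    build_packet(CLIENT, SERVER, 40000, 80, 1001, 5001, ACK),
    build_packet(CLIENT, SERVER, 40000, 80, 1001, 5001, PSH | ACK, REQUEST),
    build_packet(SERVER, CLIENT, 80, 40000, 5001, 1019, PSH | ACK, RESPONSE),
    build_packet(CLIENT, SERVER, 40000, 80, 1019, 5020, ACK),
    build_packet(CLIENT, SERVER, 40000, 80, 1019, 5020, FIN | ACK),
]

if __name__ == "__main__":
    # 77777 is a stand-in; a live replay reads this value out of the server's real SYN-ACK.
    for pkt in prepare_replay(CAPTURE, CLIENT, 77777):
        p = parse(pkt)
        print(f"flags=0x{p['flags']:02x} seq={p['seq']} ack={p['ack']} "
              f"payload={p['payload']!r} csum_ok={tcp_checksum_ok(pkt)}")
```

Run as written it prints the four packets that would go back out (SYN, ACK, the GET, the final ACK) with their ACK numbers rebased from 5001/5020 to 77778/77797 and valid checksums. The sequence numbers on the client side are left alone because the replaying host chooses them itself; only what it acknowledges has to track the live server. Because `shift_ack` patches the packet in place rather than rebuilding it, anything a real capture carries that this sample does not (window scaling, timestamps, SACK options) is preserved, which also means the timestamp option, if present, will be echoed with stale values.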