Jong Chun Park | 1 Aug 2008 05:10

Re: TCP Seq/Ack value changed?

Please discard this mail; it was my fault. My other Python code, which sniffs with libpcap,
has a bug. I apologize for the inconvenience. Thanks a lot,
Jong

On Wed, Jul 30, 2008 at 10:51 PM, Jong Chun Park <joumon <at> gmail.com> wrote:
I have a web server which generates customized packets as below. I'm also using
libpcap to sniff packets instead of Scapy's sniff function, for some unspecified reasons.
BTW, even though I set the TCP ack/seq values to 100/200, respectively, the packets
received at the client had TCP ack/seq values set to zero. Does anyone know
why this happens? Is this a Scapy bug or my fault? Any tip would be greatly appreciated
in advance.

    from scapy.all import IP, TCP, Ether, sendp   # import not shown in the original snippet

    ip=IP(dst=CLIENT_ADDRESS, src=SERVER_ADDRESS)
    tcp=TCP(dport=CLIENT_PORT, sport=SERVER_PORT, ack=100, seq=200)
    tcp.flags=24                                   # 0x18 = PSH+ACK
    page="test"
    sendp(Ether()/ip/tcp/page, iface="eth0")       # layer-2 send, so the kernel TCP stack is bypassed

Thanks a lot,
Jong



Jong Chun Park | 7 Aug 2008 07:02

TCP handshake?

I'm trying to initiate a TCP handshake, but the server keeps sending me a TCP RST packet,
so my connection request is discarded by the server. It's supposed to be pretty
simple, but I have no idea why it doesn't work. I'd greatly appreciate it if someone could
help me out of this trouble. Here is my code snippet:

from scapy.all import IP, TCP, Ether, RandShort, RandInt, srp1, srp, sendp  # imports not shown in the original

targetip = "www.target.com"   # fake
targetport = 80
sourceip = "www.mine.com"     # fake
page = "GET / HTTP/1.0\r\n\r\n"  # the HTTP GET payload referred to later in the thread; not defined in the original

ip = IP(dst=targetip, src=sourceip, flags=2)   # flags=2 sets DF
ip.id = RandShort()
# Step 1/2: send SYN, wait for the SYN/ACK (ack=RandInt() here is what the thread discusses)
r = srp1(Ether()/ip/TCP(dport=targetport, sport=RandShort(),
              flags="S", seq=RandInt(), ack=RandInt()), iface="eth0")
# Step 3: ACK the server's ISN; our seq is whatever the server acknowledged
sendp(Ether()/ip/TCP(flags="A", ack=r[TCP].seq+1, seq=r[TCP].ack,
             sport=r[TCP].dport, dport=r[TCP].sport), iface="eth0")
# Step 4: PSH/ACK carrying the request
r = srp(Ether()/ip/TCP(flags="AP", ack=r[TCP].seq+1, seq=r[TCP].ack,
             sport=r[TCP].dport, dport=r[TCP].sport)/page, iface="eth0")

Thanks a lot,
Jong
Sake Blok | 7 Aug 2008 07:29

Re: TCP handshake?

On Wed, Aug 06, 2008 at 11:02:35PM -0600, Jong Chun Park wrote:
> I'm trying to initiate TCP handshake, but a server keeps sending me a TCP
> RST packet,thereby my connection request being discarded by the server. 
[...]
> r = srp1(Ether()/ip/TCP(dport=targetport, sport=RandShort(),
>               flags="S", seq=RandInt(), ack=RandInt()), iface="eth0")

You should use a value of 0 for ack in the initial SYN packet. RandInt
has no way of foreseeing which initial sequence number the server will
pick :-)

Hope this helps,
Cheers,
    Sake

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe <at> secdev.org

Jong Chun Park | 7 Aug 2008 07:42

Re: TCP handshake?

Okay, I got it. I appreciate your help. Now I changed it to "zero". However,
it's not working. Any idea?

Thanks a lot,
Jong

On Wed, Aug 6, 2008 at 11:29 PM, Sake Blok <sake <at> euronet.nl> wrote:
On Wed, Aug 06, 2008 at 11:02:35PM -0600, Jong Chun Park wrote:
> I'm trying to initiate TCP handshake, but a server keeps sending me a TCP
> RST packet,thereby my connection request being discarded by the server.
[...]
> r = srp1(Ether()/ip/TCP(dport=targetport, sport=RandShort(),
>               flags="S", seq=RandInt(), ack=RandInt()), iface="eth0")

You should use a value of 0 for ack in the initial SYN packet. RandInt
has no way of foreseeing which initial sequence number the server will
pick :-)

Hope this helps,
Cheers,
   Sake




Mathieu GELI | 7 Aug 2008 07:56

Re: TCP handshake?

Hi

I see a problem, but that's not rigorously what you described.

> I'm trying to initiate TCP handshake, but a server keeps sending me a TCP
> RST packet,

If you don't filter on output on your box, the OS TCP/IP stack will send a RST to the
destination, trying to abort a connection it did not initiate.

Hope that helps.
Cheers

-- 
Mathieu


Sake Blok | 7 Aug 2008 10:43

Re: TCP handshake?

On Thu, Aug 07, 2008 at 07:56:55AM +0200, Mathieu GELI wrote:
> 
> I see a problem but that's not rigorously what you described.
> 
> > I'm trying to initiate TCP handshake, but a server keeps sending me a TCP
> > RST packet,
> 
> If you don't filter on output on your box, the OS TCP/IP stack will send a RST to the
> destination, trying to abort a connection it did not initiate.

It looks like this is indeed the problem. The SYN/ACK results in a reset
from the client, so every data packet sent after that will result
in a reset from the server.

How does one filter the packets that scapy handles from reaching the
OS? 

Cheers,
     Sake


Zack Payton | 7 Aug 2008 11:17

Re: TCP handshake?

Either use a different IP and have ARP answer for it via Scapy, or flatly drop all traffic from your actual host IP that is not part of a valid "connection" using conntrack, or just set your INPUT policy to DROP (if you aren't going to use any other applications at the same time as Scapy).
Z

On Thu, Aug 7, 2008 at 4:43 AM, Sake Blok <sake <at> euronet.nl> wrote:
On Thu, Aug 07, 2008 at 07:56:55AM +0200, Mathieu GELI wrote:
>
> I see a problem but that's not rigorously what you described.
>
> > I'm trying to initiate TCP handshake, but a server keeps sending me a TCP
> > RST packet,
>
> If you don't filter on output on your box, the OS TCP/IP stack will send a RST to the
> destination, trying to abort a connection it did not initiate.

It looks like this is indeed the problem. The SYN/ACK results in a reset
from the client, so every data packet sent after that will result
in a reset from the server.

How does one filter the packets that scapy handles from reaching the
OS?

Cheers,
    Sake



Mathieu GELI | 7 Aug 2008 11:35

Re: TCP handshake?

> How does one filter the packets that scapy handles from reaching the
> OS?

It depends on your existing ruleset, but for basic testing I'd do:

# iptables -A OUTPUT -p tcp -d targetip --dport targetport -j DROP

Filtering on INPUT is not required, but may be seen as saner.

-- 
Mathieu


Jong Chun Park | 7 Aug 2008 20:04

Re: TCP handshake?

I tried this, but it didn't work either. I'm also using libpcap to monitor packets
between the server and client. Here is the sequence of packets between them:

1] I sent SYN to the server
2] I received SYN+ACK from the server
3] I sent ACK
4] I sent ACK+PSH with HTTP GET request
5] the server sent me TCP RST packets

I'm pretty sure that the server received my SYN because it responded with
SYN+ACK, but I'm not sure that the ACK in 3] or 4] reached the server. If not,
the server may have sent me a RST packet due to an incomplete handshake.
Besides, I also suspect that some fields such as the checksum might be
invalid, thereby triggering the server to send RST. Any idea?

Thanks a lot,
Jong

On Thu, Aug 7, 2008 at 3:35 AM, Mathieu GELI <mathieu.geli <at> gmail.com> wrote:
> How does one filter the packets that scapy handles from reaching the
> OS?

It depends on your existing ruleset, but for basic testing I'd do:

# iptables -A OUTPUT -p tcp -d targetip --dport targetport -j DROP

Filtering on INPUT is not required, but may be seen as saner.

--
Mathieu

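The five-step exchange listed above (SYN, SYN/ACK, ACK, PSH/ACK with the request, then the server's RST) is exactly where the three earlier answers apply: the SYN carries ack=0 because the client cannot know the server's ISN yet, the ACK and the data segment must carry seq = our ISN+1 and ack = server ISN+1, and a bad checksum is one of the things a peer will RST on. The following is an added example written for this archive, not code from the thread or from Scapy: it builds and verifies the client side of that exchange with only the Python standard library, using constructed TEST-NET-1 addresses, ports and ISNs, and a constructed server SYN/ACK, so it runs offline. Everything here (the names, the sample values, the `HandshakeClient` class) is an assumption of the example, not something the posters used.

```python
"""Client side of a TCP three-way handshake built by hand with the standard
library: correct seq/ack arithmetic and an RFC 1071 checksum over the IPv4
pseudo-header, so each segment can be checked the way the peer checks it."""
import socket
import struct

# TCP flag bits (RFC 793)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
MASK32 = 0xFFFFFFFF

# Constructed sample endpoints (TEST-NET-1 addresses, not real hosts)
CLIENT_IP, SERVER_IP = "192.0.2.10", "192.0.2.80"
CLIENT_PORT, SERVER_PORT = 40000, 80
CLIENT_ISN, SERVER_ISN = 1000, 5000


def checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, folded and complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum covers in addition to the segment."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", window=8192):
    """Build a TCP segment (20-byte header, no options) with a valid checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(header) + len(payload)) + header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed TCP header fields and return them with the payload."""
    sport, dport, seq, ack, off, flags, window, csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    hlen = (off >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "csum": csum, "payload": segment[hlen:]}


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A receiver's check: summing pseudo-header + segment (checksum field included) yields zero."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


class HandshakeClient:
    """Tracks SND.NXT / RCV.NXT for the active opener across SYN, SYN/ACK, ACK and first data."""

    def __init__(self, src_ip, dst_ip, sport, dport, isn):
        self.src_ip, self.dst_ip, self.sport, self.dport = src_ip, dst_ip, sport, dport
        self.snd_nxt = isn
        self.rcv_nxt = None  # unknown until the server's SYN/ACK reveals its ISN

    def _seg(self, flags, payload=b""):
        return build_tcp(self.src_ip, self.dst_ip, self.sport, self.dport,
                         self.snd_nxt, self.rcv_nxt or 0, flags, payload)

    def syn(self) -> bytes:
        # ack field is 0 and the ACK flag is clear: nothing to acknowledge yet
        seg = self._seg(SYN)
        self.snd_nxt = (self.snd_nxt + 1) & MASK32  # the SYN occupies one sequence number
        return seg

    def on_synack(self, segment: bytes) -> bytes:
        """Validate the server's SYN/ACK and return the ACK that completes the handshake."""
        if not checksum_ok(self.dst_ip, self.src_ip, segment):
            raise ValueError("SYN/ACK has a bad checksum")
        s = parse_tcp(segment)
        if (s["flags"] & (SYN | ACK)) != (SYN | ACK) or s["flags"] & RST:
            raise ValueError("expected SYN/ACK, got flags 0x%02x" % s["flags"])
        if s["ack"] != self.snd_nxt:
            raise ValueError("server acknowledged %d, expected %d" % (s["ack"], self.snd_nxt))
        self.rcv_nxt = (s["seq"] + 1) & MASK32  # the server's SYN also occupies one number
        return self._seg(ACK)

    def send_data(self, payload: bytes) -> bytes:
        """PSH/ACK carrying payload: seq advances by its length, ack stays at RCV.NXT."""
        seg = self._seg(PSH | ACK, payload)
        self.snd_nxt = (self.snd_nxt + len(payload)) & MASK32
        return seg


def demo() -> dict:
    """Walk the exchange against a constructed server SYN/ACK; return the raw segments."""
    client = HandshakeClient(CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT, CLIENT_ISN)
    syn = client.syn()
    # Constructed server reply: its ack must equal our ISN + 1
    synack = build_tcp(SERVER_IP, CLIENT_IP, SERVER_PORT, CLIENT_PORT,
                       SERVER_ISN, CLIENT_ISN + 1, SYN | ACK)
    ack = client.on_synack(synack)
    data = client.send_data(b"GET / HTTP/1.0\r\n\r\n")
    return {"syn": syn, "synack": synack, "ack": ack, "data": data}


if __name__ == "__main__":
    for name, seg in demo().items():
        f = parse_tcp(seg)
        print("%-6s flags=0x%02x seq=%d ack=%d payload=%d bytes"
              % (name, f["flags"], f["seq"], f["ack"], len(f["payload"])))
```

Running the block prints one line per segment, so the seq/ack progression (1000 -> 1001, server 5000 -> 5001) can be compared against what a capture shows. The same `checksum_ok` check applied to a captured segment answers the "maybe the checksum is invalid" question directly. What it cannot fix is the kernel-RST problem from the earlier replies: the local TCP stack never saw the SYN, so its reply to the SYN/ACK is a RST unless outbound RSTs for that port are dropped, for example with `iptables -A OUTPUT -p tcp --tcp-flags RST RST -s <your ip> --sport <scapy port> -j DROP`, which is narrower than dropping all outbound TCP to the target.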



Abuse 007 | 8 Aug 2008 11:33

Re: TCP handshake?

Hi Jong,

Try capturing the TCP session in Wireshark on both the server and the Scapy end. If there is a problem with your packets, Wireshark will probably show you.

Cheers.

On Fri, Aug 8, 2008 at 4:04 AM, Jong Chun Park <joumon <at> gmail.com> wrote:
I tried this, but it didn't work either. I'm also using libpcap to monitor packets
between the server and client. Here is the sequence of packets between them:

1] I sent SYN to the server
2] I received SYN+ACK from the server
3] I sent ACK
4] I sent ACK+PSH with HTTP GET request
5] the server sent me TCP RST packets

I'm pretty sure that the server received my SYN because it responded with
SYN+ACK, but I'm not sure that the ACK in 3] or 4] reached the server. If not,
the server may have sent me a RST packet due to an incomplete handshake.
Besides, I also suspect that some fields such as the checksum might be
invalid, thereby triggering the server to send RST. Any idea?

Thanks a lot,
Jong

On Thu, Aug 7, 2008 at 3:35 AM, Mathieu GELI <mathieu.geli <at> gmail.com> wrote:
> How does one filter the packets that scapy handles from reaching the
> OS?

It depends on your existing ruleset, but for basic testing I'd do:

# iptables -A OUTPUT -p tcp -d targetip --dport targetport -j DROP

Filtering on INPUT is not required, but may be seen as saner.

--
Mathieu
