Demo of how to use 4-way TCP handshake to get past firewalls/NATs
#!/usr/bin/env python3 | |
# Copyright (c) 2016 Jarek Siembida <jarek.siembida@gmail.com> | |
# Copyright (c) 2016 LShift Ltd. <query@lshift.net> | |
# | |
# Permission is hereby granted, free of charge, to any person | |
# obtaining a copy of this software and associated documentation files | |
# (the "Software"), to deal in the Software without restriction, | |
# including without limitation the rights to use, copy, modify, merge, | |
# publish, distribute, sublicense, and/or sell copies of the Software, | |
# and to permit persons to whom the Software is furnished to do so, | |
# subject to the following conditions: | |
# | |
# The above copyright notice and this permission notice shall be | |
# included in all copies or substantial portions of the Software. | |
# | |
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, | |
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF | |
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND | |
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS | |
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN | |
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN | |
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | |
# SOFTWARE. | |
""" | |
This demonstrates how to use timed SYN packets to get past firewalls/NATs: | |
hostA <--> fwA (public IP: 1.2.3.4) <--> (public IP: 5.6.7.8) fwB <--> hostB | |
1. hostA sends a SYN to the public IP of fwB and a known port. fwA translates | |
the source IP to its public IP and starts tracking the session for it. | |
Assumption here is, that fwA does not change the source port of the SYN | |
packet - which often is the case. | |
2. Simultaneously, hostB sends a SYN to the public IP of fwA and a known port. | |
fwB translates the source IP, doesn't change the source port and starts | |
tracking the session for this packet. | |
3. The SYN from point 1) arrives at fwB and, because it matches the public IP of
fwB and the source port of the packet from point 2), it is assumed to be
a continuation of the TCP setup - so fwB passes the packet along to hostB,
which replies to it with an ACK.
4. The same happens with the SYN packet sent by hostB: fwA treats it as part
of the session setup and lets it through, and hostA replies with an ACK.
Assuming hostA and hostB clocks are precisely synchronized, run: | |
on hostA: this-script 5.6.7.8 5555 hello | |
on hostB: this-script 1.2.3.4 5555 world | |
""" | |
from datetime import datetime
from datetime import timezone
from socket import socket, AF_INET, SOCK_STREAM
from socket import SOL_SOCKET, SO_REUSEADDR
from socket import timeout as TimeoutException
from sys import argv
from time import sleep
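def wait(secs):
    """Block until the next wall-clock instant that is a whole multiple of *secs*.

    Both peers call this with the same *secs* so that, given synchronized
    clocks, they send their SYNs at the same absolute second boundary.

    Args:
        secs: alignment interval in seconds; expected to be a positive int.

    Returns:
        None, once the current time is within ~1 ms of the boundary.

    Raises:
        ZeroDivisionError: if *secs* is 0.
    """
    # Use an aware UTC time: datetime.utcnow() is deprecated and, being naive,
    # .timestamp() on it applies the local timezone offset, which would skew
    # the boundary on hosts not running in UTC.
    now = datetime.now(timezone.utc).timestamp()
    whole = int(now)
    # Next boundary strictly after the current whole second.
    boundary = whole + (secs - whole % secs)
    delay = boundary - now
    print(str(int(delay)) + 's to the next try')
    # Scheduler granularity determines the precision with which the process is
    # woken up (commonly ~100 ms), so ask to wake up 50 ms early.  The boundary
    # can be less than 50 ms away, and sleep() rejects a negative argument,
    # hence the clamp to zero.
    sleep(max(delay - 0.050, 0.0))
    # Busy-wait the remainder to get within 1 ms of the boundary.
    while True:
        now = datetime.now(timezone.utc).timestamp()
        if boundary - now < 0.001:
            return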
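def exchange(sock, host, port, message):
    """Connect *sock* to (*host*, *port*), send *message* and return the reply.

    Args:
        sock: an unconnected TCP socket (the caller binds and closes it).
        host: peer address to connect to.
        port: peer TCP port.
        message: text to send; encoded as UTF-8.

    Returns:
        Up to 1000 bytes of the peer's reply decoded as UTF-8.  Bytes that are
        not valid UTF-8 are replaced with U+FFFD rather than raising, because
        the reply is network input and the caller only handles connection
        errors.  An empty string means the peer closed without replying.

    Raises:
        OSError subclasses from connect()/recv(), including
        ConnectionRefusedError and socket.timeout.
    """
    sock.connect((host, port))
    print('connected to ' + host + ':' + str(port))
    sock.sendall(message.encode())
    # A single recv() may return less than the whole reply; 1000 bytes is
    # plenty for this demo's short messages.
    return sock.recv(1000).decode(errors='replace')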
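def main(host, port, message, interval=10):
    """Repeatedly attempt a simultaneous TCP open with the peer at *host*:*port*.

    Each round binds a fresh socket to the local *port* (so the source port
    equals the destination port, as the module docstring's NAT assumption
    requires), waits for the next *interval*-second boundary, then tries to
    connect and exchange *message* for the peer's reply.  Refused connections
    and timeouts are expected while the two SYNs are not yet aligned, so the
    round is simply retried.

    Args:
        host: peer's public IP (argv[1]).
        port: TCP port used both locally and remotely (argv[2]).
        message: text sent to the peer once connected (argv[3]).
        interval: seconds between attempts; must be the same on both peers.

    Returns:
        None, after the first successful exchange.  Other OSErrors (for
        example a failed bind) propagate.
    """
    while True:
        sock = socket(AF_INET, SOCK_STREAM)
        # Bound per-attempt time so the loop can realign on the next boundary.
        sock.settimeout(5)
        # The same local port is rebound every round.  Without SO_REUSEADDR a
        # previous round that got connected but then timed out can leave the
        # port in TIME_WAIT, making bind() fail with EADDRINUSE.
        sock.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        sock.bind(('0.0.0.0', port))
        wait(interval)
        try:
            reply = exchange(sock, host, port, message)
            # The reply is untrusted network input and is only printed.
            print('received message: [' + reply + ']')
            break
        except (ConnectionRefusedError, TimeoutException):
            # Expected until both SYNs line up; retry on the next boundary.
            pass
        finally:
            sock.close()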
if __name__ == '__main__':
    # Command line: <peer-public-ip> <port> <message>; see the module docstring.
    _peer_ip = argv[1]
    _port = int(argv[2])
    _text = argv[3]
    main(_peer_ip, _port, _text)