Skip to content

Instantly share code, notes, and snippets.

/tcp-4way.py Secret
Created Nov 7, 2016

Embed
What would you like to do?
Demo of how to use 4-way TCP handshake to get past firewalls/NATs
#!/usr/bin/env python3
# Copyright (c) 2016 Jarek Siembida <jarek.siembida@gmail.com>
# Copyright (c) 2016 LShift Ltd. <query@lshift.net>
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation files
# (the "Software"), to deal in the Software without restriction,
# including without limitation the rights to use, copy, modify, merge,
# publish, distribute, sublicense, and/or sell copies of the Software,
# and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
"""
This demonstrates how to use timed SYN packets to get past firewalls/NATs:
hostA <--> fwA (public IP: 1.2.3.4) <--> (public IP: 5.6.7.8) fwB <--> hostB
1. hostA sends a SYN to the public IP of fwB and a known port. fwA translates
the source IP to its public IP and starts tracking the session for it.
Assumption here is, that fwA does not change the source port of the SYN
packet - which often is the case.
2. Simultaneously, hostB sends a SYN to the public IP of fwA and a known port.
fwB translates the source IP, doesn't change the source port and starts
tracking the session for this packet.
3. SYN from point 1) arrives to fwB and because it matches the public IP of
fwB and the source port of packet from point 2) it's being assumed to be
a continuation of the TCP setup - so fwB passes the packet along to hostB
who replies to it with an ACK.
4. The same happens with the SYN packet sent by hostB, fwA treats it as a part
of the session setup and lets it thru and hostA replies with an ACK.
Assuming hostA and hostB clocks are precisely synchronized, run:
on hostA: this-script 5.6.7.8 5555 hello
on hostB: this-script 1.2.3.4 5555 world
"""
from sys import argv
from time import sleep
from socket import socket, AF_INET, SOCK_STREAM
from socket import timeout as TimeoutException
from datetime import datetime
def wait(secs):
now = datetime.utcnow().timestamp()
delay = secs - (int(now) % secs)
timestamp = int(now) + delay
delay = timestamp - now
print(str(int(delay)) + 's to the next try')
# Scheduler granularity determines the precision with which process will be
# woken up. Usually it is 100ms, so we say we want to wake up 50ms earlier.
sleep(delay - 0.050)
# In the busy loop try to get within 1ms from the timestamp
while True:
now = datetime.utcnow().timestamp()
if timestamp - now < 0.001:
return
def exchange(sock, host, port, message):
sock.connect((host, port))
print('connected to ' + host + ':' + str(port))
sock.sendall(message.encode())
return sock.recv(1000).decode()
def main(host, port, message):
while True:
sock = socket(AF_INET, SOCK_STREAM)
sock.settimeout(5)
sock.bind(('0.0.0.0', port))
wait(10)
try:
reply = exchange(sock, host, port, message)
print('received message: [' + reply + ']')
break
except (ConnectionRefusedError, TimeoutException):
pass
finally:
sock.close()
if __name__ == '__main__':
main(argv[1], int(argv[2]), argv[3])
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.