TCP ACK spoofing

I am writing a program that fakes TCP requests and collects data for storage in a local buffer. To do this, on a system connected to the client, I configured iptables so that all incoming packets are in the queue before routing. Then I use the netfilter library to read packets from the queue. After that, using RAW sockets, I send fake TCP packets to the client. With this, I can fake a SYN / ACK packet in response to a SYN request from a client.

But the problem occurs when I try to fake an ACK for a client in response to incoming data. In this case, the real source IP is included in the packet, not a fake one. See the 7th trace below, marked with “→>”. In this, the source IP is shown as 192.168.10.10, where it should be 212.58.246.81. In the 4th trace (that is, the SYN / ACK packet), it is displayed correctly.

    3 0.073852000 192.168.10.100 212.58.246.81 TCP 38307 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=502233100 TSER=0 WS=6
    4 0.103102000 212.58.246.81 192.168.10.100 TCP http > 38307 [SYN, ACK] Seq=0 Ack=1 Win=31744 Len=0
    5 0.103147000 192.168.10.100 212.58.246.81 TCP 38307 > http [ACK] Seq=1 Ack=1 Win=5840 Len=0
    6 0.103349000 192.168.10.100 212.58.246.81 HTTP GET /go/rss/int/news/-/sport2/hi/tennis/9519762.stm HTTP/1.1
>>> 7 1.118729000 192.168.10.10 192.168.10.100 TCP http > 38307 [ACK] Seq=1 Ack=1 Win=31744 Len=0
    8 1.118788000 192.168.10.100 192.168.10.10 TCP 38307 > http [RST] Seq=1 Win=0 Len=0
    9 3.102627000 192.168.10.100 212.58.246.81 HTTP [TCP Retransmission] GET /go/rss/int/news/-/sport2/hi/tennis/9519762.stm HTTP/1.1
    10 3.148590000 192.168.10.10 192.168.10.100 TCP [TCP Dup ACK 7#1] http > 38307 [ACK] Seq=1 Ack=1 Win=31744 Len=0
    11 3.148606000 192.168.10.100 192.168.10.10 TCP 38307 > http [RST] Seq=1 Win=0 Len=0

I also tried the sendip command as shown below to send a fake TCP ACK:

 sendip -p ipv4 -p tcp -is 212.58.246.81 -id 192.168.10.100 -ts 80 -td 4567 -tfa 1 -tfs 0 -d "Data" 192.168.10.100 

Here tfa and tfs mean flags ack and syn, respectively. This also did not work as expected, and showed that it works with 192.168.10.10 instead of 212.58.246.81. But if I set both flags (syn and ack) as 1, then its work stopped.

OS - Ubuntu. Can someone please tell me where I am going wrong? Many thanks for your help.


Source: https://habr.com/ru/post/1380138/
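The RSTs in the trace follow from how TCP matches segments to connections: the client opened its connection to 212.58.246.81, so an ACK arriving from 192.168.10.10 belongs to no connection it knows and is answered with a reset. As an added example (not part of the original post), this Python check reads the TCP summary lines of packets 3-8 from the trace above and reports every segment whose peer address differs from the one the connection was opened with; the function and variable names are this example's own.

```python
import re

# Packets 3-8 copied from the trace in the question (trailing fields shortened).
TRACE = """\
3 0.073852000 192.168.10.100 212.58.246.81 TCP 38307 > http [SYN] Seq=0 Win=5840
4 0.103102000 212.58.246.81 192.168.10.100 TCP http > 38307 [SYN, ACK] Seq=0 Ack=1
5 0.103147000 192.168.10.100 212.58.246.81 TCP 38307 > http [ACK] Seq=1 Ack=1
6 0.103349000 192.168.10.100 212.58.246.81 HTTP GET /go/rss/int/news/... HTTP/1.1
7 1.118729000 192.168.10.10 192.168.10.100 TCP http > 38307 [ACK] Seq=1 Ack=1
8 1.118788000 192.168.10.100 192.168.10.10 TCP 38307 > http [RST] Seq=1 Win=0
"""

# no, time, src ip, dst ip, "TCP", src port > dst port, [flags]
LINE = re.compile(r"(\d+) \S+ (\S+) (\S+) TCP (\S+) > (\S+) \[([^\]]+)\]")

def mismatched_segments(trace):
    """Return (packet no, peer seen, peer expected, flags) for every segment
    that reuses a known client endpoint and port pair with a different peer IP."""
    conns = {}   # (client_ip, client_port, server_port) -> server_ip taken from the SYN
    found = []
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # summary lines without TCP flags, such as the HTTP GET
        no, src, dst, sport, dport, flags = m.groups()
        flags = flags.replace(" ", "")
        if flags == "SYN":
            conns[(src, sport, dport)] = dst  # client opens the connection
            continue
        # Check the segment in both directions: towards the client, then from it.
        for client, cport, srv_port, peer in ((dst, dport, sport, src),
                                              (src, sport, dport, dst)):
            expected = conns.get((client, cport, srv_port))
            if expected and peer != expected:
                found.append((int(no), peer, expected, flags))
    return found

if __name__ == "__main__":
    for no, seen, expected, flags in mismatched_segments(TRACE):
        print(f"packet {no} [{flags}]: peer {seen}, connection was opened with {expected}")
```

Packet 7 is reported because its source address is not the address the SYN went to, and packet 8 is the client's reset sent back to that unexpected address.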

