The host machine will receive the spoofed packet with the correct
acknowledgment number and will have no reason to believe it didn't come
from the victim machine.
0x461 RST Hijacking
A very simple form of TCP/IP hijacking involves injecting an authentic-looking
reset (RST) packet. If the source address and port are spoofed and the sequence
number is where the receiver expects it, the receiving side has no way to tell
the packet from a reset the real peer sent, and it tears down the connection.
The value to use is not a secret: the acknowledgment number carried by the
traffic flowing in the other direction is exactly the sequence number the
receiver expects next, so a sniffer on the path can read it off the wire.
One caveat for modern stacks: hosts that implement RFC 5961 accept a RST only
when its sequence number is exactly the next expected one, and answer an
in-window but inexact RST with a challenge ACK rather than closing, so the
sniffed value must be current rather than merely somewhere in the window.
Imagine a program to perform this attack on a target IP. At a high level,
it would sniff using libpcap, then inject RST packets using libnet. Such a
program doesn't need to look at every packet, only at established TCP
connections to the target IP. Many other programs that use libpcap also don't
need to see every single packet, so libpcap provides a way to tell the kernel
to hand up only the packets that match a filter. This filter, known as a
Berkeley Packet Filter (BPF), is very much like a program. For example, the
filter rule for a destination IP of 192.168.42.88 is "dst host 192.168.42.88".
Like a program, this rule consists of keywords and must be compiled before it's
actually sent to the kernel. The tcpdump program uses BPFs to filter what it
captures; it also provides modes to dump the compiled filter program. With -d
the program is printed in an assembly-like form, where jt and jf name the
instruction to jump to when the comparison is true or false. With -ddd the same
program is printed as decimal numbers: an instruction count, then one line per
instruction giving the opcode, the true-branch offset, the false-branch offset
and the operand, with the offsets now relative to the following instruction.
reader@hacking:~/booksrc $ sudo tcpdump -d "dst host 192.168.42.88"
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 4
(002) ld [30]
(003) jeq #0xc0a82a58 jt 8 jf 9
(004) jeq #0x806 jt 6 jf 5
(005) jeq #0x8035 jt 6 jf 9
(006) ld [38]
(007) jeq #0xc0a82a58 jt 8 jf 9
(008) ret #96
(009) ret #0
reader@hacking:~/booksrc $ sudo tcpdump -ddd "dst host 192.168.42.88"
10
40 0 0 12
21 0 2 2048
32 0 0 30
21 4 5 3232246360
21 1 0 2054
21 0 3 32821
32 0 0 38
21 0 1 3232246360
6 0 0 96
6 0 0 0
reader@hacking:~/booksrc $
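To see what the kernel actually does with a compiled filter, here is an added example, written for this page and not code from the book, from libpcap or from tcpdump: a small interpreter for classic BPF programs, fed the ten instructions from the -ddd listing above and run over constructed Ethernet frames. It also carries a second program, hand-assembled here rather than produced by tcpdump, for the established-connection case the text turns to next: IPv4, TCP, first fragment, destination 192.168.42.88, and the ACK bit set in the byte at offset 13 of the TCP header. The frames, the 10.0.0.1 source address and the port numbers are constructed for the demonstration; the only thing taken from the page is the -ddd text.

```python
"""Minimal classic-BPF interpreter (added example, not code from the book).

DST_HOST is parsed from the tcpdump -ddd listing for "dst host 192.168.42.88".
ACK_TO_HOST is hand-assembled here (not tcpdump output). Opcode layout is the
classic BPF one shared by BSD <net/bpf.h> and Linux <linux/filter.h>: bits 0-2
class, bits 3-4 load width (or return source), bits 5-7 load mode, bits 4-7
ALU/jump operation, bit 3 operand source (K = immediate, X = index register).
"""
import struct

BPF_LD, BPF_LDX, BPF_ALU, BPF_JMP, BPF_RET = 0x00, 0x01, 0x04, 0x05, 0x06
WIDTH = {0x00: 4, 0x08: 2, 0x10: 1}                           # BPF_W, BPF_H, BPF_B
BPF_IMM, BPF_ABS, BPF_IND, BPF_LEN, BPF_MSH = 0x00, 0x20, 0x40, 0x80, 0xA0
BPF_JA, BPF_JEQ, BPF_JGT, BPF_JGE, BPF_JSET = 0x00, 0x10, 0x20, 0x30, 0x40
BPF_AND, BPF_X, BPF_A = 0x50, 0x08, 0x10


def parse_ddd(text):
    """tcpdump -ddd output: instruction count, then 'opcode jt jf k' per line."""
    nums = [int(tok) for tok in text.split()]
    count, body = nums[0], nums[1:]
    if len(body) != 4 * count:
        raise ValueError("instruction count does not match body")
    return [tuple(body[i:i + 4]) for i in range(0, len(body), 4)]


def _load(pkt, off, width):
    if off < 0 or off + width > len(pkt):
        raise IndexError("load past end of packet")
    return int.from_bytes(pkt[off:off + width], "big")


def run_bpf(program, pkt):
    """Run a classic BPF program over pkt; return bytes to capture (0 = drop).

    A load beyond the end of the packet rejects it, as the kernel's filter does.
    """
    a = x = pc = 0
    try:
        while pc < len(program):
            code, jt, jf, k = program[pc]
            pc += 1
            cls, mode, op = code & 0x07, code & 0xE0, code & 0xF0
            src = x if code & BPF_X else k
            if cls == BPF_LD:
                if mode == BPF_ABS:
                    a = _load(pkt, k, WIDTH[code & 0x18])
                elif mode == BPF_IND:
                    a = _load(pkt, x + k, WIDTH[code & 0x18])
                elif mode == BPF_IMM:
                    a = k
                elif mode == BPF_LEN:
                    a = len(pkt)
                else:
                    raise ValueError(f"unsupported load {code:#x}")
            elif cls == BPF_LDX and mode == BPF_MSH:
                x = 4 * (_load(pkt, k, 1) & 0x0F)              # IP header length in bytes
            elif cls == BPF_ALU and op == BPF_AND:
                a &= src
            elif cls == BPF_JMP:
                if op == BPF_JA:
                    pc += k
                    continue
                taken = {BPF_JEQ: a == src, BPF_JGT: a > src,
                         BPF_JGE: a >= src, BPF_JSET: (a & src) != 0}[op]
                pc += jt if taken else jf                      # offsets relative to pc+1
            elif cls == BPF_RET:
                return a if code & BPF_A else k
            else:
                raise ValueError(f"unsupported instruction {code:#x}")
    except IndexError:
        return 0
    return 0                                                   # fell off the end: drop


# The ten instructions printed by "tcpdump -ddd 'dst host 192.168.42.88'" above.
DST_HOST = parse_ddd("""10
40 0 0 12
21 0 2 2048
32 0 0 30
21 4 5 3232246360
21 1 0 2054
21 0 3 32821
32 0 0 38
21 0 1 3232246360
6 0 0 96
6 0 0 0""")

# Hand-assembled (not tcpdump output): IPv4 TCP to the target with ACK set.
ACK_TO_HOST = [
    (0x28, 0, 0, 12),           # ldh [12]         A = Ethernet type
    (0x15, 0, 10, 0x0800),      # jeq #0x800       not IPv4 -> ret 0
    (0x20, 0, 0, 30),           # ld  [30]         A = IP destination (14 + 16)
    (0x15, 0, 8, 0xC0A82A58),   # jeq #192.168.42.88
    (0x30, 0, 0, 23),           # ldb [23]         A = IP protocol (14 + 9)
    (0x15, 0, 6, 6),            # jeq #6           not TCP -> ret 0
    (0x28, 0, 0, 20),           # ldh [20]         A = IP flags/fragment offset
    (0x45, 4, 0, 0x1FFF),       # jset #0x1fff     later fragment has no TCP header
    (0xB1, 0, 0, 14),           # ldx msh [14]     X = 4 * (ip[0] & 0xf)
    (0x50, 0, 0, 27),           # ldb [x + 27]     A = TCP flags byte (14 + X + 13)
    (0x45, 0, 1, 0x10),         # jset #0x10       ACK bit set?
    (0x06, 0, 0, 96),           # ret #96
    (0x06, 0, 0, 0),            # ret #0
]


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def ipv4_tcp_frame(dst_ip, tcp_flags, proto=6, frag=0):
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero, no filter reads them."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, frag, 64, proto, 0,
                     _ip("10.0.0.1"), _ip(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, tcp_flags, 8192, 0, 0)
    return eth + ip + tcp


def arp_frame(target_ip):
    """Constructed Ethernet/ARP request; the target IP lands at frame offset 38."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      b"\x00" * 6, _ip("10.0.0.1"), b"\x00" * 6, _ip(target_ip))
    return b"\x00" * 12 + b"\x08\x06" + arp


if __name__ == "__main__":
    for name, frame in [("ack to target", ipv4_tcp_frame("192.168.42.88", 0x10)),
                        ("syn to target", ipv4_tcp_frame("192.168.42.88", 0x02)),
                        ("ack elsewhere", ipv4_tcp_frame("192.168.42.89", 0x10)),
                        ("arp for target", arp_frame("192.168.42.88"))]:
        print(f"{name:15} dst host -> {run_bpf(DST_HOST, frame):3}"
              f"   ack filter -> {run_bpf(ACK_TO_HOST, frame):3}")
```

Two things the listing alone does not show come out when you run it. First, the "dst host" filter is not an IP filter: it also accepts ARP and RARP frames whose target address is 192.168.42.88, which is why the compiled program branches on Ethernet types 0x806 and 0x8035 and reads offset 38. Second, the ACK-flag program cannot use a fixed offset for the flags byte, because the IP header may carry options; that is what the ldx msh instruction is for, and why the filter must first rule out non-first fragments, which carry no TCP header at all. A frame shorter than the offset a load needs is simply dropped, which is how the kernel keeps a filter from reading past the packet.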
After the filter rule is compiled, it can be passed to the kernel for filtering.
Filtering for established connections is a bit more complicated. Every
established connection carries the ACK flag on its segments, so this is what we
should look for. The TCP flags are found at byte offset 13 of the TCP header,
counting from zero, which tcpdump's filter syntax writes as tcp[13]. The