python - How to spoof a TCP handshake in scapy?

I'm trying to write a scapy script that performs a full TCP handshake. I thought I'd connect two QEMU VMs using the -net socket userspace interface (which seems to handle raw IP/Ethernet fine) and instruct machine B to block INPUT (to prevent it from sending RSTs). Then I used telnet to connect() to machine B and ran the following script on machine B:

#!/usr/bin/python
import scapy.all as scapy

filter = "port 31337"
iface = "eth0"

def prepare_response(t):
    """Turn the captured SYN (Ether/IP/TCP) into a SYN+ACK aimed back at its sender."""
    print("Received: %s" % repr(t))
    t.src, t.dst = t.dst, t.src  # swap Ethernet addresses
    ip = t.getlayer("IP")
    ip.src, ip.dst = ip.dst, ip.src  # swap IP addresses
    t.dport, t.sport = t.sport, t.dport  # swap TCP ports
    t.ack = t.seq
    t.ack += 1  # acknowledge the client's ISN
    # note: t[TCP].chksum still holds the value computed for the original SYN

syn = scapy.sniff(filter=filter, count=1, iface=iface)[0]
print(syn.sprintf('%TCP.flags%'))

syn_ack = syn
prepare_response(syn_ack)
syn_ack.getlayer("TCP").flags |= 0x10  # set ACK flag
print(syn_ack.sprintf('%TCP.flags%'))
print("Sending: %s" % repr(syn_ack))
scapy.sendp(syn_ack, iface=iface, verbose=False)

ack = scapy.sniff(filter=filter, count=1, iface=iface)[0]
# index the TCP layer explicitly: a bare ack.flags would resolve to the IP flags field
assert(ack[scapy.TCP].flags & 0x10)

The problem is that instead of receiving an ACK, B seems to get a SYN retransmission, as if the SYN+ACK wasn't interpreted correctly:

tcpdump on machine A confirms that the SYN+ACK reached the machine:

05:47:03.925100 IP 10.0.0.1.39634 > debian.31337: Flags [S], seq 2426802888, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0
05:47:03.927515 IP debian.31337 > 10.0.0.1.39634: Flags [S.], seq 2426802888, ack 2426802889, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0

Here's a pcap file from machine B's perspective in base64 form:


and one from B's perspective:


At first I thought it was somehow related to a Linux TCP/IP quirk, so I experimented with turning off TCP timestamps and SYN cookies. I also tried increasing the IP id, which didn't help either. Both machines are running Debian 7.5 with linux-image-3.2.0-4-686-pae under QEMU 1.6.2. What am I missing?

That's a checksum issue.

In the IP layer it happens to be OK, since you're only swapping the source and destination addresses, but in the TCP layer the original checksum becomes wrong when you alter the flags value.

The best alternative is to let scapy compute the right checksum value for you, by adding del(t[TCP].chksum) in prepare_response().
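As an added example (not part of the question or answer, and independent of scapy), the checksum argument above reproduced in plain Python: swapping addresses and ports leaves the IPv4 and TCP checksums valid because the one's-complement sum is order-independent, while setting the ACK flag and ack number invalidates the SYN's TCP checksum until it is recomputed. The addresses 10.0.0.1/10.0.0.2 and the IP id/TTL are constructed; ports and ISN come from the tcpdump output in the question.

```python
import struct

SYN, SYN_ACK = 0x02, 0x12

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over 16-bit big-endian words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))

def ip_header(src: str, dst: str, chksum: int = 0) -> bytes:
    # IPv4 header of a 40-byte SYN: ver/IHL, TOS, total len, id (constructed), DF, TTL, proto TCP, checksum
    return struct.pack("!BBHHHBBH", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, chksum) + ip_bytes(src) + ip_bytes(dst)

def tcp_with_pseudo(src, dst, sport, dport, seq, ack, flags, chksum=0) -> bytes:
    # IPv4 pseudo-header (src, dst, zero, proto 6, TCP length) followed by a 20-byte TCP header, no options
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 14600, chksum, 0)
    return ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 6, len(tcp)) + tcp

def accepted(buf: bytes) -> bool:
    """A receiver sums the data including the transmitted checksum; the result is 0 when valid."""
    return inet_checksum(buf) == 0

def demo():
    a, b = "10.0.0.1", "10.0.0.2"                 # constructed: A is the telnet client, B runs the script
    sport, dport, seq = 39634, 31337, 2426802888  # values from the asker's tcpdump output
    ip_ck = inet_checksum(ip_header(a, b))
    syn_ck = inet_checksum(tcp_with_pseudo(a, b, sport, dport, seq, 0, SYN))
    # 1. Swap only the IP addresses: the SYN's IP checksum still verifies.
    ip_swapped_ok = accepted(ip_header(b, a, ip_ck))
    # 2. Swap addresses and ports in TCP, nothing else: still valid.
    tcp_swapped_ok = accepted(tcp_with_pseudo(b, a, dport, sport, seq, 0, SYN, syn_ck))
    # 3. Also set the ACK flag and ack number but keep the SYN's checksum: rejected (the asker's bug).
    stale_ok = accepted(tcp_with_pseudo(b, a, dport, sport, seq, seq + 1, SYN_ACK, syn_ck))
    # 4. Recompute over the modified header, which is what deleting t[TCP].chksum makes scapy do.
    new_ck = inet_checksum(tcp_with_pseudo(b, a, dport, sport, seq, seq + 1, SYN_ACK))
    fixed_ok = accepted(tcp_with_pseudo(b, a, dport, sport, seq, seq + 1, SYN_ACK, new_ck))
    return ip_swapped_ok, tcp_swapped_ok, stale_ok, fixed_ok

if __name__ == "__main__":
    print(demo())  # (True, True, False, True)
```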

python linux tcp scapy
