Project 10: TCP Handshake with scapy (15 pts.)

What you need

Finding the Target Linux Machine's IP Address

Use the ifconfig command on the target Linux machine to find its IP address. Record it--you will need it for the later steps.

Starting a netcat Listener on the Linux Target Machine

On the Linux target machine, in a Terminal window, execute this command (notice that the switch is a lowercase L):
nc -l 5555
Note: on older Ubuntu versions, and on BackTrack 4 R2, you need to use this command instead: nc -l -p 5555

On the Linux target machine, open another Terminal window and execute this command:

netstat -an | grep 5555
You should see a process listening on port 5555, as shown below on this page.

Blocking ACK Packets on the Linux Sender Machine

scapy will be sending TCP packets, but the Linux kernel will be confused by that, and send ACK packets, thinking there is no process listening on the ports. To prevent that, we need to add an iptables firewall rule.

On the Linux Sender machine, execute these commands.

sudo iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP

sudo iptables -L

You should see one rule in the OUTPUT section dropping RST packets, as shown below on this page.

Installing scapy on the Linux Sender Machine

If you are using BackTrack 4 R2, scapy is already installed.

If you are using Ubuntu, use this command to install it:

sudo apt-get install python-scapy

Starting scapy on the Linux Sender Machine

On the Linux machine, use this command to start scapy:
sudo scapy

Creating an IP Object on the Linux Sender Machine

In the Linux sender machine, in the Terminal window, at the >>> prompt, execute these commands, replacing the IP address in the second command with the IP address of your Linux target machine:
i = IP()

i.dst="192.168.198.139"

i.display()

scapy fills in both the source and destination addresses, as shown below on this page.

Creating a TCP Object on the Linux Sender Machine

Use these commands to create an object named t of type TCP with a destination port of 5555 and the flags set to S (for SYN):
t = TCP()

t.dport = 5555

t.flags = "S"

t.display()

The properties of your TCP object should look like the example shown below on this page. Notice that the seq and ack numbers are both 0.

Sending a SYN Packet on the Linux Sender Machine

Use this command to send the packet onto the network and listen to a single packet in response. Note that the third character is the numeral 1, not a lowercase L:
sr1(i/t)
This command sends and receives one packet, of type IP at layer 3 and TCP at layer 4. As you can see in the image below, the response is shown, with flags=SA (a SYN/ACK reply). The ack number is 1, indicating that this is a reply to your SYN packet with seq = 0.

Find the seq number in the SYN/ACK reply--in the figure below, it is 2833926512. Add one to this number to find the ack value you must use in the ACK packet that completes the handshake.

Sending an ACK Packet on the Linux Sender Machine

On the Linux machine, at the >>> prompt, execute these commands. Replace the ack value with the value you calculated above.
t.flags = "A"

t.seq = 1

t.ack = 2833926513

t.display()

The properties of your TCP object should look like the example shown below on this page.

Use this command to send the packet onto the network:

send(i/t)

Observing the Session on the Linux Target Machine

On the Linux target machine, in a Terminal window, execute this command:
netstat -an | grep 5555
You should see a connection from local port 5555 with a status of ESTABLISHED, as shown below on this page. If you don't see the session, it may have timed out. Repeat the steps more quickly--try to get the ACK sent within 30 seconds of the SYN. A trick that sometimes helps is to send some layer 7 data along with the ACK: instead of using the send(i/t) command, use send(i/t/"X") to send the final ACK. That will keep the session open longer, while the target waits for more layer 7 data.
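The steps above are done interactively in scapy, which hides the header arithmetic behind i/t and sr1(). The following is an added example (not part of the original project, and not scapy code) that does the same seq/ack bookkeeping in plain Python with the standard library only: it parses a constructed SYN/ACK header like the one sr1(i/t) returns, derives the ACK segment that completes the handshake (seq = 1, ack = target seq + 1, exactly as the project text computes it), and fills in the TCP checksum that scapy normally computes for you. The target port 5555 and the seq value 2833926512 are the project's own; the source port 40000 and the sender address 192.168.198.1 are constructed placeholders.

```python
"""Three-way handshake arithmetic without scapy (added example).

Builds and parses bare 20-byte TCP headers so the seq/ack values used in the
project (SYN with seq=0 -> SYN/ACK with ack=1 -> ACK with seq=1,
ack=target_seq+1) can be checked offline. Standard library only.
"""
import socket
import struct

# Classic TCP flag bits, listed in the order scapy prints them ("SA" = SYN/ACK).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

# Header layout: sport, dport, seq, ack, data-offset/flags, window, checksum, urgent.
TCP_HDR = "!HHIIHHHH"


def flags_to_bits(flags):
    return sum(FLAG_BITS[c] for c in flags)


def bits_to_flags(bits):
    return "".join(c for c, b in FLAG_BITS.items() if bits & b)


def build_tcp_header(sport, dport, seq, ack, flags, window=8192):
    """Return a 20-byte TCP header with no options and a zero checksum."""
    offset_flags = (5 << 12) | flags_to_bits(flags)  # data offset = 5 x 32-bit words
    return struct.pack(TCP_HDR, sport, dport, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_header(data):
    """Decode the fixed part of a TCP header into a dict (mirrors t.display())."""
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(TCP_HDR, data[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": bits_to_flags(off_flags & 0x3F), "window": window,
            "chksum": csum, "urgptr": urg}


def tcp_checksum(src_ip, dst_ip, segment):
    """Internet checksum over the IPv4 pseudo-header plus the TCP segment.

    Recomputing it over a segment whose checksum field is already filled in
    yields 0, which is the usual receive-side validity check.
    """
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ack_for_synack(synack_header):
    """Given the SYN/ACK answering our SYN (seq=0), build the handshake's final ACK.

    The target acknowledged our ISN, so its ack field (1) becomes our seq, and
    we acknowledge its ISN by sending its seq + 1, modulo 2**32.
    """
    hdr = parse_tcp_header(synack_header)
    if hdr["flags"] != "SA":
        raise ValueError("expected SYN/ACK, got flags=%s" % hdr["flags"])
    our_seq = hdr["ack"]
    our_ack = (hdr["seq"] + 1) & 0xFFFFFFFF
    return build_tcp_header(hdr["dport"], hdr["sport"], our_seq, our_ack, "A")


def complete_handshake_ack(synack_header, src_ip, dst_ip):
    """ACK segment for the SYN/ACK, with the checksum field filled in."""
    seg = ack_for_synack(synack_header)
    csum = tcp_checksum(src_ip, dst_ip, seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


# Constructed SYN/ACK, as the target (port 5555) would answer a SYN from source
# port 40000 with seq=0; 2833926512 is the target seq quoted in the project text.
SAMPLE_SYNACK = build_tcp_header(5555, 40000, 2833926512, 1, "SA")
SENDER_IP = "192.168.198.1"      # placeholder for the sender machine
TARGET_IP = "192.168.198.139"    # target address used in the project

if __name__ == "__main__":
    seg = complete_handshake_ack(SAMPLE_SYNACK, SENDER_IP, TARGET_IP)
    print(parse_tcp_header(seg))  # seq=1, ack=2833926513, flags='A'
```

Running the file prints the decoded ACK header; the ack value 2833926513 is the same one the project tells you to type into t.ack, and the seq value 1 matches t.seq. The flags check in ack_for_synack is the part worth keeping in mind on the real network: a RST instead of a SYN/ACK means nothing was listening on the target port, and the handshake cannot be completed from that reply.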

Saving the Screen Image

Make sure you can see the ESTABLISHED connection.

Save a screen image with the filename Proj 10 from Your Name.

Turning in Your Project

Email the images to [email protected] with a Subject line of Proj 10 from Your Name.


Source

http://blog.facilelogin.com/2010/12/hand-crafting-tcp-handshake-with-scapy.html

Last modified 8-1-11 11 pm