I'm trying to understand how nasl does its thing, and at the same time, play with networks at their most basic.

My previous hurdles have been overcome, but now I'm trying to simulate a 3-way handshake using nasl.

Here's the code:
# Sending raw packets
seq = 2056759790;          # our initial sequence number (ISN) for the SYN

# IP header for every segment we send; no ip_dst is given, so the
# scanned target host is used as the destination
ip1 = forge_ip_packet(
    ip_hl:5,
    ip_v:4,
    ip_tos:0,
    ip_len:40,             # 20-byte IP header + 20-byte TCP header, no data
    ip_id:99,
    ip_off:0,
    ip_ttl:200,
    ip_p:IPPROTO_TCP,
    ip_src:this_host()
);

# Step 1 of the handshake: SYN from our port 1234 to the target's port 80
tcp1 = forge_tcp_packet(
    ip:ip1,
    th_sport:1234,
    th_dport:80,
    th_flags:TH_SYN,
    th_seq:seq,
    th_ack:0,
    th_x2:0,
    th_off:5,
    th_win:2048,
    th_urp:0
);
# Step 2: put the SYN on the wire and capture the SYN/ACK that comes back
reply = send_packet(tcp1, pcap_active:TRUE);
ack = get_tcp_element(tcp:reply, element:"th_seq");   # the peer's ISN

# Step 3: our ACK carries seq+1 (the SYN consumed one sequence number)
# and must acknowledge the peer's SYN, i.e. the peer's ISN + 1
tcp2 = forge_tcp_packet(
    ip:ip1,
    th_sport:1234,
    th_dport:80,
    th_flags:TH_ACK,
    th_seq:seq+1,
    th_ack:ack+1,
    th_x2:0,
    th_off:5,
    th_win:2048,
    th_urp:0
);
send_packet(tcp2, pcap_active:FALSE);
When I sniff the session using ethereal, here's what I see:

src -> dst   my crafted SYN packet
dst -> src   SYN/ACK reply
src -> dst   RST
src -> dst   my crafted ACK packet
dst -> src   RST
It seems that my tcp/ip stack is responding to the SYN/ACK from the destination rather than assuming there is an application expecting to receive the packet.

I presume it's because I do not 'open' a socket to the destination; rather, I'm just using NASL to craft a packet and send it on the wire. There is no application to listen for it, so my own tcp/ip stack just thinks "wow, where did this SYN/ACK come from, I'd better issue an RST".

Can I do this with Nasl or do I have to resort to programming my tests in C?

I'll tell you what I'm ultimately trying to do, and that is send some data with the initial SYN packet, complete the 3-way handshake and then finish sending the data using a normal send process. By doing so I want to simulate the insertion method of IDS evasion (something nessus does already but I wanted to write my own code to do it.... and I was trying to avoid having to use C).

If nasl can't do this, I'll just code away.

Thanks
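As an added illustration (not part of the original post, and not NASL or Nessus code), the following Python simulates the exchange captured above with three parties: the packet crafter, its own kernel stack, which has no socket bound to port 1234, and the remote server listening on port 80. It reproduces the five-packet trace from the capture, and then shows the two things that have to hold for the handshake to complete: the local stack's RST must be kept off the wire (on Linux the usual workaround is a firewall rule that drops outbound RSTs from the crafted source port), and the crafted ACK must acknowledge the peer's ISN + 1, not the ISN itself. The addresses, ISNs and state machine are a constructed model, reduced to the fields the handshake depends on.

```python
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits used by this model


@dataclass
class Segment:
    """Only the TCP fields that matter for the handshake (constructed model)."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    seq: int
    ack: int

    def flag_names(self):
        return "/".join(n for n, f in (("SYN", SYN), ("ACK", ACK), ("RST", RST)) if self.flags & f)


def rst_for(seg, my_ip):
    """RST answering an unexpected segment; its seq is taken from the ACK field (RFC 793)."""
    return Segment(my_ip, seg.src, seg.dport, seg.sport, RST, seg.ack, 0)


class Server:
    """Remote host with a listener on port 80: passive open with minimal states."""

    def __init__(self, ip, isn, port=80):
        self.ip, self.isn, self.port = ip, isn, port
        self.conns = {}  # (peer_ip, peer_port) -> "SYN_RCVD" | "ESTABLISHED"

    def receive(self, seg):
        key = (seg.src, seg.sport)
        if seg.flags & RST:                       # peer aborted: forget the connection
            self.conns.pop(key, None)
            return None
        if seg.flags == SYN and seg.dport == self.port:
            self.conns[key] = "SYN_RCVD"          # SYN/ACK acknowledges peer ISN + 1
            return Segment(self.ip, seg.src, self.port, seg.sport, SYN | ACK, self.isn, seg.seq + 1)
        if seg.flags == ACK and self.conns.get(key) == "SYN_RCVD" and seg.ack == self.isn + 1:
            self.conns[key] = "ESTABLISHED"
            return None
        return rst_for(seg, self.ip)              # no matching state or bad ACK: reset


class LocalStack:
    """The crafter's own kernel. It never saw a connect() for port 1234, so a
    SYN/ACK arriving for that port is answered with RST unless that RST is filtered."""

    def __init__(self, ip, drop_outbound_rst=False):
        self.ip, self.drop_outbound_rst = ip, drop_outbound_rst

    def receive(self, seg):
        if self.drop_outbound_rst:                # e.g. a firewall rule on outbound RSTs
            return None
        return rst_for(seg, self.ip)


def run_handshake(drop_outbound_rst, ack_peer_isn_plus_one=True):
    """Replay the post's scenario; returns (list of 'dir FLAGS' strings, server state)."""
    me, peer = "10.0.0.1", "10.0.0.2"             # constructed addresses
    my_isn, peer_isn = 2056759790, 1000           # our ISN is the one from the post
    server, local = Server(peer, peer_isn), LocalStack(me, drop_outbound_rst)
    trace = []

    def log(seg):
        trace.append(("src->dst " if seg.src == me else "dst->src ") + seg.flag_names())

    syn = Segment(me, peer, 1234, 80, SYN, my_isn, 0)
    log(syn)
    synack = server.receive(syn)
    log(synack)
    kernel_rst = local.receive(synack)            # the crafting script never sees this
    if kernel_rst is not None:
        log(kernel_rst)
        server.receive(kernel_rst)
    ack_value = synack.seq + 1 if ack_peer_isn_plus_one else synack.seq
    ack = Segment(me, peer, 1234, 80, ACK, my_isn + 1, ack_value)
    log(ack)
    reply = server.receive(ack)
    if reply is not None:
        log(reply)
    return trace, server.conns.get((me, 1234))


if __name__ == "__main__":
    for drop in (False, True):
        trace, state = run_handshake(drop)
        print(f"drop outbound RST={drop}: {trace} -> server state {state}")
```

With the kernel's RST on the wire the trace is exactly the capture in the post (SYN, SYN/ACK, RST, ACK, RST) and the server ends with no connection; with the RST suppressed the three-packet handshake completes, but only if the ACK field is the peer's ISN + 1, otherwise the server answers the ACK with a RST of its own.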
