On Thu, Mar 28, 2002 at 02:49:24PM -0500, Bobby, Paul wrote:
> I'm trying to understand how nasl does its thing, and at the same time,
> play with networks at their most basic.
>
> My previous hurdles have been overcome, but now I'm trying to simulate a
> 3-way handshake using nasl.
>
> Here's the code:
> When I sniff the session using ethereal, here's what I see:
>
> src -> dst my crafted SYN packet
> dst -> src SYN/ACK reply
> src -> dst RST
> src -> dst my crafted ACK packet
> dst -> src RST
You need to add a firewall rule on your host which would prevent
outgoing RST packets.
> It seems that my tcp/ip stack is responding to the SYN/ACK from the
> destination rather than assuming there is an application expecting to
> receive the packet.
>
> I presume it's because I do not 'open' a socket to the destination, rather
> I'm just using NASL to craft a packet and send it on the wire. There is no
> application to listen for it, so my own tcp/ip stack just thinks "wow,
> where did this SYN/ACK come from, I'd better issue an RST"
>
> Can I do this with Nasl or do I have to resort to programming my tests in
> C?
>
> I'll tell you what I'm ultimately trying to do, and that is send some data
> with the initial SYN packet, complete the 3-way handshake and then finish
> sending the data using a normal send process. By doing so I want to
> simulate the insertion method of IDS evasion (something nessus does
> already but I wanted to write my own code to do it.... and I was trying to
> avoid having to use C)
Even in C, you'll have to do that. In order to overcome that in the
insertion method, Nessus relies on the OS send() and connect() calls,
and sends forged data between two sends (as packets are sent
byte by byte). Roughly, this gives something like:
    pcap = open_pcap_live(....);
    pcap_apply_filter(pcap, "tcp and src ip <myip> and dst ip <target> "
                            "and dst port <remote port> and src port <my local port>");
    /* send the payload one byte per segment so each one can be sniffed */
    for (i = 0; i < data_len; i++)
    {
        send(soc, data + i, 1, 0);
        /* grab the segment the kernel just sent and note its sequence number */
        pkt = pcap_next(pcap);
        th_seq = tcp(pkt)->th_seq;
        /* send the forged data for that sequence number (helper from ids_send.c) */
        forget_tcp_packet(th_seq);
    }
(Full code is in nessus-libraries/libnessus/ids_send.c)
-- Renaud
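As an added example (not from this thread and not Nessus code), a small Python checker that flags both patterns discussed above on a constructed packet list: a host that keeps sending on a 4-tuple its own stack has already reset, and conflicting bytes claimed for the same sequence offset, which is what an IDS must resolve consistently with the end host to resist insertion. All addresses, ports and packets below are made up.

```python
from collections import defaultdict

# Constructed sample trace (not a real capture): a client at 10.0.0.5 crafts a
# handshake with raw packets while its own kernel still answers with RST, then
# pushes data one byte per segment with a forged byte slipped in between.
# Fields: src, dst, sport, dport, flags, seq, payload
PACKETS = [
    ("10.0.0.5", "10.0.0.9", 40000, 80, "S",  1000, b""),
    ("10.0.0.9", "10.0.0.5", 80, 40000, "SA", 5000, b""),
    ("10.0.0.5", "10.0.0.9", 40000, 80, "R",  1001, b""),   # kernel-generated reset
    ("10.0.0.5", "10.0.0.9", 40000, 80, "A",  1001, b""),   # crafted ACK after the reset
    ("10.0.0.9", "10.0.0.5", 80, 40000, "R",  5001, b""),   # peer tears the session down
    ("10.0.0.5", "10.0.0.9", 40000, 80, "PA", 1001, b"G"),
    ("10.0.0.5", "10.0.0.9", 40000, 80, "PA", 1001, b"X"),  # forged byte at the same offset
    ("10.0.0.5", "10.0.0.9", 40000, 80, "PA", 1002, b"E"),
]

def direction(p):
    """One-way flow key: (src, sport, dst, dport)."""
    return (p[0], p[2], p[1], p[3])

def analyze(packets):
    """Return {direction: [finding, ...]}; seq numbers are plain ints (no 32-bit wrap)."""
    findings = defaultdict(list)
    reset_by = set()          # directions that have already emitted an RST
    seen = defaultdict(dict)  # direction -> {sequence offset: byte value}
    for p in packets:
        d, flags, seq, payload = direction(p), p[4], p[5], p[6]
        if "R" in flags:
            reset_by.add(d)
            continue
        # A host that keeps using a 4-tuple its own stack already reset is
        # driving the handshake with crafted packets rather than the OS.
        if d in reset_by and "talks_after_own_rst" not in findings[d]:
            findings[d].append("talks_after_own_rst")
        # Two different bytes claimed for the same sequence offset: an IDS that
        # keeps one copy and an end host that keeps the other will disagree.
        for i, b in enumerate(payload):
            off = seq + i
            if off in seen[d] and seen[d][off] != b:
                findings[d].append(f"conflicting_data_at_seq_{off}")
            seen[d].setdefault(off, b)
    return dict(findings)

if __name__ == "__main__":
    for d, f in analyze(PACKETS).items():
        print(d, f)
```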