Packet Injection – Solved

Home Forums Discussions Support Portal Packet Injection – Solved

This topic contains 6 replies, has 3 voices, and was last updated by  cozmik 8 years, 5 months ago.

Viewing 7 posts - 1 through 7 (of 7 total)
  • Author
    Posts
  • #5229

    HennieP
    Participant

    Hi Serpentfly,

    I’m sure you are tired of this sort of questions but I need some help please. I am trying to send a block page when a packet contains one or more censored words. Currently I am doing this –

    Read packet and check contents and check for censored words – This works great.

    Create reset packet with current Headers (Ethernet,IP and TCP), change TCP flags to 0x04, Calulate checksums and send to adapter.
    Create blockpage packet with all current headers, add unicode string of html, change IP length, change seq and ack, recalculate checksums and send packet to adapter.

    This does not seem to work. If I type a censored word in Google for example it blocks the request but the browser just hangs in limbo for a while and then times out.

    I have checked the custom packet contents and it seems OK but I’m not sure if I’m messing up with the checksums, seq and ack or just missing something.

    Can you please shed some light n this? From all the other posts on this forum it seems to be a simple task but I have already battled with this for a week now. Do you have any code samples (doesn’t matter in what programming language) on how to calculate the seq and ack fields ?

    Also, one request to google for example generates many packets. Must I buffer all packets first and then process or should a reset request work?

    Any help you can give will be greatly appreciated.

    #6686

    Vadim Smirnov
    Moderator

    Create blockpage packet with all current headers, add unicode string of html, change IP length, change seq and ack, recalculate checksums and send packet to adapter.

    Instead I would do the following:

    1) Wait for a response packet from WWW-server
    2) If HTTP response packet contains a censored word then modify HTTP packet to contain a redirect packet like:







    This simple redirect packet in most cases will be smaller in size than HTTP server response and you can add padding string between to exactly match the size of the original packet. This way you won’t need to affect SEQ/ACK fields, just recalculate TCP checksum.

    #6687

    HennieP
    Participant

    Hmm, I checked the response header for Google and it’s not going to be that easy.

    It sends response which just says the data will follow next in gzip compressed format so I will have to implement a compression library to check actual content.

    You have given me an idea though. I will check outgoing packets for censored words and if any is found add the dest ip to a list. Then I can match incoming response packages to the list and inject them with redirect string and then remove the ip from the list again.

    Does this sound right?

    #6688

    HennieP
    Participant

    Finally some success!!

    I had a casting error in my checksum functions. I calculated the checksums by hand and I saw that I was getting the wrong values. It seems that you MUST cast a byte value to unsigned short in .Net to do the bit shifting.

    If I switch from tunnel mode to listen mode everything works! I read packet and send reset and google dies an instant death. Now I just need to get that blockpage to display but I’m sure that is a problem with the seq/ack numbers.

    Is there no way to do all this in tunnel mode?

    #6689

    HennieP
    Participant

    I did it!

    You can not believe the simple little errors you pick up when you start checking every last number that is generated. My seq+ack formula was correct but it turns out the ntohl (uint32) function I used was bogus. .NET has NetworkToHostOrder functions but they dont work with UINT types (VB.NET) so I had to use a custom bit swap function to do the job. That function was all wrong!

    All of this works 100% in listen mode now. I can reset server to which request was sent and display custom page.

    Now all I need is to figure out why it does not work in tunnel mode. I have an idea about this though. I think in tunnel mode the packet is stopped before syn ack ack handshaking so server can’t respond to reset request.

    Any ideas?

    #6690

    HennieP
    Participant

    Disregard the last statement about tunnel mode. It is working 100% in all modes now. My test code was a mess with all the changing and adding so I cleaned everything up and repaired some loops and now it works great. :mrgreen:

    #6691

    cozmik
    Participant

    Um, the guy who wrote the previous post, yj1tm2pl3, is purposely cluttering up a great accomplishment by HenniP. In respect of this, can an admin please remove yj1tm2pl3’s post here? Thanks.

    HennieP, great job. How you were able to just do this in “listen” mode is fantastic. Can you post your source code somewhere so we can all share the magic? Thanks.

Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic.