writing a TCP connection hijacking


I wrote a script to hijack a TCP connection, using Python's Scapy.

When testing the attack on a connection between a couple of VMs (server: XP SP3, client: XP SP1), I found the client port, then the server's SND.NEXT and, using it, the client's SND.NEXT (I have compared all of them with Wireshark and they are legit).

Now, when sending a spoofed packet to the server from the client using the client's SND.NEXT, I see that the packet does arrive at the server, but not at the netcat (its destination); plus, when I compare it to a real client packet, it looks nearly the same (different MAC, TTL, window size, etc.).

Is there anything else that I should do to make the packet look legit to the server besides what I have done?

1 answer

First, use Wireshark to validate that your spoofed packets have a correct TCP checksum. If your spoofed packets have invalid TCP checksums, they will be dropped by the receiver. To turn this feature on in Wireshark: Edit > Preferences > Protocols > TCP > Validate the TCP checksum if possible.

Besides the sequence numbers, also confirm that you are correctly manipulating the TCP timestamp values. If the sequence numbers are correct, but the TCP timestamp option is old, then the receiver will still drop the packet.

Here is a function to increment the TCP timestamp; it might do the trick for you.

from scapy.all import TCP

def inc_timestamp(packet, TSval_inc, TSecr_inc):
    # Scapy keeps TCP options as a list of (name, value) tuples; for the
    # timestamp option the value is (TSval, TSecr), e.g. ('Timestamp', (7797613, 414050))
    if packet.haslayer(TCP):
        for i, option in enumerate(packet[TCP].options):
            if str(option[0]) == "Timestamp":
                packet[TCP].options[i] = (option[0], (option[1][0] + TSval_inc, option[1][1] + TSecr_inc))
        del packet[TCP].chksum  # drop the stored checksum so Scapy recomputes it on send

If you are creating these packets from scratch in Scapy, you may have to add the TCP timestamp option field as it is not included by default in the Scapy TCP() layer. Either way, the code provided above should give you the necessary format information to do this.
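The two receiver-side checks this answer names, TCP checksum validation over the IPv4 pseudo-header and the PAWS timestamp test (RFC 7323, section 5.3), as an added example that is not part of the answer above. It builds a TCP segment in pure Python (no Scapy) so the reasons a receiving stack drops a segment can be reproduced offline: a segment whose checksum does not verify, and one whose TSval is older than the timestamp the receiver last accepted. Addresses, ports, sequence numbers and the payload are constructed values; the timestamp pair reuses the answer's own example numbers, and the `ts_recent` values stand in for the receiver's TS.Recent state.

```python
import socket
import struct

# Constructed sample values (not from the question's VMs).
SRC_IP, DST_IP = "192.0.2.10", "192.0.2.20"
TIMESTAMP_KIND, TIMESTAMP_LEN = 8, 10


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071); an odd tail is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus TCP header and payload (checksum field must be zero)."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def tcp_checksum_valid(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Recompute with the stored checksum zeroed and compare: the check Wireshark's option performs."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src_ip, dst_ip, segment[:16] + b"\x00\x00" + segment[18:]) == stored


def timestamp_option(tsval: int, tsecr: int) -> bytes:
    """NOP, NOP, then kind 8 / length 10 / TSval / TSecr: the usual 12-byte aligned layout."""
    return b"\x01\x01" + struct.pack("!BBII", TIMESTAMP_KIND, TIMESTAMP_LEN, tsval, tsecr)


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, options=b"", payload=b"",
                  flags=0x18, window=65535) -> bytes:
    """Assemble a TCP segment (PSH|ACK by default) and fill in its checksum."""
    options += b"\x00" * (-len(options) % 4)          # options must end on a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, flags, window, 0, 0)
    segment = header + options + payload
    return segment[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, segment)) + segment[18:]


def parse_timestamp(segment: bytes):
    """Walk the options area and return (TSval, TSecr), or None if the option is absent."""
    end = (segment[12] >> 4) * 4
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:                 # End of option list
            break
        if kind == 1:                 # NOP, single byte
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:                # malformed option; stop rather than loop forever
            return None
        if kind == TIMESTAMP_KIND and length == TIMESTAMP_LEN:
            return struct.unpack("!II", segment[i + 2:i + 10])
        i += length
    return None


def paws_accepts(tsval: int, ts_recent: int) -> bool:
    """RFC 7323 5.3: a TSval 'less than' TS.Recent under 32-bit modular comparison is discarded."""
    return ((tsval - ts_recent) & 0xFFFFFFFF) < 0x80000000


def receiver_verdict(src_ip: str, dst_ip: str, segment: bytes, ts_recent: int) -> str:
    """Apply the two checks in the order a receiving stack does: checksum first, then PAWS."""
    if not tcp_checksum_valid(src_ip, dst_ip, segment):
        return "dropped: bad TCP checksum"
    ts = parse_timestamp(segment)
    if ts is not None and not paws_accepts(ts[0], ts_recent):
        return "dropped: stale TSval (PAWS)"
    return "accepted"


if __name__ == "__main__":
    good = build_segment(SRC_IP, DST_IP, 1025, 4444, 1000, 2000, timestamp_option(7797613, 414050), b"hi")
    print(receiver_verdict(SRC_IP, DST_IP, good, ts_recent=7797600))
    corrupted = good[:-1] + bytes([good[-1] ^ 0xFF])   # one payload byte altered after checksumming
    print(receiver_verdict(SRC_IP, DST_IP, corrupted, ts_recent=7797600))
    stale = build_segment(SRC_IP, DST_IP, 1025, 4444, 1000, 2000, timestamp_option(7797000, 414050), b"hi")
    print(receiver_verdict(SRC_IP, DST_IP, stale, ts_recent=7797613))
```

The PAWS comparison is modular on purpose: a TSval that has wrapped past 2^32 is still "newer" than a TS.Recent just below the wrap point, which is why the test is a signed 32-bit difference rather than a plain integer comparison. Note that PAWS only applies when the connection negotiated timestamps during the handshake; a stack that did not will ignore the option entirely.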