TCP Reset Attack – Attacking With Python

TCP Reset Attack

This attack is carried out by creating and sending a spoofed TCP segment that tricks two targets connected over TCP into tearing down the connection between them.

This attack has had real consequences in the real world and prompted changes to the TCP protocol. It is believed to be a major component of the Great Firewall of China, which the Chinese government uses to censor the Internet inside China. Despite its impact, the attack does not require a deep understanding of networking or of the inner workings of TCP.

The attack can be carried out in two ways:

  • The first is by crafting the packet with the hping3 tool
  • The second is by writing Python code to perform the same task

How is a TCP Reset Attack done?

The attacker cuts the communication between two victim devices by sending a forged message to one or both of them. The content of this message is a direct request to close the connection: it is a TCP reset segment.

In normal operation, this message is sent when a device receives unexpected traffic and wants the sender to stop transmitting. The attack exploits this mechanism to trick the victims into closing the TCP connection after receiving a spoofed reset segment. If the attacker sets the values in this packet correctly, the victim device treats it as genuine, breaks the connection, and stops exchanging further data.

The victims can establish a new TCP connection in an attempt to resume the previous one, but the attacker can break that connection again as well. Because the attacker needs time to set up and build the spoofed segment, the attack is only effective against long-lived connections; short connections will already have ended by the time the spoofed segment is ready.

Sending a spoofed TCP segment is very easy, since neither TCP nor IP authenticates the sender (there is an extension to IP called IPSec that provides authentication, which we will cover in an upcoming article, but it is not widely used). An Internet service provider (ISP) is supposed to refuse to forward packets that claim to come from a spoofed IP address, but this check is not universally implemented.

All the receiver can do is take the source IP address and port number from inside the packet; verifying the sender's identity is left to higher-layer protocols. Since a TCP reset is part of the TCP protocol itself, it cannot be validated by those higher-layer protocols.

Although this attack is easy, it is best to first understand how TCP works.

TCP Protocol

Transmission Control Protocol

TCP is the protocol responsible for the communication process. It operates at the fourth layer (the Transport Layer); communication begins with a three-way handshake, and the arrival of the transmitted data is acknowledged, so it is used by applications that send important data, such as HTTP and FTP.

TCP is known as a connection-oriented protocol: it establishes the connection first and then makes sure the data packets reach the receiver.

The communication process starts with a SYN packet, the first step of the three-way handshake, which tells the receiver that the sender wants to establish a TCP connection. The receiver replies with a SYN-ACK to signal that it has received the SYN request. When the SYN-ACK reaches the sender, it sends an ACK to confirm that it has received the reply, and the TCP connection is then established.

The following figure shows the three-way handshake process:

TCP segments are numbered sequentially, and you must understand this numbering mechanism to use it in this type of attack, as well as in session hijacking and MITM (Man in the Middle) attacks.

A TCP message is called a Segment and consists of the transmitted data and the Header.

The following figure shows the components of the TCP Header:

  • Source Port and Destination Port:

Each is 16 bits long and holds the port number from which the data is sent and the port number on which it will be received.

  • Sequence Number (32 bits):

Contains the sequence number of the first byte of data in the segment; it is used to determine the position, or correct order, of the data.

  • Acknowledgment Number (32 bits):

Contains the next sequence number expected from the other side (the received sequence number increased by one).

  • H.Len (4 bits):

Header length.

  • Rsvd:

Reserved for future use.

  • Control Bits (Control Flags):

Contains the following flags:

  • SYN: Indicates synchronization; it carries the initial sequence number and is used to start the communication process.
  • ACK: Indicates receipt of the request.
  • RST: Immediate disconnection (reset).
  • FIN: Indicates that the sender has finished sending data, thus ending the communication process.
  • PSH: Indicates that the buffered data must be delivered immediately.
  • URG: Indicates that the segment carries urgent data; the Urgent Pointer gives the position of this data.
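As an added example (not code from the original article), the following Python parses the header fields listed above and then applies the check a modern TCP stack makes on an incoming RST under RFC 5961: a reset is honoured only when its sequence number equals the next byte the receiver expects, while an in-window but inexact RST triggers a challenge ACK rather than closing the connection. The port and sequence values are those used in this article's scenario; the receiver window size and the helper names are assumptions.

```python
import struct

# Bit values of the control flags (low 6 bits of the data-offset/flags word).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# src port, dst port, seq, ack, offset+flags, window, checksum, urgent pointer
TCP_HDR = "!HHIIHHHH"


def build_tcp_header(sport, dport, seq, ack, flags, window=29200):
    """Build a minimal 20-byte TCP header (constructed sample, checksum left 0)."""
    off_flags = (5 << 12) | flags  # data offset = 5 words (20 bytes), no options
    return struct.pack(TCP_HDR, sport, dport, seq, ack, off_flags, window, 0, 0)


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed TCP header fields described in the article."""
    sport, dport, seq, ack, off_flags, window, _csum, urg = struct.unpack(TCP_HDR, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "hlen": (off_flags >> 12) * 4,  # header length in bytes
            "flags": off_flags & 0x3F, "window": window, "urg_ptr": urg}


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (seq - rcv_nxt) % (1 << 32) < rcv_wnd


def legacy_rst_accepted(hdr, rcv_nxt, rcv_wnd):
    """Pre-RFC 5961 behaviour: any in-window RST tears the connection down."""
    return bool(hdr["flags"] & RST) and in_window(hdr["seq"], rcv_nxt, rcv_wnd)


def rfc5961_rst_action(hdr, rcv_nxt, rcv_wnd):
    """RFC 5961 section 3.2 handling of an RST on an established connection.
    Only an RST whose sequence number is exactly rcv_nxt is honoured; an
    in-window but inexact RST is answered with a challenge ACK, so a blind
    attacker must hit one value in 2^32 instead of one anywhere in the window."""
    if not hdr["flags"] & RST:
        return "not-rst"
    if hdr["seq"] == rcv_nxt:
        return "accept"
    if in_window(hdr["seq"], rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


if __name__ == "__main__":
    # Article values (Ubuntu:44914 -> Metasploitable2:23); window size assumed.
    rcv_nxt, rcv_wnd = 3979056369, 29200
    for guess in (rcv_nxt, rcv_nxt + 1000, rcv_nxt - 5):
        hdr = parse_tcp_header(build_tcp_header(44914, 23, guess, 0, RST))
        print(guess, legacy_rst_accepted(hdr, rcv_nxt, rcv_wnd), rfc5961_rst_action(hdr, rcv_nxt, rcv_wnd))
```

Running the block shows why a reset built from values read off Wireshark (the exact sequence number) still succeeds, while a guessed in-window value that the legacy check would accept now only produces a challenge ACK.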

Test environment

The test environment consists of three devices within the same network.

  1. Attacker device: runs Kali Linux.
  2. First victim device: runs Linux (Metasploitable2) and has the IP address 192.168.17.129
  3. Second victim device: runs Ubuntu and has the IP address 192.168.17.135

Attack Scenario

We will open a Telnet connection from the Ubuntu system (IP 192.168.17.135) to the Metasploitable2 system (IP 192.168.17.129), and then cut this connection by sending a spoofed TCP Reset packet from Kali Linux.

Once the connection is established, open Wireshark on the attacking machine (Kali) and filter the packets with the following display filter: ip.dst==192.168.17.129 && ip.src==192.168.17.135

This shows only the traffic from source 192.168.17.135 to destination 192.168.17.129.

HPING3

This tool lets us send packets over the network and lets us craft those packets and customize them for the desired purpose. Let's create a spoofed packet with the following command:

  • 192.168.17.129: The address of the device to which the packet will be sent.
  • -a 192.168.17.138: Spoofed IP; the packet will carry this address as its source address.
  • -p 23: The port number at the destination.
  • -s 44914: The port number at the source.
  • -R: Set the Reset flag.
  • -M 3979056369: The sequence number.
  • -c 1: Send a single packet.

These values were obtained from Wireshark.

Once this packet is sent, the Telnet connection between the target devices is dropped.

Attacking with Python

Let's write Python code to perform this attack.

First, let's import Scapy. If you don't already have it installed, you can install it on Kali Linux with the following command.

Then we specify the IP addresses of the source (the spoofed address) and the destination, the port numbers at the source and the target, and the sequence number.

(These values are obtained by analyzing the traffic in Wireshark.)

When this code is executed, a spoofed packet with the reset flag is created whose source and destination IP addresses are those of the target devices; the packet is sent, and the connection between the target devices is dropped.
