Performing TCP connections automatically with libpcap


I'm writing a program which performs an ARP spoofing attack on a gateway and a host and then tries to capture the HTTP traffic between them and render the web sessions in a browser. I'm using libnet and pcap for these.

I already did the spoofing successfully and now I'm trying to make the relay, where the program implements the virtual connection between host and gateway.

I'm having trouble with the TCP transaction. When the host requests a page, it first tries to establish a TCP connection with the attacker (because it's already spoofed) by sending a TCP SYN packet. The problem is that my machine (attacker) doesn't respond to the SYN, so the victim retries to make the connection, sending a bunch of SYN retransmissions.

In my head, I thought that the TCP connection was made automatically by pcap (or the kernel). Is there any config or parameter for setting this, or will I need to perform the TCP transaction on my own? If so, is there any advice for doing this with maximum performance?

Thanks in advance.

Obs.: for filtering the HTTP requests, I'm using the following filter on pcap, available in its man page:

tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)

There are 2 answers

2
rodopoulos (best answer)

Ok, for anyone who bumped on this topic, I found a clever way to achieve the connection between victim and server (which is the right way, I guess).

Instead of performing two connections to send the HTTP messages, one with the gateway and another with the victim, you must only let the TCP SYNs, ACKs and whatevers go through. You act just like a "pipe".

So when you receive a SYN from the victim, just send it to the gateway, which will deliver it to the server and answer with the SYN ACK. Of course, you must fake the Ethernet headers for sender and target, to validate the spoofing.

1
AudioBubble

Libpcap is a library for reading raw network packets and, in versions with pcap_sendpacket()/pcap_inject(), sending raw network packets. "Raw network packets" means raw link-layer packets; if you want to pretend to be a TCP implementation, you will have to provide your own implementation of TCP - and IPv4 or IPv6 - atop the raw packet reading/sending mechanism.
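Both answers treat libpcap as handing you raw link-layer bytes, and the question's man-page filter keeps only port-80 segments that carry data. As an added illustration (not code from the question or either answer), this C program parses a constructed Ethernet/IPv4/TCP frame by hand and computes the same quantity the filter does, IP total length minus IP header length minus TCP data offset, so a bare SYN yields 0 (dropped by the `!= 0` clause) while a GET request yields its payload length; the addresses, ports, frame builder and the function names `http_payload_len`/`build_http_frame` are made up for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP payload length of an IPv4/TCP frame on port 80: the same quantity the
 * BPF filter computes as (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2).
 * Returns -1 if the frame is not IPv4/TCP on port 80 or is truncated. */
int http_payload_len(const uint8_t *frame, size_t caplen)
{
    if (caplen < 34 || frame[12] != 0x08 || frame[13] != 0x00)
        return -1;   /* too short, or not an IPv4 EtherType */
    const uint8_t *ip = frame + 14;
    size_t ip_hl = (size_t)(ip[0] & 0x0f) << 2;        /* (ip[0]&0xf)<<2 */
    unsigned ip_len = ((unsigned)ip[2] << 8) | ip[3];  /* ip[2:2] */
    if ((ip[0] >> 4) != 4 || ip_hl < 20 || ip[9] != 6 || caplen < 14 + ip_hl + 20)
        return -1;   /* not IPv4/TCP, or TCP header not fully captured */
    const uint8_t *tcp = ip + ip_hl;
    unsigned sport = ((unsigned)tcp[0] << 8) | tcp[1], dport = ((unsigned)tcp[2] << 8) | tcp[3];
    size_t tcp_hl = (size_t)(tcp[12] & 0xf0) >> 2;     /* (tcp[12]&0xf0)>>2 */
    if ((sport != 80 && dport != 80) || tcp_hl < 20 || ip_len < ip_hl + tcp_hl)
        return -1;
    return (int)(ip_len - ip_hl - tcp_hl);             /* 0 for a bare SYN or ACK */
}

/* Build a constructed Ethernet/IPv4/TCP frame from 10.0.0.5:50000 to port 80
 * of 10.0.0.1 (addresses made up, checksums left zero since we only parse it);
 * payload may be NULL for a bare SYN. Returns the frame length written to buf. */
size_t build_http_frame(uint8_t *buf, const char *payload)
{
    size_t plen = payload ? strlen(payload) : 0, total = 40 + plen;
    memset(buf, 0, 14 + total);
    memcpy(buf, "\x02\x00\x00\x00\x00\x01\x02\x00\x00\x00\x00\x05\x08\x00", 14);
    uint8_t *ip = buf + 14, *tcp = buf + 34;
    ip[0] = 0x45; ip[2] = (uint8_t)(total >> 8); ip[3] = (uint8_t)total;
    ip[8] = 64; ip[9] = 6;                              /* TTL, protocol = TCP */
    memcpy(ip + 12, "\x0a\x00\x00\x05\x0a\x00\x00\x01", 8); /* src, dst address */
    tcp[0] = 0xc3; tcp[1] = 0x50; tcp[3] = 0x50;        /* ports 50000 -> 80 */
    tcp[12] = 0x50; tcp[13] = payload ? 0x18 : 0x02;    /* hdr 20 bytes; PSH|ACK or SYN */
    if (plen) memcpy(tcp + 20, payload, plen);
    return 14 + total;
}

int main(void)
{
    uint8_t buf[128]; size_t n = build_http_frame(buf, NULL);
    printf("SYN: %d bytes of payload\n", http_payload_len(buf, n));   /* 0 */
    n = build_http_frame(buf, "GET / HTTP/1.1\r\n");
    printf("GET: %d bytes of payload\n", http_payload_len(buf, n));   /* 16 */
    return 0;
}
```

The same arithmetic, applied to each packet a pcap callback receives, is what lets a passive HTTP monitor or IDS skip handshake-only segments without needing a TCP stack of its own.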