Currently, I am trying to create a TCP Reset Attack on 3 Docker containers: Attacker, Host01, Host02. My goal is to attack the TCP connection between Host01 and Host02, and the expected end result is that the TCP connection breaks when the TCP reset attack is executed.
Here is my code:
My testing procedure is: first, I run the code below in the Attacker container. Then, on Host02, I execute "nc -lvp 1337 -e /bin/bash" and on Host01, I execute "nc 192.168.124.20 1337". The source IP is 192.168.124.10 and the destination is 192.168.124.20. The source port is 40967 and the destination port is 1337.
I don't know why, when the script ran, the TCP connection between Host01 and Host02 did not break, since I could still enter commands from Host01.
I used Wireshark to check whether the RST packet was sent, and it actually was sent (the red line):
Please help me on this, Huy Nguyen.
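The post does not show the script itself, so what follows is an added example of mine, not the poster's code. It models the receiving side: how a stack that follows RFC 5961 judges an incoming RST against RCV.NXT and the receive window, plus a small audit that replays a constructed capture of the session described above and reports the verdict each RST would get. Every sequence number and window size is made up.

```python
from collections import namedtuple

MOD = 1 << 32  # TCP sequence numbers wrap at 2^32
Segment = namedtuple("Segment", "src sport dst dport seq flags plen")

def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq falls in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2^32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd

def classify_rst(seq, rcv_nxt, rcv_wnd):
    """Receiver's verdict on a RST per RFC 5961 section 3.2: 'reset' only when
    seq == RCV.NXT; 'challenge-ack' when merely inside the window (the stack
    answers with an ACK and keeps the connection); 'drop' when outside it."""
    if seq == rcv_nxt:
        return "reset"
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"

def audit_rsts(segments, rcv_wnd):
    """Replay a capture in order, track what each endpoint expects next from its
    peer, and report every RST with the verdict a conforming receiver gives it.
    A verdict other than 'reset' means the RST was not in sync with the stream,
    which is how a reset the endpoint did not really send usually looks."""
    rcv_nxt = {}  # (receiver, sender) -> next sequence number expected there
    report = []
    for s in segments:
        key = (s.dst, s.src)
        if "R" in s.flags:
            verdict = classify_rst(s.seq, rcv_nxt.get(key, 0), rcv_wnd[s.dst])
            report.append((s.src, s.sport, s.dst, s.dport, s.seq, verdict))
        elif "S" in s.flags:
            rcv_nxt[key] = (s.seq + 1) % MOD  # SYN occupies one sequence number
        else:
            rcv_nxt[key] = (s.seq + s.plen) % MOD
    return report

def demo():
    """Constructed session modelled on the question (Host01 -> Host02 on port 1337);
    every sequence number and window size here is made up."""
    h1, h2 = "192.168.124.10", "192.168.124.20"
    cap = [
        Segment(h1, 40967, h2, 1337, 1000, "S", 0),
        Segment(h2, 1337, h1, 40967, 5000, "SA", 0),
        Segment(h1, 40967, h2, 1337, 1001, "A", 0),
        Segment(h1, 40967, h2, 1337, 1001, "PA", 3),  # 3 bytes: Host02 now expects 1004
        Segment(h1, 40967, h2, 1337, 1001, "R", 0),   # stale seq -> drop
        Segment(h1, 40967, h2, 1337, 1010, "R", 0),   # in window, not exact -> challenge-ack
        Segment(h1, 40967, h2, 1337, 1004, "R", 0),   # exactly RCV.NXT -> reset
    ]
    return audit_rsts(cap, {h1: 64240, h2: 64240})
```

Run `demo()` to see the three verdicts; a RST that Wireshark shows on the wire but that lands on "drop" or "challenge-ack" is one the receiving stack will never act on.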
Background
I have a strange use-case where my VPN cannot be on any of the private subnets, but, also cannot use a TAP interface. The machine will be moving through different subnets, and requires access to the entire private address space by design. A single blocked IP would be considered a failure of design.
So, these are all off limits:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
169.254.0.0/16
In searching for a solution, I came across RFC 5735, which defines:
192.0.2.0/24 TEST-NET-1
198.51.100.0/24 TEST-NET-2
203.0.113.0/24 TEST-NET-3
As:
For use in documentation and example code. It is often used in conjunction with domain names
example.com or example.net in vendor and protocol documentation. As described in [RFC5737], addresses within this block do not legitimately appear on the public Internet and can be used without any coordination with IANA or an Internet registry.
Which was a "Jackpot" moment for me and my use case.
Config
I configured an OpenVPN server as such:
local 0.0.0.0
port 443
proto tcp
dev tun
topology subnet
server 203.0.113.0 255.255.255.0 # TEST-NET-3 RFC 5735
push "route 203.0.113.0 255.255.255.0"
...[Snip]...
With Client:
client
nobind
dev tun
proto tcp
...[Snip]...
And ufw rules:
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 203.0.113.0/24 -o ens160 -j MASQUERADE
COMMIT
However, upon running I get "/sbin/ip route add 203.0.113.0/24 via 203.0.113.1 RTNETLINK answers: File exists" in the error logs, while the VPN completes the rest of its connection successfully.
No connection
Running the following commands:
Server: sudo python3 -m http.server 80
Client: curl -X GET / 203.0.113.1
Results in:
curl: (28) Failed to connect to 203.0.113.1 port 80: Connection timed out
I have tried:
/sbin/ip route replace 203.0.113.0/24 dev tun0 on client and server.
/sbin/ip route change 203.0.113.0/24 dev tun0 on client and server.
Adding route 203.0.113.0 255.255.255.0 to the server.
Adding push "route 203.0.113.0 255.255.255.0 127.0.0.1" to server
And none of it seems to work.
Does anyone have any idea how I can force the client to push this traffic over the VPN to my server, instead of to the public IP?
This does actually work!
Just don't forget to allow connections within your firewall. I fixed my config with:
sudo ufw allow in on tun0
However, 198.18.0.0/15 and 100.64.0.0/10 defined as Benchmarking and Shared address space respectively, may be more appropriate choices, since being able to forward TEST-NET addresses may be considered a bug.
On my Mac OS machine, I'm trying to use fluentd to read TCP events and write them to a local directory.
Below is the td-agent.conf that I created to open the TCP port and write to local disk.
# td-agent.conf
<source>
  @type tcp
  @log_level "trace"
  tag "tcp.events"
  port 2201
  bind "0.0.0.0"
  delimiter "\n"
  <parse>
    @type "regexp"
    expression /^(?<field1>\d+):(?<field2>\w+)$/
  </parse>
</source>
<match tcp.events>
  @type file
  path "/Users/logs/outputlog"
  <buffer time>
    path "/Users/logs/outputlog"
  </buffer>
</match>
To test, I was sending TCP packets to the port (2201) using tools like telnet and netcat. But the terminal doesn't return after connecting to the port. It stays there without any response.
I checked the verbose output of telnet / netcat. No luck.
I expect TCP to connect and the data to get logged in fluentd's logs. The connection to the port is established, but the data is not written to the log and control of the TCP connection is not returned to the terminal.
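An added example (mine, not the poster's or fluentd's code) that emulates what the in_tcp source does with the bytes it receives: split them on the configured newline delimiter, run each complete line through the config's regexp, and hold back any unterminated tail. The input chunks are constructed.

```python
import re

DELIMITER = "\n"  # the config's record delimiter
# The config's regexp; Python spells named groups (?P<name>...) where Ruby uses (?<name>...)
PATTERN = re.compile(r"^(?P<field1>\d+):(?P<field2>\w+)$")

class LineFramer:
    """Collects what arrives on the socket and yields complete records split on
    DELIMITER. A trailing fragment without a delimiter stays buffered, so text
    typed into telnet/nc only becomes a record once Enter sends the newline."""
    def __init__(self):
        self.buf = ""

    def feed(self, chunk):
        self.buf += chunk
        *complete, self.buf = self.buf.split(DELIMITER)
        return complete

    def pending(self):
        return self.buf

def parse_record(line):
    """Apply the regexp parser; a line that does not match produces no event."""
    m = PATTERN.match(line)
    return m.groupdict() if m else None

def ingest(chunks):
    """Emulate in_tcp over a sequence of received chunks: returns the events that
    would be emitted, the lines the parser rejected, and any unterminated tail."""
    framer = LineFramer()
    events, rejected = [], []
    for chunk in chunks:
        for line in framer.feed(chunk):
            rec = parse_record(line)
            if rec is None:
                rejected.append(line)
            else:
                events.append(rec)
    return events, rejected, framer.pending()

def demo():
    # Constructed input: two TCP reads as a client on port 2201 might deliver them
    chunks = ["42:alpha\n7:be", "ta\nnot a match\n99:last"]
    return ingest(chunks)
```

The in_tcp source keeps the socket open and reads until the client closes it, so telnet or nc staying connected is normal; what matters is whether each line ends in the delimiter and matches the regexp, and td-agent's own log will show parse warnings for lines that do not.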
Add the following to your conf file.
<source>
  @type forward
  port 24224
  bind 0.0.0.0
</source>
https://docs.fluentd.org/input/forward
I am going to do a time sync for my server.
I tried portqry against the time server, with the results below:
C:\PortQryV2>portqry -n "time server" -e 123 -p both
Querying target system called:
"time server"
Attempting to resolve IP address to a name...
Failed to resolve IP address to name
querying...
TCP port 123 (unknown service): NOT LISTENING
UDP port 123 (ntp service): LISTENING or FILTERED
UDP port 123 (ntp service): LISTENING or FILTERED
I am not sure if the port is available for time sync or not.
But our team has confirmed that no firewall should be blocking that.
It is not showing "LISTENING" because it is a UDP port?
LISTENING or FILTERED simply means Portqry does not get a response from the port specified.
The problem should be at:
Failed to resolve IP address to name
Resolve the hostname and try again.
I tried on a PC which is not going to do the time sync.
It can resolve the hostname, but I got the same result for the UDP query:
C:\PortQryV2>portqry -n "IP Address" -e 123 -p both
Querying target system called:
"IP Address"
Attempting to resolve IP address to a name...
IP address resolved to xxx.corp.com
querying...
TCP port 123 (unknown service): NOT LISTENING
UDP port 123 (ntp service): LISTENING or FILTERED
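Because UDP gives portqry nothing to confirm a listener with, the reliable check is to speak NTP to the port. This is an added example of mine (not portqry or any Microsoft tool): it builds a minimal NTPv3 client request, parses a server reply and rejects replies a client should not sync from; `sample_reply` is a constructed packet for offline use, and `query` is the live check.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)

def build_request():
    """48-byte NTPv3 client request: LI=0, VN=3, Mode=3, all fields zero except
    the Transmit Timestamp, which carries our send time."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (3 << 3) | 3
    now = time.time() + NTP_EPOCH_OFFSET
    struct.pack_into("!II", pkt, 40, int(now), int((now % 1) * (1 << 32)))
    return bytes(pkt)

def parse_response(data):
    """Decode the fields a time-sync check cares about; raise on anything a
    client should refuse to sync from."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    mode = data[0] & 0x7
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if data[1] == 0:
        raise ValueError("stratum 0: kiss-o'-death or unsynchronised server")
    tx_sec, tx_frac = struct.unpack_from("!II", data, 40)
    return {"version": (data[0] >> 3) & 0x7, "leap": data[0] >> 6, "stratum": data[1],
            "ref_id": bytes(data[12:16]),
            "transmit_unix": tx_sec - NTP_EPOCH_OFFSET + tx_frac / (1 << 32)}

def query(host, port=123, timeout=3.0):
    """One UDP round trip. Returns the parsed reply, or None when nothing comes
    back, which is exactly the case portqry labels LISTENING or FILTERED."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (host, port))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data)

def sample_reply(stratum=2, unix_time=1700000000):
    """Constructed server reply (mode 4) for offline testing; not a real capture."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (3 << 3) | 4
    pkt[1] = stratum
    pkt[12:16] = b"GPS\x00"
    struct.pack_into("!II", pkt, 40, unix_time + NTP_EPOCH_OFFSET, 1 << 31)  # .5 s
    return bytes(pkt)
```

A reply with stratum 1 to 15 and a transmit time close to your clock means the server is reachable and usable; a timeout means the request or reply was dropped somewhere, which the firewall team can then trace.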
On Solaris (or Unix), running lsof gives me a bunch of lines like this:
java 25375 foo 8161u IPv4 0xfffffeb1f6f523c0 0t0 TCP *:* (IDLE)
But the *:* puzzles me - I was expecting to see something like
hostname1:port1->ipaddress:port2 (IDLE)
What does the *:* mean?
I will quote this from here:
If the Foreign Address is *:* (and, with TCP sockets, the state is LISTEN), a socket is usually waiting for some remote host to send the first data. Typical examples: sshd (waits for somebody to open an ssh connection), apache (waits for somebody to request a web page), cupsd (waits for somebody to send a print job), and dhclient (waits for the DHCP server to send, for example, a lease renewal).
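An added example (mine, not from the answer or from lsof) that parses `lsof -i` rows and classifies the NAME column, so the `*:*` case from the question can be told apart from `*:port` listeners and `local->remote` connections. The sample rows are constructed around the question's line, not a real capture.

```python
import re

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)] as printed by `lsof -i`
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+(?P<type>IPv[46])\s+"
    r"(?P<dev>\S+)\s+(?P<off>\S+)\s+(?P<proto>TCP|UDP)\s+(?P<name>\S+)"
    r"(?:\s+\((?P<state>[A-Z_]+)\))?$")

# Constructed sample: the question's row plus two made-up ones (not a real capture)
SAMPLE = """COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
java    25375  foo 8161u  IPv4 0xfffffeb1f6f523c0      0t0  TCP *:* (IDLE)
sshd      910 root    3u  IPv4 0x0000000000000002      0t0  TCP *:22 (LISTEN)
java    25375  foo   42u  IPv6 0x0000000000000003      0t0  TCP [::1]:8080->[::1]:51234 (ESTABLISHED)
""".splitlines()

def split_endpoint(endpoint):
    """'host:port' -> (host, port); the last colon splits, so '[::1]:631' stays intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def classify(local_host, local_port, remote_host):
    """What the NAME column says about the socket."""
    if remote_host is not None:
        return "connected"   # local->remote: a connection with a peer
    if local_port == "*":
        return "unbound"     # *:* : no local address or port assigned yet
    if local_host == "*":
        return "bound-any"   # *:port : bound to a port on all addresses (LISTEN for TCP)
    return "bound"           # host:port with no peer shown

def parse_lsof_line(line):
    """Parse one `lsof -i` row into a dict, or return None if it is not a socket row."""
    m = LSOF_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"])
    local, _, remote = d["name"].partition("->")
    d["local_host"], d["local_port"] = split_endpoint(local)
    d["remote_host"], d["remote_port"] = split_endpoint(remote) if remote else (None, None)
    d["kind"] = classify(d["local_host"], d["local_port"], d["remote_host"])
    return d

def summarize(lines):
    """Map each parseable row to (command, pid, kind), skipping headers and noise."""
    rows = (parse_lsof_line(l) for l in lines)
    return [(d["cmd"], d["pid"], d["kind"]) for d in rows if d]
```

Feed it `lsof -i -n -P` output (numeric hosts and ports) so the endpoint split is not confused by service names; commands containing spaces would need a wider regexp.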
I've installed netperf 2.6 at two sites and am trying to run the netperf benchmark, but all I'm getting is zero throughput... Does anyone know how to use netperf properly? (I was following the official documentation.)
I run this at a server:
./netserver -p xxxxx
the output is:
Starting netserver with host 'IN(6)ADDR_ANY' port 'xxxxx' and family AF_UNSPEC
In the other side I run:
./netperf -s 5 -H a.b.c.d -p xxxxx
The output is:
MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to a.b.c.d () port 0 AF_INET : demo
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    10^6bits/sec

 87380  16384  16384    10.00       0.00
any ideas?
A netperf test has two "connections." The first is the "control connection" over which information about the test setup and result is exchanged. For the benchmarking itself a "data connection" is used. The control connection will use the control port you've specified with the global "-p" option. The data connection will by default use a port number chosen by the networking stack where the netserver runs.
Both have to be open through firewalls for a test to be successful.
If only the control port is open, you will see the test banners get displayed because the control connection is established. Since the data connection cannot be established, that will report zero.
You can specify an explicit port number for the data connection with a test-specific "-P" option. So, if you opened a second port number, 9992, you would start the netserver as before, and then your netperf command would become:
./netperf -s 5 -H a.b.c.d -p xxxxx -- -P ,9992
That comma is important. The test-specific -P option allows specifying both the local and remote port numbers for the data connection. The remote port number follows a comma.
terminal1:
$ sudo netserver -D -4 -L 0.0.0.0 -p 9991
Starting netserver with host '0.0.0.0' port '9991' and family AF_INET
terminal2:
$ sudo netperf -H 192.168.2.103 -l 60 -t TCP_STREAM
TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 192.168.2.103 (192.168.2.103) port 0 AF_INET
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    10^6bits/sec

 87380 524288 524288    60.02      89.66