Clever use of Tcpreplay to let attack traffic sneak through - vulnerability warning - the black bar safety net

ID MYHACK58:62200717630
Type myhack58
Reporter Anonymous
Modified 2007-11-17T00:00:00


Tcpreplay is a commonly used tool in network security. Its packet replay feature is well known, but its ability to rewrite packet contents while replaying is used far less often. With skilled use of Tcpreplay's rewriting functions, an attacker can get past a firewall's detection. Many current firewall products do not inspect the packet payload; they block according to rules on protocol header fields. So by using Tcpreplay to rewrite the sensitive fields of a packet, the traffic can pass firewall detection untouched.

Rewriting the layer 2 header

Suppose the Client sends attack traffic to the Server and the Firewall has a policy that blocks the Client's MAC address. The Client can use Tcpreplay to rewrite the source MAC address of the attack packets. Usage:

./tcpreplay -i eth0 -k 00:02:02:03:04:05 /tmp/1.pcap

The parameter -i specifies the primary interface to send from, and -k specifies the rewritten source MAC address. If -k is set to a MAC address the Firewall trusts, the attack traffic can slip through. If the Firewall works in transparent mode, the destination MAC of the replayed attack traffic must be the Server's MAC, which we can set on the command line:

./tcpreplay -i eth0 -I 00:01:02:03:04 -k 00:02:02:03:02:07 /tmp/1.pcap

That is, adding the parameter -I rewrites the destination MAC of traffic sent via the primary interface. If we need to replay the attack traffic on several of the Client's ports, we can add -j to specify the secondary interface, -J to rewrite the destination MAC of the secondary interface's traffic, and -K to rewrite the source MAC of the secondary port:

./tcpreplay -j eth1 -J 00:01:02:03:04 -K 00:02:02:03:02:07 /tmp/1.pcap

Similarly, we can combine all of the above parameters to send the same attack packets from different ports on the Client with different destination and source MACs. This scattered attack gives the Firewall a thorough test. Usage:

./tcpreplay -i eth0 -I 00:01:01:02:02:03 -k 00:02:02:04:04:05 -j eth1 -J 00:01:02:03:04 -K 00:02:02:03:02:07 /tmp/1.pcap
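The weakness this section relies on is that a rule keyed on the source MAC alone cannot tell a trusted host from a replay that borrowed its MAC with -k. The check a defender wants is the one below: an added example (not code from the article or from the Tcpreplay project) that parses raw Ethernet II + IPv4 frames and flags any frame whose source MAC is on the trusted list but whose source IP is not the address bound to that MAC. The trusted MAC reuses the article's -k value; the IP addresses, the binding table and the sample frames are constructed for the example.

```python
import struct
from typing import Dict, List, Tuple

# Added example, not part of the original article. All MAC/IP bindings and frames
# below are constructed test data.

ETHERTYPE_IPV4 = 0x0800


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Build a minimal Ethernet II + IPv4 frame (constructed data, no payload, checksum left 0)."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto (TCP), checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip


def parse_frame(frame: bytes) -> Tuple[str, str, str, str]:
    """Return (src_mac, dst_mac, src_ip, dst_ip); raise ValueError for non-IPv4 or short frames."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4")
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    # IPv4 source/destination addresses sit at offsets 12..20 of the IP header (14 + 12).
    return mac_str(src_mac), mac_str(dst_mac), ip_str(frame[26:30]), ip_str(frame[30:34])


def find_mac_ip_mismatches(frames: List[bytes],
                           bindings: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Flag frames whose trusted source MAC carries a source IP other than the one bound to it.

    Returns (src_mac, expected_ip, observed_ip) per hit. Frames from MACs that are not
    in the binding table are left to the firewall's ordinary rule and not reported.
    """
    hits = []
    for frame in frames:
        try:
            src_mac, _dst_mac, src_ip, _dst_ip = parse_frame(frame)
        except ValueError:
            continue
        expected = bindings.get(src_mac)
        if expected is not None and expected != src_ip:
            hits.append((src_mac, expected, src_ip))
    return hits


# Constructed inventory: the firewall trusts the MAC used with -k above, and the
# genuine owner of that MAC is 192.0.2.10.
TRUSTED_BINDINGS = {"00:02:02:03:04:05": "192.0.2.10"}
SERVER_MAC, SERVER_IP = "00:02:02:03:02:07", "192.0.2.1"
SAMPLE_FRAMES = [
    build_frame(SERVER_MAC, "00:02:02:03:04:05", "192.0.2.10", SERVER_IP),  # genuine trusted host
    build_frame(SERVER_MAC, "00:02:02:03:04:05", "192.0.2.77", SERVER_IP),  # trusted MAC, foreign IP: replayed with -k
    build_frame(SERVER_MAC, "00:aa:bb:cc:dd:ee", "192.0.2.77", SERVER_IP),  # untrusted MAC, ordinary rule applies
]

if __name__ == "__main__":
    for mac, expected, observed in find_mac_ip_mismatches(SAMPLE_FRAMES, TRUSTED_BINDINGS):
        print(f"ALERT: trusted MAC {mac} bound to {expected} but seen with {observed}")
```

Only the second sample frame is reported: the MAC matches the allow rule, but the layer 3 address does not belong to that host. The same binding idea extends to port security or DHCP snooping tables on the switch, which is where such a check usually lives.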

Rewriting the layer 3 header

Still using the topology above: if the Firewall has a policy that blocks a specific IP address, the Client can use Tcpreplay to rewrite the source and destination IP of the attack packets, getting around the Firewall rule and still achieving the attack. Usage:

./tcpreplay -e eth1 /tmp/2.pcap

The parameter -e specifies the source and destination IP of the attack packets; changing them to addresses the Firewall allows achieves the attack. Modifying the layer 3 header this way is the most common method. If you have a pcap and want to replay it at someone while not exposing your own IP address, you can use -s to have the IP addresses chosen at random:

./tcpreplay -s 11 -i eth1 /tmp/2.pcap

The parameter -s is the seed for the random IP selection; a different seed value produces different IP addresses in the replayed packets. A slightly deeper use of Tcpreplay is mapping the packets' IP addresses, similar to NAT: the IP addresses of the attack packets can be mapped onto an unused network segment. Usage:

./tcpreplay -N eth1 /tmp/2.pcap

The parameter -N specifies the network segment to map to.

Rewriting the layer 4 header

Besides modifying the layer 2 and layer 3 headers, Tcpreplay can likewise modify the layer 4 header to change session-level information. For example, we can take HTTP traffic running on port 8080 and make it run on port 80. Usage:

./tcpreplay -4 80:8080 -i eth1 /tmp/2.pcap

The parameter -4 remaps the port numbers of the packets to be replayed. When modifying packet headers we run into the checksum problem: many network cards support TCP/UDP/IP checksum offloading, so if the traffic we captured was generated by the capturing system itself, the checksums in the capture will already be wrong, and the replay will have problems later. We therefore pass the parameter -F to fix the checksums; without it, packets edited during replay keep their old checksum values. Usage:

./tcpreplay -4 80:8080 -i eth1 -F /tmp/2.pcap

The parameter -F turns checksum fixing on.
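Why -F matters, and why a stale checksum is itself a signal worth watching for, is easiest to see on the IPv4 header checksum (RFC 1071). The block below is an added example, not code from the article or from Tcpreplay: it computes the header checksum, rewrites the source address of a constructed header the way a layer 3 rewrite does, and shows that the checksum is wrong until it is recomputed, which is what -F does. All addresses and the header fields are constructed values; the layout follows the standard 20-byte IPv4 header.

```python
import struct
from typing import Tuple

# Added example, not part of the original article. Header contents are constructed.


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented.

    Pass a header with the checksum field zeroed to compute the value to store;
    pass a complete header to verify it (a correct header yields 0).
    """
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_is_valid(header: bytes) -> bool:
    return ipv4_checksum(header) == 0


def set_checksum(header: bytes) -> bytes:
    """Recompute the checksum at offset 10..12 over the header with that field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def build_ipv4_header(src_ip: str, dst_ip: str, proto: int = 6, total_len: int = 40) -> bytes:
    """Minimal 20-byte IPv4 header: version/IHL, TOS, length, id, DF flag, TTL, proto, cksum, src, dst."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                      bytes(int(o) for o in src_ip.split(".")),
                      bytes(int(o) for o in dst_ip.split(".")))
    return set_checksum(hdr)


def rewrite_src_ip(header: bytes, new_src: str, fix_checksum: bool) -> bytes:
    """Overwrite the source address (offset 12..16), optionally refreshing the checksum like -F."""
    rewritten = header[:12] + bytes(int(o) for o in new_src.split(".")) + header[16:]
    return set_checksum(rewritten) if fix_checksum else rewritten


def demo() -> Tuple[bool, bool, bool]:
    """Return (original valid, rewritten-without-fix valid, rewritten-with-fix valid)."""
    original = build_ipv4_header("192.0.2.10", "192.0.2.1")
    stale = rewrite_src_ip(original, "192.0.2.77", fix_checksum=False)
    fixed = rewrite_src_ip(original, "192.0.2.77", fix_checksum=True)
    return checksum_is_valid(original), checksum_is_valid(stale), checksum_is_valid(fixed)


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The middle value is the state of a packet rewritten without -F: the header no longer verifies, so a receiving stack drops it silently and a sensor that checks checksums (many IDS engines do by default) can separate such traffic from frames the original host really emitted. TCP and UDP checksums cover a pseudo-header that includes both IP addresses, so an address rewrite invalidates them as well; -F recomputes those too.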


I believe that flexible use of tcpreplay's rewriting functions will be a great help to us in network attack detection.