In this lab, we will perform a few attacks, including Telnet session hijacking.
[10pts] Part 0: Setting the VM environments
Set up the VM environments by following the instructions given here.
Important!
- I want you to change the host names.
- I want you to create a user account according to your alpha.
Submit
Nothing to submit. However, I will check whether you did this by looking at the
screen captures for the subsequent parts in your lab report.
[20pts] Part 1: UDP Spoofing using Scapy
Perform UDP spoofing using Scapy as instructed in the lecture notes on
"Scapy and Reverse Shell". Fill out the omitted function hexshow().
Tips
Writing hexshow() is very similar to something we already did (Part 2 of Lab 1 in
IT430). Think of it as refreshing some of your coding skills. (If you don't remember
how you wrote that code, read the tips there carefully.)
Submit
Show and explain your work, ideally with an execution log or a screen capture, in
the lab report.
[20pts] Part 2: TCP Reset Attack
A TCP Reset attack terminates an established TCP connection between two
victims. Suppose there is an established Telnet connection between two users, A
and B. An attacker can spoof a RST packet that appears to come from A and is
addressed to B, breaking the existing connection.
Telnet
Telnet is the predecessor of SSH. Telnet does not use encryption, so it is not
secure; for this reason, Ubuntu does not install the service by default.
In our class, we will see that we can actually attack the Telnet protocol. To
install the Telnet service:
sudo apt install telnetd -y
Now you can use the telnet command to log in to another machine. The usage is
basically the same as ssh:
telnet 192.168.172.5
Crafting a packet
To succeed in this attack, the attacker needs to construct the TCP Reset packet
correctly. In particular, you need to craft a packet that looks like the
following:
from scapy.all import IP, TCP

# fill out the fields correctly
ip = IP(src="xxx.xxx.xxx.xxx", dst="yyy.yyy.yyy.yyy")
tcp = TCP(sport=sssss, dport=ddddd, seq=zzzzzz, ack=aaaaa, flags="R")
pkt = ip/tcp
The flag "R" above means Reset (RST).
Your Task
- In it432a, log in to it432b using Telnet.
- In it432c (the attacker machine), send a TCP RST packet (using Scapy) to
disconnect the Telnet connection. Please read the Scapy documentation
carefully to see how to craft and send the TCP packet.
Submit
Show (with screen captures and code) and explain your work. Convince the
instructor that the attack has been successful by showing the details of your
work.
[35pts] Part 3: TCP Session Hijacking
In this part, we will show how a reverse shell can be set up when a command can
be run directly on the victim machine (i.e. the server machine). In a TCP
session hijacking attack, the attacker cannot run a command directly on the
victim machine, so the attacker's job is to get the reverse-shell command
executed through the hijacked session.
Your task
- In it432a, log in to it432b using Telnet.
- In it432c (the attacker machine), listen on TCP port 8000 using the
nc command. The attacker needs this listener to receive the
reverse shell session.
- Also, in it432c, sniff the TCP session. Recall that sniffing packets addressed
to other hosts on the local network requires promiscuous mode. The
following command enables promiscuous mode on the interface:
sudo ifconfig ens160 promisc
- In it432c, inject a TCP packet (using Scapy) that carries a reverse-shell
command connecting back to it432c. Please read the Scapy documentation
carefully to see how to craft and send the TCP packet.
- You need to specify the sequence/ack numbers in the packet correctly.
Otherwise, the TCP stack will ignore your packet.
- Fortunately, Scapy calculates the checksum for you, so you
don't need to worry about that.
Tips
You need to craft a packet that looks like the following:
from scapy.all import IP, TCP

# fill out the fields correctly
ip = IP(src="xxx.xxx.xxx.xxx", dst="yyy.yyy.yyy.yyy")
tcp = TCP(sport=sssss, dport=ddddd, seq=zzzzzz, ack=aaaaa, flags="A")
data = b"\n/bin/bash -i ....???redirection???... \n"
pkt = ip/tcp/data
- The flag "A" above means ACK.
- In the data field, it is good practice to add a newline character "\n" at
the front and at the back so that the command is always executed on a line of
its own.
Warning
- Read the lecture notes on this attack. You may find the pictures there helpful.
- Be very careful about launching the attack correctly in terms of which host
is doing what task. In particular, think about the following
questions:
- The spoofed packet tells the following lie:
- "I am ??? and I am sending this packet." How would you
fill in the TCP/IP fields specifically to make this claim?
- Who should receive this spoofed packet?
- If the seq/ack numbers are incorrect, the TCP stack will ignore the packet.
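The forged RST of Part 2 and the injected segment of Part 3 are also visible from the defender's side on the same LAN. The detector below is an added example, not part of the lab handout or the lecture code; it replays constructed packet records for a Telnet session between it432a and it432b plus two segments forged by it432c (all IPs and MACs are made up), and flags a segment whose Ethernet source MAC differs from the MAC first seen for its IP, or whose seq is not the next byte the flow expects.

```python
from typing import NamedTuple

class Seg(NamedTuple):
    src_mac: str      # Ethernet source: which NIC on the LAN really sent the frame
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    flags: str        # subset of "SAFRP"
    seq: int
    ack: int
    payload: int      # payload length in bytes

def detect(segments):
    """Return (index, reason) alerts for Telnet (port 23) segments that look spoofed:
    the Ethernet source MAC differs from the MAC first seen for that source IP (the
    first packet from each IP is assumed genuine), or a RST/data segment does not
    carry the exact next seq the flow expects (exact match for RST follows RFC 5961;
    for data a real stack accepts anything inside the receive window, so this is
    deliberately stricter than the kernel)."""
    mac_of = {}      # src_ip -> MAC first seen for it
    next_seq = {}    # (src_ip, sport, dst_ip, dport) -> next seq expected from that side
    alerts = []
    for i, s in enumerate(segments):
        if 23 not in (s.sport, s.dport):
            continue
        flow = (s.src_ip, s.sport, s.dst_ip, s.dport)
        known = mac_of.setdefault(s.src_ip, s.src_mac)
        if s.src_mac != known:
            alerts.append((i, f"{s.src_ip} sent from MAC {s.src_mac}, expected {known}"))
        expected = next_seq.get(flow)
        in_order = expected is None or s.seq == expected
        if not in_order and ("R" in s.flags or s.payload):
            alerts.append((i, f"seq {s.seq} on {flow} != expected {expected}"))
        if in_order:   # only an accepted segment advances the expected seq
            next_seq[flow] = s.seq + s.payload + ("S" in s.flags) + ("F" in s.flags)
    return alerts

# Constructed capture: it432a (A) talks Telnet to it432b (B); then it432c (C) forges
# two segments claiming to be A. Every address and MAC here is made up.
A, B = "192.168.172.4", "192.168.172.5"
MAC_A, MAC_B, MAC_C = "aa:aa:aa:00:00:0a", "aa:aa:aa:00:00:0b", "aa:aa:aa:00:00:0c"
SEGMENTS = [
    Seg(MAC_A, A, B, 40000, 23, "S",  1000,    0,  0),
    Seg(MAC_B, B, A, 23, 40000, "SA", 5000, 1001,  0),
    Seg(MAC_A, A, B, 40000, 23, "A",  1001, 5001,  0),
    Seg(MAC_A, A, B, 40000, 23, "PA", 1001, 5001,  5),   # A types a command
    Seg(MAC_B, B, A, 23, 40000, "PA", 5001, 1006, 40),   # B sends the output
    Seg(MAC_C, A, B, 40000, 23, "R",  1006, 5041,  0),   # Part 2: forged RST, right seq
    Seg(MAC_C, A, B, 40000, 23, "PA", 9999, 5041, 20),   # Part 3: forged data, wrong seq
]
print(detect(SEGMENTS))
```

The forged RST is caught only by the MAC check, which is why matching the exact seq is what makes Part 2 succeed against the TCP stack yet still leaves a trace on the wire.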
Submit
Show (with screen captures and code) and explain your work. Convince the instructor that
the attack has been successful by showing the details of your work.
[15pts] Part 4: Writing a Lab Report
Explain and show your work. Write the lab report using the provided template
(check the lab ground rules). The writing quality of the lab report matters.
~/bin/submit -c=IT432 -p=lab02 lab02_report.doc