劫持客户端套接字

Question

I have set up a server socket (plain raw socket) listening on port A . A client now connects to this server. OS opens up a port for the client for this purpose. Say port B is allocated to this client. Now my question is, can a 3 ^rd script connect to this port B and send data. Or in other words can I spoof a response to the client as if it was coming from the server? I tried spoofing it using scapy, but it wasnt working.

server.py

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("localhost", A))
s.listen(10)
ns, cli_addr = s.accept()
time.sleep(30) # so that i can trigger my 3rd script

goodclient.py

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("localhost", A))
print s.getsockname() # to get the local port of client - B
s.recv(1024)

badboy.py

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("localhost", B)) # connection refused error
s.send("hihihi")

scapybadboy.py

pack = IP(src="localhost", dst="localhost") / TCP(sport=A, dport=B) / "Hello"
send(pack) # Packet sent but not received by the client

Answer 1

Because server and client using SOCK_STREAM sockets, they both aware of TCP session(including port, IP and ( SEQ_NUMBER , ACK_NUMBER )), so when session is already in process, you will have to perform TCP hikacking and IP spoofing in order to send messages in stream.

In other words, you will have to guess(or steal) ACK number of server in order to send fake messages to client using badclient .

However, if you will make somehow goodclient answer you and not a server you should run the following:

iptables -A FORWARD -j NFQUEUE --queue-num 1 , because your operating system doesn't know about session that you just "opened" with goodclient and it will send RST packet. This command will prevent it.