Why only SYN and ACK+PSH packets? #1
Comments
You need a middle box router/filter from a not so libertarian country 😁
On Mon 5 Aug 2024 at 10:37, happyeverydaylove wrote:
> Hello, I would like to ask, I am testing with two direct computers (static IPs on the same subnet). I modified the dst_ip in mra.py to the IP of nginx installed on Kali, and sent it according to the commands on Redmin. Eventually, there was an 11.pcap file. When I opened it with Wireshark, I found only SYN and ACK+PSH from src to dst, nothing else. So how do I know if it reflected?
|
To understand you need to read the white paper
|
I'd like to conduct some tests on the internal network to see how they are performed. Could you recommend any middleware or environments for me? |
After running the script, a file named 11.pcap will be generated in the folder. When opened with Wireshark, it contains only SYN and ACK+PSH packets from the target to the server. Where can I find the returned RST packets? If I try capturing packets directly with Wireshark, there's nothing there. |
The RST packet is made by the middlebox. There is no environment for testing; you have to find a VPS/server in a country with middleboxes.
|
I wonder if the TCP reflection amplification can only be tested on the public network, or is it possible to test it on a private network that I have set up myself? |
Is it possible to set up your own server, like with Apache, Nginx, or Tomcat? |
You need to emulate a middlebox in your environment. I don't know if such a thing exists.
|
Accessing a webpage on the public internet (the "forbidden web" in your code) using a public IP address is generally not an issue; however, the server prohibits access to the target server. This becomes problematic within an internal network setting. |
This is how it works! The middlebox sends a reset to the sender, and sometimes a ton of data in a web page ("this page is forbidden" and so on...), so you can use it to DDOS a server by spoofing the source IP.
|
I understand how it works, but I'm a bit confused. When online, the script you wrote can send packets to the server, which eventually reach the target IP. However, when offline with a static IP set, the target server cannot receive them. No data is received when sniffing packets on a server built on my own computer. It feels like the sent requests are not getting to the network card of this computer. |
the packets are sent to the "forbidden sites" only
|
the packets are sent to the "forbidden sites" only, that's how it works
I've modified the repo
|
I re-ran the script you compiled, conducting tests on one computer with three virtual machines (NAT). Machine 147 is the pivot (server), and machine 149 is the target, as shown in Figure 1. I would like to ask why the pivot sends a SYN-ACK to the target, and then the target responds with an RST to the pivot? |
Be more specific; give me your local IPs of:
- the server to DDOS
- the forbidden site
- the middlebox
|
In NAT mode:
Attacker machine IP: 192.168.100.1
Server IP: 192.168.100.10
Target machine IP: 192.168.100.110
In the code, fill in "forbidden" as 192.168.100.10, and run it as python mra.py 100 192.168.100.110 |
give me the IP:
- the server to DDOS (target machine):
- the forbidden site:
- the middlebox:
don't care about your machine; the script crafts packets with the forbidden sites and the target to DDOS
|
- the server to DDOS (target machine): 192.168.100.10
- the forbidden site: 192.168.100.110
- the middlebox: tomcat7 |
The IP of the middlebox?
|
Isn't the middlebox IP the same as the server's IP? |
No! The middlebox is an "evil" router/firewall that controls the packets and prevents them from going outside a country. You need to emulate the middlebox and send a "blocked website blabla" to the source IP (the target to DDOS, because the packet spoofs the IP).
|
I'm starting to get what you mean; so currently, only a simple server has been set up without the intermediary box? Are there any tutorials available for me to simulate the intermediary box? |
So, for example, if I turn on the firewall in a Windows 10 system, would that be considered an intermediary box? |
The middlebox is a ROUTER/FIREWALL that can block some packets. When the destination of the packet is forbidden, this ROUTER/FIREWALL sends to the source IP a web page saying "blablabla forbidden". This page can be huge, and this data can be used to DDOS someone. So by crafting a spoofed packet, SRC = IP to DDOS, DEST = forbidden site, the ROUTER/FIREWALL will send a shit-ton of data to the source IP.
|
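The mechanism described above, seen from the spoofed source host's side: an added example (not part of this thread or of mra.py) that flags inbound RST, SYN-ACK and data-bearing segments belonging to flows the host never opened with a SYN, which is exactly what a reflection victim receives. The packet records and the peer 203.0.113.5 are constructed; 192.168.100.10 and 192.168.100.110 are the lab addresses given earlier in the thread.

```python
from collections import defaultdict

# Monitored host: the spoofed source from the thread's lab (the "server to
# DDOS"). Every packet record below is constructed for this example.
HOST = "192.168.100.10"

# (direction, src_ip, src_port, dst_ip, dst_port, tcp_flags, payload_bytes);
# direction is "in" (arriving at HOST) or "out" (sent by HOST).
PACKETS = [
    # A connection HOST really opened, to a constructed peer 203.0.113.5.
    ("out", HOST, 51000, "203.0.113.5", 80, "S", 0),
    ("in", "203.0.113.5", 80, HOST, 51000, "SA", 0),
    ("out", HOST, 51000, "203.0.113.5", 80, "A", 0),
    ("in", "203.0.113.5", 80, HOST, 51000, "PA", 1200),
    # Reflection: the middlebox answers a spoofed SYN (src = HOST, dst = the
    # "forbidden" 192.168.100.110) with a RST plus a block page, although HOST
    # never sent a SYN on these ports.
    ("in", "192.168.100.110", 80, HOST, 40001, "R", 0),
    ("in", "192.168.100.110", 80, HOST, 40001, "PA", 1460),
    ("in", "192.168.100.110", 80, HOST, 40001, "PA", 1460),
    ("in", "192.168.100.110", 80, HOST, 40002, "PA", 1460),
    # Backscatter: an unsolicited SYN-ACK that HOST's stack answers with RST
    # (the SYN-ACK / RST pair asked about later in the thread).
    ("in", "192.168.100.110", 80, HOST, 40003, "SA", 0),
    ("out", HOST, 40003, "192.168.100.110", 80, "R", 0),
]

def find_unsolicited(packets, host):
    """Map (remote_ip, remote_port, local_port) -> counters for inbound
    segments of flows that host never initiated with a pure SYN."""
    initiated = set()
    for direction, sip, sport, dip, dport, flags, _ in packets:
        if direction == "out" and sip == host and flags == "S":
            initiated.add((dip, dport, sport))
    hits = defaultdict(lambda: {"rst": 0, "synack": 0, "data_segments": 0, "bytes": 0})
    for direction, sip, sport, dip, dport, flags, plen in packets:
        if direction != "in" or dip != host or (sip, sport, dport) in initiated:
            continue
        h = hits[(sip, sport, dport)]
        h["rst"] += "R" in flags
        h["synack"] += flags == "SA"
        h["data_segments"] += plen > 0
        h["bytes"] += plen
    return dict(hits)

def summarize_reflectors(hits):
    """Per remote source: flows hit and payload bytes HOST absorbed without
    having sent a single request byte (the amplification a victim sees)."""
    out = defaultdict(lambda: {"flows": 0, "bytes": 0, "rst": 0, "synack": 0})
    for (sip, _, _), h in hits.items():
        out[sip]["flows"] += 1
        for k in ("bytes", "rst", "synack"):
            out[sip][k] += h[k]
    return dict(out)
```

On a real capture the same logic applies to the pcap taken on the spoofed source: unsolicited segments from port 80 with payload, and no outbound SYN to match, are the reflected block page.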
Actually, you could simulate the environment with two devices: one as an attacking machine (running Kali Linux) with a firewall configured to block the destination address, and the other as the target machine or victim. Would this setup work? |
your firewall needs to act like a middlebox
|
I'm going to try setting up the firewall and creating rules, but I have a question. Perhaps I didn't explain it clearly enough. If we set a blocked website, such as Facebook, in a connected environment, we can perform a DDoS attack because we're accessing their servers. But in a disconnected environment, can we set any website as blocked, or...? I hope you understand what I mean. I'm a bit confused about setting up the block. |
You have to emulate a middlebox that sends a web page to the source IP when it detects a forbidden IP dest.
|
Is enabling a Linux firewall and adding rules considered simulating a middlebox? How exactly can I simulate a middlebox? |
*You have to emulate a middlebox that sends a web page to the source IP when it detects a forbidden IP dest.*
Do it like you want...
|
If I use Kali Linux with Apache to host a website and set access restrictions so that the source IP is blocked, and then set the forbidden website to be Kali's own IP address, would a script-based attack theoretically perform a DDoS on the source IP? |
*You have to emulate a middlebox that sends a web page to the source IP when it detects a forbidden IP dest in a packet.*
I don't know what to add.
|
OK, what is the final result of a DDoS attack on the target drone using the intermediate box? CPU increase? System crash? |
A regular DDOS attack, but with the middlebox reflection you need less bandwidth to take down a target.
|
Why, when connected to the internet, sending a forbidden website to the middlebox can trigger interception? It seems like no specific settings are made on the middlebox itself, and I'm not quite understanding the principle behind this. |
the middlebox is a proxy...
|
The result obtained by using this script is based on the middleware reflection shown in (b) of the image |
I see that it is necessary to configure the wrong middleware server; then, if it is set so that access to the source IP is forbidden, can the script then disable the server IP? |
Have you tested it on the intranet? If so, how was your intermediary box configured? |