
Thread: breaking into existing socket connection

  1. #1 Just burned his ISO (Join Date: Jun 2009, Posts: 8)

    breaking into existing socket connection

    I'm not 100% certain this is possible, but you guys just let me know if I've got the technicality messed up.

    Here's the case:
    I have a Java applet (no, it's not RuneScape) working with a TCP connection over port 499. I can see from tcpick(ing) that there's an authentication process, which makes it hard for me to simply open a telnet connection to the server (if I do so it prompts me for a handshake, but I don't know the encoding, so I don't know how to respond).

    What I am interested in doing is, after the authentication has happened, to break into the connected socket and be able to send my own packets to the server/applet through the existing connection.

    How should I approach that, and what tool could I use?

    Thank you

  2. #2 lupin, Super Moderator (Join Date: Jan 2010, Posts: 2,943)

    You can use something like Hunt to do TCP session hijacking from the local network, but there are limitations to how well it works. Usually you will get to send one communication to the server before an ACK storm occurs, unless you can somehow prevent ACKs from the server for data you sent from getting to the original client.

    Try it out and report back with your results, I'd be curious to know how you go.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
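The ACK storm lupin describes is also the symptom a defender can watch for. As an added example (not code from this thread or from Hunt), the following scans constructed packet records for the pattern: both endpoints of one flow rapidly resending a fixed bare ACK at each other because they no longer agree on the sequence space. Addresses and timings are made up; port 499 is taken from the thread.

```python
from collections import defaultdict, namedtuple

# One decoded TCP packet; addresses are "ip:port", flags like "A" or "PA".
Pkt = namedtuple("Pkt", "ts src dst flags seq ack plen")

def flow_key(p):
    return tuple(sorted((p.src, p.dst)))

def detect_ack_storm(pkts, window=1.0, threshold=5):
    """Flows where BOTH endpoints resend one fixed bare ACK (same src, seq,
    ack, no payload) >= threshold times within `window` seconds. Healthy bare
    ACKs advance their ack number; after a desync the two real endpoints
    ACK each other forever with unchanging numbers. -> {flow_key: ts}"""
    bare = defaultdict(list)
    for p in pkts:
        if p.flags == "A" and p.plen == 0:
            bare[flow_key(p)].append(p)
    alerts = {}
    for key, acks in bare.items():
        acks.sort(key=lambda p: p.ts)
        counts = defaultdict(int)  # (src, seq, ack) -> hits in window
        start = 0
        for p in acks:
            counts[(p.src, p.seq, p.ack)] += 1
            while p.ts - acks[start].ts > window:  # slide window forward
                s = acks[start]
                counts[(s.src, s.seq, s.ack)] -= 1
                start += 1
            repeating = {k[0] for k, n in counts.items() if n >= threshold}
            if len(repeating) == 2:  # both directions are stuck
                alerts[key] = p.ts
                break
    return alerts

CLIENT, SERVER = "10.0.0.5:51000", "10.0.0.9:499"  # constructed addresses

def healthy_sample():
    pk = []
    for n in range(4):  # client sends 10 bytes, server ACKs the next byte
        pk.append(Pkt(0.1 * n, CLIENT, SERVER, "PA", 1 + 10 * n, 5001, 10))
        pk.append(Pkt(0.1 * n + 0.05, SERVER, CLIENT, "A", 5001, 11 + 10 * n, 0))
    return pk

def storm_sample():
    pk = healthy_sample()
    for n in range(8):  # server now ACKs byte 140, which the client never sent
        pk.append(Pkt(2.0 + 0.01 * n, CLIENT, SERVER, "A", 41, 5001, 0))
        pk.append(Pkt(2.005 + 0.01 * n, SERVER, CLIENT, "A", 5001, 140, 0))
    return pk
```

Plain duplicate ACKs from packet loss come from one side only, which is why the detector requires both directions to be repeating before it alerts.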

  3. #3 Just burned his ISO (Join Date: Jun 2009, Posts: 8)

    I have actually been trying to use hunt, but without much success. I could never look up any hosts. I tried entering both my IP from the outside (when I wasn't behind a router), my IP given by the router (192.xx) and the IP of the webserver I was communicating with, but it gave me no match. I've been googling my ass off trying to find a decent guide, but so far I've been unsuccessful. Any intel on this?

    To elaborate on this:
    No connections occur. I try opening a telnet connection just to get some response, but not even that is registered. I should say that I'm using interface eth1 or ppp0 and not the default eth0, but I have specified this via the -i parameter, so it should be configured correctly.

    And I found this, http://9lessons.blogspot.com/2008/12/tcp-hijack.html (Transmission Control Protocol (TCP) Hijack), saying that I could add ports for hunt to listen on, but I don't have any hunt.c or addpolicy file. When I try to use "locate hunt.c" I get nothing in return.

  4. #4 lupin, Super Moderator (Join Date: Jan 2010, Posts: 2,943)

    Quote Originally Posted by trackh4t:
        I have actually been trying to use hunt, but without much success. I could never look up any hosts. I tried entering both my IP from the outside (when I wasn't behind a router), my IP given by the router (192.xx) and the IP of the webserver I was communicating with, but it gave me no match. I've been googling my ass off trying to find a decent guide, but so far I've been unsuccessful. Any intel on this?

        To elaborate on this:
        No connections occur. I try opening a telnet connection just to get some response, but not even that is registered. I should say that I'm using interface eth1 or ppp0 and not the default eth0, but I have specified this via the -i parameter, so it should be configured correctly.
    To use hunt both systems need to be on the same subnet.

    If this is not the case, you will probably need to take another approach for this, and none of the approaches I can think of will be that easy. Either reverse engineer the logon process and write it into your own tool (which you have apparently already looked at; Java source code for the program may help), capture and replay the logon process (if it is replayable: how much does it change between subsequent attempts?), or create a custom proxy that can switch between two input sources at a time of your choosing to redirect the connection.

  5. #5 Just burned his ISO (Join Date: Jun 2009, Posts: 8)

    Quote Originally Posted by lupin:
        To use hunt both systems need to be on the same subnet.

        If this is not the case, you will probably need to take another approach for this, and none of the approaches I can think of will be that easy. Either reverse engineer the logon process and write it into your own tool (which you have apparently already looked at; Java source code for the program may help), capture and replay the logon process (if it is replayable: how much does it change between subsequent attempts?), or create a custom proxy that can switch between two input sources at a time of your choosing to redirect the connection.
    Ouch, I can only use hunt locally? I thought I would be able to, because from my perspective changing POST packets with Tamper Data or Wireshark and such seems like the same thing as sending data via an already existing socket. Perhaps I should study a bit harder on network technicalities. That's a real bitch... Then I will have to reverse engineer. I've actually already penetrated the first of their logon systems (there's a whole sequence: an initial handshake and then a second challenge string which is more heavily encrypted; don't ask me why there are 2 layers :P).

    Thank you for your reply.

  6. #6 lupin, Super Moderator (Join Date: Jan 2010, Posts: 2,943)

    Quote Originally Posted by trackh4t:
        Ouch, I can only use hunt locally?
    I actually might have been wrong about that. I was reading about Hunt about a week ago and that reference said that Hunt only worked locally. That may have been referring to an older version though; I just read the link below referring to v1.2 and above and it seems to indicate otherwise...

    .:[ packet storm ]:. - http://packetstormsecurity.org/

  7. #7 Just burned his ISO (Join Date: Jun 2009, Posts: 8)

    Something's not working entirely right for me. I found out that I had the bin version of hunt, so I went out and got myself one I could compile with make myself, that had the hunt.c and addpolicy.c files. I changed those and ran "make". I got some errors, but the program SEEMS to start up. I still don't get any connections though. Not even when I open a telnet session will the program respond. (towel.blinkenlights.nl - really funny ASCII art, btw.)

    I must've misunderstood the concept of use of hunt. I have no connections whatsoever. Can anyone else get it to compile and work successfully?

    (btw lupin: I like your Churchill quote.)

  8. #8 thorin, My life is this forum (Join Date: Jan 2010, Posts: 2,629)

    Seems like you could put something together with netcat and tcpreplay. It'd be a bit kludgy but it can't probably be made to work.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  9. #9 Just burned his ISO (Join Date: Jun 2009, Posts: 8)

    I was actually successful in configuring hunt this time around. I still have no idea why hunt wouldn't let me view the connection when I had recompiled with the addpolicy and port 499 set, but I tried just setting it = 0, so it would accept ALL connections, and then my 499 connection was displayed too. It works OK, but I get kicked off from time to time, not really knowing why. If anyone has a hunch on why this happens, and/or how to disable hunt from reconnecting when it detects an ACK storm (because in this particular app it detects normal packets as an ACK storm when there are lots of them, and that makes it crash).

    Anyway to conclude:

    SUCCESS, but I might have to code some solution myself, because this one seems a bit flawed. It's an important part-goal and that's what counts for me right now.
