Thread: breaking into existing socket connection

  1. #1 trackh4t (Just burned his ISO, Join Date Jun 2009, Posts 8)

    breaking into existing socket connection

    I'm not 100% certain this is possible, but you guys just let me know if I've got the technicality messed up.

    Here's the case:
    I have a Java applet (no, it's not RuneScape) working with a TCP connection over port 499. I can see from tcpick(ing) that there's an authentication process, which makes it hard for me to simply open a telnet connection to the server (if I do so it prompts me for a handshake, but I don't know the encoding, so I don't know how to respond).

    What I am interested in doing is, after the authentication has happened, to break into the connected socket and be able to send my own packets to the server/applet through the existing connection.

    How should I approach that, and what tool could I use?

    Thank you

  2. #2 lupin (Super Moderator, Join Date Jan 2010, Posts 2,943)

    You can use something like Hunt to do TCP session hijacking from the local network, but there are limitations to how well it works. Usually you will get to send one communication to the server before an ACK storm occurs, unless you can somehow prevent the ACKs from the server (for data you sent) from getting to the original client.

    Try it out and report back with your results, I'd be curious to know how you go.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
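A defender-side check for the ACK storm lupin describes, as an added example that is not from this thread or from Hunt: it scans packet records for a connection in which both endpoints keep re-sending payload-less ACKs with unchanged sequence and acknowledgement numbers, which is the on-the-wire symptom of a desynchronised (hijacked) session. The packet records, their field names and the 10.0.0.x addresses are constructed for the example.

```python
from collections import defaultdict

def conn_key(p):
    """Direction-independent key for the TCP connection a packet belongs to."""
    a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return (a, b) if a <= b else (b, a)

def find_ack_storms(packets, window=1.0, threshold=20, max_distinct=2):
    """Map conn_key -> (window_start, ack_count) for connections that show
    at least `threshold` payload-less ACKs within `window` seconds carrying
    no more than `max_distinct` distinct (seq, ack) pairs, i.e. both ends
    re-sending the same numbers at each other."""
    by_conn = defaultdict(list)
    for p in packets:
        if p["flags"] == "A" and p["len"] == 0:   # pure ACK, no data
            by_conn[conn_key(p)].append((p["ts"], p["seq"], p["ack"]))
    storms = {}
    for key, acks in by_conn.items():
        acks.sort()
        start = 0
        for end in range(len(acks)):            # sliding time window
            while acks[end][0] - acks[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                pairs = {(s, a) for _, s, a in acks[start:end + 1]}
                if len(pairs) <= max_distinct:
                    storms[key] = (acks[start][0], end - start + 1)
                    break
    return storms

def pkt(ts, src, sport, dst, dport, seq, ack, flags, length):
    return dict(ts=ts, src=src, sport=sport, dst=dst, dport=dport,
                seq=seq, ack=ack, flags=flags, len=length)

def sample_capture():
    """Constructed packets, not a real capture: one healthy connection and
    one stuck in an ACK storm, both to the applet server on port 499."""
    pkts = []
    for i in range(10):   # healthy: each 100-byte segment gets a new ACK number
        t = 10.0 + i * 0.05
        pkts.append(pkt(t, "10.0.0.5", 50000, "10.0.0.9", 499, 1000 + i * 100, 5000, "PA", 100))
        pkts.append(pkt(t + 0.01, "10.0.0.9", 499, "10.0.0.5", 50000, 5000, 1100 + i * 100, "A", 0))
    for i in range(30):   # storm: 30 identical ACKs bounce back and forth in 0.3 s
        t = 100.0 + i * 0.01
        if i % 2 == 0:
            pkts.append(pkt(t, "10.0.0.7", 50001, "10.0.0.9", 499, 2000, 6000, "A", 0))
        else:
            pkts.append(pkt(t, "10.0.0.9", 499, "10.0.0.7", 50001, 6000, 2000, "A", 0))
    return pkts
```

On a real capture you would feed `find_ack_storms` the same fields pulled from a pcap reader; the healthy connection never trips it because every ACK carries a new acknowledgement number.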

  3. #3 trackh4t (Just burned his ISO, Join Date Jun 2009, Posts 8)

    I have actually been trying to use hunt, but without much success. I could never look up any hosts. I tried entering both my IP from the outside (when I wasn't behind a router), my IP given by the router (192.xx) and the IP of the webserver I was communicating with, but it gave me no match. I've been googling my ass off trying to find a decent guide, but so far I've been unsuccessful. Any intel on this?

    To elaborate on this:
    No connections occur. I try opening a telnet connection just to get some response, but not even that is registered. I should say that I'm using interface eth1 or ppp0 and not the default eth0, but I have specified this via the -i parameter, so it should be configured correctly.

    And I found this, http://9lessons.blogspot.com/2008/12/tcp-hijack.html (Transmission Control Protocol (TCP) Hijack), saying that I could add ports for hunt to listen on, but I don't have any hunt.c or addpolicy file; when I try "locate hunt.c" I get nothing in return.

  4. #4 lupin (Super Moderator, Join Date Jan 2010, Posts 2,943)

    Quote Originally Posted by trackh4t:
    I have actually been trying to use hunt, but without much success. I could never look up any hosts. I tried entering both my IP from the outside (when I wasn't behind a router), my IP given by the router (192.xx) and the IP of the webserver I was communicating with, but it gave me no match. I've been googling my ass off trying to find a decent guide, but so far I've been unsuccessful. Any intel on this?

    To elaborate on this:
    No connections occur. I try opening a telnet connection just to get some response, but not even that is registered. I should say that I'm using interface eth1 or ppp0 and not the default eth0, but I have specified this via the -i parameter, so it should be configured correctly.
    To use hunt both systems need to be on the same subnet.

    If this is not the case, you will probably need to take another approach for this, and none of the approaches I can think of will be that easy. Either reverse engineer the logon process and write it into your own tool (which you have apparently already looked at; the Java source code for the program may help), capture and replay the logon process (if it is replayable: how much does it change between subsequent attempts?), or create a custom proxy that can switch between two input sources at a time of your choosing to redirect the connection.

  5. #5 trackh4t (Just burned his ISO, Join Date Jun 2009, Posts 8)

    Quote Originally Posted by lupin:
    To use hunt both systems need to be on the same subnet.

    If this is not the case, you will probably need to take another approach for this, and none of the approaches I can think of will be that easy. Either reverse engineer the logon process and write it into your own tool (which you have apparently already looked at; the Java source code for the program may help), capture and replay the logon process (if it is replayable: how much does it change between subsequent attempts?), or create a custom proxy that can switch between two input sources at a time of your choosing to redirect the connection.
    Ouch, I can only use hunt locally? I thought I would be able to, because from my perspective changing POST packets with Tamper Data or Wireshark and such seems like the same thing as sending data via an already existing socket to me. Perhaps I should study a bit harder on network technicalities. That's a real bitch... Then I will have to reverse engineer. I've actually already penetrated the first of their logon systems (there's a whole sequence: an initial handshake and then a second challenge string which is more heavily encrypted; don't ask me why there are 2 layers :P).

    Thank you for your reply.

  6. #6 lupin (Super Moderator, Join Date Jan 2010, Posts 2,943)

    Quote Originally Posted by trackh4t:
    Ouch, I can only use hunt locally?

    I actually might have been wrong about that. I was reading about hunt about a week ago and that reference said that Hunt only worked locally. That may have been referring to an older version though; I just read the link below referring to v1.2 and above and it seems to indicate otherwise...

    Packet Storm - http://packetstormsecurity.org/
