breaking into existing socket connection

**trackh4t** · 11-24-2009, 01:16 AM

I'm not 100% certain this is possible, but you guys just let me know if I've got the technicality messed up.

Here's the case:
I have a java applet (no it's not runescape) working with a TCP connection over port 499. I can see from tcpick(ing) that there's an authentication proces, which makes it hard for me to simply open a telnet connection to the server (If I do so it prompts me for a handshake, but I don't know the encoding, so I dont know how to respond).

What I am interested in doing is - after the authentication has happened - break into the socket connected and be able to send my own packets to the server/applet through the existing connection.

How should I approach that, and what tool could I use?

Thank you

**lupin** · 11-24-2009, 02:45 AM

You can use something like Hunt to do TCP session hijacking from the local network, but there are limitations to how well it works. Usually you will get to send one communication to the server before an ACK storm occurs - unless you can somehow prevent ACKS from the server for data you sent getting to the original client.

Try it out and report back with your results, I'd be curious to know how you go.

**trackh4t** · 11-24-2009, 02:59 AM

I have actually been trying to use hun, but without much success. I could never look up any hosts. I tried entering both my ip from the outside (when i wasn't behind a router) my ip given by the router (192.xx) and the ip of the webserver i was communicating with, but it gave me no match. I've been googling my ass off trying to find a decent guide, but so far I've been unsuccesfull - any Intel on this?

To elaborate on this:
No connections occur. I try opening a telnet connection just to get some response, but not even that is registered. I should say that I'm using interface eth1 or ppp0 and not the default eth0, but I have specified this via the -i parameter, so it should be configured correctly

And i found this h t t p://9lessons.blogspot.com/2008/12/tcp-hijack.html ransmission Control Protocol (TCP) Hijack saying that I could add ports for hunt to listen on, but I don't have any hunt.c or addpolicy file when I try to use "locate hunt.c" I get nothing in return

**lupin** · 11-24-2009, 03:19 AM

Originally Posted by trackh4t

I have actually been trying to use hun, but without much success. I could never look up any hosts. I tried entering both my ip from the outside (when i wasn't behind a router) my ip given by the router (192.xx) and the ip of the webserver i was communicating with, but it gave me no match. I've been googling my ass off trying to find a decent guide, but so far I've been unsuccesfull - any Intel on this?

To elaborate on this:
No connections occur. I try opening a telnet connection just to get some response, but not even that is registered. I should say that I'm using interface eth1 or ppp0 and not the default eth0, but I have specified this via the -i parameter, so it should be configured correctly

To use hunt both systems need to be on the same subnet.

If this is not the case, you will probably need to take another approach for this, and none of the approaches I can think of will be that easy. Either reverse engineer the logon process and write it into your own tool (which you have apparently already looked at) - java source code for the program may help, capture and replay the logon process (if it is replayable - how much does it change between subsequent attempts?), or create a custom proxy that can switch between two input sources at a time of your choosing to redirect the connection.

**trackh4t** · 11-24-2009, 03:46 AM

Originally Posted by lupin

To use hunt both systems need to be on the same subnet.

If this is not the case, you will probably need to take another approach for this, and none of the approaches I can think of will be that easy. Either reverse engineer the logon process and write it into your own tool (which you have apparently already looked at) - java source code for the program may help, capture and replay the logon process (if it is replayable - how much does it change between subsequent attempts?), or create a custom proxy that can switch between two input sources at a time of your choosing to redirect the connection.

Ouch - I can only use hunt locally? I thought I would be able to, because from my perspective changing post packets with tamper data or wireshark and such seems like the same thing as sending data via an already existing socket to me. perhaps I should study a bit harder on network technicalities. That's a real bitch... Then I will have to reverse engineer. I've actually already penetrated the first of their logon systems (there's a whole sequence - an initial handshake and then a second challengestring which is more heavily encrypted - don't ask me why there are 2 layers :P)

Thank you for your reply.

**lupin** · 11-24-2009, 05:04 AM

Originally Posted by trackh4t

Ouch - I can only use hunt locally?

I actually might have been wrong about that. I was reading about hunt about a week ago and that reference said that Hunt only worked locally. That may have been referring to an older version though - I just read the Link below referring to v 1.2 and above and it seems to indicate otherwise...

.:[ packet storm ]:. - http://packetstormsecurity.org/

BackTrack Linux - Penetration Testing Distribution

Thread: breaking into existing socket connection

Thread Tools

Search Thread

Display

Hybrid View

breaking into existing socket connection

Posting Permissions