TCP + IP = generateChecksums failed, I've tried every offset!
/*
  tcpdump -vvv -i lo -n ip

  NMAP result (nmap -sS localhost -p 23):

  root@debian:/home/zenetik# tcpdump -vvv -i lo -n ip
  tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
  21:50:20.794277 IP (tos 0x0, ttl 40, id 56063, offset 0, flags [none], proto TCP (6), length 44)
      127.0.0.1.56649 > 127.0.0.1.23: Flags [S], cksum 0x17c8 (correct), seq 1809790236, win 1024, options [mss 1460], length 0
  21:50:20.794292 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
      127.0.0.1.23 > 127.0.0.1.56649: Flags [S.], cksum 0xfe20 (incorrect -> 0xa280), seq 2375108310, ack 1809790237, win 43690, options [mss 65495], length 0
  21:50:20.794297 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
      127.0.0.1.56649 > 127.0.0.1.23: Flags [R], cksum 0x3381 (correct), seq 1809790237, win 0, length 0

  syn.js result:

  1:51:01.309365 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 48)
      127.0.0.1.35643 > 127.0.0.1.23: Flags [S], cksum 0x0000 (incorrect -> 0x01db), seq 234156285:234156289, win 1024, options [mss 1460], length 4
*/
/*
  IP Header

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  TCP Header

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
var raw = require ("raw-socket");

// Raw TCP socket. beforeSend() later sets IP_HDRINCL, so the buffer handed to
// send() is expected to start with the IP header built below.
var options = {
  protocol: raw.Protocol.TCP,
  // Earlier attempts at the checksum-offset option, kept for reference:
  //checksumOffset:0x2c
  //checksumOffset:0x27
};
var socket = raw.createSocket(options);

// 20-byte IPv4 header without options. The index in [] is the byte offset
// inside ipBuffer (and inside the combined buffer, since the IP header comes
// first). new Buffer(array) is deprecated in current Node (Buffer.from is the
// replacement) but behaves the same for an explicit byte array.
var ipBuffer = new Buffer([
  0x45,                   // [0]  version 4 (high nibble), IHL 5 words = 20 bytes (low nibble)
  0x00,                   // [1]  type of service
  0x00, 0x00,             // [2]  total length (left 0; the author expects the module/kernel to fill it — unconfirmed here)
  0x00, 0x00,             // [4]  identification
  0x00, 0x00,             // [6]  flags (3 bits) + fragment offset (13 bits)
  0x00,                   // [8]  TTL (0 here; the syn.js capture above shows ttl 64 on the wire, so something downstream rewrites it — confirm)
  0x06,                   // [9]  protocol: TCP (ICMP=1, IGMP=2, TCP=6, UDP=17)
  0x00, 0x00,             // [10] header checksum (left 0)
  0x7f, 0x00, 0x00, 0x01, // [12] source address 127.0.0.1
  0x7f, 0x00, 0x00, 0x01, // [16] destination address 127.0.0.1
]);

// 24-byte TCP header: 20 fixed bytes plus one 4-byte MSS option. The index in
// [] is the byte offset inside tcpBuffer; add 0x14 (20) for the offset inside
// the combined buffer.
var tcpBuffer = new Buffer([
  0x8e, 0x37,             // [0]  source port 36407 (author's note: should be random)
  0x00, 0x17,             // [2]  destination port 23
  0x0b, 0x9b, 0x3b, 0x97, // [4]  sequence number (author's note: should be random)
  0x00, 0x00, 0x00, 0x00, // [8]  acknowledgment number: 0, no ACK flag on an initial SYN
  0x60,                   // [12] data offset 6 words = 24 bytes (high nibble); reserved bits 0
  0x02,                   // [13] flags: SYN (FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 URG=0x20)
  0x04, 0x00,             // [14] window 1024
  0xc0, 0xa3,             // [16] checksum, hard-coded (0x24 in the combined buffer). A TCP checksum
                          //      covers a pseudo-header (addresses, protocol, TCP length) plus the
                          //      whole segment, so this value is only right for one exact byte sequence.
  0x00, 0x00,             // [18] urgent pointer
  0x02, 0x04,             // [20] option: kind 2 (MSS), length 4
  0x05, 0xb4,             // [22] MSS value 1460
]);

// Whole datagram as the kernel will see it: IP header followed by TCP header.
var buffer = Buffer.concat([ipBuffer, tcpBuffer]);
/**
 * Write a 16-bit port number in network byte order (big-endian).
 *
 * @param {Buffer} buf - buffer to patch in place
 * @param {number} port - port value; only the low 16 bits are written
 * @param {number} offset - byte index of the high-order byte
 */
var setPort = function(buf,port,offset) {
  var high = (port >> 8) & 0xff;
  var low = port & 0xff;
  buf[offset] = high;
  buf[offset + 1] = low;
}
/**
 * Intended to set the TCP destination port; currently a no-op because the
 * only statement is commented out. Note that the commented offset 0x02 is
 * relative to the TCP header, while callers pass the combined IP+TCP buffer,
 * where bytes 0x02-0x03 are the IP total-length field.
 *
 * @param {Buffer} buf - combined IP+TCP buffer (unused)
 * @param {number} port - destination port (unused)
 */
var setPortDst = function(buf,port) {
  //setPort(buf,port,0x02);
  return;
}
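/**
 * Set the TCP source port inside the combined IP+TCP buffer.
 *
 * The source port is at TCP offset 0, but `buf` starts with the 20-byte IPv4
 * header (IHL=5, no options), so the field lives at 0x14. The previous
 * offset 0x00 would have overwritten the IP version/IHL byte instead.
 *
 * @param {Buffer} buf - combined IP+TCP buffer, patched in place
 * @param {number} port - source port; low 16 bits written big-endian
 */
var setPortSrc = function(buf,port) {
  var offset = 0x14 + 0x00; // IP header length + TCP field offset
  buf[offset] = (port >> 8) & 0xff;
  buf[offset + 1] = port & 0xff;
}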
/**
 * Sum the TCP pseudo-header words that come from the IP header: source
 * address, destination address and protocol, read as big-endian 16-bit words
 * from the combined buffer.
 *
 * Despite the name this does not write anything: it returns the raw partial
 * sum (no TCP length, no TCP header words, no carry folding, no complement),
 * so it is not yet a usable checksum. The call site (`setCrc`) is commented out.
 *
 * @param {Buffer} buf - combined IP+TCP buffer
 * @returns {number} partial pseudo-header sum
 */
var setTcpChecksum = function(buf) {
  var word = function(i) {
    return buf[i] * 0x100 + buf[i + 1];
  };
  var srcAddr = 0x0c;   // IP source address, 4 bytes
  var dstAddr = 0x10;   // IP destination address, 4 bytes
  var protocol = 0x09;  // IP protocol byte
  var pseudo = word(srcAddr) + word(srcAddr + 2);
  pseudo += word(dstAddr) + word(dstAddr + 2);
  pseudo += buf[protocol];
  return pseudo;
}
// Currently a no-op (setPortDst's body is commented out), so the destination
// port stays at the 23 baked into tcpBuffer.
setPortDst(buffer, 21);
//setPortSrc(buffer,4444); // port src should be random, not static
//setCrc(buffer);          // no setCrc is defined in this file
// Label used in the send() log line; must agree with the destination address
// bytes in ipBuffer.
var target = '127.0.0.1';
// Losing the socket is fatal for a one-shot probe: report it and exit non-zero.
socket.on("close", function () {
  console.log("socket closed");
  process.exit(-1);
});
// Any socket error ends the run; the message is printed first so the cause
// (e.g. missing privileges for a raw socket) is visible.
socket.on("error", function (error) {
  var text = "error: " + error.toString();
  console.log(text);
  process.exit(-1);
});
// Inspect every frame the raw socket delivers. The offsets assume the frame
// starts with a 20-byte IPv4 header (IHL=5); the IHL nibble is not checked,
// so a reply carrying IP options would be misread. A short frame only makes
// the comparisons false (undefined !== number), it does not throw.
// The callback parameter is named msg to avoid shadowing the module-level
// `buffer` that holds the outgoing datagram.
socket.on("message", function (msg, source) {
  var isTcp = msg[0x09] === 0x06;              // IP protocol byte
  var flags = msg[0x21];                        // TCP flags byte: 0x14 + 13
  var port = msg[0x14] * 0x100 + msg[0x15];     // TCP source port of the reply
  // 0x12 = SYN|ACK: the probed port completed step two of the handshake.
  if (isTcp && flags === 0x12) {
    process.stdout.write('\nReceived SYN from ' + source + ':' + port + '\n');
    return;
  }
  process.stdout.write('.');
});
/**
 * Hook run by raw-socket right before the datagram is sent.
 *
 * Enables IP_HDRINCL so the kernel treats the start of the buffer as a
 * caller-supplied IP header, then asks the module to generate a checksum.
 */
var beforeSend = function() {
  // setsockopt takes an int and any non-zero value enables the option. On a
  // little-endian host these bytes read as 0x11000000 — presumably meant to
  // be 1, but it still enables the option. TODO confirm intent.
  var hdrIncl = new Buffer([0x00, 0x00, 0x00, 0x11]);
  socket.setOption(
    raw.SocketLevel.IPPROTO_IP,
    raw.SocketOption.IP_HDRINCL,
    hdrIncl,
    4);
  // Second argument is presumably the byte offset of the checksum field in the
  // buffer being sent (see the commented checksumOffset options). NOTE(review):
  // with a 20-byte IP header the TCP checksum field sits at 0x24 of the
  // combined buffer, and a TCP checksum also covers the pseudo-header
  // (addresses, protocol, TCP length) — confirm against the module's docs
  // whether generateChecksums accounts for that before relying on it.
  socket.generateChecksums(true, 1);
}
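// Send the whole datagram to `target`. The address passed here must match the
// destination bytes in ipBuffer and the label in the log line; using the one
// variable for both keeps them from drifting apart. beforeSend runs first
// (IP_HDRINCL + checksum generation); the last callback reports the outcome.
socket.send(buffer, 0, buffer.length, target, beforeSend, function (error, bytes) {
  if (error) {
    console.log(error.toString());
  } else {
    console.log("sent " + bytes + " bytes to " + target);
  }
});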