Can I use the client's source_port to replace the server's response to the client?
As we all know, when we send a TCP request to a server, our OS assigns the source port. For example: destination_port: 80, source_port: 65123. When the server replies to us, it uses the source_port.
Imagine the following scenario:
One single network:
SERVER - very slow HTTP server
PC1 - victim, client that sends requests to SERVER
PC2 - hacker
PC1 -> SERVER: SOURCE_PORT: 65123, DESTINATION_PORT: 80
SERVER -> PC1: SOURCE_PORT: 80, DESTINATION_PORT: 65123
Question:
Can PC2 send data to PC1's source port and replace the response from SERVER?
Like this:
PC1 -> SERVER: SOURCE_PORT: 65123, DESTINATION_PORT: 80
PC2 -> PC1: SOURCE_PORT: 80, DESTINATION_PORT: 65123
This is doable. With low-level access to the network (usually root access rights on some Linux machine are enough), you can fabricate packets, including their source IP address and TCP port. This is the same mechanism nmap uses for its decoy scan.
As mentioned by Ron Maupin, there are some more fields in the TCP packets that must match and be as expected for the attack you have described to work, so this is not easy to perform. And even if the fields match, it is likely that, due to the inconsistencies introduced into the communication, the socket will be closed afterwards.
It would be much easier for PC2 to perform a Man-in-the-Middle attack (easy to do in local networks) and then replace the content of the communication between PC1 and SERVER.
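An added illustration of the answer's point that fields beyond the ports must match (example code written for this page, not part of the answer or of any project): a simplified version of the receiver-side acceptability test from RFC 793, run against constructed connection state. A segment whose 4-tuple is correct but whose sequence or acknowledgement number does not fit the connection is discarded by PC1's TCP stack before any application sees it, which is why guessing the ports alone is not enough.

```python
# Added example: a simplified RFC 793 receiver-side acceptability check for an
# ESTABLISHED TCP connection. All addresses, ports and counters are constructed.
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers wrap modulo 2^32

@dataclass
class Segment:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    payload_len: int

@dataclass
class Connection:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    rcv_nxt: int  # next sequence number we expect from the peer
    rcv_wnd: int  # how many bytes beyond rcv_nxt we will accept
    snd_una: int  # oldest of our own bytes not yet acknowledged
    snd_nxt: int  # next sequence number we will send

def in_window(x: int, lo: int, size: int) -> bool:
    """lo <= x < lo + size, evaluated with wrap-around arithmetic."""
    return (x - lo) % MOD < size

def accept_segment(conn: Connection, seg: Segment) -> tuple:
    """Return (accepted, reason) for a segment arriving on conn."""
    if (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port) != \
            (conn.remote_ip, conn.remote_port, conn.local_ip, conn.local_port):
        return False, "4-tuple mismatch: not this socket"
    # Sequence check: at least one byte of the segment must lie in the receive window.
    if conn.rcv_wnd == 0:
        seq_ok = seg.payload_len == 0 and seg.seq == conn.rcv_nxt
    else:
        last = (seg.seq + max(seg.payload_len, 1) - 1) % MOD
        seq_ok = (in_window(seg.seq, conn.rcv_nxt, conn.rcv_wnd)
                  or in_window(last, conn.rcv_nxt, conn.rcv_wnd))
    if not seq_ok:
        return False, "sequence number outside receive window"
    # ACK check: SND.UNA <= SEG.ACK <= SND.NXT, i.e. it may only cover bytes we sent.
    if not in_window(seg.ack, conn.snd_una, (conn.snd_nxt - conn.snd_una) % MOD + 1):
        return False, "acknowledgement number unacceptable"
    return True, "accepted"
```

The same test applied to captured traffic gives a defender a useful signal: segments that hit an existing 4-tuple but fail the sequence or ACK check are what a blind injection attempt looks like on the wire.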