TEH3221 – ETHICAL HACKING AND SECURITY ASSESSMENT

Tutorial 9

TCP Handshake with Scapy

Host: Kali
Target: Ubuntu/ another Kali/ BackTrack machine

Windows 7 is not suitable in this exercise, because Microsoft has made the TCP handshake timeout
too short and no longer allows the user to adjust it.

1. Start a netcat listener on Ubuntu by executing one of these commands in a Terminal window
(which one works depends on the netcat variant installed):
nc -l 5555 or nc -lvvp 5555

2. To make sure the netcat listener is listening, open another Terminal window and execute this
command:

netstat -an | grep 5555

3. You should see a TCP socket in the LISTEN state on port 5555.


4. Scapy crafts and sends TCP packets itself, bypassing the kernel's TCP stack. The Linux kernel has
no socket for the source port Scapy uses, so when the target's SYN/ACK arrives it will answer with a
RST and tear the half-open connection down. To prevent that, we need to add an iptables firewall rule
that drops outgoing RST packets.
5. On the Kali machine, execute these commands.

sudo iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP

sudo iptables -L

6. You should see one rule in the OUTPUT chain dropping packets with the RST flag set.
7. As usual, use this command to start Scapy in Kali:
sudo scapy

8. Create an IP object with dst set to the IP address of the Ubuntu target.

9. Create a TCP object towards the Ubuntu target with dport set to 5555 (the netcat listener) and
flags set to "S" (for SYN).
10. Notice that the seq and ack numbers are both 0 in the properties of your TCP object.
11. Show me your result. [2%]
12. Use the sr1 command to send the packet (IP at layer 3, TCP at layer 4) and receive one reply.
You should see the response shown with flags=SA (a SYN/ACK reply). Its ack number is 1,
indicating that it acknowledges your SYN packet with seq = 0. If the reply shows flags=RA (RST/ACK)
instead, nothing is listening on the port you targeted: check steps 1 to 3.
13. Find the seq number in the SYN/ACK reply. Add one (+1) to this number to find the ack value
you must use in the ACK packet that completes the handshake.
14. Change the properties of your TCP object as follows:
flags = "A"
seq = 1
ack = the number computed in step 13

15. Use the send command to send the packet onto the network.
16. On the Linux target machine, in a Terminal window, execute this command:
netstat -an | grep 5555
17. You should see a connection on local port 5555 with a state of ESTABLISHED. If you
don't see the session, it may have timed out. Repeat the steps more quickly: try to get the ACK
sent within 30 seconds of the SYN. A trick that sometimes helps is to send some layer 7 data
along with the ACK. That keeps the session open longer, while the target waits for more layer
7 data.
18. Show me your result. [5%]
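The following is an added worked example, not part of the handout. It builds the same three segments of the handshake (SYN, the target's SYN/ACK, the completing ACK) in plain Python with struct, so the flags check and the seq/ack arithmetic of steps 9 to 15 can be verified offline, without Scapy, a target machine or root. The IP addresses, the client port 40000, the server's initial sequence number and the "hello" payload are constructed stand-ins; the Scapy equivalents are given in comments.

```python
import socket
import struct

# Constructed addresses and ports for the offline example (not from the handout).
KALI_IP = "192.168.56.10"
TARGET_IP = "192.168.56.20"
SPORT = 40000   # client port; the kernel owns no socket here, which is why it would
                # answer the target's SYN/ACK with a RST unless iptables drops it
DPORT = 5555    # the netcat listener from step 1

# Flag letters in the order Scapy prints them ("SA" = SYN+ACK).
FLAG_BITS = (("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08), ("A", 0x10), ("U", 0x20))


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, as TCP uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the TCP checksum (RFC 793)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Build a TCP segment with a 20-byte header (no options) and a valid checksum.
    `flags` uses Scapy's letters, e.g. "S", "SA", "A"."""
    bits = 0
    for letter in flags:
        bits |= dict(FLAG_BITS)[letter]
    offset_flags = (5 << 12) | bits  # data offset = 5 words, then the flag bits
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 8192, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(header) + len(payload)) + header + payload)
    header = header[:16] + struct.pack("!H", csum) + header[18:]
    return header + payload


def parse_tcp(segment: bytes) -> dict:
    """Decode the fields Scapy shows for a TCP layer: ports, seq, ack, flags."""
    sport, dport, seq, ack, offset_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    flags = "".join(letter for letter, bit in FLAG_BITS if offset_flags & bit)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags, "chksum": csum}


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A segment summed together with its own checksum field must give zero."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def ack_for_synack(synack: bytes, our_isn: int = 0) -> tuple:
    """Steps 12-14: confirm the reply is a SYN/ACK acknowledging our SYN (ack == our_isn + 1)
    and return the (seq, ack) pair the completing ACK must carry."""
    reply = parse_tcp(synack)
    if reply["flags"] != "SA":
        raise ValueError("expected SYN/ACK, got flags=%s (RA means nothing is listening)" % reply["flags"])
    if reply["ack"] != (our_isn + 1) & 0xFFFFFFFF:
        raise ValueError("SYN/ACK does not acknowledge our SYN")
    return (our_isn + 1) & 0xFFFFFFFF, (reply["seq"] + 1) & 0xFFFFFFFF


def demo(server_isn: int = 0x1D7C0A33) -> dict:
    """Walk the three segments offline. server_isn stands in for the random
    initial sequence number a real target would pick."""
    # Steps 9-12, Scapy: IP(dst=TARGET_IP)/TCP(sport=SPORT, dport=DPORT, flags="S", seq=0)
    syn = build_tcp(KALI_IP, TARGET_IP, SPORT, DPORT, 0, 0, "S")
    # Constructed SYN/ACK, as the target kernel would answer the SYN above.
    synack = build_tcp(TARGET_IP, KALI_IP, DPORT, SPORT, server_isn, 1, "SA")
    # Steps 13-15, Scapy: TCP(sport=SPORT, dport=DPORT, flags="A", seq=1, ack=server_isn + 1)
    # with a little layer-7 data appended (step 17's trick) so netcat prints something.
    seq, ack = ack_for_synack(synack, our_isn=0)
    final_ack = build_tcp(KALI_IP, TARGET_IP, SPORT, DPORT, seq, ack, "A", b"hello\n")
    return {
        "syn": parse_tcp(syn),
        "synack": parse_tcp(synack),
        "ack": parse_tcp(final_ack),
        "synack_checksum_ok": checksum_ok(TARGET_IP, KALI_IP, synack),
        "ack_checksum_ok": checksum_ok(KALI_IP, TARGET_IP, final_ack),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running the script prints the decoded fields of each segment: the SYN with seq=0, the SYN/ACK with ack=1, and the final ACK with seq=1 and ack=server_isn+1, which is exactly what the sr1 output and the netstat check in steps 12 to 17 should confirm against the real target. The RST/ACK branch in ack_for_synack is what you get when the listener from step 1 is not running.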

Hack This Site [5%]:

1. Login with your registered account.


2. Complete at least 5 levels and show me.
