troubleshooting Question

Can't capture my Spoofed SYN packet by ethereal...

Avatar of gotdough
gotdough asked on
C++
11 Comments2 Solutions446 ViewsLast Modified:
Several days ago I wrote a spoofing SYN c++ program, I execute it on one PC, sending the spoofed syn to my own computer. But I can't see any SYN packets by running ethereal on my own computer. I captured only one IP(but protocol I set in the spoofed syn is TCP) packet, the info is: IPv6 hop-by-hop option(0x00) , and this IP packet used the real source ip, not the spoofed source ip I set in the program... I want to know if there is anything wrong with my program? Can anyone help me? Thanks in advance. Both computers' system are XP, and the program is the following:

int _tmain(int argc, _TCHAR* argv[])
{
                class SpoofSocket spoof_socket;

      WSADATA WSAData;
      int ret=WSAStartup(MAKEWORD(2,2),&WSAData);

      //Create Raw_Socket
      bool ip_hdrincl=true;
      int SendTimeOver=1000;

      SOCKET raw_sock=WSASocket(AF_INET,SOCK_RAW,IPPROTO_IP,NULL,0,WSA_FLAG_OVERLAPPED);                  
      setsockopt(raw_sock,IPPROTO_IP,IP_HDRINCL,(char *)&ip_hdrincl,sizeof(ip_hdrincl));      
      setsockopt(raw_sock,SOL_SOCKET,SO_SNDTIMEO,(char *)&SendTimeOver,sizeof(SendTimeOver));
      
      unsigned int s_ipAddress=inet_addr("192.168.0.103");
      unsigned int d_ipAddress=inet_addr("192.168.0.104");
      unsigned short s_port=2006;
      unsigned short d_port=8000;
      unsigned int seq=0x00000000;
      unsigned int ack=0x00000001;

      //Spoof buffer for sending
      spoof_socket.SetIP_Head_Buffer(s_ipAddress,d_ipAddress);
      spoof_socket.SetTCP_Head_Buffer(s_port,d_port,2,seq,ack+1);
                              
      int len=spoof_socket.tcp_head_len+spoof_socket.ip_head_len;
                                    
      SOCKADDR_IN addr_client1_in;
      addr_client1_in.sin_family=AF_INET;
      addr_client1_in.sin_port=htons(d_port);
      addr_client1_in.sin_addr.S_un.S_addr=d_ipAddress;
                                    
      int send_bytes=sendto(raw_sock,spoof_socket.SendBuffer,len,0,(struct sockaddr*)&addr_client1_in,sizeof(addr_client1_in));
                              
      Console::WriteLine(S"Send one SYN+ACK success!!!");

      closesocket(raw_sock);
      WSACleanup();

      char i;
      cin>>i;
            
      return 0;
}

spoofsocket.cpp:
unsigned short SpoofSocket::checksum(unsigned short *buffer,int size){

      unsigned short cksum=0;
    while(size>1)
      {
            cksum+=*buffer++;
            size-=sizeof(unsigned short);
      }
      if(size)
      {
            cksum+=*(unsigned char*)buffer;
      }
      cksum=(cksum>>16) + (cksum&0xffff);
      cksum+=(cksum>>16);

      return cksum;

};

void SpoofSocket::SetIP_Head_Buffer(unsigned long SourceAddress,unsigned long DestAddress){

      //Set ip_header
      ip_header.h_lenver=(4<<4|sizeof(ip_header)/sizeof(unsigned int));
      ip_header.tos=0;
      ip_header.total_len=htons(sizeof(ip_header)+sizeof(tcp_header));
      ip_header.ident=1;
      ip_header.flags=0;
      ip_header.ttl=(unsigned char)GetTickCount()%87+123;
      ip_header.proto=IPPROTO_TCP;
      ip_header.checksum=0;
      ip_header.sourceIP=SourceAddress;
      ip_header.destIP=DestAddress;
};

void SpoofSocket::SetTCP_Head_Buffer(unsigned short SourcePort,unsigned short DestPort,unsigned char flag,unsigned long seqNumber,unsigned long ackNumber){

      //Set tcp_Header
      tcp_header.th_dport=htons(DestPort);
      tcp_header.th_sport=htons(SourcePort);
      tcp_header.th_seq=htonl(seqNumber);
      tcp_header.th_ack=htonl(ackNumber);
      tcp_header.th_lenres=(sizeof(tcp_header)/4<<4|0);
      tcp_header.th_flags=flag;//flag=2 is SYN; flag=16 is ACK; flag=12 is SYN_ACK
      tcp_header.th_win=htons(512);
      tcp_header.th_urp=0;
      tcp_header.th_sum=0;

      //Set TCP psudHeader
      psd_header.saddr=ip_header.sourceIP;
      psd_header.daddr=ip_header.destIP;
      psd_header.mbz=0;
      psd_header.ptcl=IPPROTO_TCP;
      psd_header.tcpl=htons(sizeof(tcp_header));

      //Get header length
      psd_head_len=sizeof(psd_header);
      tcp_head_len=sizeof(tcp_header);
      ip_head_len=sizeof(ip_header);

      send_buffer=new BYTE[psd_head_len+tcp_head_len];

      //Compute the Checksum value
      memset(send_buffer,0,psd_head_len+tcp_head_len);
      memcpy(send_buffer,&psd_header,psd_head_len);
      memcpy(send_buffer+psd_head_len,&tcp_header,tcp_head_len);
      tcp_header.th_sum=checksum((unsigned short *)send_buffer,psd_head_len+tcp_head_len);

      
      send_buffer=new BYTE[tcp_head_len+ip_head_len];

      //put spoofed IP and TCP header into the SendBuffer
      memset(send_buffer,0,tcp_head_len+ip_head_len);
      memcpy(send_buffer,&ip_header,ip_head_len);
      memcpy(send_buffer+ip_head_len,&tcp_header,tcp_head_len);
      ip_header.checksum=checksum((unsigned short *)send_buffer,ip_head_len+tcp_head_len);

      memset(send_buffer,0,tcp_head_len+ip_head_len);
      memcpy(send_buffer,&ip_header,ip_head_len);
      memcpy(send_buffer+ip_head_len,&tcp_header,tcp_head_len);
      char SendBuffer[60]={0};
      memcpy(SendBuffer,send_buffer,tcp_head_len+ip_head_len);
};

spoofsocket.h
typedef struct ip_head{

      unsigned char h_lenver; //four bits for header length;four bits for IP version
      unsigned char tos;     //eight bits for Type of Service
      unsigned short total_len;// 16bits for total length
      unsigned short ident;
      unsigned short flags; //3flags
      unsigned char ttl;
      unsigned char proto;
      unsigned short checksum;
      unsigned int sourceIP; //32bits source IP
      unsigned int destIP;//32bits destination IP

}IPHEADER;

typedef struct tcp_head{

      unsigned short th_sport;//16bits source port
      unsigned short th_dport;//16bits destination port
      unsigned int th_seq;//32bits sequence number
      unsigned int th_ack;//32bits confirmation number
      unsigned char th_lenres;//four bits for header length;four bits for restoring key words
      unsigned char th_flags;//6flags
      unsigned short th_win;//16bits windows size
      unsigned short th_sum;//16bits checksum
      unsigned short th_urp;//16bits urgent data offsets

}TCPHEADER;

//define TCP pseudHeader
typedef struct ts_head{

      unsigned long saddr;
      unsigned long daddr;
      char mbz;
      char ptcl;//protocol type
      unsigned short tcpl;//TCP length

}PSDHEADER;

class SpoofSocket {

public:
      SpoofSocket(){};
      ~SpoofSocket(){};
      unsigned short checksum(unsigned short *,int);
      void SetIP_Head_Buffer(unsigned long SourceAddress,unsigned long DestAddress);
      void SetTCP_Head_Buffer(unsigned short SourcePort,unsigned short DestPort,unsigned char flag,unsigned long seqNumber,unsigned long ackNumber);
      
      unsigned short psd_sport;
      bool result;
      char SendBuffer[60];
      BYTE * send_buffer;
      int psd_head_len;
      int tcp_head_len;
      int ip_head_len;

      TCPHEADER tcp_header;
      PSDHEADER psd_header;
      IPHEADER ip_header;      
};
Join the community to see this answer!
Join our exclusive community to see this answer & millions of others.
Unlock 2 Answers and 11 Comments.
Join the Community
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 2 Answers and 11 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros