TCP Hijacking

The goals of this assignment are to:

  1. Learn about TCP reset and session injection attacks
  2. Implement both attacks against a vulnerable HTTP client

TCP Hijacking

As with lower layers of the TCP/IP stack, TCP was not designed with security in mind with respect to confidentiality, integrity, availability, or authenticity. In particular, an active network attacker can violate all of these security properties. In this assignment, we will focus on TCP reset attacks (violating availability) and TCP session injection (violating integrity). Both of these attacks are possible due to the lack of enforcement of confidentiality and authenticity.
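The following is an added, receiver-side illustration of the two properties described above; it is example code written for this page, not part of the assignment's victim, server or grader. It models a TCP receiver on constructed segments (no packets are sent) and shows why a naive stack accepts any RST that lands inside its receive window, how the RFC 5961 challenge-ACK rule narrows that to an exact sequence match, and the retransmission-with-different-bytes pattern that an injected segment leaves behind on the wire. The `Receiver` and `Segment` names and the single-key `seen` table are simplifications assumed for the example.

```python
# Added example: receiver-side handling of RST and data segments, modelled on
# constructed input. Illustrative only; not the assignment's own code.
from dataclasses import dataclass, field

MOD = 2 ** 32  # TCP sequence numbers wrap at 2^32


@dataclass
class Segment:
    seq: int
    rst: bool = False
    payload: bytes = b""


@dataclass
class Receiver:
    rcv_nxt: int   # next sequence number the receiver expects
    rcv_wnd: int   # advertised receive window
    # start_seq -> payload of data segments already accepted (simplified:
    # keyed on the segment's first sequence number only)
    seen: dict = field(default_factory=dict)

    def in_window(self, seq: int) -> bool:
        # Modular comparison so the check survives sequence-number wraparound.
        return (seq - self.rcv_nxt) % MOD < self.rcv_wnd

    def naive_rst(self, seg: Segment) -> str:
        """Pre-RFC-5961 behaviour: any RST inside the window aborts the
        connection, so a spoofed RST only needs to land somewhere in rcv_wnd."""
        if seg.rst and self.in_window(seg.seq):
            return "ABORT"
        return "DROP"

    def rfc5961_rst(self, seg: Segment) -> str:
        """RFC 5961 section 3.2: abort only on an exact match of rcv_nxt; an
        in-window RST gets a challenge ACK instead, shrinking the accepted set
        from rcv_wnd values to a single value."""
        if not seg.rst:
            return "IGNORE"
        if seg.seq == self.rcv_nxt:
            return "ABORT"
        if self.in_window(seg.seq):
            return "CHALLENGE_ACK"
        return "DROP"

    def check_data(self, seg: Segment) -> str:
        """Injection indicator: when an on-path party injects a segment, the
        genuine segment for the same range still arrives later and looks like a
        retransmission whose bytes differ from what was already accepted."""
        if seg.rst or not seg.payload:
            return "IGNORE"
        prior = self.seen.get(seg.seq)
        if prior is None:
            self.seen[seg.seq] = seg.payload
            if seg.seq == self.rcv_nxt:
                self.rcv_nxt = (self.rcv_nxt + len(seg.payload)) % MOD
            return "ACCEPT"
        if prior == seg.payload:
            return "RETRANSMIT"
        return "MISMATCHED_RETRANSMIT"  # same range, different bytes: suspicious


def rst_abort_counts(rcv_nxt: int, rcv_wnd: int, guesses) -> tuple:
    """Count how many candidate RST sequence numbers abort the connection
    under the naive policy versus the RFC 5961 policy."""
    naive = rfc = 0
    for g in guesses:
        r = Receiver(rcv_nxt, rcv_wnd)
        naive += r.naive_rst(Segment(seq=g, rst=True)) == "ABORT"
        rfc += r.rfc5961_rst(Segment(seq=g, rst=True)) == "ABORT"
    return naive, rfc


if __name__ == "__main__":
    # Constructed window: expecting seq 1000 with an 8-byte window.
    print("aborts (naive, rfc5961):", rst_abort_counts(1000, 8, range(990, 1020)))
    r = Receiver(rcv_nxt=1000, rcv_wnd=65535)
    print(r.check_data(Segment(seq=1000, payload=b"user=first-arrival")))
    print(r.check_data(Segment(seq=1000, payload=b"user=second-copy")))
```

The two RST policies differ only in how much of the window they accept, which is exactly the gap a spoofer relies on; the data check is the kind of heuristic an IDS uses to flag overlapping segments with mismatched content rather than something the victim container on this page does.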

You will play the role of the active attacker that is positioned between a victim HTTP client and a remote service located at http://class.diverge.dev:1300/login. Canvas contains a container image named netsec_tcp_hijacking_victim.img.xz that contains the victim. The client simply loops forever, executing periodic HTTP POSTs to the remote service. To run the image, do the following.

docker run -it --rm --name=netsec_tcp_hijacking_victim netsec_tcp_hijacking_victim

For this assignment, you can obtain the required on-path vantage point by either running your code directly on the host or running it in a container with access to the host network namespace (using --network=host).

With the victim running, your objectives are the following.

  1. Prevent the victim from contacting the remote service using spoofed TCP RSTs.
  2. Tamper with the victim’s HTTP request, changing the username and password in the HTTP request body to your @northeastern.edu email address and an arbitrary password, respectively.

As usual, your attack should be provided as a container with the following interface.

docker run -it --rm                         \
    --name=netsec_tcp_hijacking_attacker    \
    --network=host                          \   # Upstream vantage point
    netsec_tcp_hijacking_attacker           \
    {{reset|inject}}                        \   # Attack type
    {{victim_interface}}                    \   # Interface to send traffic to victim
    {{server_interface}}                        # Interface to send traffic to server

The attack container should print the following JSON object to stdout when performing an injection attack, and nothing else. Feel free to write to stderr for debugging purposes.

{
    "id": "{{NU email address}}",
    "username": "{{injected username}}",
    "password": "{{injected password}}",
    "timestamp": "{{attack timestamp as UNIX seconds since epoch}}"
}

Submission Instructions

Package your solution as a gzipped TAR archive. Your solution should expand to the following directory structure.

$ tree -F tcp_hijacking
tcp_hijacking
├── Dockerfile
└── src/

The source code to your solution should be contained in src/. Your Dockerfile should, when processed using docker, create a container image that runs your solution using the aforementioned command-line interface.

Submit the solution archive to Canvas.


© 2023 wkr