├── COPYING
├── README.md
└── tcp-connection-hijack-reset.py


/COPYING:
--------------------------------------------------------------------------------
 1 |             DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
 2 |                     Version 2, December 2004
 3 | 
 4 |  Copyright (C) 2012 Mike Kazantsev <mk.fraggod@gmail.com>
 5 | 
 6 |  Everyone is permitted to copy and distribute verbatim or modified
 7 |  copies of this license document, and changing it is allowed as long
 8 |  as the name is changed.
 9 | 
10 |             DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
11 |    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
12 | 
13 |   0. You just DO WHAT THE FUCK YOU WANT TO.
14 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | tcp-connection-hijack-reset
 2 | --------------------
 3 | 
 4 | Simple [scapy](http://www.secdev.org/projects/scapy/) + iptables/ipsets + nflog
 5 | tool to hijack and reset existing TCP connections (for both ends), established
 6 | from other pids.
 7 | 
 8 | Purpose is not some malicious DoS attacks but rather kicking hung state-machines
 9 | in otherwise nice software, while making the whole thing look like a random net
10 | hiccup, which most apps are designed to handle.
11 | 
12 | If NFLOG is used (to get packets that should not pass netfilter, for instance),
13 | requires [scapy-nflog-capture](https://github.com/mk-fg/scapy-nflog-capture).
14 | 
15 | 
16 | Usage
17 | --------------------
18 | 
19 | - Create "conn_cutter" ipset: `ipset create conn_cutter hash:ip,port`
20 | 
21 | - Create "conn_cutter" chain (some lines wrapped):
22 | 
23 | 	```
24 | 	-A conn_cutter ! -p tcp -j RETURN
25 | 	-A conn_cutter -m set ! --match-set conn_cutter src,src -j RETURN
26 | 	-A conn_cutter -p tcp -m recent --set --name conn_cutter --rsource
27 | 	-A conn_cutter -p tcp -m recent ! --rcheck --seconds 20\
28 | 		--hitcount 2 --name conn_cutter --rsource -j NFLOG
29 | 	-A conn_cutter -p tcp -m recent ! --rcheck --seconds 20\
30 | 		--hitcount 2 --name conn_cutter --rsource -j REJECT --reject-with tcp-reset
31 | 	```
32 | 
33 | 	Note that due to one global "recent" netfilter tag used above, only one
34 | 	connection can be cut in 20 seconds (others will pass through this chain
35 | 	unharmed).
36 | 
37 | 	This is done in case of rare pids which may bind() outgoing socket to a
38 | 	constant port, so that packets of the reconnection attempt from the same port
39 | 	won't get matched and pass.
40 | 
41 | - Update "OUTPUT" chain:
42 | 
43 | 	```
44 | 	-I OUTPUT -j conn_cutter
45 | 	```
46 | 
47 | 	That should be strictly *before* rules like `--state RELATED,ESTABLISHED -j
48 | 	ACCEPT`.
49 | 
50 | - Run: `tcp-connection-hijack-reset.py conn_cutter --pid 1234 --debug`
51 | 
52 | 	Will pick single TCP connection of a specified pid (or raise error if there's
53 | 	more than one) and cut it, with a lots of noise about what it's doing (due to
54 | 	"--debug").
55 | 
56 | - Result: both endpoints should reliably get single RST packet and connection
57 | 	closed promptly.
58 | 
59 | See [this
60 | post](http://blog.fraggod.net/2013/04/08/tcp-hijacking-for-the-greater-good.html)
61 | on more details about what it all means and why it's there.
62 | 
63 | 
64 | Similar tools
65 | --------------------
66 | 
67 | - [dsniff](http://www.monkey.org/~dugsong/dsniff/) - has "tcpkill" binary that
68 | 	does very similar thing.
69 | 
70 | - [tcpkill](https://github.com/chartbeat/tcpkill) - standalone tcpkill tool from
71 | 	dsniff.
72 | 
73 | - [cutter](http://www.digitage.co.uk/digitage/software/cutter) - aims to solve
74 | 	similar problem, but on a router box (seem to work with conntrack tables
75 | 	only), and with some strange methods (generating noise on connection to get
76 | 	seq, which doesn't seem to work at all).
77 | 


--------------------------------------------------------------------------------
/tcp-connection-hijack-reset.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | from __future__ import print_function
  3 | 
  4 | from scapy.all import *
  5 | 
  6 | import itertools as it, operator as op, functools as ft
  7 | from subprocess import Popen, PIPE
  8 | from os.path import join
  9 | import os, sys, signal, re
 10 | 
 11 | 
 12 | class ConnMultipleMatches(Exception): pass
 13 | class ConnNotFound(Exception): pass
 14 | 
 15 | 
 16 | def get_endpoints(pid=None, port_local=None, port_remote=None):
 17 | 	if pid: matches = list(get_endpoints_by_pid(pid))
 18 | 	else:
 19 | 		matches = list(get_endpoints_by_port(
 20 | 			port_local=None, port_remote=None ))
 21 | 
 22 | 	if not matches: raise ConnNotFound()
 23 | 	if len(matches) > 1: raise ConnMultipleMatches(matches)
 24 | 
 25 | 	local, remote = matches[0]
 26 | 	return (inet_ntoa(struct.pack('<I', local[0] & 0xffffffff)), local[1]),\
 27 | 		(inet_ntoa(struct.pack('<I', remote[0] & 0xffffffff)), remote[1])
 28 | 
 29 | def get_endpoints_by_port(port_local=None, port_remote=None):
 30 | 	'Lookup connection for a specified port(s) in /proc/net/tcp table.'
 31 | 	assert port_local or port_remote, (port_local, port_remote)
 32 | 	with open('/proc/net/tcp') as src:
 33 | 		src = iter(src)
 34 | 		next(src) # skip header line
 35 | 		for line in src:
 36 | 			local, remote = (
 37 | 				tuple(int(v, 16) for v in ep.split(':'))
 38 | 				for ep in op.itemgetter(1, 2)(line.split()) )
 39 | 			for ep, port in [(local, port_local), (remote, port_remote)]:
 40 | 				if ep[1] == port: break
 41 | 			else: continue
 42 | 			yield local, remote
 43 | 
 44 | def get_endpoints_by_pid(pid):
 45 | 	'Lookup connection(s) for a specified pid.'
 46 | 	assert isinstance(pid, int), pid
 47 | 	conns = dict()
 48 | 	with open('/proc/net/tcp') as src:
 49 | 		src = iter(src)
 50 | 		next(src) # skip header line
 51 | 		for line in src:
 52 | 			line = line.split()
 53 | 			conns[line[9]] = line[1], line[2]
 54 | 	pid_fds = '/proc/{}/fd'.format(pid)
 55 | 	for fd in os.listdir(pid_fds):
 56 | 		match = re.search(r'^socket:\[(\d+)\]$', os.readlink(join(pid_fds, fd)))
 57 | 		if not match: continue
 58 | 		try: match = conns[match.group(1)]
 59 | 		except KeyError: continue
 60 | 		yield tuple(tuple(int(v, 16) for v in ep.split(':')) for ep in match)
 61 | 
 62 | 
 63 | def ipset_update(cmd, name, ip, port):
 64 | 	if name is None: return
 65 | 	assert cmd in ['add', 'del'], cmd
 66 | 	log.debug('Updating ipset {!r} ({} {}:{})'.format(name, cmd, ip, port))
 67 | 	if Popen(['ipset', '-!', cmd, name, '{},{}'.format(ip, port)]).wait():
 68 | 		raise RuntimeError('Failed running ipset command, see error output above.')
 69 | 
 70 | 
 71 | 
 72 | class TCPBreaker(Automaton):
 73 | 
 74 | 	ss_filter_port_local = ss_filter_port_remote = None
 75 | 	ss_remote, ss_intercept = None, None
 76 | 
 77 | 	def __init__(self, port_local, port_remote, timeout=False, **atmt_kwz):
 78 | 		self.ss_filter_port_local, self.ss_filter_port_remote = port_local, port_remote
 79 | 		self.ss_timeout = timeout
 80 | 		atmt_kwz.setdefault('store', False)
 81 | 		atmt_kwz.setdefault( 'filter',
 82 | 			( 'tcp and ((src port {sport} and dst port {dport})'
 83 | 				' or (dst port {sport} and src port {dport}))' )\
 84 | 			.format(sport=port_local, dport=port_remote) )
 85 | 		super(TCPBreaker, self).__init__(**atmt_kwz)
 86 | 
 87 | 	def pkt_filter(self, pkt):
 88 | 		'Filter packets by ports in case of capture filter leaks or dissector bugs.'
 89 | 		if {pkt[TCP].sport, pkt[TCP].dport} == {self.ss_filter_port_local, self.ss_filter_port_remote}:
 90 | 			return pkt[IP].dst if pkt[TCP].sport == self.ss_filter_port_local else pkt[IP].src
 91 | 		raise KeyError
 92 | 
 93 | 	@ATMT.state(initial=1)
 94 | 	def st_seek(self):
 95 | 		log.debug('Waiting for noise on the session')
 96 | 
 97 | 	@ATMT.receive_condition(st_seek)
 98 | 	def check_packet(self, pkt):
 99 | 		log.debug('Session check, packet: {}'.format(pkt.summary()))
100 | 		try: remote = self.pkt_filter(pkt)
101 | 		except KeyError: return
102 | 		raise self.st_collect(pkt).action_parameters(remote)
103 | 	@ATMT.action(check_packet)
104 | 	def break_link(self, remote):
105 | 		if not self.ss_remote:
106 | 			log.debug('Found session (remote: {})'.format(remote))
107 | 			self.ss_remote = remote
108 | 
109 | 	@ATMT.timeout(st_seek, 1) # yep, hard-coded 1s timeout
110 | 	def interception_done(self):
111 | 		if self.ss_remote and self.ss_intercept:
112 | 			log.debug('Captured seq, proceeding to termination')
113 | 			raise self.st_rst_send()
114 | 
115 | 	@ATMT.state()
116 | 	def st_collect(self, pkt):
117 | 		log.debug('Collected: {!r}'.format(pkt))
118 | 		self.ss_intercept = pkt # only last one matters
119 | 		raise (self.st_rst_send if not self.ss_timeout else self.st_seek)()
120 | 
121 | 	@ATMT.state()
122 | 	def st_rst_send(self):
123 | 		pkt_ip, pkt_tcp = op.itemgetter(IP, TCP)(self.ss_intercept)
124 | 		ordered = lambda k1,v1,k2,v2,pkt_dir=(pkt_ip.dst == self.ss_remote):\
125 | 			dict(it.izip((k1,k2), (v1,v2) if pkt_dir else (v2,v1)))
126 | 		rst = IP(**ordered('src', pkt_ip.src, 'dst', pkt_ip.dst))\
127 | 			/ TCP(**dict(it.chain.from_iterable(p.viewitems() for p in (
128 | 				ordered('sport', pkt_tcp.sport, 'dport', pkt_tcp.dport),
129 | 				ordered('seq', pkt_tcp.seq, 'ack', pkt_tcp.ack),
130 | 				dict(flags=b'R', window=pkt_tcp.window) ))))
131 | 		rst[TCP].ack = 0
132 | 		log.debug('Sending RST: {!r}'.format(rst))
133 | 		send(rst)
134 | 
135 | 		# Finish
136 | 		os.kill(os.getpid(), signal.SIGINT)
137 | 		self.stop()
138 | 
139 | 
140 | 
141 | def main(argv=None):
142 | 	import argparse
143 | 	parser = argparse.ArgumentParser(
144 | 		description='TCP connection breaking tool.'
145 | 			' Finds connection with a specified parameters and adds local'
146 | 				' ip:port to the specified ipset, so firewall can cut it on first activity'
147 | 				' (with something like "-j REJECT --reject-with tcp-reset").'
148 | 			' Also uses captured traffic to get connection sequence number and send'
149 | 				' RST packet to remote endpoint, removing ip:port from ipset upon success.')
150 | 
151 | 	parser.add_argument('ipset_name', nargs='?',
152 | 		help='Name of the ipset to temporarily insert local ip:port to.'
153 | 			' Should be used in some iptables filter rule, rejecting outgoing'
154 | 				' packets matching it with tcp-reset packet (see README for examples).'
155 | 			' If not specified, no ipset updates will be performed and raw-socket'
156 | 				' capture interface will be used (as packet will presumably make it through netfilter).')
157 | 
158 | 	parser.add_argument('--pid', type=int,
159 | 		help='Process ID to terminate connection of.')
160 | 	# parser.add_argument('-i', '--interactive', action='store_true',
161 | 	# 	help='With --pid option, allow to pick connection in CLI, if there is more then one.')
162 | 
163 | 	parser.add_argument('--port', type=int,
164 | 		help='TCP port of local (unless --remote-port is specified) connection to close.')
165 | 	parser.add_argument('-d', '--remote-port', action='store_true',
166 | 		help='Treat port argument as remote, not local one.')
167 | 
168 | 	parser.add_argument('-c', '--capture', metavar='driver',
169 | 		help='Either "raw" or "nflog". Default is "nflog" if ipset name is'
170 | 			' specified as an argument (since packet should not pass through'
171 | 			' netfilter in this case), otherwise "raw".')
172 | 	parser.add_argument('--debug', action='store_true', help='Verbose operation mode.')
173 | 	optz = parser.parse_args(sys.argv[1:] if argv is None else argv)
174 | 
175 | 	import logging
176 | 	logging.basicConfig(level=logging.DEBUG if optz.debug else logging.INFO)
177 | 	global log
178 | 	log = logging.getLogger()
179 | 
180 | 	if not optz.capture:
181 | 		optz.capture = 'nflog' if optz.ipset_name else 'raw'
182 | 		if optz.capture == 'nflog': log.debug('Using nflog packet capture interface')
183 | 	elif optz.capture not in ['nflog', 'raw']:
184 | 		parser.error('Only "nflog" or "raw" values are'
185 | 			' supported with --capture option, not {!r}'.format(optz.capture))
186 | 
187 | 	# It should be traffic to/from same machine - no promisc-mode necessary
188 | 	conf.promisc = conf.sniff_promisc = False
189 | 	# Disables "Sent 1 packets." line
190 | 	conf.verb = False
191 | 
192 | 	if optz.capture == 'nflog':
193 | 		from scapy_nflog import install_nflog_listener
194 | 		install_nflog_listener()
195 | 
196 | 	if optz.port:
197 | 		local, remote = get_endpoints(
198 | 			**{'port_local' if not optz.remote_port else 'port_remote': optz.port} )
199 | 	elif optz.pid: local, remote = get_endpoints(pid=optz.pid)
200 | 	else: parser.error('No connection-picking criterias specified.')
201 | 
202 | 	log.debug('Found connection: {0[0]}:{0[1]} -> {1[0]}:{1[1]}'.format(local, remote))
203 | 
204 | 	ipset_update('add', optz.ipset_name, *local)
205 | 	try: TCPBreaker(port_local=local[1], port_remote=remote[1], timeout=True).run()
206 | 	finally: ipset_update('del', optz.ipset_name, *local)
207 | 
208 | 
209 | if __name__ == '__main__': sys.exit(main())
210 | 


--------------------------------------------------------------------------------