
I'm in no way a networking expert so there is possibly something obvious I am missing here. I'm attempting to rewrite a database query within a TCP payload. I have been able to get this to work for a single scenario but for others it is not working and I don't know why.

Got to Work:

Changing - 'select * from test1' TO 'select * from test2'

Doesn't Work:

Changing - 'Select * from test1' TO 'select * from test50'

  • Is this not working due to a change in the size of the payload?

Here is an example of my code:

import nfqueue
from scapy.all import *
import os
import socket
import sys

# Queue every outgoing TCP segment destined for port 8008 so the callback sees it.
iptable_change = "iptables -A OUTPUT -p tcp --dport 8008 -j NFQUEUE"
os.system(iptable_change)


def callback(payload):
    # Parse the raw bytes handed over by NFQUEUE as an IP packet.
    data = payload.get_data()
    pkt = IP(data)
    if pkt.src == '127.0.0.1' and pkt.haslayer(Raw) and 'test1' in pkt[Raw].load:
        # Rewrite the TCP payload and drop the checksums so scapy recomputes them.
        pkt[TCP].payload = str(pkt[TCP].payload).replace("test1", "test50")
        del pkt[IP].chksum
        del pkt[TCP].chksum
        # Hand the modified packet back to the kernel.
        payload.set_verdict_modified(nfqueue.NF_ACCEPT, str(pkt), len(pkt))
    else:
        # Every queued packet needs a verdict, or it stays stuck in the queue.
        payload.set_verdict(nfqueue.NF_ACCEPT)


def main():
    q = nfqueue.queue()
    q.open()
    q.bind(socket.AF_INET)
    q.set_callback(callback)
    q.create_queue(0)  # queue number 0 matches the default of the NFQUEUE target
    try:
        q.try_run()
    except KeyboardInterrupt:
        q.unbind(socket.AF_INET)
        q.close()


if __name__ == "__main__":
    main()

Is there something I am missing here? Because I am changing a db query do packets need to be handled differently?

Jason
  • Possible duplicate of [Change TCP Payload with nfqueue/scapy](https://stackoverflow.com/questions/27293924/change-tcp-payload-with-nfqueue-scapy). In short: you have to change `pkt[IP].len` too. And of course you would also need to make changes to all following packets and replies since after changing the length of a single packet the sequence numbers need to be fixed everywhere. – Steffen Ullrich Mar 19 '18 at 20:09
  • I've tried changing the pkt[IP].len to no avail. The request I am changing is the final request before the server response. Would the server response need to be changed as well? – Jason Mar 20 '18 at 02:40
  • Everything after the changed packet needs to be changed too. The server response includes an ACK for the client's packet. Since you've increased the length of the client's packet, the ACK will acknowledge a sequence number which wasn't used by the client yet, and thus the packet from the server will be discarded since it does not match the current connection. – Steffen Ullrich Mar 20 '18 at 03:32
  • @SteffenUllrich, Everything you said makes sense. I figured something like that was happening on the server side. Thanks for the detailed response! – Jason Mar 20 '18 at 20:04

1 Answer


If you change the length of a TCP packet, then you have to fix the following sequence and acknowledgment numbers... which is hard.

If you need to tamper with the content of a TCP connection, I'd suggest you just DNAT the connection to a TCP proxy you write (a simple TCP server that establishes a connection to the original server and forwards the data between the two endpoints). This way, you let your host's network stack deal with TCP sequence and acknowledgment numbers.

Pierre
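A minimal version of the DNAT-plus-proxy design the answer describes, added here as an example and not the answerer's code: Python 3, assuming the database server listens on 127.0.0.1:8008, the proxy on 127.0.0.1:8009, and a dedicated user "proxy" used for the owner match in the iptables rule. The proxy rewrites only the client-to-server direction, and because it terminates both TCP connections the kernel handles sequence and acknowledgment numbers on each side.

```python
import socket
import threading

def rewrite_query(data: bytes) -> bytes:
    """Rewrite one chunk of client->server data (constructed rule for the
    question's scenario). TCP is a byte stream, so a pattern split across two
    recv() calls is not matched; a real proxy buffers whole messages first."""
    return data.replace(b"test1", b"test50")

def pump(src, dst, transform=None):
    """Copy bytes src->dst until EOF, rewriting each chunk if asked. The proxy
    terminates both TCP connections, so the host's stack numbers each side on
    its own and a changed payload length needs no seq/ack fix-up."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(transform(chunk) if transform else chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # propagate EOF to the other side
        except OSError:
            pass

def handle(client, upstream_addr):
    server = socket.create_connection(upstream_addr)
    back = threading.Thread(target=pump, args=(server, client), daemon=True)
    back.start()
    pump(client, server, rewrite_query)  # only client->server is rewritten
    back.join()
    client.close()
    server.close()

def serve(listen_addr, upstream_addr):
    with socket.socket() as ls:
        ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        ls.bind(listen_addr)
        ls.listen()
        while True:
            conn, _ = ls.accept()
            threading.Thread(target=handle, args=(conn, upstream_addr), daemon=True).start()

if __name__ == "__main__":
    # Assumed layout: DB server on 127.0.0.1:8008, proxy on 127.0.0.1:8009. Redirect local
    # clients to the proxy but not the proxy's own upstream connection, or the rule loops
    # on itself (run the proxy as a dedicated user "proxy"):
    #   iptables -t nat -A OUTPUT -p tcp --dport 8008 -m owner ! --uid-owner proxy -j REDIRECT --to-ports 8009
    serve(("127.0.0.1", 8009), ("127.0.0.1", 8008))
```

The third assertion below shows the stream-boundary caveat from the docstring: a query whose pattern straddles two reads passes through unchanged unless the proxy reassembles messages first.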