Lab on TCP Spoofing


7/27/2019 Lab on TCP Spoofing

Benjamin Holmes
Lab 6

======================================
Task 1:

I entered

$ sudo ufw status verbose

and got

Bacter@bactercomp:~$ sudo ufw status verbose
[sudo] password:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip
Bacter@bactercomp:~$

========================================
Task 2:

I used LKM and netfilter to implement the packet filtering module. It supports the rules as detailed in the above section.

$ cd LKM
$ make
$ sudo insmod samplefw.ko

then

$ gcc -Wall -o sampleFirewall sampleFirewall.c
$ sudo ./sampleFirewall --in --proto ALL --action BLOCK
$ ping www.google.com

and wasn't able to ping google.

========================================
Question 1:

Netfilter supports the following hooks:

1. NF_ACCEPT: continue traversal as normal.
2. NF_DROP: drop the packet; don't continue traversal.
3. NF_STOLEN: I've taken over the packet; don't continue traversal.
4. NF_QUEUE: queue the packet (usually for userspace handling).
5. NF_REPEAT: call this hook again.

An example of a packet going through netfilter:

Packets come in from the left, and are checked to make sure they aren't truncated, have good IP checksums, and aren't promiscuous receives.

1 = NF_IP_PRE_ROUTING

Then they go to routing code, which decides if the packet is going to another interface or a local process. If it's local, we go to

2 = NF_IP_LOCAL_IN

then it's passed to the local process. If it's supposed to go to another interface, it goes to

3 = NF_IP_FORWARD

then passes the

4 = NF_IP_POST_ROUTING

hook, and then is sent back onto the wire.

If a process is created locally, the

5 = NF_IP_LOCAL_OUT

hook is applied to it, and it's passed through this then routed.

Question 2:

For ingress filtering, a hook should be placed after routing, and before the packet is sent to the local machine.

For egress filtering, a hook should be placed before routing, and after the filter and routing the packet is sent out.
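The following is an added example, not part of this lab report or its sampleFirewall code: the verdict logic a netfilter hook function would run for the Task 2 rule and the Question 2 hook placement, written in plain C so it compiles in user space. It assumes a hypothetical rule struct mirroring the --in/--out, --proto and --action options with first-match-wins ordering; the hook and verdict numbers are the kernel's own.

```c
/* Added example, not the lab's own code: the verdict logic a netfilter hook
 * function would run, written as plain C so it compiles without kernel headers.
 * Verdict and hook numbers are the kernel's; the rule struct is a hypothetical
 * stand-in for the sampleFirewall options (--in/--out, --proto, --action). */
#include <stdint.h>
#include <stddef.h>

#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_INET_LOCAL_IN  1   /* ingress hook: after routing, before local delivery */
#define NF_INET_LOCAL_OUT 3   /* egress hook: locally generated, before routing */
#define PROTO_ALL (-1)        /* constructed wildcard for "--proto ALL" */

enum dir { DIR_IN, DIR_OUT };
enum act { ACT_BLOCK, ACT_UNBLOCK };
struct rule { enum dir dir; int proto; enum act act; };

/* Decide the fate of an IPv4 packet seen at 'hooknum'; 'pkt' points at the IP header. */
unsigned int firewall_verdict(unsigned int hooknum, const uint8_t *pkt, size_t len,
                              const struct rule *rules, size_t nrules)
{
    enum dir d;
    if (hooknum == NF_INET_LOCAL_IN)       d = DIR_IN;
    else if (hooknum == NF_INET_LOCAL_OUT) d = DIR_OUT;
    else return NF_ACCEPT;                 /* only the two local hooks are filtered */

    if (len < 20 || (pkt[0] >> 4) != 4) return NF_DROP;  /* truncated or not IPv4 */
    int proto = pkt[9];                    /* protocol field: 1 ICMP, 6 TCP, 17 UDP */

    for (size_t i = 0; i < nrules; i++) {  /* first matching rule wins */
        if (rules[i].dir != d) continue;
        if (rules[i].proto != PROTO_ALL && rules[i].proto != proto) continue;
        return rules[i].act == ACT_BLOCK ? NF_DROP : NF_ACCEPT;
    }
    return NF_ACCEPT;                      /* no rule matched: default policy is accept */
}

/* Task 2 scenario: one rule "--in --proto ALL --action BLOCK", then a ping.
 * The packet is a constructed IPv4/ICMP header, 192.0.2.1 -> 192.0.2.2. */
unsigned int ping_verdict(unsigned int hooknum)
{
    const struct rule rules[] = { { DIR_IN, PROTO_ALL, ACT_BLOCK } };
    const uint8_t hdr[20] = { 0x45, 0, 0, 0x54, [8] = 64, [9] = 1,
                              [12] = 192, 0, 2, 1, [16] = 192, 0, 2, 2 };
    /* LOCAL_OUT: the echo request leaves; LOCAL_IN: the echo reply is dropped. */
    return firewall_verdict(hooknum, hdr, sizeof hdr, rules, 1);
}
```

Because only LOCAL_IN and LOCAL_OUT are inspected, the same ICMP header seen at PRE_ROUTING (hook 0) passes untouched, which is why the ping's outgoing request is sent but no reply ever reaches the process.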


Question 3:

Netfilter should just filter packets, not change them. However, the netfilter module iptable_mangle allows for modification of packets.

=============================================
Task 3

I set up two VMs, one on my laptop, called bactercomp, and one on my PC at home, called bacterHome. Using

$ sudo ufw deny out port 23

when I tried to connect, I got dropped packets.

Using the commands

$ sudo ufw deny out to 69.63.176.13
$ sudo ufw deny out to 69.63.181.15
$ sudo ufw deny out to 69.63.184.142
$ sudo ufw deny out to 69.63.187.17
$ sudo ufw deny out to 69.63.187.18

this seemed to block all possibility of accessing facebook.

3a:

$ ssh -L 8000:10.4.24.177:23 [email protected]

I was able to observe what was happening over the wire with wireshark:

$ ssh remote-host "tcpdump -s0 -w - 'port 8080'" | wireshark -k -i -

I can see the packets entering the wire without filtering - a result of the tunneling that happens.

3b:

I run firefox, and I'm able to see the facebook page normally.

Once I close firefox, break the ssh, clear the cache, and try to re-open, I'm unable to see the site. The page says it's unable to connect to that IP address.

I establish the SSH, and again I'm able to view firefox.

I can see on wireshark how the SSH breaks the egress filtering. The SSH creates a tunnel that simply connects the computer directly to the net - totally bypassing the filter. It forces the packets through another computer and port.

======================================
Question 4:

Yes, you can set up an SSH tunnel on another channel - but BOTH computers need to agree to use that channel for SSHing.
=======================================

Attached are the files I used!