Logo

0x5a.live

for different kinds of informations and explorations.

GitHub - kpcyrd/rshijack: TCP connection hijacker, Rust rewrite of shijack

TCP connection hijacker, Rust rewrite of shijack. Contribute to kpcyrd/rshijack development by creating an account on GitHub.

Visit SiteGitHub - kpcyrd/rshijack: TCP connection hijacker, Rust rewrite of shijack

GitHub - kpcyrd/rshijack: TCP connection hijacker, Rust rewrite of shijack

TCP connection hijacker, Rust rewrite of shijack. Contribute to kpcyrd/rshijack development by creating an account on GitHub.

Powered by 0x5a.live 💗

rshijack Crates.io

tcp connection hijacker, rust rewrite of shijack from 2001.

This was written for TAMUctf 2018, brick house 100. The target was a telnet server that was protected by 2FA. Since the challenge wasn't authenticated, there have been multiple solutions for this. Our solution (cyclopropenylidene) was waiting until the authentication was done, then inject a tcp packet into the telnet connection:

# if you don't know one of the ports use 0 to match any port
echo 'cat ~/.ctf_flag' | sudo rshijack tap0 172.16.13.20:37386 172.16.13.19:23

After some attempts this command was accepted and executed by the telnet server, resulting in a tcp packet containing the flag.

screenshot

The way this works is by sniffing for a packet of a specific connection, then read the SEQ and ACK fields. Using that information, it's possible to send a packet on a raw socket that is accepted by the remote server as valid.

The other tools in that screenshot are sniffglue and arpspoof.

Installation

Arch Linux

pacman -S rshijack

Docker

If needed, rshijack can be pulled as a docker image. The image is currently about 10.2MB.

docker run -it --init --rm --net=host kpcyrd/rshijack eth0 172.16.13.20:37386 172.16.13.19:23

Notable mentions

License

GPLv3+

Rust Resources

are all listed below.

Resources

listed to get explored on!!

Made with ❤️

to provide different kinds of informations and resources.