As we know, when we send a TCP request to a server, our OS specifies the SOURCE port. For example: DESTINATION_PORT: 80, SOURCE_PORT: 65123. When the server replies to us, it uses that SOURCE_PORT as the destination.
Imagine the following scenario:
1 single network:
SERVER - very slow HTTP server
PC1 - victim, client that sends requests to SERVER
PC2 - hacker
PC1 -> SERVER: SOURCE_PORT: 65123, DESTINATION_PORT: 80
SERVER -> PC1: SOURCE_PORT: 80, DESTINATION_PORT: 65123
Question:
Can PC2 send data to PC1's source port and replace the response from SERVER?
Like this:
PC1 -> SERVER: SOURCE_PORT: 65123, DESTINATION_PORT: 80
PC2 -> PC1: SOURCE_PORT: 80, DESTINATION_PORT: 65123
CodePudding user response:
This is doable. With low-level access to the network (usually root access rights on some Linux machine are enough), you can fabricate packets, including their source IP address and TCP port. This is the same mechanism nmap uses for its decoy scan.
As mentioned by Ron Maupin, there are some more fields in the TCP packets that must match and be as expected for the attack you have described to work, so this is not easy to perform. And even if the fields match, it is likely that, due to the inconsistencies introduced into the communication, the socket will be closed afterwards.
It would be much easier for PC2 to perform a Man-in-the-Middle attack (easy to do in local networks) and then replace the content of the communication between PC1 and SERVER.