Tags: security, network-programming, network-security

Can I replace the response from server to client using the client's SOURCE_PORT?


As we know, when we send a TCP request to a server, our OS specifies the SOURCE port. For example: DESTINATION_PORT: 80, SOURCE_PORT: 65123. When the server replies to us, it uses SOURCE_PORT.

Imagine the following scenario, on one single network:
SERVER - very slow HTTP server
PC1 - victim, client that sends requests to SERVER
PC2 - hacker

PC1 -> SERVER: SOURCE_PORT: 65123, DESTINATION_PORT: 80
SERVER -> PC1: SOURCE_PORT: 80, DESTINATION_PORT: 65123

Question:
Can PC2 send data to PC1's source port and replace the response from SERVER?
Like this:
PC1 -> SERVER: SOURCE_PORT: 65123, DESTINATION_PORT: 80
PC2 -> PC1: SOURCE_PORT: 80, DESTINATION_PORT: 65123


Solution

  • This is doable. With low-level access to the network (usually root access rights on some Linux machine are enough), you can fabricate packets, including their source IP address and TCP port. This is the same mechanism nmap uses for its decoy scan.

    As mentioned by Ron Maupin, there are some more fields in the TCP packets that must match and be as expected for the attack you have described to work, so this is not easy to perform. And even if the fields match, it is likely that, due to the inconsistencies introduced into the communication, the socket will be closed afterwards.

    It would be much easier for PC2 to perform a man-in-the-middle attack (easy to do in local networks) and then replace the content of the communication between PC1 and SERVER.
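To make the "more fields must match" point concrete, here is an added example (not part of the original question or answer) that models the receiver-side checks a TCP endpoint applies before it will deliver a segment to the socket: the 4-tuple must match an existing connection, the sequence number must fall inside the receive window (the acceptability test from RFC 793 / RFC 9293 section 3.10.7.4), and the acknowledgement number must not point beyond data the endpoint has actually sent. The endpoint state, addresses and segments below are constructed for illustration, not captured traffic; the behaviour is a simplified model, not a particular operating system's TCP stack.

```python
"""Model of why a segment with the right ports is still dropped unless its
sequence/ack numbers match the receiver's state (added example, constructed data)."""
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_in_range(lo: int, x: int, hi: int) -> bool:
    """True if lo <= x < hi in modular sequence arithmetic (range narrower than 2**31)."""
    return ((x - lo) % MOD) < ((hi - lo) % MOD)


@dataclass
class Endpoint:
    """The victim's (PC1's) view of one established connection."""
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    rcv_nxt: int   # next sequence number PC1 expects from SERVER
    rcv_wnd: int   # bytes PC1 is currently willing to accept
    snd_una: int   # oldest unacknowledged byte PC1 has sent
    snd_nxt: int   # next sequence number PC1 will send


@dataclass
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    ack: int
    payload_len: int


def seq_acceptable(ep: Endpoint, seg: Segment) -> bool:
    """RFC 9293 3.10.7.4: some byte of the segment must lie inside the receive window."""
    end = (ep.rcv_nxt + ep.rcv_wnd) % MOD
    if seg.payload_len == 0:
        if ep.rcv_wnd == 0:
            return seg.seq == ep.rcv_nxt
        return seq_in_range(ep.rcv_nxt, seg.seq, end)
    if ep.rcv_wnd == 0:
        return False  # window closed: no data accepted
    last = (seg.seq + seg.payload_len - 1) % MOD
    return seq_in_range(ep.rcv_nxt, seg.seq, end) or seq_in_range(ep.rcv_nxt, last, end)


def ack_acceptable(ep: Endpoint, seg: Segment) -> bool:
    """RFC 9293: an ACK for data not yet sent (ack > SND.NXT) is dropped; older ACKs are tolerated."""
    ahead = (seg.ack - ep.snd_nxt) % MOD
    return not (0 < ahead < (1 << 31))


def classify(ep: Endpoint, seg: Segment) -> str:
    """Return what the receiving stack does with an incoming segment."""
    tuple_ok = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port) == (
        ep.remote_ip, ep.remote_port, ep.local_ip, ep.local_port)
    if not tuple_ok:
        return "no-connection"        # no socket owns this 4-tuple; segment is not delivered
    if not seq_acceptable(ep, seg):
        return "seq-out-of-window"    # dropped; the stack answers with a bare ACK instead
    if not ack_acceptable(ep, seg):
        return "ack-unacceptable"     # dropped for the same reason
    return "accepted"                 # payload reaches PC1's socket


def run_samples() -> dict:
    """Constructed scenario: PC1 (10.0.0.5:65123) talking to SERVER (10.0.0.10:80)."""
    ep = Endpoint("10.0.0.5", 65123, "10.0.0.10", 80,
                  rcv_nxt=1000, rcv_wnd=65535, snd_una=5000, snd_nxt=5100)
    srv = ("10.0.0.10", 80, "10.0.0.5", 65123)  # what every reply from SERVER looks like
    samples = {
        # genuine reply: correct 4-tuple, seq == rcv_nxt, ack == snd_nxt
        "genuine":        Segment(*srv, seq=1000, ack=5100, payload_len=500),
        # forged by PC2 with the right ports but a guessed sequence number
        "forged_bad_seq": Segment(*srv, seq=700_000_000, ack=5100, payload_len=500),
        # forged with a wrong source port: no connection matches at all
        "forged_bad_port": Segment("10.0.0.10", 8080, "10.0.0.5", 65123, 1000, 5100, 500),
        # right ports and seq, but acknowledges bytes PC1 never sent
        "forged_bad_ack":  Segment(*srv, seq=1000, ack=9000, payload_len=10),
        # genuine retransmission that straddles the window start: still accepted
        "straddling":     Segment(*srv, seq=900, ack=5100, payload_len=200),
    }
    return {name: classify(ep, seg) for name, seg in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:16s} -> {verdict}")
```

The takeaway for a defender is the one the answer makes: knowing the source port narrows the 4-tuple, but a blindly injected segment also needs an in-window sequence number and a plausible acknowledgement number, and even an accepted forgery leaves the two real endpoints with inconsistent state that typically tears the connection down. On a shared LAN those numbers are observable, which is why a man-in-the-middle position (and the switch-level controls against it) matters more than port guessing.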