<div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Weird enough: I have managed to even alter the tcp payload. I had some problems with the tcp payload but now I see why before I couldn't change the ip checksum...this would lead to an invalid checksum at the tcp layer because the tcp checksum includes both src and dest ip.</div><div>When I saw that I could change the tcp payload I injected an redirection http header to divert traffic to my server. I should note that I spoofed one way(I could see all "victim's" packets from the gateway but not the packets sent by the client...so that everything would be faster). Now comes the problem: the injected payload was quicly unrecognized by the other computer<br></div><div>. This lead me to think that once a client receives a packet it checks the checksum but it also sends pack the packet for confirmation. This is the only explanation for why the client refused the redirect packet(it would have sent it back to the server and the server would not-acknowldge it...). So this is a dead end.</div><div><br></div><div>Back to the ip method: Once I realized that I shoud recalculate the tcp checksum I went on to patch the ip layer. Now I have serious problems with this one. I tried every checksum function I could find on internet but none works(don't worry..I am not a copycat-I read and understand the code I copy). I have a strong feeling the checksum is incorrect because on big/little endianness mismatch(this was the case with the code I took for tcp checksum). <br></div><div><br></div><div><br></div><div>Update. Actually I solved it. I found a good method for recalculating the checksum it appears to work. About sending packets to own NIC. Another method. Send the packet to router(set dest mac to gateway) and set the dest ip to mine. The router will check the ip and forward the packet back to my computer. My system will think the source is the victim. Is this a good ideea? (I already tried it but it seems I still have problems with tcp checksum and out -of-order packets...I wonder why..).<br></div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr">În dum., 23 sept. 2018 la 21:00, Mark Pizzolato - Winpcap-Users <<a href="mailto:winpcap-users-20040408@subscriptions.pizzolato.net">winpcap-users-20040408@subscriptions.pizzolato.net</a>> a scris:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Sunday, September 23, 2018 at 10:20 AM, Guy Harris wrote:<br>
> On Sep 23, 2018, at 4:37 AM, Reznicencu Sergiu<br>
> <<a href="mailto:sergiureznicencu@gmail.com" target="_blank">sergiureznicencu@gmail.com</a>> wrote:<br>
> <br>
> > I forgot to mention that I already recalculate the ip checksum. It is weird that<br>
> I cann see in wireshark the packets that I modified and resnt. Shouldn't the<br>
> packets be in "loopback"?<br>
> <br>
> On most UN*Xes, yes; they will show up on the loopback interface (lo0 or lo).<br>
> <br>
> On Windows, there isn't such an interface. WinPcap doesn't capture that<br>
> traffic; <br>
<br>
Actually, WinPcap, by default, does capture all traffic you transmit using <br>
pcap_sendpacket() on a pcap_t handle (unless you're filtering to exclude it).<br>
<br>
That transmitted traffic will in fact be received by the host system's network <br>
Stack (presuming matching MAC and IP address values on the interface your <br>
pcap_t handle is connected to).<br>
<br>
This receipt will be in addition to the fact that the host system's network<br>
stack will also have received the original traffic which you've rewritten.<br>
<br>
WinPcap is not a facility that will let you capture traffic and inhibit its <br>
reception by the host system's network stack.<br>
<br>
- Mark Pizzolato<br>
_______________________________________________<br>
Winpcap-users mailing list<br>
<a href="mailto:Winpcap-users@winpcap.org" target="_blank">Winpcap-users@winpcap.org</a><br>
<a href="https://www.winpcap.org/mailman/listinfo/winpcap-users" rel="noreferrer" target="_blank">https://www.winpcap.org/mailman/listinfo/winpcap-users</a><br>
</blockquote></div>