Port Knocking: Sending Single TCP Packet

Mark Olbert

I'm trying to build a simple port knocking client in dotNet. However, whenever I try to connect to the target machine, three packets
get sent by System.Net.Sockets.Connect() rather than just the one that I want to send.

Is there a way to send a single packet under dotNET?

- Mark
 
Hi

TCP is a connection-oriented protocol which is known as Three-Way
Handshake.
Explanation of the Three-Way Handshake via TCP/IP
http://support.microsoft.com/?id=172983

If you want to control the Three-Way Handshake, you need to use the RAW
socket to compose your own TCP packet in an IP packet to send.
Here is some information for your reference.
SharpPcap - A packet capture framework for .NET
http://www.codeproject.com/csharp/sharppcap.asp#sendPackets

Raw IP Networking FAQ
http://www.whitefang.com/rin/rawfaq.html#10


Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Peter,

Thanks for the quick reply. I came across winpcap, and sharppcap, in the course of further research. But, unfortunately, winpcap (and
hence sharppcap) don't support transmitting across PPP WAN connections (they're primarily focused on monitoring ethernet
connections, after all).

So I'm back to square one trying to use raw sockets myself.

One thing that concerns me, though, was that I read WinXP SP2 dropped support for raw sockets. Do you know if that's correct?

- Mark
 
Hi

Yes, it seems there are more restrictions on RAW socket support in XP
SP2 due to security concerns.

http://www.interact-sw.co.uk/iangblog/2004/08/12/norawsockets

Changes to Functionality in Microsoft Windows XP Service Pack 2
Part 2: Network Protection Technologies
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx
What new functionality is added to this feature in Windows XP Service Pack
2?
Restricted traffic over raw sockets
Detailed description

A very small number of Windows applications make use of raw IP sockets,
which provide an industry-standard way for applications to create TCP/IP
packets with fewer integrity and security checks by the TCP/IP stack. The
Windows implementation of TCP/IP still supports receiving traffic on raw IP
sockets. However, the ability to send traffic over raw sockets has been
restricted in two ways:

- TCP data cannot be sent over raw sockets.

- UDP datagrams with invalid source addresses cannot be sent over raw
sockets. The IP source address for any outgoing UDP datagram must exist on
a network interface or the datagram is dropped.



For detailed information I think you may want to post in the newsgroup below.
There would be more network experts there.
microsoft.public.win32.programmer.networks

Thanks for your understanding!

Best regards,

Peter Huang
Microsoft Online Partner Support

 
In case anyone else runs into this problem...

After trying many, many things, it turns out one answer is to:

- create the socket
- put the socket into nonblocking mode using ioctlsocket
- call connect on the socket
- immediately close the socket

Apparently, if you immediately close the socket after the nonbinding connect attempt windoze only has time to send a single packet.
If you wait to close you'll get multiple packets.

It ain't pretty, but it works.

- Mark
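
The four steps from the post above, as an added C# example that is not part of the original thread: `Socket.Blocking = false` is the managed counterpart of the `ioctlsocket` call. The host address, port sequence and 200 ms spacing are constructed placeholder values, and `PortKnocker` and `Knock` are hypothetical names.

```csharp
using System;
using System.Net;
using System.Net.Sockets;
using System.Threading;

static class PortKnocker
{
    // One knock: start a nonblocking connect, then close the socket at once.
    // Returns the error Connect reported; WouldBlock is the expected outcome.
    public static SocketError Knock(IPAddress host, int port)
    {
        var s = new Socket(host.AddressFamily, SocketType.Stream, ProtocolType.Tcp);
        try
        {
            s.Blocking = false;                    // step 2: nonblocking mode
            s.Connect(new IPEndPoint(host, port)); // step 3: returns without waiting
            return SocketError.Success;            // handshake finished before the close
        }
        catch (SocketException ex)
        {
            return ex.SocketErrorCode;             // WouldBlock: connect still in progress
        }
        finally
        {
            s.Close();                             // step 4: close immediately
        }
    }

    public static void Main()
    {
        // Constructed sample values (TEST-NET-1 address, arbitrary port sequence).
        IPAddress host = IPAddress.Parse("192.0.2.10");
        int[] sequence = { 7000, 8000, 9000 };

        foreach (int port in sequence)
        {
            SocketError result = Knock(host, port);
            Console.WriteLine("{0}: {1}", port, result);
            if (result != SocketError.WouldBlock)
                Console.Error.WriteLine("  unexpected result, knock may not have been a single SYN");
            Thread.Sleep(200);                     // assumed spacing so knocks arrive in order
        }
    }
}
```

How many packets actually leave the host depends on timing, as the post says, so confirm the behaviour with a packet capture before relying on it.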
 
Hi

Thanks for your knowledge sharing.

Best regards,

Peter Huang
Microsoft Online Partner Support

 