Jump to content
Tuts 4 You

TCPIP.SYS raw sockets


Recommended Posts

Posted (edited)

fig'd since the mcsft update patch keeps us from being able to fully utilize our OS it belonged in the security thread

 

this site goes into details about modding up tcpip.sys to allow raw sockets (ancient chinese secrets)

 

http://blog.csdn.net/aerror/article/details/2467775

 

and this site goes into details about allowing unlimited connections for our tcpip.sys sockets

 

unlimited connections but it doesnt solve the problems of RAW TCPIP contsruction

 
TCPIP.SYS
359,040 bytes, version 5.1.2600.2505Offset 130 (This is the checksum!)
FROM: 27 C3 05 00 TO: 1B C4 05 00 (<--- corrected checksum = 05c41bh)offset 4F322
FROM: A0 00 00 00 TO: FE FF FF 00 (<--- unlimited connections)
 
 
and the active recovery system on windows will immediately replace that tcpip.sys if you modify its CRC against what it knows to be valid
so be sure to match them up...
 
would it be against MCSFT policy to mod up a tcpip.sys and post it?   
 
 
More Info:
How To Remove Windows TCP IP Limits connections.doc
 
PS: i find it ironic that 2003 server enterprise allows us to use raw socket but our common everyday SP2 XP will not nor will Vista or Win7
Edited by JMC31337
Posted (edited)

First we needed a raw socket code to test as working under 2003 Enterprise (evaluation)  since my "trial is about to expire i need to re-install the iso)


nonetheless attached is the raw socket code 


 


http://forum.tuts4you.com/topic/34101-tcpipsys-raw-sockets/#entry157387


 


 


XP SP 3 terminal output:


 


Initialising Winsock...Initialised successfully.

Creating Raw TCP Socket...Raw TCP Socket Created successfully.

Setting the socket in RAW mode...Successful.

Sending packet...

 

Error sending Packet : 10004


 

 

2003 Enterprise:


Initialising Winsock...Initialised successfully.

Creating Raw TCP Socket...Raw TCP Socket Created successfully.

Setting the socket in RAW mode...Successful.

Sending packet...

 

  14597  packets send

 

 

so we can easily see we have a good sample to test and if we get "packets send" on SP3 we "Reversed the tcpip.sys"

 

 



.text:00034007 8B 45 B4 mov eax, [ebp+var_4C]
.text:0003400A 89 50 0C mov [eax+0Ch], edx
.text:0003400D 8B 45 B4 mov eax, [ebp+var_4C]
.text:00034010 88 58 1C mov [eax+1Ch], bl
.text:00034013 8B 4D AC mov ecx, [ebp+var_54]
.text:00034016 8A 41 09 mov al, [ecx+9] ; <---开始判断类型
.text:00034019 3C 06 cmp al, 6
.text:0003401B 0F 84 A9 14 00 00 jz pos_to_drop_skip_packet <-- change TO jmp 0003405D under a hex editor: 23FA3 - 23FB8 (for this SP3 tcpip.sys)
8B 45 B4 89 50 0C 8B 45 B4 88 58 1C 8B 4D AC 8A 41 09 3C 06 0F 84
text:0003405D loc_3405D: ; CODE XREF: IPTransmit(x,x,x,x,x,x,x,x,x,x)+213FD j .text:0003405D 8B 45 AC mov eax, [ebp+var_54] ; <---不检查,直接执行
.text:00034060 0F B6 00 movzx eax, byte ptr [eax]
.text:00034063 83 E0 0F and eax, 0Fh
.text:00034066 C1 E0 02 shl eax, 2
.text:00034069 8B F0 mov esi, eax
.text:0003406B 83 FE 14 cmp esi, 14h
.text:0003406E 89 B5 64 FF FF FF mov [ebp+var_9C], esi which is where i guess we wanna be: Hex EDitor : 23FF9 - 2400F (for this SP3 tcpip.sys)
8B 45 AC 0F B6 00 83 E0 0F C1 E0 02 8B F0 83 FE 14 89 B5 64 FF FF FF
its only one place in the tcpip.sys file those .text above came from the chinese source code mentioned in the first post, the Hex edit locations are the SP3 areas for tcpip

on this system it is this (with my ollydbg):




 

Address   Hex dump          Command                                  Comments

B80B4FA3    8B45 B4         MOV EAX,DWORD PTR SS:[EBP-4C]

B80B4FA6    8950 0C         MOV DWORD PTR DS:[EAX+0C],EDX

B80B4FA9    8B45 B4         MOV EAX,DWORD PTR SS:[EBP-4C]

B80B4FAC    8858 1C         MOV BYTE PTR DS:[EAX+1C],BL

B80B4FAF    8B4D AC         MOV ECX,DWORD PTR SS:[EBP-54]

B80B4FB2    8A41 09         MOV AL,BYTE PTR DS:[ECX+9]

B80B4FB5    3C 06           CMP AL,6

B80B4FB7    0F84 C8140000   JE B80B6485       <------------ ?????????????


 

 

 


on this system: (ollydbg)

 

CPU Disasm

Address   Hex dump          Command                                  Comments

B80B4FF9    8B45 AC         MOV EAX,DWORD PTR SS:[EBP-54]

B80B4FFC    0FB600          MOVZX EAX,BYTE PTR DS:[EAX]

B80B4FFF    83E0 0F         AND EAX,0000000F

B80B5002    C1E0 02         SHL EAX,2

B80B5005    8BF0            MOV ESI,EAX

B80B5007    83FE 14         CMP ESI,14

B80B500A    89B5 64FFFFFF   MOV DWORD PTR SS:[EBP-9C],ESI


 

 





maybe use ollydbg to dump the expression memory address as a new sys file: CPU Disasm
Address Hex dump Command Comments
B80B4FA3 8B45 B4 MOV EAX,DWORD PTR SS:[EBP-4C]
B80B4FA6 8950 0C MOV DWORD PTR DS:[EAX+0C],EDX
B80B4FA9 8B45 B4 MOV EAX,DWORD PTR SS:[EBP-4C]
B80B4FAC 8858 1C MOV BYTE PTR DS:[EAX+1C],BL
B80B4FAF 8B4D AC MOV ECX,DWORD PTR SS:[EBP-54]
B80B4FB2 8A41 09 MOV AL,BYTE PTR DS:[ECX+9]
B80B4FB5 3C 06 CMP AL,6
B80B4FB7 0F84 C8140000 JE B80B6485 <------------------ B80B4FF9
B80B4FBD 3C 04 CMP AL,4
B80B4FBF 0F84 C0140000 JE B80B6485
B80B4FC5 3C 29 CMP AL,29
B80B4FC7 0F84 B8140000 JE B80B6485
B80B4FCD FF71 0C PUSH DWORD PTR DS:[ECX+0C]
B80B4FD0 E8 3CCEFDFF CALL B8091E11
B80B4FD5 84C0 TEST AL,AL
B80B4FD7 74 20 JE SHORT B80B4FF9
B80B4FD9 8B45 AC MOV EAX,DWORD PTR SS:[EBP-54]
B80B4FDC FF70 10 PUSH DWORD PTR DS:[EAX+10]
B80B4FDF E8 2DCEFDFF CALL B8091E11
B80B4FE4 3C 03 CMP AL,3
B80B4FE6 0F85 99140000 JNE B80B6485
B80B4FEC 8B45 8C MOV EAX,DWORD PTR SS:[EBP-74]
B80B4FEF F640 0C 20 TEST BYTE PTR DS:[EAX+0C],20
B80B4FF3 0F84 8C140000 JE B80B6485 CPU Disasm
Address Hex dump Command Comments
B80B4FF9 8B45 AC MOV EAX,DWORD PTR SS:[EBP-54]
B80B4FFC 0FB600 MOVZX EAX,BYTE PTR DS:[EAX]
B80B4FFF 83E0 0F AND EAX,0000000F
B80B5002 C1E0 02 SHL EAX,2
B80B5005 8BF0 MOV ESI,EAX
B80B5007 83FE 14 CMP ESI,14
B80B500A 89B5 64FFFFFF MOV DWORD PTR SS:[EBP-9C],ESI
B80B5010 0F82 6F140000 JB B80B6485
B80B5016 76 67 JBE SHORT B80B507F
B80B5018 6A 10 PUSH 10
B80B501A 8D46 EC LEA EAX,[ESI-14]
B80B501D 68 54436977 PUSH 77694354
B80B5022 33FF XOR EDI,EDI
B80B5024 50 PUSH EAX
B80B5025 47 INC EDI
B80B5026 53 PUSH EBX
B80B5027 897D 80 MOV DWORD PTR SS:[EBP-80],EDI
B80B502A 8945 88 MOV DWORD PTR SS:[EBP-78],EAX
B80B502D FF15 A8060DB8 CALL DWORD PTR DS:[B80D06A8]
B80B5033 3BC3 CMP EAX,EBX
B80B5035 8945 A8 MOV DWORD PTR SS:[EBP-58],EAX
B80B5038 75 0C JNE SHORT B80B5046
B80B503A BE FE2A0000 MOV ESI,2AFE
B80B503F 56 PUSH ESI
B80B5040 57 PUSH EDI
B80B5041 E9 5B140000 JMP B80B64A1 that's the same Chinese dissassembly that i gave ya earlier only instead of SP2, this is the sp3 version here within these code-tags

B80B4FB7    0F84 C8140000   JE B80B6485                                  <------------------ B80B4FF9


 


 


 


only problem is these sys drivers get loaded into different mem addresses EVERY TIME the machine boots


 


but thats as far as I got last night... 



Edited by JMC31337
Posted (edited)

okay i got this to work under SP3 vmware: 


 


packets get sent and all...  (very hit or miss without using a system kernel debugger)


 


Steps:


 


1) backup your tcpip.sys (the included patcher does this for you) but do it jsut to make sure


2) open your SP3 tcpip.sys file with a hex editor


3) so a search for 8B 45 B4 89 50 0C 8B 45 B4 88 58 1C 8B 4D AC 8A 41 09 3C 06


(its only one place in the file)


 


REPLACE EVERYTHING AS YOU see here


 


8B 45 B4 89 50 0C 8B 45 B4 88 58 1C 8B 4D AC 8A 41 09 3C 06 74 40 C8 14 00 00 3C 04 74 38 C0 14 00 00 3C 29 74 30 B8 14 00 00 FF 71 0C E8 14 CE FD FF 84 C0 74 20 8B 45 AC FF 70 10 E8 05 CE FD FF 3C 03 0F 85 99 14 00 00 8B 45 8C F6 40 0C 20 74 20 8C 14 00 00 8B 45 AC 0F B6 00 83 E0 0F C1 E0 02 8B F0 83 FE 14 89 B5 64 FF FF FF


 


the ones in blue are the driver jumps.. they must point to their respective distances (see the original chinese tcpip modification tutorial) 


 


and save


 


4) head into SAFE MODE WITH COMMAND PROMPT


 5) once in command prompt for administrator (or admin account) head to :


\windows\system32\drivers


 


6) replace our "hacked"unpatched version" and overwrite the original tcpip.sys


7) now run that chinese patcher


8) it will say modified (not original) and change the number of connections to 9999


9) patch


10) a warning will pop asking to patch a modified tcpip.sys  click yes


11) reboot


 


run that winsock raw socket code.. and it will say


 


packets sent!


 


thats SP3...  in time ill do the vista and win7


UniversalTcpipPatch-x86.rar

Edited by JMC31337
Posted

after playing around with  (AF_INET, SOCK_RAW, IPPROTO_RAW)  raw winsock settings,


 


ICMP works (but it works as raw for all machines anyways)


 


UDP and TCP i cant see under a sniffer (maybe not crafting the packets right)


 


other times its BSOD


 


if anyone has any ideas... lemme know.. 


i'm game for trying anything with raw sockets


Posted (edited)

okay it works just fine.. just gotta have the right winsock code and the right TCP header info set


 


 


on the "unhacked" SP3 :



Initialising Winsock...Initialised successfully.
Creating Raw TCP Socket...Raw TCP Socket Created successfully.
Setting the socket in RAW mode...Successful.
Enter hostname : www.tuts4you.com Resolving Hostname...Resolved.
Enter Source IP : 192.168.219.130 Sending packet...
Error sending Packet : 10004

on the hacked SP3 trial evalulation under VMWARE (with network enabled):


E:\>raw_tcp
Initialising Winsock...Initialised successfully.
Creating Raw TCP Socket...Raw TCP Socket Created successfully.
Setting the socket in RAW mode...Successful.
Enter hostname : www.tuts4you.com Resolving Hostname...Resolved.
Enter Source IP : 192.168.219.130 Sending packet...
7180 packets send
2 TCP 192.168.219.130 198.57.187.53 1234 50000 xpvm.localdomain tuts4you.com 1,218 633,360 Bytes 672,888 Bytes 122.6 KB/Sec 12/25/2013 1:03:49 AM:531 12/25/2013 1:03:54 AM:578 00:00:05.046
Packets Stream Report
Index 2
Protocol TCP
Local Address 192.168.219.130
Remote Address 198.57.187.53
Local Port 1234
Remote Port 50000
Local Host xpvm.localdomain
Remote Host tuts4you.com
Service Name
Packets 1,218
Data Size 633,360 Bytes
Total Size 672,888 Bytes
Data Speed 122.6 KB/Sec
Capture Time 12/25/2013 1:03:49 AM:531
Last Packet Time 12/25/2013 1:03:54 AM:578
Duration 00:00:05.046
Local MAC Address
Remote MAC Address
Local IP Country
Remote IP Country 00000000 31 44 00 00 00 00 00 00 5E 5E 5E 5E 5E 5E 5E 5E 1D...... ^^^^^^^^
00000010 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
00000020 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
00000030 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
00000040 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
00000050 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
00000060 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
00000070 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
00000080 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
00000090 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
000000A0 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
000000B0 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
000000C0 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
000000D0 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
000000E0 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
000000F0 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
00000100 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
00000110 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
00000120 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
00000130 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
00000140 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
00000150 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
00000160 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
00000170 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
00000180 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
00000190 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
000001A0 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
000001B0 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
000001C0 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
000001D0 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
000001E0 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
000001F0 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^ ^^^^^^^^
00000200 5E 5E 5E 5E 5E 5E 5E 5E ^^^^^^^^

and the code that did it:


http://www.binarytides.com/raw-sockets-using-winsock/



//raw tcp packet crafter #include "stdio.h"
#include "winsock2.h"
#include "ws2tcpip.h" //IP_HDRINCL is here
#include "conio.h" #pragma comment(lib,"ws2_32.lib") //winsock 2.2 library typedef struct ip_hdr
{
unsigned char ip_header_len:4; // 4-bit header length (in 32-bit words) normally=5 (Means 20 Bytes may be 24 also)
unsigned char ip_version :4; // 4-bit IPv4 version
unsigned char ip_tos; // IP type of service
unsigned short ip_total_length; // Total length
unsigned short ip_id; // Unique identifier unsigned char ip_frag_offset :5; // Fragment offset field unsigned char ip_more_fragment :1;
unsigned char ip_dont_fragment :1;
unsigned char ip_reserved_zero :1; unsigned char ip_frag_offset1; //fragment offset unsigned char ip_ttl; // Time to live
unsigned char ip_protocol; // Protocol(TCP,UDP etc)
unsigned short ip_checksum; // IP checksum
unsigned int ip_srcaddr; // Source address
unsigned int ip_destaddr; // Source address
} IPV4_HDR, *PIPV4_HDR, FAR * LPIPV4_HDR; // TCP header
typedef struct tcp_header
{
unsigned short source_port; // source port
unsigned short dest_port; // destination port
unsigned int sequence; // sequence number - 32 bits
unsigned int acknowledge; // acknowledgement number - 32 bits unsigned char ns :1; //Nonce Sum Flag Added in RFC 3540.
unsigned char reserved_part1:3; //according to rfc
unsigned char data_offset:4; /*The number of 32-bit words in the TCP header.
This indicates where the data begins.
The length of the TCP header is always a multiple
of 32 bits.*/ unsigned char fin :1; //Finish Flag
unsigned char syn :1; //Synchronise Flag
unsigned char rst :1; //Reset Flag
unsigned char psh :1; //Push Flag
unsigned char ack :1; //Acknowledgement Flag
unsigned char urg :1; //Urgent Flag unsigned char ecn :1; //ECN-Echo Flag
unsigned char cwr :1; //Congestion Window Reduced Flag //////////////////////////////// unsigned short window; // window
unsigned short checksum; // checksum
unsigned short urgent_pointer; // urgent pointer
} TCP_HDR , *PTCP_HDR , FAR * LPTCP_HDR , TCPHeader , TCP_HEADER; int main()
{
char host[100],buf[1000],*data=NULL,source_ip[20]; //buf is the complete packet
SOCKET s;
int k=1; IPV4_HDR *v4hdr=NULL;
TCP_HDR *tcphdr=NULL; int payload=512 , optval;
SOCKADDR_IN dest;
hostent *server; //Initialise Winsock
WSADATA wsock;
printf("\nInitialising Winsock...");
if (WSAStartup(MAKEWORD(2,2),&wsock) != 0)
{
fprintf(stderr,"WSAStartup() failed");
exit(EXIT_FAILURE);
}
printf("Initialised successfully.");
//////////////////////////////////////////////// //Create Raw TCP Packet
printf("\nCreating Raw TCP Socket...");
if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW))==SOCKET_ERROR)
{
printf("Creation of raw socket failed.");
return 0;
}
printf("Raw TCP Socket Created successfully.");
//////////////////////////////////////////////// //Put Socket in RAW Mode.
printf("\nSetting the socket in RAW mode...");
if(setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&optval, sizeof(optval))==SOCKET_ERROR)
{
printf("failed to set socket in raw mode.");
return 0;
}
printf("Successful.");
//////////////////////////////////////////////// //Target Hostname
printf("\nEnter hostname : ");
gets(host);
printf("\nResolving Hostname...");
if((server=gethostbyname(host))==0)
{
printf("Unable to resolve.");
return 0;
}
dest.sin_family = AF_INET;
dest.sin_port = htons(50000); //your destination port
memcpy(&dest.sin_addr.s_addr,server->h_addr,server->h_length);
printf("Resolved.");
///////////////////////////////////////////////// printf("\nEnter Source IP : ");
gets(source_ip); v4hdr = (IPV4_HDR *)buf; //lets point to the ip header portion
v4hdr->ip_version=4;
v4hdr->ip_header_len=5;
v4hdr->ip_tos = 0;
v4hdr->ip_total_length = htons ( sizeof(IPV4_HDR) + sizeof(TCP_HDR) + payload );
v4hdr->ip_id = htons(2);
v4hdr->ip_frag_offset = 0;
v4hdr->ip_frag_offset1 = 0;
v4hdr->ip_reserved_zero = 0;
v4hdr->ip_dont_fragment = 1;
v4hdr->ip_more_fragment = 0;
v4hdr->ip_ttl = 8;
v4hdr->ip_protocol = IPPROTO_TCP;
v4hdr->ip_srcaddr = inet_addr(source_ip);
v4hdr->ip_destaddr = inet_addr(inet_ntoa(dest.sin_addr));
v4hdr->ip_checksum = 0; tcphdr = (TCP_HDR *)&buf[sizeof(IPV4_HDR)]; //get the pointer to the tcp header in the packet tcphdr->source_port = htons(1234);
tcphdr->dest_port = htons(50000); tcphdr->cwr=0;
tcphdr->ecn=1;
tcphdr->urg=0;
tcphdr->ack=0;
tcphdr->psh=0;
tcphdr->rst=1;
tcphdr->syn=0;
tcphdr->fin=0;
tcphdr->ns=1; tcphdr->checksum = 0; // Initialize the TCP payload to some rubbish
data = &buf[sizeof(IPV4_HDR) + sizeof(TCP_HDR)];
memset(data, '^', payload); printf("\nSending packet...\n"); while(!_kbhit())
{
printf(" %d packets send\r",k++);
if((sendto(s , buf , sizeof(IPV4_HDR)+sizeof(TCP_HDR) + payload, 0,
(SOCKADDR *)&dest, sizeof(dest)))==SOCKET_ERROR)
{ printf("Error sending Packet : %d",WSAGetLastError());
break;
}
}
getchar();
return 0;
}

one to tuts4you.com from google.com:



C:\Documents and Settings\JMC31337>ping www.google.com Pinging www.google.com [74.125.228.80] with 32 bytes of data: Reply from 74.125.228.80: bytes=32 time=23ms TTL=128 Ping statistics for 74.125.228.80:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 23ms, Maximum = 23ms, Average = 23ms Initialising Winsock...Initialised successfully.
Creating Raw TCP Socket...Raw TCP Socket Created successfully.
Setting the socket in RAW mode...Successful.
Enter hostname : www.tuts4you.com Resolving Hostname...Resolved.
Enter Source IP : 74.125.228.80 Sending packet...
1597 packets send 1 TCP 74.125.228.80 198.57.187.53 1234 50000 www.google.com tuts4you.com 1,830 951,600 Bytes 1,010,712 Bytes 108.7 KB/Sec 12/25/2013 1:20:12 AM:328 12/25/2013 1:20:20 AM:875 00:00:08.546

here's the thing though: through all the research i did, it may be that the ISP are able to detect the TRUE source of packets and drop those that arent coming fromn legit sources.. but other than that.. 


Edited by JMC31337

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...