How to check TCP sequence number to detect mitm?



  • I suspect that my router (I'm using an iPhone as router) has been owned and the attacker is making some kind of MITM attack. I also suspect that some HTML and JS code has not been sent to my laptop but has been filtered by the attacker, meaning that some sites are missing some functionality.

    If this is true, then there should be a hole in the TCP sequence number stream. How can I check the TCP sequence number integrity?

    I'm using a Windows 10 VM on a Linux/Ubuntu host with VirtualBox. My idea is to check the sequence numbers with Snort or Wireshark from the host, but I'd appreciate some hints on alternatives.



  • If this is true there should be a hole in the tcp sequence number stream.

    MITM attacks don't leave such holes. Your approach to detecting MITM thus would not even work in theory, so there is no need to discuss how to make it work in practice.

    TCP sequence numbers describe a position in the byte stream (not the packet number). The recipient reassembles the stream based on the sequence numbers. A "hole" in the stream would result in a broken connection, i.e. it would simply not work.

    Some MITM attacks are packet based and only change the content of a single packet at a time. In this case they don't change the length of the packet, but just some bytes inside. Usually MITM attacks are applied to the connection itself, i.e. they essentially create a new connection with new sequence numbers. The original connection is never seen by the recipient. In this case arbitrary modifications to the data can be made, including adding or removing data. With both approaches the TCP sequence numbers are "complete", i.e. there are no holes in the stream.
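The following added example (not part of the question or the answer above) makes the answer's point concrete. It implements the sequence-number continuity check the question asks about, run over constructed segments rather than a real capture, and then shows three situations: a segment missing from the capture, which is the only case that produces a real hole; a connection-level MITM that terminates the connection and re-sends modified data with its own initial sequence number; and an in-place edit that changes bytes without changing lengths. The page contents, ISNs, MSS and scenario names are this example's own assumptions. The check reports a gap only in the first case; in the two MITM cases the stream is contiguous and the check has nothing to flag, exactly as the answer says.

```python
"""Continuity check over one direction of a TCP connection's sequence numbers.

Added example; the segments below are constructed for illustration, not captured.
"""
from dataclasses import dataclass

SEQ_MOD = 1 << 32  # 32-bit sequence space, wraps modulo 2^32


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes  # application bytes carried by this segment


def check_stream(segments, isn):
    """Reassemble the server->client byte stream and report discontinuities.

    `isn` is the server's initial sequence number; the SYN consumes one
    sequence number, so the first data byte sits at isn + 1. Returns a dict:
      gaps     - list of (start, end) relative byte ranges never covered
      overlaps - segments that re-cover bytes already seen (retransmissions)
      data     - reassembled bytes (gap positions are zero-filled)
    """
    first = (isn + 1) % SEQ_MOD
    rel = lambda s: (s - first) % SEQ_MOD  # wrap-safe relative offset
    total = max((rel(s.seq) + len(s.payload) for s in segments), default=0)
    covered = bytearray(total)
    data = bytearray(total)
    overlaps = 0
    for seg in segments:  # capture order is irrelevant; offsets place the bytes
        start = rel(seg.seq)
        end = start + len(seg.payload)
        if any(covered[start:end]):
            overlaps += 1
        covered[start:end] = b"\x01" * len(seg.payload)
        data[start:end] = seg.payload
    gaps, i = [], 0
    while i < total:
        if covered[i]:
            i += 1
            continue
        j = i
        while j < total and not covered[j]:
            j += 1
        gaps.append((i, j))  # bytes [i, j) were never seen
        i = j
    return {"gaps": gaps, "overlaps": overlaps, "data": bytes(data)}


def segment_stream(data, isn, mss):
    """Split `data` into contiguous segments the way a sender would (constructed)."""
    first = (isn + 1) % SEQ_MOD
    return [Segment((first + off) % SEQ_MOD, data[off:off + mss])
            for off in range(0, len(data), mss)]


# Constructed sample page and connection parameters (assumptions of this example).
PAGE = b"<html><head><script src=app.js></script></head><body>hi</body></html>"
SERVER_ISN = 0xFFFFFFF0  # close to 2**32 so the wrap-around path is exercised
MSS = 16


def scenario_capture_drop():
    """A segment missing from the capture: the only way a real hole appears."""
    segs = segment_stream(PAGE, SERVER_ISN, MSS)
    del segs[2]  # the sniffer (or the network) lost bytes 32..47
    return check_stream(segs, SERVER_ISN)


def scenario_new_connection():
    """Connection-level MITM: the proxy terminates the TCP connection and re-sends
    a modified page on its own connection with its own ISN. Its numbering is
    contiguous, so no hole exists even though a whole script tag was removed."""
    modified = PAGE.replace(b"<script src=app.js></script>", b"")
    proxy_isn = 12345
    return check_stream(segment_stream(modified, proxy_isn, MSS), proxy_isn)


def scenario_in_place_edit():
    """Packet-level MITM: same length, a few bytes changed, sequence numbers untouched."""
    modified = PAGE.replace(b"hi", b"yo")
    return check_stream(segment_stream(modified, SERVER_ISN, MSS), SERVER_ISN)


if __name__ == "__main__":
    for name, fn in [("capture drop", scenario_capture_drop),
                     ("new connection", scenario_new_connection),
                     ("in-place edit", scenario_in_place_edit)]:
        r = fn()
        print(f"{name:15s} gaps={r['gaps']} overlaps={r['overlaps']} bytes={len(r['data'])}")
```

The same check is what Wireshark performs when it flags "TCP Previous segment not captured" in its expert info; running it on a real pcap would need a packet parser in front of `check_stream`, which this example leaves out. The practical takeaway matches the answer: a gap in the sequence numbers points at lost or uncaptured packets, not at a MITM, while a MITM that rewrites the connection produces a perfectly contiguous stream whose contents differ from what the server sent.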


