Security Basics mailing list archives
Re: IP Session Hijacking And Spoofing
From: "simsjs" <sims () interex org>
Date: Mon, 25 Nov 2002 13:28:22 -0800
Charles,

Here is a clip from an article in Network Magazine:

Source routing can be strict or loose. Strict source routing lets a manager specify the path through all the routers to the destination. Return responses use the same path in reverse. Loose source routing lets managers specify an address that the packet must pass through on its way to the destination. It is loose source routing that aids an attacker.

You can find the entire article at http://www.networkmagazine.com/article/NMG20000517S0167

There is also a really good book called "Hackers Beware" that goes in detail over session hijacking and IP address spoofing that might help you understand a little better.

Glad I could help.

Jeff

*********** REPLY SEPARATOR ***********

On 11/25/2002 at 1:12 PM charles lindsay wrote:

enlighten me. How do you get the server to use source routing in its replies? Source routing tells the routers between you and the destination the next hops for the packet. As far as I am aware, there is no requirement that the destination employ the reverse path in its replies.

From: simsjs [sims () interex org]
Sent: Friday, November 22, 2002 12:23 PM
To: LEHMANN, TODD; security-basics
Subject: Re: IP Session Hijacking And Spoofing

With IP Spoofing there is no need to guess the sequence number since there is no session currently open with that IP address. The way that the traffic would get back to you is by using source routing. This is where you tell the network how to route the output and input from a session, then you simply sniff it from the network as it passes by you. But you have to make sure you put in a route that will both reach its destination and pass through your own network.

As far as guessing the sequence numbering for session hijacking, I really have no idea, but there are programs that will attempt to guess these for you. The one I am thinking of (whose name escapes me at the time) will allow you to watch a session, reset a session, or hijack it.

Hope some of this helps.

Jeff

*********** REPLY SEPARATOR ***********

On 11/19/2002 at 11:33 AM LEHMANN, TODD wrote:

I have read some documentation on IP Spoofing, and from what I have read, it sounds like you must determine the sequence number of the host before you can spoof. However, I don't understand why you would have to determine the sequence if you are creating a new session with the host under a false IP. Wouldn't the creation of the new TCP session negotiate the sequence number at that time? I also failed to understand how the traffic gets back to you if you are telling it to respond to another host. Can someone shine some light on this for me?

When it comes to session hijacking, how does one go about determining the sequence number on a host that uses a random number seed to create the sequence? Is it some form of complex algorithms or is it just impossible unless you create the session?

Todd Lehmann
Systems Analyst I
VPN Subject Matter Expert