Bugtraq mailing list archives
Re: Hijacking tool
From: casper () fwi uva nl (Casper Dik)
Date: Tue, 24 Jan 1995 14:45:39 +0100
There is a tool floating around called TAP which is a kernel mod that allows you to easily watch streams on SunOS, and capture what a person is typing. It is easy to modify so that you could actually write to the stream thus emulating that person and hijacking their terminal connection. To load the modules, the intruder does a modload to add the module to the kernel. One way to detect the hijacking tool is to do a modstat and see if there are any unfamiliar modules loaded. An intruder could trojan modstat so it might be worthwhile to check the integrity of modstat.
I'm less concerned about the IP spoofing attack method than I am curious about this TAP tool. Does anyone have any detailed/technical information on this in particular?
If you're hijacking *connections*, isn't it much easier to just steal the filehandles in the kernel? (Just go to a process's file table and add that process's file * to your open set, e.g., by implementing a new system call, interprocess dup: int ipcdup(int pid, int fd)) Can't be more than four or five lines of kernel code.
Casper