Penetration Testing mailing list archives

RE: RE: Session & IP Spoofing


From: "Rob Shein" <shoten () starpower net>
Date: Thu, 4 Dec 2003 15:34:51 -0500

You'd better care about the return traffic; without it you won't even be
able to complete the TCP handshake to send the request.  TCP spoofing is
harder now than it used to be.  Your options include positioning yourself
between the target and the IP you're impersonating (difficult to set up, but
very effective if done) and trying source routing to specify that the
packets for that spoofed IP should come back to you instead of following
their normal route (many firewalls and routers do not allow source routing
these days, and many IDSes trigger when they see it).

-----Original Message-----
From: pire pire [mailto:pirepire69 () romandie com] 
Sent: Thursday, December 04, 2003 4:54 AM
To: MThompson () brinkster com; pen-test () securityfocus com
Subject: RE: RE: Session & IP Spoofing


No, I don't care about the return traffic! All I need is to send a GET request with a spoofed IP!

Example:

GET /toto.php?sessionId=123456&transfer=1000
Host: www.toto.com

I just need to send this request to the server with the IP address belonging to the session ID I've got through my XSS!


So how do you do that?


Thanks for your help







---------------------------------------
You can spoof any IP. The question is do you want the return traffic.

-----Original Message-----
From: pire pire [mailto:pirepire69 () romandie com] 
Sent: Tuesday, December 02, 2003 5:02 PM
To: pen-test () securityfocus com
Subject: Session & IP Spoofing

Hi,

I've found a vulnerability in a Web App which gave me, via an XSS, the session ID token.

I would like to replay this token. But the session ID manager (on the server) seems to look also at IP addresses.

So my question is: Is there a way to spoof my IP address in order to replay the session ID??

Like: http://www.tutu.com/toto.php?sessionid=32443243 and somehow spoof my IP?!

If I replay the session ID from my machine or another machine behind my NAT (same outside IP) it works!!

Thanks a lot for your help


_______________________________________________

Free e-mail for French-speaking Switzerland: 10 MB!!!
Take advantage of it! >>> http://www.romandie.com





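The point made in the reply above, in runnable form. This is an added example, not code from the thread or from any of the posters: a toy model of a server whose TCP listener hands out an unpredictable 32-bit initial sequence number per SYN (the reason blind TCP spoofing became hard, not stated in the thread but well established), and whose session manager binds each session ID to the IP it was issued to. The ACK that completes the handshake has to carry the server's ISN+1, and that value is carried in the SYN-ACK to the *spoofed* address, so a forger who is not on the return path never learns it and the GET never reaches the application. All hosts, ports, session IDs and the session table are constructed for the example; the `isn_source` hook exists only to make the behaviour testable.

```python
"""Toy model: why a blindly spoofed source IP cannot get an HTTP request
accepted, and why a second host behind the same NAT can.
Constructed example; hosts, ports and session IDs are made up."""
import secrets

MASK32 = 0xFFFFFFFF


class ToyServer:
    """Minimal TCP listener plus a session store that binds each session
    ID to the client IP it was issued to."""

    def __init__(self, isn_source=lambda: secrets.randbits(32)):
        self._isn_source = isn_source            # injectable for deterministic tests
        self.pending = {}                        # (ip, port) -> server ISN
        self.established = set()                 # completed handshakes
        self.sessions = {"123456": "203.0.113.5"}  # constructed: sessionId -> owner IP
        self.accepted = []                       # requests the app actually processed

    def on_syn(self, src_ip, src_port, client_isn):
        """Return the SYN-ACK.  On a real network it is routed to src_ip,
        so only a host that receives src_ip's traffic learns 'seq'."""
        isn = self._isn_source() & MASK32
        self.pending[(src_ip, src_port)] = isn
        return {"seq": isn, "ack": (client_isn + 1) & MASK32}

    def on_ack(self, src_ip, src_port, ack):
        """Third handshake packet.  A wrong ack gets an RST in real TCP;
        here it simply returns False and nothing is established."""
        key = (src_ip, src_port)
        isn = self.pending.get(key)
        if isn is None or ack != (isn + 1) & MASK32:
            return False
        del self.pending[key]
        self.established.add(key)
        return True

    def on_request(self, src_ip, src_port, session_id):
        """The GET only reaches the app over an established connection;
        the session manager then compares the session owner IP with src_ip."""
        if (src_ip, src_port) not in self.established:
            return "dropped: no established connection"
        if self.sessions.get(session_id) != src_ip:
            return "rejected: session not bound to this IP"
        self.accepted.append((src_ip, session_id))
        return "accepted"


def legitimate_connect(server, ip, port):
    """A client that really owns 'ip' receives the SYN-ACK and completes
    the handshake with the correct acknowledgement number."""
    synack = server.on_syn(ip, port, secrets.randbits(32))
    return server.on_ack(ip, port, (synack["seq"] + 1) & MASK32)


def blind_spoof_connect(server, victim_ip, port, guessed_ack):
    """Attacker forges victim_ip as source.  The SYN-ACK is delivered to
    victim_ip, so the attacker never reads it and can only guess the ack."""
    server.on_syn(victim_ip, port, 0)
    return server.on_ack(victim_ip, port, guessed_ack)


def demo():
    """Replay the three situations discussed in the thread."""
    srv = ToyServer()
    owner, attacker = "203.0.113.5", "198.51.100.7"
    results = {}
    # 1. Replay of the stolen session ID from the attacker's own address:
    #    handshake fine, IP binding check fails (what the poster observed).
    legitimate_connect(srv, attacker, 40000)
    results["own_ip"] = srv.on_request(attacker, 40000, "123456")
    # 2. Blind spoof of the owner's address: handshake never completes,
    #    so the GET is never seen by the application at all.
    blind_spoof_connect(srv, owner, 40001, guessed_ack=1)
    results["spoofed"] = srv.on_request(owner, 40001, "123456")
    # 3. Another machine behind the owner's NAT shares the outside IP
    #    and is on the return path, so it works.
    legitimate_connect(srv, owner, 40002)
    results["same_nat"] = srv.on_request(owner, 40002, "123456")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} -> {outcome}")
```

The two workarounds mentioned in the reply map onto this model directly: sitting between the target and the impersonated host, or getting source-routed replies, both amount to receiving the SYN-ACK, at which point `blind_spoof_connect` turns into `legitimate_connect`. Note also that the session binding is only as strong as the client's outside address, which is why the NAT case succeeds.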

