Vulnerability Development mailing list archives
Re: Forge packets ?
From: Michael Wojcik <Michael.Wojcik () MERANT COM>
Date: Tue, 12 Sep 2000 12:39:43 -0700
From: Samy Kamkar [CommPort5] [mailto:CommPort5 () LUCIDX COM]
Sent: Monday, September 11, 2000 3:29 PM
Just sending packets (assuming there is a connection from your lan which you're able to sniff) with data without disconnecting connections should be pretty simple. No handshakes needed since the connection will still be open from the local user...the local user will see it if (s)he sniffs the lan's packets and the remote host may echo the data which you sent, depending on the protocol.
Spoofing packets without *disconnecting* the real source, maybe, but you're going to interfere with the real source's conversation. The spoofed packets will consume sequence numbers, with at least two possible results:

- packets from the real source will be treated as duplicates and discarded (if you're lucky; if not, spoofed data will arrive second and be discarded, or data will be interleaved)
- ACKs will come back to the real source for data it hasn't sent yet. I don't know what the RFCs say about that, but I imagine stacks aren't happy about it, unless they're required to ignore it.

Session hijacking isn't one of my hobbies, so there may be some clever dodge around these issues that I'm unaware of, but offhand I don't see how you'll keep the real source ignorant of your interference (at least if it ever tries to use the conversation again after you've started messing with it).

Now, it *might* be possible to perform a man-in-the-middle attack where you intercept packets from the real source; prevent them from arriving at the destination (you're acting as an evil router); change the data in them to your data - preserving packet sizes, so the sequence numbers match; and forward them on. (And you may have to mess with the responses so the real source doesn't notice anything funny going on. How transparent does this need to be?) Non-trivial.

Session hijacking itself isn't particularly difficult. Keeping the passengers from noticing the guy in the cockpit with the gun, on the other hand...

Michael Wojcik
michael.wojcik () merant com
MERANT
Department of English, Miami University
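As an added illustration of the sequence-number accounting the reply above describes (this is not code from the thread or from either poster), the model below tracks a receiver's RCV.NXT and the legitimate sender's SND.NXT on one connection, inserts a segment that reuses the sender's next sequence number, and then shows what each real endpoint observes. The `Segment`, `Receiver`, `Sender` and `run_scenario` names are invented for the illustration, and the model deliberately omits windows, retransmission timers and out-of-order queuing. On the RFC question the post leaves open: RFC 793 specifies that an ACK for data not yet sent (SEG.ACK > SND.NXT) is dropped and answered with an ACK, which is the branch the model records as an anomaly, and it is also a usable detection signal for an endpoint or host-based monitor.

```python
"""Constructed model of TCP sequence-number accounting on one connection.

Not code from the mailing-list thread; names and values are invented.
It shows how bytes inserted into the stream by a third party consume
sequence space, so that the real sender's next segment is either dropped
as a duplicate or trimmed and interleaved, and the real sender sees an
ACK for data it never sent.
"""
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int
    payload: bytes


@dataclass
class Receiver:
    rcv_nxt: int
    delivered: bytearray = field(default_factory=bytearray)
    dup_acks: int = 0

    def receive(self, seg: Segment) -> int:
        """Accept one segment and return the ACK number sent back.

        Follows the RFC 793 acceptance test for data at or below RCV.NXT:
        bytes already covered by RCV.NXT are trimmed, and a segment lying
        wholly below RCV.NXT is a duplicate and is dropped (with a dup ACK).
        """
        end = seg.seq + len(seg.payload)
        if end <= self.rcv_nxt:
            self.dup_acks += 1          # entire segment already "received"
            return self.rcv_nxt
        if seg.seq < self.rcv_nxt:
            # partial overlap: keep only the tail that is new to us
            seg = Segment(self.rcv_nxt, seg.payload[self.rcv_nxt - seg.seq:])
        if seg.seq > self.rcv_nxt:
            # gap ahead of RCV.NXT: a real stack queues it; the model does not
            return self.rcv_nxt
        self.delivered += seg.payload
        self.rcv_nxt = seg.seq + len(seg.payload)
        return self.rcv_nxt


@dataclass
class Sender:
    snd_nxt: int
    anomalies: list = field(default_factory=list)

    def send(self, payload: bytes) -> Segment:
        seg = Segment(self.snd_nxt, payload)
        self.snd_nxt += len(payload)
        return seg

    def on_ack(self, ack: int) -> None:
        # RFC 793: SEG.ACK > SND.NXT acknowledges data not yet sent; the
        # segment is dropped and an ACK is returned.  Recorded here as the
        # signal the real sender (or a monitor on its host) can observe.
        if ack > self.snd_nxt:
            self.anomalies.append(("ack_beyond_snd_nxt", ack, self.snd_nxt))


def run_scenario(real_next_payload: bytes) -> dict:
    """Legit data, then an inserted segment, then the real sender's next data."""
    sender = Sender(snd_nxt=1000)
    receiver = Receiver(rcv_nxt=1000)
    # 1. the legitimate conversation: bytes 1000..1009
    sender.on_ack(receiver.receive(sender.send(b"GET /index")))
    # 2. a segment from a third party reusing the sender's next seq (1010)
    inserted = Segment(sender.snd_nxt, b"XXXXX")
    sender.on_ack(receiver.receive(inserted))   # the ACK reaches the real sender
    # 3. the real sender's next data, unaware that five bytes were consumed
    sender.on_ack(receiver.receive(sender.send(real_next_payload)))
    return {
        "delivered": bytes(receiver.delivered),
        "dup_acks": receiver.dup_acks,
        "anomalies": sender.anomalies,
    }


if __name__ == "__main__":
    # 5-byte follow-up: dropped as a duplicate (the post's first outcome)
    print(run_scenario(b".html"))
    # 10-byte follow-up: first half trimmed, rest interleaved (third outcome)
    print(run_scenario(b".html HTTP"))
```

With a 5-byte follow-up the real sender's segment is wholly below RCV.NXT and is discarded as a duplicate; with a 10-byte follow-up the first five bytes are trimmed and the remainder lands after the inserted bytes, giving the interleaving the post mentions. In both runs the real sender receives ACK 1015 while its SND.NXT is 1010, which is the "ACK for data it hasn't sent yet" condition; a burst of such ACKs, or duplicate ACKs on an otherwise healthy connection, is what a host-side monitor would look for.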
Current thread:
- Forge packets ? Skreel (Sep 12)
- Re: Forge packets ? Samy Kamkar [CommPort5] (Sep 12)
- Re: Forge packets ? FX, Phenoelit (Sep 21)
- <Possible follow-ups>
- Re: Forge packets ? Skreel (Sep 12)
- Re: Forge packets ? Samy Kamkar [CommPort5] (Sep 12)
- Re: Forge packets ? Michael Wojcik (Sep 12)
- Re: Forge packets ? George Gales (Sep 12)
- Re: Forge packets ? Everhart, Glenn (FUSA) (Sep 12)
- Re: Forge packets ? Samy Kamkar [CommPort5] (Sep 13)
- Re: Forge packets ? Andrew Thomas (Sep 13)
- Re: Forge packets ? Michael Wojcik (Sep 14)