Vulnerability Development mailing list archives
Re: Forge packets ?
From: "Everhart, Glenn (FUSA)" <GlennEverhart () FIRSTUSA COM>
Date: Tue, 12 Sep 2000 13:12:27 -0400
You have to synchronize with the destination. To avoid ACK storms as the real host tries to also synchronize, normal practice is to try to disrupt that connection. Sending ARP replies (convince the real host (the box you want to look like) that the destination has a different MAC address), ICMP redirect (in case ARP doesn't make it), and maybe a RIP attack (in case ICMP doesn't make it) are ways to attempt this. Hunt illustrates at least the ARP spoofing variant. If your program undoes the spoof after you have finished, the original connection may be continuable and it may just appear that something went wrong briefly on the net. ACK storms, on the other hand, are very noticeable and can bring down networks easily if they occur with all boxes on the same LAN. Windows will exhibit messages alerting that an IP address conflict exists. Good firewall configs can help in reducing vulnerability to the long-range attacks here.

-----Original Message-----
From: Samy Kamkar [CommPort5] [mailto:CommPort5 () LUCIDX COM]
Sent: Monday, September 11, 2000 4:29 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Forge packets ?

Just sending packets (assuming there is a connection from your LAN which you're able to sniff) with data without disconnecting connections should be pretty simple. No handshakes needed since the connection will still be open from the local user... the local user will see it if (s)he sniffs the LAN's packets, and the remote host may echo the data which you sent, depending on the protocol. You would need to sniff the packets which the local user is sending to the remote host and then you'll need to create a packet matching what an outgoing packet from the local user would look like (correct sequence number, window size, etc.) and send it on its way... so it is possible. There are also many programs which already 'utilize' the local-net/TCP insecurities.

Not allowing spoofed packets out (although it won't necessarily always be 'spoofed', could be from the same hostname depending on how the LAN is set up) could stop it... I'm not aware of the best way to stop this from happening, or how easy it is to not allow spoofed packets out.

Skreel wrote:

So TCP hijacking is the solution? I thought hunt could only hijack connections on port 23. What I actually want is to send data to the remote host without dropping the user's connection, whether the user sees the data or not (I'm only talking theoretically); I just wanted to know if it was possible. And also, if I used ipchains to IP-masquerade the LAN, then wouldn't it be easier for an attacker to send data and hijack the user's connection? Is there any way to prevent this kind of attack (if it is a real attack)?
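The ARP-reply trick Glenn describes (and the "IP address conflict" message Windows raises while it is happening) is visible to any passive listener on the LAN, because the forged replies rebind an IP the network already knows to a different MAC. The following is an added example, not code from anyone in this thread or from Hunt: an arpwatch-style monitor that keeps an IP-to-MAC table from observed ARP replies and raises an alert when an IP changes owner, escalating to "flapping" when the real host keeps reasserting itself against the forged binding. The `ArpReply`, `ArpMonitor` and `run_monitor` names and the 192.0.2.x addresses and MACs are constructed for this illustration.

```python
"""Passive ARP-cache-poisoning detector over a constructed stream of ARP replies.

Added example for this thread; not code from any poster or from Hunt. It does
what a defensive arpwatch-style monitor does: learn which MAC has claimed each
IP and flag any later change of ownership, which is exactly what a host on the
LAN sees while someone is sending forged ARP replies for a neighbour's address.
All addresses below are constructed sample values (192.0.2.0/24 is the
documentation range).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ArpReply:
    ts: float         # capture timestamp, seconds
    sender_ip: str    # the IP this reply claims to speak for
    sender_mac: str   # the MAC the reply binds that IP to


@dataclass
class Alert:
    ts: float
    ip: str
    old_mac: str
    new_mac: str
    kind: str         # "changed" (single rebinding) or "flapping" (repeated)


@dataclass
class ArpMonitor:
    # this many ownership changes for one IP inside flap_window seconds = flapping
    flap_window: float = 60.0
    flap_threshold: int = 3
    table: Dict[str, str] = field(default_factory=dict)
    history: Dict[str, List[float]] = field(default_factory=dict)

    def observe(self, r: ArpReply) -> Optional[Alert]:
        known = self.table.get(r.sender_ip)
        if known is None:
            # first sighting of this IP: learn the binding, nothing to flag
            self.table[r.sender_ip] = r.sender_mac
            return None
        if known == r.sender_mac:
            return None  # consistent re-announcement, normal traffic
        # ownership changed: record the new binding and look for a flap pattern
        self.table[r.sender_ip] = r.sender_mac
        times = self.history.setdefault(r.sender_ip, [])
        times.append(r.ts)
        times[:] = [t for t in times if r.ts - t <= self.flap_window]
        kind = "flapping" if len(times) >= self.flap_threshold else "changed"
        return Alert(r.ts, r.sender_ip, known, r.sender_mac, kind)


def run_monitor(replies: List[ArpReply]) -> List[Alert]:
    """Feed a captured (here: constructed) sequence of ARP replies through the monitor."""
    mon = ArpMonitor()
    alerts: List[Alert] = []
    for r in replies:
        a = mon.observe(r)
        if a is not None:
            alerts.append(a)
    return alerts


# Constructed sample: the gateway 192.0.2.1 is legitimately announced by
# aa:...:01, then a second MAC claims it while the real owner keeps re-announcing.
SAMPLE = [
    ArpReply(0.0,  "192.0.2.1",  "aa:aa:aa:aa:aa:01"),
    ArpReply(1.0,  "192.0.2.50", "aa:aa:aa:aa:aa:50"),
    ArpReply(5.0,  "192.0.2.1",  "aa:aa:aa:aa:aa:01"),   # consistent, no alert
    ArpReply(10.0, "192.0.2.1",  "bb:bb:bb:bb:bb:99"),   # ownership change
    ArpReply(12.0, "192.0.2.1",  "aa:aa:aa:aa:aa:01"),   # real owner reasserts
    ArpReply(14.0, "192.0.2.1",  "bb:bb:bb:bb:bb:99"),   # third change in 60 s
]

if __name__ == "__main__":
    for a in run_monitor(SAMPLE):
        print(f"t={a.ts:>5.1f} {a.ip} {a.old_mac} -> {a.new_mac} [{a.kind}]")
```

On a real segment the same logic would be fed from a capture of opcode-2 ARP frames; a single "changed" alert can be a legitimate NIC swap or DHCP reassignment, while the "flapping" pattern (the gateway's binding alternating between two MACs within a minute) is the signature of an active poisoning attempt and is worth paging on. Static ARP entries for the gateway on critical hosts, or switch-side dynamic ARP inspection, are the usual mitigations once it is seen.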
Current thread:
- Forge packets ? Skreel (Sep 12)
- Re: Forge packets ? Samy Kamkar [CommPort5] (Sep 12)
- Re: Forge packets ? FX, Phenoelit (Sep 21)
- <Possible follow-ups>
- Re: Forge packets ? Skreel (Sep 12)
- Re: Forge packets ? Samy Kamkar [CommPort5] (Sep 12)
- Re: Forge packets ? Michael Wojcik (Sep 12)
- Re: Forge packets ? George Gales (Sep 12)
- Re: Forge packets ? Everhart, Glenn (FUSA) (Sep 12)
- Re: Forge packets ? Samy Kamkar [CommPort5] (Sep 13)
- Re: Forge packets ? Andrew Thomas (Sep 13)
- Re: Forge packets ? Michael Wojcik (Sep 14)