Vulnerability Development mailing list archives

Re: Forge packets ?


From: "Everhart, Glenn (FUSA)" <GlennEverhart () FIRSTUSA COM>
Date: Tue, 12 Sep 2000 13:12:27 -0400

You have to synchronize with the destination. To avoid ack storms
as the real host tries to also synchronize, normal practice is
to try to disrupt that connection. Sending ARP replies (convince
the real host (the box you want to look like) that the destination
has a different MAC address), ICMP redirect (in case ARP doesn't
make it), and maybe a RIP attack (in case ICMP doesn't make it)
are ways to attempt this. Hunt illustrates at least the ARP
spoofing variant. If your program undoes the spoof after you have
finished, the original connection may be continuable and it may
just appear that something went wrong briefly on the net. ACK
storms, on the other hand, are very noticeable and can bring down
networks easily if they occur with all boxes on the same LAN.

Windows will exhibit messages alerting that an IP address conflict
exists.

Good firewall configs can help in reducing vulnerability to the
long range attacks here.

-----Original Message-----
From: Samy Kamkar [CommPort5] [mailto:CommPort5 () LUCIDX COM]
Sent: Monday, September 11, 2000 4:29 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Forge packets ?


Just sending packets (assuming there is a connection from your LAN which you're
able to sniff) with data without disconnecting connections should be pretty
simple. No handshakes needed since the connection will still be open from the
local user...the local user will see it if (s)he sniffs the LAN's packets and
the remote host may echo the data which you sent, depending on the protocol.
You would need to sniff the packets which the local user is sending to the
remote host and then you'll need to create a packet matching what an outgoing
packet from the local user would look like (correct sequence number, window
size, etc.) and send it on its way...so it is possible. There are also many
programs which already 'utilize' the local-net/TCP insecurities. Not allowing
spoofed packets out (although it won't necessarily always be 'spoofed', could
be from the same hostname depending on how the LAN is set up) could stop
it...I'm not aware of the best way to stop this from happening, or how easy it
is to not allow spoofed packets out.


Skreel wrote:

So TCP hijacking is the solution? I thought hunt could only hijack connections
on port 23. What I actually want is to send data to the remote host without
dropping the user's connection, whether the user sees the data or not (I'm only
talking theoretically); I just wanted to know if it was possible. And also, if
I used ipchains to IP-masquerade the LAN, then wouldn't it be easier for an
attacker to send data and hijack the user's connection? Is there any way to
prevent this kind of attack (if it is a real attack)?
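Two of the side effects named in the thread, an IP address suddenly claimed by a different MAC (the condition behind the Windows address-conflict message) and an ACK storm of empty acknowledgements, are both visible in a packet capture. The following detector is an added example, not code from the thread, from Hunt or from any of the posters; the capture records, hosts, ports and thresholds are constructed for illustration.

```python
from collections import defaultdict

ARP_SAMPLE = [  # constructed ARP replies seen on the LAN: (timestamp, sender IP, sender MAC)
    (0.0, "10.0.0.5", "aa:aa:aa:aa:aa:05"),
    (1.0, "10.0.0.9", "aa:aa:aa:aa:aa:09"),
    (2.0, "10.0.0.5", "aa:aa:aa:aa:aa:05"),
    (3.0, "10.0.0.5", "de:ad:be:ef:00:01"),  # 10.0.0.5 now claimed by another MAC
]

TCP_SAMPLE = (  # constructed segments: (timestamp, src, sport, dst, dport, flags, payload bytes)
    # a normal telnet session: small data segments, each answered by one empty ACK
    [(i * 0.5, "10.0.0.5", 40000, "198.51.100.7", 23, "PA", 1) for i in range(6)]
    + [(i * 0.5 + 0.1, "198.51.100.7", 23, "10.0.0.5", 40000, "A", 0) for i in range(6)]
    # an ACK storm: both ends firing empty ACKs at each other, 30 segments in 0.3 s
    + [(5.0 + i * 0.01, *(("10.0.0.9", 40001, "198.51.100.7", 23) if i % 2
                          else ("198.51.100.7", 23, "10.0.0.9", 40001)), "A", 0)
       for i in range(30)]
)

def arp_conflicts(arp_replies):
    """Return (ip, old_mac, new_mac, ts) for every reply that rebinds a known IP.
    This is the condition behind the Windows 'IP address conflict' message;
    a legitimate DHCP reassignment trips it too, so treat hits as leads."""
    bindings, alerts = {}, []
    for ts, ip, mac in arp_replies:
        previous = bindings.get(ip)
        if previous is not None and previous != mac:
            alerts.append((ip, previous, mac, ts))
        bindings[ip] = mac
    return alerts

def ack_storms(segments, window=1.0, threshold=20):
    """Return the flows carrying at least `threshold` empty ACKs within `window` seconds.
    An ACK storm is two hosts endlessly acknowledging each other with no payload,
    so only segments whose flags are exactly ACK and whose payload is empty count."""
    pure_acks = defaultdict(list)
    for ts, src, sport, dst, dport, flags, payload_len in segments:
        if flags == "A" and payload_len == 0:
            pure_acks[tuple(sorted([(src, sport), (dst, dport)]))].append(ts)
    alerts = []
    for flow, times in pure_acks.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(flow)
                break
    return alerts
```

Run against real traffic, the same two functions can be fed from a pcap reader; the normal session in the sample produces no alert while the storm flow and the rebound IP are both reported.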

