Vulnerability Development mailing list archives
Re: Forge packets ?
From: Andrew Thomas <blink () EYE2EYE NET>
Date: Wed, 13 Sep 2000 18:15:47 +0200
Hi,

The problem that occurs, that will disrupt and eventually tear down the connection, has to do with the ACK storms that usually result from hijack attempts (sans ARP et al. spoofing; being on the same LAN is hence a requirement here).

In more detail: when you spoof a packet into an ongoing connection, the server responds with an ACK packet to acknowledge the data it just received. However, whenever data is received with an out-of-order packet, an ACK is immediately generated. The client responds to this packet with another ACK packet containing the 'correct' (from its point of view) sequence number. And then the server is required to respond with an ACK packet containing the 'correct' sequence number from its point of view... and so on and so on... This type of traffic will very rapidly congest networks, by the way. In any case, the connection is eventually dropped.

One OS that displays somewhat different behaviour is Linux, which will not participate in, and hence promulgate, this continuous generation of packets.

You can however avoid this by, e.g., spoofing ARP information such that information destined for one side of the connection actually gets transmitted to your MAC address on the LAN. However, you now have to make sure the packet gets forwarded on from your machine to the other machine on your local LAN. There's some software out there that works reasonably well at times to do this, hunt being probably the best known one.

There is also plenty of information out there on session hijacking, although most of it is somewhat lacking in the technical department.

Take it easy,
Andrew

Andrew Thomas <eye2eye>
digital distillers (Pty) Ltd
office: +27-(0)21-4889820
facsimile: +27-(0)21-4889830
mobile: +27-(0)83-3184070

-----Original Message-----
From: Samy Kamkar [CommPort5] [mailto:CommPort5 () LUCIDX COM]
Sent: Wednesday, September 13, 2000 12:27 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Forge packets ?

That sounds right, but as originally asked, can we send some data without disrupting anything... let's think about this situation. We're assuming that the remote host will take packets with incorrect sequence numbers, etc. and throw them away (I doubt there's much else it would want to do with those packets). See below and maybe you'll see how it can be done without disrupting anything:

spoofed == us, local == the local user, remote == remote host...

spoofed-local > remote: <data>
    (here is what you want sent, but now local is out of sync)
spoofed-remote > local: <data>
    (this is just here to get local to synchronize with our 'half-hijack'... we hope this will trigger local to send some stuff back to 'remote' and synchronize like that)
local > remote: ack/<data>
    (this is discarded at remote since remote already got its data)
remote > local: ack

So here you (being the spoofed packets) send some data to the remote host and send some data to the local user. Assuming you put in some data (of course this isn't always possible, but should be able to be done) that gets local to send ack or data to remote [it will have an incorrect sequence number now], remote will ignore it since it doesn't belong anywhere. Remote will also send an ack back saying 'I heard your packet [the spoofed one]' so local sees everything normally and so does remote.

Probably difficult but it should be able to be done

George Gales wrote:

> Hijacking normally involves knocking the original local user off the net one
> way or another. I don't believe there's a way to hijack without causing a
> disconnect without doing that.
>
> Assuming the hijacker was able to impersonate the local user (monitor their
> traffic, then inject spoofed packets with the right sequence numbers), the
> original user would still get disconnected.
>
> The cause is that, while the hijacker is sniffing the net to monitor the
> local user's traffic (and adjusting its sequence numbers to make things
> work), the original local user isn't sniffing, and won't adjust his sequence
> numbers to take into account the hijacker's traffic.
>
> As soon as the original local user communicates with the remote end (either
> direction), the receiving end would notice the incorrect sequence numbers,
> and things would go down the tubes (probably generate a RST and close the
> connection).
>
> If I'm wrong, please somebody explain...
>
> -Simon
> george_gales () non agilent com
>
> -----Original Message-----
> From: Samy Kamkar [CommPort5] [mailto:CommPort5 () LUCIDX COM]
> Sent: Monday, September 11, 2000 4:29 PM
> To: VULN-DEV () SECURITYFOCUS COM
> Subject: Re: Forge packets ?
>
> Just sending packets (assuming there is a connection from your lan which you're
> able to sniff) with data without disconnecting connections should be pretty
> simple. No handshakes needed since the connection will still be open from the
> local user... the local user will see it if (s)he sniffs the lan's packets and
> the remote host may echo the data which you sent, depending on the protocol.
> You would need to sniff the packets which the local user is sending to the
> remote host and then you'll need to create a packet matching what an outgoing
> packet from the local user would look like (correct sequence number, window
> size, etc.) and send it on its way... so it is possible. There are also many
> programs which already 'utilize' the local-net/tcp insecurities. Not allowing
> spoofed packets out (although it won't necessarily always be 'spoofed', could
> be from the same hostname depending on how the lan is set up) could stop
> it... I'm not aware of the best way to stop this from happening, or how easy it
> is to not allow spoofed packets out.
>
> Skreel wrote:
>
> > So TCP hijacking is the solution ? I thought hunt could only hijack
> > connections on port 23. What I actually want is to send data to remote host
> > without dropping the user's connection, whether the user sees the data or
> > not (I'm only talking theoretically). I just wanted to know if it was
> > possible. And also if I used ipchains to IPmasquerade the lan, then wouldn't
> > it be easier for an attacker to send data and hijack the user's connection?
> > Is there any way to prevent this kind of attack (if it is a real attack)?
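The ACK storm Andrew describes, as an added Python model. This is not code from this thread, from hunt, or from any kernel: the two endpoints, their sequence numbers, the injected bytes and the `ack_bad_pure_acks` switch are all constructed for the example. It models only the two RFC 793 rules that feed the loop (an out-of-window segment is dropped and answered with an ACK; a segment whose ACK number is beyond SND.NXT is dropped and answered with an ACK) and shows that once the server has accepted the forged data, each side's "corrective" ACK is unacceptable to the other, so the ACKs bounce until something gives up.

```python
"""Toy model of the ACK storm that follows injecting a segment into a
live TCP connection.

Constructed example: two simplified TCP endpoints (no retransmission, no
window scaling, no RST) on a lossless link. Only the two RFC 793 rules that
drive the storm are modelled:
  1. a segment whose SEQ is outside the receive window is dropped and
     answered with an ACK carrying the receiver's current numbers;
  2. a segment whose ACK number is beyond SND.NXT (it acknowledges data the
     receiver never sent) is dropped and answered with an ACK.
`ack_bad_pure_acks` is a switch of this model only: when False, the endpoint
silently drops data-less segments that fail those checks instead of ACKing
them, which is enough to break the loop. It is an assumption for the
example, not a description of any particular kernel's behaviour.
"""
from collections import deque
from dataclasses import dataclass
from typing import List, Tuple

RCV_WND = 65535  # receive window used by both endpoints (assumed)


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    data: bytes = b""

    def __str__(self) -> str:
        kind = f"data={self.data!r}" if self.data else "ack"
        return f"{self.src} > {self.dst}: seq={self.seq} ack={self.ack} {kind}"


@dataclass
class Endpoint:
    name: str
    snd_nxt: int                    # next sequence number this side will send
    rcv_nxt: int                    # next sequence number expected from the peer
    ack_bad_pure_acks: bool = True  # model switch, see module docstring
    received: bytes = b""

    def emit(self, dst: str, data: bytes = b"") -> Segment:
        seg = Segment(self.name, dst, self.snd_nxt, self.rcv_nxt, data)
        self.snd_nxt += len(data)
        return seg

    def receive(self, seg: Segment) -> List[Segment]:
        """Process one incoming segment; return the segments sent in reply."""
        in_window = self.rcv_nxt <= seg.seq < self.rcv_nxt + RCV_WND
        acks_unsent = seg.ack > self.snd_nxt
        if not in_window or acks_unsent:
            # Unacceptable segment: drop it and (per RFC 793) answer with an
            # ACK stating our own view of SEQ/ACK. That answer is exactly
            # what the peer, in turn, finds unacceptable.
            if seg.data or self.ack_bad_pure_acks:
                return [self.emit(seg.src)]
            return []
        self.received += seg.data
        self.rcv_nxt += len(seg.data)
        return [self.emit(seg.src)] if seg.data else []  # ACK new data only


def run(a: Endpoint, b: Endpoint, first: Segment, max_segments: int) -> List[Segment]:
    """Deliver `first`, then whatever each side emits in response, until the
    exchange goes quiet or `max_segments` have crossed the wire."""
    peers = {a.name: a, b.name: b}
    trace = [first]
    queue = deque([first])
    while queue and len(trace) < max_segments:
        seg = queue.popleft()
        for reply in peers[seg.dst].receive(seg):
            trace.append(reply)
            queue.append(reply)
    return trace


def simulate(ack_bad_pure_acks: bool, max_segments: int = 20) -> Tuple[List[Segment], bytes]:
    """Forge one client->server data segment using the sniffed numbers and
    return (trace of every segment on the wire, bytes the server accepted)."""
    client = Endpoint("client", snd_nxt=1000, rcv_nxt=5000,
                      ack_bad_pure_acks=ack_bad_pure_acks)
    server = Endpoint("server", snd_nxt=5000, rcv_nxt=1000,
                      ack_bad_pure_acks=ack_bad_pure_acks)
    # The attacker on the LAN has sniffed client.snd_nxt / client.rcv_nxt
    # and forges a segment that looks exactly like the client's next one.
    spoofed = Segment("client", "server", seq=1000, ack=5000, data=b"id\n")
    return run(client, server, spoofed, max_segments), server.received


if __name__ == "__main__":
    for flag in (True, False):
        trace, got = simulate(flag)
        print(f"ack_bad_pure_acks={flag}: {len(trace)} segments, server accepted {got!r}")
        for seg in trace[:6]:
            print("  ", seg)
```

Run as a script it prints both traces. In the first case the server accepts the forged `id\n` and ACKs up to 1003; the client, which has only sent up to 1000, treats that ACK as acknowledging data it never sent and answers with its own ACK at seq 1000, which the server now sees as below its receive window and ACKs again, and so on until the segment cap. In the second case the client drops the server's data-less ACK silently and the exchange stops after two segments, with the injected data still delivered; that is the shape of the behaviour the post attributes to Linux, reduced to a single rule. Real stacks also rate-limit such ACKs and may reset the connection once the client's next real data arrives, neither of which this toy models.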
Current thread:
- Forge packets ? Skreel (Sep 12)
- Re: Forge packets ? Samy Kamkar [CommPort5] (Sep 12)
- Re: Forge packets ? FX, Phenoelit (Sep 21)
- <Possible follow-ups>
- Re: Forge packets ? Skreel (Sep 12)
- Re: Forge packets ? Samy Kamkar [CommPort5] (Sep 12)
- Re: Forge packets ? Michael Wojcik (Sep 12)
- Re: Forge packets ? George Gales (Sep 12)
- Re: Forge packets ? Everhart, Glenn (FUSA) (Sep 12)
- Re: Forge packets ? Samy Kamkar [CommPort5] (Sep 13)
- Re: Forge packets ? Andrew Thomas (Sep 13)
- Re: Forge packets ? Michael Wojcik (Sep 14)