Vulnerability Development mailing list archives

Re: Forge packets ?


From: Andrew Thomas <blink () EYE2EYE NET>
Date: Wed, 13 Sep 2000 18:15:47 +0200

Hi,

The problem that occurs that will disrupt and eventually tear down the
connection has to do with the ACK storms that usually result from hijack
attempts (sans ARP, et al spoofing - being on the same LAN is hence a
requirement here.)

In more detail - when you spoof a packet into an ongoing connection, the
server responds with an ACK packet to acknowledge the data that was just
received.  However, whenever data is received with an out-of-order packet,
an ACK is immediately generated. The client responds to this packet with
another ACK packet containing the 'correct' (from its point of view)
sequence number. And then the server is required to respond with an ACK packet
containing the 'correct' sequence number from its point of view... and so on
and so on... This type of traffic will very rapidly congest networks by the
way. In any case, the connection is eventually dropped.

One OS that displays somewhat different behavior is Linux, which will not
participate in and hence promulgate this continuous generation of packets.

You can however avoid this by, e.g. spoofing ARP information such that
information destined for one side of the connection actually gets
transmitted to your MAC address on the LAN. However, you now have to make
sure the packet gets forwarded on from your machine to the other machine on your
local LAN.

There's some software that works reasonably well at times out there to do
this, hunt being probably the best known one. There is also plenty of
information out there on session hijacking, although most of it is somewhat
lacking in the technical department.

Take it easy,
   Andrew
Andrew Thomas
<eye2eye> digital distillers (Pty) Ltd
office: +27-(0)21-4889820
facsimile: +27-(0)21-4889830
mobile: +27-(0)83-3184070


-----Original Message-----
From: Samy Kamkar [CommPort5] [mailto:CommPort5 () LUCIDX COM]
Sent: Wednesday, September 13, 2000 12:27 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Forge packets ?

That sounds right, but as originally asked, can we send some data without
disrupting anything...let's think about this situation. We're assuming that
the remote host will take packets with incorrect sequence numbers, etc and
throw them away (I doubt there's much else it would want to do with those
packets.) See below and maybe you'll see how it can be done without
disrupting anything:

spoofed == us, local == the local user, remote == remote host...
spoofed-local > remote: <data> (here is what you want sent, but now local is
out of sync)
spoofed-remote > local: <data> (this is just here to get local to synchronize
with our 'half-hijack'...we hope this will trigger local to send some stuff
back to 'remote' and synchronize like that)
local > remote: ack/<data> (this is discarded at remote since remote already
got its data)
remote > local: ack

So here you (being the spoofed packets) send some data to the remote host and
send some data to the local user. Assuming you put in some data (of course
this isn't always possible, but should be able to be done) that gets local to
send ack or data to remote [it will have an incorrect sequence number now],
remote will ignore it since it doesn't belong anywhere. Remote will also send
an ack back saying 'I heard your packet [the spoofed one]' so local sees
everything normally and so does remote. Probably difficult but it should be
able to be done

George Gales wrote:

> Hijacking normally involves knocking the original local user off the net one
> way or another. I don't believe there's a way to hijack without causing a
> disconnect without doing that.
>
> Assuming the hijacker was able to impersonate the local user (monitor their
> traffic, then inject spoofed packets with the right sequence numbers), the
> original user would still get disconnected.
>
> The cause is that, while the hijacker is sniffing the net to monitor the
> local user's traffic (and adjusting its sequence numbers to make things
> work), the original local user isn't sniffing, and won't adjust his sequence
> numbers to take into account the hijacker's traffic.
>
> As soon as the original local user communicates with the remote end (either
> direction), the receiving end would notice the incorrect sequence numbers,
> and things would go down the tubes (probably generate a RST and close the
> connection).
>
> If I'm wrong, please somebody explain...
>
> -Simon
> george_gales () non agilent com
>
> -----Original Message-----
> From: Samy Kamkar [CommPort5] [mailto:CommPort5 () LUCIDX COM]
> Sent: Monday, September 11, 2000 4:29 PM
> To: VULN-DEV () SECURITYFOCUS COM
> Subject: Re: Forge packets ?
>
> Just sending packets (assuming there is a connection from your lan which
> you're able to sniff) with data without disconnecting connections should be
> pretty simple. No handshakes needed since the connection will still be open
> from the local user...the local user will see it if (s)he sniffs the lan's
> packets and the remote host may echo the data which you sent, depending on
> the protocol. You would need to sniff the packets which the local user is
> sending to the remote host and then you'll need to create a packet matching
> what an outgoing packet from the local user would look like (correct
> sequence number, window size, etc.) and send it on its way...so it is
> possible. There are also many programs which already 'utilize' the
> local-net/tcp insecurities. Not allowing spoofed packets out (although it
> won't necessarily always be 'spoofed', could be from the same hostname
> depending on how the lan is set up) could stop it...I'm not aware of the
> best way to stop this from happening, or how easy it is to not allow spoofed
> packets out.
>
> Skreel wrote:
>
> > So TCP hijacking is the solution ? I thought hunt could only hijack
> > connections on port 23. What I actually want is to send data to remote
> > host without dropping the user's connection, whether the user sees the
> > data or not (I'm only talking theoretically). I just wanted to know if it
> > was possible. And also if I used ipchains to IPmasquerade the lan, then
> > wouldn't it be easier for an attacker to send data and hijack the user's
> > connection ? Is there any way to prevent this kind of attack (if it is a
> > real attack )?

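The ACK storm Andrew describes at the top of this message shows up on the wire as a ping-pong of empty ACK segments whose sequence and acknowledgement numbers never move. As an added example, not code from anyone in this thread, here is a small Python detector for that pattern, run over a constructed trace (the addresses, the telnet-style echo exchange and the 10-byte out-of-sync segment are all made-up values).

```python
from collections import namedtuple

# Constructed segment records in the shape a sniffer would report;
# `flags` uses Wireshark-style letters ("A" = pure ACK, "PA" = PSH+ACK).
Seg = namedtuple("Seg", "src dst flags seq ack length")

def conn_key(s):
    """Direction-independent key for one TCP connection."""
    return tuple(sorted((s.src, s.dst)))

def find_ack_storms(segments, threshold=4):
    """Return {connection: total_repeats} for connections in which BOTH
    directions resend the same empty ACK (frozen SEQ/ACK) at least
    `threshold` times in a row; one-directional dup ACKs don't match."""
    state = {}    # connection -> {direction: [(seq, ack), repeats]}
    storms = {}
    for s in segments:
        k = conn_key(s)
        if s.length != 0 or s.flags != "A":
            state[k] = {}         # data, SYN, FIN or RST ends any storm
            continue
        dirs = state.setdefault(k, {})
        d, nums = (s.src, s.dst), (s.seq, s.ack)
        if d in dirs and dirs[d][0] == nums:
            dirs[d][1] += 1       # same empty ACK again in this direction
        else:
            dirs[d] = [nums, 0]   # first sight, or numbers moved on normally
        if len(dirs) == 2 and all(r >= threshold for _, r in dirs.values()):
            storms[k] = sum(r for _, r in dirs.values())
    return storms

# Hypothetical endpoints: a user's telnet client (A) and the server (B).
A, B = "10.0.0.5:1034", "10.0.0.9:23"

def make_trace(rounds=6):
    """Constructed trace: a healthy echo exchange, then a 10-byte segment
    carrying A's numbers that A itself never sent, then the resulting storm.
    B acknowledges bytes A never sent; A answers with the only numbers it
    knows; B sees that as out of order and acknowledges again, and so on."""
    trace = [Seg(A, B, "PA", 1000, 5000, 1),   # user types one byte
             Seg(B, A, "PA", 5000, 1001, 1),   # server echoes it
             Seg(A, B, "A", 1001, 5001, 0),    # user acks the echo
             Seg(A, B, "PA", 1001, 5001, 10)]  # out-of-sync 10-byte segment
    for _ in range(rounds):
        trace.append(Seg(B, A, "A", 5001, 1011, 0))   # B: "I have up to 1011"
        trace.append(Seg(A, B, "A", 1001, 5001, 0))   # A: "my SEQ is 1001"
    return trace
```

Keep the threshold above the three duplicate ACKs that normal fast retransmit produces, and reset on any data segment, as the code does, so a healthy connection with delayed ACKs is never flagged.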
