Security Basics mailing list archives

Re: IP Session Hijacking And Spoofing


From: John Fastabend <jfastabe () up edu>
Date: Thu, 21 Nov 2002 17:29:51 -0800 (PST)

On Tue, 19 Nov 2002, LEHMANN, TODD wrote:

I have read some documentation on IP Spoofing, and from what I have read, it
sounds like you must determine the sequence number of the host before you
can spoof. However, I don't understand why you would have to determine the
sequence if you are creating a new session with the host under a false IP.
Wouldn't the creation of the new TCP session negotiate the sequence number
at that time?

Yes. If you were to create a new session with the host then you wouldn't 
have to know the sequence number.  But if you were creating a new session, then 
inevitably you are going to run into some form of login, i.e. a user/password 
combo, unless you are spoofing to get into rlogin or a similar service.  
The point of hijacking is to interrupt a session somewhere in the middle, 
after the authentication process has happened. That way you do not have to 
know the password and username.
     
I also failed to understand how the traffic gets back to you if you are
telling it to respond to another host. Can someone shine some light on this
for me?

It doesn't. So there are two methods to get around this: the first is to 
somehow route the traffic through your computer, and the other is to do 
what is called blind spoofing.  This is when you never see the traffic, 
but are able to respond by guessing, well, actually by knowing how the 
target computer is going to act, and then building the right sorts of 
packets.
 
When it comes to session hijacking, how does one go about determining the
sequence number on a host that uses a random number seed to create the
sequence? Is it some form of complex algorithm or is it just impossible
unless you create the session? 

Yes, the sequence number is created by an algorithm.  Sometimes this 
algorithm is complex and, well, sometimes it's not.  A great paper about this 
topic is called Strange Attractors and TCP/IP Sequence Number Analysis; 
you can read it at http://razor.bindview.com/publish/papers/tcpseq.html. 
There is also a follow-up to this paper, but unfortunately I do not know 
the address, though I assume a quick Google search would find it.  Well, 
hopefully that clears up some of the mystery. 


John Fastabend
aka PerlKiddie
Computer Engineering Major
University of Portland
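The two points the reply makes (an injected segment is only processed if it carries a sequence number the receiver is expecting, and a blind spoofer can still get one if the target's ISN generator is predictable) as an added, self-contained example. This is illustrative code written for this archive page, not code from the thread, from Bindview, or from any real TCP stack: the acceptability check is a simplified RFC 793 window test, the two ISN generators are toy models (the 64000-per-connection step for the old-style counter generator is an assumed value), and `probe_isns` stands in for opening real connections to the target.

```python
"""Added example (not from the thread): why a hijacker needs the sequence
number, and how a predictable ISN generator hands it to a blind spoofer.
The TCP behaviour below is a simplified model written for this page; the
ISN step of 64000 is an assumed value for an old-style counter generator."""
import random
from typing import List, Optional

MOD = 1 << 32          # sequence numbers are 32-bit and wrap around
DEFAULT_WND = 65535    # receive window assumed for the examples


def seq_in_range(low: int, x: int, high: int) -> bool:
    """True if low <= x < high in 32-bit modular arithmetic."""
    return (x - low) % MOD < (high - low) % MOD


def segment_acceptable(rcv_nxt: int, seg_seq: int, seg_len: int,
                       rcv_wnd: int = DEFAULT_WND) -> bool:
    """Simplified RFC 793 acceptability test on an established connection:
    a segment is processed only if some part of it lands in the receive
    window [RCV.NXT, RCV.NXT + RCV.WND).  Everything else is dropped, so an
    injector must know RCV.NXT (by sniffing the session) or guess it, and a
    blind guess lands in the window with probability of roughly WND / 2^32."""
    if rcv_wnd == 0:
        return seg_len == 0 and seg_seq == rcv_nxt
    high = rcv_nxt + rcv_wnd
    if seg_len == 0:
        return seq_in_range(rcv_nxt, seg_seq, high)
    return (seq_in_range(rcv_nxt, seg_seq, high)
            or seq_in_range(rcv_nxt, seg_seq + seg_len - 1, high))


class ConstantIncrementISN:
    """Toy model of an ISN generator that adds a fixed step per connection
    (the kind of counter the classic sequence-number attacks relied on;
    the step value is assumed, not taken from any particular stack)."""
    def __init__(self, start: int, step: int = 64000):
        self.isn, self.step = start % MOD, step

    def next_isn(self) -> int:
        self.isn = (self.isn + self.step) % MOD
        return self.isn


class RandomISN:
    """Toy model of a generator that draws every ISN uniformly at random
    (seeded only so the example is reproducible)."""
    def __init__(self, seed: int = 1):
        self.rng = random.Random(seed)

    def next_isn(self) -> int:
        return self.rng.getrandbits(32)


def probe_isns(gen, count: int) -> List[int]:
    """Stand-in for opening `count` legitimate connections to the target
    and recording the ISN from each SYN/ACK."""
    return [gen.next_isn() for _ in range(count)]


def predict_next_isn(samples: List[int]) -> Optional[int]:
    """Delta analysis: if every ISN-to-ISN delta is identical the generator is
    a counter and the next ISN is last + delta.  Otherwise return None; the
    samples give no linear prediction (a real analysis would study the
    structure of the deltas, as the Bindview paper does, before giving up)."""
    deltas = {(b - a) % MOD for a, b in zip(samples, samples[1:])}
    if len(samples) < 3 or len(deltas) != 1:
        return None
    return (samples[-1] + deltas.pop()) % MOD


def blind_spoof_succeeds(gen, probes: int = 4) -> bool:
    """Blind spoofing as the reply describes it: the attacker learns the
    target's ISN behaviour from a few real connections, sends a SYN with a
    forged source, never sees the SYN/ACK, and must ACK the ISN the target
    chose.  The handshake completes only if the ACK number equals ISN + 1."""
    predicted = predict_next_isn(probe_isns(gen, probes))
    if predicted is None:
        return False      # nothing better than a 1-in-2^32 guess is left
    target_isn = gen.next_isn()   # the ISN in the SYN/ACK the attacker never sees
    return (predicted + 1) % MOD == (target_isn + 1) % MOD


if __name__ == "__main__":
    nxt = 0x12345678
    print("sniffed seq accepted:", segment_acceptable(nxt, nxt, 40))
    print("guess one window off accepted:", segment_acceptable(nxt, nxt + 70000, 40))
    print("counter ISN, blind spoof:", blind_spoof_succeeds(ConstantIncrementISN(start=1000)))
    print("random ISN, blind spoof:", blind_spoof_succeeds(RandomISN(seed=7)))
```

Run stand-alone, the script reports that the sniffed sequence number is accepted, the guess one window away is dropped, the counter-style generator is beaten after four probe connections, and the random generator leaves the delta analysis with nothing to extrapolate. The window test is what makes "hijack the established session" practical only when the attacker can see the traffic; the ISN prediction is what makes the rlogin-style new-connection spoof practical without seeing it.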
 

