RE: IP Session Hijacking And Spoofing

[Gene LeDuc <Gene.LeDuc () mktdev tnsofres com>]

Let's take 2 machines, A and T.  A is the attacker and T is the target.  We
can use B as the bogus (spoofed) source address.

A sends a SYN packet to T with B's address as the source to open a TCP
connection.  Any sequence number will work in this packet.

T receives the bogus packet, increments A's sequence number and sends a
SYN/ACK packet with T's own sequence number.  A's sequence number is used to
ACK the original SYN packet and T's sequence number is used to serialize
this packet.  This packet will just disappear into the Internet because it's
going to B's bogus address.

A doesn't receive the SYN/ACK from T because it went to a bogus address.  A
assumes, however, that T did send a SYN/ACK.  In order to complete the TCP
3-way handshake A must now send an ACK packet back to T with T's sequence
number incremented.  If A has no idea what T used as a sequence number on
it's SYN/ACK then it's extremely unlikely that he'll guess what number to
ACK in his packet.

The traffic from T will NEVER get back to A if A is sending packets with a
spoofed address.  There's a lot A can do, though, without ever seeing any
packets from T.  Sending e-mail is one pretty simple example.  A already
knows (because he's done his homework and knows how to do smtp) what T's
responses are going to be for an SMTP exchange so he just sends his e-mail
in a way that T would expect to receive it.  Another fun trick would be to
run a root exploit on DNS or FTP or whatever service you know is broken and
install a root kit.

If you can't guess or sniff the target's sequence numbers then it's going to
be extremely difficult to hijack a session.  I don't know how you'd do it.

I hope this answers your questions.

Regards,
Gene

-----Original Message-----
From: LEHMANN, TODD [mailto:TODLEH () SAFECO com]
Sent: Tuesday, November 19, 2002 11:33 AM
To: security-basics () securityfocus com
Subject: IP Session Hijacking And Spoofing


I have read some documentation on IP Spoofing, and from what I have read, it
sounds like you must determine the sequence number of the host before you
can spoof. However, I don't understand why you would have to determine the
sequence if you are creating a new session with the host under a false IP.
Wouldn't the creation of the new TCP session negotiate the sequence number
at that time?

I also failed to understand how the traffic gets back to you if you are
telling it to respond to another host. Can someone shine some light on this
for me?

When it comes to session high-jacking, how does one go about determining the
sequence number on a host that uses a random number seed to create the
sequence? Is it some form of complex algorithms or is it just impossible
unless you create the session? 

Todd Lehmann
Systems Analyst I
VPN Subject Matter Expert