Full Disclosure mailing list archives
Re: info on ip spoofing please
From: "Ian stuart Turnbull" <ian.t7 () hotmail co uk>
Date: Tue, 11 Apr 2006 22:36:05 +0100
Yee-hah! And there we have it in a nutshell. Such an easy answer when you know, I'm in your debt for this. Many many thanks. Now I'll get some sleep tonight - great.
Best regards, Ian t
From: Valdis.Kletnieks () vt edu
To: Ian stuart Turnbull <ian.t7 () hotmail co uk>
CC: bmenrigh () ucsd edu, full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] info on ip spoofing please
Date: Tue, 11 Apr 2006 17:11:53 -0400

On Tue, 11 Apr 2006 21:54:50 BST, Ian stuart Turnbull said:

> Excellent response Brendon. Thanks heaps.
> I was reading the infamous Markoff / Tsutomu Shimomura attack at

That was *Mitnick*, not Markoff - Markoff wrote a book or 3 about it later.

> http://www.totse.com/en/hack/hack_attack/hacker03.html
>
> and I guess I assumed that as they did not know each other personally then
> Markoff must have found a way to locate 2 computers conversing with each
> other randomly? Perhaps this assumption was not correct?
> Though from the test it appears Markoff DID find a way of doing this - ie,
> finding 2 computers talking to each other NOT on his own LAN / network???

Well, at that time, it was a pretty good guess that if you found hostnames george.site.dom, paul.site.dom, john.site.dom, and ringo.site.dom, and all 4 had rsh enabled, that there was a lot of rsh traffic between them, and likely a .rhost trust between them so you wouldn't need a password....

And what Mitnick's attack did *wasn't* finding 2 computers *talking*. In fact, the attack relied on finding a trusted computer *not* talking (or making it not talk). What he did was:

1) Bash george.site.dom over the head with SYN packets to make it STFU.
2) Send paul.site.dom a forged SYN packet claiming to be from george.
3) Paul sends a syn/ack to george, who can't send an RST because it's STFU.
4) Send a forged ACK for the syn/ack claiming to be from george.
5) Send the rest of the TCP datastream.

The only tough part is knowing what ISN will be on the syn/ack so you can ack it properly - and in that day, just poking its 'finger' port or something, noting *that* ISN, and adding 32K or similar constant was almost guaranteed to work.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
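The ISN-guessing point in Valdis's step 4 and his closing sentence, as an added toy model that is not code from the thread: it models paul's side of the handshake under two ISN policies, the constant-increment generator of that era and a per-connection random one, and shows that the "probe one ISN, add a constant" guess completes a handshake for a peer whose SYN/ACK the guesser never sees only against the first policy. The 32768 step, the host labels and the function names are assumptions; nothing here touches the network.

```python
import os
import random
import struct

# Constructed model of the SYN / SYN-ACK / ACK exchange in steps 2-4 above.
# Hosts are plain Python objects; the point is the ISN policy, which is
# what decides whether a blind ACK can ever carry the right number.

STEP = 32768  # the "32K or similar constant" of the thread (assumed value)


def constant_increment_isn(state):
    """1990s-style generator: next ISN = previous ISN + fixed step."""
    state["isn"] = (state["isn"] + STEP) & 0xFFFFFFFF
    return state["isn"]


def random_isn(state):
    """Per-connection unpredictable ISN, as modern stacks do (cf. RFC 6528)."""
    return struct.unpack("!I", os.urandom(4))[0]


class Server:
    """'paul': answers a SYN with a SYN/ACK carrying a fresh ISN and only
    completes the connection if the ACK number equals that ISN + 1."""

    def __init__(self, isn_policy):
        self.isn_policy = isn_policy
        self.state = {"isn": random.getrandbits(32)}
        self.half_open = {}  # claimed peer -> ISN sent in its SYN/ACK

    def syn(self, peer):
        isn = self.isn_policy(self.state)
        self.half_open[peer] = isn
        return isn  # the SYN/ACK goes to `peer`, not to whoever really sent the SYN

    def ack(self, peer, ack_num):
        isn = self.half_open.pop(peer, None)
        return isn is not None and ack_num == (isn + 1) & 0xFFFFFFFF


def guess_completes_handshake(isn_policy):
    """Open one legitimate connection to observe an ISN, guess the next one,
    then ACK on behalf of 'george' without ever seeing george's SYN/ACK."""
    paul = Server(isn_policy)
    observed = paul.syn("prober")            # our own connection: ISN is visible
    guess = (observed + STEP) & 0xFFFFFFFF    # prediction for the next connection
    paul.syn("george")                        # SYN claiming to be george; reply goes to george
    return paul.ack("george", (guess + 1) & 0xFFFFFFFF)
```

Randomizing the ISN is the mitigation the model isolates: with it, the guessed ACK number is wrong with probability about 1 - 2^-32, and the half-open entry is simply discarded.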
Current thread:
- info on ip spoofing please Ian stuart Turnbull (Apr 11)
- Re: info on ip spoofing please Michael Holstein (Apr 11)
- Re: info on ip spoofing please Brian Eaton (Apr 11)
- Re: info on ip spoofing please Ian stuart Turnbull (Apr 11)
- Re: info on ip spoofing please Brian Eaton (Apr 11)
- Re: info on ip spoofing please Brian Eaton (Apr 11)
- Re: info on ip spoofing please Michael Holstein (Apr 11)
- Re: info on ip spoofing please Brandon Enright (Apr 11)
- Re: info on ip spoofing please Ian stuart Turnbull (Apr 11)
- Re: info on ip spoofing please Valdis . Kletnieks (Apr 11)
- Re: info on ip spoofing please Ian stuart Turnbull (Apr 11)
- Re: info on ip spoofing please Brandon Enright (Apr 11)
- Re: info on ip spoofing please Ian stuart Turnbull (Apr 11)
- Re: info on ip spoofing please Ian stuart Turnbull (Apr 11)
- <Possible follow-ups>
- RE: info on ip spoofing please Neil Davis (Apr 12)
- RE: RE: info on ip spoofing please Ian stuart Turnbull (Apr 12)
- RE: RE: info on ip spoofing please Arley Barros Leal (Apr 12)
- RE: RE: info on ip spoofing please Ian stuart Turnbull (Apr 12)