Penetration Testing mailing list archives
Re: RE: Session & IP Spoofing
From: Frank Knobbe <frank () knobbe us>
Date: Thu, 04 Dec 2003 18:41:09 -0600
On Thu, 2003-12-04 at 09:46, Nexus wrote:
> But you would also need to spoof the TCP 3-way handshake before you can even send the HTTP GET request, which is um..... non-trivial ;-)

I thought that IIS servers don't need the 3-way handshake. Isn't IE cheating by trying to send regular ACKed data packets in order to speed up the connection with the IIS webserver? (and falls back to TCP 3-way when it doesn't get a response, as is pretty much the case with all standards-abiding web servers).

So IIS servers may be more vulnerable against those spoofing attacks than, say, Apache servers. (and if that is the case -- testing required here -- then it's just another one of those situations where Microsoft ignores a standard, tries to cheat in favor of performance, and gets bitten with a vulnerability in the end...)

Regards,
Frank