Vulnerability Development mailing list archives

Re: Forge packets ?


From: Michael Wojcik <Michael.Wojcik () MERANT COM>
Date: Tue, 12 Sep 2000 12:39:43 -0700

> From: Samy Kamkar [CommPort5] [mailto:CommPort5 () LUCIDX COM]
> Sent: Monday, September 11, 2000 3:29 PM
>
> Just sending packets (assuming there is a connection from your lan which
> you're able to sniff) with data without disconnecting connections should
> be pretty simple.  No handshakes needed since the connection will still
> be open from the local user...the local user will see it if (s)he sniffs
> the lan's packets and the remote host may echo the data which you sent,
> depending on the protocol.

Spoofing packets without *disconnecting* the real source, maybe, but you're
going to interfere with the real source's conversation.  The spoofed packets
will consume sequence numbers, with at least two possible results:

- packets from the real source will be treated as duplicates and discarded
(if you're lucky; if not, spoofed data will arrive second and be discarded,
or data will be interleaved)

- ACKs will come back to the real source for data it hasn't sent yet.  I
don't know what the RFCs say about that, but I imagine stacks aren't happy
about it, unless they're required to ignore it.

Session hijacking isn't one of my hobbies, so there may be some clever dodge
around these issues that I'm unaware of, but offhand I don't see how you'll
keep the real source ignorant of your interference (at least if it ever
tries to use the conversation again after you've started messing with it).

Now, it *might* be possible to perform a man-in-the-middle attack where you
intercept packets from the real source; prevent them from arriving at the
destination (you're acting as an evil router); change the data in them to
your data - preserving packet sizes, so the sequence numbers match; and
forward them on.  (And you may have to mess with the responses so the real
source doesn't notice anything funny going on.  How transparent does this
need to be?)  Non-trivial.

Session hijacking itself isn't particularly difficult.  Keeping the
passengers from noticing the guy in the cockpit with the gun, on the other
hand...

Michael Wojcik             michael.wojcik () merant com
MERANT
Department of English, Miami University
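The two outcomes the reply above predicts (the real sender's later data being discarded as a duplicate, or partly interleaved with the injected bytes, and ACKs reaching the real sender for bytes it never sent) can be checked with a small in-memory model of TCP sequence-space bookkeeping. The code below is an added illustration, not code from the thread or from any of its participants; the hosts A, B and X, the initial sequence number 1000, the payloads, and the `Sender`/`Receiver` classes are all constructed for this example, and the model tracks only SND.NXT and RCV.NXT with no real sockets or packets.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed model (not from the thread): a minimal TCP sender and receiver
# that track only sequence-space state, enough to show what the reply predicts
# when a third party ("X") injects segments into A's established connection to B.

@dataclass
class Segment:
    src: str        # "A" = the real sender, "X" = an injector using A's addresses
    seq: int        # sequence number of the first payload byte
    payload: bytes


@dataclass
class Receiver:
    """B's side: RCV.NXT plus the bytes it has handed to the application."""
    rcv_nxt: int
    delivered: bytearray = field(default_factory=bytearray)

    def receive(self, seg: Segment) -> Tuple[str, int]:
        end = seg.seq + len(seg.payload)
        if end <= self.rcv_nxt:
            # Everything in this segment is already acknowledged: discarded as a duplicate.
            return ("duplicate", self.rcv_nxt)
        if seg.seq > self.rcv_nxt:
            # Gap before this segment; a real stack would buffer it, here we only report it.
            return ("out_of_order", self.rcv_nxt)
        # In-window: trim any prefix that overlaps data already received, keep the rest.
        self.delivered += seg.payload[self.rcv_nxt - seg.seq:]
        self.rcv_nxt = end
        return ("accepted", self.rcv_nxt)


@dataclass
class Sender:
    """A's side: SND.NXT plus a log of ACKs that cannot be explained by what A sent."""
    snd_nxt: int
    anomalies: List[str] = field(default_factory=list)

    def send(self, payload: bytes) -> Segment:
        seg = Segment("A", self.snd_nxt, payload)
        self.snd_nxt += len(payload)
        return seg

    def on_ack(self, ack: int) -> None:
        # SEG.ACK > SND.NXT: the peer acknowledges bytes A has never sent.
        if ack > self.snd_nxt:
            self.anomalies.append(f"ACK {ack} beyond SND.NXT {self.snd_nxt}")


def simulate(real_first: bytes, injected: bytes, real_second: bytes) -> dict:
    """Run A -> B, then X -> B (spoofed as A), then A -> B again; return what B
    delivered, the per-segment verdicts, and the anomalies A's stack would see."""
    isn = 1000                      # constructed initial sequence number
    a, b = Sender(snd_nxt=isn), Receiver(rcv_nxt=isn)
    events = []

    seg = a.send(real_first)        # 1. normal traffic from the real sender
    events.append((seg.src, b.receive(seg)))
    a.on_ack(b.rcv_nxt)

    if injected:                    # 2. injector reuses the sequence number it saw on the LAN
        spoof = Segment("X", b.rcv_nxt, injected)
        events.append((spoof.src, b.receive(spoof)))
        a.on_ack(b.rcv_nxt)         # B's ACK for the injected bytes goes to the real A

    seg = a.send(real_second)       # 3. the real sender continues, unaware
    events.append((seg.src, b.receive(seg)))
    a.on_ack(b.rcv_nxt)

    return {"delivered": bytes(b.delivered), "events": events, "anomalies": a.anomalies}


if __name__ == "__main__":
    for second in (b"ABCD", b"XYZ123"):
        print(second, simulate(b"GET /", b"EVIL", second))
```

With a 4-byte injection followed by a 4-byte real segment, B discards the real segment as a duplicate; with a 6-byte real segment, B keeps only the 2 bytes past the injected range, so the application sees interleaved data. In both runs A's stack records one ACK that is ahead of its own SND.NXT, which is the signal a host-based check or an IDS reconstructing the stream can alert on (RFC 793 has the receiver of such an ACK in the ESTABLISHED state drop the segment and send an ACK of its own, so the stack does not crash, but the mismatch is visible).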

