Vulnerability Development mailing list archives

Re: Forge packets ?


From: "Samy Kamkar [CommPort5]" <CommPort5 () LUCIDX COM>
Date: Tue, 12 Sep 2000 23:27:26 +0100

That sounds right, but as originally asked, can we send some data without disrupting anything...let's think about this situation.  We're assuming that the remote host will take packets with incorrect sequence numbers, etc and throw them away (I doubt there's much else it would want to do with those packets.)  See below and maybe you'll see how it can be done without disrupting anything:

spoofed == us, local == the local user, remote == remote host...
spoofed-local > remote: <data>  (here is what you want sent, but now local is out of sync)
spoofed-remote > local: <data>  (this is just here to get local to synchronize with our 'half-hijack'...we hope this will trigger local to send some stuff back to 'remote' and synchronize like that)
local > remote: ack/<data>  (this is discarded at remote since remote already got its data)
remote > local: ack

So here you (being the spoofed packets) send some data to the remote host and send some data to the local user.  Assuming you put in some data (of course this isn't always possible, but should be able to be done) that gets local to send ack or data to remote [it will have an incorrect sequence number now], remote will ignore it since it doesn't belong anywhere.  Remote will also send an ack back saying 'I heard your packet [the spoofed one]' so local sees everything normally and so does remote.  Probably difficult but it should be able to be done

George Gales wrote:

Hijacking normally involves knocking the original local user off the net one way or another.  I don't believe there's a way to hijack without causing a disconnect without doing that.

Assuming the hijacker was able to impersonate the local user (monitor their traffic, then inject spoofed packets with the right sequence numbers), the original user would still get disconnected.

The cause is that, while the hijacker is sniffing the net to monitor the local user's traffic (and adjusting its sequence numbers to make things work), the original local user isn't sniffing, and won't adjust his sequence numbers to take into account the hijacker's traffic.

As soon as the original local user communicates with the remote end (either direction), the receiving end would notice the incorrect sequence numbers, and things would go down the tubes (probably generate a RST and close the connection).

If I'm wrong, please somebody explain...

-Simon
george_gales () non agilent com

-----Original Message-----
From: Samy Kamkar [CommPort5] [mailto:CommPort5 () LUCIDX COM]
Sent: Monday, September 11, 2000 4:29 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Forge packets ?

Just sending packets (assuming there is a connection from your lan which you're able to sniff) with data without disconnecting connections should be pretty simple.  No handshakes needed since the connection will still be open from the local user...the local user will see it if (s)he sniffs the lan's packets and the remote host may echo the data which you sent, depending on the protocol.  You would need to sniff the packets which the local user is sending to the remote host and then you'll need to create a packet matching what an outgoing packet from the local user would look like (correct sequence number, window size, etc.) and send it on its way...so it is possible.  There are also many programs which already 'utilize' the local-net/tcp insecurities.  Not allowing spoofed packets out (although it won't necessarily always be 'spoofed', could be from the same hostname depending on how the lan is set up) could stop it...I'm not aware of the best way to stop this from happening, or how easy it is to not allow spoofed packets out.

Skreel wrote:

So TCP hijacking is the solution?  I thought hunt could only hijack connections on port 23.  What I actually want is to send data to remote host without dropping the user's connection, whether the user sees the data or not (I'm only talking theoretically).  I just wanted to know if it was possible.  And also if I used ipchains to IPmasquerade the lan, then wouldn't it be easier for an attacker to send data and hijack the user's connection?  Is there any way to prevent this kind of attack (if it is a real attack)?
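The sequence-number collision this thread keeps coming back to (the legitimate user's next segment landing on bytes the remote end has already accepted from a spoofed one) is what an IDS looks for when it tracks a TCP stream. The following is an added example, not code from anyone in this thread: a small Python tracker over constructed segments that flags a segment reusing an already-accepted sequence number with different bytes ("conflict") and a segment that has fallen ahead of the stream ("desync"). The endpoint labels and all segment values are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Segment:
    src: str            # hypothetical endpoint label, e.g. "local"
    dst: str
    seq: int
    payload: bytes = b""
    syn: bool = False   # SYN consumes one sequence number

@dataclass
class DirState:
    expected: Optional[int] = None           # next seq this sender should use
    seen: Dict[int, bytes] = field(default_factory=dict)  # accepted seq -> bytes

def monitor(segments: List[Segment]) -> List[Tuple[int, str]]:
    """Return (index, verdict) for every segment that is inconsistent with
    the sequence space of its own direction of the connection."""
    dirs: Dict[Tuple[str, str], DirState] = {}
    alerts: List[Tuple[int, str]] = []
    for i, s in enumerate(segments):
        st = dirs.setdefault((s.src, s.dst), DirState())
        consumed = len(s.payload) + (1 if s.syn else 0)
        if st.expected is None or s.seq == st.expected:
            # In order: the receiver accepts it and moves its window forward.
            st.seen[s.seq] = s.payload
            st.expected = s.seq + consumed
        elif s.seq in st.seen and st.seen[s.seq] != s.payload:
            # Same sequence number, different bytes: two senders are competing
            # for the same slot in the stream, which is what injection causes.
            alerts.append((i, "conflict"))
        elif s.seq < st.expected:
            pass  # plain retransmission of bytes already accepted: benign
        else:
            # Sender is ahead of what the stream has reached: out of sync.
            alerts.append((i, "desync"))
    return alerts

# Constructed trace mirroring the thread: a third segment is accepted as if it
# came from "local", so local's genuine next bytes collide and then drift.
SAMPLE = [
    Segment("local", "remote", 1000, syn=True),      # expected -> 1001
    Segment("local", "remote", 1001, b"GET /"),      # expected -> 1006
    Segment("local", "remote", 1006, b"inj"),        # accepted; expected -> 1009
    Segment("local", "remote", 1006, b"more"),       # real user's bytes: conflict
    Segment("local", "remote", 1010, b"x"),          # real user ahead: desync
]

if __name__ == "__main__":
    print(monitor(SAMPLE))  # [(3, 'conflict'), (4, 'desync')]
```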

