Security Basics mailing list archives
RE: IP Session Hijacking And Spoofing
From: John Fastabend <jfastabe () up edu>
Date: Tue, 26 Nov 2002 17:06:14 -0800 (PST)
On Mon, 25 Nov 2002, LEHMANN, TODD wrote:
I was not aware you could manually define the routing that packets would follow (without configuring the routers). Or do you mean I would just choose to spoof an IP that is downstream from me, so that I am sure the traffic will pass me by on its way to the host? Wouldn't dynamic RIP make the route the traffic will take dynamic? How can I possibly be sure that I will be midstream during the session?
There are a lot of ways that you can get traffic to be routed through your host. Forging ARP packets comes to mind; ICMP redirects and the source route option are among many ways to force traffic to be routed through your computer. There are also numerous ways to trick insecure gateways and routers. I suggest you pick up a copy of TCP/IP Illustrated Vol 1 by Richard Stevens to learn more about networks and install the libnet library. TCP/IP Illustrated is the bible.

John Fastabend
Computer Engineering Major
University of Portland
Todd Lehmann
Systems Analyst I
VPN Subject Matter Expert

-----Original Message-----
From: simsjs [mailto:sims () interex org]
Sent: Friday, November 22, 2002 9:23 AM
To: LEHMANN, TODD; security-basics
Subject: Re: IP Session Hijacking And Spoofing

With IP Spoofing there is no need to guess the sequence number since there is no session currently open with that IP address. The way that the traffic would get back to you is by using source routing. This is where you tell the network how to route the output and input from a session, then you simply sniff it from the network as it passes by you. But you have to make sure you put in a route that will both reach its destination and pass through your own network.

As far as guessing the sequence numbering for session hijacking, I really have no idea, but there are programs that will attempt to guess these for you. The one I am thinking of (whose name escapes me at the time) will allow you to watch a session, reset a session, or hijack it.

Hope some of this helps.

Jeff

*********** REPLY SEPARATOR ***********

On 11/19/2002 at 11:33 AM LEHMANN, TODD wrote:

I have read some documentation on IP Spoofing, and from what I have read, it sounds like you must determine the sequence number of the host before you can spoof. However, I don't understand why you would have to determine the sequence if you are creating a new session with the host under a false IP. Wouldn't the creation of the new TCP session negotiate the sequence number at that time? I also failed to understand how the traffic gets back to you if you are telling it to respond to another host. Can someone shine some light on this for me?

When it comes to session hijacking, how does one go about determining the sequence number on a host that uses a random number seed to create the sequence? Is it some form of complex algorithms or is it just impossible unless you create the session?

Todd Lehmann
Systems Analyst I
VPN Subject Matter Expert