Full Disclosure mailing list archives
Re: info on ip spoofing please
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 11 Apr 2006 21:23:47 +0000
On Tue, 2006-04-11 at 21:54 +0100, Ian stuart Turnbull wrote:
Excellent response Brendon. Thanks heaps. I was reading the infamous Markoff / Tsutomu Shimomura attack at http://www.totse.com/en/hack/hack_attack/hacker03.html and I guess I assumed that as they did not know each other personally then Markoff must have found a way to locate 2 computers conversing with each other randomly? Perhaps this assumption was not correct? Though from the test it appears Markoff DID find a way of doing this - ie, finding 2 computers talking to each other NOT on his own LAN / network???
The attack you are referring to is known as an TCP sequence prediction
attack. This sort of attack is not realistic with modern operating
system and TCP/IP stacks because they are careful to prevent predictable
TCP sequence numbers.
If you are curious how easy or hard a sequence attack against a machine
is, using Nmap with -O and -v you can have Nmap check the sequence
numbers and categorize them to some extent.
The output of a Windows XP machine (with either MS05-019 or SP2) looks
something like:
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Incremental
Conversely, the Windows 98 stack has a difficulty of 1 (by Nmap
standards) which would make a sequence attack very possible.
Reasonable ingress and egress filtering coupled with modern TCP/IP
stacks makes sequence prediction attacks totally infeasible.
Brandon
--
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh () ucsd edu
From: Brandon Enright <bmenrigh () ucsd edu> On Tue, 2006-04-11 at 20:37 +0100, Ian stuart Turnbull wrote:Hello all, Athttp://www.iss.net/security_center/advice/Underground/Hacking/Methods/Technical/Spoofing/default.htmwas this comment :- QUOTE " Examples of spoofing: man-in-the-middle packet sniffs on link between the two end points, and can thereforepretendto be one end of the connection " My question is How can you sniff packets on a link that your machine isNOTon ie NOT on the same subnet?? Why am I at a loss to understand this. Is there a command/software that allows one to say: sniff packets on port x of IP xxx.xxx.xxx.xxx ? Please put me out of my agony on this. Thanks for any info you can give. Ian tIn general you can not arbitrarily monitor the traffic of any random host. If the host you are trying to attack is not relatively local there is little to no chance you'll be able to sniff the traffic. For more local hosts though, if you can directly influence the network devices separating you from your victim there is a chance you will be able to redirect traffic for an attack. The two more common methods for performing MITM attacks are ARP spoofing and Spanning Tree spoofing. Several tools can perform ARP poisoning (ettercap comes to mind). There is an excellent overview of attacks with Spanning Tree in Cisco's _Network Security Architectures_ (ISBN: 1-58705-115-X). If you goal isn't to modify the stream for a MITM attack but just watch the traffic, CAM table flooding can reduce the switch/vLAN to the behavior of a hub. For a discussion of all of these attacks see http://www.rootsecure.net/content/downloads/pdf/layer2sniffing.pdf All that being said, it still may not be possible to manipulate the network in any useful way. Cisco and other vendors have mechanisms that can be turned on for most of their devices that detect and prevent many or all of the above attacks. For those with Cisco devices looking to protect against said attacks, limiting the number of MACs per port and turning on BPDU Guard (http://www.cisco.com/warp/public/473/65.html) is typically all that needs to be done. Regards, Brandon -- Brandon Enright Network Security Analyst UCSD ACS/Network Operations bmenrigh () ucsd edu
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- info on ip spoofing please Ian stuart Turnbull (Apr 11)
- Re: info on ip spoofing please Michael Holstein (Apr 11)
- Re: info on ip spoofing please Brian Eaton (Apr 11)
- Re: info on ip spoofing please Ian stuart Turnbull (Apr 11)
- Re: info on ip spoofing please Brian Eaton (Apr 11)
- Re: info on ip spoofing please Brian Eaton (Apr 11)
- Re: info on ip spoofing please Michael Holstein (Apr 11)
- Re: info on ip spoofing please Brandon Enright (Apr 11)
- Re: info on ip spoofing please Ian stuart Turnbull (Apr 11)
- Re: info on ip spoofing please Valdis . Kletnieks (Apr 11)
- Re: info on ip spoofing please Ian stuart Turnbull (Apr 11)
- Re: info on ip spoofing please Brandon Enright (Apr 11)
- Re: info on ip spoofing please Ian stuart Turnbull (Apr 11)
- Re: info on ip spoofing please Ian stuart Turnbull (Apr 11)
- <Possible follow-ups>
- RE: info on ip spoofing please Neil Davis (Apr 12)
- RE: RE: info on ip spoofing please Ian stuart Turnbull (Apr 12)
- RE: RE: info on ip spoofing please Arley Barros Leal (Apr 12)
- RE: RE: info on ip spoofing please Ian stuart Turnbull (Apr 12)