Network Security Misconceptions: Chapter 1: IP Spoofing

  1. #1

    Network Security Misconceptions: Chapter 1: IP Spoofing

    During the last few weeks of us chatting on irc.antionline.com, in #Antionline, there has been a lot of "debate" about IP Spoofing in today's Internet. Some less intelligent people boast about having "Spoofers" for mIRC and Windows in general, while other seasoned vets sit back and laugh at their expense.
    So, tonight, I'm going to set the record straight in the first of a series of posts in which I plan on disproving common Internet misconceptions.
    To begin, for those who are new to this, "Spoofing" is the slang term given to the technique of changing one's IP to another IP to "make believe" they are from a system they are not on.
    This all started way back, probably in the early '90s, which was when it was big, when a vulnerable name service daemon was released on UNIX systems. With this version of BIND, it was possible to inject code into the memory space of a running name server with a fake authoritative record and PTR record of a fake domain, so that when a connection was made from this server, the fake IP would show up on the destination system upon a query of the vulnerable nameserver. This was the most popular method of "spoofing".
    You can't do it anymore.
    The problem was fixed with later releases of the name server software. You also had to have root (super user) access to run the exploit code, and with all that, you ALSO had to be using a name server that had authoritative access AND control over the reverse resolution of their domain names.
    The second most reliable method that people used to use was that of TCP Sequence number prediction. Every TCP connection makes a 3 way handshake when making the connection.
    First, a SYN (synchronous) packet is sent from your machine to the destination, requesting a connection. Second, a SYN/ACK (acknowledgment) packet is sent from that system to yours, requesting a connection and acknowledging your attempt at a connection. Last, your machine returns an ACK packet to complete the connection between the machines.
    The way this was exploited was when a user, prior to attempting the connection, would scan the system and, from the results of the scan, would know the sequence numbers that are used during a TCP connection. With this knowledge, a "spoofer" would then forge the source IP of the TCP SYN packet and send it to the destination. Upon receipt of this forged packet, the destination would send its reply to the "fake" address. Thus you would think that the connection couldn't be established because it didn't receive that SYN/ACK packet, but, because of the prior scan, we could "guess" or predict what that packet's information was going to be, and thus complete the connection on our own with the "fake" address, even though we didn't get that SYN/ACK packet back and it's lost in space somewhere.
    So, basically, both of those methods are non-practiced because either they are no longer vulnerable, or measures have been taken to make them more difficult to obtain.
    So, hopefully that clears up a little of the misconception: *most people* CANNOT IP spoof anymore.


    jparker();


    If you have any questions, or want to continue this discussion, reach me and others like me, on irc.antionline.com, #Antionline, or e-mail me at: jparker@o-negative.net
    Jason Parker - http://www.o-negative.net
    o-Negative: Information Network
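The three-way handshake and the sequence-number guess described in the post above, as a small simulation added here (constructed example, not code from the original thread or from the poster). It models a server that only completes a handshake when the final ACK carries its own ISN + 1, and compares two ISN generators: an old-style incrementing one, where the attacker's own two connections reveal the step, and an RFC 6528-style one, where the ISN is a clock plus a keyed hash of the connection 4-tuple, so ISNs seen from the attacker's address say nothing about the ISN chosen for a different claimed source. It also models Terr's point from reply #2: if the impersonated host is online, it answers the unexpected SYN/ACK with a RST and the half-open entry dies. All addresses, ports and the secret are constructed values.

```python
"""Simulation of blind TCP handshake completion against predictable vs
RFC 6528-style initial sequence numbers. Constructed example; no packets
are sent. Addresses, ports and the secret are made up."""
import hashlib
import hmac

MASK = 0xFFFFFFFF
ATTACKER = "10.0.0.9"      # constructed: where the probes really come from
TRUSTED = "192.0.2.10"     # constructed: host whose address is claimed
SERVER = "192.0.2.1"       # constructed: target running a trusting service


class IncrementingISN:
    """Old-style generator: each new connection gets ISN + fixed step, so
    two observed ISNs are enough to compute the next one."""
    def __init__(self, start=1000, step=64000):
        self.next_isn, self.step = start, step

    def isn(self, src_ip, src_port, dst_ip, dst_port):
        value = self.next_isn
        self.next_isn = (self.next_isn + self.step) & MASK
        return value


class KeyedHashISN:
    """RFC 6528 style: ISN = clock + F(src, sport, dst, dport, secret).
    The offset depends on the claimed source address, so ISNs observed
    on the attacker's own connections do not carry over."""
    def __init__(self, secret=b"constructed-secret"):
        self.secret, self.ticks = secret, 0

    def isn(self, src_ip, src_port, dst_ip, dst_port):
        self.ticks = (self.ticks + 250_000) & MASK   # ~1 s of 4 us ticks
        tuple4 = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode()
        digest = hmac.new(self.secret, tuple4, hashlib.sha256).digest()
        return (self.ticks + int.from_bytes(digest[:4], "big")) & MASK


class Server:
    """Minimal listener: SYN creates a half-open entry, ACK with isn+1
    promotes it to established."""
    def __init__(self, ip, gen):
        self.ip, self.gen = ip, gen
        self.pending, self.established = {}, []

    def syn(self, src_ip, src_port, dst_port=513):
        isn = self.gen.isn(src_ip, src_port, self.ip, dst_port)
        self.pending[(src_ip, src_port)] = isn   # SYN/ACK goes to src_ip

    def ack(self, src_ip, src_port, ack_num):
        isn = self.pending.pop((src_ip, src_port), None)
        if isn is not None and ack_num == (isn + 1) & MASK:
            self.established.append((src_ip, src_port))
            return True
        return False


def route_syn_ack(server, claimed_src, src_port, actual_sender, live_hosts):
    """Network step: the SYN/ACK is routed to the claimed source. The real
    sender only sees it if it used its own address; a live host that never
    sent the SYN answers RST, which clears the half-open entry."""
    if claimed_src == actual_sender:
        return server.pending[(claimed_src, src_port)]
    if claimed_src in live_hosts:
        server.pending.pop((claimed_src, src_port), None)   # RST from real host
    return None   # otherwise the SYN/ACK is simply lost


def blind_handshake(gen, trusted_online):
    """Return True if a forged-source handshake completes against a
    server using generator `gen`."""
    server = Server(SERVER, gen)
    live = {ATTACKER, TRUSTED} if trusted_online else {ATTACKER}
    # 1. the "scan": two ordinary connections from the attacker's own
    #    address reveal two consecutive ISNs and the apparent step
    seen = []
    for port in (40000, 40001):
        server.syn(ATTACKER, port)
        isn = route_syn_ack(server, ATTACKER, port, ATTACKER, live)
        server.ack(ATTACKER, port, (isn + 1) & MASK)
        seen.append(isn)
    predicted = (seen[1] + ((seen[1] - seen[0]) & MASK)) & MASK
    # 2. SYN with the trusted host's address as source; its SYN/ACK is
    #    never seen by the sender
    server.syn(TRUSTED, 1023)
    route_syn_ack(server, TRUSTED, 1023, ATTACKER, live)
    # 3. blind ACK using the guessed ISN
    return server.ack(TRUSTED, 1023, (predicted + 1) & MASK)


if __name__ == "__main__":
    print("incrementing ISN, trusted host offline:",
          blind_handshake(IncrementingISN(), trusted_online=False))
    print("incrementing ISN, trusted host online: ",
          blind_handshake(IncrementingISN(), trusted_online=True))
    print("keyed-hash ISN, trusted host offline:  ",
          blind_handshake(KeyedHashISN(), trusted_online=False))
```

The two defences the thread mentions show up as two separate conditions in the simulation: the guess only works when the generator is linear, and even then only while the impersonated host cannot answer. Modern stacks implement the keyed-hash scheme, which is why the post's "most people cannot spoof anymore" holds for connection-oriented spoofing.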

  2. #2
    Terr (Old-Fogey:Addicts founder)
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007
    Didn't Kevin Mitnick use the second method? I'm still not exactly clear on what happened to him or what he was accused of, but don't bother enlightening me, it's old news now :P

    Don't forget, in Syn/Ack spoofing, the attacker would also (preferably, although they could also just get their reply in faster) have to suppress the *real* reply from the machine they were attempting to spoof. (Either by making sure that machine was offline temporarily, or using a DOS attack, etc.)
    [HvC]Terr: L33T Technical Proficiency

  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    138
    If I remember correctly, Mitnick used the second method and then flooded the computer he was masked as with SYN packets as a DoS to keep it from responding to the SYN/ACK packet, then used the good ol' .rlogin + + thingie... but that is just a little info out of memory... it could be wrong...

  4. #4
    Either method that was used.. both are trackable, and both are unexploitable methods of attack in this day and age.. Remember, the Mitnick thing was about 4 years ago.
    Jason Parker - http://www.o-negative.net
    o-Negative: Information Network

  5. #5
    Member
    Join Date
    Sep 2001
    Location
    Belgium
    Posts
    95

    spoofing

    According to a pal of mine, it is very possible to spoof when you telnet in on an old WinGate server and then telnet back out. If done on the right version and port, you'd telnet out under the WG server's IP. What's even more, the versions of WinGate supporting this spoof don't even log who's telnetting in and out; this would be because the system's not meant for these actions. Is my info very wrong, or could this be true?

    Enlighten me!

    Grtz,

  6. #6
    Senior Member
    Join Date
    Sep 2001
    Posts
    138


    well...the wingate thing is actually not a Spoof, it is more of a "mask" if you will...you are telnetting into a computer that has a service running, which in turn lets you telnet, so it "appears" that your IP address is "spoofed" but actually it is not, it is merely a system of "forwards". The wingate "spoof" is a VERY simple thing, and basically does the same as telnetting into a *nix box, and then telnetting out. And just as a side note, some wingate boxes run fingerd, so you are in turn trackable, because if someone does a null finger, you will show on the connected log... Just a little useless info.

    Also another note. one of the *good* reasons to spoof IPs was to imitate a trusted host, last time I checked 99.99999% of computers one would want to do this to do not run wingates on the trusted host...just another simple thought...
    http://www25.brinkster.com/cheeseball

    -- Do not dwell in the past, do not dream of the future, concentrate the mind on the present moment--

  7. #7
    Uhm.. and like what was discussed on irc.antionline.com in #Antionline, WinGates are nowhere NEAR spoofing. It's not spoofing of any kind. It's called TCP Piping. Pushing one connection from point B to point C without point C knowing you're coming from point A.

    Like this.. A --> B --> C..

    There are always logs, there is always a router log, you will be caught, no more spoofing, end of topic. :-/ Sheesh..
    Jason Parker - http://www.o-negative.net
    o-Negative: Information Network
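The A --> B --> C relay and the "there are always logs" point, as an added example of how an investigator on B would attribute a connection seen at C (constructed example, not code from the original thread or from WinGate). It assumes the relay host B writes one line per accepted inbound connection and one per outbound connection it opens, in the constructed format below; given the relay's source port and the destination that C reported, it finds the outbound entry and pairs it with the nearest preceding inbound accept inside a short time window. The log lines, addresses, ports and the log format are all constructed.

```python
"""Attribute a connection observed at C back through relay B to the
original client A, using B's own connection log. Constructed example;
the log format and all addresses are made up."""
import re
from datetime import datetime, timedelta

# Constructed relay log: "accept" = inbound client session on the relay's
# telnet proxy port, "connect" = outbound session the relay opened for it.
RELAY_LOG = """\
2001-09-20 22:14:03 accept 10.0.0.9:40512 -> 192.0.2.5:23
2001-09-20 22:14:05 connect 192.0.2.5:1044 -> 203.0.113.7:23
2001-09-20 22:14:40 accept 10.0.0.22:51001 -> 192.0.2.5:23
2001-09-20 22:14:41 connect 192.0.2.5:1045 -> 198.51.100.3:23
2001-09-20 22:20:10 accept 10.0.0.9:40600 -> 192.0.2.5:23
2001-09-20 22:20:12 connect 192.0.2.5:1046 -> 203.0.113.7:23
"""

LINE = re.compile(r"^(\S+ \S+) (accept|connect) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_relay_log(text):
    """Parse the constructed log format into dicts; unknown lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "kind": m.group(2),
            "src": m.group(3), "sport": int(m.group(4)),
            "dst": m.group(5), "dport": int(m.group(6)),
        })
    return entries


def attribute(log_text, relay_ip, relay_port, dest_ip,
              window=timedelta(seconds=30)):
    """Given what C saw (relay_ip:relay_port connecting to dest_ip), return
    the original client as "ip:port", or None if B's log cannot explain it.

    Pairing rule: the inbound accept closest before the outbound connect,
    within `window`. Ephemeral ports recycle, so on a busy relay the
    outbound match should additionally be bounded by the time C reported.
    """
    entries = parse_relay_log(log_text)
    outbound = [e for e in entries
                if e["kind"] == "connect" and e["src"] == relay_ip
                and e["sport"] == relay_port and e["dst"] == dest_ip]
    if not outbound:
        return None
    out = outbound[-1]
    candidates = [e for e in entries
                  if e["kind"] == "accept" and e["dst"] == relay_ip
                  and e["ts"] <= out["ts"] and out["ts"] - e["ts"] <= window]
    if not candidates:
        return None
    origin = max(candidates, key=lambda e: e["ts"])
    return f"{origin['src']}:{origin['sport']}"


if __name__ == "__main__":
    for port in (1044, 1045, 1046, 9999):
        print(port, "->", attribute(RELAY_LOG, "192.0.2.5", port, "203.0.113.7"
                                    if port != 1045 else "198.51.100.3"))
```

Even where the relay application itself keeps no session log (the claim in reply #5), the same pairing can be done from a router, firewall or netflow record on B's network segment, which is the "router log" the reply above refers to; the only requirement is a timestamped record of inbound and outbound connections on the pivot.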

  8. #8
    Senior Member
    Join Date
    Sep 2001
    Posts
    138
    I wouldn't say NO spoofing....all it would take would be a way to guess pseudorandom numbers, which would be trivial if one could do quantum predictions... I know I know I know...theory, theory, theory...but then again...when this becomes relevant I guess we will ALL have lots of trouble anyway, because that would also mean that most likely large numbers could be factored, and then, this is probably a while down the road...

    Just a thought...

  9. #9
    Uhm.. ya.. can do all that, and then apply it to cracking the algorithm of TCP Sequence number creation, give me a call. As a matter of fact, post the code snippet of the algorithm in use.. otherwise, no spoofing.
    Jason Parker - http://www.o-negative.net
    o-Negative: Information Network

  10. #10
    Senior Member
    Join Date
    Sep 2001
    Posts
    138
    well..some pseudo-random number generators are "exploitable", what I am talking about is they use some type of guessable algorithm to generate a number that is not exactly random, but appears so if you do not know the method used. If a TCP package on an OS used something of this nature one could technically *guess* the next sequence number to be generated. I am not saying I can do it..just that IP spoofing is not 100% impossible...
