December 28th, 2004, 10:26 PM
IP Spoofing to bypass a Router/Firewall???
Okay so I've been running some remote tests on my girlfriend's dad's server and his XP box is vulnerable to a major exploit, resulting in remote shell access by the attacker. It's easy enough from inside the network but he thinks his router/firewall (linksys) is enough to keep his server safe. He wants me to try and attack it from outside.
The firewall filters all incoming traffic and only allows access to certain ports. My idea is that if I can use IP spoofing to trick the router into thinking the exploit traffic is coming from the server itself, it will let it through and open the shell to my comp, from behind the firewall.
[Attacker] sends: *exploit w/ spoofed IP* ----> (INTERNET) ----> [Firewall] ----> [Target]
[Target] sends: *remote shell* --> [Firewall] ----> (INTERNET) ----> [Attacker]
[Target] <-- *remote connection* --> [Target]
I am not very familiar with packet spoofing. Is what I am proposing possible or is there an easier way to go about this?
If so, how would I accomplish it? In the meantime I will read up some more on IP spoofing.
Any help or info would be appreciated!!!!!
December 28th, 2004, 10:31 PM
Since the exploit won't be transmitted until after the 3-way handshake how will you know that the handshake has taken place and how will you know if any of the subsequent packets are received?
That's the problem with spoofing over TCP/IP or any other protocol.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
December 28th, 2004, 11:42 PM
If the firewall is set to block this kind of traffic, won't it do it all automatically?
I thought that if you set the firewall to block all the traffic on the port, it won't matter which computer it comes from. I could be wrong.
Don't post if you've got nothing constructive to say. Flooding is annoying
December 29th, 2004, 12:49 AM
Hmmn... that's right, I didn't think about that. So is there an alternative technique or a better way to get to a blocked port behind a firewall?
Originally posted here by Tiger Shark
Since the exploit won't be transmitted until after the 3-way handshake...
December 29th, 2004, 01:20 AM
have him open an e-mail attachment
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
December 29th, 2004, 02:48 AM
I'm looking for something less conspicuous than a trojaned e-mail.
So am I correct in assuming that the only way to exploit that particular vulnerability is to:
A) Hack the router
B) Attack from within the network
Meaning, it is impossible to do remotely over TCP/IP?
December 29th, 2004, 02:49 AM
ARP cache poisoning ... if the router supports it
December 29th, 2004, 02:56 AM
Hmmn.. I don't know much about ARP poisoning.. the only thing I've read about it was an example from within the network. Could someone maybe post some resources on it? I'll see what I can find myself.
December 29th, 2004, 06:45 AM
You could do it if you could predict the ISN of a given new connection, and then properly forge the appropriate SNs in each packet, but good luck doing that; most modern stacks guard against ISN guessing by using random ISN generation. Now, that's not to say it's impossible, it's just hard to do is all.
Tiger is mistaken in his statement -- specifically the "any other protocol" portion: if it were a UDP based service you were exploiting, it becomes another thing entirely from TCP. Unlike TCP, UDP has no sequence numbers to have to guess, and no handshaking, so really forging the IP (which involves a separate layer) is basically all that is required.
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
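An added illustration (a Python model written for this page, not code from anyone in the thread) of the two checks the replies above describe: an RFC 2827-style anti-spoofing rule on the router drops a WAN packet that claims the server's own LAN address before it is forwarded at all, and even without that rule a blind sender never receives the SYN-ACK, so it cannot supply the random ISN the stack requires to complete the handshake. Addresses, ports and the packet layout are constructed for the example.

```python
import ipaddress
import secrets

# Constructed (not from the thread): LAN behind the router, server, forwarded ports.
LAN = ipaddress.ip_network("192.168.1.0/24")
SERVER = "192.168.1.10"
FORWARDED_PORTS = {80}


def ingress_filter(pkt, iface):
    """Router policy for an arriving packet: RFC 2827-style anti-spoofing (a LAN
    source address arriving on the WAN side is dropped) plus the port allowlist.
    Returns None when the packet is forwarded, otherwise the drop reason."""
    if iface == "wan" and ipaddress.ip_address(pkt["src"]) in LAN:
        return "spoofed: LAN source address arriving on WAN interface"
    if pkt["dport"] not in FORWARDED_PORTS:
        return "port not forwarded"
    return None


class TcpListener:
    """Minimal model of a listening TCP socket that picks unpredictable ISNs."""
    def __init__(self):
        self.half_open = {}      # (src, sport) -> our ISN, awaiting the final ACK
        self.established = set()

    def receive(self, pkt):
        key = (pkt["src"], pkt["sport"])
        if pkt["flags"] == "SYN":
            isn = secrets.randbelow(2 ** 32)
            self.half_open[key] = isn
            # The SYN-ACK is addressed to pkt["src"], whoever really sent the SYN.
            return {"dst": pkt["src"], "flags": "SYN-ACK", "seq": isn, "ack": pkt["seq"] + 1}
        if pkt["flags"] == "ACK" and key in self.half_open:
            if pkt["ack"] == (self.half_open[key] + 1) % 2 ** 32:
                self.established.add(key)
                del self.half_open[key]
                return {"dst": pkt["src"], "flags": "ESTABLISHED"}
        return None              # wrong ack number or no matching SYN: dropped


def handshake(listener, src, isn_guess=None):
    """Complete a handshake as `src`. A real client reads the ISN from the SYN-ACK;
    a blind spoofer never receives it (it went to the spoofed address) and must guess."""
    syn = {"src": src, "sport": 40000, "dport": 80, "flags": "SYN", "seq": 1}
    syn_ack = listener.receive(syn)
    isn = syn_ack["seq"] if isn_guess is None else isn_guess
    ack = {**syn, "flags": "ACK", "seq": 2, "ack": (isn + 1) % 2 ** 32}
    return listener.receive(ack) is not None
```

The spoofed case succeeds only if the 32-bit guess happens to equal the random ISN, which is the point the reply above makes about modern stacks.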
December 29th, 2004, 07:00 PM
I see what you are saying... That's ridiculously impractical for what I am trying to accomplish but very interesting. When I realized the problem with the TCP handshake I figured UDP wouldn't have the same problem, but I was hoping there was a better way around a TCP filtering firewall.