IP Spoofing to bypass a Router/Firewall???

  1. #1
    Member
    Join Date
    Apr 2002
    Posts
    52

    IP Spoofing to bypass a Router/Firewall???

    Okay so I've been running some remote tests on my girlfriend's dad's server and his XP box is vulnerable to a major exploit, resulting in remote shell access by the attacker. It's easy enough from inside the network but he thinks his router/firewall (linksys) is enough to keep his server safe. He wants me to try and attack it from outside.

    The firewall filters all incoming traffic and only allows access to certain ports. My idea is that if I can use IP spoofing to trick the router into thinking the exploit traffic is coming from the server itself, it will let it through and open the shell to my comp, from behind the firewall.

    STEP 1:
    [Attacker] send: *exploit w/ spoofed IP*----> (INTERNET) ----> [Firewall] ----> [Target]

    STEP 2:
    [Target] send: *remote shell* --> [Firewall] ----> (INTERNET) ----> [Attacker]

    STEP 3:
    [Target] <-- *remote connection* --> [Target]

    I am not very familiar with packet spoofing. Is what I am proposing possible or is there an easier way to go about this?

    If so, how would I accomplish it? In the meantime I will read up some more on IP spoofing.


    Any help or info would be appreciated!!!!!

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Since the exploit won't be transmitted until after the 3-way handshake how will you know that the handshake has taken place and how will you know if any of the subsequent packets are received?

    That's the problem with spoofing over TCP/IP or any other protocol.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member
    Join Date
    Apr 2004
    Posts
    228
    If the firewall is set to block this kind of traffic, won't it do it all automatically?

    I thought that if you set the firewall to block all the traffic on the port, it won't matter which computer it comes from. I could be wrong.
    Don't post if you've got nothing constructive to say. Flooding is annoying

  4. #4
    Member
    Join Date
    Apr 2002
    Posts
    52
    Originally posted here by Tiger Shark
    Since the exploit won't be transmitted until after the 3-way handshake...
    Hmmn... that's right, I didn't think about that. So is there an alternative technique or a better way to get to a blocked port behind a firewall?

  5. #5
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    have him open an e-mail attachment
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  6. #6
    Member
    Join Date
    Apr 2002
    Posts
    52
    I'm looking for something less conspicuous than a trojaned e-mail.

    So am I correct in assuming that the only way to exploit that particular vulnerability is to:

    A) Hack the router
    B) Attack from within the network

    Meaning, it is impossible to do remotely over TCP/IP?


  7. #7
    Banned
    Join Date
    Aug 2004
    Posts
    534
    ARP cache poisoning ... if the router supports it

  8. #8
    Member
    Join Date
    Apr 2002
    Posts
    52
    Hmmn.. I don't know much about ARP poisoning.. the only thing I've read about it was an example from within the network. Could someone maybe post some resources on it? I'll see what I can find myself.

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    You could do it if you could predict the ISN of a given new connection, and then properly forge the appropriate SNs in each packet, but good luck doing that, most modern stacks guard against ISN guessing by using random ISN generation. Now, that's not to say it's impossible, it's just hard to do is all.
    Tiger is mistaken in his statement -- specifically the "any other protocol" portion; If it were a UDP based service you were exploiting, it becomes another thing entirely from TCP. Unlike TCP, UDP has no sequence numbers to have to guess, and no handshaking, so really forging the IP (which involves a separate layer) is basically all that is required.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
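The points made in posts #2, #3 and #9 can be checked against a toy model. The following is an added illustration written for this thread, not code from any poster: every address, port, class and value in it is constructed. It models a border filter that forwards only allowed ports and, when ingress filtering is on, drops any inbound packet claiming an inside source address; a TCP endpoint that picks a random ISN and accepts data only after a completed handshake; and a UDP endpoint that has no handshake at all. Running it shows that a packet forged with an inside source never reaches the server when ingress filtering is on, that even without that filter the blind sender never sees the SYN-ACK (it is routed to the forged address on the LAN) and so cannot complete the handshake, and that the same forgery against a UDP service is delivered.

```python
"""Toy model of forging an inside source address at a border router.

Added illustration for this thread, not code from any poster; every address,
class and value here is constructed. It shows three things the replies state:
ingress filtering drops inbound packets with an inside source regardless of
port (post #3); a blind TCP spoofer never sees the SYN-ACK carrying the
server's random ISN, so the handshake cannot complete (posts #2 and #9);
UDP has no handshake, so the same forgery is delivered (post #9).
"""
import ipaddress
import secrets
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("192.168.1.0/24")      # constructed LAN
SERVER, SPOOFED_SRC = "192.168.1.10", "192.168.1.20"  # inside hosts
ATTACKER = "203.0.113.7"                              # outside, RFC 5737 range
ALLOWED_PORTS = {80}                                  # ports the router forwards
SERVICE_PORT = 4444                                   # blocked port, constructed
M32 = 2 ** 32

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    flags: str = ""     # "SYN", "SYN-ACK", "ACK", "PSH-ACK"
    seq: int = 0
    ack: int = 0
    payload: bytes = b""

class BorderFilter:
    """Port filter plus optional BCP 38 ingress filtering. With ingress=False
    it trusts anything claiming an inside source, the behaviour post #1 hopes for."""
    def __init__(self, ingress=True):
        self.ingress, self.dropped, self.forwarded = ingress, [], []

    def inbound(self, pkt):
        src_inside = ipaddress.ip_address(pkt.src) in INSIDE
        if src_inside and self.ingress:                  # forged inside source
            self.dropped.append("ingress")
        elif not src_inside and pkt.dport not in ALLOWED_PORTS:
            self.dropped.append("port")
        else:
            self.forwarded.append(pkt)
            return pkt
        return None

class TcpEndpoint:
    """Toy server: random ISN, three-way handshake, data only once established."""
    def __init__(self, addr):
        self.addr, self.isn, self.established, self.delivered = addr, {}, set(), []

    def receive(self, pkt):
        if pkt.flags == "SYN":
            self.isn[pkt.src] = secrets.randbelow(M32)     # unpredictable ISN
            return Packet(self.addr, pkt.src, 0, "tcp", "SYN-ACK",
                          seq=self.isn[pkt.src], ack=(pkt.seq + 1) % M32)
        expected = (self.isn[pkt.src] + 1) % M32 if pkt.src in self.isn else None
        if pkt.flags == "ACK" and pkt.ack == expected:
            self.established.add(pkt.src)
        elif pkt.flags == "PSH-ACK" and pkt.src in self.established:
            self.delivered.append(pkt.payload)
        return None

class UdpEndpoint:
    """Toy UDP service: no handshake, every datagram is delivered."""
    def __init__(self):
        self.delivered = []

    def receive(self, pkt):
        self.delivered.append(pkt.payload)

def attempt(proto, src, ingress=True, dport=SERVICE_PORT):
    """Send from outside with source address `src`; report what happened."""
    fw, tcp, udp = BorderFilter(ingress), TcpEndpoint(SERVER), UdpEndpoint()
    replies, payload = [], b"constructed payload"

    def send(pkt):
        fwd = fw.inbound(pkt)
        reply = (tcp if pkt.proto == "tcp" else udp).receive(fwd) if fwd is not None else None
        # Replies route by destination: a SYN-ACK to 192.168.1.20 stays on the LAN.
        if reply is not None and reply.dst == ATTACKER:
            replies.append(reply)

    if proto == "udp":
        send(Packet(src, SERVER, dport, "udp", payload=payload))
    else:
        send(Packet(src, SERVER, dport, "tcp", "SYN", seq=1000))
        # Real ISN if a SYN-ACK came back; otherwise the sender is blind and
        # can only guess a 32-bit value (success chance about 1 in 4 billion).
        isn = replies[0].seq if replies else secrets.randbelow(M32)
        send(Packet(src, SERVER, dport, "tcp", "ACK", seq=1001, ack=(isn + 1) % M32))
        send(Packet(src, SERVER, dport, "tcp", "PSH-ACK", seq=1001,
                    ack=(isn + 1) % M32, payload=payload))
    return {"reached_server": len(fw.forwarded), "dropped_for": fw.dropped,
            "reply_seen": bool(replies),
            "payload_delivered": payload in tcp.delivered + udp.delivered}
```

Calling `attempt("tcp", SPOOFED_SRC)` with the default ingress filter drops all three segments at the border; `attempt("tcp", SPOOFED_SRC, ingress=False)` lets them through, but the result still shows `reply_seen` false and nothing delivered, which is the handshake problem post #2 raises. `attempt("udp", SPOOFED_SRC, ingress=False)` delivers the datagram, which is post #9's UDP caveat and the reason ingress filtering at the router matters independently of port rules. A genuine connection from the outside address to an allowed port, `attempt("tcp", ATTACKER, dport=80)`, completes normally, so the model is not simply refusing everything.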

  10. #10
    Member
    Join Date
    Apr 2002
    Posts
    52
    I see what you are saying... That's ridiculously impractical for what I am trying to accomplish but very interesting. When I realized the problem with the TCP handshake I figured UDP wouldn't have the same problem, but I was hoping there was a better way around a TCP filtering firewall.

    Thanks guys
