Question about IP spoofing?
Results 1 to 10 of 10

Thread: Question about IP spoofing?

  1. #1
    Senior Member HackerzMaster's Avatar
    Join Date
    Feb 2006
    Posts
    114

    Question about IP spoofing?

    Hi, I heard alot about IP spoofing, and sometimes used it, but i want to know how it really works, does it just change the source IP in all the packets sent, but how can the reply packets come back to you? does it involve kinda hack/trick?
    Details plz.

    --thanks
    The second step on the way to become a hacker is to run GNU/Linux. (first step is to buy a computer)
    My old skewl http://www.skoz.nl/spelevaert/

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    The packets won't come back to you... they will be routed appropriately.

    But there are ways you can use that like "idle hosting". When you spoof the IP to the idle host you can then check that host to see if it received any packets thus allowing you to scan a third party without giving away your IP.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Senior Member Opus00's Avatar
    Join Date
    May 2005
    Posts
    144
    My slant on this is most people misunderstand this vulnerability/attack because of the name. Most assume you spoof and your computer assumes the identity of the remote computer (A). In reality it is a hijack.

    You are guessing or predicting the sequence number of the host(A) that established (SYN) connection with another host(B) and hijacking that session by sending the returning sequence number(SYN/ACK), the key is to DoS host A so it can not respond with the SYN/ACK to host B before you can. The attack is only good for that single session and allows you to inject a packets (could contain a command that executes something).

    Once the remote host(B) replies(which is sent to host A) to the packet with and ACK or what not, which goes to host A not your computer, you are unable to respond and the connection is eventually reset.

    This scenario is mainly if the remote computer is on the same subnet as you and you are able to sniff/capture some of the packets to start the spoofing predictions. There are ways to do it across the internet which is more difficult but not totally impossible.

    In a nutshell

    [edit]

    sorry for the double post, the second has been removed, not sure how it happend. I think it happens if I wait to long after typing response and hitting "post"

    [/edit]
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.

  5. #5
    Banned
    Join Date
    Jan 2006
    Posts
    128
    Packets have headers which contain information about the packet, what information is contained depends on what kind of packet it is. I assume you want to know about spoofing IP packets as opposed to ethernet but the principle is the same, just at a different layer.

    Within an IPv4 header two of the fields are source address and destination address, which hold the source from which the packet oriented and the destination the packet is traveling to respectively. Now to spoof a packet you would need to modify the source address and as you point out this would mean that the server you are communicating with would always reply to the spoofed address and you would not receive any of the replies. Therefore spoofing IP address for a connection oriented protocol such as tcp would mean you could not establish a connection to a server - so you couldnt do things like browse the web using a spoofed address. - you could do things like launch a SYN flood attack on a webserver since this would not require a connection to be established.

    Other protocols such as UDP are connectionless and do not receive acknowledgements from the server that they connect to - thus spoofing an ip address under these circumstances is not really an issue and you can never garauntee that UDP packets or packets from any other other connectionless protocol are not spoofed.

    I can think of a few ways round th issue of not being able to establish a connection with a spoofed IP address but they would be a bit tricky to implement.

  6. #6
    Banned
    Join Date
    Mar 2006
    Posts
    78
    While this is a topic you could goten the answer simply by doing a google search. I will lend my memory to you for a second.

    This was written by ankit fadia a couple years ago. If I remember correctly it actually explains the entire process and how to pull it off.

    http://neworder.box.sk/news/3825

  7. #7
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Within an IPv4 header two of the fields are source address and destination address, which hold the source from which the packet oriented and the destination the packet is traveling to respectively. Now to spoof a packet you would need to modify the source address and as you point out this would mean that the server you are communicating with would always reply to the spoofed address and you would not receive any of the replies. Therefore spoofing IP address for a connection oriented protocol such as tcp would mean you could not establish a connection to a server - so you couldnt do things like browse the web using a spoofed address. - you could do things like launch a SYN flood attack on a webserver since this would not require a connection to be established.
    True in a way - but packets usually pass through a switch before the get to the WS. Most switches have ARP caches - which can be poisoned...........

    I have a tutorial that i wrote a long time ago - I will put it back up in the tutorial section for a short while so you can read about this if you like.
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  8. #8
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Have temp posted it here:
    http://www.antionline.com/showthread...hreadid=274435
    its the second half that may interest you.
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  9. #9
    Member
    Join Date
    Aug 2005
    Posts
    51
    Wow, today is indeed a great day! I have always wanted a clear answer on how IP "spoofing" worked. Sometimes Google is full of useless information that takes too much time to sort through. Thanks for the link.

  10. #10
    Banned
    Join Date
    Jan 2006
    Posts
    128
    True in a way - but packets usually pass through a switch before the get to the WS. Most switches have ARP caches - which can be poisoned...........

    Yeah ARP poisoning would work to an extent, the extent being you could only spoof an address within your network (i.e. one you owned) otherwise the traffic wouldnt be routed back to you and would be lost somewhere. However there is nothing stopping you using machines dotted around the world (one being at the spoofed IP address, or at least at an address where you can catch the data) to relay data back to you. It just gets a bit messy.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides