IP Spoofing to bypass a Router/Firewall???

[Liquid_Darkness]

Okay so I've been running some remote tests on my girlfriend's dad's server and his XP box is vulnerable to a major exploit, resulting in remote shell access by the attacker. Its easy enough from inside the network but he thinks his router/firewall (linksys) is enough to keep his server safe. He wants me to try and attack it from outside.

The firewall filters all incoming traffic and only allows access to certain ports. My idea is that if I can use IP spoofing to trick the router into thinking the exploit traffic is coming from the server itself, it will let it through and open the shell to my comp, from behind the firewall.

STEP 1:
[Atacker] send: *exploit with w/ spoofed IP*----> (INTERNET) ----> [Firewall] ----> [Target]

STEP 2:
[Target] send: *remote shell* --> [Firewall] ----> (INTERNET) ----> [Attacker]

STEP 3:
[Target] <-- *remote connection* --> [Target]

I am not very familiar with packet spoofing. Is what I am proposing possible or is there an easier way to go about this?

If so, how would I accomplish it? In the meantime I will read up some more on IP spoofing.


Any help or info would be apriciated!!!!!

[Tiger Shark]

Since the exploit won't be transmitted until after the 3-way handshake how will you know that the handshake has taken place and how will you know if any of the subsequent packets are received?

That's the problem with spoofing over TCP/IP or any other protocol.

[nightcat]

If the firewall is set to block this kind of traffic, won't it do it all automaticaly?

I thought, that if you set the firewall to block all the traffic on the port, it wont matter from which computer will it come. I could be wrong.

[Liquid_Darkness]

Originally posted here by Tiger Shark
Since the exploit won't be transmitted until after the 3-way handshake...

hmmn... thats right, I didnt think about that. So is there an alterative teqnique or a better way to get to a blocked port behind a firewall?

[IKnowNot]

have him open an e-mail attachment

[Liquid_Darkness]

I'm looking for something less conspicous then a trojaned e-mail.

So am I correct in assuming that the only way to exploit that particular vulnurability is to:

A) Hack the router
B) Attack from within the network

Meaning, it is impossible to do remotely over TCP/IP?

[unhappy]

ARP cache poisoning ... if the router supports it

[Liquid_Darkness]

Hmmn.. I dont know much about ARP poisoning.. the only thing I've read about it was an example from within the network. Could somone maybe post some resources on it? I'll see what I can find myself.

[chsh]

You could do it if you could predict the ISN of a given new connection, and then properly forge the appropriate SNs in each packet, but good luck doing that, most modern stacks guard against ISN guessing by using random ISN generation. Now, that's not to say it's impossible, it's just hard to do is all.
Tiger is mistaken in his statement -- specifically the "any other protocol" portion; If it were a UDP based service you were exploiting, it becomes another thing entirely from TCP. Unlike TCP, UDP has no sequence numbers to have to guess, and no handshaking, so really forging the IP (which involves a separate layer) is basically all that is required.

[Liquid_Darkness]

I see what you are saying... Thats rediculously impractical for what I am trying to accomplish but very interesting. When I realized the problem with the TCP handshake I figured UDP wouldnt have the same problem, but I was hoping there was a better way around a TCP filtering firewall.

Thanks guys