Government Security
Network Security Resources


Tcp/ip Vulnerabilities And Weaknesses.

23 replies to this topic

#16 Guest_SyN/AcK_*

Guest_SyN/AcK_*
  • Guests

Posted 18 February 2004 - 06:49 AM

Very nice description of the TCP/IP suite, as well as the vulnerabilities inherent in the suite! :)

#17 setthesun

setthesun

    Sergeant First Class

  • Sergeant Major
  • 574 posts

Posted 18 February 2004 - 08:51 AM

The best part of this paper is the code examples. It's really good to tell theory and give code to readers.

setthesun me = new setthesun();

#18 bitwild

bitwild

    Private First Class

  • Members
  • 55 posts

Posted 19 February 2004 - 03:46 AM

I think this should help too:

http://razor.bindvie...ers/tcpseq.html
http://lcamtuf.coredump.cx/newtcp/

#19 Guest_emitrax_*

Guest_emitrax_*
  • Guests

Posted 28 August 2004 - 09:31 AM

I've compiled both of your codes. But neither of them works, or at least, the IP source apparently is set back to my real one in kernel space. I've tried them in my LAN and using tcpdump I double checked the results. Neither of them is spoofed. I've been told to check out the rp_filter under /proc and set it to one. Nothing changed.

Do you have any idea how I can sort it out?!? Or why the IP source is automatically set back to the real one?!

Really good article by the way!

Thanks in Advance.
Emitrax

#20 shaun2k2

shaun2k2

    Staff Sergeant

  • Sergeant Major
  • 348 posts

Posted 30 August 2004 - 07:17 AM

Try applying a checksum to the checksum part of the header. To do this, you need to create a pseudo TCP (or otherwise) header structure, fill it in, and then invoke a checksum function to calculate the correct checksum, according to the pseudo header. Here is a fairly generic checksum calculation function:
unsigned short
getChkSumTCPUDP(unsigned short *addr, int count, unsigned short *addr2,
                int count2)
{
    unsigned long sum = 0;

    /* pseudo header */
    while (count2 > 1) {
        sum += *addr2++;
        count2 -= 2;
    }
    /* TCP message (header + data) */
    while (count > 1) {
        sum += *addr++;
        count -= 2;
    }
    /* odd trailing byte of the message, if any */
    if (count > 0)
        sum += *(unsigned char *)addr;

    /* fold the carries back into the low 16 bits */
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (unsigned short)~sum;
}

Source: RFC 1071

Your pseudohdr should look like this:
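#include <netinet/in.h>   /* struct in_addr */

struct pseudohdr
{
    struct in_addr saddr;
    struct in_addr daddr;
    unsigned char zer0;    /* always zero */
    unsigned char proto;   /* IPPROTO_TCP or IPPROTO_UDP */
    unsigned short len;    /* TCP/UDP length, network byte order */
};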
Create an instance of your structure, fill it in accordingly, and then run your checksum function upon it. Put the returned value into the checksum field of the packet header.

One last thing; don't take that code too seriously - there are probably plenty of bugs, and it was mainly meant as example code :).


-Shaun.
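
The pseudo-header checksum described in the post above, as an added example that is not part of the original post or the article: it verifies a received TCP segment rather than building one, and sums byte-wise in network order so the result does not depend on host endianness. The function names and the sample segment (documentation addresses 192.0.2.1 and 192.0.2.2) are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1071 sum over big-endian 16-bit words; an odd last byte is zero-padded. */
static uint32_t sum_words(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)(p[0] << 8 | p[1]);
    return len ? sum + (uint32_t)(p[0] << 8) : sum;
}

/* Checksum over the 12-byte pseudo header (src, dst, zero, proto 6, TCP length)
   followed by the TCP header and payload. Addresses are in network byte order. */
uint16_t tcp_checksum(const uint8_t src[4], const uint8_t dst[4],
                      const uint8_t *seg, size_t len)
{
    uint8_t ph[12] = {0};
    uint32_t sum;

    memcpy(ph, src, 4);
    memcpy(ph + 4, dst, 4);
    ph[9] = 6;                      /* IPPROTO_TCP */
    ph[10] = (uint8_t)(len >> 8);
    ph[11] = (uint8_t)len;
    sum = sum_words(sum_words(0, ph, sizeof ph), seg, len);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* With the checksum field left in place, an intact segment sums to zero. */
int tcp_checksum_ok(const uint8_t src[4], const uint8_t dst[4],
                    const uint8_t *seg, size_t len)
{
    return len >= 20 && len <= 0xffff && tcp_checksum(src, dst, seg, len) == 0;
}

/* Constructed sample: 192.0.2.1:1234 -> 192.0.2.2:80, PSH|ACK, payload "A". */
static const uint8_t SRC[4] = {192, 0, 2, 1}, DST[4] = {192, 0, 2, 2};
static const uint8_t SEG[21] = {0x04, 0xd2, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 1,
                                0x50, 0x18, 0x20, 0x00, 0xc5, 0xa3, 0, 0, 'A'};

int main(void)
{
    printf("sample segment valid: %d\n", tcp_checksum_ok(SRC, DST, SEG, sizeof SEG));
    return 0;
}
```

Because the addresses are part of the sum, the same segment fails verification when checked against a different source or destination address.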

#21 binhtrieu

binhtrieu

    Private

  • Members
  • 8 posts

Posted 06 April 2005 - 11:54 PM

Good paper. Thanks man :)

#22 Glyph

Glyph

    General of the Army

  • GSO Management
  • 1,602 posts

Posted 17 January 2006 - 11:29 AM

Nicely done. Good depth. Looks like you've read (as a start) all three of the 'Comer' volumes ;)

#23 rgoer

rgoer

    Private

  • Members
  • 2 posts

Posted 10 April 2006 - 04:23 AM

--] 1.3.1 ATTACKS - BLIND SPOOFING ATTACKS - SEQUENCE NUMBER PREDICTION

This is the ultimate attack in IP spoofing, to gain a connection with a host,
pretending to be another host, preferably a trusted host. All that is required
is that the attacker can predict the sequence number of the server host's
SYN|ACK packet after sending a SYN packet, but this is not as simple a task as
somebody might think.
First, there's the issue of actually guessing the sequence number of this packet
of interest, and secondly, there's the issue of the host you are spoofing of
answering to the SYN|ACK packet, and sending a RST (reset connection) packet
because it was not expecting the SYN|ACK packet. The second problem is actually
simpler to deal with. A classic method of preventing the spoofed host from
replying to the SYN|ACK packet with a RST is by SYN flooding it (see above for
details). Now onto how to solve our first problem.


You can also use NMAP to scan for filtered ports, just do something like
nmap -p 1-1000 -sA --scanflags SYNACK SITE
nmap -p 1-1000 -sS SITE

It'll respond with the unfiltered ports and say that the rest are filtered. And a filtered port basically means that it doesn't respond to any traffic, not with a RST packet nor with a SYN/ACK packet. So just set the source port of your spoofed traffic to a filtered port on the host you want to spoof and no RST packet will be sent.

#24 Guest_berdo_*

Guest_berdo_*
  • Guests

Posted 15 July 2007 - 09:45 AM

Thanks man for this article, it's really amazing.
But I have a question about how to kill a connection which is based on UDP?
Like games sniffing.
But I can't do it because ettercap doesn't have this function.
Can you help me to learn with another way?




