Re: Hijacking tool

casperfwi.uva.nl

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Alec Muffett: "Re: Hijacking tool"
• Previous message: Paul Ferguson: "Re: Hijacking tool"
• In reply to: Paul Ferguson: "Re: Hijacking tool"
• Next in thread: Alec Muffett: "Re: Hijacking tool"

>
>> 
>> There is a tool floating around called TAP which is a kernel mod that
>> allows you to easily watch streams on SunOs, and capture what a person
>> is typing.  It is easy to modify so that you could actually write to
>> the stream thus emulating that person and hijacking their terminal 
>> connection.  
>> 
>> To load the modules, the intruder does a modload to add the module to
>> the kernel.  One way to detect the hijacking tool is to do a
>> 
>> 	modstat
>> 
>> and see if there is any unfamiliar modules loaded.  An intruder could trojan
>> modstat so it might be worthwhile to check the integrity of modstat.
>> 
>>
>
>I'm less concerned about the IP spoofing attack method than I am curious
>about this TAP tool. Does anyone have any detailed/technical information
>on this in particular?


If you're hijacking *connections* isn't it much easier to just steal
the filehandles in the kernel?

(Just go to a processes' file table and add that processes file * to
your open set, e.g., by implementing an new systemcall, interprocess
dup:  int ipcdup(int pid, int fd))

Can't be more than four or five lines of kernel code.

Casper

• Next message: Alec Muffett: "Re: Hijacking tool"
• Previous message: Paul Ferguson: "Re: Hijacking tool"
• In reply to: Paul Ferguson: "Re: Hijacking tool"
• Next in thread: Alec Muffett: "Re: Hijacking tool"