IP Spoofing






"Each time we breathe
We tear our lungs with pain...
And each step forward
Is a step to hell,
Unmoved, through previous
Corpses and their smell."

Flowers of Evil.






Ok, first I got to explain the 'trusted hosts' stuff.
In a UNIX network, some hosts are considered 'trusted'. Basically, it
means that users coming from them can log in and execute remote
commands without giving a password. The list of trusted hosts is kept
in the phile /etc/hosts.equiv. So if you're in that list, or if they
think that you're there, you can use both rlogin and rsh with total
impunity (as long as you use the same login name on both ends: a bare
hostname entry only trusts the account with the same name).
Let me add that the default configuration of /etc/hosts.equiv, as
shipped on some systems, has a 'wildcard' :
     +
That's it. And that means that ANY host is considered a trusted host!
There is also another phile, the .rhosts phile, that allows trusted
access to one specific user account rather than to the whole system.
Each user of the system can create his or her own .rhosts phile in
his or her home directory, and allow trusted access (= access with no
password) to that account, without the sysadm knowing about it (the
hosts.equiv phile is under sysadm control, ~/.rhosts is not).
Now, what did I say about them believing that you're one of them?
Basically, you can fool them. How? By faking the source address of the
packets that are sent to that system, so that your computer can
impersonate a trusted host. How is that possible? rlogind and rshd
decide whether to trust another system by looking at the source
address of the incoming connection (they look up the name for that
address and compare it against hosts.equiv and .rhosts). That's the
only proof of identity there is. Change the source IP address, and
you're in.
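To make the hosts.equiv / .rhosts rules concrete, here is a small model of the lookup, added to this article (it is not rlogind's or rshd's own code, and it leaves out netgroup entries). The sample phile contents, host names and user names are made up for the demonstration.

```python
# Added example: a model of the hosts.equiv / ~/.rhosts lookup, written for this
# article. It is NOT the rlogind/rshd code; netgroup entries (+@group) are left out.
# Rule format, one per line:  host [user]
#   "+" in the host field matches any host, "+" in the user field any user,
#   a leading "-" on either field denies instead of allows, and a rule with
#   no user field only trusts the remote user who has the SAME login name.

def parse_rules(text):
    """Turn the text of a hosts.equiv or .rhosts phile into (host, user) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):       # blank lines and comment lines
            continue
        fields = line.split()
        rules.append((fields[0], fields[1] if len(fields) > 1 else None))
    return rules

def _match(pattern, value, fold_case=False):
    """One field of a rule against one value: +1 allow, -1 deny, 0 no match."""
    negate = pattern.startswith("-")
    pattern = pattern[1:] if negate else pattern
    if fold_case:                                 # host names compare case-insensitively
        pattern, value = pattern.lower(), value.lower()
    if pattern != "+" and pattern != value:
        return 0
    return -1 if negate else 1

def trusted(rules, remote_host, remote_user, local_user):
    """True if remote_user@remote_host may become local_user without a password.
    The first rule whose host AND user fields match decides; a negative match
    ends the search with a denial, the way ruserok() behaves."""
    for host_pat, user_pat in rules:
        h = _match(host_pat, remote_host, fold_case=True)
        if h == 0:
            continue
        if user_pat is None:                      # same login name required
            u = 1 if remote_user == local_user else 0
        else:
            u = _match(user_pat, remote_user)
        if u == 0:
            continue
        return h > 0 and u > 0
    return False

def wildcard_entries(rules):
    """Rules that trust any host at all; the lone '+' is the case the text warns about."""
    return [r for r in rules if r[0] == "+"]

# Constructed sample philes for the demonstration, not taken from any real system.
HOSTS_EQUIV_DEFAULT = "+\n"                 # the shipped wildcard: any host
HOSTS_EQUIV_TIGHT = """# /etc/hosts.equiv on 'target': only two named hosts
trusted1.example
trusted2.example  -root
-evil.example
"""
ALICE_RHOSTS = "anywhere.example  kevin\n"  # ~alice/.rhosts: kevin@anywhere may be alice

def demo():
    default, tight, rhosts = (parse_rules(t) for t in
                              (HOSTS_EQUIV_DEFAULT, HOSTS_EQUIV_TIGHT, ALICE_RHOSTS))
    return {
        "default_any_host":   trusted(default, "attacker.example", "alice", "alice"),
        "default_other_name": trusted(default, "attacker.example", "mallory", "alice"),
        "tight_named_host":   trusted(tight, "TRUSTED1.example", "alice", "alice"),
        "tight_other_host":   trusted(tight, "attacker.example", "alice", "alice"),
        "tight_root_denied":  trusted(tight, "trusted2.example", "root", "root"),
        "rhosts_kevin":       trusted(rhosts, "anywhere.example", "kevin", "alice"),
        "wildcards":          wildcard_entries(default),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value}")
```

Note what the wildcard does and does not do: with a lone "+" any host is trusted, but only for a remote user whose login name matches a local account, so the forged connection has to claim a user name that exists on B as well.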

Ok, second, I got to talk about TCP/IP and the 3-way handshake.
When a host sends a message to another host (mail, ftp, whatever..),
the message is broken up into a number of segments by TCP, and TCP
re-assembles them in order at the destination host. IP just routes
the packets that carry them.
When a client wants to reach a server, it has to know its IP address
and its TCP port number (TCP uses port numbers to keep track of
individual connections).
The client's own port number is picked more or less at random. However,
ports in the range 0 to 1023 are 'well-known' ports, that is, used to
reach standardized services, like FTP (port 21) or the rlogin (513)
and rsh (514) daemons we're interested in.
A socket address = IP address + port#
A connection is identified by the socket addresses at each end of
the connection (that is, by a set of 4 numbers: source IP, source
port, destination IP, destination port).
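Here is what 'faking the source address' means at the byte level, as an added example that is not part of the original article: the IPv4 and TCP headers of a SYN that claims to come from A, with both checksums computed the way B's kernel will check them (the TCP checksum covers a pseudo-header holding the IP addresses, so the forged address has to be used there too). Addresses come from the RFC 5737 documentation ranges and all numbers are made up. The code only builds and re-parses the bytes; putting them on the wire takes a raw socket and root, which is left out.

```python
# Added example for this article: assemble the raw bytes of an IPv4/TCP SYN whose
# source address is a host we are not (A), addressed to B, and re-parse them the
# way the receiver does. Pure stdlib; nothing here touches the network.
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd trailing byte padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, payload_len: int, ident: int = 0) -> bytes:
    """20-byte IPv4 header, protocol 6 (TCP), no options. src is whatever we claim."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, ident, 0, 64, socket.IPPROTO_TCP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def tcp_segment(src: str, dst: str, sport: int, dport: int, seq: int, ack: int,
                flags: int, window: int = 4096, payload: bytes = b"") -> bytes:
    """20-byte TCP header plus payload. The checksum covers a pseudo-header with
    both IP addresses, so it is computed with the forged source as well."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def spoofed_syn(claimed_src: str, dst: str, sport: int, dport: int, isn: int) -> bytes:
    """First message of the handshake, with A's address in the IP source field."""
    tcp = tcp_segment(claimed_src, dst, sport, dport, isn, 0, TCP_SYN)
    return ipv4_header(claimed_src, dst, len(tcp)) + tcp

def parse_packet(pkt: bytes) -> dict:
    """Unpack an IPv4/TCP packet as the receiver would, verifying both checksums
    (a correct checksum makes the one's-complement sum over the header come out 0)."""
    ihl = (pkt[0] & 0x0F) * 4
    ip = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    total_len = ip[2]
    tcp = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    pseudo = struct.pack("!4s4sBBH", ip[8], ip[9], 0, ip[6], total_len - ihl)
    return {
        "src": socket.inet_ntoa(ip[8]), "dst": socket.inet_ntoa(ip[9]),
        "sport": tcp[0], "dport": tcp[1], "seq": tcp[2], "ack": tcp[3], "flags": tcp[5],
        "ip_csum_ok": checksum(pkt[:ihl]) == 0,
        "tcp_csum_ok": checksum(pseudo + pkt[ihl:total_len]) == 0,
    }

# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
TRUSTED_A, TARGET_B, ATTACKER = "192.0.2.10", "192.0.2.20", "198.51.100.7"

def demo() -> dict:
    # Source port 1023: rshd/rlogind only accept connections from privileged
    # ports (< 1024), so the forged SYN has to claim one. 514 is rsh on B.
    pkt = spoofed_syn(TRUSTED_A, TARGET_B, sport=1023, dport=514, isn=0x1A2B3C4D)
    return parse_packet(pkt)

if __name__ == "__main__":
    print(demo())
```

B cannot tell from these bytes that they did not come from 192.0.2.10; the only thing that gives the forgery away is that B's SYN/ACK will be routed to the real A, which is what the rest of the article is about.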

Now, if computer A wants to talk to computer B, A picks an
initial sequence number (IS# for brevity's sake).
A sends a synchronize segment (SYN) carrying that IS# to B.
When B gets the SYN, B picks its own IS#.
B sends back a SYN carrying its own IS#, combined with an
acknowledgement (ACK) of A's IS# (the ACK field holds A's IS# + 1),
to A.

When A receives the SYN/ACK from B, A sends back an ACK of B's IS#
(ACK field = B's IS# + 1).


A----->B
  SYN

A<-----B
  SYN/ACK
 
A----->B      connection opened.
  ACK

The connection procedure is called a 3-way handshake, because 3
messages (SYN, SYN/ACK and ACK) are required to set up the connection.
A and B have now synchronized their IS# and are ready to exchange
data.
Now, these IS# are supposed to be hard to guess. Instead, 4.2BSD-derived
UNIX kernels just increment a counter: by 128 every second, and by 64
for each new connection.
So if you open a connection and look at the IS# you get, you can
predict what IS# will be used for the next connection (add 64, plus
128 for every second that went by in between).
First, you send a series of probes, using finger, showmount and
rpcinfo, to find out which hosts trust which (who is logged in from
where, who mounts whose filesystems).
Second, you connect to B. B gives you IS#1.
Third, you impersonate A and send:

A----->B
  SYN 

B's response B----->A goes to the legitimate A, not to you:
               SYN/ACK with IS#2

You never see that message, but by guessing B's IS#2 (knowing IS#1),
you can still send:

A----->B
  ACK (acknowledging IS#2 + 1)      connection opened!

B is fooled into believing that it has a legitimate connection with
A, while in reality it's you sending the packets. Anything you send
on that connection (an rsh command, say) now runs with A's trust. You
work blind, though: B's replies go to the real A, just like the SYN/ACK.

A little problem here is that the real A receives B's SYN/ACK.
A realizes that B is ACKing something that A never sent.
A then sends a RST (reset) packet to B, which kills the half-open
connection before your ACK gets there.
One way around this problem is to send a whole bunch of SYNs to
port 513 (login) on A, to completely fill that port with half-opened
connections, so that it won't respond to anything else arriving on
that port, not even with a RST. For that to help, your spoofed SYN has
to claim source port 513, so B's SYN/ACK lands on the jammed port. It
is still a race: your ACK must reach B before any RST does.
Another way would be to make A go down...
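Putting all the steps together, here is a simulation of the whole thing, added to this article (it is not code from the original): three toy hosts, A, B and the attacker X, pass segments to each other by function call. B hands out IS#s by the 4.2BSD rule above (+128 per second, +64 per connection), and A either resets the half-open connection or, when its port 513 is jammed with half-open connections, silently drops the SYN/ACK as the text describes (that dropping is a model of the article's claim, not of any particular kernel). All host names and numbers are made up.

```python
# Added example for this article: a simulation of the spoofed handshake. Hosts
# are toy objects; segments travel by function call, not over a network.
from dataclasses import dataclass

SYN, ACK, RST = "SYN", "ACK", "RST"

@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset
    seq: int = 0
    ack: int = 0

class Clock:
    def __init__(self):
        self.now = 0            # whole seconds, advanced by the simulation
    def sleep(self, seconds):
        self.now += seconds

class ServerB:
    """Target B: its rsh port (514) goes ESTABLISHED once it sees the right ACK.
    ISN counter as the text describes 4.2BSD: +128 per second, +64 per connection."""
    def __init__(self, clock, isn0):
        self.clock, self.isn, self.last_tick = clock, isn0, clock.now
        self.half_open = {}     # (peer host, peer port) -> ISN we sent in the SYN/ACK
        self.established = []
    def next_isn(self):
        self.isn = (self.isn + 128 * (self.clock.now - self.last_tick) + 64) & 0xFFFFFFFF
        self.last_tick = self.clock.now
        return self.isn
    def receive(self, seg):
        key = (seg.src, seg.sport)
        reply = lambda flags, seq, ack=0: Segment("B", seg.src, seg.dport, seg.sport,
                                                  frozenset(flags), seq, ack)
        if seg.flags == {SYN}:
            isn = self.next_isn()
            self.half_open[key] = isn
            return reply({SYN, ACK}, isn, seg.seq + 1)
        if key in self.half_open and seg.flags == {ACK}:
            if seg.ack == self.half_open.pop(key) + 1:
                self.established.append(key)
                return None
            return reply({RST}, seg.ack)         # wrong guess: B resets
        if key in self.half_open and seg.flags == {RST}:
            del self.half_open[key]              # the real A killed our half-open entry
        return None

class TrustedA:
    """Trusted host A. A SYN/ACK for a SYN it never sent gets a RST, unless its
    login port (513) is saturated with half-open connections (the article's claim,
    modelled literally: a full port drops everything it receives)."""
    def __init__(self, backlog):
        self.backlog, self.half_open, self.rst_sent = backlog, 0, 0
    def receive(self, seg):
        if seg.dport != 513:
            return None
        if seg.flags == {SYN}:                   # a flood SYN: one more half-open entry
            self.half_open = min(self.half_open + 1, self.backlog)
            return None
        if self.half_open >= self.backlog:
            return None                          # saturated: dropped, no RST
        if seg.flags == {SYN, ACK}:
            self.rst_sent += 1
            return Segment("A", seg.src, seg.dport, seg.sport, frozenset({RST}), seq=seg.ack)
        return None

def predict_isn(isn_seen, seconds_elapsed, connections_since=1):
    """What B will hand out next, if it really follows the 4.2BSD rule."""
    return (isn_seen + 128 * seconds_elapsed + 64 * connections_since) & 0xFFFFFFFF

def run_attack(mute_a, delay_seconds=0, guess_error=0):
    clock = Clock()
    hosts = {"A": TrustedA(backlog=8), "B": ServerB(clock, isn0=1_000_000)}
    deliver = lambda seg: hosts[seg.dst].receive(seg)
    if mute_a:                                   # jam A's login port with half-open connections
        for i in range(hosts["A"].backlog):
            deliver(Segment("Z%d" % i, "A", 1000 + i, 513, frozenset({SYN}), seq=1))
    # Step 1: connect to B ourselves (as X) and read IS#1 off the SYN/ACK
    isn1 = deliver(Segment("X", "B", 40000, 514, frozenset({SYN}), seq=5000)).seq
    clock.sleep(delay_seconds)
    guess = predict_isn(isn1, delay_seconds) + guess_error
    # Step 2: a SYN claiming to come from A port 513; B answers the real A, not us
    synack = deliver(Segment("A", "B", 513, 514, frozenset({SYN}), seq=7000))
    a_reply = deliver(synack)
    if a_reply is not None:
        deliver(a_reply)                         # A's RST reaches B before our ACK
    # Step 3: the blind ACK, acknowledging the IS#2 we never saw
    b_reply = deliver(Segment("A", "B", 513, 514, frozenset({ACK}), seq=7001, ack=guess + 1))
    return {
        "isn1": isn1, "isn2": synack.seq, "guess": guess,
        "a_reset_it": hosts["A"].rst_sent > 0,
        "b_reset_it": b_reply is not None and RST in b_reply.flags,
        "established": ("A", 513) in hosts["B"].established,
    }

if __name__ == "__main__":
    print("A answering:", run_attack(mute_a=False))
    print("A jammed:   ", run_attack(mute_a=True, delay_seconds=3))
```

The three runs worth looking at: with A answering, the guess is right but A's RST wins and B never goes ESTABLISHED; with A jammed, the same guess (even after a few seconds, since the per-second increment is predictable too) opens the connection; and with the guess off by even one, B answers the blind ACK with its own RST, which you also never see.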
