Date: Tue Apr 11 22:12:04 2006
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: info on ip spoofing please 

On Tue, 11 Apr 2006 21:54:50 BST, Ian stuart Turnbull said:
> Excellent response Brendon. Thanks heaps.
> I was reading the infamous Markoff / Tsutomu Shimomura attack at 

That was *Mitnick*, not Markoff - Markoff wrote a book or 3 about it later.

> http://www.totse.com/en/hack/hack_attack/hacker03.html
> 
> and I guess I assumed that as they did not know each other personally then 
> Markoff must have found a way to locate 2 computers conversing with each 
> other randomly? Perhaps this assumption was not correct?
> Though from the test it appears Markoff DID find a way of doing this - ie, 
> finding 2 computers talking to each other NOT on his own LAN / network???

Well, at that time, it was a pretty good guess that if you found hostnames
george.site.dom, paul.site.dom, john.site.dom, and ringo.site.dom, and all 4
had rsh enabled, that there was a lot of rsh traffic between them, and likely
a .rhost trust between them so you wouldn't need a password....

And what Mitnick's attack did *wasn't* finding 2 computers *talking*.
In fact, the attack relied on finding a trusted computer *not* talking (or
making it not talk).

What he did was:

1) Bash george.site.dom over the head with SYN packets to make it STFU.
2) Send paul.site.dom a forged SYN packet claiming to be from george.
3) Paul sends a syn/ack to george, who can't send an RST because it's STFU.
4) send a forged ACK for the syn/ack claiming to be from george.
5) Send the rest of the TCP datastream.

The only tough part is knowing what the ISN will be on the syn/ack so you can
ack it properly - and in that day, just poking its 'finger' port or something,
noting *that* ISN, and adding 32K or a similar constant was almost guaranteed to work.
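The five steps above, as an added toy simulation (constructed for this page, not code from the original post or from any real TCP stack): a trusted server "paul" hands out initial sequence numbers either predictably or at random, the attacker never sees the SYN/ACK that paul sends to the spoofed source "george", and step 1 (the SYN flood) is modelled as a `silenced` flag on george. The host names, the port numbers, the payload and the per-connection ISN increment `ISN_STEP` (the post says "32K or similar"; the real value depends on the stack) are all assumptions.

```python
"""Toy model of the blind TCP-spoofing sequence: constructed simulation,
not real TCP.  A trusted server issues ISNs predictably or randomly; the
attacker must guess the ISN of a SYN/ACK it can never see."""
import random
from dataclasses import dataclass, field

ATTACKER = "attacker.example"      # assumed name for the attacker's own host
GEORGE = "george.site.dom"         # trusted client whose address is forged
PAUL = "paul.site.dom"             # rsh server that trusts george

# Assumed per-connection ISN increment for the "predictable" policy.
ISN_STEP = 32768
rng = random.Random(1234)          # seeded so the random policy is repeatable


@dataclass
class Host:
    name: str
    silenced: bool = False                       # True after step 1 (SYN flood)
    own_syns: set = field(default_factory=set)   # ports this host really opened
    observed_isns: list = field(default_factory=list)
    rsts_sent: int = 0

    def on_syn_ack(self, server, port, isn):
        if port in self.own_syns:            # our own connection: learn the ISN
            self.observed_isns.append(isn)
        elif not self.silenced:              # unexpected SYN/ACK: answer with RST
            self.rsts_sent += 1
            server.on_rst(self.name, port)
        # a silenced host simply drops the SYN/ACK: no RST reaches the server


@dataclass
class TrustedServer:
    predictable: bool
    hosts: dict
    next_isn: int = 0x00010000
    pending: dict = field(default_factory=dict)      # (src, port) -> ISN
    established: dict = field(default_factory=dict)  # (src, port) -> bytes

    def issue_isn(self):
        if self.predictable:
            isn = self.next_isn
            self.next_isn = (self.next_isn + ISN_STEP) & 0xFFFFFFFF
            return isn
        return rng.getrandbits(32)

    def on_syn(self, src, port):
        """Steps 2/3: half-open entry; the SYN/ACK goes to src, whoever that is."""
        isn = self.issue_isn()
        self.pending[(src, port)] = isn
        self.hosts[src].on_syn_ack(self, port, isn)

    def on_rst(self, src, port):
        self.pending.pop((src, port), None)   # RST tears down the half-open entry

    def on_ack(self, src, port, ack):
        """Step 4: the handshake completes only if ack == ISN + 1."""
        isn = self.pending.get((src, port))
        if isn is not None and ack == (isn + 1) & 0xFFFFFFFF:
            del self.pending[(src, port)]
            self.established[(src, port)] = b""
            return True
        return False

    def on_data(self, src, port, payload):
        """Step 5: data on an established connection is trusted as coming from src."""
        if (src, port) not in self.established:
            return False
        self.established[(src, port)] += payload
        return True


def run_attack(predictable, silence_george):
    """Play the attack; return (handshake_ok, data_accepted, rsts_from_george)."""
    hosts = {ATTACKER: Host(ATTACKER), GEORGE: Host(GEORGE)}
    paul = TrustedServer(predictable, hosts)
    attacker, george = hosts[ATTACKER], hosts[GEORGE]

    george.silenced = silence_george           # step 1, modelled as a flag

    # Probe: a real connection from the attacker's own address reveals an ISN.
    attacker.own_syns.add(40000)
    paul.on_syn(ATTACKER, 40000)
    guess = (attacker.observed_isns[-1] + ISN_STEP) & 0xFFFFFFFF

    paul.on_syn(GEORGE, 1023)                  # steps 2/3: forged SYN from george
    ok = paul.on_ack(GEORGE, 1023, (guess + 1) & 0xFFFFFFFF)   # step 4: blind ACK
    data_ok = paul.on_data(GEORGE, 1023, b"rsh request, apparently from george\n")
    return ok, data_ok, george.rsts_sent


if __name__ == "__main__":
    print("predictable ISN, george silenced:", run_attack(True, True))
    print("predictable ISN, george awake:   ", run_attack(True, False))
    print("random ISN, george silenced:     ", run_attack(False, True))
```

Running the three cases shows the two things the post stresses: with george awake, his RST to the unexpected SYN/ACK kills the half-open entry before the forged ACK arrives, and with a random ISN the probe-plus-constant guess fails even though george is silent. Only the combination of a silenced trusted host and a predictable ISN lets the forged stream through.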