lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1144790627.7004.12.camel@localhost>
Date: Tue Apr 11 22:24:11 2006
From: bmenrigh at ucsd.edu (Brandon Enright)
Subject: info on ip spoofing please

On Tue, 2006-04-11 at 21:54 +0100, Ian stuart Turnbull wrote:
> Excellent response Brendon. Thanks heaps.
> I was reading the infamous Markoff / Tsutomu Shimomura attack at 
> http://www.totse.com/en/hack/hack_attack/hacker03.html
> 
> and I guess I assumed that as they did not know each other personally then 
> Markoff must have found a way to locate 2 computers conversing with each 
> other randomly? Perhaps this assumption was not correct?
> Though from the test it appears Markoff DID find a way of doing this - ie, 
> finding 2 computers talking to each other NOT on his own LAN / network???
> 

The attack you are referring to is known as an TCP sequence prediction
attack.  This sort of attack is not realistic with modern operating
system and TCP/IP stacks because they are careful to prevent predictable
TCP sequence numbers.

If you are curious how easy or hard a sequence attack against a machine
is, using Nmap with -O and -v you can have Nmap check the sequence
numbers and categorize them to some extent.

The output of a Windows XP machine (with either MS05-019 or SP2) looks
something like:

TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Incremental

Conversely, the Windows 98 stack has a difficulty of 1 (by Nmap
standards) which would make a sequence attack very possible.

Reasonable ingress and egress filtering coupled with modern TCP/IP
stacks makes sequence prediction attacks totally infeasible.

Brandon

-- 
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh@...d.edu


> 
> >From: Brandon Enright <bmenrigh@...d.edu>
> >
> >On Tue, 2006-04-11 at 20:37 +0100, Ian stuart Turnbull wrote:
> > > Hello all,
> > > At
> > > 
> >http://www.iss.net/security_center/advice/Underground/Hacking/Methods/Technical/Spoofing/default.htm
> > >
> > > was this comment :-
> > >
> > > QUOTE "
> > > Examples of spoofing:
> > >
> > > man-in-the-middle
> > > packet sniffs on link between the two end points, and can therefore 
> >pretend
> > > to be one end of the connection "
> > >
> > > My question is How can you sniff packets on a link that your machine is 
> >NOT
> > > on ie NOT on the same subnet??
> > >
> > > Why am I at a loss to understand this. Is there a command/software that
> > > allows one to
> > > say: sniff packets on port x of IP xxx.xxx.xxx.xxx ?
> > >
> > > Please put me out of my agony on this.
> > > Thanks for any info you can give.
> > >
> > > Ian t
> > >
> >
> >In general you can not arbitrarily monitor the traffic of any random
> >host.  If the host you are trying to attack is not relatively local
> >there is little to no chance you'll be able to sniff the traffic.
> >
> >For more local hosts though, if you can directly influence the network
> >devices separating you from your victim there is a chance you will be
> >able to redirect traffic for an attack.
> >
> >The two more common methods for performing MITM attacks are ARP spoofing
> >and Spanning Tree spoofing.  Several tools can perform ARP poisoning
> >(ettercap comes to mind).  There is an excellent overview of attacks
> >with Spanning Tree in Cisco's _Network Security Architectures_ (ISBN:
> >1-58705-115-X).
> >
> >If you goal isn't to modify the stream for a MITM attack but just watch
> >the traffic, CAM table flooding can reduce the switch/vLAN to the
> >behavior of a hub.
> >
> >For a discussion of all of these attacks see
> >http://www.rootsecure.net/content/downloads/pdf/layer2sniffing.pdf
> >
> >All that being said, it still may not be possible to manipulate the
> >network in any useful way.  Cisco and other vendors have mechanisms that
> >can be turned on for most of their devices that detect and prevent many
> >or all of the above attacks.
> >
> >For those with Cisco devices looking to protect against said attacks,
> >limiting the number of MACs per port and turning on BPDU Guard
> >(http://www.cisco.com/warp/public/473/65.html) is typically all that
> >needs to be done.
> >
> >Regards,
> >
> >Brandon
> >
> >--
> >Brandon Enright
> >Network Security Analyst
> >UCSD ACS/Network Operations
> >bmenrigh@...d.edu
> >
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ