lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <12625.1193346863@turing-police.cc.vt.edu>
Date: Thu, 25 Oct 2007 17:14:23 -0400
From: Valdis.Kletnieks@...edu
To: 3APA3A <3APA3A@...URITY.NNOV.RU>
Cc: Oliver <olivereatsolives@...il.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: TCP Hijacking (aka Man-in-the-Middle)

On Fri, 26 Oct 2007 00:43:10 +0400, 3APA3A said:

>  Valdis,  you  should  back  to  Cretaceous period, because Oliver talks
>  about   man-in-the-middle   attack,   not  about  blind  TCP  spoofing.
>  Randomized ISN doesn't protect against MitM.

Doing a MitM is basically just spoofing two connections at the same time. If
you know how to do one, you know how to do two. And if you know how to do one
of them *blind*, it vastly increases your options (as you only need to be able
to see the traffic in one direction rather than both).  Also, knowing your
history gives you a leg up - I'm quite sure that very few of the skript kiddies
who now think a SYN-flood is just a useful DDoS attack realize that the
*original* use was to spam a machine into a state where it couldn't send an RST
packet to your victim box when it saw the replies to the forged packets you
were blind-spoofing.

Now - what *other* ways can you leverage the idea that you can make an RST
packet "Not Happen"?  Remember - if you're the attacker, you *want* to be
exploiting odd corner cases of the protocol, and it's perfectly fair to abuse
a trick that nobody bothers defending against anymore because they've forgotten
it....

Of course, these days it's probably easier to play some DNS spoofing games so
that the victim connects to your server and you then proxy to wherever it was
really intended to go.  Or just create a phish.





Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ