mungewell

Spoofing IP

4 posts in this topic

Hi,

One of the mainstream podcasts I listen to has stated multiple times that it is not possible to spoof IP packets as it is a two way communication, in that the 'callee' needs to send back to the 'caller'. This is something that makes me cringe each time it is said, but I don't know whether this is wrong or not.

If you have access (however obtained) to the network at some point between 'caller' and 'callee', is it possible to spoof an IP interaction without the 'callee' realising that they aren't 'talking' to whom they think they are?

I would imagine that this might be possible to do with promiscuous monitoring and packet injection, in that you might be able to fake a connection without the 'target' end being aware.

So two questions:

1) If an IP response (from the faker) comes back sooner than the real end, does the real response just get ignored? Guessing something to do with IP sequence numbers.

2) Is it possible to actively/selectively kill IP traffic on an ethernet/wireless segment based on its source IP? Can you decode the IP from the ethernet packet before the ethernet packet is complete, hence have the opportunity to corrupt the packet so that the intended receiver does not receive it at all?

Note: these questions are meant to be from an understanding/defending point of view, rather than exploiting it.

Cheers,

Munge.

[posted in 'Nubie' in case this has an obvious reply]

[edited for spelling]

Edited by mungewell
Yeah, it's called "proxy".

I take it you meant transparent proxy.

I actually posed the question as an 'unauthorised attacker' situation without compromising the attackee's machine or the network hardware (router); for example someone sitting outside your apartment and spoofing 'into' your wireless network.

Munge.

If you have access (however obtained) to the network at some point between 'caller' and 'callee', is it possible to spoof an IP interaction without the 'callee' realising that they aren't 'talking' to whom they think they are?

I would imagine that this might be possible to do with promiscuous monitoring and packet injection, in that you might be able to fake a connection without the 'target' end being aware.

Yes. Without some kind of authentication through SSL or whatever, this is possible.

So two questions:

1) If an IP response (from the faker) comes back sooner than the real end, does the real response just get ignored? Guessing something to do with IP sequence numbers.

Ideally, you'd want to be in a position to prevent the real responses from reaching the destination. You'd want to do some testing to see, but if I recall correctly, it may result in the destination sending a RST and tearing down the connection.

2) Is it possible to actively/selectively kill IP traffic on an ethernet/wireless segment based on its source IP? Can you decode the IP from the ethernet packet before the ethernet packet is complete, hence have the opportunity to corrupt the packet so that the intended receiver does not receive it at all?

Yes, again, if you're in a position to modify the packets in-transit.

Edit: to point you at some tools: Ettercap will do a lot of this by ARP spoofing, so you can play around with that. There are also other tools like Hunt for session hijacking. You could also roll your own in something like Scapy.

Edited by McGrewSecurity
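The two mechanics behind McGrewSecurity's answers can be modelled without sending a single packet. The block below is an added example, not code from the thread, from Ettercap, Hunt or Scapy: it implements the RFC 793 segment acceptance test on the receive side of a TCP connection to show what a victim does with a genuine reply that arrives after a spoofed one (question 1), and it parses a constructed Ethernet/IPv4 frame to show how few bytes of a frame have to be on the wire before the source address is known (question 2). Addresses (192.0.2.x documentation space), MAC addresses, sequence numbers and payloads are all made up for the demonstration; the IPv4 checksum is left at zero because nothing here validates it.

```python
"""Added example (not code from the original thread): two small models of
the mechanics discussed above.

  race_demo()    -- question 1: a TCP receiver applies the RFC 793 segment
                    acceptance test, so a spoofed reply that arrives first
                    advances RCV.NXT and the genuine reply is then treated
                    as data that has already been received.
  offsets_demo() -- question 2: the IPv4 source address sits at a fixed
                    offset near the start of an Ethernet frame, so a tap can
                    know the sender long before the frame has finished.

All addresses, sequence numbers and payloads are constructed for the demo.
"""
import struct

MOD = 1 << 32  # TCP sequence space wraps modulo 2**32


def in_window(x, rcv_nxt, rcv_wnd):
    """True if sequence number x lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2**32."""
    return (x - rcv_nxt) % MOD < rcv_wnd


def acceptable(rcv_nxt, rcv_wnd, seg_seq, seg_len):
    """RFC 793 section 3.9 acceptability test for an incoming segment."""
    if seg_len == 0:
        return seg_seq == rcv_nxt if rcv_wnd == 0 else in_window(seg_seq, rcv_nxt, rcv_wnd)
    if rcv_wnd == 0:
        return False
    return (in_window(seg_seq, rcv_nxt, rcv_wnd)
            or in_window(seg_seq + seg_len - 1, rcv_nxt, rcv_wnd))


class Receiver:
    """Just enough of the receive side of an ESTABLISHED TCP connection."""

    def __init__(self, rcv_nxt, rcv_wnd=65535):
        self.rcv_nxt = rcv_nxt
        self.rcv_wnd = rcv_wnd
        self.delivered = []      # in-order payloads handed to the application
        self.out_of_order = []   # future data (not reassembled in this model)

    def receive(self, seg_seq, payload):
        n = len(payload)
        if n == 0:
            return "ack-only"
        if not acceptable(self.rcv_nxt, self.rcv_wnd, seg_seq, n):
            return "dropped"  # receiver only re-sends ACK(rcv_nxt); nothing reaches the app
        behind = (self.rcv_nxt - seg_seq) % MOD  # bytes that precede RCV.NXT
        trimmed = False
        if 0 < behind < n:  # overlaps already-received data: discard the overlap
            payload, seg_seq, trimmed = payload[behind:], self.rcv_nxt, True
        if seg_seq != self.rcv_nxt:
            self.out_of_order.append((seg_seq, payload))
            return "queued"
        self.delivered.append(payload)
        self.rcv_nxt = (self.rcv_nxt + len(payload)) % MOD
        return "accepted-trimmed" if trimmed else "accepted"


FAKE = b"HTTP/1.1 200 OK\r\n\r\n<attacker>"        # 29 bytes, injected first (constructed)
REAL_SAME = b"HTTP/1.1 200 OK\r\n\r\n<real-one>"    # 29 bytes, genuine reply (constructed)
REAL_LONG = REAL_SAME + b" plus more"               # 39 bytes, genuine but longer


def race_demo():
    """Spoofed reply wins the race; what happens to the genuine reply?"""
    results = {}
    v = Receiver(rcv_nxt=1000)
    results["spoofed_first"] = v.receive(1000, FAKE)             # RCV.NXT becomes 1029
    results["same_length_genuine"] = v.receive(1000, REAL_SAME)  # wholly behind RCV.NXT
    v = Receiver(rcv_nxt=1000)
    v.receive(1000, FAKE)
    results["longer_genuine"] = v.receive(1000, REAL_LONG)       # first 29 bytes discarded
    results["stream"] = b"".join(v.delivered)                    # what the application sees
    return results


def build_frame(src_ip, dst_ip, payload, vlan=None):
    """Ethernet II + IPv4 header (checksum left 0) + payload; optional 802.1Q tag."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst, src MAC
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)
    eth += struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + payload


def source_ip_from_frame(frame):
    """Return (src_ip, bytes_needed): how much of the frame a tap must have
    seen before it can decide on the IPv4 source address."""
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if ethertype == 0x8100:  # a single 802.1Q tag shifts the IP header by 4 bytes
        ethertype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    src = frame[off + 12:off + 16]
    return ".".join(str(b) for b in src), off + 16


def offsets_demo(vlan=None):
    """Full-size frame: source IP is known after 30 (34 with a VLAN tag) of ~1500 bytes."""
    frame = build_frame("192.0.2.10", "192.0.2.1", b"X" * 1460, vlan=vlan)
    src, needed = source_ip_from_frame(frame)
    return src, needed, len(frame)


if __name__ == "__main__":
    print(race_demo())
    print(offsets_demo(), offsets_demo(vlan=100))
```

Two things the model makes visible. First, the genuine reply is not always simply ignored: when it is the same length as the spoofed one it falls entirely below RCV.NXT and is dropped, but when it is longer the receiver trims the overlapping head and appends the tail, so the application sees the attacker's bytes followed by a fragment of the real ones. Either way the victim keeps acknowledging a sequence number the real server never sent, which is why the answer above says you want to stop the genuine packets from arriving at all. Second, on a 1494-byte frame the source address is fully on the wire after byte 30, leaving well over a thousand bytes in which a device that can transmit on the segment could still corrupt the frame's CRC; a VLAN tag only moves that point to byte 34.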