IP spoofing and stealing principle? IP deception technology is more complicated, not simply graphic cats and tigers can master, but as a routine attack method, it is necessary to understand? Its principle, at least help, it is difficult to attack . ?????????????????................................................................................................................................................................................................................................................................................... .. A TCP connection is required. And set the sequence? Number in the TCP header into the initial value ISN of this connection. ? 2.? A returns B a data segment with the SYS ACK flag, tells your own ISN, and confirms the first data segment sent by B, set the Acknowledge? Number to B ISN 1. ? 3.? B confirms the data segment of the received A, set the ACKNOWLEDGE? NUMBER to a isn 1. ? B? ----? Syn? ---->? A? B? <----? SYN ACK? ----? A? B? ----? ACK? ---- >? A? TCP SEQUENCE? Number is a 32-bit counter from 0-4294967295. • TCP selects an initial number ISN for each connection, in order to prevent three handshakes due to delay, retransmission, etc., ISN cannot be selected, different systems have different algorithms. Understanding how TCP allocates ISN and ISN changes with time, is important for successful IP spoofing attacks. • Call the RPC command based on the remote process, such as Rlogin, RCP, RSH, etc. To allow or reject the user RPC. • IP deception attack Description:? 1. Assumption z Attempt Attack A, and A trust B, the so-called trust ignition / .rhosts has related settings in the $ HOME / .RHosts. Note, how can I know A trust B? There is no exact way. My suggestion is usually paying attention to the collection of the spider silk mart, and the thickness is thin. A successful attack is actually mainly because of the technical high, but because the information collected is widely used. It is a technique that has been self-righteous, but it is not better than the clever question on the wine table. The attack is only the ultimate goal of success, does not care about the means. 2.? Hypothesis Z already knows that the trusted B is, should find a way to temporarily embrace B's network function, so as not to cause interference to attack. The famous SYN? FLOOD is often the prelude of IP spoof attack. Please see a concurrent server frame:? Int? INITSOCKID,? Newsockid;??? ((INITSOCKID? =? Socket (...)?
Error ("can't? crete? socket") ;?}? f? (bind (INITSOCKID,? ...)?
Error ("bind? error") ;?}? i? (listen (INITSOCKID,? 5)?
Error ("listen? error") ;?}? for? (; {? newsockid? =? accept (intesockid,? ...);? / *? blocking? * /? i? (newsodid?
Error ("accept? error") ;?}? i? (fork ()? ==? 0)? {? / *? child process? * /? close (IntesockID); DO (NewsockID);? / * • Handle the client request? * /? EXIT (0) ;?}? Close (newsid) ;?}? The second parameter in the Listen function is 5, which means the maximum number of connected requests allowed on the initsockid. If the number of connection requests on a time INITSOCKID has reached 5, the connection request to the initsockid will be discarded by TCP. Note Once the connection is completed by three handshakes, the Accept call has handled this connection, and the TCP connection request queue is empty out. So this 5 does not refer to INITSOCKID can only accept 5 connection requests. SYN? FLOOD is a "Denialof? Service, causing the network function of B temporarily interrupt. • Send multiple data segments with the SYN flag to connect to b, pay attention to replace the source IP? Address to a host X; b Send the SYN ACK data segment to the sub-virtue, but there is no from X ACK appears. B The IP layer reports B's TCP layer, X is not arrogant, but the TCP layer of B is not ignored, and it is considered to be temporary. So B can never receive normal connection requests upon this INITSOCKID. ? Z (x)? ----? Syn? ---->? B? Z (x)? ----? Syn? ---->? B? Z (x)? ---- ? SYN? ---->? B? Z (x)? ----? Syn? ---->? B? Z (x)? ----? Syn? ---->? B ? ...? X? <----? SYN ACK? ----? B? X? <----? SYN ACK? ----? B? X? <- ---? SYN ACK? ----? B? X? <----? SYN ACK? ----? B? X? <----? SYN ACK? ---- ? B? ...? I think this makes the B network function temporarily, but I always feel that it is not right. • Because B does not receive TCP connection requests on InitSockID, can you receive on Another® INITSOCKID, this SYN? FLOOD should only affect a specific service (port), should not affect the global. Of course, if the connection request is constantly transmitted, the flood package is used in the flood package, so that the TCP / IP of B is busy with the processing load. As for SYN? FLOOD, I have the opportunity to give me a scoop for DOS alone. How to make B network function temporary? Many ways, depending on the specific situation, no longer repeat it. ? 3. Z. Z must determine a current ISN. First, the 25-port (SMTP is no security check mechanism), similar to 1, but this time you need to record a ISN, and the rough RTT (Round® Trip® Time) of Z to A. This step is to repeat multiple times to find the average of RTT. Now z knows the ISN base value and increased regularity (such as increasing 128000 per second, add 6 *** 0 per connection), and also knows that RTT / 2 is required from Z to A. Time. You must immediately enter the attack, otherwise there are other hosts and a connection, and ISN will be more than 6 *** 0 than expected. ? 4. Z? Z Send a data segment requesting the SYN flag to A, just the source IP is changed to B, pay attention to the TCP513 port (rlogin). A Turn to b to the SYN ACK data segment, B has not responded that the TCP layer of B is simply discarding A return data segment. ? 5.? Z Pause a small party, let A have enough time to send SYN ACK, because Z can't see this package. Then z reproduce the ACK again to A. The data segment transmitted at this time is ISN 1 with Z predicted A. If the forecast is accurate, the connection is established, the data transfer begins.
The problem is that even if the connection is established, A will still send data to b, not z, z? Still can't see the data segment sent to B. Z must be a head according to the RLOGIN protocol standard counterfeit B send a similar? "Cat ? ? ? >>? ~ / .rhosts "? Such a command, then the attack is completed. If the prediction is not accurate, a will send a data segment with the RST flag to terminate the connection, and Z is only from the beginning. ? Z (b)? ----? Syn? ---->? A? B? <----? SYN ACK? ----? A? Z (b)? ----? ACK? ---->? A? Z (b)? ----? Psh? ---->? A? ...? 6.?ip spoof attack uses the RPC server only depends on The source IP address is securely verified, it is recommended to read the source code of rlogind. The most difficult place is to predict a ISN of A. I think the difficulty of attack is big, but the possibility of success is also very large, not very understanding, it seems a bit of contradiction. Consider this situation, the invader controls a router between A to B. It is assumed that z is this router, then a time to go to B data segment, now z is it can be seen, obviously attacking difficulty suddenly declined suddenly a lot of. Otherwise, Z must accurately foresee the information that may be sent from A, as well as what responds from B, which requires attackers to be quite familiar with the agreement itself. At the same time, it is necessary to understand that this attack is not possible to complete in an interaction state, and must write the program. Of course, the protocol analysis can be used in the preparation phase. ? 7. If z is not a router, can it consider the combination of ICMP redirection and ARP spoof and other technologies? There is no careful analysis, just casually guess. And there is a close relationship with the specific network topology between A, B, and Z, which obviously significantly reduces the difficulty of attacks in some cases. Note that IP spoofing attack is theoretically initiated from WAN, which is not limited to local area network, which is also the charm of this attack. Using IP spoofing to get a shell on a A, for many senior invaders, get the shell of the target host, not far from the root permissions, and is the easiest thing to think of whether it is next to Buffer? Overflow attack. ? 8. Maybe someone wants to ask, why can't Z can't set your IP to b? This problem is very bad, to analyze the network topology, of course, there is also an ARP conflict, no problem such as gateway. Then there is an ARP conflict problem during the IP spoofing attack. Recall that the ARP spoof attack I passed in front, if B's ARP? Cache is not affected, there will be no ARP conflicts. If the z-to A sends a data segment, trying to resolve a MAC address or router's MAC address, inevitably send an ARP request package, but the source IP in this ARP request package and the source Mac are z, naturally not cause ARP conflicts. . ARP? Cache will only be changed by the ARP package, not affected by the IP package, so it can be sure that there is no ARP conflict during the IP spoofing attack. Conversely, if Z modifies its own IP, this ARP conflict may appear, showing specific situations. In the attack, there is a connection between the brought B, which is nothing more than preventing B interference from attacking the attack process, if B itself has dropped, it is good. ? 9.? Fakeip once boiled, I was scanned to the port, and found that its TCP port 113 is connected to the connection. There is no direct contact with IP spoof, etc., and security checks is related. Of course, this thing is not as suggested, there is no action on the IP layer. ? 10. About predicting ISN, I think another problem. Is it how to cut off the third party identity? A and B TCP connections are actually a problem of predicting Sequence? Number.
