Diffstat (limited to 'informationals/teso-i0008.txt')
| -rw-r--r-- | informationals/teso-i0008.txt | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/informationals/teso-i0008.txt b/informationals/teso-i0008.txt new file mode 100644 index 0000000..aa5bc9c --- /dev/null +++ b/informationals/teso-i0008.txt | |||
| @@ -0,0 +1,57 @@ | |||
| 1 | 0008 2000/01/24 Check for IP spoofing abilities for a local IP address | ||
| 2 | |||
| 3 | ==== TESO Informational ======================================================= | ||
| 4 | This piece of information is to be kept confidential. | ||
| 5 | =============================================================================== | ||
| 6 | |||
| 7 | Description ..........: Check for IP spoofing abilities for a local IP address | ||
| 8 | Date .................: 2000/01/24 18:15 | ||
| 9 | Author ...............: scut | ||
| 10 | Publicity level ......: public, but not widely known | ||
| 11 | Affected .............: IP | ||
| 12 | Type of entity .......: Protocol | ||
| 13 | Type of discovery ....: interesting information | ||
| 14 | Severity/Importance ..: low | ||
| 15 | Found by .............: scut | ||
| 16 | |||
| 17 | Information =================================================================== | ||
| 18 | |||
| 19 | The ability to IP spoof has drastically decreased over the last years, mainly | ||
| 20 | to hinder either denial of service attacks to be executed or to stop | ||
| 21 | sophisticated attacks which involve IP spoofing. While in general IP spoofing | ||
| 22 | is a bad thing, sometimes you need to be capable to send spoofed datagrams. | ||
| 23 | While there are still numerous hosts on the Internet that can set arbitrary IP | ||
| 24 | source addresses, you often need to tell whether you can spoof from a host you | ||
| 25 | have superuser access on. | ||
| 26 | |||
| 27 | The only way to tell whether you can spoof from a host is to try sending of a | ||
| 28 | frame which has a source IP address that is not used within that network and is | ||
| 29 | not one of the reserved private addresses. The other part of the problem | ||
| 30 | is how we can check whether the spoofed packet got through all the routers to | ||
| 31 | it's destination. | ||
| 32 | |||
| 33 | In general we can only tell this if the packet we send has a noticeable effect. | ||
| 34 | This can be for example if we spoof a packet which triggers an attack signature | ||
| 35 | in some IDS system, where the log is displayed publically on the web (www. | ||
| 36 | antionline.com does this), or we can just send the packet to some other IP | ||
| 37 | where we can receive the packet and display it. This is the first method: | ||
| 38 | |||
| 39 | 1) Send a spoofed packet to another IP not on the local network and see if the | ||
| 40 | packet arrives. Optionally put the real source IP into the packet and send | ||
| 41 | an answer packet back to this IP, so the source host knows whether it can | ||
| 42 | spoof or not. | ||
| 43 | |||
| 44 | Another method is similar to the first, but only needs the local host and a | ||
| 45 | domain NS entry for the local IP or a sniffable IP. It works like this: | ||
| 46 | |||
| 47 | 2) Send a spoofed DNS query for a host inside your local domain, which you | ||
| 48 | have an NS entry for on your local host or on a host in the local network, | ||
| 49 | that is sniffable. Send the query to a public usable nameserver outside | ||
| 50 | your local network, then see if some nameservers issues a query for the | ||
| 51 | host you originally asked for, if it does, you can spoof. | ||
| 52 | |||
| 53 | Method 2) is used by the DNS spoofing program "zodiac" to determine if it can | ||
| 54 | spoof from the current network it is running on. | ||
| 55 | |||
| 56 | =============================================================================== | ||
| 57 | |||
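Review bot: The header on lines 4 and 10 of the new file contradicts itself ("to be kept confidential" versus "Publicity level ......: public, but not widely known"); pick one so a reader knows how the note may be shared. On the substance, both methods on lines 39-51 only tell you that a spoofed datagram was dropped somewhere, not where: a negative result from method 1 cannot distinguish filtering on the local network from filtering at any hop on the path to the receiving host, and method 2 additionally assumes the public nameserver will recurse for a query it receives from a source it never answered before, so a silent result may mean a non-recursive or rate-limiting resolver rather than working egress filtering. A sentence stating these two caveats would make the note usable as an honest self-check for operators verifying their own anti-spoofing filters. Minor wording: line 31 "it's destination" should be "its destination", line 35 "publically" should be "publicly", and line 50 "some nameservers issues" should be "some nameserver issues".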
