Are you talking about TCP connection spoofing? A good start is to dig up Steven Bellovin's overview of the Mitnick-Shimomura attack. Also I think Tsutomu Shimomura might also have a short write up. It is a beautifully complex attack, dependent on multiple flaws.

In a nutshell, there are three actors: the victim source, the victim destination and the attacker. The victim destination must have a guessable initial TCP sequence number. A series of SYN followed by RST packets from the attacker to the victim destination must allow a pattern to emerge so that the next sequence number is easily guessed.

The attacker then DoSs the victim source so that any packets received are either discarded or just placed on a long queue. Think SYN flood. Another ploy is to pick an unused IP address; fping is good for finding unused IP addresses.

The attacker then forges a connection setup packet from the victim src (SYN). The victim dst sends the victim src a SYN-ACK. Normally the victim src would then respond with a RST since it did not initiate the connection, but since it is DoS'd or non-existent there is no response. The attacker cannot see the SYN-ACK, so it does not know for sure what the sequence number was. If the sequence number was guessable, then it is easy for the attacker to send out an ACK completing the connection. This establishes a connection from the victim src to the victim destination. Pick a nice port like one of the BSD r-services (rsh). Say the victim dst trusts, say via .rhosts, victim dst. Say the data sent over the established connection is "echo + + > /.rhosts". Say there is no firewall or tcpwrappers. MMMmm, the victim dst is toast.

The entire attack takes very little time, something like 5 seconds. This is all easier to visualize with diagrams. Visit takedown.com to pick up some voicemail messages Mitnick(?) and his minions left for Tsutomu after the attack. Damn funny if you are not easily offended and are a fan of Kung Foo Theater :)

Sorry if this was not what you were talking about. :D

-Ricardo

Henry House <[EMAIL PROTECTED]> writes:

> On Wed, Nov 08, 2000 at 02:45:16PM -0800, Peter Jay Salzman wrote:
> > how about something about how people can spoof packets and still maintain a
> > two way connection with the victim.
> >
> > prolly not a 'talk', but i've always been curious how people do that...
>
> Second that; I've often wondered about the same.
>
> --
> Henry House
> OpenPGP key available from http://hajhouse.org/hajhouse.asc

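The precondition the post describes, a guessable initial sequence number, is something a defender can check on their own hosts: sample a few ISNs by opening and resetting connections, then see whether the deltas are constant. This is an added illustration, not code from the post or from Bellovin's paper; the threshold and the two ISN samples are constructed.

```python
# Added example: decide whether a host's TCP initial sequence numbers (ISNs)
# are predictable enough for the SYN/RST pattern probing described above.
# SPREAD_LIMIT and the sample ISN lists are constructed for illustration.
import statistics

MOD = 2 ** 32            # TCP sequence numbers are 32-bit and wrap around
SPREAD_LIMIT = 2 ** 12   # constructed threshold: if consecutive deltas vary by
                         # less than this, the next ISN sits in a tiny window


def isn_deltas(isns):
    """Differences between consecutive ISNs, reduced modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def audit_isns(isns):
    """Return {'predictable', 'next_isn', 'spread'} for a list of sampled ISNs.

    A (near-)constant increment means the generator is predictable; in that
    case the expected next ISN is the last sample plus the typical delta.
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples to judge a pattern")
    spread = max(deltas) - min(deltas)
    predictable = spread < SPREAD_LIMIT
    next_isn = None
    if predictable:
        next_isn = (isns[-1] + int(statistics.median(deltas))) % MOD
    return {"predictable": predictable, "next_isn": next_isn, "spread": spread}


# Constructed sample 1: a fixed per-connection increment, the weakness the
# attack depends on (base value and increment chosen arbitrarily).
WEAK_ISNS = [(0x1A2B3C4D + 128000 * k) % MOD for k in range(5)]

# Constructed sample 2: per-connection random ISNs, as a modern stack produces.
RANDOM_ISNS = [0x9F3A1B2C, 0x0C7E55D1, 0x6B21F0A9, 0xD4E8C377, 0x3E9A0B15]

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_ISNS), ("random", RANDOM_ISNS)):
        print(name, audit_isns(sample))
```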