C) The attack
Description
We will try to establish a spoofed connection to a machine on the network by usurping an existing IP-based trust relationship:
• First, a machine must be found that the target machine trusts.
• Then, it must be confirmed that the target authenticates that machine purely from its IP address (trust granted on the address alone, with no other authentication).
• Once this information is obtained, the trusted machine must be made "mute" (to prevent it from answering the target machine: if it received the target's replies to a connection it never opened, it would reset that connection).
• Then the sequence number that the target machine expects has to be determined.
Once that is done, we can start sending packets carrying the IP address of the machine that we have "withdrawn" from the conversation.
The main problem with spoofing is that it is a so-called "blind" attack. It is not the machine itself that is authenticated but the packets that the victim machine receives. This means that the packets emitted by the target machine are not received by the attacker but are quite simply lost (as the destination machine, made "mute", is not able to answer).
So the attacker does not have the information sent back by the target, and therefore does not have the sequence numbers of the packets that the target machine sent back. That is why this is called a "blind" attack, and it is also why the attack is, in practice, almost impossible to carry out.
Why is that?
To pass as the authorised machine in the eyes of the target, packets have to be "forged" (using Excalibur Packet, for example); these packets must of course carry, instead of the attacking machine's IP address, the address of the authorised machine now made "mute". But the packets must also carry sequence numbers consistent with the exchange that the target machine believes it is having with the trusted machine.
As the packets emitted by the target machine are not received by the attacker, the attacker has no way of determining the sequence number chosen by the target machine, and therefore no way of knowing the acknowledgement number that the target will expect in response to the last packet it sent.
This would be possible if initial sequence numbers were generated in a predictable manner; however, that is not the case, at least on systems such as BSD, Sun, Linux or, more generally, UNIX.
These operating systems generate sequence numbers in a way that makes them practically unpredictable (they are random enough that they cannot be guessed within a usable number of attempts).
In the case of Microsoft, the latest studies of the problem pointed out that the sequence numbers generated by Windows were linear, and thus easily predictable, making the machines using them particularly vulnerable to this type of attack.
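The procedure described above (find a trusted host, make it mute, sample the target's initial sequence numbers to predict the next one, then forge the SYN and the ACK with the trusted host's address) as an added simulation in Python. This is illustrative code written for this page, not part of the original course material, and it sends no real packets: hosts are Python objects and packets are dicts. The addresses 10.0.0.1, 10.0.0.5 and 10.0.0.66, the service port 513 and the fixed ISN increment of 64000 are constructed assumptions. The target's ISN generator can be switched between the predictable "linear" behaviour the text attributes to Windows and the random behaviour of the UNIX systems, and the trusted host can be left alive or made mute, so the three cases that matter can be compared directly.

```python
"""Simulation of blind IP spoofing against a host that trusts a peer by IP address.
Constructed example: nothing here touches the network."""
import random

TARGET_IP = "10.0.0.1"     # assumed: the target, which trusts TRUSTED_IP by address alone
TRUSTED_IP = "10.0.0.5"    # assumed: the trusted host that the attacker impersonates
ATTACKER_IP = "10.0.0.66"  # assumed: the attacker's real address
SERVICE_PORT = 513         # assumed: an address-authenticated service on the target
ISN_STEP = 64000           # assumed: constant increment of a "linear" ISN generator


def segment(src, dst, sport, dport, flags, seq, ack=0):
    """A TCP segment reduced to the fields that matter for the handshake."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": flags, "seq": seq, "ack": ack}


class Target:
    """Accepts a session as authenticated when its source is TRUSTED_IP and the
    third packet of the handshake acknowledges the ISN the target chose."""

    def __init__(self, isn_mode):
        self.isn_mode = isn_mode                  # "linear" or "random"
        self._counter = random.randrange(2 ** 32)
        self.pending = {}                         # (src, sport) -> ISN sent in the SYN-ACK
        self.authenticated = set()                # (src, sport) of completed trusted sessions

    def next_isn(self):
        if self.isn_mode == "linear":             # predictable: constant increment
            self._counter = (self._counter + ISN_STEP) & 0xFFFFFFFF
            return self._counter
        return random.randrange(2 ** 32)          # unpredictable: fresh random value

    def receive(self, pkt):
        key = (pkt["src"], pkt["sport"])
        if pkt["flags"] == "S":
            isn = self.next_isn()
            self.pending[key] = isn
            return segment(TARGET_IP, pkt["src"], SERVICE_PORT, pkt["sport"], "SA", isn, pkt["seq"] + 1)
        if pkt["flags"] == "A" and key in self.pending:
            expected = (self.pending.pop(key) + 1) & 0xFFFFFFFF
            if pkt["ack"] == expected and pkt["src"] == TRUSTED_IP:
                self.authenticated.add(key)       # handshake completed "from" the trusted host
        elif pkt["flags"] == "R":
            self.pending.pop(key, None)           # the peer denies having opened this connection
        return None


class TrustedHost:
    """The impersonated host. While it can still answer, an unsolicited SYN-ACK makes
    it send a RST that kills the forged connection; once mute, the SYN-ACK is lost."""

    def __init__(self, mute):
        self.mute = mute

    def receive(self, pkt):
        if self.mute or pkt["flags"] != "SA":
            return None
        return segment(TRUSTED_IP, pkt["src"], pkt["dport"], pkt["sport"], "R", pkt["ack"])


class Network:
    """Delivers a packet to the owner of its destination address, then any reply.
    The target's replies go to TRUSTED_IP, never to the attacker: the attack is blind."""

    def __init__(self, target, trusted):
        self.hosts = {TARGET_IP: target, TRUSTED_IP: trusted}

    def send(self, pkt):
        host = self.hosts.get(pkt["dst"])
        reply = host.receive(pkt) if host else None
        if reply is not None:
            self.send(reply)


def sample_isns(target, count=3):
    """Open connections from the attacker's own address to observe ISNs; these
    replies do reach the attacker because nothing about them is forged."""
    return [target.receive(segment(ATTACKER_IP, TARGET_IP, 40000 + i, SERVICE_PORT, "S", 1000))["seq"]
            for i in range(count)]


def predict_next_isn(isns):
    """Extrapolate assuming a constant increment between consecutive ISNs."""
    step = (isns[-1] - isns[-2]) & 0xFFFFFFFF
    return (isns[-1] + step) & 0xFFFFFFFF


def blind_spoof(isn_mode, trusted_is_mute):
    """Run the attack; return True if the target accepted the forged trusted session."""
    target, trusted = Target(isn_mode), TrustedHost(trusted_is_mute)
    net = Network(target, trusted)
    guess = predict_next_isn(sample_isns(target))
    sport = 1023
    # Forged SYN carrying the trusted host's address; its SYN-ACK goes to that host.
    net.send(segment(TRUSTED_IP, TARGET_IP, sport, SERVICE_PORT, "S", 5000))
    # Forged ACK sent without ever seeing the SYN-ACK: it must carry guess + 1.
    net.send(segment(TRUSTED_IP, TARGET_IP, sport, SERVICE_PORT, "A", 5001, (guess + 1) & 0xFFFFFFFF))
    return (TRUSTED_IP, sport) in target.authenticated


if __name__ == "__main__":
    for mode, mute in [("linear", True), ("linear", False), ("random", True)]:
        print(f"isn={mode:6s} trusted host mute={mute}: accepted={blind_spoof(mode, mute)}")
```

Only the combination of a linear ISN generator and a muted trusted host lets the forged session complete. Leaving the trusted host alive fails even with a perfect prediction, because its RST reaches the target before the forged ACK; a random generator fails even with the trusted host silenced, because the extrapolated guess is wrong with overwhelming probability.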
Example
As seen previously, blind spoofing is of little interest because it is almost impossible to carry out. The only practical solution is therefore Non-Blind Spoofing (NBS).
To do this, the attacker first has to take control of a router or of a machine on a local network built with hubs (a switch only delivers frames to the ports of the machines concerned, so on a switched network we would find ourselves in a blind spoofing situation again).
The Hackademy DMP -72/209- SYSDREAM