Ankit Fadia Certified Ethical Hacker (AFCEH) 2.0
The Art of IP Spoofing by Ankit Fadia

IP spoofing is probably the ultimate trick an attacker can play on a target system. Almost every wannabe computer expert dreams of being able to spoof an IP address and fool a target into accepting illegitimate connections. Successfully executed, IP spoofing is one of the smoothest and most classic attacks on the Internet. However, IP spoofing attacks are complex, and very few attackers have actually managed to spoof their identity successfully. Forging the source address field itself is trivial, since the sender fills in that field; the difficulty lies in doing anything useful with a connection whose replies never reach you, as the rest of this section shows.

IP spoofing is a process by which an attacker tricks the target system into believing that the data packets it is receiving originated on a system other than the real source. In other words, it is a technique that lets an attacker disguise his real identity while communicating with the target: the packets the attacker sends appear to originate at some other, arbitrary system.

For Example

Consider a scenario in which the following systems exist:

1. Attacker: 111.11.11.11 (REAL)
2. Victim: 222.22.22.22 (VICTIM)
3. Fake: 33.33.33.33 (FAKE)

Under ordinary circumstances, when REAL sends data packets to VICTIM, the source address of those packets is REAL. In IP spoofing, REAL sends packets to VICTIM whose source address field contains FAKE instead. In other words, REAL sends data to VICTIM in such a way that it seems to have originated at FAKE. This process of fooling a remote system into believing that you are someone else is IP spoofing, and it is commonly used as a building block for a variety of attacks.

A good real-life analogy for IP spoofing is that of three people: A, B and C.
Consider a scenario in which A wants to fool C, over the telephone, into believing that C is talking to B. To achieve this, A telephones C and disguises his voice so that he sounds like B. If A can disguise his true identity and convincingly sound like B, a successful telephone spoof has been executed. In an IP spoofing attack three computers are involved instead of three people. Taking the analogy a little further, it is clear that for the telephone spoof to succeed the following must be true:

1. C should not already be talking to B.
2. C should not be able to contact B by some other means and discover that B is not actually on the phone with him.

Copyright 2004. All rights Reserved.
Challenges Faced

The biggest challenge an attacker faces while performing IP spoofing is that the attack is a blind one. Since every packet sent to the target carries a spoofed source address, every reply goes to that spoofed address, and the attacker never receives any update on the status of the attack. Throughout the attack the attacker does not know whether it is succeeding or not; if something goes wrong, on most occasions he remains oblivious to the problem. IP spoofing attacks are quite literally performed blind, with the attacker taking the liberty of assuming that things went as planned.

This blind nature becomes evident in the very first step of the attack. ATTACKER sends spoofed packets to VICTIM, making it believe they were sent by FAKE. If the spoofed packets are accepted, VICTIM replies to FAKE, not to ATTACKER. Since all of VICTIM's replies reach FAKE, ATTACKER gets no feedback on the progress of the attack.

If REAL wants to establish a TCP/IP connection with VICTIM without spoofing its IP address, the normal three-way handshake takes place:

1. REAL sends a SYN packet to VICTIM.
2. VICTIM sends back a SYN/ACK packet to REAL.
3. REAL acknowledges this by sending an ACK packet to VICTIM.

Since REAL did not attempt to spoof its identity, it received a continuous update on the status of the connection. If REAL is an ATTACKER who wants to make its packets appear to come from FAKE, the procedure is quite different:

1. ATTACKER sends a SYN packet to VICTIM in such a manner that it seems to have originated at FAKE. In purely networking terms, VICTIM receives a connection request (SYN) from FAKE.

2. Since VICTIM received the SYN from FAKE, it sends its SYN/ACK back to FAKE. ATTACKER receives nothing from VICTIM in this step. This is the blind part of IP spoofing: ATTACKER can only wait for some time to pass and then assume that FAKE has by now received VICTIM's SYN/ACK. There is no way for ATTACKER to find out whether VICTIM actually sent a SYN/ACK to FAKE, and therefore no way to tell whether the target has fallen for the spoof.

3. After waiting, ATTACKER sends a spoofed ACK packet to VICTIM, acknowledging on FAKE's behalf the SYN/ACK that FAKE supposedly received. This step is blind as well: it simply assumes that VICTIM sent the SYN/ACK and that FAKE received it. It also requires ATTACKER to know, or correctly guess, the sequence number VICTIM chose for its SYN/ACK, because the acknowledgment number must be exactly that value plus one (see the discussion of sequence numbers below).

4. If the above steps succeed, ATTACKER has established, from VICTIM's point of view, a complete TCP/IP connection between VICTIM and FAKE.

Unfortunately, this procedure presents a unique problem. In the second step VICTIM sends a SYN/ACK to FAKE in response to ATTACKER's spoofed SYN, and that reply can lead to complications. Depending on the state of FAKE there are two cases:

1. FAKE exists

If FAKE is a live system on the Internet, VICTIM's SYN/ACK actually arrives at FAKE. Since FAKE never requested a connection, it has no connection state matching this segment. A TCP implementation that receives a SYN/ACK for a connection it knows nothing about answers with an RST (reset) segment, which tells the other side to abandon the connection. When VICTIM receives the RST from FAKE, it immediately aborts the half-open connection that ATTACKER's spoofed SYN created, and the spoofed connection attempt is discarded. So if FAKE exists and resets the connection, ATTACKER's spoofing attempt fails.

The problem can be compared to the telephone analogy: if A telephones C pretending to be B, the spoof can succeed only if B does not interrupt. This brings us to the first golden rule of IP spoofing:

Rule 1: IP spoofing can only be successful if the FAKE system does not interrupt the spoofing attempt by sending packets (in particular an RST) to VICTIM.

2. FAKE does not exist

When VICTIM sends the SYN/ACK to FAKE, the routers attempt to deliver it. If FAKE does not exist, the SYN/ACK is dropped somewhere along the way (possibly with an ICMP unreachable message back to VICTIM), VICTIM retransmits it a few times, and if no valid ACK ever arrives the half-open connection times out and VICTIM drops it. Note that in this case nobody sends an RST, so VICTIM is actually left waiting for exactly the blind ACK that ATTACKER sends in step 3. The reason an unreachable FAKE is nevertheless a poor choice is the purpose of the attack: ATTACKER wants VICTIM to treat the connection as coming from a host it trusts, and a trusted host is a real, connected machine. Hence the second golden rule:

Rule 2: IP spoofing is only useful if FAKE is an address that VICTIM trusts, which in practice means a live system connected to the Internet, so that Rule 1 has to be enforced by keeping that live system quiet.

Based on the above discussion, one can draw a few conclusions about the challenges of IP spoofing:

1. Blind Attack

IP spoofing is a blind attack. ATTACKER receives no feedback on the progress, success or failure of the attack. Every spoofed packet is sent under a few assumptions and with a fair amount of luck.

2. Conditional Attack

For ATTACKER to successfully pretend to be FAKE, the following conditions must hold:

a) FAKE must be an address that VICTIM trusts, which in practice means a live system connected to the Internet.
b) FAKE must not interfere in the attack at any point. If it does, the game is up. Hence it is very important for ATTACKER to somehow stop FAKE from replying to VICTIM.
c) Typically an attacker chooses FAKE such that it enjoys a trust relationship with VICTIM.

Before one can start executing IP spoofing attacks, it is important to understand the networking concepts involved.

Networking Basics involved in IP Spoofing

Sequence numbers are an integral part of TCP communication. Without them, data could not be delivered reliably from the source system to the destination system: it is only with the help of sequence numbers that the destination is able to put the smaller chunks of data back together to form the original larger chunk. Typically, each time data is transferred from source to destination, the following steps are followed:
1. At the source system, the data to be transferred is broken down into smaller, more manageable chunks. The large chunk is broken down in a definite order: the first byte gets the first sequence number, the second byte the next, and so on (TCP numbers bytes, not packets).

2. These sequenced chunks are sent over the network to the destination. Packets travel independently across the Internet, so they may or may not arrive in the order in which they were sent. Quite often they arrive out of sequence, for example 3, 2, 4 and then 1.

3. This is where sequence numbers matter. The destination uses them to put the out-of-order packets back into the correct order; without the correct order the original data could not be recovered. The TCP layer at the destination (not the application) rebuilds the byte stream in the order the sequence numbers dictate and only then hands it to the application.

4. Sequence numbers are also what allow TCP to remain a reliable protocol that can deal with lost, duplicated and reordered packets.
The following is the TCP header of a typical segment sent by a host to the destination system over the network:

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-------------------------------+-------------------------------+
    |          Source Port          |       Destination Port        |
    +-------------------------------+-------------------------------+
    |                        Sequence Number                        |
    +---------------------------------------------------------------+
    |                    Acknowledgment Number                      |
    +-------+-----------+-+-+-+-+-+-+-------------------------------+
    |  Data |           |U|A|P|R|S|F|                               |
    | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
    |       |           |G|K|H|T|N|N|                               |
    +-------+-----------+-+-+-+-+-+-+-------------------------------+
    |           Checksum            |         Urgent Pointer        |
    +-------------------------------+-------------------------------+
    |                  Options (if any), then the actual data       |
    +---------------------------------------------------------------+
NOTE: In the following paragraphs, all fields and values discussed belong to a data packet sent by a host to a client.

Each segment sent across the network carries a sequence number in its TCP header. A sequence number is a 32-bit unsigned value, so it lies between 0 and 4,294,967,295 and wraps around to 0 after that. From an attacker's point of view it is very important to understand, and ideally predict, how sequence numbers are assigned.

The first sequence number of a connection is the initial sequence number, or ISN. In the classic BSD-derived TCP implementations that the rest of this section describes, the system's ISN counter is set to 1 at boot time and then advances automatically: by 128,000 every second and by a further 64,000 each time a new connection is established. Whenever the system opens a connection, the current value of the counter becomes the sequence number of its SYN. With no network activity at all, the counter wraps around every 2^32 / 128,000 seconds, about 9.32 hours.

Modern stacks no longer behave this way: they derive the ISN from a clock plus a keyed hash of the connection's addresses and ports (RFC 1948, now RFC 6528) or an equivalent random offset, precisely so that an attacker who samples one ISN learns nothing about the next. The predictability described here is what made the classic attacks possible, and establishing how a target actually generates its ISNs is the first thing to check before attempting any of them.

For Example

Based on the above rules, if the ISN counter of a host is 1897737287, then after 3 new connections and 2 seconds it becomes:

1897737287 + (3 * 64,000) + (2 * 128,000) = 1897737287 + 192,000 + 256,000 = 1898185287

(taken modulo 2^32 whenever the sum exceeds 4,294,967,295).

It is important to note that the sequence number of the first byte of data sent by the host is its ISN plus one, because the SYN flag itself consumes one sequence number. This will be clearer after the section on sequence numbers and connection establishment.
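The following is an added example, not code from the course, that puts the two preceding discussions together: the blind handshake from "Challenges Faced" and the classic BSD ISN counter described just above. It models only VICTIM's side (the ISN counter, the reaction to a SYN, to an RST from FAKE, and to the blind ACK) and runs three scenarios: FAKE alive and resetting the attempt, FAKE silenced with a correct ISN prediction, and FAKE silenced with a prediction that is off by one. The addresses, the sampled ISN and the timing are constructed inputs.

```python
"""Blind spoofed handshake against a VICTIM whose ISN counter follows the classic BSD rule.

Added example, not code from the original course text. It models only the pieces
discussed above: VICTIM's ISN counter (+128,000 per second, +64,000 per new
connection, modulo 2^32), VICTIM's reaction to a SYN, to an RST from FAKE, and to
the blind ACK. Addresses, the sampled ISN and the timing are constructed inputs.
"""

MOD = 1 << 32  # sequence numbers are 32-bit and wrap around


def predict_isn(sampled_isn, elapsed_seconds, new_connections):
    """ISN the classic BSD counter will hand out after the sampled one."""
    return (sampled_isn + 128_000 * elapsed_seconds + 64_000 * new_connections) % MOD


def wrap_hours():
    """How long the counter takes to wrap with no connections at all (about 9.32 h)."""
    return round(MOD / 128_000 / 3600, 2)


class Victim:
    """Server side of the handshake. It only ever sees source addresses, never ATTACKER."""

    def __init__(self, isn):
        self.isn = isn            # value the counter will give the next connection
        self.half_open = {}       # peer address -> our ISN while in SYN-RECEIVED
        self.established = set()

    def on_syn(self, src):
        """Any SYN, spoofed or not: allocate an ISN and answer SYN/ACK towards src."""
        our_isn = self.isn
        self.isn = (self.isn + 64_000) % MOD
        self.half_open[src] = our_isn
        return ("SYN/ACK", our_isn)   # delivered to src (FAKE), which ATTACKER cannot read

    def on_rst(self, src):
        """FAKE answers the unsolicited SYN/ACK with RST: the half-open entry is aborted."""
        self.half_open.pop(src, None)

    def on_ack(self, src, ack_no):
        """Blind ACK claiming to come from src; valid only if it equals our ISN + 1."""
        our_isn = self.half_open.get(src)
        if our_isn is None:
            return "no such connection"       # FAKE reset it (Rule 1 violated)
        if ack_no != (our_isn + 1) % MOD:
            return "bad ack"                  # prediction was off; a real stack resets here
        del self.half_open[src]
        self.established.add(src)
        return "established"


def blind_spoof(victim, fake, guessed_isn, fake_responds):
    """ATTACKER sends a SYN as FAKE, waits, then sends the blind ACK built from its guess."""
    victim.on_syn(fake)                  # step 1: SYN/ACK goes to FAKE, ATTACKER sees nothing
    if fake_responds:
        victim.on_rst(fake)              # FAKE is alive and unsilenced: it resets the attempt
    return victim.on_ack(fake, (guessed_isn + 1) % MOD)   # step 3: the blind ACK


def demo():
    """Sample VICTIM's ISN with a real connection, then spoof the very next one."""
    victim = Victim(isn=1897737287)
    _, sampled = victim.on_syn("111.11.11.11")      # ATTACKER's own, legitimate probe
    victim.on_ack("111.11.11.11", sampled + 1)      # complete the probe normally
    predicted = predict_isn(sampled, elapsed_seconds=0, new_connections=1)
    return {
        "fake alive and resets": blind_spoof(Victim(victim.isn), "33.33.33.33", predicted, True),
        "fake silenced, good guess": blind_spoof(Victim(victim.isn), "33.33.33.33", predicted, False),
        "fake silenced, guess off by one": blind_spoof(Victim(victim.isn), "33.33.33.33", predicted + 1, False),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The probe connection is the trick that turns a blind attack into a calculable one: against a counter-based ISN generator, one legitimate connection from the attacker's real address reveals the value from which the next ISN follows. Against a randomised generator the `predict_isn` step has nothing to work from and the "good guess" scenario degenerates into a one-in-2^32 shot.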
Each segment also carries an acknowledgment number field, another 32-bit sequence number. In this example, the value in the acknowledgment field is the sequence number of the next byte the host expects the client to send. The acknowledgment number therefore refers to the client's sequence space, not the host's, and at the same time acknowledges that every byte up to that number minus one has been received safely.

Sequence Numbers and Connection Establishment/Termination
For a complete TCP/IP connection to be established between the client and the host, a full three-way handshake must take place. It proceeds as follows:

1. In the first step, the client sends a SYN (synchronize) packet to the host, requesting a connection. Besides the information carried by every packet (source and destination IP addresses, port numbers and so on), the SYN carries:

Client's ISN: the client sends its initial sequence number to the host. In this case study, assume the client's ISN is 4894305.

Acknowledgment Number: the client sets the acknowledgment field to 0 (and leaves the ACK flag clear), since there is no data from the host to acknowledge. The client does not yet know the host's sequence number, so no acknowledgment number can be calculated.

2. In the second step, the host sends back a SYN/ACK packet to the client, which carries:

Host's ISN: the host now sends its own initial sequence number. Assume the host's ISN is 1896955367.

Acknowledgment Number: the host acknowledges the client's SYN. The acknowledgment number is always the client's ISN plus one, here 4894305 + 1 = 4894306. It is also the sequence number the host expects next from the client.

3. In the third step, the client sends back an ACK packet to the host. The only critical information in this step is:

Acknowledgment Number: the host's ISN plus one, 1896955367 + 1 = 1896955368. The client's own sequence number is now 4894306, because its SYN consumed one.

These three steps complete the full three-way handshake between client and host, which can be drawn as follows:

Client---------------SYN (4894305)---------------- Host
Host-----------------SYN (1896955367) and ACK (4894306)--------- Client
Client---------------ACK (1896955368), seq 4894306---------- Host
The above describes how a client establishes a TCP/IP connection with a remote host. Now take the example a bit further and assume that the connection is torn down immediately after it has been established. The following packets are exchanged:

1. When the client terminates (closing its half of the connection)

Client-----------FIN (4894306) and ACK (1896955368)-------------Host
Host------------ACK (4894307), seq 1896955368--------------------Client

2. When the host terminates (closing its half, which completes the teardown)

Host------------FIN (1896955368) and ACK (4894307)-------Client
Client---------------ACK (1896955369), seq 4894307--------------Host

A FIN, like a SYN, consumes one sequence number, so the side receiving a FIN acknowledges it with the FIN's sequence number plus one. A bare ACK consumes nothing, which is why the host's sequence number is still 1896955368 when it sends its own FIN, and why the client's final ACK acknowledges 1896955369 rather than 1896955368.

A deeper look into Sequence Numbers

The quickest route to understanding SYN and ACK values is to study how real connections are established and terminated. One can record and analyse the headers of the packets being sent and received with a sniffer. For this example, we telnet to port 23 of a remote test system and then immediately disconnect. We refer to the remote system as HOST and the local system as CLIENT. In each captured frame below, the Ethernet header is the first 14 bytes and the IP header the next 20; the TCP header follows, and within it bytes 5 to 8 are the sequence number and bytes 9 to 12 the acknowledgment number.

#telnet targetsystem.com 23

As soon as telnet connects to the remote test system, the following three-way handshake takes place between the local and remote systems:
1. Client ---------------SYN (856779)--------------- Host

The captured frame of this transfer is given below for further study (TCP sequence number: 00 0D 12 CB):

20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00 00 2C C3 00 40 00 20 06 10 0C CB 5E FD BA CB 5E F3 47 04 07 00 17 00 0D 12 CB 00 00 00 00 60 02 20 00 D9 70 00 00 02 04 05 B4 2D

In this step, the client (203.94.253.186, port 1031) sends a SYN packet to the host (203.94.243.71, port 23), requesting that a TCP/IP connection be established. The sequence number is 0x000D12CB = 856779, the acknowledgment field is all zeros, and the flags byte 02 sets only SYN (the pair 60 02 is a data offset of 6 words, i.e. a 24-byte header carrying the MSS option 02 04 05 B4).
2. Host------------SYN (758684758) and ACK (856780)------ Client

The captured frame of this transfer is given below (sequence number 2D 38 9C 56, acknowledgment number 00 0D 12 CC):

44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 00 2C 8C 05 40 00 39 06 2E 07 CB 5E F3 47 CB 5E FD BA 00 17 04 07 2D 38 9C 56 00 0D 12 CC 60 12 83 2C AC A4 00 00 02 04 05 B4

Once the host receives the client's SYN, it sends back a SYN/ACK (flags 60 12: SYN and ACK). The sequence number is the host's initial sequence number, 0x2D389C56 = 758684758. The acknowledgment number acknowledges everything received so far and is the next sequence number the host expects from the client: the client's ISN plus one, 856779 + 1 = 856780.

3. Client-----------ACK (758684759), seq 856780-------------- Host

The captured frame of this transfer is given below (sequence number 00 0D 12 CC, acknowledgment number 2D 38 9C 57):

20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00 00 28 C4 00 40 00 20 06 0F 10 CB 5E FD BA CB 5E F3 47 04 07 00 17 00 0D 12 CC 2D 38 9C 57 50 10 22 38 25 56 00 00

The client replies to the host's SYN/ACK with a plain ACK (flags 50 10: ACK only, 20-byte header) that acknowledges the data received so far and states the sequence number it expects next from the host: the host's ISN plus one, 758684758 + 1 = 758684759. The client's own sequence number is 856780, its ISN plus the one consumed by its SYN. Since this segment carries only an ACK and no data, it consumes no sequence space, so the next segment the client sends will carry the same sequence number, 856780.

Once these three steps complete, a full three-way handshake has taken place and a TCP/IP connection is established between client and host. Taking the case study further, as soon as the connection is up we use the QUIT command to disconnect from the remote telnet daemon. The connection is then terminated by the following exchange:

1. Client---------------FIN (856780) and ACK (758684759)------------ Host
The captured frame of this transfer is given below (sequence number 00 0D 12 CC, acknowledgment number 2D 38 9C 57):

20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00 00 28 C5 00 40 00 20 06 0E 10 CB 5E FD BA CB 5E F3 47 04 07 00 17 00 0D 12 CC 2D 38 9C 57 50 11 22 38 25 55 00 00

In this step, the client sends a FIN/ACK (flags 50 11) to the remote host. The FIN tells the host that the client wants to terminate the connection. Notice that the sequence and acknowledgment bytes are identical to those in the final step of connection establishment: the third handshake step carried only an ACK, which consumes no sequence number, so both values are unchanged. The only difference between the two frames is the flags byte, 11 (FIN and ACK) instead of 10 (ACK). Although this segment carries a FIN, which does consume a sequence number, the sequence number in a segment's header is the value at the start of the segment, not the end; the number consumed by the FIN therefore shows up in the client's next segment, not in this one. The acknowledgment number, 758684759, is still the sequence number the client expects next from the host; it has not changed since the third handshake step because no data was exchanged in between.

2. Host-------------------ACK (856781)----------------------- Client

The captured frame of this transfer is given below (sequence number 2D 38 9C 57, acknowledgment number 00 0D 12 CD):

44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 00 28 8F BE 40 00 39 06 2A 52 CB 5E F3 47 CB 5E FD BA 00 17 04 07 2D 38 9C 57 00 0D 12 CD 50 10 83 2C C4 60 00 00

In this step, the host acknowledges the client's termination request. The acknowledgment number is 856781, because the client's FIN consumed sequence number 856780, and the host's own sequence number is 758684759. Since this segment carries only an ACK, which consumes no sequence number, the host's next segment will carry the same sequence number.
3. Host-----------------FIN (758684759) and ACK (856781)---------- Client

The captured frame of this transfer is given below (sequence number 2D 38 9C 57, acknowledgment number 00 0D 12 CD):

44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 00 28 8F E0 40 00 39 06 2A 30 CB 5E F3 47 CB 5E FD BA 00 17 04 07 2D 38 9C 57 00 0D 12 CD 50 11 83 2C C4 5F 00 00

In this step, the host sends its own FIN/ACK (flags 50 11) with sequence number 758684759 (the same as in the previous step) and acknowledgment number 856781 (also unchanged), because no data has been transmitted in between.

4. Client----------------ACK (758684760)------------------- Host

The captured frame of this transfer is given below (sequence number 00 0D 12 CD, acknowledgment number 2D 38 9C 58):

20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00 00 28 C6 00 40 00 20 06 0D 10 CB 5E FD BA CB 5E F3 47 04 07 00 17 00 0D 12 CD 2D 38 9C 58 50 10 22 38 25 54 00 00

In this final step, the client acknowledges the host's FIN/ACK with a plain ACK. This segment acknowledges everything received so far and completes the teardown. The client's sequence number is now 856781 (its FIN consumed 856780) and the acknowledgment number is 758684760 (the host's FIN consumed 758684759).

The captures show when the sequence number advances and by how much:

Case                               Increment
Transfer of a FIN packet           1
Transfer of a SYN packet           1
Transfer of an ACK packet          0
Transfer of a SYN/ACK packet       1
Transfer of a FIN/ACK packet       1
Each byte of payload data          1 per byte
Time period of 1 second            128,000 (ISN counter, classic BSD)
Establishment of 1 connection      64,000 (ISN counter, classic BSD)

The first six rows describe the sequence number within a connection. The last two describe how the ISN counter of a classic BSD-derived system advances between connections, and they do not apply to stacks that randomise the ISN.
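To check the bookkeeping above mechanically rather than by eye, here is an added example (not code from the course) that decodes the seven captured frames exactly as printed (Ethernet, IPv4, TCP) and verifies, per direction, that every segment's sequence number equals the previous segment's sequence number plus the sequence space it consumed: one for SYN, one for FIN, zero for a bare ACK, and one per payload byte. The hex dumps are copied from the captures above; the stray trailing byte in the first dump is ignored because the IP total length bounds the parse.

```python
"""Parse the seven captured frames above and check the sequence-number bookkeeping.

Added example, not part of the original course material. The hex dumps are copied
from the captures above. Everything else is plain header decoding: Ethernet
(14 bytes), IPv4 (IHL * 4 bytes), then the TCP header.
"""
import struct

CAPTURED = [
    "20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00 00 2C C3 00 40 00 20 06 10 0C CB 5E FD BA CB 5E F3 47 04 07 00 17 00 0D 12 CB 00 00 00 00 60 02 20 00 D9 70 00 00 02 04 05 B4 2D",
    "44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 00 2C 8C 05 40 00 39 06 2E 07 CB 5E F3 47 CB 5E FD BA 00 17 04 07 2D 38 9C 56 00 0D 12 CC 60 12 83 2C AC A4 00 00 02 04 05 B4",
    "20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00 00 28 C4 00 40 00 20 06 0F 10 CB 5E FD BA CB 5E F3 47 04 07 00 17 00 0D 12 CC 2D 38 9C 57 50 10 22 38 25 56 00 00",
    "20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00 00 28 C5 00 40 00 20 06 0E 10 CB 5E FD BA CB 5E F3 47 04 07 00 17 00 0D 12 CC 2D 38 9C 57 50 11 22 38 25 55 00 00",
    "44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 00 28 8F BE 40 00 39 06 2A 52 CB 5E F3 47 CB 5E FD BA 00 17 04 07 2D 38 9C 57 00 0D 12 CD 50 10 83 2C C4 60 00 00",
    "44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 00 28 8F E0 40 00 39 06 2A 30 CB 5E F3 47 CB 5E FD BA 00 17 04 07 2D 38 9C 57 00 0D 12 CD 50 11 83 2C C4 5F 00 00",
    "20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00 00 28 C6 00 40 00 20 06 0D 10 CB 5E FD BA CB 5E F3 47 04 07 00 17 00 0D 12 CD 2D 38 9C 58 50 10 22 38 25 54 00 00",
]

# Flag bits in the low byte of the TCP data-offset/flags word, in header order.
TCP_FLAGS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))


def parse_frame(hexdump):
    """Return addressing, flags, seq/ack and payload length of one Ethernet frame."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4                        # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]     # bounds the TCP segment; trailer bytes ignored
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4                # TCP header length in bytes (options included)
    return {
        "src": "%d.%d.%d.%d:%d" % (*ip[12:16], sport),
        "dst": "%d.%d.%d.%d:%d" % (*ip[16:20], dport),
        "flags": [name for name, bit in TCP_FLAGS if off_flags & bit],
        "seq": seq,
        "ack": ack,
        "payload_len": len(tcp) - data_off,
    }


def consumed(pkt):
    """Sequence space a segment uses up: payload bytes plus one for SYN and one for FIN."""
    return pkt["payload_len"] + ("SYN" in pkt["flags"]) + ("FIN" in pkt["flags"])


def walk(frames):
    """Parse frames in order and verify each side's sequence number advances as expected."""
    expect_next = {}   # sender -> sequence number its next segment must carry
    rows = []
    for hexdump in frames:
        pkt = parse_frame(hexdump)
        sender = pkt["src"]
        if sender in expect_next and pkt["seq"] != expect_next[sender]:
            raise ValueError("%s sent seq %d, expected %d" % (sender, pkt["seq"], expect_next[sender]))
        expect_next[sender] = (pkt["seq"] + consumed(pkt)) % (1 << 32)
        rows.append((sender, "/".join(pkt["flags"]), pkt["seq"], pkt["ack"], consumed(pkt)))
    return rows


if __name__ == "__main__":
    for sender, flags, seq, ack, used in walk(CAPTURED):
        print("%-22s %-8s seq=%-10d ack=%-10d consumes=%d" % (sender, flags, seq, ack, used))
```

Running it prints one row per frame and raises if any segment's sequence number does not follow from the previous one, which is exactly the check an attacker's sequence-number prediction has to pass on the victim's side.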
It is very important for an attacker to truly understand how sequence numbers advance in order to execute IP spoofing. Being able to predict sequence numbers accurately allows an attacker to exploit a number of loopholes:

1. Hijacking TCP connections and stealing data.
2. Exploiting trust relationships.

Trust Relationships

Trust relationships are an integral part of all IP spoofing attacks. A trust relationship is a form of authentication used to verify the identity of a remote system. All Internet users run into some form of authentication on a regular basis; the most common is the username and password pair, where the host asks the remote client for a username and password and grants access only if the pair is correct.

A trust relationship is a similar authentication process, except that the IP address of the remote client is used as the credential. The host determines the source IP address of the remote client and compares it with a predefined list of allowed addresses. If the address is on the list, the client is granted access without entering a password; if it is not, access is denied. Hence, in a trust relationship, a matching IP address is all that is required. Authentication in which the remote client's IP address alone is adequate proof of identity is what is meant by a trust relationship.

Trust relationships are common on Unix systems in the form of the r services: rsh, rlogin, rcp and so on. Because the only credential is a field in the IP header that the sender itself fills in, they are not secure and have a number of loopholes. Unfortunately, despite the threats involved, many corporations continue to use them.
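The following is an added example, not code from the course, of what address-based authentication of this kind actually decides on. It is a simplified model of the hosts.equiv/.rhosts rule files that rlogind and rshd consult (one host per line, an optional user name, '+' for any host or user, a leading '-' to deny a host), with a dictionary standing in for the reverse DNS lookup a real daemon performs on the peer address. The rule text and the address table are constructed. The point it makes is that the check for a genuine login from TRUSTED and for a spoofed one with TRUSTED's address is the very same function call with the very same arguments: the host has nothing else to go on.

```python
"""Simplified model of r-service (rlogin/rsh) address-based trust.

Added example, not code from the course. It mimics the rule format of hosts.equiv
and .rhosts: one host per line, optionally followed by a user name, '+' meaning any
host or user, and a leading '-' denying a host. The rule text and the reverse DNS
table below are constructed; a dictionary stands in for the daemon's reverse lookup.
"""

# Constructed stand-in for reverse DNS of the peer address.
REVERSE_DNS = {
    "33.33.33.33": "trusted.example.com",     # TRUSTED (the FAKE of the earlier discussion)
    "111.11.11.11": "attacker.example.com",   # ATTACKER's real address
}

# Constructed trust list of the kind an r-service host consults.
HOSTS_EQUIV = """
# host                 [user]
trusted.example.com             # same-named users on TRUSTED need no password
-attacker.example.com           # explicitly denied
"""


def parse_rules(text):
    """Turn hosts.equiv/.rhosts style lines into (host, user, deny) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        rules.append((host.lstrip("-"), user, host.startswith("-")))
    return rules


def address_trusted(rules, src_ip, remote_user, local_user):
    """Decide the way ruserok() does: the peer is known only by the source address it claims."""
    peer_name = REVERSE_DNS.get(src_ip)
    for host, user, deny in rules:
        host_ok = host == "+" or host in (peer_name, src_ip)
        # No user field: the remote user may log in only under the same local name.
        user_ok = (user is None and remote_user == local_user) or user in ("+", remote_user)
        if host_ok and user_ok:
            return not deny           # first matching line decides
    return False


def demo():
    """Legitimate, denied and spoofed logins against the constructed rule set."""
    rules = parse_rules(HOSTS_EQUIV)
    return {
        "TRUSTED, same user": address_trusted(rules, "33.33.33.33", "bob", "bob"),
        "TRUSTED, different user": address_trusted(rules, "33.33.33.33", "bob", "root"),
        "ATTACKER from own address": address_trusted(rules, "111.11.11.11", "bob", "bob"),
        # Identical call to the first one: with the source address forged, the host cannot tell.
        "ATTACKER spoofing TRUSTED": address_trusted(rules, "33.33.33.33", "bob", "bob"),
        "'+' wildcard trusts anyone": address_trusted(parse_rules("+ +"), "111.11.11.11", "eve", "root"),
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print("%-28s %s" % (case, "no password needed" if granted else "denied"))
```

The last scenario is the configuration mistake that makes spoofing unnecessary altogether: a '+' wildcard line trusts every address on the network, so the attacker does not even have to forge one.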
One can establish an rlogin connection with a remote Unix system by typing the following command at the shell prompt:

$>rlogin IP address

____________________________
HACKING TRUTH: A trust relationship can be exercised with the telnet utility as well, by connecting to the port the r service listens on. The default ports are 512 (exec), 513 (login) and 514 (shell).
____________________________

Typically, IP spoofing attacks are implemented to exploit trust relationships. If a trust relationship exists between two systems, a client and a server, an attacker can spoof his IP address, pretend to be the client and gain illicit access to the server. The target is fooled into believing that the attacker is the trusted system. Such an attack gives the attacker whatever access the trusted account has on the target, which for the r services usually means a shell with access to its commands and files. Hence IP spoofing used in conjunction with trust relationships can have serious consequences, and it is important for corporations to take adequate security measures against it.

Spoofing your IP Address to exploit trust relationships

The problem with IP spoofing is that, although it is easy to explain in theory, it is difficult to implement. Even hardened network experts find it hard to spoof an IP address successfully, let alone security dabblers. As discussed earlier, two of the biggest problems are the blind nature of the attack and the amount of luck involved; there are simply too many assumptions in it. Nonetheless, IP spoofing attacks can be perfected if practised carefully and thoroughly, and there have been numerous cases in which attackers have successfully spoofed their address. Typically, attackers spoof their IP address by following the steps below.

NOTE: The following notation is used in the steps below:

a.) The victim system is referred to as VICTIM or the target system.
b.) The trusted system, which is able to establish a trust relationship with VICTIM, is referred to as TRUSTED (the FAKE of the earlier discussion).
c.) The attacker is referred to as ATTACKER.

1. Identifying a Trusted System

Before an attacker can start exploiting the victim's trust relationships, he needs to figure out which systems enjoy a trust relationship with the target. In other words, the first step in IP spoofing is to find out which systems are trusted by the target. It is very important to correctly identify the systems that regularly establish trust connections with the target; typically they do so using the r services.
Some of the most common techniques of finding out the trusted systems are: a.) The following commands can on most occasions be used to identify the trusted systems: rpcinfo -p showmount -e b.) Another very common technique of figuring out the trusted systems is to use social engineering techniques. Refer to the section of social engineering for more information.
c.) A number of attackers also use brute force tools to pinpoint the trusted system by checking all systems on the local network.
d.) A number of attackers also prefer to use brute forcing, where all systems on the local network are checked as to whether or not they are capable of establishing a trust relationship with the target system.

Once an attacker has pinpointed the identity of the trusted system, it then needs to DOS attack the trusted system, render it useless and carry out the IP spoofing attack.

2. Blocking the real Trusted System

For an IP spoofing attack to be completely successful, it is important for the attacker to ensure that the real trusted system does not interfere with or interrupt the spoofing process at any point of time. If the real trusted system were to respond to any data packets sent by VICTIM, then the spoofing process would come to an end. As discussed earlier, one of the most important rules for successful IP spoofing is as follows:

“…FAKE must not at any point respond to the SYN/ACK packet, which VICTIM sends to it…”

As a result, once the attacker has detected and identified the trusted system, the attacker then needs to block or disable it with the help of a denial of service or DOS attack. The best way to ensure that the real trusted system does not interfere in the spoofing process is to somehow block the trusted system. In other words, an attacker must make sure that all the memory of the trusted system is used up and it cannot respond to the SYN/ACK packets sent by the VICTIM system. One technique that attackers commonly use to disable the trusted system is the SYN flooding DOS attack. For more information on SYN flooding, read the DOS attacks section. Once the real trusted system has been DOS attacked, the attacker can be sure that it will not respond to any data packets sent by VICTIM and hence will not interfere in the IP spoofing process. Since all the available buffer memory will be busy responding to the endless SYN requests, all data packets sent by VICTIM will simply be discarded by the real trusted system. Such a strategy of disabling the real trusted system provides the attacker with plenty of time to execute the IP spoofing attack.

3. Getting the Final Sequence Number and Predicting the Succeeding Ones

This is probably one of the toughest steps in IP spoofing, as it involves a large number of quick calculations in extremely short time periods. Once the trusted system has been DOS attacked, the attacker needs to somehow predict the sequence number of the target computer. One technique of arriving at the sequence number of the target computer is to connect to it on a particular port (like Port 23 or 25) and record the sequence number of the last data packet that was sent by the target system. In order to ensure accurate results, it is advisable to repeat this procedure a few times. Then the attacker needs to somehow deduce the round trip time or RTT value. This can be done with the help of the ICMP protocol. It is extremely important to calculate the RTT value correctly, as an incorrect value can easily and completely sabotage an IP spoofing attack. The accuracy and success of the sequence number prediction process is greatly dependent on the correct calculation of the RTT value. Only once the RTT value has been recorded is the actual prediction of sequence numbers done.

___________________________________
HACKING TRUTH: The RTT value or the round trip time is nothing but the time taken by a data packet to travel from the source to the destination system and back. Hence, an attacker can calculate the time it takes for a data packet to reach the destination from the source system by using the formula: RTT/2.
___________________________________

Typically, attackers calculate the sequence number of the target computer based upon the following:
1. Last recorded sequence number.
2. Calculated RTT values.
3. Amount of time passed between the last recorded sequence number and the actual execution of the attack.
4. Target system connection and port states.

Although the calculation of sequence numbers is quite hard, there are indeed a few tips that one can keep in mind to make the IP Spoofing process easier:
1. It is always advisable for an attacker to record the round trip time (RTT), or the time it takes for data packets to travel from the target system to the attacker system, beforehand. This not only saves time during the actual execution of the attack but also makes it easier for the attacker to arrive at a correct sequence number prediction. Moreover, it is best to repeat the procedure of recording the RTT value a few times to get an accurate reading.
2. It is best to become familiar with the Case-Increment table (see earlier sections). This will facilitate and quicken the sequence number calculation process.
3. One must be as fast as possible. From the time the sequence number of the target system has been recorded, all succeeding steps must be taken as quickly as possible. The shorter the time gap between recording the sequence number and actually executing the IP spoofing attack, the better the chances of the attack being a success. The longer the time one wastes, the lower the chances of an attacker being able to predict the sequence numbers accurately. For example, if one wastes one extra second, then the sequence number increments by 64,000. Hence one must be as quick as possible and waste as little time as possible.
4. Having a few practice runs is always a good idea, as that will help you get accustomed to the problems of fast calculations.
5. Finally, one needs to take a deep breath, close one’s eyes, hope for the best and execute the IP spoofing attack.

The primary objective of sequence number prediction is that the calculated sequence number must match the target system’s next sequence number. Although such a scenario is the ideal, it remains extremely difficult to attain. However, even if the predicted sequence number is merely relatively close to the actual next sequence number, the target system simply queues it up, treating it as a packet for future use. This step is definitely one of the most difficult steps in IP spoofing. Once it is executed, the remaining steps are not very hard to implement.

4. Executing the Attack

Only once the attacker is able to successfully predict the next probable sequence number can the actual IP spoofing attack be executed. This attack is executed in the following steps:
a.) In the first step, the ATTACKER sends a spoofed SYN packet to the VICTIM in such a manner that the VICTIM thinks that the packet was sent by the trusted system. These SYN packets are usually sent to the VICTIM system on those ports where the ‘r services’ are running. For example, attackers usually like to target the rlogin port (port 513) in IP spoofing attacks. Hence, this SYN packet sent by the ATTACKER requests the VICTIM to establish a trust relationship with the trusted system.
b.) As per TCP/IP connection establishment rules, the VICTIM then responds to the spoofed SYN packet (sent by the ATTACKER) by sending back a SYN/ACK packet to the trusted system. This is where the importance of SYN flooding the trusted system comes in. If the trusted system were not disabled (DOS attacked), then it would have replied to the SYN/ACK with a NACK and hence dropped the spoofing attempt. However, since the attacker has already disabled the trusted system, there is no response to the SYN/ACK packet sent by the victim. As a result, this SYN/ACK packet sent by the VICTIM gets discarded.
c.) The ATTACKER then waits for an adequate amount of time to pass. This is done to ensure that the VICTIM has already executed the above step, i.e. sent a SYN/ACK packet to the trusted system. Then the ATTACKER sends a spoofed ACK message to the VICTIM in such a manner that it seems to have been sent by the trusted system. In this step, the importance of predicting the sequence number correctly comes to the foreground. It is important for an attacker to make sure that the spoofed ACK packet has an acknowledgement number which is the predicted sequence number plus one. Moreover, the sequence number of this packet should be one more than the sequence number of the packet sent by the attacker in Step 1.
d.) Assuming that all the above steps were executed without any errors or problems, the ATTACKER is then able to successfully spoof his IP address and establish a trust relationship with the VICTIM.

5. Putting the Trusted system out of the spell of the DOS Attack

Finally, once the complete IP spoofing attack has been executed, the attacker then ends the SYN flood attack on the trusted system and brings it back to its normal functioning state. The trusted system can be brought back to the ‘alive’ state by sending a large number of FIN packets to it. A FIN packet, when sent to the remote system, terminates the previously established connection and frees up the buffer memory on it. This step of ending the attack on the trusted system is important to ensure that the system administrator of the trusted system does not suspect that anything is wrong.
Fadia’s Hot Picks for Packet Generation Tools

1. Utility Name: Libnet
Features: A packet generation tool that allows a user to send customized data packets to the target computer. It is a brilliant tool that allows the user control over almost all fields of the custom made data packets.
Download URL: http://www.packetfactory.net/libnet

2. Utility Name: pacgen.tar.gz
Features: A Unix based packet generation tool that allows attackers to send customized data packets to the target system. This tool enables custom packets with configurable Ethernet, IP, TCP, and UDP layers as well as custom payloads.
Download URL: http://www.packetstormsecurity.org
Countermeasures

1. Avoid Trust Relationships

Most IP spoofing attacks are executed only to exploit the trust relationship based authentication used by the target system. In other words, IP Spoofing can be dangerous only if the target computer is using trust relationships to authenticate its users. Corporations should avoid using trust relationships as far as possible. It is always advisable to use a combination of password authentication and trust relationships. Such a combination of both authentication techniques not only ensures proper safety, but also makes it more difficult for an attacker to execute IP spoofing. Moreover, on many occasions the use of TCP wrappers to allow access only from certain trusted systems has been known to be a good countermeasure.

2. Firewalls or Filtering Mechanisms

Many trust relationships exist between systems in the same local network. In such cases, the best countermeasure is to filter out the malicious attack traffic with the help of a firewall. A system administrator should filter out all packets coming from outside the local network whose source IP address belongs to a system within the internal network. This filtering mechanism can be implemented with the help of the router Access Control List (ACL) below:

access-list 101 deny ip Internal Address 0.0.255.255 0.0.0.0 255.255.255.255

Moreover, one should also filter all outgoing packets whose source address does not match an internal system’s IP address. Such a filtering rule will prevent your network systems from being exploited to initiate an IP spoofing attack. This filtering mechanism can be implemented using the router ACL below, a separate list applied to outgoing traffic: it permits only packets carrying an internal source address, and the implicit deny at the end of the access list drops every other outgoing packet:

access-list 102 permit ip Internal Address 0.0.255.255 0.0.0.0 255.255.255.255

3. Random Initial Sequence Numbers
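The two ACLs above express one policy: drop inbound packets that claim an internal source address, and drop outbound packets that do not carry one. The Python below is an added illustration of that policy (not part of the course) applied to a few constructed packets; the 10.20.0.0 / 0.0.255.255 internal block and the sample addresses are assumptions standing in for the page's "Internal Address".

```python
# Ingress/egress anti-spoofing filter mirroring the two router ACLs above.
# Added example, not from the original course. The 10.20.0.0 / 0.0.255.255
# pair is a constructed placeholder for the page's "Internal Address".
import ipaddress

INTERNAL_ADDRESS = "10.20.0.0"      # constructed placeholder
INTERNAL_WILDCARD = "0.0.255.255"   # the page's wildcard, i.e. a /16


def wildcard_to_network(address, wildcard):
    """Cisco address/wildcard pair -> IPv4Network. A wildcard is the inverse
    of a subnet mask (0 bits must match), so 0.0.255.255 means 255.255.0.0."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{address}/{ipaddress.IPv4Address(mask)}", strict=False)


def filter_packet(direction, src, internal):
    """Apply the two ACL rules to one packet; returns (decision, reason).
    direction: "inbound" (from outside, on the external interface) or "outbound"."""
    src_is_internal = ipaddress.IPv4Address(src) in internal
    if direction == "inbound" and src_is_internal:
        # First ACL: an outside packet claiming an inside source is spoofed.
        return "deny", "inbound packet with internal source address"
    if direction == "outbound" and not src_is_internal:
        # Second ACL: only internal sources may leave (implicit deny for the rest).
        return "deny", "outbound packet with non-internal source address"
    return "permit", "source address consistent with direction"


# Constructed sample traffic as (direction, source address) pairs.
SAMPLE_PACKETS = [
    ("inbound", "10.20.5.7"),      # outside packet posing as TRUSTED: drop
    ("inbound", "198.51.100.9"),   # ordinary inbound traffic
    ("outbound", "10.20.1.2"),     # ordinary outbound traffic
    ("outbound", "203.0.113.44"),  # would let this network emit spoofed packets
]


def run_filter(packets=SAMPLE_PACKETS):
    """Evaluate each packet; returns (direction, src, decision, reason) tuples."""
    internal = wildcard_to_network(INTERNAL_ADDRESS, INTERNAL_WILDCARD)
    return [(d, s) + filter_packet(d, s, internal) for d, s in packets]


if __name__ == "__main__":
    for direction, src, decision, reason in run_filter():
        print(f"{direction:8} {src:15} {decision:6} {reason}")
```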
Another very good countermeasure that makes it all the more difficult for attackers to execute IP spoofing attacks is to start using random Initial Sequence Numbers (ISNs) instead of the regular predictable sequence numbers. Under default circumstances, an attacker is able to perform IP spoofing by exploiting the predictable nature of the ISN values of the target system. However, by using random values as the ISN of a system, system administrators can make it all the more difficult for an attacker to perform IP spoofing. Typically, such a countermeasure is implemented with the help of pseudo random number generators (PRNGs) that are able to generate new random ISN values. Unfortunately, on many occasions even PRNGs fail to provide foolproof randomness.

4. Encryption

The latest implementations of encryption standards (like IPSec) provide a more secure communication and authorization channel than existing standards.

5. SYN Flooding countermeasures

To prevent trusted systems in a trust relationship network from being DOS attacked, it is advisable to take the necessary precautionary countermeasures against SYN flooding attacks. For more information on the countermeasures, refer to the section on DOS attacks.
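To make concrete why random ISNs (countermeasure 3) defeat the sequence number prediction of step 3 above, here is an added example (not the course's own code) of the per-connection ISN scheme from RFC 6528, ISN = M + F(local ip, local port, remote ip, remote port, secret key), beside a single clock-driven counter stepping 64,000 per second as the text describes. The addresses, ports, timestamp and secret key are constructed, and HMAC-SHA256 stands in for the keyed function F.

```python
# Per-connection ISN offsets in the style of RFC 6528 (added example, not the
# course's own code). Addresses, ports, timestamps and the key are constructed.
import hashlib
import hmac
import time

MASK32 = 0xFFFFFFFF


def isn_legacy(now_us):
    """Single global clock-driven ISN: the predictable behaviour the page's
    step 3 relies on, stepping 64,000 per second as the text states."""
    return (now_us * 64_000 // 1_000_000) & MASK32


def isn_rfc6528(local_ip, local_port, remote_ip, remote_port, secret, now_us=None):
    """ISN = M + F(localip, localport, remoteip, remoteport, secretkey).

    M is the RFC 793 4-microsecond clock, so one connection's ISNs still grow
    monotonically; F is a keyed one-way function (HMAC-SHA256 here), so the
    offset of one four-tuple says nothing about the offset of another.
    """
    if now_us is None:
        now_us = time.monotonic_ns() // 1000
    m = (now_us // 4) & MASK32
    conn = f"{local_ip}:{local_port}-{remote_ip}:{remote_port}".encode()
    f = int.from_bytes(hmac.new(secret, conn, hashlib.sha256).digest()[:4], "big")
    return (m + f) & MASK32


def predictability_demo(secret, t0_us):
    """What an observer who records VICTIM's ISN on a port-23 connection learns
    about the ISN VICTIM will pick for TRUSTED -> VICTIM:513 one second later.
    Returns the ISN difference under each scheme (mod 2**32)."""
    victim, trusted, observer = "192.0.2.10", "192.0.2.20", "203.0.113.5"
    t1_us = t0_us + 1_000_000
    legacy_delta = (isn_legacy(t1_us) - isn_legacy(t0_us)) & MASK32
    seen = isn_rfc6528(victim, 23, observer, 40000, secret, t0_us)
    real = isn_rfc6528(victim, 513, trusted, 1023, secret, t1_us)
    return {"legacy_delta": legacy_delta,             # always exactly 64,000
            "rfc6528_delta": (real - seen) & MASK32}  # depends on the secret key


if __name__ == "__main__":
    print(predictability_demo(b"constructed-secret-key", 1_700_000_000_000_000))
```

With the legacy counter the observer's arithmetic is always right; with the keyed offset the same arithmetic yields a value that depends on a key the observer does not hold.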