IP spoofing is among the most advanced attacks that can be executed against a computer system. Done correctly, it is one of the smoothest and hardest attacks on the internet, but it is also very complicated to carry out.
IP spoofing happens when an attacker tricks or bluffs the target system into believing that the data packets being sent to it originated from a source other than the actual source system. In other words, it is a process that enables the attacker to hide his real identity when communicating with the target system; the data packets the attacker sends therefore appear to originate from another system.
For example, suppose your IP address is 192.168.192.28, and the IP address of the target system is 202.14.12.1. Normally, when you send a message to the target system, that system detects your system’s IP address, 192.168.192.28. When you use IP spoofing, however, your IP address is replaced with a fake IP address, making it quite difficult for the target system to trace you.
As another example, imagine that the following three system addresses exist:
1. Attacker: 111.11.11.11 (REAL)
2. Victim: 222.22.22.22 (VICTIM)
3. Fake: 33.33.33.33 (FAKE)
Normally, if REAL were to send data packets to the VICTIM system, the source address of these packets would show clearly that REAL had sent them. With IP spoofing, however, REAL sends the data packets to VICTIM in such a way that they appear to have been sent from the FAKE system. IP spoofing, as you can see, is a way of disguising or hiding the source address of the attacker. It is used to carry out a variety of attacks.
PROBLEMS WITH IP SPOOFING:
• FAKE must exist and must be connected to the Internet
• FAKE must not at any point respond to the SYN/ACK packet that VICTIM sends to it.
• If you are exploiting a trust relationship, then FAKE must be chosen such that VICTIM and FAKE have a trust relationship with each other.
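As an added example (not from the original article), here is the edge-router check that defeats the scenario above: BCP 38 ingress filtering, which drops any packet whose source address cannot legitimately arrive on the port it came in on, so it no longer matters whether FAKE exists or stays silent. The prefix 111.11.11.0/24, the interface names and the packet records are assumptions built around the page's REAL, VICTIM and FAKE addresses.

```python
import ipaddress

# Constructed topology built around the page's addresses: REAL (111.11.11.11)
# sits behind the edge router's "cust-a" port, which is assigned 111.11.11.0/24
# (an assumed prefix); VICTIM (222.22.22.22) and FAKE (33.33.33.33) are reached
# through the "upstream" port.
INGRESS_PREFIXES = {
    "cust-a": [ipaddress.ip_network("111.11.11.0/24")],
}
INTERNAL = [net for nets in INGRESS_PREFIXES.values() for net in nets]


def ingress_verdict(iface, src):
    """BCP 38 style source-address validation for one inbound packet."""
    addr = ipaddress.ip_address(src)
    if iface in INGRESS_PREFIXES:
        # Customer-facing port: the source must lie in that customer's prefixes.
        if any(addr in net for net in INGRESS_PREFIXES[iface]):
            return "ACCEPT", f"{src} belongs to the prefix assigned to {iface}"
        return "DROP", f"spoofed: {src} is not assigned to {iface}"
    # Upstream port: a packet claiming an internal source can only be forged.
    if any(addr in net for net in INTERNAL):
        return "DROP", f"spoofed: internal source {src} arrived via {iface}"
    return "ACCEPT", f"external source {src} on external port {iface}"


# Constructed packet records: (ingress interface, source, destination, TCP flags)
PACKETS = [
    ("cust-a", "111.11.11.11", "222.22.22.22", "SYN"),        # REAL, honest source
    ("cust-a", "33.33.33.33", "222.22.22.22", "SYN"),         # REAL posing as FAKE
    ("upstream", "222.22.22.22", "111.11.11.11", "SYN/ACK"),  # VICTIM's reply
    ("upstream", "111.11.11.11", "111.11.11.50", "SYN"),      # outsider posing as REAL
]


def filter_packets(packets=PACKETS):
    """Apply the check to every record; returns [(src, verdict, reason), ...]."""
    return [(src, *ingress_verdict(iface, src)) for iface, src, _dst, _flags in packets]
```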
Before you move on to a step-by-step guide to IP spoofing, there are two basic network concepts you must understand:
1. Sequence numbers
2. Trust relationships
Sequence numbers:
Whenever data is sent over the internet via a TCP/IP connection, it is broken into fragments at the source system and reassembled at the destination system. Each packet containing a fragment of that data carries a sequence number, which, along with the values in the packet’s Offset field, is used by the destination system to reassemble the data packets in the correct order. A sequence number is a 32-bit number that can range from 1 to 4,294,967,295.
Each time a system is booted up, it is given an initial sequence number (ISN) of 1. This initial sequence number is incremented by 128,000 every second; in addition, with every connection established, it is incremented by 64,000. For example, if a host has an ISN of 1897737287, then after 3 connections and two seconds its ISN will be 1898185287, that is, 1897737287 + (3 * 64,000) + (2 * 128,000).
In addition, the ISN is incremented by 1 each time certain types of data packets are sent from the system. For example, when one system sends a SYN packet to another system, the Sequence Number field in the first packet will equal 1 plus the source system’s ISN at the exact moment the packet is sent because the packet’s SYN flag consumes 1 sequence number.
ISN Increments
Case                             Increment
-----------------------------------------------
Transfer of FIN packet           1
Transfer of SYN packet           1
Transfer of ACK packet           0
Transfer of SYN/ACK packet       1
Transfer of FIN/ACK packet       1
Passage of 1 second              128,000
Establishment of 1 connection    64,000
-----------------------------------------------
If a hacker learns the art of predicting sequence numbers, he or she can easily hijack TCP connections, divert data, and exploit trust relationships.
In addition to sequence numbers, data packets also contain acknowledgment numbers. An acknowledgment number acts exactly like a sequence number, except that it represents the sequence number of the packet that the target system expects to receive next. It also acknowledges that all data packets with sequence numbers lower than the value in the Acknowledgment Number field have been received.
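As an added illustration (not from the original text), the following Python carries the page's ISN arithmetic through and sets it beside an RFC 6528-style generator, showing why a clock-and-counter ISN lets one observed value fix the next one while a keyed per-connection offset does not. The boot ISN and port numbers come from the page; the per-boot secret, the clock value and the source ports are constructed.

```python
import hashlib
import hmac

MOD = 2 ** 32
SEC_INCR = 128_000   # page's model: the ISN grows by 128,000 every second
CONN_INCR = 64_000   # ...and by a further 64,000 for every connection established

def legacy_isn(boot_isn, seconds, connections):
    """ISN generator exactly as the page describes (old BSD-style behaviour)."""
    return (boot_isn + seconds * SEC_INCR + connections * CONN_INCR) % MOD

def circular_distance(a, b):
    """Distance between two 32-bit sequence numbers, allowing for wrap-around."""
    d = (a - b) % MOD
    return min(d, MOD - d)

def extrapolation_error(observed, actual_next, seconds=1, connections=1):
    """How far the page's arithmetic lands from the ISN the host actually issues
    next. 0 means the next ISN was fully determined by the one already seen."""
    guess = (observed + seconds * SEC_INCR + connections * CONN_INCR) % MOD
    return circular_distance(guess, actual_next)

def hashed_isn(clock_us, secret, local, remote):
    """RFC 6528-style ISN: a 4-microsecond clock plus a keyed hash of the
    connection 4-tuple, so each peer sees an offset it cannot derive from
    another peer's ISN. HMAC-SHA256 is an assumed choice of PRF (the RFC's own
    text illustrates with MD5); local/remote are (ip, port) tuples."""
    tag = f"{local[0]}:{local[1]}>{remote[0]}:{remote[1]}".encode()
    digest = hmac.new(secret, tag, hashlib.sha256).digest()
    return (clock_us // 4 + int.from_bytes(digest[:4], "big")) % MOD

# Constructed scenario with the page's numbers: VICTIM booted with ISN
# 1,897,737,287; a peer sees the ISN after 2 s and 3 connections (the page's
# worked value), and VICTIM issues the next one a second and a connection later.
def legacy_demo(boot_isn=1_897_737_287):
    seen = legacy_isn(boot_isn, 2, 3)
    nxt = legacy_isn(boot_isn, 3, 4)
    return seen, nxt, extrapolation_error(seen, nxt)

SECRET = b"constructed-per-boot-secret"  # real stacks draw this at random on boot

def hashed_demo(clock_us=2_000_000):
    victim = ("222.22.22.22", 513)                  # rlogin port, as on the page
    seen = hashed_isn(clock_us, SECRET, victim, ("111.11.11.11", 40001))
    nxt = hashed_isn(clock_us + 1_000_000, SECRET, victim, ("33.33.33.33", 40002))
    return seen, nxt, extrapolation_error(seen, nxt)
```

legacy_demo() returns an error of 0: the page's formula reproduces VICTIM's next ISN exactly, which is the whole weakness; hashed_demo() returns a non-zero error because the second peer's offset is independent of the first.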
Trust relationships:
Any time you log on to a system, you’ll encounter some sort of authentication process. In most cases, this is the familiar username/password pair, which challenges the user to enter the correct username and password before access will be granted. There is, however, yet another form of authentication: trust relationships. When a client has a trust relationship with a remote host, the client’s IP address itself serves to authenticate that client when it initiates a connection with the remote host.
These types of trust relationships are common in UNIX systems, which have certain ‘R services’ such as rsh, rlogin, rcp and so on.
Actual steps involved in IP spoofing:
Detecting a trusted system:
The first step in using a trust relationship to exploit the target system is to find a system with which VICTIM enjoys a trust relationship. You can find a system with which VICTIM establishes a trust relationship by using any of the following methods:
1. Using various useful commands like rpcinfo -p and showmount -e
2. Digging up as much information about VICTIM and the network on which it resides as possible
3. Using brute force, in which you check all systems in the same network to see whether any are capable of establishing a trust relationship with VICTIM
Next, ATTACKER must determine the ISN value of VICTIM. To do this, ATTACKER connects to port 23 or port 25 of VICTIM and, with the help of a sniffer log, determines the ISN of VICTIM.
LAUNCHING THE ACTUAL ATTACK:
Assuming you’ve managed to predict VICTIM’s ISN, you launch the attack as follows:
1. ATTACKER sends a SYN packet with the spoofed IP address to VICTIM. This SYN packet is addressed to the rlogin port (513) and requests that a trust connection be established between VICTIM and TRUSTED.
2. VICTIM replies to this SYN packet with a SYN/ACK packet addressed to TRUSTED. Because TRUSTED has been disabled (its memory hogged by a SYN-flood attack), it cannot reply, and the SYN/ACK packet sent by VICTIM is discarded.
3. When you are sure enough time has passed that VICTIM must have sent a SYN/ACK packet to the TRUSTED system, you send an ACK message to VICTIM. This ACK message is designed to appear as though it has come from TRUSTED and includes an ACK number whose value is the predicted sequence number plus 1.
If everything goes as planned, VICTIM will accept the connection and a trust relationship between VICTIM and ATTACKER will be established. In addition, the attacker must deduce the packet’s RTT using a utility called icmptime.