Before reading this article, make sure you understand the basic structure and operation of TCP/IP. Reviewing the common IP spoofing techniques first will also make this article easier to follow.
Let's start with a brief overview. IP spoofing means that one host impersonates the IP address of another host when communicating with other devices, in order to achieve some goal. How is this done? Many scanners support port scanning with a forged source IP address. That is easy: only a single SYN packet has to be constructed for the probe. The hard part is keeping the forged address for an entire session,
for example posing as a trusted host to log on to a terminal server, or even taking over an existing session. We can approach this problem from easy to hard: since a single SYN packet can be constructed, the second packet (the ACK), the following data packets (AP, i.e. ACK/PSH) and the application-layer packets can be constructed too. This is feasible in theory, but the workload is huge; it amounts to reimplementing IP, TCP and the application-layer protocol completely on top of pcap. Even once a common network-layer module exists, every application still needs its own higher-layer protocol implementation.
Here we can divide advanced IP spoofing into two methods: one takes over an established session, the other creates a new session.
Method 1 is the IP spoofing technique that has long been widely used on the Internet. It involves guessing TCP sequence numbers together with a DoS attack. Here is a more detailed article:
http://www.20cn.net/ns/hk/hacker/data/20020804015903.htm
It is the record of Kevin Mitnick's IP spoofing attack in 1994. I have extracted the general process from it:
1. First, temporarily paralyze the trusted host's network so that it cannot interfere with the attack.
2. Connect to a port on the target machine to guess the ISN base value and its increment rule (important, and the hard part!).
3. Next, with the source address disguised as the trusted host, send a SYN segment requesting a connection.
4. Then wait for the target machine to send its SYN+ACK to the paralyzed host; you cannot see this packet.
5. Finally, disguised as the trusted host, send an ACK to the target machine; the segment carries the predicted target ISN + 1.
6. The connection is established; send the command request.
7. Clean up your traces, leave a backdoor, go offline, shut down, and go to bed. ~~~ ZzzZZZzzz ~~~
One precondition in this scenario is rlogin's address-based trust relationship: an IP address that matches the trust relationship can log on without password verification.
At this point we inevitably ask how the packets the target returns in steps 4 and 5 reach the attacker's machine. In today's networks, after the attacker forges the trusted host's address and sends to the victim, the victim's response packet is addressed to the trusted host; even if the trusted host has been taken down by DoS, the response is not delivered to the attacker.
So we need to look at the network environment of that time. The conclusion is that the network topology then was very different from today's. The biggest difference is that Ethernet in a shared environment and Ethernet in a switched environment behave differently, and other topologies such as Token Ring were probably in use as well. Let us look at the development history of Ethernet.
In 1990 the Kalpana EtherSwitch EPS-700 became available. A network switch is an architecture that provides multiple data transmission paths at the same time, similar to a telephone switch, and it greatly improves overall throughput.
In 1993 Kalpana made another breakthrough: full-duplex Ethernet.
During the first half of the year, the three groups were busy with the other parts of the Fast Ethernet standard, such as 100BASE-T4, MII, repeaters and full duplex.
On 18 June 1995 the IEEE 802.3u standard was approved by its members and review committees. The era of Fast Ethernet had arrived!
In 1995 Cisco Systems acquired Grand Junction Networks and offered the first 10 Mbps workgroup switch. From this history we can see that the industrialization of switching equipment started around 1995, so the story above can safely be assumed to have taken place in a shared environment.
How can this be done in a switched environment? Once you know the differences between a shared and a switched environment, the problem is easy to solve: ARP, CAM, STP and similar spoofing methods can be used to obtain the data returned in step 4. Of course, these are all theoretical so far; we have not yet seen very practical tools. (I am also still struggling with how to implement a general tool for hijacking an authorized session.)
Now for method 2. We have a new way to implement it quickly: proxy-based IP spoofing, which quickly creates a fake IP session.
Yun Shu, at http://icylife.net/yunshu/show.php?id=732, discusses IP spoofing in a special environment. It is a good but cumbersome method, because it amounts to fully implementing the IP/TCP/application-layer protocols. Below we discuss the proxy-based IP spoofing method. It still needs support from ARP/CAM or another spoofing method, because, as mentioned later, it only works within the same subnet (strictly speaking, the same broadcast domain). An example explains the IP spoofing process; the scenario involves attacker A, trusted user B and server C.
Step 1
IE on A accesses a non-existent address, http://1.1.1.1/ip.asp. Normally there is no response.
On A, we capture the packet sent to 1.1.1.1 and, before resending it, change its destination IP to C, its source IP to B and its destination MAC to C's.
A starts an ARP thread that tells C that B's MAC address is A's.
Step 2
C receives a packet whose source IP is B and responds. The response has destination IP B and destination MAC A.
Step 3
A receives C's response to B, changes its destination IP to A and its source IP to 1.1.1.1, and resends it to A.
A receives the resent data. From the viewpoint of IE on A, it sent a request to 1.1.1.1 and received a response from 1.1.1.1, so IE accepts and processes the packet.
At this point the IP spoofing is complete. The above process lets the attacker pose as any IP address in the subnet in order to gain server C's trust.
What about posing as an Internet IP address? Very simple: use the ARP thread from step 1 to rewrite C's IP-to-MAC mapping so that the gateway's IP maps to A's MAC; then any IP address can be forged from inside the same intranet.
From the steps above we can see that we need not care about TCP sequence numbers, about whether the trusted host is alive, or about the upper-layer protocol; the method applies to RDP, FTP, SSH, HTTP and other protocols carried over IP. Testing has confirmed the feasibility described in this article.
To achieve this effect, only a few key lines of code are needed (C#; the pcap wrapper and the Function, CnCerT.net.packet and MyLocalHost helper classes are the author's own and are not shown):
    int strIndex = 0;
    string Desmac = Function.getMACAddress(s, ref strIndex);
    int Index = 26;
    string Srcip = Function.getIpAddress(s, ref Index);
    string Desip = Function.getIpAddress(s, ref Index);   // basic parsing of the captured frame s
    if (Srcip == MyLocalHost.ip[0] && Desip == tagip)
    {
        // Packet to be forwarded, e.g. the one sent to 1.1.1.1: rewrite the source IP
        // to the trusted IP and the destination MAC to the real destination, then forward.
        Index = 26;
        Function.setipaddres(ref s, psrcip, ref Index);
        Function.setipaddres(ref s, tagetip, ref Index);
        modifydesmac(s, tagetmac);
        CnCerT.net.packet.doCheck.checkIP(ref s);    // checkIP/checkTCP presumably fix up the header checksums
        CnCerT.net.packet.doCheck.checkTCP(ref s);
        mypcap.sendPacket(s);
    }
    else if (Srcip == textBox_targetip.Text && Desip == textBox_srcip.Text)
    {
        // Packet returned by the target: rewrite the source IP to the fake address
        // (1.1.1.1) and the destination IP to the local host, then resend.
        Index = 26;
        Function.setipaddres(ref s, tagip, ref Index);
        Function.setipaddres(ref s, MyLocalHost.ip[0], ref Index);
        CnCerT.net.packet.doCheck.checkIP(ref s);
        CnCerT.net.packet.doCheck.checkTCP(ref s);
        mypcap.sendPacket(s);
    }
In an environment where ARP spoofing is not possible, CAM spoofing can be used instead to carry out the IP spoofing; for details see the article on sniffing techniques without ARP spoofing.
Preventing ARP, CAM and STP spoofing effectively defends against the attack methods and tools described in this article.
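As an added example (not part of the original article and not the author's tool), the following Python detector shows what a defender can look for on the wire: it checks captured frames against a trusted IP-to-MAC binding table, the way DHCP snooping with dynamic ARP inspection and IP source guard do, and flags the three traces that steps 1 to 3 and the gateway trick leave: an ARP reply rebinding a known IP, a packet carrying B's IP but A's source MAC, and C's reply addressed to B's IP but A's MAC. All addresses, the binding table and the sample trace are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple
# Constructed IP -> MAC binding table, as DHCP snooping or a static inventory would hold it.
BINDINGS: Dict[str, str] = {
    "10.0.0.1": "00:00:5e:00:01:01",    # gateway
    "10.0.0.20": "02:00:00:00:00:0b",   # trusted host B
    "10.0.0.30": "02:00:00:00:00:0c",   # server C
}
ATTACKER_MAC = "02:00:00:00:00:0a"      # host A (constructed); deliberately not in the table

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    proto: str          # "arp" or "ip"
    src_ip: str         # for ARP replies: the sender protocol address being advertised
    dst_ip: str
    arp_op: int = 0     # 1 = request, 2 = reply (ARP frames only)

def check_frame(f: Frame, bindings: Dict[str, str]) -> List[str]:
    """Return the alert tags one frame raises against the binding table."""
    alerts: List[str] = []
    src_bound, dst_bound = bindings.get(f.src_ip), bindings.get(f.dst_ip)
    if f.proto == "arp" and f.arp_op == 2:
        # Step 1 and the gateway trick: a reply rebinding a known IP to another MAC.
        if src_bound and src_bound != f.src_mac.lower():
            alerts.append(f"arp-rebind:{f.src_ip}")
    elif f.proto == "ip":
        # Step 1: the rewritten request carries B's IP but still A's source MAC.
        if src_bound and src_bound != f.src_mac.lower():
            alerts.append(f"src-mismatch:{f.src_ip}")
        # Step 2: C answers B's IP but, with a poisoned ARP cache, frames it to A's MAC.
        if dst_bound and dst_bound != f.dst_mac.lower():
            alerts.append(f"dst-mismatch:{f.dst_ip}")
    return alerts

def scan(frames: List[Frame], bindings: Dict[str, str]) -> List[Tuple[int, str]]:
    """Run every frame through check_frame; returns (frame index, alert) pairs."""
    return [(i, a) for i, f in enumerate(frames) for a in check_frame(f, bindings)]
# Constructed trace of the scenario (A = attacker, B = trusted host, C = server).
SAMPLE: List[Frame] = [
    Frame("02:00:00:00:00:0b", "02:00:00:00:00:0c", "ip", "10.0.0.20", "10.0.0.30"),  # genuine B -> C
    Frame(ATTACKER_MAC, "02:00:00:00:00:0c", "arp", "10.0.0.20", "10.0.0.30", 2),     # "B is at A's MAC"
    Frame(ATTACKER_MAC, "02:00:00:00:00:0c", "ip", "10.0.0.20", "10.0.0.30"),         # rewritten request
    Frame("02:00:00:00:00:0c", ATTACKER_MAC, "ip", "10.0.0.30", "10.0.0.20"),         # C's reply to "B"
    Frame(ATTACKER_MAC, "02:00:00:00:00:0c", "arp", "10.0.0.1", "10.0.0.30", 2),      # gateway rebind
]
if __name__ == "__main__":
    for idx, alert in scan(SAMPLE, BINDINGS):
        print(f"frame {idx}: {alert}")
```

The genuine B-to-C frame raises nothing, while each of the four spoofed frames raises exactly one alert; in a real deployment the binding table is the DHCP snooping database and the frames come from a span port or the switch's own inspection path.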