RE: RE: Session & IP Spoofing

From: Micheal Thompson (MThompson_at_brinkster.com)
Date: 12/04/03

  • Next message: Frank Knobbe: "Re: RE: Session & IP Spoofing"
    Date: Thu, 4 Dec 2003 17:11:53 -0500
    To: MARTIN M. Bénoni <benoni_martin@hotmail.com>, <pen-test@securityfocus.com>, "pire pire" <pirepire69@romandie.com>
    
    

    But the GET has to be completed in the Transmition window allowed by the specific host machine.

    The Packet has to be crafted in such a way that all information is sent in a sequenced window and the Data packet has to be sequenced in such a way that the upper layer of the host machine can properly send it to the upper layers. If the sequence is not what is to be expected the PDU will be dropped.

    So the real question is

    1. What are you going to utilize to craft the packet? And is the functionality to craft the packet going to complete you goal.

    2. Is the stimulus you are trying to provide going to produce a output that is going to need to be analyzed by the attacker or is it a hope and pray routine? Hope that the code works and pray that I can do what I want with it via another process.

    3. The history of session "playback" it to receive the data you are "playing back". So spoofing is kind of worthless unless you are spoofing the address of a host that can receive the return traffic.
          But if you are you're using the session information to gain access to
          the host to execute code that the access granted by the session will give you access to execute the code; then that is a valid reason for spoofing.
       
    3. Or is this to see if I can do this and log it.

    SOUNDS LIKE A CUSTOM JOB AND I HAVE NOT SEEN ANY TOOLS FOR THIS.
       
    -----Original Message-----
    From: MARTIN M. Bénoni [mailto:benoni_martin@hotmail.com]
    Sent: Thursday, December 04, 2003 12:15 PM
    To: pirepire69@romandie.com; Micheal Thompson; pen-test@securityfocus.com
    Subject: RE: RE: Session & IP Spoofing

    I think you have at lesat the two following solutions:
    - Two machines: the first one sends the real GET to the second one, which
    forwards the request to the target after sooping the IP (with Hping2 for
    instance).
    - Just a machine, a Windows one: a programm such as RafaleX should allow
    you to send whatever you want, even spoofing the MAC source address. Nemesis
    can create a custom packet (but i am not sure the payload can be an HTTP
    GET)

    Hope these hints will help!

    >From: "pire pire" <pirepire69@romandie.com>
    >To: MThompson@brinkster.com, <pen-test@securityfocus.com>
    >Subject: RE: RE: Session & IP Spoofing
    >Date: Thu, 4 Dec 2003 10:54:18 +0100
    >
    >No I don't care about the return traffic! All I
    >need is to sen I GET request with a spoofed IP!
    >
    >Example:
    >
    >GET /toto.php?sessionId=123456&transfer=1000
    >Host: www.toto.com
    >
    >I just need to send this request to the server
    >with the ip adress belonging to the sessionID
    >I've got throuh my XSS!
    >
    >
    >So how do you do that?
    >
    >
    >Thanks for your help
    >
    >
    >
    >
    >
    >
    >
    >---------------------------------------
    >You can spoof any IP. The question is do you
    >want the return traffic.
    >
    >-----Original Message-----
    > From: pire pire
    >[mailto:pirepire69@romandie.com]
    >Sent: Tuesday, December 02, 2003 5:02 PM
    >To: pen-test@securityfocus.com
    >Subject: Session & IP Spoofing
    >
    >Hi,
    >
    >I've found a vulnerability in a Web App which
    >gave me via an XSS the sessionID token.
    >
    >I would like to replay this token. But the
    >session ID manager (on the server) seems to
    >look
    >also to IP adresses.
    >
    >So my question is: Is there a way to spoof my
    >ip
    >address in order to replay the sessionID??
    >
    >Like:
    >http://www.tutu.com/toto.php?
    >sessionid=32443243
    >and some how spoof of my IP?!
    >
    >If I replay the sessionid from my machine or an
    >other machine behind my NAT (same outside IP)
    >it
    >works!!
    >
    >Thanks a lot for your help
    >
    >
    >_______________________________________________
    >
    >La messagerie gratuite des romands : 10 MO !!!
    >Profitez-en ! >>> http://www.romandie.com
    >
    >---------------------------------------------------------------------------
    >----------------------------------------------------------------------------
    >

    _________________________________________________________________
    Add photos to your e-mail with MSN 8. Get 2 months FREE*.
    http://join.msn.com/?page=features/featuredemail

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------


  • Next message: Frank Knobbe: "Re: RE: Session & IP Spoofing"