[Full-disclosure] TCP Hijacking (aka Man-in-the-Middle)
Valdis.Kletnieks at vt.edu
Valdis.Kletnieks at vt.edu
Thu Oct 25 22:14:23 BST 2007
On Fri, 26 Oct 2007 00:43:10 +0400, 3APA3A said:
> Valdis, you should back to Cretaceous period, because Oliver talks
> about man-in-the-middle attack, not about blind TCP spoofing.
> Randomized ISN doesn't protect against MitM.
Doing a MitM is basically just spoofing two connections at the same time. If
you know how to do one, you know how to do two. And if you know how to do one
of them *blind*, it vastly increases your options (as you only need to be able
to see the traffic in one direction rather than both). Also, knowing your
history gives you a leg up - I'm quite sure that very few of the skript kiddies
who now think a SYN-flood is just a useful DDoS attack realize that the
*original* use was to spam a machine into a state where it couldn't send an RST
packet to your victim box when it saw the replies to the forged packets you
were blind-spoofing.
Now - what *other* ways can you leverage the idea that you can make an RST
packet "Not Happen"? Remember - if you're the attacker, you *want* to be
exploiting odd corner cases of the protocol, and it's perfectly fair to abuse
a trick that nobody bothers defending against anymore because they've forgotten
it....
Of course, these days it's probably easier to play some DNS spoofing games so
that the victim connects to your server and you then proxy to wherever it was
really intended to go. Or just create a phish.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071025/fe752ad2/attachment.bin
Full-Disclosure is hosted and sponsored by Secunia.