(Tutorial) IP Spoofing, IP Address and Packet Header Analysis

This is a tutorial that I preferred to leave in its original language.
-: IP Spoofing :-
The term IP (Internet Protocol) address spoofing refers to the creation of IP packets with
a forged (spoofed) source IP address with the purpose of concealing the identity of the
sender or impersonating another computing system.
Why does it work?
IP-Spoofing works because trusted services only rely on network address based
authentication. Since IP is easily duped, address forgery is not difficult.
The main reason is security weakness in the TCP protocol known as sequence number
prediction.
How does it work?
To completely understand how ip spoofing can take place, one must examine the
structure of the TCP/IP protocol suite. A basic understanding of these headers and
network exchanges is crucial to the process.
Internet Protocol (IP) :
It is a network protocol operating at layer 3 (network) of the OSI model. It is
connectionless: it keeps no information about transaction state, and it is used to route
packets on a network. Additionally, there is no method in place to ensure that a packet is
properly delivered to the destination.

Examining the IP header, we can see that the first 12 bytes (or the top 3 rows of the
header) contain various information about the packet. The next 8 bytes (the next 2 rows),
however, contain the source and destination IP addresses. Using one of several tools, an
attacker can easily modify these addresses – specifically the “source address” field.
Transmission Control Protocol (TCP) :
It is the connection-oriented, reliable transport protocol in the TCP/IP suite. Connection-
oriented simply means that the two hosts participating in a discussion must first establish
a connection via the 3-way handshake (SYN-SYN/ACK-ACK). Reliability is provided
by data sequencing and acknowledgement. TCP assigns sequence numbers to every
segment and acknowledges any and all data segments received from the other end.
In the TCP header diagram, the first 12 bytes of the TCP segment contain the port and
sequencing information.
TCP sequence numbers can simply be thought of as 32-bit counters. They range from 0 to
4,294,967,295. Every byte of data exchanged across a TCP connection (along with
certain flags) is sequenced. The sequence number field in the TCP header will contain the
sequence number of the *first* byte of data in the TCP segment. The acknowledgement
number field in the TCP header holds the value of next *expected* sequence number, and
also acknowledges *all* data up through this ACK number minus one.
TCP packets can be manipulated using several packet-crafting tools available on the
internet.
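The following parser is an added example (not part of the original tutorial) that decodes the header layout described above: the IPv4 source and destination addresses at bytes 12 to 19, the TCP ports and sequence/acknowledgement numbers in the first 12 bytes of the TCP header, and the rule that the acknowledgement number is the sequence number of the next expected byte. The packet it parses is constructed in memory from RFC 5737 documentation addresses; nothing is sent. The point for a defender is visible in the code: the source address is just four unauthenticated bytes, so nothing in the IP layer lets a receiver tell a genuine source from a forged one.

```python
import socket
import struct


def parse_ipv4_header(pkt):
    """Decode the fixed 20-byte IPv4 header.

    The first 12 bytes (three 32-bit rows) carry version/IHL, TOS, total length,
    identification, flags/fragment offset, TTL, protocol and header checksum; the
    next 8 bytes are the source and destination addresses. Nothing in the header
    authenticates the source field, which is why a receiver cannot trust it."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, hdr_csum = struct.unpack(
        "!BBHHHBBH", pkt[:12])
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    return {"version": ver_ihl >> 4, "ihl_bytes": (ver_ihl & 0x0F) * 4,
            "total_length": total_len, "ttl": ttl, "protocol": proto,
            "src": src, "dst": dst}


def parse_tcp_header(seg):
    """Decode the first 12 bytes of a TCP header: ports, sequence and ack numbers."""
    sport, dport, seq, ack = struct.unpack("!HHII", seg[:12])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack}


def next_expected_seq(seq, payload_len, syn=False, fin=False):
    """ACK number a receiver sends back: sequence number of the first byte plus the
    bytes received; SYN and FIN each consume one sequence number. The counter is
    32 bits wide, so it wraps after 4,294,967,295."""
    return (seq + payload_len + int(syn) + int(fin)) & 0xFFFFFFFF


def build_sample_packet(src, dst, sport, dport, seq, ack, payload=b""):
    """Constructed sample IPv4 + TCP packet (20-byte headers, no options). The IP
    header checksum is left zero because it is not needed for parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4,      # data offset: 5 words = 20 bytes
                      0x18,        # flags: PSH|ACK
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0)
    ip += socket.inet_aton(src) + socket.inet_aton(dst)
    return ip + tcp


def analyse(pkt):
    """Parse a packet and report which ACK the far end should answer with."""
    ip = parse_ipv4_header(pkt)
    tcp = parse_tcp_header(pkt[ip["ihl_bytes"]:])
    payload_len = ip["total_length"] - ip["ihl_bytes"] - 20
    tcp["expected_ack_from_peer"] = next_expected_seq(tcp["seq"], payload_len)
    return ip, tcp


if __name__ == "__main__":
    # Constructed addresses from the RFC 5737 documentation ranges.
    sample = build_sample_packet("192.0.2.10", "198.51.100.20", 40000, 22, 1000, 5000, b"hello")
    for name, fields in zip(("IP", "TCP"), analyse(sample)):
        print(name, fields)
```

Running the module prints both decoded headers; with a 5-byte payload starting at sequence number 1000, the peer's acknowledgement should be 1005, which is exactly the value an attacker who cannot see the wire has to guess.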
The Attack
IP-spoofing consists of several steps. First, the target host is chosen. Next, a pattern of
trust is discovered, along with a trusted host. The trusted host is then disabled, and the
target’s TCP sequence numbers are sampled. The trusted host is impersonated, the
sequence numbers guessed, and a connection attempt is made to a service that only
requires address-based authentication. If successful, the attacker executes a simple
command to leave a backdoor.
Spoofing can be carried out in different ways, as given below:
Non-Blind Spoofing :- This type of attack takes place when the attacker is on the same
subnet as the victim. The sequence and acknowledgement numbers can be sniffed,
eliminating the potential difficulty of calculating them accurately.
Blind Spoofing :- Here the sequence and acknowledgement numbers are unreachable. In
order to circumvent this, several packets are sent to the target machine in order to sample
sequence numbers.
Both types of spoofing are forms of a common security violation known as a Man In The
Middle Attack. In these attacks, a malicious party intercepts a legitimate communication
between two friendly parties. The malicious host then controls the flow of
communication and can eliminate or alter the information sent by one of the original
participants without the knowledge of either the original sender or the recipient. In this
way, an attacker can fool a victim into disclosing confidential information by “spoofing”
the identity of the original sender, who is presumably trusted by the recipient.
IP spoofing is almost always used in what is currently one of the most difficult attacks to
defend against – Denial of Service attacks, or DoS. The main defenses are the following.
1) Filtering at the Router :- Implementing ingress and egress filtering on your border
routers is a great place to start your spoofing defense. You will need to implement an
ACL (access control list).
2) Encryption and Authentication :- Implementing encryption and authentication will
also reduce spoofing threats. Both of these features are included in IPv6, which will
eliminate current spoofing threats.
3) Initial Sequence Number Randomizing.
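The filtering rule in point 1 is easy to state precisely, and the following added example (written for this page, not from the tutorial) does so as a decision function a border router's ACL would encode. The site prefix 203.0.113.0/24 and the sample packets are constructed assumptions using RFC 5737 documentation ranges. Ingress filtering drops packets arriving from the Internet whose source claims to be inside our own network or in a reserved range that cannot legitimately appear on the Internet; egress filtering (BCP 38) drops packets leaving our network whose source is not ours, so our hosts cannot be used to spoof anyone else.

```python
import ipaddress

# Constructed topology: the site owns 203.0.113.0/24 (RFC 5737 TEST-NET-3).
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source ranges that must never arrive from the Internet: "this" network, RFC 1918
# private space, loopback, link-local, multicast and the reserved class E block.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def _in_any(addr, prefixes):
    return any(addr in prefix for prefix in prefixes)


def filter_decision(direction, src_ip):
    """Return ('permit' | 'deny', reason) for one packet at the border router.

    direction is 'ingress' for packets arriving from the Internet and 'egress'
    for packets leaving our network. Only the source address is consulted,
    which is all an anti-spoofing ACL needs."""
    src = ipaddress.ip_address(src_ip)
    if direction == "ingress":
        if _in_any(src, INTERNAL_PREFIXES):
            return ("deny", "ingress: source claims to be one of our own addresses")
        if _in_any(src, BOGON_PREFIXES):
            return ("deny", "ingress: source is a reserved or private (bogon) address")
        return ("permit", "ingress: plausible external source")
    if direction == "egress":
        if not _in_any(src, INTERNAL_PREFIXES):
            return ("deny", "egress: source is not ours (BCP 38)")
        return ("permit", "egress: source is ours")
    raise ValueError("direction must be 'ingress' or 'egress'")


# Constructed sample traffic: (direction, source address)
SAMPLE_PACKETS = [
    ("ingress", "198.51.100.7"),   # ordinary external host
    ("ingress", "203.0.113.9"),    # claims to be inside our network -> spoofed
    ("ingress", "10.1.2.3"),       # RFC 1918 source from the Internet -> spoofed
    ("egress", "203.0.113.40"),    # our host talking out
    ("egress", "192.0.2.1"),       # not our address leaving our network -> spoofed
]


def run_filter(packets=SAMPLE_PACKETS):
    """Apply the ACL to every sample packet and return the decisions."""
    return [(d, ip) + filter_decision(d, ip) for d, ip in packets]


if __name__ == "__main__":
    for direction, ip, verdict, reason in run_filter():
        print("%-7s %-15s %-6s %s" % (direction, ip, verdict, reason))
```

Three of the five constructed packets are denied. The same two checks map directly onto a pair of router ACLs, one applied inbound on the Internet-facing interface and one outbound.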

-: IP Address :-
Definition :-
“An Internet Protocol (IP) address is a numerical identification (logical address) that is
assigned to devices participating in a computer network utilizing the Internet Protocol
for communication between its nodes”. — Wikipedia
The Internet Protocol (IP) has two versions currently in use, IPv4 and IPv6.
This article covers the IPv4 version only.
In general, an IP address is a 32-bit number that is normally written as four decimal
numbers between 1 to 255 (8 bits or 1 byte each), each separated from the other by a
decimal point. This standard is known as “Dotted Decimal Notation”.
e.g.- 117.200.77.110
IP addresses are divided into a number of ranges/classes as given in the table below:
Class Range
A 0.0.0.0 to 127.255.255.255
B 128.0.0.0 to 191.255.255.255
C 192.0.0.0 to 223.255.255.255
D 224.0.0.0 to 239.255.255.255
E 240.0.0.0 to 255.255.255.255
e.g.- IP Address 192.168.24.114 belongs to Class ‘C’.
How to find out the IP address of your system?
1) Connect to the Internet.
2) Launch MS-DOS Command Prompt.
3) Type “netstat -n”, Press Enter.
You will get the output similar to following-
The IP Address shown in local address field denotes IP Address of your system.
In this case it is 117.200.160.151
IP Address Formats :-
Four different formats of an IP address, with an example of each, are given below:
1) Domain Name System (DNS) : www.insecure.in
2) DWORD Format : 2928008962
3) Octal Format : 0256.0205.0337.002
4) Dotted Decimal Format : 174.133.223.2
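The four formats above are different spellings of the same 32-bit value, and the following added example (written for this page, not from the tutorial) converts between the three numeric ones and assigns the class from the table above. It goes a little beyond the text with `canonicalize`, which accepts any of the three numeric spellings and returns dotted decimal: a blocklist or log search that only matches the dotted form misses the DWORD and octal forms, so normalising first is the defender's counterpart to the observation that all of them reach the same site. The example values are the page's own (174.133.223.2, 2928008962, 0256.0205.0337.002); the function names are this example's.

```python
import socket
import struct


def dotted_to_dword(dotted):
    """Dotted decimal -> DWORD: the whole 32-bit address as one unsigned integer."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def dword_to_dotted(dword):
    return socket.inet_ntoa(struct.pack("!I", dword))


def dotted_to_octal(dotted):
    """Each octet as a zero-prefixed octal number. Extra leading zeros are optional,
    so 0256.0205.0337.002 and 0256.0205.0337.02 denote the same address."""
    return ".".join("0%o" % int(octet) for octet in dotted.split("."))


def octal_to_dotted(octal):
    return ".".join(str(int(octet, 8)) for octet in octal.split("."))


def ip_class(dotted):
    """Class from the first octet, per the A-E table above."""
    first = int(dotted.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def canonicalize(addr):
    """Normalise a DWORD, all-octal or dotted-decimal spelling to dotted decimal.
    Mixed spellings (some octets octal, some decimal) are rejected rather than guessed."""
    parts = addr.split(".")
    if len(parts) == 1 and addr.isdigit():
        value = int(addr)
        if value > 0xFFFFFFFF:
            raise ValueError("DWORD out of 32-bit range: %s" % addr)
        return dword_to_dotted(value)
    if len(parts) != 4:
        raise ValueError("unsupported address form: %r" % addr)
    if all(p.startswith("0") and len(p) > 1 for p in parts):
        return octal_to_dotted(addr)
    octets = [int(p) for p in parts]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % addr)
    return ".".join(str(o) for o in octets)


if __name__ == "__main__":
    for spelling in ("174.133.223.2", "2928008962", "0256.0205.0337.002"):
        canon = canonicalize(spelling)
        print("%-20s -> %s (class %s, DWORD %d, octal %s)" % (
            spelling, canon, ip_class(canon), dotted_to_dword(canon), dotted_to_octal(canon)))
```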
Converting DNS IP Address into Normal IP Address :-
You can easily get the IP Address of any domain by various methods such as WHOIS,
Netstat, Ping, Traceroute, etc.
Here I have used ‘Ping’ to get IP Address.
1) Connect to the Internet.
2) Launch MS-DOS Command Prompt.
3) Type “ping domainname”, Press Enter.
You will get the output similar to following-

Here, the IP address for the domain “www.insecure.in” is “174.133.223.2”.


Thus typing “http://www.insecure.in” OR “ OR “0256.0205.0337.02” OR
“174.133.223.2” in your browser will take you to the same site.

-: Packet Header Analysis :-


The following are the ICMP, TCP and UDP packet headers in an easy-to-analyze form,
along with short descriptions.
All header drawings by “Matt Baxter” (www.fatpipe.org/~mjb/Drawings/)
ICMP Message Types :- ICMP message type-code/name format
0 Echo Reply
3 Destination Unreachable
4 Source Quench
5 Redirect
8 Echo
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply
Checksum :- The checksum is the 16-bit one’s complement of the one’s complement
sum of the ICMP message starting with the ICMP Type.
RFC 792 :- Please refer to RFC 792 for Internet Control Message Protocol (ICMP)
Specification.

TCP Flags :- C E U A P R S F
C 0x80 Congestion Window Reduced (CWR)
E 0x40 ECN Echo (ECE)
U 0x20 Urgent
A 0x10 Ack
P 0x08 Push
R 0x04 Reset
S 0x02 Syn
F 0x01 Fin
TCP Options :-
0 End of Options List
1 No Operation (NOP, Pad)
2 Maximum Segment Size
3 Window Scale
4 Selective ACK ok
8 Timestamp

Checksum :- Checksum of entire TCP segment and pseudo header (parts of IP header)
Offset :- Number of 32-bit words in TCP header, minimum value of 5. Multiply by 4 to
get byte count.
RFC 793 :- Please refer to RFC 793 for Transmission Control Protocol (TCP)
Specification.
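The flag bits, option kinds and data-offset rule listed above are enough to write a decoder, and the following added example (written for this page, not taken from the tutorial) does so: it maps the flags byte to the names in the table, computes the header length as data offset times 4 with the minimum of 5 words enforced, and walks the options area treating kinds 0 and 1 as single bytes and everything else as kind, length, data. The sample SYN segment is constructed in memory. The length checks in the option walker matter in practice: a decoder that trusts the option length field can be made to read past the header, so malformed options are reported rather than silently accepted.

```python
import struct

# Bit -> name, in the C E U A P R S F order of the table above.
TCP_FLAGS = [(0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
             (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]

TCP_OPTION_KINDS = {0: "End of Options List", 1: "No Operation",
                    2: "Maximum Segment Size", 3: "Window Scale",
                    4: "Selective ACK ok", 8: "Timestamp"}


def decode_flags(flags_byte):
    return [name for bit, name in TCP_FLAGS if flags_byte & bit]


def tcp_header_length(data_offset_byte):
    """Data Offset is the high nibble of byte 12: 32-bit words (min 5); *4 gives bytes."""
    words = data_offset_byte >> 4
    if words < 5:
        raise ValueError("data offset %d is below the minimum of 5 words" % words)
    return words * 4


def parse_tcp_options(opts):
    """Walk the options area. Kinds 0 and 1 are single bytes; all others are
    kind, length, data, where length covers the kind and length bytes too."""
    out = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Options List: stop, rest is padding
            out.append((kind, TCP_OPTION_KINDS[0], b""))
            break
        if kind == 1:                      # NOP: single-byte pad
            out.append((kind, TCP_OPTION_KINDS[1], b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d at offset %d has no length byte" % (kind, i))
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        out.append((kind, TCP_OPTION_KINDS.get(kind, "unknown"), bytes(opts[i + 2:i + length])))
        i += length
    return out


def is_malformed(opts):
    """True if the options area cannot be walked without reading past its end."""
    try:
        parse_tcp_options(opts)
        return False
    except ValueError:
        return True


def parse_tcp_segment(seg):
    sport, dport, seq, ack, off, flags, window, csum, urg = struct.unpack("!HHIIBBHHH", seg[:20])
    hlen = tcp_header_length(off)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": hlen, "flags": decode_flags(flags), "window": window,
            "options": parse_tcp_options(seg[20:hlen]), "payload": seg[hlen:]}


# Constructed SYN: MSS 1460, NOP, Window Scale 7, SACK permitted, EOL + pad = 12 option bytes,
# so the data offset is 5 + 3 = 8 words (32 bytes).
SAMPLE_OPTIONS = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 7, 4, 2, 0, 0])
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 123456, 0, 8 << 4, 0x02, 64240, 0, 0) + SAMPLE_OPTIONS


if __name__ == "__main__":
    parsed = parse_tcp_segment(SAMPLE_SYN)
    print("flags:", parsed["flags"], "header bytes:", parsed["header_len"])
    for kind, name, data in parsed["options"]:
        print("  option %d %-22s %s" % (kind, name, data.hex()))
```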

Source Port :- an optional field, when meaningful, it indicates the port of the sending
process, and may be assumed to be the port to which a reply should be addressed in the
absence of any other information. If not used, a value of zero is inserted.
Destination Port :- Destination Port has a meaning within the context of a particular
internet destination address.
Length :- Length is the length in octets of this user datagram including this header and
the data. (This means the minimum value of the length is eight.)
Checksum :- Checksum is the 16-bit one’s complement of the one’s complement sum of
a pseudo header of information from the IP header, the UDP header, and the data, padded
with zero octets at the end (if necessary) to make a multiple of two octets.
RFC 768 :- Please refer to RFC 768 for User Datagram Protocol (UDP) Specification.
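The ICMP, TCP and UDP checksum definitions above all describe the same computation: the 16-bit one's complement of the one's complement sum over 16-bit words, with a trailing zero octet added when the length is odd, and (for TCP and UDP) a pseudo header built from IP-layer fields prepended to the data. The following added example (written for this page, not from the tutorial or the RFCs) implements that once and applies it to a constructed ICMP echo and a constructed UDP datagram, including the RFC 768 rule that a computed checksum of zero is transmitted as all ones. The sample addresses and ports are constructed. Verification uses the property that summing a message together with its correct checksum gives zero, which is how a receiver checks integrity without recomputing the sender's steps.

```python
import socket
import struct


def internet_checksum(data):
    """16-bit one's complement of the one's complement sum (RFC 1071).
    Odd-length input is padded with one zero octet, as RFC 768 requires."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo(msg_type, ident, seq, payload=b""):
    """Build an ICMP echo (type 8) or echo reply (type 0) with its checksum filled in.
    The checksum covers the whole ICMP message, starting at the Type field."""
    hdr = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = internet_checksum(hdr + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def icmp_checksum_ok(msg):
    """A message that contains its own correct checksum sums to zero."""
    return internet_checksum(msg) == 0


def udp_pseudo_header(src_ip, dst_ip, udp_length):
    """Source address, destination address, zero, protocol 17, UDP length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, udp_length)


def udp_datagram(src_ip, dst_ip, sport, dport, payload):
    """Build a UDP datagram whose checksum covers pseudo header + UDP header + data."""
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = internet_checksum(udp_pseudo_header(src_ip, dst_ip, length) + hdr + payload)
    if csum == 0:
        csum = 0xFFFF                        # RFC 768: zero means "no checksum", so send all ones
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def udp_checksum_ok(src_ip, dst_ip, dgram):
    """None if the sender transmitted no checksum (field zero), else True/False."""
    length, csum = struct.unpack("!HH", dgram[4:8])
    if csum == 0:
        return None
    return internet_checksum(udp_pseudo_header(src_ip, dst_ip, length) + dgram) == 0


def checksum_field(msg, offset):
    return struct.unpack("!H", msg[offset:offset + 2])[0]


if __name__ == "__main__":
    ping = icmp_echo(8, 0, 0)                 # constructed: empty echo request, id 0, seq 0
    print("ICMP checksum 0x%04x valid=%s" % (checksum_field(ping, 2), icmp_checksum_ok(ping)))
    dg = udp_datagram("192.168.1.1", "192.168.1.2", 12345, 53, b"ping")   # constructed
    print("UDP checksum 0x%04x valid=%s" % (checksum_field(dg, 6),
                                             udp_checksum_ok("192.168.1.1", "192.168.1.2", dg)))
```

Changing a single payload byte, or verifying the UDP datagram against a different source address, makes the check fail, which is the point of including the pseudo header: a datagram delivered to the wrong host does not verify even though its own bytes are intact.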
Source: Insecure
2010 03/06