
Part II: Advanced spoofing (Blind)




2. General information
----------------------


What is IP spoofing? IP spoofing is pretending to be another host at the IP 
level: you send packets whose source address is that host's address, not 
yours. The usual reason for doing this (not the sole purpose, but by far the 
most common one) is to abuse a relation of trust that is based on nothing 
more than identification by IP address. 

So we will have to find a trust relation between the host we want to 
attack and some other host. The most popular trust relation is the '.rhosts' 
file; as you know, many others exist. I won't discuss that topic here. 

Mind you, this is not the only use for spoofing. Suppose you already have 
some information on a system (say the password file, obtained through some 
security hole such as a CGI script, and cracked), but no connections are 
accepted except from a few specified hosts (TCP wrappers' 'hosts.allow' and 
'hosts.deny'). Well, you can spoof a connection from one of those hosts, make 
some 'adjustments' and open the system to yourself...

Throughout this document I will use the following names for the hosts:
  X is the target host (the one we want to hack).
  T is the host that is trusted by X.
  A is our host (the Attacker).

A has no relation whatsoever with X or T; this was not the case when we 
discussed non-blind spoofing.
Now the problem with blind spoofing is that we never see the contents of 
the packets that are generated by X. Let me explain:
All the packets we (host A) send appear to come from host T (we spoof 
them as going from T to X). So when X receives such a packet, it thinks T is 
contacting it (which is our goal). 
But host X will send all its answers (packets) to T, and they will never be 
seen by host A. Thus we will NOT be able to see what happens, and we need to 
see it (see Sequence numbers, 3.1, below). 
There are methods to work around this problem; they are briefly 
described below.


2.1 Source Routed IP
--------------------


The IP protocol has a feature (an option) called Source Routing (either 
'strict' or 'loose') that makes it possible for the sender to specify the 
route a packet has to follow. 
As the packet travels along that route, each hop it visits writes its own 
address into the option (in the place of the forward route), so the receiver 
ends up with the route that was actually taken, and it is expected to send 
any answers back along the reverse of that recorded route.

So if we could use source-routed IP packets, we would spoof a packet as 
coming from host T and include a route that leads back to us (host A) 
instead of to the real host T; X's answers would then pass through A.
Luckily (depending on which side you look at it from) this isn't possible 
in general. Most routers, gateways and hosts drop source-routed IP packets in 
their standard manufacturer configuration. To give an example: when compiling 
a Linux kernel (in the 'make config' stage) you are explicitly asked whether 
you want to accept or drop source-routed IP packets; on current kernels the 
same choice is the sysctl 'net.ipv4.conf.all.accept_source_route', which 
defaults to 0 (drop).

So we can generally say this method has a very low chance of success.
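As an added example (my own code, not from the original page or from the 
Spoofit tools), here is the option encoding and the receiver-side processing 
the paragraphs above describe, in Python: A forges a packet 'from T' to X 
whose loose source route option claims the packet already passed through A, X 
reverses that recorded route for its reply, and the reply therefore arrives 
at A. The step where A relays the answer on to T is my own addition so that 
the hop processing of RFC 791 is visible; the addresses are constructed from 
the RFC 5737 documentation ranges and the sysctl named in accept_packet() is 
the modern form of the kernel configuration question mentioned above.

```python
"""Loose source routing (IP option 131, RFC 791) in the section 2.1 scenario:
A forges a packet 'from T' to X carrying a recorded route through A, X
reverses that route for its reply, so the reply lands on A. The last
function is the receiver-side check that defeats this on a normal host."""
import ipaddress
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 0x83, 0x89
# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
HOST_X, HOST_T, HOST_A = "192.0.2.10", "192.0.2.20", "198.51.100.5"

def checksum(data):
    """One's-complement header checksum; yields 0 over an intact header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def lsrr_option(hops, traversed=False):
    """type, length (3 + 4n), pointer, addresses. pointer=4 points at the
    first hop still to visit; past the end means all hops already recorded."""
    route = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    length = 3 + len(route)
    return bytes([IPOPT_LSRR, length, length + 1 if traversed else 4]) + route

def ipv4_header(src, dst, options=b"", proto=6, ttl=64):
    """IPv4 header plus options, EOL-padded to a 32-bit boundary."""
    options += bytes(-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4, 0, 0, ttl, proto,
                      0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed) + options
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def find_source_route(header):
    """Offset of the LSRR/SSRR option in the header, or None."""
    i, ihl = 20, (header[0] & 0x0F) * 4
    while i < ihl and header[i] != IPOPT_EOL:
        if header[i] in (IPOPT_LSRR, IPOPT_SSRR):
            return i
        i += 1 if header[i] == IPOPT_NOP else max(header[i + 1], 2)
    return None

def source_route(header):
    """(pointer, [hops]) of the source route option, or None."""
    i = find_source_route(header)
    if i is None:
        return None
    body = bytes(header[i + 3:i + header[i + 1]])
    return header[i + 2], [str(ipaddress.IPv4Address(body[j:j + 4]))
                           for j in range(0, len(body), 4)]

def reply_route(header):
    """The final receiver (RFC 1122) reverses the recorded route for its
    answers: returns (first hop, remaining hops ending in the original source)."""
    src = str(ipaddress.IPv4Address(bytes(header[12:16])))
    sr = source_route(header)
    path = (list(reversed(sr[1])) if sr else []) + [src]
    return path[0], path[1:]

def forward_one_hop(header, my_addr):
    """RFC 791 processing at the host currently in the destination field: the
    next route entry becomes the destination, our own address is recorded in
    the slot consumed, the pointer advances. Pointer past the end: we are the
    final destination, nothing changes."""
    hdr = bytearray(header)
    i = find_source_route(hdr)
    if i is None or hdr[i + 2] > hdr[i + 1]:
        return bytes(hdr)
    slot = i + hdr[i + 2] - 1            # pointer is 1-based from option start
    next_hop = bytes(hdr[slot:slot + 4])
    hdr[slot:slot + 4] = ipaddress.IPv4Address(my_addr).packed
    hdr[16:20] = next_hop
    hdr[i + 2] += 4
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr)

def accept_packet(header, accept_source_route=False):
    """Receiver policy matching Linux net.ipv4.conf.all.accept_source_route=0."""
    return accept_source_route or find_source_route(header) is None

def scenario():
    # 1. A forges 'T -> X' with an option claiming the packet passed through A.
    forged = ipv4_header(HOST_T, HOST_X, lsrr_option([HOST_A], traversed=True))
    # 2. If X honours source routes, its answer goes to A first, then on to T.
    first_hop, rest = reply_route(forged)
    reply = ipv4_header(HOST_X, first_hop, lsrr_option(rest))
    # 3. A now holds X's answer; relaying it keeps T (and the connection) happy.
    relayed = forward_one_hop(reply, HOST_A)
    return {"reply_dst": first_hop, "reply_route": rest,
            "relayed_dst": str(ipaddress.IPv4Address(relayed[16:20])),
            "recorded": source_route(relayed)[1],
            "dropped_by_default": not accept_packet(forged)}

if __name__ == "__main__":
    print(scenario())
```

Running it shows the reply leaving X with destination A and a route of [T], 
and the relayed copy leaving A with destination T and A in the recorded 
route, which is exactly what makes the trick attractive. The same 
accept_packet() check, applied by X before anything else, is why it fails on 
a host that drops source-routed datagrams.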


2.2 Rerouting 
-------------


A similar method to retrieve the 'invisible' packets is to mess with the 
route, by sending spoofed routing packets to the target host and to the 
gateways on the path. For more information, read up on routing protocols 
such as RIP, EGP, ... (See "Internet Official Protocol Standards" for 
goodies.) This is not discussed in this document; maybe I'll write something 
up later, maybe not...

NOTE: ICMP redirect springs to mind here, but remember that a redirect only 
      changes the host's route to one specific destination (the one named 
      in the redirect), that a host only accepts it when it comes from the 
      gateway it is currently using as first hop for that destination, and 
      that the new gateway has to lie on the host's own network. That makes 
      them pretty useless for our purpose.


Brecht Claerhout: coder@succeed.net