Part II: Advanced spoofing (Blind)




4. How to use the source code
----------------------------- 



4.1 SEQ-scan
------------


It all kinda explains itself...

required <args> are:
  -t <target>  host you want to scan
  -p <server>  port you want to use for scanning
[options] are:
  -v           verbose
  -a           do all tests

A little note on the output: with some of the SunOS machines I played with, I got
weak relations (time relation coeff. about 9). Sometimes (due to delays)
these can slip through and generate a higher coeff., and thus seem hard to
attack, so always do your scans at least twice, at different times.

These hosts also needed a 10000 packet guess to give a 1/10 success rate...
(This to put y'r feet back on the ground.)
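
The "weak relation" SEQ-scan reports is a measure of how closely a host's
initial sequence numbers follow its clock. The text does not define its
"time relation coeff.", so the following added example (not code from
SEQ-scan or Spoofit) uses two standard statistics in its place: the Pearson
correlation between probe time and ISN, and the standard deviation of the
residuals after fitting ISN against time. The probe data is constructed, not
sampled from any host; the "clock" generator models the classic 4.2BSD scheme
(128000/s plus 64000 per connection) and adds a few milliseconds of delay
jitter on the prober's side, which is the effect the note above describes.
The 1000-unit threshold for calling a host predictable is an assumption.

```python
r"""Audit how predictable a host's TCP initial sequence numbers (ISNs) are.

Added example, not code from SEQ-scan or Spoofit.  A small residual spread
after a linear fit means anyone who knows when a connection was opened can
narrow its ISN to a small window; RFC 1948 / RFC 6528 ISN randomisation exists
to make that spread enormous, so on an audited host "predictable" should be
False.
"""
import math
import random
from typing import List, Tuple

Sample = Tuple[float, int]  # (seconds since first probe, as seen by the prober; ISN)


def linear_fit(xs: List[float], ys: List[float]) -> Tuple[float, float]:
    """Least-squares slope and intercept of ys against xs."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx if sxx else 0.0
    return slope, my - slope * mx


def pearson(xs: List[float], ys: List[float]) -> float:
    """Correlation coefficient; close to 1.0 means ISN is a linear function of time."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy) if sxx and syy else 0.0


def assess_isn(samples: List[Sample], window: int = 1000) -> dict:
    """Fit ISN = slope * t + intercept and report how far the real ISNs stray.

    `window` (sequence-number units) is the residual spread below which the
    generator is flagged predictable; 1000 is an assumed threshold for this demo.
    """
    xs = [t for t, _ in samples]
    ys = [float(isn) for _, isn in samples]
    slope, intercept = linear_fit(xs, ys)
    residuals = [y - (slope * x + intercept) for x, y in zip(xs, ys)]
    spread = math.sqrt(sum(r * r for r in residuals) / len(residuals))
    return {
        "correlation": pearson(xs, ys),
        "isn_per_second": slope,
        "residual_stddev": spread,
        "predictable": spread < window,
    }


def constructed_samples(kind: str, count: int = 40, seed: int = 1) -> List[Sample]:
    """Constructed probe data, one connection per second; no real host was sampled.

    "clock":  a 4.2BSD-style generator advancing 128000/s plus 64000 per
              connection.  The host stamps the ISN at its own clock tick; the
              prober sees the reply a few ms later, which is the "delay" the
              text warns can make the relation look weaker than it is.
    "random": a 32-bit random ISN, as a modern stack produces.
    """
    rng = random.Random(seed)
    out: List[Sample] = []
    for i in range(count):
        observed_t = float(i) + rng.uniform(0.0, 0.002)  # network-delay jitter
        if kind == "clock":
            isn = (128000 * i + 64000 * i) % 2**32  # wrap-around ignored for a short run
        else:
            isn = rng.getrandbits(32)
        out.append((observed_t, isn))
    return out


if __name__ == "__main__":
    for kind in ("clock", "random"):
        print(kind, assess_isn(constructed_samples(kind)))
```

Run twice at different times as the text advises: a single burst of delayed
replies inflates the residual spread and can make a clock-driven generator
look safer than it is.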


4.2 Eriu
--------


usage: eriu <arguments>
Arguments are:
  -s host:port  Spoofed Host (required)
                This is the host you will pretend to be.
  -t host:port  Target Host (required)
                This is the host you want to attack.
  -f filename   Packet contents commandfile (required, except with '-P')
                This file describes the data that will be sent; for the exact
                format see below.
  -p port       Source Port used for scanning (default 23)
                On this port the Probes will be done; note it has to be
                accepting connections!
  -c count      Number of guesses to make (default 64k:20 other:500)
                This is the number of ACKs that are sent; they are
                centered around the guess.
                e.g. '-c 501' will try the ACKs guess-250 to guess+250.
                Mind you that numbers like 10000 are realistic for
                successful attacks.
  -o offset     Extra offset to add to guessed ACK
                It takes the guessed ACK and adds this (negative or positive)
                number to it before firing any packets.
  -d delay      Seconds of delay between parts of the attack (default:1)
                You may have to raise this number; it represents a delay
                between different parts of the program.
  -P            Probe for guessing range
                This can be used to give you an idea of the '-c' parameter.
  -F            Enter the ACK guess y'rself (test/practice purposes)
                For home amusement when practicing...

Now let me discuss the commandfile; it is quite easy.
  1) It is an ASCII file (create it with a text editor).
  2) It is line oriented: everything on one line will be put in one
     packet.
  3) All printable chars that you type are put in the packet.
  4) '\' followed by a THREE digit number is interpreted as the ASCII char
     with the decimal value of that number.
     e.g. \000 represents the null character
          \010 represents char 0x0A
  5) '\' followed by 'a' (or 'A') and a TWO digit number is interpreted as an
     increment (decimal) of the ACK that is sent (remember the ACK in the
     datastream). This can be useful for some situations.
     e.g. \A10 will increment the ACK by 10 (decimal)

I give you here the example of the file used for the rlogin spoof shown in
this document (no space at beginning of line in real file!):

     \000coder\000spoof\000vt100/9600\000
     \255\255ss\000\025\000\080\000\000\000\000
     spoof\010
     touch This_site_was_hacked\010

The explanation is simple: the first line represents a packet that contains 4
null-terminated strings: (an empty string), "coder", "spoof" and "vt100/9600".
The second line is the rlogin window negotiation.
The third line is the password "spoof" and <enter>.
The fourth line is the command "touch This_site_was_hacked" and an <enter>.
Don't forget those <enters>, because you are in a shell, and it waits with
execution till you hit that big key on the right.

Mind you, that the following would have had the same effect:

     \000
     coder\000
     spoof\000
     vt100/9600\000
     \255\255ss\000\025\000\080\000\000\000\000
     s
     p
     o
     of\010
     touch This_site_was_hacked\010

It would only take more packets.

NOTE: take care of white-space; make sure your lines aren't filled with
      spaces at the end, as these are interpreted as real chars!
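
To make the five commandfile rules and the white-space NOTE concrete, here is
an added example (not Eriu's own parser) that decodes such a file into the
bytes each line would contribute to a packet: '\ddd' becomes one byte with
that decimal value, '\Ann' is recorded as an ACK increment for that line, and
everything else is taken literally, trailing spaces included. The sample input
is the rlogin commandfile shown above plus one constructed fifth line that
exercises the '\A' rule and ends in two spaces; the `Packet` class, the
`decode_line` / `decode_commandfile` functions and the error handling for
malformed escapes are this example's own choices.

```python
r"""Decode an Eriu-style commandfile into the bytes each line would put in a packet.

Added example, not Eriu's own parser.  Decoding the file shows exactly which
bytes a session built from it contains (here the rlogin connection setup of
RFC 1282: four NUL-terminated strings, then the 0xFF 0xFF 's' 's' window-size
message) and makes the trailing-whitespace pitfall from the NOTE visible, since
those spaces survive into the payload.
"""
import re
from dataclasses import dataclass, field
from typing import List

# '\' + three decimal digits -> one byte; '\' + a/A + two decimal digits -> ACK step.
ESCAPE = re.compile(r"\\(?:(\d{3})|[aA](\d{2}))")


@dataclass
class Packet:
    data: bytes                 # payload bytes for this line
    ack_increment: int = 0      # sum of all \Ann escapes on the line
    warnings: List[str] = field(default_factory=list)


def decode_line(line: str) -> Packet:
    """Apply rules 3 to 5 to one commandfile line (given without its newline)."""
    out = bytearray()
    ack = 0
    warnings: List[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\":
            m = ESCAPE.match(line, i)
            if m is None:
                raise ValueError(f"malformed escape at column {i}: {line[i:i + 4]!r}")
            if m.group(1) is not None:
                value = int(m.group(1), 10)           # decimal, so \010 is 0x0A
                if value > 255:
                    raise ValueError(f"\\{m.group(1)} is not a byte value")
                out.append(value)
            else:
                ack += int(m.group(2), 10)            # \A10 adds 10 to the ACK
            i = m.end()
        else:
            code = ord(ch)
            if code > 127:
                raise ValueError(f"non-ASCII character {ch!r} at column {i}")
            out.append(code)                          # rule 3: typed chars go in as-is
            i += 1
    if line != line.rstrip(" \t"):
        warnings.append("trailing white-space kept as payload bytes")
    return Packet(bytes(out), ack, warnings)


def decode_commandfile(text: str) -> List[Packet]:
    """Rule 2: one packet per line.  splitlines() drops the line terminators."""
    return [decode_line(line) for line in text.splitlines()]


# The rlogin commandfile from the text, plus a constructed fifth line that
# exercises the \Ann rule and the trailing-space pitfall (two spaces at its end).
SAMPLE_COMMANDFILE = (
    r"\000coder\000spoof\000vt100/9600\000" "\n"
    r"\255\255ss\000\025\000\080\000\000\000\000" "\n"
    r"spoof\010" "\n"
    r"touch This_site_was_hacked\010" "\n"
    r"\A10exit\010  "
)


if __name__ == "__main__":
    for n, pkt in enumerate(decode_commandfile(SAMPLE_COMMANDFILE), 1):
        print(f"packet {n}: ack+{pkt.ack_increment} {pkt.data.hex(' ')} {pkt.warnings}")
```

Running it on the sample prints the second packet as `ff ff 73 73 00 19 00 50
00 00 00 00`, i.e. 25 rows by 80 columns, which is the window negotiation the
explanation above describes; the fifth packet carries a warning because its
two trailing spaces were kept as bytes.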

4.3 Improvements
----------------

For SEQ-scan, you can figure them out yourself; you can always add fancy stuff,
or do complicated math...
For Eriu, however, I think some things are worth mentioning.
Besides the usual improvements that could be done (more parameter settings
etc.), some additional features could be useful to implement.
Maybe a 'step' parameter for the ACK guessing (see 'countstep' in the
source code).
For example, fragmenting the IP packets can be useful. Also adding
stealth techniques would be nice, things like I mentioned above, like hiding
your probes in real connections (to public services).
Actually you could easily make a 'shell' by making the commands
real-time-typable... enjoy....


Brecht Claerhout: coder@succeed.net