Marcus Pinto wrote:
> Something I've been thinking about for a while now....
>
> If you can record arbitrary packets, can you replay them?
>
> For instance, go to promiscuous mode, record packets issued by a server
> in a conversation with a workstation, then replay them as your own at a
> later date.
>
> Or log a conversation locally from a trusted IP, then replay that
> conversation from a spoofed address?
>
> Or even just send the following (where 10.0.0.1 is a trusted IP you're
> spoofing with)?
>
> ---> 10.0.0.1 SYN
> ---> 10.0.0.1 ACK
>
> # in theory the victim will send a SYN/ACK to the REAL 10.0.0.1, but
> # you could send an ACK anyway and spoof a full connection... as long as
> # you got the lag right...
>
> #then
>
> ---> 10.0.0.1 arbitrary data
>
> Thoughts?

A replay like this should be easy to do (a simple libpcap + libnet app could do this, takes a couple of hours to devel) - however you would not get full connections to the server, because the sequence numbers (tcp-header-stuff) would not match, and the server would drop your packets after the first two or so..

This could perhaps work against a win95 box that just rebooted (someone once told me that win95 increments the sequence-number by 1 at a time; so with some fiddling you should be able to replay traffic like this, but it would be VERY sensitive and would only work if you were alone with that computer on this network), and it could perhaps work with other systems of similar weakness (which I believe is quite few).

It is a good idea, though - you should read some whitepapers on this subject, quite interesting - session hijacking is more fun ;)

-t.
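The sequence-number check the reply relies on, as an added model (not code from either poster): the server only completes the handshake if the third segment acknowledges the ISN it chose in its own SYN/ACK, so a sender who never saw that SYN/ACK has to guess. The two ISN policies and all function names are assumptions of this toy model, with the incrementing policy standing in for the win95 behaviour the reply describes.

```python
"""Toy model of the server side of a TCP three-way handshake.

Shows why the blind "SYN, then ACK" sketched in the quoted mail is dropped
by a stack with unpredictable initial sequence numbers (ISNs), and why an
ISN that grows by one per connection removes that protection.  This is a
model of the check, not real packet handling.
"""
import secrets

MASK32 = 0xFFFFFFFF  # TCP sequence numbers are 32-bit, wrapping


def random_isn(_previous_isn):
    """Modern policy (assumed): each connection gets an unpredictable ISN."""
    return secrets.randbits(32)


def incrementing_isn(previous_isn):
    """Weak policy described in the reply: ISN is the last one plus one."""
    return (previous_isn + 1) & MASK32


def server_checks_ack(server_isn, ack_number):
    """The server accepts the handshake's third segment only if it
    acknowledges exactly the SYN/ACK it sent, i.e. ack == ISN + 1."""
    return ack_number == ((server_isn + 1) & MASK32)


def blind_third_packet(isn_policy, last_recorded_isn):
    """A sender whose SYN/ACK went to the real 10.0.0.1 never sees the
    server's new ISN; the best it can do is extrapolate from an ISN it
    recorded in an earlier conversation.  Returns True if the server would
    accept the guessed ACK, False if the segment is dropped."""
    server_isn = isn_policy(last_recorded_isn)      # what the server really chose
    guessed_ack = (last_recorded_isn + 2) & MASK32  # "previous ISN + 1", then + 1
    return server_checks_ack(server_isn, guessed_ack)


if __name__ == "__main__":
    recorded = 0x1234_5678  # constructed: ISN seen in a recorded conversation
    print("random ISN, blind ACK accepted: ", blind_third_packet(random_isn, recorded))
    print("incrementing ISN, blind ACK accepted:", blind_third_packet(incrementing_isn, recorded))
```

With a random ISN the guess succeeds with probability about 2^-32 per attempt, which is why the reply expects the server to drop the spoofed segments after the first two.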
This archive was generated by hypermail 2b30 : Wed May 02 2001 - 09:15:54 PDT