IP Spoofing is not DNS spoofing. Actually, there's very little in common
between the two attacks.
In DNS Spoofing, you want people who type www.amazon.com to reach your web
site (www.geocities.com/someplace/attacker.html). This way, you can build a
web page that looks like Amazon and make people send you their credit cards
thinking they just bought a Christmas present.
IP spoofing means faking another person's IP address, usually for one of two
reasons: to do something the other person can (for example: bypassing TCP
Wrappers by entering an IP address that is allowed to telnet in) or to
'frame' someone by making a third party think the victim was the one who
performed an attack (or in the example below, to curse someone on IRC and
make everybody think it was someone else).
How do we do IP spoofing:
Like someone mentioned before, hping can be used to create arbitrary
packets, which are good for the second attack (framing someone):
http://www.securiteam.com/tools/HPing__a_network_analysis_tool.html
This will not work, however, for TCP/IP sessions (like IRC). Unlike UDP, TCP
requires you to maintain a complete session, which means for example that
you need to acknowledge every packet you receive. Since you don't actually
*receive* the packet (someone else does: The person whose IP you faked) you
don't know the packet's sequence numbering and thus you can't acknowledge
it. Things start to complicate here, as some OSes have weak sequence
numbering and thus these numbers can be guessed (or rather 'brute forced')
but I'll ignore this for now.
To play a bit with TCP/IP spoofing and hijacking (the lovely attack where
you take a live TCP/IP session between the victim and a remote server and
continue it for them - for example, hijack a telnet session after the user
has logged in), try hunt or juggernaut:
http://www.securiteam.com/tools/Hunt__a_new_Hijacking_software.html
http://www.securiteam.com/tools/Juggernaut__a_session_hijacking_tool.html
Try to run it on a victim on your local network (if your network is not
switch based but rather hub based) and you'll have a lot of fun. Note that
you need to be able to 'sniff' the responses in order for the hijacking to
work.
nmap (www.insecure.org/nmap) has a nice port scanning mode where you give IP
addresses of 'decoys' and nmap spoofs port scans from them. This can be used
to 'frame' someone you hate, but also makes it very difficult for the system
administrator to know who really scanned him (imagine being scanned by 100+
machines: Now you have to find out which one of them is the one who actually
scanned you).
How to do DNS Spoofing:
The most common way is 'cache poisoning'. I won't write the whole
explanation of it, since it's available in the link below:
http://www.securiteam.com/windowsntfocus/DNS_Spoofing_and_Windows_NT_DNS.html
(NOTE: URL might be wrapped)
The explanation is about Windows NT DNS, but it is mostly true for Linux as
well.
- Aviram
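
The sequence-number point above, as an added example that is not part of the original message: a constructed Python model (no packets are sent) of the check a TCP listener applies to the final handshake ACK. It contrasts a fixed-increment ISN, which a host that never sees the SYN-ACK can extrapolate, with a keyed per-connection offset in the style of RFC 6528, which it cannot. All names, the documentation-range addresses and the 64000 step are assumptions made for the illustration.

```python
import hashlib
import hmac

MOD = 2 ** 32
STEP = 64000  # constructed fixed increment, standing in for a weak ISN generator


class ToyListener:
    """Constructed model of a TCP listener's handshake check; no packets are sent."""

    def __init__(self, keyed, secret=b"constructed-secret"):
        self.keyed, self.secret = keyed, secret
        self.clock = 0       # stands in for the ISN timer
        self.pending = {}    # claimed (ip, port) -> ISN sent in our SYN-ACK

    def on_syn(self, src):
        self.clock = (self.clock + STEP) % MOD
        offset = 0
        if self.keyed:  # RFC 6528 style: per-connection offset from a keyed hash
            mac = hmac.new(self.secret, repr(src).encode(), hashlib.sha256).digest()
            offset = int.from_bytes(mac[:4], "big")
        isn = (self.clock + offset) % MOD
        self.pending[src] = isn
        return isn           # the SYN-ACK carrying this is routed to `src`

    def on_ack(self, src, ack):
        # The handshake completes only if the ACK equals our ISN + 1.
        isn = self.pending.pop(src, None)
        return isn is not None and ack == (isn + 1) % MOD


def own_handshake(listener, me):
    """A host using its real address receives the SYN-ACK and can answer it."""
    isn = listener.on_syn(me)
    return listener.on_ack(me, (isn + 1) % MOD), isn


def blind_handshake(listener, claimed, last_seen_isn):
    """A host claiming `claimed` never sees the SYN-ACK; it can only extrapolate."""
    listener.on_syn(claimed)
    guess = (last_seen_isn + STEP + 1) % MOD
    return listener.on_ack(claimed, guess)


def demo(keyed):
    listener = ToyListener(keyed)
    ok, seen = own_handshake(listener, ("198.51.100.7", 40000))
    return ok, blind_handshake(listener, ("192.0.2.10", 40001), seen)
```

`demo(False)` models the weak generator and `demo(True)` the keyed one; each returns whether the ordinary handshake and then the blind one were accepted.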
----- Original Message -----
From: "Sagi Bashari" <[EMAIL PROTECTED]>
To: "Tizmo" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, December 26, 2000 7:53 PM
Subject: Re: spoofing DNS..
> Tizmo,
>
> You cannot spoof your IP on IRC today. IRC works on TCP, not spoofable.
> there used to be a way to spoof by exploiting some hole in old versions
> of bind, but 99% of the DNS Servers today are patched.
>
> .. just leave it.
>
> On Tue, 26 Dec 2000, Tizmo wrote:
>
> > let's say i want to connect to an irc server with a spoofed ip, can i do it ?
> > or i want to surf the web not with my real ip..
> > if i and if i can't tell me how can i send pings with a spoofed ip .. and
> > what is hping2 ?
> >
> > ----- Original Message -----
> > From: <[EMAIL PROTECTED]>
> > To: "'Tizmo'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > Sent: Tuesday, December 26, 2000 6:35 PM
> > Subject: RE: spoofing DNS..
> >
> >
> > >
> > > depends what you want to do with it...
> > > don't forget that sending packets from a spoofed ip, will result in no
> > > replies...
> > > if you want to do a spoof icmp or udp attacks you can use hping2 for
> > > instance...
> > > question still stands, what are you trying to accomplish?
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of Tizmo
> > > Sent: Tuesday, December 26, 2000 6:24 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: spoofing DNS..
> > >
> > >
> > > i mean spoofing my ip
> > > ----- Original Message -----
> > > From: "Eddie Harari" <[EMAIL PROTECTED]>
> > > To: "'Tizmo'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > > Sent: Tuesday, December 26, 2000 2:24 PM
> > > Subject: RE: spoofing DNS..
> > >
> > >
> > > > what exactly do you mean by spoofing DNS ,
> > > >
> > > > reply to requests that came to your dns server with fault data ???
> > > > or spoof your IP ?
> > > >
> > > > -----Original Message-----
> > > > From: Tizmo [mailto:[EMAIL PROTECTED]]
> > > > Sent: Tuesday, December 26, 2000 12:24 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: spoofing DNS..
> > > >
> > > >
> > > > hey list,
> > > > i heard about spoofing dns in linux .. like, changing your ip address to
> > > > what ever you like it to be.
> > > > i just wanted to know if it's true and if it is i really would like to know
> > > > how it can be done.
> > > > thanks.
> > > >
> > > >
> > > > =================================================================
> > > > To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > > the word "unsubscribe" in the message body, e.g., run the command
> > > > echo unsubscribe | mail [EMAIL PROTECTED]
> > > >
> > > >
> > > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> >
> >
> >
> >
>
> _
> ___ __ _ __ _(_) Sagi Bashari
> (_-</ _` / _` | | - [EMAIL PROTECTED]
> /__/\__,_\__, |_|
> |___/
>
>
>
>