Ankit Fadia Certified Ethical Hacker (AFCEH) 2.0

The Art of IP Spoofing by Ankit Fadia


IP Spoofing is probably the ultimate trick or attack that an attacker can execute on
the target system. Almost all wannabe computer experts dream of being able to spoof
their IP Address and fool the target system into establishing illegitimate connections. If
successfully executed, IP spoofing is definitely one of the smoothest and most classic attacks
on the Internet. However, IP spoofing attacks are quite complex and very few attackers
have actually been able to spoof their identity successfully.

IP Spoofing is a process wherein an attacker fools or tricks the target system into
believing that the data packets being sent actually originated on a system other than the
real source system. In other words, IP spoofing is a technique that allows an attacker to
change or disguise his real identity while communicating with the target system. In this
technique, the data packets that the attacker sends to the target system will seem to
originate at some other arbitrary system.

For Example

Consider a scenario wherein the following system addresses exist:

1. Attacker: 111.11.11.11 (REAL)

2. Victim: 222.22.22.22 (VICTIM)

3. Fake: 33.33.33.33 (FAKE)

Under ordinary circumstances, when REAL sends data packets to VICTIM, the source
address of these packets will clearly be REAL. In the case of IP spoofing, however, REAL
sends data packets to VICTIM in such a manner that their source address is that of the FAKE
system. In other words, IP spoofing is a process wherein REAL is able to send data to
VICTIM so that it seems to have originated at FAKE. This process of fooling the remote
system into believing that you are someone else is known as IP spoofing and is
commonly exploited to carry out a variety of attacks.

A very good real life analogy to understand IP spoofing better is that of three
people: A, B and C. Consider a scenario wherein A wants to fool C over the phone into
believing that it is talking to B. In order to achieve this goal, A will telephone C and
disguise his voice so that he sounds like B. If A can successfully disguise his true identity
and pretend to be (or sound like) B, then a successful telephone spoofing is executed. In
an IP spoofing attack, three computers are involved instead of three people. However,
taking the analogy of the three people a bit further, it is quite clear that for the telephone
spoofing to succeed, the following must be true:

1. C should not already be communicating with B.

2. C should not be able to contact B using some other means and discover that B
is not actually busy on the phone with him/her.

Copyright 2004. All rights Reserved.


Challenges Faced

The biggest challenge that an attacker faces while performing IP spoofing is the
fact that the attack is a blind one. Since all data packets sent to the target computer in an
IP spoofing attack carry spoofed source addresses, the attacker never receives any update
on the status of the attack. For this reason an IP spoofing attack is also known as a blind
attack: throughout the attack, the attacker does not know whether it is succeeding or not. If
something goes wrong, on most occasions the attacker remains oblivious to the problem. IP
spoofing attacks are literally performed blindly, with the attacker taking the liberty of
assuming that things went as planned.

This blind nature of the IP spoofing attack becomes evident in the first step of the
attack itself. Typically in such an attack, the ATTACKER sends spoofed data packets to
the VICTIM, making it believe that they were actually sent by FAKE. Assuming that
these spoofed data packets were successful, VICTIM will reply to FAKE and not to
ATTACKER. Since all replies sent by VICTIM reach FAKE, ATTACKER gets no feedback
on the progress of the attack. Typically, according to the TCP/IP connection establishment
rules, each time IP spoofing is executed the following steps are followed:

If REAL wants to establish a TCP/IP connection with VICTIM without spoofing any IP
address, then typically the following three-way handshake takes place:

1. REAL sends a SYN packet to VICTIM.

2. VICTIM sends back a SYN/ACK packet to REAL.

3. REAL acknowledges this by sending back an ACK packet to VICTIM.

In this case, since REAL did not attempt to spoof its identity, it received a
continuous update on the status of the connection. However, if REAL is an ATTACKER
and wants to spoof his IP address and make it appear to be FAKE, then the procedure is
quite different. In such a case, the following steps are followed:

1. ATTACKER sends a SYN packet to VICTIM in such a manner that it seems to
have originated at FAKE. In purely networking terms, in the first step, VICTIM
receives a connection request (SYN packet) from FAKE.

2. Since VICTIM received the SYN packet from FAKE, in the second step it
sends back a SYN/ACK packet to FAKE. This means that ATTACKER does not
receive any reply or packets from VICTIM in this step. This step brings us to the
blind part of IP spoofing, where ATTACKER can only wait for some time to
pass. ATTACKER then assumes that in this time FAKE has received a
SYN/ACK packet from VICTIM. There is no way for ATTACKER to find out
whether VICTIM has actually sent a SYN/ACK packet to FAKE or not. This
means that there is no way for the attacker to figure out whether the target
computer has fallen for the IP spoofing attack or not.

3. After waiting for some time to pass, ATTACKER then sends a spoofed ACK
packet to VICTIM to acknowledge that FAKE has indeed received the SYN/ACK
packet. Again, this is a blind step that simply assumes that VICTIM has actually
sent the SYN/ACK packet and that FAKE has indeed received it as well.

4. Once the above steps have been executed successfully, ATTACKER is able to
establish a complete spoofed TCP/IP connection between VICTIM and FAKE.

Unfortunately, the above procedure itself presents us with a very unique problem.
In the second step in IP spoofing, VICTIM sends a SYN/ACK packet to FAKE in
response to the spoofed SYN packet sent by the ATTACKER. This response sent by
VICTIM to FAKE can lead to a few complications. Depending upon the state of FAKE
there can be two cases:

1. FAKE exists

If FAKE is a real system on the Internet, then the SYN/ACK packet sent
by VICTIM will actually arrive at FAKE. Since FAKE never requested that a
connection be established, when it receives this packet it will not know what to
do with it. Since FAKE does not know what should be done with the packet, it
will simply discard it and send back a NACK (Non Acknowledgement) packet to
VICTIM. Typically, a NACK message is sent by a system to terminate a
connection, resulting in no further communication between the two systems.

When VICTIM receives this NACK packet from FAKE, it will
immediately terminate the spoofed connection request initiated by ATTACKER.
As a result, the spoofed connection attempt between VICTIM and FAKE will be
turned down and discarded. This means that if FAKE exists and does actually
send a NACK packet to VICTIM, then REAL’s attempt to perform IP spoofing
will fail.

The above problem can be compared to the analogy of a telephone
conversation. If ‘A’ telephones ‘C’ and pretends to be ‘B’, then this spoof can be
successful only if ‘B’ does not interrupt the spoofing process. This brings us to the
first golden rule of IP spoofing:

Rule 1: IP Spoofing can only be successful if the FAKE system does not interrupt
the spoofing attempt by sending packets to the VICTIM.

2. FAKE does not exist

When VICTIM sends the SYN/ACK packet to FAKE, the routers attempt to
deliver it to FAKE. However, if FAKE does not exist, then after a while the
connection simply times out and VICTIM drops it. As a result, if FAKE does not
exist, a timeout occurs and ATTACKER’s attempt to perform IP spoofing fails.
This brings us to the second golden rule of IP spoofing:

Rule 2: IP Spoofing can only be successful if the FAKE system exists and is
connected to the Internet.

Hence, based upon the above discussions, one can arrive at a few conclusions
regarding the challenges faced while performing IP spoofing:

1. Blind Attack
IP Spoofing is a blind attack and ATTACKER does not receive any feedback on
the progress, success or failure of an IP spoofing attack. All spoofed data packets
sent by ATTACKER to VICTIM are sent under a few assumptions or premises
and also involve a lot of luck.

2. Conditional Attack

For ATTACKER to successfully spoof his identity and pretend to be FAKE, the
following conditions must hold:

a) FAKE must be alive and connected to the Internet.

b) FAKE must not at any point interfere in the IP spoofing attack. If that
happens, then the game is up. Hence, it is very important for ATTACKER
to somehow disable or stop FAKE from replying to VICTIM.

c) Typically an attacker chooses FAKE such that it enjoys a trust relationship
with VICTIM.

Before one can start executing IP spoofing attacks, it is important to first
understand the networking concepts involved in IP spoofing.

Networking Basics involved in IP Spoofing

Sequence numbers are an integral part of the TCP/IP communication process.
Without sequence numbers, data could not be properly sent from the source system
to the destination system. It is only with the help of sequence numbers that a
destination system is able to reassemble the smaller chunks of data into the larger
whole. Typically, each time data has to be transferred from the source to the
destination, the following steps are followed:

1. At the source system, the data to be transferred is broken down into smaller,
more manageable chunks of data. It is important to note that the large chunk
of data is broken down by the source system into smaller chunks of data by
following a certain order or sequence. In other words, the first byte has the
first sequence number, while the second byte has the second sequence number
and so on.

2. These sequenced data chunks are then sent by the source system to the
destination system over the network. Data packets are free to independently
travel over the Internet. As a result, data packets may or may not arrive at the
destination system in the same order in which they were sent by the source
system. More often than not, data packets arrive at the destination system out
of sequence. For example, data packets may arrive in the sequence 3,2,4 and
then 1.

3. This is where the importance of sequence numbers comes in. The destination
system uses the sequence numbers of the data packets to put back the (out of
order) received data packets into the correct order. If the correct order or
sequence is not followed while putting the data back together, then the
original data may or may not be recovered. This means that sequence numbers
are extremely important for the proper functioning of TCP/IP. The application
running at the destination system automatically builds up the large chunk of
data by reassembling the smaller chunks in the correct order as directed by the
sequence numbers.

4. Moreover, sequence numbers help the Transmission Control Protocol or TCP
to remain a reliable protocol that can deal with lost, duplicated and unordered
data packets.

The following is the TCP header of a typical data packet sent by a host to the
destination system over the network:

-----------------------------------------------------------------
|          Source Port          |       Destination Port        |
-----------------------------------------------------------------
|                        Sequence Number                        |
-----------------------------------------------------------------
|                     Acknowledgment Number                     |
-----------------------------------------------------------------
| Data  |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
-----------------------------------------------------------------
|           Checksum            |        Urgent Pointer         |
-----------------------------------------------------------------
|                    The Actual Data follows                    |
-----------------------------------------------------------------

NOTE: In the following paragraphs all fields and values discussed, actually belong to a
data packet sent by a host to a client.

Each data packet being sent across the network has a specific sequence number
that is stored in the TCP header. Typically, a sequence number is a 32-bit number and its
value can be anywhere between 1 and 4,294,967,295. From an attacker’s point of view, it
is very important to be able to understand and predict how sequence numbers are actually
assigned to data packets. The assignment of sequence numbers to data packets depends
on a number of different factors.

Each system is assigned a specific initial sequence number or ISN during the
bootstrapping period. On most occasions, the ISN value assigned to a host at the time of
bootstrapping is 1. This ISN value keeps changing automatically, incrementing with the
passage of time, the transfer of data packets and the establishment of new connections.
Each time a system establishes a new connection, the current value of its ISN is used as
the sequence number of the first data packet sent to the client (with whom the connection
is to be established). Typically, the ISN of a system is incremented by 128,000 with every
passing second and by 64,000 with every new connection that is established. This means
that, assuming no network activity takes place on a system, its ISN value wraps around
every 9.32 hours.

For Example

Based upon the above rules, if the ISN of a host were 1897737287, then after 3
connections and 2 seconds its ISN will become equal to:
1897737287 + (3 * 64,000) + (2 * 128,000)

It is important to note that the sequence number of the first byte of data being sent
by the host to the client is equal to its ISN plus one. This is because the SYN flag takes
up 1 sequence number. This will be clearer after the sequence numbers and connection
establishment section.

Each data packet being sent across the network also has an acknowledgment
number field that contains another 32-bit sequence number. In this example, the number
stored in the acknowledgment field represents the sequence number of the next data that
the host expects the client to send. This means that the acknowledgment number field
actually contains the sequence number of the client and not the host. It also acknowledges
that all data up to this byte minus one has already been safely received.

Sequence Numbers and Connection Establishment/Termination

For a complete TCP/IP connection to be successfully established between the
client and the host, a full 3-way handshake must be executed between the two systems. A
typical 3-way TCP/IP handshake is executed by following the steps below:

1. In the first step, the client sends a SYN (synchronization) packet to the host,
requesting that a connection be established. Amongst the regular information
carried by all packets, like destination and source IP addresses and port numbers,
the SYN packet also carries the following critical information:

Client’s ISN: The client sends its initial sequence number (ISN) to the host to
facilitate the data communication process. Let us assume that in this case study
the ISN of the client is 4894305.

Acknowledgement Number: The client sets the acknowledgement field to 0, since
there is no data (sent by the host) that needs to be acknowledged. Moreover, since
the client does not yet know the sequence number of the host, there is no way the
acknowledgment number can be calculated.

2. In the second step, the host sends back a SYN/ACK packet to the client. Amongst
the regular information, this data packet primarily contains the following
important information:

Server’s ISN: The host now sends its own ISN to the client to facilitate the data
communication process. Let us assume that the server’s ISN is 1896955367.

Acknowledgement Number: The host also acknowledges the receipt of the data
packet sent in the first step. The value of the acknowledgment number is always one
more than the client’s initial sequence number. Hence, in this case the
acknowledgement number is 4894305+1=4894306. It also signifies the next expected
sequence number.

3. Finally in the third step, the client sends back an Acknowledgment (ACK) packet
to the host. The only critical information carried in this step is as follows:

Acknowledgement Number: The ACK number field is now the server’s ISN plus
one, which is equal to 1896955367+1=1896955368.

The above three steps complete the full 3-way TCP/IP handshake between the
client and the host, which can actually be diagrammatically represented as shown below:

Client---------------SYN (4894305)---------------- Host

Host-----------------SYN (1896955367) and ACK (4894306)--------- Client

Client---------------ACK (1896955368)---------- Host

The above is a description of how a client can establish a TCP/IP connection with
a remote host. However, let us take this example a bit further and assume a scenario
wherein either the client or host wants to immediately terminate the connection as soon as
it has been established. In such a case, the following data packets are exchanged:

1. When client terminates connection

Client-----------FIN (4894306) and ACK (1896955368)-------------Host

Host------------ACK (4894307)--------------------Client

2. When Host terminates connection

Host------------FIN (1896955368) and ACK (4894307)-------Client

Client---------------ACK (1896955368)--------------Host

A deeper look into Sequence Numbers

The quickest route to understanding the phenomenon of SYN and ACK values is
to study how connections are established and terminated. One can record and analyze the
headers of the data packets being sent or received with the help of a sniffer. For this
example, let us telnet to Port 23 of a remote test system and then immediately disconnect
from it. It is important to note that we will refer to the remote system as HOST and the
local system as CLIENT. The following is an analysis of the working and description of
the connection establishment and termination procedure:

#telnet targetsystem.com 23

As soon as you use telnet to connect to the remote test system, then the following
3-way handshake takes place between the local and remote system. On typing the above
command, the following transfer of packets takes place:

1. Client ---------------SYN (856779)--------------- Host

The captured frame of this data transfer is given below for further study (the
sequence number field is the four bytes 00 0D 12 CB):

20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00 00 2C C3 00 40 00 20 06 10 0C CB
5E FD BA CB 5E F3 47 04 07 00 17 00 0D 12 CB 00 00 00 00 60 02 20 00 D9 70 00
00 02 04 05 B4 2D

In this step, the client sends a SYN packet to the remote host, requesting that a TCP/IP
connection be established with the host. SYN stands for synchronize. The sequence
number of the data packet sent by the client in this case is 856779.

2. Host------------SYN (758684758) and ACK (856780)------ Client

The captured frame of this data transfer is given below for further study (the
sequence number field is 2D 38 9C 56 and the ACK field is 00 0D 12 CC):

44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 00 2C 8C 05 40 00 39 06 2E 07 CB
5E F3 47 CB 5E FD BA 00 17 04 07 2D 38 9C 56 00 0D 12 CC 60 12 83 2C AC A4
00 00 02 04 05 B4

Once the host system receives the SYN packet sent by the client, it sends back a
SYN/ACK packet to the client. The SYN part of this packet contains the initial
sequence number (ISN) of the host, which in this case is 758684758. The ACK part
of the packet acknowledges the data received till now and represents the next
sequence number that the host expects to receive. The ACK or acknowledgement
number sent by the host to the client is calculated as one plus the client’s ISN,
i.e. 856779 + 1 = 856780.

3. Client-----------SYN (856780) and ACK (758684759)-------------- Host

The captured frame of this data transfer is given below for further study (the
sequence number field is 00 0D 12 CC and the ACK field is 2D 38 9C 57):

20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00 00 28 C4 00 40 00 20 06 0F 10 CB
5E FD BA CB 5E F3 47 04 07 00 17 00 0D 12 CC 2D 38 9C 57 50 10 22 38 25 56 00
00

In the above captured frame we find that the client replies to the SYN/ACK sent by
the host with an ACK message that acknowledges the receipt of the data till now and
also carries the sequence number of the data the client expects next from the host. In
this case the ACK value is equal to the host’s ISN plus one. Thus, ACK value = host’s
ISN + 1 = 758684758 + 1 = 758684759.

It is important to note that in the above step, since the client sends only an ACK
packet (and not a SYN packet) to the host, the sequence number does not get
incremented. An ACK packet alone is not sufficient to increase the sequence number.
This means that even the next packet sent by the client to the server will have the
same sequence number.

Once the above three steps have been successfully executed, a complete 3-way
handshake is said to have taken place and a TCP/IP connection thus gets established
between the client and the host. Taking our case study further, as soon as the above
connection gets established, we will use the QUIT command to disconnect from the
remote telnet daemon. A typical TCP/IP connection is terminated by following the below
data packets’ transfer:

1. Client---------------FIN (856780) and ACK (758684759)------------ Host

The captured frame of this data transfer is given below for further study (the
sequence number field is 00 0D 12 CC and the ACK field is 2D 38 9C 57):

20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00 00 28 C5 00 40 00 20 06 0E 10 CB
5E FD BA CB 5E F3 47 04 07 00 17 00 0D 12 CC 2D 38 9C 57 50 11 22 38 25 55
00 00

In this step, the client sends a FIN/ACK packet to the remote host. The FIN flag
tells the host that the client wants to terminate the connection that has been
established between the two systems. It is crucial to notice that the hexadecimal
values of the sequence and acknowledgment fields in the above captured frame are the
same as those in the final step of the connection establishment process. This clearly
demonstrates that the sequence number and acknowledgment number remain the same
in both cases. This is because the third step only sent an ACK message, which does not
consume any sequence number. The only difference between the two connection states
is that here the FIN (Finish) and ACK (Acknowledgement) packets are being sent, while
in the earlier case the SYN (Synchronize) and ACK (Acknowledgment) packets were
sent.

Although this particular packet does carry a FIN, which does consume a sequence
number, the sequence number of a packet represents the value applicable at the start
of that packet and not the end. Thus, the sequence number consumed by the FIN
increases the sequence number of the next packet and does not affect the sequence
number of this packet. The ACK value of this packet is 758684759, which is the
sequence number of the packet the client expects next from the host. The ACK value
in this step does not change from that in the third step, as no data was exchanged
between the client and the host. This means that the client still expects the host to
send data with sequence number 758684759.

2. Host-------------------ACK (856781)----------------------- Client

The captured frame of this data transfer is given below for further study (the
sequence number field is 2D 38 9C 57 and the ACK field is 00 0D 12 CD):

44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 00 28 8F BE 40 00 39 06 2A 52 CB
5E F3 47 CB 5E FD BA 00 17 04 07 2D 38 9C 57 00 0D 12 CD 50 10 83 2C C4 60
00 00

In this step, the host sends back an ACK packet to the client confirming the receipt of
the connection termination request. The acknowledgment value of this data packet is
856781, while the sequence number is 758684759. It is important to note here that the
sequence number of this data packet is the same as that of the next data packet sent by
the host to the client. This is because this particular message carries only an ACK
flag, which does not consume any sequence number.

3. Host-----------------FIN (758684759) and ACK (856781)---------- Client

The captured frame of this data transfer is given below for further study (the
sequence number field is 2D 38 9C 57 and the ACK field is 00 0D 12 CD):

44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 00 28 8F E0 40 00 39 06 2A 30 CB
5E F3 47 CB 5E FD BA 00 17 04 07 2D 38 9C 57 00 0D 12 CD 50 11 83 2C C4 5F
00 00

In this step, the host sends a FIN/ACK packet to the client, with a sequence number
equal to 758684759 (same as in the earlier step) and an ACK value equal to 856781
(same as in the earlier step). This is because no data has been transmitted yet.

4. Client----------------ACK (758684760)------------------- Host

The captured frame of this data transfer is given below for further study (the
sequence number field is 00 0D 12 CD and the ACK field is 2D 38 9C 58):

20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00 00 28 C6 00 40 00 20 06 0D 10 CB
5E FD BA CB 5E F3 47 04 07 00 17 00 0D 12 CD 2D 38 9C 58 50 10 22 38 25 54
00 00

In this final step, the client acknowledges the host’s FIN/ACK data packet by sending
back an ACK packet. This ACK packet not only acknowledges all the data received
by the client till now, but also terminates the connection. It is important to note that
the sequence number of this data packet is 856781, while the acknowledgment
number is 758684760.

The above experiments clearly show that the sequence number is incremented
under the following scenarios and cases:

Case                              Increment
Transfer of FIN packet            1
Transfer of SYN packet            1
Transfer of ACK packet            0
Transfer of SYN/ACK packet        1
Transfer of FIN/ACK packet        1
Time period of 1 second           128,000
Establishment of 1 connection     64,000
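
As an added example (not part of the original course material), the following Python script embeds the seven hex dumps captured above, parses their Ethernet II, IPv4 and TCP headers, and checks the accounting rule in the table: every ACK must equal the peer's previous sequence number plus one for each SYN or FIN that packet carried. It assumes the dumps are 14-byte Ethernet II frames carrying IPv4, as the bytes show; the stray byte trailing the first dump is ignored because the parser trusts the IP total length rather than the frame length.

```python
"""Parse the seven captured telnet frames above (Ethernet II + IPv4 + TCP) and
check the sequence-number accounting that the text derives from them."""
import struct

# Hex dumps copied from this page, in capture order: 1 SYN, 2 SYN/ACK, 3 ACK,
# 4 FIN/ACK (client), 5 ACK (host), 6 FIN/ACK (host), 7 ACK (client).
FRAMES_HEX = [
    "20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00 00 2C C3 00 40 00 20 06 10 0C CB"
    " 5E FD BA CB 5E F3 47 04 07 00 17 00 0D 12 CB 00 00 00 00 60 02 20 00 D9 70 00 00 02 04 05 B4 2D",
    "44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 00 2C 8C 05 40 00 39 06 2E 07 CB"
    " 5E F3 47 CB 5E FD BA 00 17 04 07 2D 38 9C 56 00 0D 12 CC 60 12 83 2C AC A4 00 00 02 04 05 B4",
    "20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00 00 28 C4 00 40 00 20 06 0F 10 CB"
    " 5E FD BA CB 5E F3 47 04 07 00 17 00 0D 12 CC 2D 38 9C 57 50 10 22 38 25 56 00 00",
    "20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00 00 28 C5 00 40 00 20 06 0E 10 CB"
    " 5E FD BA CB 5E F3 47 04 07 00 17 00 0D 12 CC 2D 38 9C 57 50 11 22 38 25 55 00 00",
    "44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 00 28 8F BE 40 00 39 06 2A 52 CB"
    " 5E F3 47 CB 5E FD BA 00 17 04 07 2D 38 9C 57 00 0D 12 CD 50 10 83 2C C4 60 00 00",
    "44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 00 28 8F E0 40 00 39 06 2A 30 CB"
    " 5E F3 47 CB 5E FD BA 00 17 04 07 2D 38 9C 57 00 0D 12 CD 50 11 83 2C C4 5F 00 00",
    "20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00 00 28 C6 00 40 00 20 06 0D 10 CB"
    " 5E FD BA CB 5E F3 47 04 07 00 17 00 0D 12 CD 2D 38 9C 58 50 10 22 38 25 54 00 00",
]

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG)]


def flags_to_str(flags):
    """Render the flag bits the way the text does: 'SYN', 'SYN/ACK', 'FIN/ACK', ..."""
    return "/".join(name for name, bit in FLAG_NAMES if flags & bit)


def ip_checksum_ok(ip_header):
    """The ones-complement sum of the IPv4 header, checksum field included, must fold to 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(ip_header) // 2), ip_header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_frame(hexdump):
    """Extract addressing, sequence/ACK numbers and flags from one Ethernet II + IPv4 + TCP frame."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if len(raw) < 34 or raw[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4-over-Ethernet frame")
    ihl = (raw[14] & 0x0F) * 4
    total_len, = struct.unpack("!H", raw[16:18])
    if ihl < 20 or 14 + total_len > len(raw) or raw[23] != 6:
        raise ValueError("IP header inconsistent with frame, or not TCP")
    # Slice the TCP segment by the IP total length, not by the frame length: link-layer
    # padding or a stray trailing byte (frame 1 above has one) must never be read as TCP data.
    tcp = raw[14 + ihl:14 + total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    flags = off_flags & 0x3F
    return {
        "src": ".".join(str(b) for b in raw[26:30]),
        "dst": ".".join(str(b) for b in raw[30:34]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "flags": flags, "flags_str": flags_to_str(flags),
        "payload_len": len(tcp) - data_off,
        "ip_checksum_ok": ip_checksum_ok(raw[14:14 + ihl]),
    }


def seq_space_used(flags, payload_len):
    """Sequence numbers a segment consumes (the table above): 1 for SYN, 1 for FIN,
    1 per payload byte, and none for a bare ACK."""
    return payload_len + (1 if flags & SYN else 0) + (1 if flags & FIN else 0)


def check_accounting(frames_hex):
    """Parse the frames in order and report every ACK that does not equal the
    peer's previous sequence number plus the sequence space that segment used."""
    parsed = [parse_frame(h) for h in frames_hex]
    expected = {}  # sender IP -> the sequence number its peer should acknowledge next
    mismatches = []
    for num, p in enumerate(parsed, 1):
        if p["flags"] & ACK and p["dst"] in expected and p["ack"] != expected[p["dst"]]:
            mismatches.append((num, p["ack"], expected[p["dst"]]))
        expected[p["src"]] = (p["seq"] + seq_space_used(p["flags"], p["payload_len"])) & 0xFFFFFFFF
    return parsed, mismatches


if __name__ == "__main__":
    frames, bad = check_accounting(FRAMES_HEX)
    for num, p in enumerate(frames, 1):
        print("%d. %s:%d -> %s:%d  %-7s seq=%d ack=%d ip-checksum-ok=%s" % (
            num, p["src"], p["sport"], p["dst"], p["dport"],
            p["flags_str"], p["seq"], p["ack"], p["ip_checksum_ok"]))
    print("ACK accounting mismatches:", bad or "none")
```

Running it prints one line per frame with the decimal values the text quotes (856779, 758684758, 856780 and so on) and reports no accounting mismatches; feeding it a capture with a guessed ACK that does not line up would list the offending frame number.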

It is very important for an attacker to truly understand how sequence numbers work
and how they increase in order to execute IP spoofing. Being able to predict sequence
numbers accurately can allow an attacker to exploit a number of loopholes:

1. Hijacking TCP connections and stealing data.

2. Exploiting trust relationships.

Trust Relationships

Trust relationships are an integral part of all IP spoofing attacks. A trust
relationship is nothing but a form of authentication that is used to verify the
identity of users on the Internet. Typically, all Internet users come across some form of
authentication process or the other on a regular basis. The most common authentication
process that Internet users come across is the username-password pair. In this form of
authentication, the host asks the remote client to enter a username and password pair. If
the remote client is able to enter the correct username-password pair, then he is
authenticated; otherwise he is denied access. Trust relationships are a similar
authentication process.

In trust relationships, the IP address of the remote client is used for authentication
purposes. In this form of authentication, the host finds out the IP address of the remote
client and then compares it to a predefined list of allowed IP addresses. If a match for the
remote client’s IP address is found in the allowed list, then it is allowed access even
without entering a password. However, if the client’s IP address is not found in the
allowed IP address list, then it is denied access. Hence, in trust relationships, as long as
the IP address of the client matches, no password is required. This form of
authentication, in which the IP address of the remote client alone is treated as adequate
proof of identity, is known as a trust relationship.

Trust relationships are quite common on Unix systems in the form of a number of
r services like rsh, rlogin, rcp etc. However, trust relationships are not very secure and
have a number of security loopholes. Unfortunately, despite the various security threats
involved, many corporations continue to use trust relationships. One can establish an
rlogin connection with a remote Unix system by typing the following command at the
shell prompt:

$> rlogin <IP address>

____________________________

HACKING TRUTH: One can establish a trust relationship connection with a remote
system with the help of the telnet utility as well. Some of the default port numbers on
which the r services run are 512, 513,514 etc.
____________________________

Typically, IP spoofing attacks are implemented to exploit trust relationships. If
there exists a trust relationship between two systems, i.e. a client and a server, then it is
possible for an attacker to spoof his IP address, pretend to be the client and gain illicit
access to the target system. In such an attack, the target system is fooled into believing
that the attacker is the trusted system. Such attacks provide the attacker access to all
commands and files on the target system. Hence, IP spoofing when used in conjunction
with trust relationships can indeed have serious consequences. It is thus quite
important for corporations to take adequate security measures against IP spoofing
attacks.

Spoofing your IP Address to exploit trust relationships

The problem with IP spoofing is that although it is quite easy to explain in theory,
it is extremely difficult to actually implement. Even hardened network experts find it
quite difficult to successfully spoof their IP address, let alone security dabblers. As
discussed earlier, two of the biggest problems with IP spoofing attacks are the blind
nature of the attack and the amount of luck it depends on. There are just too many
assumptions involved in IP spoofing attacks. Nonetheless, IP spoofing attacks can indeed
be perfected if practiced carefully and thoroughly, and there have been numerous cases
wherein attackers have successfully spoofed their IP address. Typically, attackers spoof
their IP address by following the steps below:

NOTE: The following notations are used in the steps below:

a.) The victim system will be referred to as the VICTIM or target system.

b.) The trusted system that is capable of establishing a trust relationship with
VICTIM is known as TRUSTED.

c.) The attacker is referred to as ATTACKER.

1. Identifying a Trusted System

Before an attacker can actually start exploiting the trust relationships of the victim,
he first needs to figure out which systems enjoy a trust relationship with the
target system. In other words, the first step in IP spoofing is that an attacker needs
to somehow find out which systems are trusted by the target system. It is
very important to correctly identify the trusted systems with which the target
system establishes trust relationships on a regular basis. Typically, trusted systems
establish trust connections with the target system using the ‘r services’. Some of
the most common techniques of finding out the trusted systems are:

a.) The following commands can on most occasions be used to identify the trusted
systems:

rpcinfo -p
showmount -e

b.) Another very common technique of figuring out the trusted systems is to use
social engineering techniques. Refer to the section of social engineering for more
information.


c.) A number of attackers also use brute force tools to pinpoint the trusted system:
every system on the local network is checked for whether or not it is capable of
establishing a trust relationship with the target system.

Once an attacker has pinpointed the identity of the trusted system, the attacker then
needs to DOS attack the trusted system, render it useless and carry out the IP spoofing
attack.

2. Blocking the real Trusted System

For an IP spoofing attack to be completely successful, it is important for the
attacker to ensure that the real trusted system does not interfere with or interrupt the
spoofing process at any point of time. If the real trusted system were to respond to
any data packets sent by VICTIM, then the spoofing process would come to an
end. As discussed earlier, one of the most important rules for successful IP
spoofing is as follows:

“…FAKE must not at any point respond to the SYN/ACK packet, which VICTIM
sends to it…”

As a result, once the attacker has detected and identified the trusted system, the
attacker then needs to block or disable it with the help of a denial of service or
DOS attack. The best way to ensure that the real trusted system does not interfere
in the spoofing process is to somehow block the trusted system. In other words, an
attacker must make sure that all the memory of the trusted system is used up so that
it cannot respond to the SYN/ACK packets sent by the VICTIM system. One
technique that attackers commonly use to disable the trusted system is the SYN
flooding DOS attack. For more information on SYN flooding, read the DOS
attacks section.

Once the real trusted system has been DOS attacked, the attacker can be sure
that it will not respond to any data packets sent by VICTIM and hence will not
interfere in the IP spoofing process. Since all the available buffer memory will be
busy responding to the endless SYN requests, all data packets sent by
VICTIM will simply be discarded by the real trusted system. Such a strategy of
disabling the real trusted system provides the attacker with plenty of time to
execute the IP spoofing attack.

3. Getting the Final Sequence Number and Predicting the Succeeding Ones

This is probably one of the toughest steps in IP spoofing, as it involves a large
number of quick calculations in extremely short time periods. Once the trusted
system has been DOS attacked, the attacker needs to somehow predict the
sequence number of the target computer. One technique of arriving at the
sequence number of the target computer is to connect to it on a particular port
(like Port 23 or 25) and record the sequence number of the last data packet that
was sent by the target system. In order to ensure accurate results, it is advisable to
repeat this procedure a few times.

Then the attacker needs to somehow deduce the round trip time or RTT value.
This can be done with the help of the ICMP protocol. It is extremely important to
calculate the RTT value correctly as an incorrect value can easily completely
sabotage an IP spoofing attack. The accuracy and success of the sequence number
prediction process is greatly dependent on the correct calculation of the RTT
value. Once the RTT value has been recorded, only then is the actual prediction of
sequence numbers done.

___________________________________

HACKING TRUTH: The RTT value or the round trip time is nothing but the
time taken by a data packet to travel from the source to the destination system and
back. Hence, an attacker can calculate the time it takes for a data packet to reach
the destination from the source system by using the formula: RTT/2.
___________________________________

Typically attackers calculate the sequence number of the target computer based
upon the following:

1. Last recorded sequence number.

2. Calculated RTT values.

3. Amount of time passed between the last recorded sequence number and
the actual execution of the attack.

4. Target system connection and port states.

Although the calculation of sequence numbers is quite hard, there are
indeed a few tips that one can keep in mind to make the IP Spoofing process
easier:

1. It is always advisable for an attacker to record the round trip time (RTT),
or the time it takes for data packets to travel from the target system to the
attacker system, beforehand. This not only saves time during the
actual execution of the attack but also makes it easier for the attacker to
arrive at a correct sequence number prediction. Moreover, it is best to
repeat the procedure of recording the RTT value a few times to get an
accurate reading.

2. It is best to become familiar with the Case-Increment table (see earlier
sections). This will facilitate and quicken the sequence number calculation
process.

3. One must be as fast as possible. From the time the sequence number of
the target system has been recorded, all succeeding steps must be taken as
quickly as possible. The shorter the time gap between recording the
sequence number and actually executing the IP spoofing attack, the better
are the chances of the attack being a success. The longer the time one
wastes, the lesser are the chances of an attacker being able to predict the
sequence numbers accurately. For example, if one wastes one extra
second, then the sequence number increments by 64,000. Hence one must
remain as quick and waste as little time as possible.

4. Having a few practice runs is always a good idea, as that will help you get
accustomed to the problems of fast calculations.

5. Finally, one needs to take a deep breath, close their eyes, hope for the best
and execute the IP spoofing attack.

The primary objective of sequence number prediction is that the calculated
sequence number must match the target system’s next sequence number.
Although such a scenario is the ideal, it remains extremely difficult to attain.
However, even if the predicted sequence number is only relatively close to the actual
next sequence number, the target system merely queues it up, treating it as a
packet for future use. This step is definitely one of the most difficult steps in IP
spoofing. Once it is executed, the remaining steps are not very hard to
implement.

4. Executing the Attack

Once the attacker is able to successfully predict the next probable sequence
number, only then can the actual IP spoofing attack be executed. This attack is
executed in the following steps:

a.) In the first step, the ATTACKER sends a spoofed SYN packet to the VICTIM
in such a manner that the VICTIM thinks that the packet was sent by the
trusted system. These SYN packets are usually sent to the VICTIM system on
those ports where the ‘r services’ are running. For example, attackers usually
like to target the rlogin port (port 513) in IP spoofing attacks. Hence, this SYN
packet sent by the ATTACKER requests the VICTIM to establish a trust
relationship with the trusted system.

b.) As per TCP/IP connection establishment rules, the VICTIM then responds to
the spoofed SYN packet (sent by the ATTACKER) by sending back a
SYN/ACK packet to the trusted system. This is where the importance of SYN
flooding the trusted system comes in. If the trusted system were not disabled
(DOS attacked), then it would have replied to the SYN/ACK with a NACK
and hence dropped the spoofing attempt. However, since the attacker has
already disabled the trusted system, there is no response to the
SYN/ACK packet sent by the victim. As a result, this SYN/ACK packet sent
by the VICTIM gets discarded.

c.) The ATTACKER then waits for an adequate amount of time to pass. This is
done to ensure that the VICTIM has already executed the above step i.e. sent a
SYN/ACK packet to the trusted system. Then the ATTACKER sends a
spoofed ACK message to the VICTIM in such a manner that it seems to have
been sent by the trusted system. In this step, the importance of predicting the
sequence number correctly comes to the foreground. It is important for an
attacker to make sure that the spoofed ACK packet has an acknowledgement
number which is the predicted sequence number plus one. Moreover, the
sequence number of this packet should be one more than the sequence number
of the packet sent by the attacker in Step 1.

d.) Assuming that all the above steps were executed without any errors or
problems, the ATTACKER is then able to successfully spoof his IP address
and establish a trust relationship with the VICTIM.

5. Putting the Trusted system out of the spell of the DOS Attack

Finally, once the complete IP spoofing attack has been executed, the attacker then
ends the SYN flood attack on the trusted system and brings it back to its normal
functioning state. The trusted system can be brought back to the ‘alive’ state by sending
a large number of FIN packets to it. A FIN packet, when sent to the remote system,
terminates the previously established connection and frees up the buffer memory on
it. This step of ending the attack on the trusted system is important to ensure that the
system administrator of the trusted system does not suspect that anything is
wrong.

Fadia’s Hot Picks for Packet Generation Tools

1. Utility Name: Libnet

Features: A packet generation tool that allows a user to send customized data
packets to the target computer. It is a brilliant tool that allows the user control
over almost all fields of the custom made data packets.

Download URL: http://www.packetfactory.net/libnet

2. Utility Name: pacgen.tar.gz

Features: A Unix based packet generation tool that allows attackers to send
customized data packets to the target system. This tool enables custom packets
with configurable Ethernet, IP, TCP, and UDP layers as well as custom payloads.

Download URL: http://www.packetstormsecurity.org

Countermeasures

1. Avoid Trust Relationships

Most IP spoofing attacks are executed only to exploit trust relationship based
authentication being used by the target system. In other words, IP Spoofing can be
dangerous only if the target computer is using trust relationships to authenticate
its users. Corporations should avoid using trust relationships as far as possible. It
is always advisable to use a combination of password authentication and trust
relationships. Such a combination of both the authentication techniques not only
ensures proper safety, but also makes it more difficult for an attacker to execute
IP spoofing. Moreover, on many occasions the use of TCP wrappers to allow
access only from certain trusted systems has been known to be a good
countermeasure.

2. Firewalls or Filtering Mechanisms

Many trust relationship networks exist between systems in the same local
network. In such occasions, the best countermeasure is to filter out the malicious
attack traffic with the help of a firewall. A system administrator should filter out
all packets coming from outside the local network, but whose source IP address
belongs to a system within the internal network. This filtering mechanism can be
implemented with the help of the below router Access Control List (ACL):

access-list 101 deny ip Internal Address 0.0.255.255 0.0.0.0 255.255.255.255

Moreover, one should also filter all outgoing packets whose source address does
not match an internal system’s IP address. Such a filtering rule will prevent
your network systems from being exploited to initiate an IP spoofing attack. This
filtering mechanism can be implemented using the below router ACL, which permits
only internal source addresses outbound; every other source is dropped by the
implicit deny at the end of the list:

access-list 101 permit ip Internal Address 0.0.255.255 0.0.0.0 255.255.255.255
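The logic behind the two ACLs above, written out as a small filter so the ingress and egress rules can be checked against sample traffic. This is an added example, not code from the AFCEH material; the internal network 10.1.0.0/16 (a /16, matching the 0.0.255.255 wildcard mask in the ACL), the interface names and the sample packets are all constructed for the demonstration.

```python
"""Ingress/egress anti-spoofing filter, the logic behind the ACLs in countermeasure 2.

Added example, not from the AFCEH material. The internal network 10.1.0.0/16
(a /16, matching the 0.0.255.255 wildcard mask in the text), the interface
names and the sample packets are all constructed for this demonstration."""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")   # assumed internal range


@dataclass
class Packet:
    iface: str   # "outside": arrives from the Internet; "inside": arrives from the LAN
    src: str
    dst: str


def verdict(pkt: Packet) -> str:
    """Return 'permit' or 'deny' for one packet crossing the border router."""
    src_internal = ipaddress.ip_address(pkt.src) in INTERNAL_NET
    if pkt.iface == "outside" and src_internal:
        # Ingress rule: traffic from outside can never legitimately carry an
        # internal source address; this is the spoofed packet from Step 4.
        return "deny"
    if pkt.iface == "inside" and not src_internal:
        # Egress rule: nothing leaving the LAN may claim a foreign source, so
        # local hosts cannot be used to spoof packets at other networks.
        return "deny"
    return "permit"


def filter_packets(pkts):
    """Apply verdict() to a batch and return the list of verdicts, in order."""
    return [verdict(p) for p in pkts]


# Constructed sample traffic: one legitimate and one spoofed packet per direction.
SAMPLE = [
    Packet("outside", "10.1.4.7", "10.1.0.20"),       # claims to be an internal host
    Packet("outside", "203.0.113.9", "10.1.0.20"),    # ordinary inbound connection
    Packet("inside", "10.1.4.7", "203.0.113.9"),      # ordinary outbound connection
    Packet("inside", "198.51.100.3", "203.0.113.9"),  # LAN host spoofing outward
]

if __name__ == "__main__":
    for p, v in zip(SAMPLE, filter_packets(SAMPLE)):
        print(f"{p.iface:7} {p.src:>13} -> {p.dst:<13} {v}")
```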

3. Random Initial Sequence Numbers

Another very good countermeasure to make it all the more difficult for attackers
to execute IP spoofing attacks is to use random Initial Sequence Numbers
(ISNs) instead of the regular predictable sequence numbers. Under default
circumstances, an attacker is able to perform IP spoofing by exploiting the
predictable nature of the ISN values of the target system. However, by using random
values as the ISN of a system, system administrators can make it all the more
difficult for an attacker to perform IP spoofing. Typically, such a countermeasure
is implemented with the help of pseudo-random number generators
(PRNGs) that generate fresh random ISN values.
Unfortunately, on many occasions even PRNGs fail to provide foolproof
randomness.
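To make the difference concrete, here is an added example (not code from the AFCEH material) contrasting a clock-driven ISN that grows by the 64,000 per second quoted in Step 3 with the hashed scheme of RFC 6528, ISN = M + F(local_ip, local_port, remote_ip, remote_port, secret). HMAC-SHA256 stands in for the RFC's hash function F, and the addresses and timings are assumed values.

```python
"""Clock-driven versus hashed initial sequence numbers (countermeasure 3).

Added example, not from the AFCEH material. The 64,000-per-second increment is
the figure given in the text; the hashed generator follows the RFC 6528 scheme
ISN = M + F(4-tuple, secret), with HMAC-SHA256 standing in for F."""
import hashlib
import hmac
import os

MASK32 = 0xFFFFFFFF


def clock_isn(base_isn: int, seconds_elapsed: float) -> int:
    """Old-style ISN: advances 64,000 per second from a value everyone can see."""
    return (base_isn + int(64_000 * seconds_elapsed)) & MASK32


def prediction_error(actual: int, guess: int) -> int:
    """Shortest distance between a guess and the real ISN on the 32-bit ring."""
    return min((actual - guess) & MASK32, (guess - actual) & MASK32)


class HashedIsn:
    """Per-4-tuple offset derived from a boot-time secret, plus a 4 us timer."""

    def __init__(self, secret: bytes = b""):
        self.secret = secret or os.urandom(32)   # never leaves the host

    def offset(self, local, remote) -> int:
        """F(): constant for one 4-tuple, unknowable without the secret."""
        msg = f"{local[0]}:{local[1]}->{remote[0]}:{remote[1]}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def isn(self, local, remote, usec: int) -> int:
        """ISN = M + F, where M ticks once every 4 microseconds (RFC 6528)."""
        m = (usec // 4) & MASK32
        return (m + self.offset(local, remote)) & MASK32


if __name__ == "__main__":
    # Constructed scenario: an ISN of 1_000_000 was observed and the RTT is 50 ms.
    seen, rtt = 1_000_000, 0.05
    guess = clock_isn(seen, rtt)   # an observer's guess is exactly what is emitted
    print("clock ISN error:", prediction_error(clock_isn(seen, rtt), guess))
    gen = HashedIsn()
    victim, trusted = ("10.1.0.20", 513), ("10.1.4.7", 1023)   # assumed addresses
    a = gen.isn(victim, trusted, usec=0)
    b = gen.isn(victim, ("10.1.4.7", 1024), usec=0)   # neighbouring port, new offset
    print("hashed ISNs for two 4-tuples differ by", prediction_error(a, b))
```

With the clock scheme the error is zero, so knowing one ISN and the elapsed time gives the next one; with the hashed scheme the ISN observed on one 4-tuple says nothing about the offset of another, and only the same 4-tuple advances predictably with the timer.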

4. Encryption

The latest implementations of encryption standards (like IPSec) provide a more
secure communication and authorization channel than existing standards.

5. SYN Flooding countermeasures

To prevent trusted systems in a trust relationship network from being DOS
attacked, it is advisable to take the necessary precautionary countermeasures
against SYN flooding attacks. For more information on the countermeasures, refer
to the section on DOS attacks.

Copyright 2004. All rights Reserved.