RE: RE: Session & IP Spoofing

From: Rob Shein (shoten@starpower.net)
Date: Thu Dec 04 2003 - 15:34:51 EST

• Next message: Matthew Wagenknecht: "RE: RING Fingerprinting?"
• Previous message: dshingiz@gmx.de: "Re: john the ripper"
• In reply to: pire pire: "RE: RE: Session & IP Spoofing"
• Next in thread: MARTIN M. Bénoni: "RE: RE: Session & IP Spoofing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

You'd better care about the return traffic; without it you won't even be
able to complete the TCP handshake to send the request. TCP spoofing is
harder now than it used to be. Your options include positioning yourself
between the target and the IP you're impersonating (difficult to set up, but
very effective if done) and trying source routing to specify that the
packets for that spoofed IP should come back to you instead of following
their normal route (many firewalls and routers do not allow source routing
these days, and many IDSes trigger when they see it).

> -----Original Message-----
> From: pire pire [mailto:pirepire69@romandie.com]
> Sent: Thursday, December 04, 2003 4:54 AM
> To: MThompson@brinkster.com; pen-test@securityfocus.com
> Subject: RE: RE: Session & IP Spoofing
>
>
> No I don't care about the return traffic! All I
> need is to sen I GET request with a spoofed IP!
>
> Example:
>
> GET /toto.php?sessionId=123456&transfer=1000
> Host: www.toto.com
>
> I just need to send this request to the server
> with the ip adress belonging to the sessionID
> I've got throuh my XSS!
>
>
> So how do you do that?
>
>
> Thanks for your help
>
>
>
>
>
>
>
> ---------------------------------------
> You can spoof any IP. The question is do you
> want the return traffic.
>
> -----Original Message-----
> From: pire pire
> [mailto:pirepire69@romandie.com]
> Sent: Tuesday, December 02, 2003 5:02 PM
> To: pen-test@securityfocus.com
> Subject: Session & IP Spoofing
>
> Hi,
>
> I've found a vulnerability in a Web App which
> gave me via an XSS the sessionID token.
>
> I would like to replay this token. But the
> session ID manager (on the server) seems to
> look
> also to IP adresses.
>
> So my question is: Is there a way to spoof my
> ip
> address in order to replay the sessionID??
>
> Like:
> http://www.tutu.com/toto.php?
> sessionid=32443243
> and some how spoof of my IP?!
>
> If I replay the sessionid from my machine or an
> other machine behind my NAT (same outside IP)
> it
> works!!
>
> Thanks a lot for your help
>
>
> _______________________________________________
>
> La messagerie gratuite des romands : 10 MO !!!
> Profitez-en ! >>> http://www.romandie.com
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> --------------
>
>

---------------------------------------------------------------------------
----------------------------------------------------------------------------

• Next message: Matthew Wagenknecht: "RE: RING Fingerprinting?"
• Previous message: dshingiz@gmx.de: "Re: john the ripper"
• In reply to: pire pire: "RE: RE: Session & IP Spoofing"
• Next in thread: MARTIN M. Bénoni: "RE: RE: Session & IP Spoofing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:43 EDT