ip-spoof.txt
            -=[ A short overview of IP spoofing: PART I ]=-
                 -=[ Part of 'The Packet Project' ]=-
           (Includes Source for Linux 1.3.X and later kernels)

   All text and Source code written by Brecht Claerhout (Copyright 1996)
   All source tested on Linux kernel 2.0.X
   All packet data captured with Sniffit 0.3.2 (a pre-release at that time)

-------------------------------------------------------------------------------
PART I: Simple spoofing (Non blind)
-----------------------------------

0. Introduction
   0.1 What
   0.2 For whom
   0.3 Disclaimer
   0.4 Licence
1. Short explanation of some words
2. Description of source code
   2.1 Source included
   2.2 Programmer notes
3. TCP/IP (UDP) in a hazelnutshell
4. Non-blind spoofing
   4.1 Know what you are doing
   4.2 SYN flooding
   4.3 Connection Killing
       4.3.1 Using reset (RST)
       4.3.2 Closing a connection (FIN)
       4.3.3 Improving
   4.4 Connection Hijacking
   4.5 Other
5. The source code

-------------------------------------------------------------------------------
PART I: Simple spoofing (Non blind)
-------------------------------------------------------------------------------

0. Introduction
---------------

0.1 What
--------

This document describes some IP spoofing attacks and gives you example source
code of the programs used for these attacks (and packet sniffer logs, so you
see exactly what happens). It also provides you with an easy to use include
file for experimenting a little yourself.

Oh, if you make something nice with the "spoofit.h" file, please mail it to me
(or a reference where it is available) with a little explanation on what it
is (a few lines are enough)...

If you have interesting remarks, comments, ideas, ... please contact me:

   Brecht Claerhout <Coder@reptile.rug.ac.be>
   PoBox 144
   9000 Gent 12
   Belgium

If YOU think of yourself that you are "3><Tr3/\/\3lY 3Le3T", please don't
bother contacting me. Flames >/dev/null or >/dev/echo, depending on how smart
you are.

It is not wise to use what you don't know/understand, so read this before
trying anything... it will only take a few minutes, and probably save you some
hours of failure...

This code is not crippled in the usual way (removing some vital parts); its
power is limited by its briefness, because I wanted to keep everything simple
and illustrative (but working). It's a simple job to improve it, and that is
the goal of this doc: that you improve it yourself.

Thanks to Wim Vandeputte for spellchecking, and for putting up with my constant
nagging about IP during the writing of this sh!t...

0.2 For whom
------------

For people with an elementary knowledge of TCP/IP, some knowledge of C (only
the basic setup) and some general UNIX knowledge. It's no use reading this
document if you are completely unaware of these things, but mind you, only a
little knowledge is enough.

0.3 Disclaimer
--------------

I am in no way responsible for the use of this code. By using this software
and reading this document you accept the fact that any damage (emotional,
physical, data loss and the end of the world as we know it ...) caused by the
use or storage of these programs/documents is not MY responsibility.

I state that during the writing and testing of this document/source, I never
violated any law. All spoofing was done between machines where I had legit
root access, or where I had the permission of the legit root.

This code can be written by any competent programmer, so this source is not as
harmful as some will say (cauz' I'm sure some people won't like this degree of
disclosure).

0.4 Licence
-----------

All source code and text is freely available. You can spread it, as long as
you don't charge for it (exceptions are a small reproduction fee, if it isn't
spread together with commercial software or texts). You may not spread parts
of the document; it should be spread as one package. You may not modify the
text and/or source code. You can use spoofit.h or derived code in your own
programs as long as they are not commercial (i.e. FREE), and you give me the
credits for it.

1. Short explanation of some words
----------------------------------

This is a short explanation of some words you might see in the text/source.
You probably know all this, but I put it in here anyway.

Sniffit
   My favourite packet sniffer; all sniffed sequences in this document were
   created with it. Sniffit can be obtained from:
      http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
   Of course any other decent sniffer will do (but this one wears my personal
   marks and approval). (At time of writing a pre-release 0.3.2)

IP-spoofing (further referred to as spoofing)
   The forging of IP packets.
   NOTE that not only IP based protocols are spoofed.
   NOTE that spoofing is also used on a constructive base (LAN spoofing, not
   discussed here).
   NOTE that I don't use it on a constructive base ;)

Non-blind spoofing
   Using spoofing to interfere with a connection that sends packets along your
   subnet (so generally one of the 2 hosts involved is located on your subnet,
   or all data traffic has to be passing your network device, ... you might
   consider taking a job at some transatlantic route provider).

Blind spoofing
   Using spoofing to interfere with a connection (or creating one) that does
   not send packets along your cable.

2. Description of source code
-----------------------------

2.1 Source included
-------------------

spoofit.h
   The include file that provides some easy to use spoofing functions. To
   understand the include file and its functions, read the header of that
   file for use of the C functions.

*.c
   Example programs (on the use of spoofit.h) that are discussed in this
   document. Details on these programs are included in the appropriate
   sections.

   sniper-rst.c   Basic TCP connection killer. (denial-of-service)
   sniper-fin.c   Basic TCP connection killer. (denial-of-service)
   hijack.c       Simple automated telnet connection hijacker.

2.2 Programmer notes
--------------------

These programs are just examples. That means they could be improved a lot.
Because I wanted to keep them short and leave some stuff to your imagination,
they are very simple. However, they all work and are a good starting point.

3. TCP/IP (UDP) in a hazelnutshell
----------------------------------

Because it has been explained enough in 'Phrack Volume Seven, Issue
Forty-Eight, File 14 of 18' by daemon9/route/infinity, and there is a lot of
documentation available on the subject, I will only repeat some things very
briefly. (Please read the Phrack #48 file or any other document on the subject
before reading this.)

A connection is fully defined by 4 parameters: a source host and port, and a
destination host and port.

When you make a connection, data is sent in packets. Packets take care of low
level traffic, and make sure the data arrives (sometimes with special error
handling).

The spine of most networks is the IP protocol version 4. It is totally
independent of all hardware protocols. TCP and UDP are higher level protocols
wrapped up in IP packets.

All those packets consist of a header and data.

IP header contains (amongst other things): IP of source and destination hosts
for that packet, and the protocol type of the packet wrapped up in it.
(TCP=6, UDP=17, etc.)

UDP packets contain (amongst other things): port number of source and
destination host. UDP has no such thing as SEQ/ACK; it is a very weak protocol.

TCP packets contain (amongst other things): port number of source and
destination host, sequence and acknowledge numbers (further referred to as
SEQ/ACK), and a bunch of flags.

SEQ number: is counted byte per byte, and gives you the number of the NEXT
byte to be sent, or that is sent in this packet.
ACK number: is the SEQ number that is expected from the other host.
SEQ numbers are chosen at connection initiation.

I said I was going to be short... If you didn't understand the above text,
read up on it first, because you won't understand sh!t of the rest.

4. Non-blind spoofing
---------------------

4.1 Know what you are doing
---------------------------

The concept of non-blind spoofing (NBS further in this doc) is pretty simple.
Because packets travel within your reach, you can get the current sequence and
acknowledge (SEQ/ACK further in this doc) numbers on the connection. NBS is
thus a very easy and accurate method of attack, but limited to connections
going over your subnet.

In spoofing documentation these attacks are sometimes omitted, because they
are mostly 'denial-of-service' attacks, or because people don't realise the
advantage a spoof (in particular a hijack) can have over simple password
sniffing.

Spoofing in general is referred to as a very high level of attack. This refers
to blind spoofing (BlS further in this doc), because NBS is kidstuff for a
competent coder.

4.2 SYN flooding
----------------

Thoroughly discussed in 'Phrack Volume Seven, Issue Forty-Eight, File 13 of
18'. I won't waste much time on it.

Setup:
   host A <-----][----------X--------------->host B
                            |
   host S <-----------------/

Concept:
Host S impersonates a SYN (connection init) coming from host A, to host B.
Host A should be unreachable (e.g. turned off, non existent, ...).
B sends out the second packet of the 3 way TCP handshake. Host B will now wait
for a response from host A.

If host A is reachable it will tell host B (with a reset: RST) that it DID NOT
initiate a connection, and thus host B received a bogus packet.
(In that case host B will ignore the SYN, and *normally* nothing will happen.)

So if A is unreachable, B will wait for a response for some time. When doing
multiple attacks, the backlog of host B is going to be exceeded and host B will
not accept new connections (read on TCP bugs for additional features ;) for
some time.

4.3 Connection Killing
----------------------

Setup:
   host A <------X------------------------->host B
                 |                           A,B have a TCP connection running
   host S <------/                           A,S on same subnet
                                             (setup is the same in both cases)

Use:
Clearing mudders off your net, annoying that dude typing an important paper,
etc... plain fun.

4.3.1 Using reset (RST)
-----------------------

Concept:
TCP packets have flags which indicate the status of the packet, like RST. That
is a flag used to reset a connection. To be accepted, only the sequence number
has to be correct (there is no ACK in a RST packet).

So we are going to wait for packets in a connection between A and B. Assume we
wait for packets to A. We will calculate (from B's packets) the sequence number
for A's packets (from B's ACKs), and fire a bogus RST packet from S (faking to
be A) to B.

An actual attack:
(These are real sniffed packets, although IP numbers of hosts were changed.)

   host A : 166.66.66.1
   host B : 111.11.11.11
   (S on same subnet as A)

(This is a good example of how things do not always go as you want, see below
for a solution.)

1) connection running... we wait for a packet to get the current SEQ/ACK (A->B)

TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1810-111.11.11.11.23
   SEQ (hex): 57E1F2A6   ACK (hex): B8BD7679
   FLAGS: -AP---   Window: 3400
(data removed because irrelevant, 2 bytes data)

2) This is the ACK of it + included data (which causes the SEQ number to
   change, and thus messes up our scheme, because this came very fast.) (B->A)

TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1810
   SEQ (hex): B8BD7679   ACK (hex): 57E1F2A8
   FLAGS: -AP---   Window: 2238
(data removed because irrelevant, 2 bytes data)

3) ACK of it. (A->B)

TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1810-111.11.11.11.23
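The header layout from section 3 and the RST rule from 4.3.1 ("only the sequence number has to be correct"), worked through from the receiving host's side. This is an added example, not code from the original document or from spoofit.h: a sniffer-style parser for the IPv4/TCP headers, fed with packets constructed from the SEQ/ACK/window values in the dump above, and the receiver-side RST validation of RFC 5961 (the later mitigation, which the stacks in this text did not have) next to the classic any-in-window rule. Payload bytes, TTL and checksums (left at zero) are assumed, and the flag letters are printed in the UAPRSF order the dump shows.

```python
"""Parse IPv4/TCP headers the way a sniffer does, then apply RST validation.

Added example, not from the original document or spoofit.h. Packet bytes are
constructed from the SEQ/ACK/window values in the sniffed dump; payloads, TTL
and checksums are assumed (checksums are left at zero, not computed).
"""
import struct
from typing import NamedTuple

IPPROTO_TCP = 6      # protocol numbers named in section 3
IPPROTO_UDP = 17

# TCP flag bits and the letters Sniffit prints for them ("-AP---" = ACK+PSH)
TCP_FLAGS = [("U", 0x20), ("A", 0x10), ("P", 0x08),
             ("R", 0x04), ("S", 0x02), ("F", 0x01)]


class Segment(NamedTuple):
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    seq: int
    ack: int
    flags: str
    window: int
    payload: bytes


def parse_ipv4_tcp(raw: bytes) -> Segment:
    """Decode an IPv4 packet carrying TCP (IHL and data offset are honoured)."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    proto = raw[9]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    if proto != IPPROTO_TCP:
        raise ValueError(f"not TCP (protocol {proto})")
    tcp = raw[ihl:total_len]
    sport, dport, seq, ack, off_res, flagbits, window = struct.unpack("!HHIIBBH", tcp[:14])
    doff = (off_res >> 4) * 4
    flags = "".join(letter if flagbits & bit else "-" for letter, bit in TCP_FLAGS)
    return Segment(src, dst, proto, sport, dport, seq, ack, flags, window, tcp[doff:])


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flagbits, window, payload=b""):
    """Construct a minimal IPv4+TCP packet in memory as sample input (no checksums)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flagbits, window, 0, 0)
    tcp += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def seq_offset(seq, base):
    """Distance from base to seq in 32-bit modular sequence space."""
    return (seq - base) & 0xFFFFFFFF


def classic_rst_check(rst_seq, rcv_nxt, rcv_wnd):
    """Pre-RFC 5961 rule: any RST whose SEQ lands in the receive window resets."""
    return "reset" if seq_offset(rst_seq, rcv_nxt) < rcv_wnd else "drop"


def rfc5961_rst_check(rst_seq, rcv_nxt, rcv_wnd):
    """RFC 5961 s3.2: only an exact RCV.NXT match resets; other in-window SEQs
    get a challenge ACK (which a forger never sees), out-of-window is dropped."""
    off = seq_offset(rst_seq, rcv_nxt)
    if off == 0:
        return "reset"
    if off < rcv_wnd:
        return "challenge-ack"
    return "drop"


def demo():
    """Replay the two sniffed segments and judge candidate RST sequence numbers."""
    # Constructed from the dump values; the 2 payload bytes are assumed
    pkt1 = build_ipv4_tcp("166.66.66.1", "111.11.11.11", 1810, 23,
                          0x57E1F2A6, 0xB8BD7679, 0x18, 3400, b"\x0d\x0a")
    pkt2 = build_ipv4_tcp("111.11.11.11", "166.66.66.1", 23, 1810,
                          0xB8BD7679, 0x57E1F2A8, 0x18, 2238, b"\x0d\x0a")
    s1, s2 = parse_ipv4_tcp(pkt1), parse_ipv4_tcp(pkt2)
    # B's receive state for the A->B direction is exactly B's own ACK and window
    rcv_nxt, rcv_wnd = s2.ack, s2.window
    candidates = [("stale (pkt 1 SEQ)", s1.seq), ("exact", rcv_nxt),
                  ("in-window", rcv_nxt + 100), ("beyond window", rcv_nxt + rcv_wnd)]
    return {label: (classic_rst_check(seq, rcv_nxt, rcv_wnd),
                    rfc5961_rst_check(seq, rcv_nxt, rcv_wnd))
            for label, seq in candidates}


if __name__ == "__main__":
    for label, verdicts in demo().items():
        print(f"{label:20s} classic={verdicts[0]:6s} rfc5961={verdicts[1]}")
```

The run shows why the dump above is "a good example of how things do not always go as you want": a SEQ copied from packet 1 (57E1F2A6) is already behind B's RCV.NXT (57E1F2A8) once B has acknowledged the 2 data bytes, so both rules drop it, while only the exact value resets in either model. The in-window case is the one RFC 5961 changed: a 1996-era stack resets on any SEQ inside the window, a 5961 stack answers with a challenge ACK and keeps the connection.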
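The backlog condition from section 4.2 (host B waiting on SYNs whose source never answers) seen from the listening host's side, as an added example that is not part of the original document: a model of the half-open table a listener keeps, with the reaping timeout that bounds how long spoofed SYNs from an unreachable address hold a slot. Backlog size, timeout and the 10.0.0.x addresses are constructed values, not Linux 2.0 defaults.

```python
"""Half-open (SYN_RECV) backlog model for the condition described in 4.2.

Added example, not from the original document. Events, addresses, backlog
size and timeout are constructed values.
"""
from collections import OrderedDict


class SynBacklog:
    """A listener's table of half-open connections.

    A SYN takes a slot keyed by (src, sport); the handshake-completing ACK frees
    it; entries older than `timeout` are reaped. When every slot is held by a
    SYN whose source never replies (the unreachable host A of section 4.2),
    further SYNs are dropped until those entries expire.
    """

    def __init__(self, size, timeout):
        self.size, self.timeout = size, timeout
        self.half_open = OrderedDict()   # (src, sport) -> time the SYN arrived
        self.dropped = 0                 # what a monitor would alert on

    def _reap(self, now):
        stale = [k for k, t in self.half_open.items() if now - t >= self.timeout]
        for key in stale:
            del self.half_open[key]

    def on_syn(self, src, sport, now):
        self._reap(now)
        if (src, sport) in self.half_open:
            return "retransmit"
        if len(self.half_open) >= self.size:
            self.dropped += 1
            return "dropped"
        self.half_open[(src, sport)] = now
        return "syn-ack sent"

    def on_ack(self, src, sport, now):
        self._reap(now)
        if self.half_open.pop((src, sport), None) is None:
            return "no half-open entry"
        return "established"


def run_scenario():
    """Constructed stream: 5 SYNs from addresses that never answer, then a
    legitimate client, then the same client again after the timeout."""
    b = SynBacklog(size=5, timeout=75)
    outcomes = []
    for i in range(5):
        outcomes.append(b.on_syn(f"10.0.0.{100 + i}", 40000 + i, now=0))
    outcomes.append(b.on_syn("10.0.0.7", 2049, now=1))    # backlog full: dropped
    outcomes.append(b.on_syn("10.0.0.7", 2049, now=80))   # stale entries reaped
    outcomes.append(b.on_ack("10.0.0.7", 2049, now=80))
    return outcomes, len(b.half_open), b.dropped


if __name__ == "__main__":
    outcomes, pending, dropped = run_scenario()
    print(outcomes)
    print(f"half-open now: {pending}, dropped SYNs: {dropped}")
```

The drop counter and the half-open occupancy are the two signals worth watching on a listener: a table that stays full of entries that never complete, from addresses that never send anything else, is the pattern described in 4.2. The standard later mitigation, SYN cookies (RFC 4987), sidesteps the table entirely by encoding the state in the SYN-ACK's sequence number.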