Home page logo

basics logo Security Basics mailing list archives

RE: IP Session Hijacking And Spoofing
From: "Daniel R. Miessler" <danielrm26 () hotmail com>
Date: Fri, 22 Nov 2002 04:11:54 -0500

I have read some documentation on IP Spoofing, and from what I have
read, it
sounds like you must determine the sequence number of the host before
can spoof. However, I don't understand why you would have to determine
sequence if you are creating a new session with the host under a false
Wouldn't the creation of the new TCP session negotiate the sequence
at that time?

You never do create a session.  A session requires that you have a
three-way handshake, which you can't have when the packets being sent
from the victim are going to the address you are spoofing and not to

I also failed to understand how the traffic gets back to you if you
telling it to respond to another host. Can someone shine some light on
for me?

That's the trick; they don't get back to you.  :)  

When it comes to session high-jacking, how does one go about
determining the
sequence number on a host that uses a random number seed to create the
sequence? Is it some form of complex algorithms or is it just
unless you create the session?

Yes, it is something very complex, to be sure.  There are tools for
doing it, and the degree of difficulty is based on the method used to
create pseudo-random numbers on the target OS.  This is what you are
seeing when you nmap a host with the -O switch and get back, "Random
Positive Increments: GOOD LUCK!".  It is saying that is going to be very
hard to predict sequence numbers on that host for doing these sorts of


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]