From: Valdis.Kletnieks () vt edu
To: Ian stuart Turnbull <ian.t7 () hotmail co uk>
CC: bmenrigh () ucsd edu, full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] info on ip spoofing please Date: Tue, 11 Apr
2006 17:11:53 -0400
Received: from turing-police.cc.vt.edu ([184.108.40.206]) by
bay0-pamc1-f9.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.1830); Tue,
11 Apr 2006 14:11:54 -0700
Received: from turing-police.cc.vt.edu (localhost [127.0.0.1])by
turing-police.cc.vt.edu (8.13.6/8.13.6) with ESMTP id k3BLBrYM022370;Tue,
11 Apr 2006 17:11:53 -0400
X-Mailer: exmh version 2.7.2 01/07/2005 with nmh-1.1-RC3
References: <BAY112-F317806DFA70F524FB8414599CD0 () phx gbl>
Return-Path: Valdis.Kletnieks () vt edu
X-OriginalArrivalTime: 11 Apr 2006 21:11:55.0180 (UTC)
On Tue, 11 Apr 2006 21:54:50 BST, Ian stuart Turnbull said:
> Excellent response Brendon. Thanks heaps.
> I was reading the infamous Markoff / Tsutomu Shimomura attack at
That was *Mitnick*, not Markoff - Markoff wrote a book or 3 about it later.
> and I guess I assumed that as they did not know each other personally
> Markoff must have found a way to locate 2 computers conversing with each
> other randomly? Perhaps this assumption was not correct?
> Though from the test it appears Markoff DID find a way of doing this -
> finding 2 computers talking to each other NOT on his own LAN /
Well, at that time, it was a pretty good guess that if you found hostnames
george.site.dom, paul.site.dom, john.site.dom, and ringo.site.dom, and all
had rsh enabled, that there was a lot of rsh traffic between them, and
a .rhost trust between them so you wouldn't need a password....
And what Mitnick's attack did *wasnt* finding 2 computers *talking*.
In fact, the attack relied on finding a trusted computer *not* talking (or
making it not talk).
What he did was:
1) Bash george.site.dom over the head with SYN packets to make it STFU.
2) Send paul.site.dom a forged SYN packet claiming to be from george.
3) Paul sends a syn/ack to george, who can't send an RST because it's STFU.
4) send a forged ACK for the syn/ack claiming to be from george.
5) Send the rest of the TCP datastream.
The only tough part is knowing what ISN will be on the syn/ack so you can
ack it properly - and in that day, just poking its 'finger' port or
noting *that* ISN, and adding 32K or similar constant was almost guaranteed