Training session 11: IP Spoofing
Difficulty: Medium
Learn how IP Spoofing works
Creator: m101


Now you may ask why we would bother to spoof IP addresses, or spoof anything at all. The answers vary, but it is nearly always to gain something in one way or another. A spoofed IP may be used to fake login attempts, DoS a computer without much possibility of being traced, reroute results to another computer, or even to send the required data to a Quake server to make the person who is winning quit and lose his/her score.

Firstly you must understand that a TCP connection is nearly impossible to spoof over any length of time, because you would have to intercept the return packets, which are addressed to another IP. That can become extremely difficult, but it is not totally impossible.

When you are chatting away on IRC, you probably don't realise what is actually going on. You are constantly sending information back and forth between your computer and the IRC server you are connected to. Under most circumstances the connection is going to be either UDP or TCP. So what? What does this mean to us? Well, UDP is connectionless: you send a packet, and it doesn't matter whether the packet even reaches the destination; neither computer really cares. This protocol is normally used for games, streaming media, and web pages, as it really doesn't matter whether the data ever reaches the destination. TCP uses acknowledgement, so if a packet never arrives, the sending computer is told and the packet is resent, making the connection a lot more secure than UDP. Now let us examine a basic packet:

ICMP ECHO REQUEST (ping)

Part  Field        Size      Value
1     IP_Version   4 bits    4
1     IP_HdrLen    4 bits    5
1     IP_Tos       8 bits    0
1     IP_TotLen    16 bits   48
1     IP_Id        16 bits   1
1     IP_FragOff   16 bits   0
1     IP_TTL       8 bits    128
1     IP_Proto     8 bits    1
1     IP_Hcksum    16 bits   [Checksum]
1     IP_Src       32 bits   [Dynamic IP]
1     IP_Dst       32 bits   195.249.9.78
2     ICMP_Type    8 bits    8
2     ICMP_Code    8 bits    0
2     ICMP_Cksum   16 bits   [Checksum]
2     ICMP_ID      16 bits   1
2     ICMP_Seq     16 bits   0
2     ICMP_Data    20 bytes  data

Ok, that packet would send a simple ping to the destination IP address. It is exactly what typing 'ping 195.249.9.78' in your shell produces. Now let us examine what all of this means:

1 IP_HdrLen 4 5

1: Which part of the packet the field belongs to (1 = the IP header, 2 = the data carried by the packet)
IP_HdrLen: Basic explanation of what the field stands for
4: The size of the field, in bits
5: The data value that is contained in the field

Information about the packet. It contains the destination and source IP addresses, the protocol the packet is using, the header checksum, and how long (TTL) the packet may traverse the internet before it is discarded:

Part  Field        Size      Value
1     IP_Version   4 bits    4
1     IP_HdrLen    4 bits    5
1     IP_Tos       8 bits    0
1     IP_TotLen    16 bits   48
1     IP_Id        16 bits   1
1     IP_FragOff   16 bits   0
1     IP_TTL       8 bits    128
1     IP_Proto     8 bits    1
1     IP_Hcksum    16 bits   [Checksum]
1     IP_Src       32 bits   [Dynamic IP]
1     IP_Dst       32 bits   195.249.9.78

The data contained in the packet that is being sent:

Part  Field        Size      Value
2     ICMP_Type    8 bits    8
2     ICMP_Code    8 bits    0
2     ICMP_Cksum   16 bits   [Checksum]
2     ICMP_ID      16 bits   1
2     ICMP_Seq     16 bits   0
2     ICMP_Data    20 bytes  data
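The two [Checksum] placeholders in the tables are the only fields that cannot simply be copied from the table, so here is an added example (not code from the original tutorial or its author) that builds the ping packet exactly as the tables lay it out, computes both checksums with the RFC 1071 Internet checksum, and then decodes the bytes back into the tutorial's field names the way a sniffer would, verifying the checksums on the way. The "[Dynamic IP]" source is replaced by 192.0.2.10, a documentation address chosen for the example, and the 20 bytes of ICMP_Data are a constructed payload.

```python
"""Added example: build the ICMP echo request from the tables above,
fill in both [Checksum] fields, then decode and verify it the way a
sniffer would. Not part of the original tutorial."""
import socket
import struct

# Constructed stand-in for "[Dynamic IP]" (192.0.2.0/24 is a documentation
# range, so it never belongs to a real host). IP_Dst is the table's value.
SRC_IP = "192.0.2.10"
DST_IP = "195.249.9.78"
IP_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
ICMP_FMT = "!BBHHH"        # 8-byte ICMP echo header


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src=SRC_IP, dst=DST_IP, ident=1, seq=0,
                       payload=b"data" * 5):
    """Return the raw bytes of the tutorial's ping packet (IP_TotLen = 48)."""
    # ICMP part: type 8 (echo request), code 0, checksum over header + data,
    # computed with the checksum field set to zero.
    icmp_cksum = rfc1071_checksum(struct.pack(ICMP_FMT, 8, 0, 0, ident, seq) + payload)
    icmp = struct.pack(ICMP_FMT, 8, 0, icmp_cksum, ident, seq) + payload

    def ip_header(cksum):
        # version 4 / IHL 5, TOS 0, total length, ID 1, no fragmentation,
        # TTL 128, protocol 1 (ICMP), checksum, source, destination
        return struct.pack(IP_FMT, (4 << 4) | 5, 0, 20 + len(icmp), 1, 0,
                           128, 1, cksum, socket.inet_aton(src),
                           socket.inet_aton(dst))

    # The IP checksum covers the header only and is computed with the
    # field zeroed, then written into place.
    return ip_header(rfc1071_checksum(ip_header(0))) + icmp


def parse_packet(pkt: bytes) -> dict:
    """Decode the IP and ICMP headers into the tutorial's field names and
    verify both checksums (a correct header re-sums to zero)."""
    (version_ihl, tos, total_len, ip_id, frag_off, ttl, proto, _hcksum,
     src, dst) = struct.unpack(IP_FMT, pkt[:20])
    ihl = (version_ihl & 0x0F) * 4
    fields = {
        "IP_Version": version_ihl >> 4, "IP_HdrLen": version_ihl & 0x0F,
        "IP_Tos": tos, "IP_TotLen": total_len, "IP_Id": ip_id,
        "IP_FragOff": frag_off, "IP_TTL": ttl, "IP_Proto": proto,
        "IP_Src": socket.inet_ntoa(src), "IP_Dst": socket.inet_ntoa(dst),
        "ip_checksum_ok": rfc1071_checksum(pkt[:ihl]) == 0,
    }
    if proto == 1:  # ICMP
        icmp = pkt[ihl:total_len]
        icmp_type, code, _cksum, ident, seq = struct.unpack(ICMP_FMT, icmp[:8])
        fields.update({
            "ICMP_Type": icmp_type, "ICMP_Code": code, "ICMP_ID": ident,
            "ICMP_Seq": seq, "ICMP_Data": icmp[8:],
            "icmp_checksum_ok": rfc1071_checksum(icmp) == 0,
        })
    return fields


if __name__ == "__main__":
    decoded = parse_packet(build_echo_request())
    for name, value in decoded.items():
        print(f"{name:16} {value}")
```

Note that the IP header checksum only protects the header and is recomputed by every router, so it says nothing about who really sent the packet; the decoder above tells you the bytes are intact, not that IP_Src is honest.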

So now you should have a basic idea of how a packet is formed and what happens when one is sent. You should also have realised that by merely changing IP_Src to the IP you choose, the receiving computer will reply to the IP you choose, and you will have 'spoofed' the packet.

Now you will probably think, "Who cares, I can spoof a ping, like that is going to be of any use", but the theory can be applied to other situations. For example, if you were to intercept the packet that is sent to a Quake server to disconnect, reassemble the packet, and change the source IP address, you could force other players to disconnect. The following is an example of this in practice:

Part  Field         Size      Value
1     IP_Version    4 bits    4
1     IP_HdrLen     4 bits    5
1     IP_Tos        8 bits    0
1     IP_TotLen     16 bits   40
1     IP_Id         16 bits   0
1     IP_FragOff    16 bits   0
1     IP_TTL        8 bits    32
1     IP_Proto      8 bits    17
1     IP_Hcksum     16 bits   [Checksum]
1     IP_Src        32 bits   139.134.216.69
1     IP_Dst        32 bits   203.55.240.1
2     udp_sport     16 bits   1045
2     udp_dport     16 bits   26000
2     udp_length    16 bits   20
2     udp_csum      16 bits   0
2     Qproto_flags  16 bits   8000 (hex)
2     Qproto_len    16 bits   000c (hex)
2     Qproto_conn   8 bits    01 (hex)
2     Qproto_game1  16 bits   5155 (hex)
2     Qproto_game2  16 bits   414b (hex)
2     Qproto_game3  16 bits   4500 (hex)
2     Qproto_ver    8 bits    03 (hex)

This packet will only do something if you are using the correct version of NetQuake, and only NetQuake, but the principle can still be studied. You will also notice that the packet uses the UDP protocol (IP_Proto 17) and therefore never acknowledges the request to quit; the server just disconnects the victim.

To send that packet, you can either use wINJECT for winblows, or hping2 for linux. To receive the results from any packet you send, pretty much any sniffer will give you the results. Hopefully now you should have a better idea of how IP addresses are faked.
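Because UDP (and a bare IP packet in general) gives the receiver no handshake with which to check IP_Src, the only place a forged source can be caught is on the path, by comparing the claimed source with the link it arrived on. The following is an added example of that ingress/egress filtering check (BCP 38 style); it is not code from the tutorial. The inside prefix 203.0.113.0/24, the outside host 198.51.100.7 and the interface names are constructed for the example; 139.134.216.69 is the forged source from the Quake packet above, shown here leaving a network it does not belong to.

```python
"""Added example: classify decoded packets by whether their source address
is plausible on the interface they arrived on (ingress/egress filtering).
Not part of the original tutorial."""
import ipaddress

# Constructed site layout: our own address space (a documentation range).
INSIDE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source ranges that should never appear on a packet from the Internet:
# "this" network, loopback, link-local, RFC 1918 private space, multicast
# and reserved space.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def classify(src: str, iface: str) -> str:
    """iface is 'outside' (arrived from the Internet) or 'inside' (arrived
    from our LAN). Returns 'ok' or the reason the packet should be dropped
    and logged."""
    addr = ipaddress.ip_address(src)
    if _in_any(addr, BOGONS):
        return "drop: bogon/private source address"
    ours = _in_any(addr, INSIDE_PREFIXES)
    if iface == "outside" and ours:
        # Nobody on the Internet legitimately sends from our prefix.
        return "drop: our own prefix arriving from the Internet (spoofed)"
    if iface == "inside" and not ours:
        # Stops hosts on our LAN from forging other people's addresses.
        return "drop: foreign source leaving our network (egress filter)"
    return "ok"


# Constructed sample of already-decoded packets: (IP_Src, arrival interface)
SAMPLE = [
    ("198.51.100.7", "outside"),    # ordinary Internet host
    ("203.0.113.5", "outside"),     # claims to be one of ours: spoofed
    ("10.1.2.3", "outside"),        # RFC 1918 source on the public side
    ("203.0.113.9", "inside"),      # our host talking out, fine
    ("139.134.216.69", "inside"),   # the tutorial's forged source, leaving
]


def filter_report(samples=SAMPLE):
    """Return (src, iface, verdict) for every sample packet."""
    return [(src, iface, classify(src, iface)) for src, iface in samples]


if __name__ == "__main__":
    for src, iface, verdict in filter_report():
        print(f"{src:16} {iface:8} {verdict}")
```

The check is deliberately per-link: a router can only know which sources belong behind each of its own interfaces, which is why forged sources are filtered most effectively near their origin rather than at the victim.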