>
>>
>> There is a tool floating around called TAP which is a kernel mod that
>> allows you to easily watch streams on SunOS, and capture what a person
>> is typing. It is easy to modify so that you could actually write to
>> the stream, thus emulating that person and hijacking their terminal
>> connection.
>>
>> To load the modules, the intruder does a modload to add the module to
>> the kernel. One way to detect the hijacking tool is to do a
>>
>> modstat
>>
>> and see if there are any unfamiliar modules loaded. An intruder could trojan
>> modstat, so it might be worthwhile to check the integrity of modstat.
>>
>>
>
>I'm less concerned about the IP spoofing attack method than I am curious
>about this TAP tool. Does anyone have any detailed/technical information
>on this in particular?
If you're hijacking *connections*, isn't it much easier to just steal
the filehandles in the kernel?
(Just go to a process's file table and add that process's file * to
your open set, e.g., by implementing a new system call, interprocess
dup: int ipcdup(int pid, int fd))
Can't be more than four or five lines of kernel code.
Casper
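As an added defender-side example (not part of this thread), here is a POSIX shell script for the detection advice quoted above: it compares a saved module listing against the current one and checks the checksum of the listing tool itself, since the first poster notes that modstat could be trojaned. The listing format (module name as the last whitespace-separated field) and the use of cksum are assumptions; the listing files in the test are constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes the module name is the last
# field of each line of a modstat-style listing (adjust if your format differs).
# The baseline listing and the expected checksum should be kept on read-only
# or offline media, otherwise an intruder who trojans the tool can fix them up.

# unfamiliar_modules BASELINE CURRENT
# Prints module names present in CURRENT but absent from BASELINE.
# Returns 0 if nothing new is loaded, 1 otherwise.
unfamiliar_modules() {
    baseline=$1
    current=$2
    new=$(awk 'NR == FNR { seen[$NF] = 1; next }
               NF > 0 && !($NF in seen) { print $NF }' "$baseline" "$current")
    [ -z "$new" ] && return 0
    printf '%s\n' "$new"
    return 1
}

# check_tool_integrity PATH EXPECTED_CRC
# Compares the POSIX cksum CRC of PATH with a previously recorded value.
# Returns 0 on match, 1 on mismatch (possible trojaned tool).
check_tool_integrity() {
    actual=$(cksum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# report BASELINE CURRENT TOOL EXPECTED_CRC
# Runs both checks and returns non-zero if either one fails.
report() {
    status=0
    check_tool_integrity "$3" "$4" || { echo "WARNING: $3 checksum mismatch"; status=1; }
    unfamiliar_modules "$1" "$2" || status=1
    return $status
}
```

On a live system the current listing would be produced by running the listing tool, e.g. `modstat > /tmp/modules.now`, and then `report /secure/modules.baseline /tmp/modules.now /usr/etc/modstat <recorded-crc>`.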