>question). Since the intruder does not get the return packets he
>must be able to predict the sequence numbers and machine y's
>responses. In general the intruder uses this to rlogin to machine Y
although, if you are on the same segment you could in fact use a Sniffer to get the packet back. Writing code to "hook" your sniffer software into your spoofing software would be your best bet. Then you could actually keep a 2 way conversation going as long as the intended receiver "X" is not servicing packets (SYN flood).
I have seen code for several sniffers floating around the net, "Sniffer" for linux/solaris is free w/source from... err... well you can do a net search :)
From: Alex F[SMTP:alexf @
Sent: Tuesday, August 27, 1996 8:59 AM
To: Wearen Life
Cc: Firewalls @
Subject: Re: Hacking
> I am trying to understand how exactly firewalls work. And I have to say
> that this has helped me a lot. What interests me is how do most hackers get
> past firewalls? I have heard of IP spoofing and sequencing but it would be
> nice if someone could explain in detail how those methods work. And where
> would I be able to find the source code to some of those methods.
IP spoofing is basically when someone finds a trusted relationship
between machine X and Y. The intruder then tries to connect to
machine Y pretending to be machine X. In order to do this the
TCP/IP sequence numbers on machine Y need to be predictable.
Generally speaking sequence numbers increase by 128,000 for every new
connection, and by 64,000 for each packet after the connection. The
intruder alters the IP level of the packet to show a source address
of machine X. Replies from machine Y will actually be sent to
machine X, so machine X must be busied out (at least the port in
question). Since the intruder does not get the return packets he
must be able to predict the sequence numbers and machine Y's
responses. In general the intruder uses this to rlogin to machine Y
and put a "+ +" in an .rhosts file. There are, however, other methods
than rlogin to get in w/ IP Spoofing. Now the intruder can rlogin
normally to that machine.
Source code for ipspoof.c can be found
around the net. Try www.engarde.com. This source code is missing a
library called ipbpf.h, which can be bought from EnGarde (I think
around $250). You can also write it yourself. Code for busying out
hosts is in the latest issue of 2600 Magazine, which can be found at
most larger bookstores (Borders, Barnes & Noble). I'm sure that
there's more complete spoofing code around the net somewhere, but I
am not sure where.
Firewalls can prevent this quite easily by applying the following:
If the address is from inside, but the packet is coming from outside,
then drop and log the packet.
Something like 3 out of 5 firewalls are misconfigured out there.
Methods such as source porting, source routing, IP Fragmentation, IP
Encapsulation are ways to get through misconfigured firewalls. More
detailed info on source porting, routing, IP Spoofing, etc. can be
found on our web site. Try
For IP fragmentation info, try RFC 1858.
Hope this helps,
Alex F alexf @
net | "Good artists copy.
Marketing Specialist | Great artists steal"
Internet Security Systems | - Pablo Picasso
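The anti-spoofing rule Alex describes (an internal source address arriving on the outside interface is dropped and logged) as an added example, not code from the list thread; it also applies the mirror-image egress check, which the post does not mention. The interface names and the internal address ranges are assumptions for the example.

```python
import ipaddress
import logging

# Constructed example: the address space the firewall protects. A real
# deployment would take these from the firewall's interface configuration.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

log = logging.getLogger("antispoof")


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the protected internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(iface: str, src: str, dst: str) -> str:
    """Return 'drop' or 'accept' for a packet seen on iface ('outside'/'inside').

    Ingress rule (the one in the post): a packet claiming an inside source but
    arriving from outside is spoofed, so drop it and log it.
    Egress rule (added): a packet leaving the inside with a non-inside source
    is spoofing someone else, so drop it too.
    """
    src_internal = is_internal(src)
    if iface == "outside" and src_internal:
        log.warning("drop: internal src %s on outside iface (dst %s)", src, dst)
        return "drop"
    if iface == "inside" and not src_internal:
        log.warning("drop: external src %s on inside iface (dst %s)", src, dst)
        return "drop"
    return "accept"


# Constructed sample traffic: (interface, source, destination).
SAMPLE_PACKETS = [
    ("outside", "10.1.2.3", "10.9.9.9"),        # spoofed: inside src from outside
    ("outside", "203.0.113.5", "10.9.9.9"),     # normal inbound
    ("inside", "10.1.2.3", "203.0.113.5"),      # normal outbound
    ("inside", "203.0.113.7", "10.9.9.9"),      # spoofed: outside src from inside
]


def run_filter(packets=SAMPLE_PACKETS):
    """Apply the rule to each packet; returns a list of (packet, verdict)."""
    return [(p, filter_packet(*p)) for p in packets]
```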