{"id":130233,"date":"2009-12-09T14:21:00","date_gmt":"2009-12-09T18:21:00","guid":{"rendered":"tag:blogger.com,1999:blog-7196788127833928948.post-6112915600326007522"},"modified":"2009-12-09T14:21:00","modified_gmt":"2009-12-09T18:21:00","slug":"summary-of-ip-spoofing","status":"publish","type":"post","link":"https:\/\/mereja.media\/index\/130233","title":{"rendered":"Summary of IP Spoofing"},"content":{"rendered":"<p>If you are using any sort of IP-based filtering within your application, then you need to evaluate how IP spoofing attacks affect your security controls. In order to make a fair evaluation you will need a basic understanding of IP spoofing attacks.<\/p>\n<p><a onblur=\"try {parent.deselectBloggerImageGracefully();} catch(e) {}\" href=\"http:\/\/3.bp.blogspot.com\/_Hu1rpxRsqcU\/Sx_sRHbp2rI\/AAAAAAAAAb4\/ToGUvNCsHZ4\/s1600-h\/bd_addr-spoofing.jpg\"><img decoding=\"async\" style=\"margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 301px; height: 320px;\" src=\"http:\/\/3.bp.blogspot.com\/_Hu1rpxRsqcU\/Sx_sRHbp2rI\/AAAAAAAAAb4\/ToGUvNCsHZ4\/s320\/bd_addr-spoofing.jpg\" alt=\"\" id=\"BLOGGER_PHOTO_ID_5413305055919594162\" border=\"0\" \/><\/a><br \/>Let&#8217;s look at two different scenarios.<\/p>\n<p><span style=\"font-weight: bold;\">Scenario #1<\/span> The attacker wants to spoof an arbitrary IP address and is not on the same subnet (broadcast domain) as the targeted IP address. Example: the attacker is 1.2.3.4 and wishes to spoof 4.5.6.7.<\/p>\n<p><span style=\"font-weight: bold;\">Scenario #2<\/span> The attacker wants to spoof the IP address of someone on his own subnet (broadcast domain). Example: the attacker is 192.168.1.55 and wishes to spoof 192.168.1.58 (assuming a subnet mask of 255.255.255.0).<\/p>\n<p><span style=\"font-weight: bold;\">Scenario #1<\/span><\/p>\n<p>The attacker can create forged TCP packets and modify the source IP address to be any value. 
One tool that can do this is <a href=\"http:\/\/sourceforge.net\/projects\/hping2\/\">HPING2<\/a>.<\/p>\n<p>What you can do:<\/p>\n<ul>\n<li>Send an initial TCP packet with any source IP address<\/li>\n<li>Send a series of UDP packets with any source IP address<\/li>\n<li>Send a series of unrelated TCP packets from the same or varying IP addresses<\/li>\n<\/ul>\n<p>What you can&#8217;t do:<\/p>\n<ul>\n<li>Receive any responses to your forged messages. The responses, if sent, would go to the forged IP address.<\/li>\n<li>Send a string of related TCP packets (e.g. reconstruct an actual TCP exchange). This is because you can&#8217;t complete the handshake or guess the necessary information to continue the TCP connection.<\/li>\n<\/ul>\n<p><span style=\"font-weight: bold;\">Scenario #2<\/span><\/p>\n<p>The attacker can perform a variety of attacks to forge or take over the IP address on the same subnet.<\/p>\n<p>Attack Options:<\/p>\n<ul>\n<li>Simplest &#8211; statically set your IP address to the target IP address<\/li>\n<li>Switch your MAC address to the MAC address of the current NIC for the target IP address and attempt to assume control of the IP address<\/li>\n<li>Execute a man-in-the-middle attack via ARP spoofing (see tool <a href=\"http:\/\/www.oxid.it\/cain.html\">Cain &amp; Abel<\/a>) and then gain control of the user&#8217;s unencrypted transmissions. You could likely modify or redirect traffic to accomplish your original spoofing goal.<\/li>\n<\/ul>\n<p>What you can do:<\/p>\n<ul>\n<li>Assume control of the IP address. Note: This means you can send\/receive valid data using the targeted IP address as your own. It does not grant you access to existing sessions that the user had with any websites (because you don&#8217;t have the user&#8217;s session cookies).<\/li>\n<\/ul>\n<p>What you can&#8217;t do:<\/p>\n<ul>\n<li>Intercept encrypted (e.g. 
SSL\/TLS) communication destined for the target IP address without alerting the targeted user in some way (a browser warning message for the MitM&#8217;s invalid certificate).<\/li>\n<\/ul>\n<p>Hope this is helpful. This is by no means an exhaustive list of attack techniques, but something to consider if you are using IP-related controls within an application.<\/p>\n<p>This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.<br \/>The original text is published on <a href=\"http:\/\/michael-coates.blogspot.com\/\">&#8230;Application Security&#8230;<\/a><\/p>\n<p>Talkback and comments are most welcome<\/p>\n<p>Related posts<br \/><a href=\"http:\/\/www.shortinfosec.net\/2008\/04\/dhcp-security-most-overlooked-service.html\">DHCP Security &#8211; The most overlooked service on the network<\/a><br \/><a href=\"http:\/\/www.shortinfosec.net\/2008\/07\/example-bypassing-wifi-mac-address.html\">Example &#8211; Bypassing WiFi MAC Address Restriction<\/a><br \/><a href=\"http:\/\/www.shortinfosec.net\/2008\/07\/obtaining-valid-mac-address-to-bypass.html\">Obtaining a valid MAC address to bypass WiFi MAC Restriction<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you are using any sort of IP-based filtering within your application, then you need to evaluate how IP spoofing attacks affect your security controls. 
In order to make a fair evaluation you will need a basic understanding of IP spoofing attacks. Let&#8217;s look at two different scenarios. Scenario #1 Attacker wants to spoof [&hellip;]<\/p>\n","protected":false},"author":5679,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-130233","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/130233","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/users\/5679"}],"replies":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/comments?post=130233"}],"version-history":[{"count":0,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/130233\/revisions"}],"wp:attachment":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/media?parent=130233"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/categories?post=130233"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/tags?post=130233"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}