Questions about IP spoofing

Post by 6sygma on Mon Feb 18, 2013 5:08 am

Hello all,

I'm new to this forum so first off, let me introduce myself: 6sygma :) In my everyday life I run a very small business selling IT solutions to end users.

Anyways, at the office we have a HG520 with a static IP as the gateway. I recently decided to look into its security and I was quite surprised to discover how vulnerable it is. I managed to learn how to get the admin password in 2 different ways, how to escalate user privileges to admin ones, and all this from outside the office network. This sent a chill down my spine. Since then I de-activated all services for the WAN: no more HTTP, Telnet, ICMP, etc. I also activated the FW but left aside the SPI for now. Now I'm wondering if it is possible to still get past the FW? I'm pretty sure we're still not safe.

I want to test this theory by using IP spoofing to try and fool the gateway into letting me access the config on the web server and modify settings. HTTP is still accessible from the inside, so I want to spoof from outside the TCP packets' source address to an internal IP like 192.168.1.7. However it seems that if I spoof a machine which is on the network, that trusted machine will send a TCP RST packet, thus killing my attempt. I therefore have the following 2 questions and would greatly appreciate any help on this:

Question 1: If I spoof an internal IP that isn't attributed to a machine on the network, then nobody should send a TCP packet with the RST flag raised to the gateway, right? This might give me enough time to predict the TCP sequence, gain a "real handshake" and continue predicting the responses of the web server and sending it the right packets until I open up again the web interface for the outside world. Am I correct in assuming this?

Question 2: Since I'm operating remotely [from home] with a D-Link router and a dynamic IP, would the TCP packet with the spoofed source address be accepted and passed on by the routers along the way at my ISP? Please note: my ISP is quite primitive and careless, I must say.

Thanks in advance for any answers.
6*Σ


Re: Questions about IP spoofing

Post by WallShadow on Mon Feb 18, 2013 10:16 am

First up, welcome to HTS!

Second, unfortunately due to the way internet routers work, if you set the destination IP to 192.168.1.7 or some other internal IP address, it will simply be dropped by the first ISP router that gets it (there are probably anywhere from 3 to 20 internet routers between you and your office if you are on different networks). Even if it isn't dropped, it won't get anywhere because the address 192.168.1.7 isn't assigned to anyone on the internet. It will either get dropped at some point, or cause an infinite echo of routing packets between hundreds of panicking internet routers, thus destroying the internet as we know it. Let's hope that doesn't happen <3

Third, what you say about the TCP RST packet being sent is very interesting. I've actually been wondering about sending TCP packets with a guessed seq or ack number. The reason the RST is sent out by the spoofed station is because it receives a SYN-ACK response from the station you are trying to fool. The spoofed station realizes that the TCP connection is no longer open (because it never existed in the first place) and sends a packet to kill the communication.

To answer your question, yes, if you spoof a machine that doesn't actually exist on the network, it should work fine. But now that I think about it, sending guessed seq and ack numbers is VERY inefficient, however still doable. There are probably some side-channel attacks by timing how long it takes to respond in order to choose the right ack number from a giant list of guessed numbers. It would be simpler to send the packets with a spoofed IP and MAC address (of a non-existent machine) from that same LAN or WAN, but not from outside the network, and then listen for the responses from that. The fact that you sent it from your location is enough for the response packets to be carried straight back to you. Because you spoofed the packets directly from where you are, the switches, routers, and access points should send it back directly to you (note: you will need promiscuous or monitor mode enabled to detect the packets). Then you don't even need to guess, just answer the SYN-ACK packet (with a spoofed IP and MAC of course) and like that, you have a full connection.

If you find anything on this, post back. I'll try to do some of my own research as well on this!

- WallShadow <3


Re: Questions about IP spoofing

Post by 6sygma on Mon Feb 18, 2013 1:40 pm

Hello WallShadow,

Thanks for welcoming me and for your detailed reply.

Now just to clarify: what I want to do is spoof the source address, not the dest one. I want to send from my home gateway a TCP packet with a header that roughly looks like this:

+-----------------------------------------------------+
| srce IP: 192.168.1.x     | dest IP: 41.x.x.x        |
| source port: 80          | destination port: 8080   |
| Other TCP header stuff (sequence, etc.)             |
+-----------------------------------------------------+

Note: 41.x.x.x = my office public static IP.

The idea is that my home gateway will pass it on to the ISP routers, who will carry it one hop at a time all the way to the office. Now of course, I need to check 1st that my home gateway or any intermediary ISP router isn't going to fiddle with this packet and change the srce IP, or simply drop it in the bit bucket because the srce IP is a reserved private one, as you so well said. I might handle my home gateway with a NAT maybe? I frankly don't know how to do that right now. Well anyways, if the packet does arrive, my office gateway looks like this:

+-------------------+--interf----------------------------interf--+
|--- office LAN---|--eth0---[ [HG520 gateway] ]---eth1---|----internet
+-------------------+---------------------------------------------+

My theory is that even though this packet will arrive on the wrong interface (eth1) at its destination (the office), the FW will let it through because the source IP is an internal one. I'm assuming the HG520 FW implements the weak host model and doesn't check which interface the packet came from. If this is the case, then it should be possible to select an unused internal IP address, figure out in part the TCP sequencing used by the gateway, and carpet bomb it with response packets to predict the remainder and complete a handshake. Even if it takes thousands of attempts it should be doable in theory. For example, if I can figure out half of the 32 bits then I have only about 65500 packets to send, which is doable. Good thing is that there seems to be a vulnerability on port 0xAAAA for this gateway model which reveals the device's MAC address, what the internal IPs are, how many hosts are on the LAN, etc.

The task ahead of me does seem massive but the implications appear to make it worthwhile. If my theory turns out to be true then unless the router can be made secure by activating SPI, it needs to be thrown in the bin, and we'll have to invest in something more solid for the office.

So the to-do list right now is as so:

1) Figure out the right packet setup for initial tests.
2) Craft the packet using hping or some similar tool.
3) Figure out how to get them through the gateway and out without the src IP being changed. (NAT maybe?)
4) Identify a method to verify at the office if these packets are arriving.

If anyone has any ideas, input, comments or suggestions they would be more than welcome!

Regards,
6*Σ

-- Sun Feb 24, 2013 5:14 am --

Just to update anyone who is interested:

I managed to find another instance of the web server running on another port than the usual one. This instance is intended for the mgt interface of the cwmp service. However this service is deactivated, so the server doesn't do anything: it only responds to one GET request for a specific page. Otherwise it tells you you've got a bad request, or page not found. I can see that the server implements 4 methods though: GET, PUT, POST and HEAD.

I'll try to see if I can "put" anything on this server. It doesn't seem obvious at all but if it works it could be a vulnerability.

Regards,
6*Σ
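Both WallShadow's point (a packet with a private source address should be dropped by the first router that sees it) and 6sygma's worry (a gateway that does not check which interface a packet arrived on will trust an "internal" source address coming in from the WAN) come down to the same control: interface-aware anti-spoofing, the reverse-path check that Linux exposes as rp_filter and that BCP 38 asks ISPs and gateways to do. The script below is an added example written for this thread, not code from the HG520 or from either poster. It assumes a gateway with LAN interface eth0 on 192.168.1.0/24 and WAN interface eth1 with a placeholder public address (203.0.113.10, a documentation range), and the sample packets are constructed. It shows the check the thread hopes the HG520 lacks: a source of 192.168.1.7 arriving on eth1 is dropped before any firewall rule keyed on "internal source" gets to see it, and a LAN host trying to send with a foreign source is dropped on the way out.

```python
"""Interface-aware (strong host model) anti-spoofing filter for a gateway.

Added example for this thread; not HG520 firmware code.
Assumptions: LAN on eth0 = 192.168.1.0/24, WAN on eth1 = 203.0.113.10
(placeholder public address). All packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass

LAN_IF = "eth0"
WAN_IF = "eth1"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # assumed office LAN
WAN_ADDR = ipaddress.ip_address("203.0.113.10")     # placeholder public IP

# Source ranges that can never legitimately arrive from the internet side:
# RFC 1918 private space, loopback, link-local and the "this network" block.
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


@dataclass
class Packet:
    in_if: str   # interface the packet was received on
    src: str     # source IP as written in the header
    dst: str     # destination IP


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def filter_packet(pkt: Packet):
    """Return (verdict, reason); verdict is "drop" or "accept".

    The decision depends on the *arrival interface*, which is what a weak
    host model ignores and what this check insists on.
    """
    src = ipaddress.ip_address(pkt.src)
    if pkt.in_if == WAN_IF:
        # Ingress check: an address from our own LAN cannot arrive from the
        # internet, so the packet is spoofed regardless of any later rule.
        if src in LAN_NET:
            return "drop", "spoofed LAN source on WAN interface"
        if _in_any(src, BOGONS):
            return "drop", "bogon source on WAN interface"
        return "accept", "external source on WAN interface"
    if pkt.in_if == LAN_IF:
        # Egress check (BCP 38): only our own LAN range may leave via eth0,
        # so a LAN host cannot send packets claiming someone else's address.
        if src not in LAN_NET:
            return "drop", "non-LAN source leaving via LAN interface"
        return "accept", "LAN source on LAN interface"
    return "drop", "unknown interface %s" % pkt.in_if


# Constructed sample traffic, one line per case the thread discusses.
SAMPLE_PACKETS = [
    Packet("eth1", "192.168.1.7", "203.0.113.10"),   # spoofed internal src from WAN
    Packet("eth1", "10.0.0.1", "203.0.113.10"),      # private (bogon) src from WAN
    Packet("eth1", "198.51.100.5", "203.0.113.10"),  # ordinary external client
    Packet("eth0", "192.168.1.7", "198.51.100.5"),   # LAN host going out, fine
    Packet("eth0", "10.9.8.7", "198.51.100.5"),      # LAN host spoofing its src
]


def audit(packets):
    """Run the filter over a batch and return one log line per packet."""
    lines = []
    for p in packets:
        verdict, reason = filter_packet(p)
        lines.append("%s %s -> %s: %s (%s)" % (p.in_if, p.src, p.dst, verdict, reason))
    return lines


if __name__ == "__main__":
    for line in audit(SAMPLE_PACKETS):
        print(line)
```

On a real Linux gateway the same effect comes from net.ipv4.conf.all.rp_filter=1 plus firewall rules that match on the input interface (for example iptables -i eth1 -s 192.168.0.0/16 -j DROP) rather than on the source address alone; a consumer router that offers no interface-based rule is exactly the case where an "internal source" exception is worth distrusting.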


