Last time we had a brief intro about IP spoofing. Today, we shall see how a spoofing attack actually takes place.

Methodology of Spoofing

Spoofing attacks differ from random scanning and other techniques used to ascertain holes in the system. Spoofing attacks occur only after a particular machine has been identified as vulnerable. By the time the cracker is ready to conduct a spoofing attack, he or she knows the target network is vulnerable and which machine is to be attacked.

Nearly all forms of spoofing (and there are types other than IP spoofing) rely on trust relationships within the target network. By trust, I don't mean human or application-layer trust. Instead, I refer to trust between machines.

In Novell networks, IP spoofing is accomplished by redefining this value in the NET.CFG file, which contains parameters that are loaded upon boot and connection to the network. NET.CFG includes many options for altering the configuration by hand. To sidestep possible problems with factory configurations, changes may be made directly to the interface using this file. Options include number of buffers, what protocols are to be bound to the card, port number, MDA values, and the node address.

Hardware address spoofing is, to a certain extent, also dependent upon the card. Cards that do not allow for software-driven settings of the hardware address are generally useless in this regard. You might be able to report an address, but in most instances, the technique does not actually work. Older cards support software-driven alteration of the address, usually with a jumper setting. (This is done by shorting out the jumper pins on the card.) A good example is the old Western Digital Ethernet card. Newer cards are more likely to automatically allow software-driven changes, whereas IRQ settings may still be a jumper issue. It is likely, however, that in the near future, Ethernet cards may not have jumpers at all, because plug-and-play technology has emerged.
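Because a card's hardware address can be set in software, a defender on the segment can track which hardware address each IP is seen with and flag any change. The following is an added example, not part of the original article; the observation tuples are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample observations: (timestamp, ip, hardware address).
OBSERVATIONS = [
    (1, "192.0.2.10", "00:00:c0:12:34:56"),
    (2, "192.0.2.11", "00:00:c0:ab:cd:ef"),
    (3, "192.0.2.10", "00:00:c0:12:34:56"),
    (4, "192.0.2.10", "02:00:00:aa:bb:cc"),  # same IP, new hardware address
    (5, "192.0.2.12", "00:00:c0:ab:cd:ef"),  # one card claiming a second IP
]

def locally_administered(mac):
    """True if the IEEE 'locally administered' bit (0x02 of octet 1) is set,
    meaning the address is not a manufacturer-assigned one."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def audit_bindings(observations):
    """Return a list of (timestamp, kind, detail) findings, in time order."""
    ip_to_mac = {}                  # last hardware address seen per IP
    mac_to_ips = defaultdict(set)   # every IP a hardware address has claimed
    findings = []
    for ts, ip, mac in sorted(observations):
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        is_new_binding = known != mac
        # A trusted IP suddenly answering from a different card.
        if known is not None and is_new_binding:
            findings.append((ts, "binding-changed", f"{ip}: {known} -> {mac}"))
        # Heuristic only: a software-set address may or may not set this bit.
        if is_new_binding and locally_administered(mac):
            findings.append((ts, "locally-administered", f"{ip} at {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        # One hardware address speaking for several IPs on the segment.
        if is_new_binding and len(mac_to_ips[mac]) > 1:
            ips = ", ".join(sorted(mac_to_ips[mac]))
            findings.append((ts, "address-shared", f"{mac}: {ips}"))
    return findings

if __name__ == "__main__":
    for finding in audit_bindings(OBSERVATIONS):
        print(finding)
```

Multi-homed hosts and replaced cards also trigger these findings, so each one is a prompt to check the machine, not proof of spoofing.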
This type of spoofing works because each machine on a given network segment trusts its pals on that same segment. Barring the installation of a hub that hardwire-routes packets to each machine, at least a few trust relationships between machines will exist within a segment. Most commonly, those machines know each other because their addresses are listed within some database on each machine. In IP-based networks, this is done using the IP address--I hope--or with the hostname. (Using hostnames is a potential security problem in itself. Whenever possible, hard numeric addresses should be used.) Machines within a network segment that are aware of the addresses of their
The copyright of the article Anatomy Of A Spoofing Attack in Internet Security is owned by . Permission to republish Anatomy Of A Spoofing Attack in print or online must be granted by the author in writing.