Chapter8 Phase3: Gaining Access Using Network Attacks

Spoofing Attack against Unix Trust Relationships

1.Attacker interacts with targeted trusting server to determine predictability of initial sequence number

2.Attacker launches a denial-of-service attack (eg. SYN flood or smurf attack) against trusted system to force it not to respond to a spoofed TCP connection

3.Attacker rsh to targeted trusting server using spoofed IP address of trusted server

4.Trusting server sends an SYN-ACK packet to the unresponsive trusted server

5.Attacker sends an ACK packet to trusting server with a guess at the sequence number. If ISN is correct, a connection is made.

6.Although attacker cannot initially see reply packets from trusting server, attacker can issue command to append “++” to hosts.equiv or .rhosts file. Trusting server will now trust all machines. IP spoofing is no longer needed