S,
You're right in that before the operating system will even hand off the
socket to the web server process the three way handshake must be
completed first. If you can't view the return packets that you have no
idea what the web server chose as its Initial Sequence Number (ISN).
This is the biggest thing that you need to acquire in order to complete
that handshake blindly. You can use various tools (scapy, ISNsampler,
etc) to see if the remote TCP/IP stack uses a flawed algorithm to
generate that ISN number and if so construct a set of possible ISN's
that will be selected for the next connection and then create a group of
packets that contain the possible next ISN. This topic is covered in
two very important papers related to this topic here:
http://lcamtuf.coredump.cx/newtcp/ He actually graphs the ISN's to 3d
and is able to generate sets of ISN's that are potentially the next
selected ISN.
Good luck,
Z
-----Original Message-----
From: kuffya@gmail.com [mailto:kuffya@gmail.com]
Sent: Friday, September 02, 2005 9:12 AM
To: pen-test@securityfocus.com
Subject: Multiple Spoofed HTTP Requests
Hi list,
I've used a variety of tools such as Nemesis, Packet Xcalibur & Libnet
GUI to craft customized packets. Using such tools, you can create
packets at layers 2 up to 5 possibly spoofing your source IP, port
numbers or whatever you see fit.
The question is : Would it be possible to craft a HTTP request(or
multiple requests) using a spoofed IP address? I'm inclined to consider
that it's not, the reason being you must have a 3-way handshake
established before you can start talking application layer protocols
(such as HTTP). If you use a spoofed IP address, then there's no way of
doing that. On the other hand, I might be totally wrong, that's why I'm
asking the list, for the list is wise.
If, however, it is possible could you please give me some directions on
how to do it?
Thanks a lot
S.
------------------------------------------------------------------------
------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on
your website. Up to 75% of cyber attacks are launched on shopping carts,
forms, login pages, dynamic content etc. Firewalls, SSL and locked-down
servers are futile against web application hacking. Check your website
for vulnerabilities to SQL injection, Cross site scripting and other web
attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------
-------
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
