Just something that came to mind today ....
Is it somehow possible to "filter" and change data that is being transfered? I mean in theory, it sounds like it would, because it sounds logic ^^
Like if I send a file on msn, I send a picture, but I have a program running that will change all the data of that picture that is being sent, to something else, like something "malicious", so that when the contact uses the files, it will spread my evil deeds (or happy deeds, or mr deeds) all over tah computah...
Ok so I'm just tired, it's late... and I need sleep... but I would like to discuss the possibilities of this ^^
Packeforging during transfer?
Packeforging during transfer?
"The best place to hide a tree, is in a forest"
-
bad_brain
- Site Owner
- Posts: 11636
- Joined: 06 Apr 2005, 16:00
- 19
- Location: In your eye floaters.
- Contact:
hm, wouldn't it make more sense as part of a man in the middle attack? like you capture data sent from user 1 to user 2 and you edit it before it reaches user 2? because if you are the sender of the data anyway you don't need to edit the data while being sent if you can send the data directly anyway, right? ^^
meh, I think I also need some sleep....
but so much for now: the biggest problem would be to edit the data in realtime, because to do this you would have to know in advance already what will be send so you can replace specific patterns.
but in general it's no problem, with Wireshark for example you can edit captured packets (and whole sequences) and re-send them.
meh, I think I also need some sleep....
but so much for now: the biggest problem would be to edit the data in realtime, because to do this you would have to know in advance already what will be send so you can replace specific patterns.
but in general it's no problem, with Wireshark for example you can edit captured packets (and whole sequences) and re-send them.
Its like session hijacking, you would eventually have to take over the connection between your two targets. As man in the middle you need to pretend you are two computers - the reciever from target one (as the file is broken up in to packets you have to ack each one) and as the sender to computer number two - you take over the session between the two computers and send your file instead.
Simply though, its more like a virus - you would have a file type virus that perpetuates everytime the file is used.
DNR
Simply though, its more like a virus - you would have a file type virus that perpetuates everytime the file is used.
DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
-
n3rd
- Staff Member
- Posts: 1474
- Joined: 15 Nov 2005, 17:00
- 18
- Location: my own perfect world in ma head :)
- Contact:
so basicly the following setup would suffice?: Cats computers | Computer A | Computer target then Computer A alters the packets right?
To add to that, a friend of mine uses this setup to hack games, he edits his packets with computer A which is also in his network.
To add to that, a friend of mine uses this setup to hack games, he edits his packets with computer A which is also in his network.
[img]http://img580.imageshack.us/img580/8009/userbar2k.png[/img]
Although that kind of hack can be done on the computer you are sitting at, so technically, this idea would somewhat work =/ ... like send a "picture" on someone, and since they believe they are receiving an image, they wont suspect anything, thus making the possibilities of a succeeded attack higher.
"The best place to hide a tree, is in a forest"
BTW, the simplest I suppose would be to change the gateway or router to the attackers computer - then all traffic is routed through the attacker's box, and you can check the packets before they are passed on. (people send email everyday and never know if it actually was sent yet). This is called the poisoned ARP tactic.
I also modded packets of a IM converstation and injected it while the two people were talking. It was on my segment of network in college. I was packetsniffing their convo, and then I used an app in the sniffer program to recraft a packet (easy as you are just changing the data part, not the complex headers). The application then easily guesses the sequence number (also easy to do because of a flaw in TCP - you can just put a higher seq number in the header). So I got person #1 to insult person #2, when the fireworks started, the two students stood up in class like "WTF". This is called the side-blind spoof.
This tactic is the real man-in-the-middle hack - the actual session hijack.
The key here is to shut out computer A from computer B, and tricking computer B into talking to you as if you were computer A. The goal is to wait until after authentication was performed, the three-way hand shake (this is the security flaw in TCP, it relies on this for authentication, and then the rest of the converstation is not really monitored). Once the handshake is completed, there really is no security to prevent someone from taking over the converstation. Once the handshake is completed, TCP then relies on Sequence and Acknowledgement numbers for 'authentication'.
What the attacker does is performs a denial of service attack on computer A to keep it from talking to computer B. The attacker then sends packets to Computer B, crafted with its own IP, but using the same Port number and the same seq and ack packets. TCP allows you to change the IP during a session, but not the port - otherwise you would need to perform another thre-way handshake, authentication.
You must keep computer A from contacting computer B, otherwise they will reset the converstation and re-do the three-way handshake. Hence the DoS attack on computer A.
yea, very complex. I wrote all this out real quick and without my morning coffee. If you want to continue this, let me wake up!
I still think the best way would be to infect the target computer with a virus that will inject itself into the traffic - like adding a sig to every email sent or replacing any .jpg sent with yours. The virus would have to be crafted to attack certain files or ports.
DNR
I also modded packets of a IM converstation and injected it while the two people were talking. It was on my segment of network in college. I was packetsniffing their convo, and then I used an app in the sniffer program to recraft a packet (easy as you are just changing the data part, not the complex headers). The application then easily guesses the sequence number (also easy to do because of a flaw in TCP - you can just put a higher seq number in the header). So I got person #1 to insult person #2, when the fireworks started, the two students stood up in class like "WTF". This is called the side-blind spoof.
This tactic is the real man-in-the-middle hack - the actual session hijack.
The key here is to shut out computer A from computer B, and tricking computer B into talking to you as if you were computer A. The goal is to wait until after authentication was performed, the three-way hand shake (this is the security flaw in TCP, it relies on this for authentication, and then the rest of the converstation is not really monitored). Once the handshake is completed, there really is no security to prevent someone from taking over the converstation. Once the handshake is completed, TCP then relies on Sequence and Acknowledgement numbers for 'authentication'.
TCP is kind of dumb, it looks at the seq and ack numbers and the port numbers during the converstation. So you can change the IP/mac adress in the headers and TCP will not consider it a security issue.Once the hijacker reads the TCP header, he can know the sequence number expected by the server , the acknowledgement number, the ports and the protocol numbers ; so that hijacker can forge the packet and send it to the server before the client does so.
What the attacker does is performs a denial of service attack on computer A to keep it from talking to computer B. The attacker then sends packets to Computer B, crafted with its own IP, but using the same Port number and the same seq and ack packets. TCP allows you to change the IP during a session, but not the port - otherwise you would need to perform another thre-way handshake, authentication.
You must keep computer A from contacting computer B, otherwise they will reset the converstation and re-do the three-way handshake. Hence the DoS attack on computer A.
yea, very complex. I wrote all this out real quick and without my morning coffee. If you want to continue this, let me wake up!
I still think the best way would be to infect the target computer with a virus that will inject itself into the traffic - like adding a sig to every email sent or replacing any .jpg sent with yours. The virus would have to be crafted to attack certain files or ports.
DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
I think of all the hacks you can use to impress people, session hijacking is most impressive. Anyone can set an app to cracking passwords, but it takes some quick thinking to take over a converstation as it is happening.
You can also hijack a session that failed to close properly. Back in the old days I could sit down at a computer, and as long as the previous user did not close the browser (or reboot) I could re-use a cookie and impersonate that person. It is similar to "remember my password on this computer" if that is selected, then only the cookie is used to authenticate the user.
Now days admins make cookies expire or use say port and session ID for validation. If you try to intiate the convo with the cookie, but with the wrong port or session ID, it fails.
DNR
You can also hijack a session that failed to close properly. Back in the old days I could sit down at a computer, and as long as the previous user did not close the browser (or reboot) I could re-use a cookie and impersonate that person. It is similar to "remember my password on this computer" if that is selected, then only the cookie is used to authenticate the user.
Now days admins make cookies expire or use say port and session ID for validation. If you try to intiate the convo with the cookie, but with the wrong port or session ID, it fails.
DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.