Myths about TCP Spoofing _________________________________________________________________ By: Grandmaster Plague To many l33t h4x0rs and aspiring hackers, the myth is perpetuated that the surest way to not get caught at whatever it is you're doing on the internet is to "spoof" your IP address. I fully intend to clarify this belief and give examples of when spoofing can be best used. What is it? "Spoofing" is a process by which the IP address of your machine is made to appear different from what it really is. The purpose of this is so as to hide your true point of origin. Example: if your real IP is 138.13.233.182 and you spoofed it to 199.199.199.199 then your IP address would show up as 199.199.199.199 in the remote machine's logs, thus your real IP address is unknown. Many newbies (and others) think that if they get a magical "IP Spoofer" program which modifies the Source IP address (and maybe the Source MAC address) field of each outgoing packet that nobody on the Internet will know what their true IP address is. But wait... The problem with this belief is that TCP (and most other network protocols) is a two-way street. This means that for just about everything you send out to a computer on a network, you expect a response back. This is a problem because if the remote machine thinks that your IP address is 199.199.199.199 and your address is really not, then the machine will try to send information back to that spoofed address and you won't get the information (because it's not your address). TCP specific If you still think that you can use IP Spoofing for the "one-way" protocols (like rexec, etc.) on the Internet, think again. The problem is that if you want to be connected to the Internet, your machine must speak TCP/IP. TCP/IP is the foundation for the Internet, thus, every higher level protocol (such as HTTP, FTP, etc.) must use TCP/IP. TCP/IP gets information from point A to point B, what happens when it gets there is the responsibility of higher level protocols. Now, the reason that this is a problem is that TCP has a built in "feature" that makes sure information is going to and from the right place. This is called the "TCP Three-way handshake". Basically, it makes EVERY Internet communication a two-way street. Here's how it works. Assume machine A and machine B are starting a communication. Machine A says "I'm machine A", machine B responds "I'm machine B, you say you're machine A?", machine A then responds "Yes machine B, I'm machine A". A packet must pass this little test in order to be recieved by machine B. As you can see, all communication on the Internet gets turned into a two-way street. Two Solutions There are two simple solutions to this. The first solution is for one way communications, it is called "Blind Spoofing". The theory behind blind spoofing boils down to timing. Essentially, a machine (let's call it XYZ) fakes the TCP three-way handshake by saying "I'm machine FOO", then waiting for a bit as machine B responds to machine FOO, then saying "Yes machine B, I'm machine FOO". Machine FOO won't know what's going on because it will just ignore the packets that machine B sends to it, thinking that machine B is in error, and machine B won't know what's going on because it's receiving responses from machine FOO (which are really coming from machine XYZ). So, machine XYZ has fooled machine B into thinking that it is really machine FOO and it thus passes the three-way handshake. This can only work well in one-way settings, where it is not necessary that the client get any feedback from the server. An example of this is SMTP. You could blindly spoof your IP address to an SMTP server (to make it think that you're an internal IP), and thus get your mail message sent to someone else with a different originating IP. The second solution to this is a little bit tricky. It is the best way to spoof when you want information back from the server. This solution is called "Active Spoofing". Active spoofing boils down to Blind spoofing, but at the same time, you are sniffing communications going back to the spoofed host. Use the example above, but you are also sniffing the packets going from machine B to machine FOO. In order for this to work, you must either be on the same hubbed subnet as machine FOO, or you can do some route table modification to get the information to pass through your machine. You then watch what machine B sends to machine FOO for the entire session. This is an extremely complicated process and changes from protocol to protocol. Currently, I am not aware of any tools that automate this process. Conclusion Spoofing isn't really all it's cracked up to be. It isn't the be all to end all of covering your tracks. It does have it's interesting uses (sending fake mail, rexec, and more), but is extremely difficult to implement if you want information back from the target host. If you really want to cover your tracks, it's better to route all your traffic through some wingates (or something). There are loads of IP spoofers out there some are more useful than others. If you want to hack up your own spoofer you can use rawsocks. Alternately, you can use spoof (a spoofing library) availible at: http://kalug.lug.net/coding/nettools/index.html The code includes sample. For more information on spoofing, read _Hack_Proofing_Your_Network_ availible from Syngress Books (Chapter 11 is all about spoofing) it's really a great read, I recommend it.