Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] Somebody has tried to break in. What to do with him?
  • From: "Kurt Seifried" <listuser@xxxxxxxxxxxx>
  • Date: Fri, 4 Jan 2002 15:35:33 -0700
  • Message-id: <004501c19570$1f69fcc0$6400030a@xxxxxxxxxxxx>
>This cannot be easily used, i.e. not by script kiddies, since you
>need to sniff the answer packets (at least in scans; in exploit
>not necessarily if you guess the seqs). Those answer packets get
>routed to the faked IP and so you'd need control over a router in
>between...

No. You simply need a single box anywhere near the path that either directly
sees the packets, or can arp poison/etc to see them. Or an end host that
will accept them (like someone's hacked home machine on adsl).

>Well, then you have either to guess seq no, which is in case of
>linux not trivial or to sniff the answer packets. Usually you
>have to do something to prevent B from sending RST. So it's not
>that easy...

I control B. end of story there =).

>Well, in the same subnet it's not a problem. Maybe you can fake
>a switch with ARP fakes, but it's harder to spoof a router. In
>contrast to UDP (which is happily used by windows :-) SCNR) it's
>not trivial to spoof it.

You need to go take a look at dsniff, very user friendly.

>Well, it's a networking protocol :)

And that is the wrong attitude (why we are in this mess right now =).

>Steffen

-Kurt

