Spoofing IP Addresses

February 19th, 2008 by webstersprodigy

There are many ways and many tools out there to spoof an IP address, hping and nmap for example.

The point is that you can’t trust the source address field of an IP header: anyone with a raw socket can write whatever they like into it, and there is absolutely no authentication. Although it is ‘fire and forget’, since any reply goes to the forged address rather than the sender, a lot of vulnerabilities have been discovered this way.

Anyway, it’s pretty trivial to write in Python.

#!/usr/bin/env python

import socket,sys
from impacket import ImpactDecoder, ImpactPacket

src = sys.argv[1]
dst = sys.argv[2]

#Create a new IP packet and set its source and destination addresses

ip = ImpactPacket.IP()
ip.set_ip_src(src)
ip.set_ip_dst(dst)

#Create a new ICMP packet

icmp = ImpactPacket.ICMP()
icmp.set_icmp_type(icmp.ICMP_ECHO)

#include a small payload inside the ICMP packet
#and have the IP packet contain the ICMP packet
icmp.contains(ImpactPacket.Data("a"*100))
ip.contains(icmp)

s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)

#give the ICMP packet some ID
icmp.set_icmp_id(1)
#calculate the ICMP checksum: impacket only fills the field in when it is
#currently zero and auto_checksum is on (its default of 1), so reset it to 0
#and leave auto_checksum enabled. With auto_checksum = 0 the packet would go
#out with a zero checksum, which only gets a reply on lo because the loopback
#interface skips checksum verification; on a real link it would be dropped.
icmp.set_icmp_cksum(0)
icmp.auto_checksum = 1
s.sendto(ip.get_packet(), (dst, 0))

When run as follows:

# ./ipspoof.py 111.111.111.111 127.0.0.1

Note that you need to be root to run this, because we are using raw sockets. There may be a way to get around that, but it adds complexity. Here is a tcpdump of the result:

# tcpdump -i lo
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
13:03:52.680203 IP 111.111.111.111 > localhost: ICMP echo request, id 1, seq 0, length 108
13:03:52.680233 IP localhost > localhost: ICMP echo reply, id 1, seq 0, length 108
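The capture shows the receiving side of the problem: nothing in the packet says whether 111.111.111.111 really sent it, so a host or router has to judge plausibility itself. The following is an added example, not code from the original post and not part of impacket: it parses a raw IPv4/ICMP datagram, verifies both checksums (a hand-built packet whose ICMP checksum was left at zero is only accepted on loopback), and applies a BCP 38 style ingress check to the source address, flagging a packet that arrives on lo claiming a non-loopback source, or one that arrives on an external interface claiming a martian or internal source. The packet bytes are constructed inline purely as test input; build_sample_icmp_echo, parse_ipv4_icmp and ingress_findings are names chosen here.

```python
import ipaddress
import struct

# Source prefixes that never legitimately arrive from the outside world
# (loopback, RFC 1918, link-local, multicast, "this" network): the martian
# subset of the bogon list a BCP 38 ingress filter carries.
MARTIAN_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]
# The only sources the loopback interface should ever see.
LOOPBACK_NETS = [ipaddress.ip_network("127.0.0.0/8")]


def internet_checksum(data):
    """RFC 1071 one's-complement sum over big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_icmp_echo(src, dst, icmp_id=1, seq=0, payload=b"a" * 100,
                           fill_icmp_cksum=True):
    """Constructed test input only (no socket involved): the bytes of an
    IPv4/ICMP echo request shaped like the one in the capture above.
    fill_icmp_cksum=False leaves the ICMP checksum at zero, as a packet
    built with checksumming switched off would be."""
    cksum = 0
    if fill_icmp_cksum:
        cksum = internet_checksum(struct.pack("!BBHHH", 8, 0, 0, icmp_id, seq) + payload)
    icmp = struct.pack("!BBHHH", 8, 0, cksum, icmp_id, seq) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    # the header checksum (bytes 10-11) is computed with that field zeroed
    ip_hdr = ip_hdr[:10] + struct.pack("!H", internet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def parse_ipv4_icmp(pkt):
    """Decode the IPv4 header and, for protocol 1, the ICMP header behind it,
    re-checksumming both: a correctly filled header sums to zero."""
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _cksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "version": ver_ihl >> 4,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "proto": proto,
        "ip_cksum_ok": internet_checksum(pkt[:ihl]) == 0,
    }
    if proto == 1:
        icmp = pkt[ihl:total_len]
        icmp_type, code, _c, icmp_id, seq = struct.unpack("!BBHHH", icmp[:8])
        info.update(icmp_type=icmp_type, icmp_code=code, icmp_id=icmp_id,
                    icmp_seq=seq, icmp_cksum_ok=internet_checksum(icmp) == 0)
    return info


def ingress_findings(info, expected_src_nets=None, own_nets=()):
    """BCP 38 style check. expected_src_nets: prefixes an internal interface
    legitimately receives sources from (e.g. LOOPBACK_NETS on lo). None means
    an external interface, where anything is allowed except martians and our
    own prefixes (own_nets), which can only originate inside."""
    src = ipaddress.ip_address(info["src"])
    findings = []
    if not info.get("ip_cksum_ok", False):
        findings.append("bad IPv4 header checksum")
    if info.get("proto") == 1 and not info.get("icmp_cksum_ok", False):
        findings.append("bad ICMP checksum (hand-built packet?)")
    if expected_src_nets is None:
        if any(src in n for n in MARTIAN_NETS):
            findings.append("martian source %s on external interface" % src)
        if any(src in n for n in own_nets):
            findings.append("external packet claims our own source %s" % src)
    elif not any(src in n for n in expected_src_nets):
        findings.append("source %s not expected on this interface" % src)
    return findings


if __name__ == "__main__":
    sample = build_sample_icmp_echo("111.111.111.111", "127.0.0.1")
    decoded = parse_ipv4_icmp(sample)
    print("%(src)s > %(dst)s ICMP type %(icmp_type)d id %(icmp_id)d" % decoded)
    for finding in ingress_findings(decoded, LOOPBACK_NETS):
        print("  !", finding)
```

Run stand-alone it decodes the sample and reports that a source of 111.111.111.111 is not expected on lo. The checksum checks are what would catch the packet on a real link; the interface-based source check is what catches it even when the checksums are perfect, which is why ingress filtering, not checksums, is the defence against spoofing.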

It’s important to note that while IP has no authentication, TCP does (whether or not there are holes in it).
