Spoofing IP Addresses
February 19, 2008 Leave a comment
There are many ways and many tools out there to spoof an IP address.
hping and nmap for example.
The point is you can’t trust the source field of the IP, since it can be written and there is absolutely no authentication. Although it is ‘fire and forget’ since the sender won’t receive any reply. This is how you can spoof IP addresses wit Python
#!/usr/bin/env python import socket,sys from impacket import ImpactDecoder, ImpactPacket src = sys.argv dst = sys.argv #Create a new IP packet and set its source and destination addresses ip = ImpactPacket.IP() ip.set_ip_src(src) ip.set_ip_dst(dst) #Create a new ICMP packet icmp = ImpactPacket.ICMP() icmp.set_icmp_type(icmp.ICMP_ECHO) #inlude a small payload inside the ICMP packet #and have the ip packet contain the ICMP packet icmp.contains(ImpactPacket.Data("a"*100)) ip.contains(icmp) s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1) #give the ICMP packet some ID icmp.set_icmp_id(1) #calculate checksum icmp.set_icmp_cksum(0) icmp.auto_checksum = 0 s.sendto(ip.get_packet(), (dst, 0))
When run as follows:
# ./ipspoof.py 220.127.116.11 127.0.0.1
Note you need to be root to run this. This is because we are messing with raw sockets.
# tcpdump -i lo
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
13:03:52.680203 IP 18.104.22.168 > localhost: ICMP echo request, id 1, seq 0, length 108
13:03:52.680233 IP localhost > localhost: ICMP echo reply, id 1, seq 0, length 108
The most obvious thing you can do with this is like a smurf attack. The smurf attack is old and outdated, but still interesting ddos attack. An attacker broadcasts spoofed ICMP Echo Requests. The spoofed address is the intended target, as the idea is that everyone will reply to the same guy and potentially flood him with echo response packets. By using a large broadcast network, there could be a large number of hosts pinging at once. The code for smurf is at http://www.phreak.org/archives/exploits/denial/smurf.c.
There are protections you can put in your firewall/gateway to prevent these, but it’s still an interesting attack, since it is so simple and easy.