Spoofing IP Addresses
February 19, 2008
There are many ways and many tools out there to spoof an IP address, hping and nmap for example.
The point is that you can’t trust the source field of an IP header: it can be set to anything and there is absolutely no authentication. It is ‘fire and forget’, though, since the sender won’t receive any reply. This is how you can spoof IP addresses with Python:
#!/usr/bin/env python
import socket, sys
from impacket import ImpactPacket

src = sys.argv[1]
dst = sys.argv[2]

# Create a new IP packet and set its source and destination addresses
ip = ImpactPacket.IP()
ip.set_ip_src(src)
ip.set_ip_dst(dst)

# Create a new ICMP packet of type echo request
icmp = ImpactPacket.ICMP()
icmp.set_icmp_type(icmp.ICMP_ECHO)

# Include a small payload inside the ICMP packet
# and have the IP packet contain the ICMP packet
icmp.contains(ImpactPacket.Data("a" * 100))
ip.contains(icmp)

# Raw socket; IP_HDRINCL tells the kernel that we supply the IP header ourselves
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)

# Give the ICMP packet some ID
icmp.set_icmp_id(1)

# Zero the checksum field; impacket computes the ICMP checksum when get_packet()
# builds the datagram (auto_checksum defaults to 1, so it is left on)
icmp.set_icmp_cksum(0)

s.sendto(ip.get_packet(), (dst, 0))
When run as follows:
# ./ipspoof.py 111.111.111.111 127.0.0.1
Note that you need to be root to run this, because the script uses raw sockets.
# tcpdump -i lo
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
13:03:52.680203 IP 111.111.111.111 > localhost: ICMP echo request, id 1, seq 0, length 108
13:03:52.680233 IP localhost > localhost: ICMP echo reply, id 1, seq 0, length 108
The most obvious thing you can do with this is something like a smurf attack. The smurf attack is old and outdated, but still an interesting DDoS attack. An attacker broadcasts spoofed ICMP Echo Requests. The spoofed source address is the intended target: the idea is that every host on the broadcast network replies to the same victim and potentially floods it with echo reply packets. On a large broadcast network, a great many hosts could be pinging the victim at once. The code for smurf is at http://www.phreak.org/archives/exploits/denial/smurf.c.
There are protections you can put in your firewall/gateway to prevent these, but it’s still an interesting attack, since it is so simple and easy.
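The defender's side of the same traffic, as an added example that is not part of the original post: a small script that reads tcpdump output in numeric form (`tcpdump -n`, so addresses rather than names like "localhost") and applies the checks an ingress filter on a gateway would apply. It flags echo requests whose source lies outside the prefixes that should appear on the monitored interface (the BCP 38 idea behind the "you can't trust the source field" point above), requests aimed at a subnet's broadcast address (the input a smurf amplifier receives), and echo replies from many distinct hosts converging on one address (what the smurf victim sees). The capture lines, the 192.0.2.0/24 prefix, the 203.0.113.5 victim and the reply threshold are all constructed for illustration.

```python
#!/usr/bin/env python3
# Added example, not part of the original post: detector-side checks for
# spoofed ICMP echo traffic, run over tcpdump -n output.
import ipaddress
import re

# Matches the echo request/reply lines tcpdump prints with -n (numeric addresses).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply)"
)

# Constructed sample capture: the two lines from the post in numeric form, a
# legitimate ping inside 192.0.2.0/24, and a smurf-style exchange: a spoofed
# request to the subnet broadcast followed by replies converging on 203.0.113.5.
SAMPLE_CAPTURE = """\
13:03:52.680203 IP 111.111.111.111 > 127.0.0.1: ICMP echo request, id 1, seq 0, length 108
13:03:52.680233 IP 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 1, seq 0, length 108
13:03:53.100000 IP 192.0.2.10 > 192.0.2.20: ICMP echo request, id 7, seq 1, length 64
13:03:53.100100 IP 192.0.2.20 > 192.0.2.10: ICMP echo reply, id 7, seq 1, length 64
13:03:54.000000 IP 203.0.113.5 > 192.0.2.255: ICMP echo request, id 9, seq 0, length 64
13:03:54.000200 IP 192.0.2.11 > 203.0.113.5: ICMP echo reply, id 9, seq 0, length 64
13:03:54.000300 IP 192.0.2.12 > 203.0.113.5: ICMP echo reply, id 9, seq 0, length 64
13:03:54.000400 IP 192.0.2.13 > 203.0.113.5: ICMP echo reply, id 9, seq 0, length 64
"""

# Prefixes that legitimately appear as sources on the monitored interface
# (an assumption for this example; a real deployment takes them from routing).
EXPECTED_PREFIXES = ("192.0.2.0/24",)


def parse_line(line):
    """Parse one tcpdump -n line; return None for anything that is not ICMP echo."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": ipaddress.ip_address(m.group("src")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "kind": m.group("kind"),
    }


def suspicious_reasons(pkt, nets):
    """Ingress-filter style checks on an echo request; an empty list means it looks fine."""
    src, dst = pkt["src"], pkt["dst"]
    reasons = []
    # BCP 38: a source that cannot legitimately originate here is spoofed or misrouted.
    if not any(src in n for n in nets):
        reasons.append("source %s outside expected prefixes" % src)
    if src.is_loopback or src.is_unspecified or src.is_multicast or src.is_reserved:
        reasons.append("source %s is a bogon" % src)
    # Directed or limited broadcast echo requests are the smurf amplifier's input.
    if dst == ipaddress.ip_address("255.255.255.255") or any(
        dst == n.broadcast_address for n in nets
    ):
        reasons.append("echo request to broadcast address %s" % dst)
    return reasons


def analyse(lines, prefixes=EXPECTED_PREFIXES, reply_sources_threshold=3):
    """Return alert strings for a capture: per-request alerts first, then amplification."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    alerts = []
    reply_sources = {}  # address receiving replies -> set of hosts that replied to it
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["kind"] == "request":
            reasons = suspicious_reasons(pkt, nets)
            if reasons:
                alerts.append("%s request %s > %s: %s" % (
                    pkt["ts"], pkt["src"], pkt["dst"], "; ".join(reasons)))
        else:
            reply_sources.setdefault(pkt["dst"], set()).add(pkt["src"])
    # Smurf symptom from the victim's side: replies from many distinct hosts at once.
    for victim, hosts in reply_sources.items():
        if len(hosts) >= reply_sources_threshold:
            alerts.append("%s received echo replies from %d distinct hosts "
                          "(amplification pattern)" % (victim, len(hosts)))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_CAPTURE.splitlines()):
        print(alert)
```

On the sample capture the first line from the post is flagged because 111.111.111.111 cannot originate inside 192.0.2.0/24, the broadcast-directed request is flagged on two counts, and 203.0.113.5 is reported as the target of replies from three distinct hosts; the legitimate ping between 192.0.2.10 and 192.0.2.20 produces nothing. The same source-prefix check is what a router applies when doing ingress filtering at the network edge, which is the standard protection against spoofed sources leaving or entering a network.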