Mailing List Archive

Spoofing...
In running some tests, I've found a system that is vulnerable to
nessus' teso_telnet.nasl attack. But when I told the admins about
it, they said that because it was protected by a router and only
certain addresses could connect to it, it was not as big a problem
as I was claiming.

My manager suggested that I try to spoof the address of one of the
machines that is allowed to connect to this system. So I've been
trying to edit teso_telnet.nasl into an attack that uses forged
packets with a particular source address.

My problem is that I'm not sure that this attack is possible with
forged addresses. The 3-way handshake can't complete, can it?
Basically, I'm fairly confused. Can I perform this attack with
a spoofed address? Anyone want to offer up a clue?

Thanks.

Benny
Re: Spoofing...
>
> My problem is that I'm not sure that this attack is possible with
> forged addresses. The 3-way handshake can't complete, can it?

As soon as your kernel sees the incoming SYN/ACK (after your spoofed SYN)
from the target machine it will send out a RST.

> Basically, I'm fairly confused. Can I perform this attack with
> a spoofed address? Anyone want to offer up a clue?

This is just my opinion, but after running a NESSUS scan it is now time to
break out your toolkit and attempt to get a remote shell. Do your spoofing
via your OS (not during a NESSUS scan) and run the actual exploit code
against the machine. The source code is up on bugtraq and (probably)
packetstorm. Or, send me an email offline and I'll shoot you a copy.

>
> Thanks.
>
> Benny
>

HTH,

John Lampe
https://f00dikator.hn.org/
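The point John makes above (the spoofed host's kernel answers the unsolicited SYN/ACK with a RST, so the handshake never completes) can be walked through in a toy model. This is an added example, not code from the thread; the three hosts, their IPs and the router ACL are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Seg:
    src: str
    dst: str
    flags: str  # "SYN", "SYN/ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0

class Host:
    def __init__(self, ip, acl=None):
        self.ip, self.acl = ip, acl  # acl = allowed source IPs; None = unfiltered
        self.sent_syn, self.half_open, self.established = {}, {}, set()
        self.inbox = []              # every segment that actually reached this host
    def connect(self, dst):          # a real socket call: the kernel records its ISN
        self.sent_syn[dst] = 100
        return Seg(self.ip, dst, "SYN", seq=100)
    def receive(self, s):
        self.inbox.append(s)
        if self.acl is not None and s.src not in self.acl:
            return None              # router/ACL drops the segment silently
        if s.flags == "SYN":
            self.half_open[s.src] = 500
            return Seg(self.ip, s.src, "SYN/ACK", seq=500, ack=s.seq + 1)
        if s.flags == "SYN/ACK":
            if s.src in self.sent_syn:   # we asked for this: finish the handshake
                self.established.add(s.src)
                return Seg(self.ip, s.src, "ACK", seq=s.ack, ack=s.seq + 1)
            return Seg(self.ip, s.src, "RST", seq=s.ack)  # unsolicited: reset it
        if s.flags == "ACK" and s.src in self.half_open:
            self.established.add(s.src)
        if s.flags == "RST":
            self.half_open.pop(s.src, None)  # the half-open entry is torn down
        return None

def deliver(hosts, seg, trace):
    # Route by destination IP and keep forwarding replies until the wire is quiet.
    while seg is not None:
        trace.append((seg.src, seg.dst, seg.flags))
        seg = hosts[seg.dst].receive(seg)

def run(src, real=False):
    # real=True: the trusted host really connects; otherwise a crafted SYN with src.
    target = Host("10.0.0.1", acl={"10.0.0.2"})  # constructed: only 10.0.0.2 allowed
    trusted, attacker = Host("10.0.0.2"), Host("10.0.0.9")
    hosts, trace = {h.ip: h for h in (target, trusted, attacker)}, []
    syn = trusted.connect(target.ip) if real else Seg(src, target.ip, "SYN", seq=1)
    deliver(hosts, syn, trace)
    return {"trace": trace, "target_established": sorted(target.established),
            "attacker_saw_synack": any(s.flags == "SYN/ACK" for s in attacker.inbox)}
```

Running it with `run("10.0.0.2", real=True)` completes the handshake, `run("10.0.0.2")` (a SYN forged with the trusted address) ends in SYN, SYN/ACK, RST with nothing established and the SYN/ACK never reaching the forger, and `run("10.0.0.9")` shows the ACL dropping the SYN outright.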