Timeless logo
Copyright © 2000 - Timeless
(ASCII art by Timeless using ASCII Picverter)

.--{ Lessons In Life }--.
by Timeless 29 Feb 2000

    It's human to err,
    We all know this,
    But all is wasted
    When the lesson is missed.

----------------------------------------------------------------
the 'YOU HEARD IT HERE FIRST' column
----------------------------------------------------------------

Spoofing the source address using two Windows 9x computers
by Timeless, 29 Feb 2000
================================================================

The following describes how to send packets into the 'net with
a fake source IP address. The source address being faked will
also mean that no replies will come back your way, so this can
only be used where you don't need to establish a connection
with the server.

For example, if you send an ICMP packet with "+++ATH0\n" in the
packet data to a host which uses an older modem, the modem will
disconnect. In case the modem doesn't disconnect, you don't
want the source IP address set to the one you're currently
using because that is traceable all the way back to your phone
line.

This spoofing can be achieved without even having to write your
own device drivers to generate IP packets with fake source
addresses.

We are going to use Windows 95/98 in this example. You will
need two computers networked together on a LAN, one of which
will have dial-up access to the 'net.

Here's a simple network diagram of what we need:

+-------------------------------------+
| hostname: lanhost1                  |
| IP address on NIC: 123.123.123.123  +-----+
| default gateway: 123.123.123.254    |     |
+-------------------------------------+     |
                                          (LAN)
+-------------------------------------+     |
| hostname: lanhost2                  |     |
| IP address on NIC: 123.123.123.254  +-----+
| default gateway: unset              |
| IP forwarding turned on (see below) +---(dial-up)---> ISP
+-------------------------------------+

NOTE: Please don't use these numbers - they're just examples!

Using private, or non-publicly routed IP addresses won't
necessarily work because some (most?) ISPs filter out any
packets which contain non-publicly routed IP addresses as the
source or destination address. So you will need to use publicly
routed IP addresses for your network interface cards (NICs).

The address ranges to avoid using are:

    10.x.x.x                       (private addresses)
    172.16.0.0 to 172.31.255.255   (private addresses)
    192.168.x.x                    (private addresses)
    127.x.x.x                      (used for localhost)
    224.x.x.x                      (reserved for IGMP)

Lanhost1 will be the host which generates the packets. The
packets will be stamped with 123.123.123.123 as the source IP
address. The packets will then be sent to the default gateway,
in this case 123.123.123.254.

The default gateway host must be dialed up to the Internet, and
must have IP forwarding turned on. When the packets arrive at
the gateway host, it will determine that the packets are not
destined for itself and that they should be forwarded on to its
default gateway (which will now be set to the dial-up device).
This means the packets will be sent out to the Internet, with
the source IP address set to 123.123.123.123.

To turn on IP forwarding in Windows 9x (reported to be fairly
unstable in Windows 95, although I have had no problems yet),
you will need to modify the system registry. You do so at your
own risk entirely of course. In fact, you do all of this at
your own risk!

You will need to add the following key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP

Then add a data item called:

    EnableRouting

and give it a value of 1. After a reboot IP forwarding will be
enabled. Now you can send spoofed packets to the 'net to your
heart's content.

So, I hear you ask, why doesn't my ISP just block all packets
coming in from their access servers which have source addresses
outside of their IP blocks? Well, the answer is all about the
user's choice. Firstly, no ISP can assume they know what you as
an Internet user need to do on the Internet. They can't block
these kinds of packets because some users may wish to make use
of asynchronous routing.

Asynchronous routing is where you would send packets out
through one connection, such as a dial-up connection, with the
source IP address set to that of your second incoming-only
connection to the Internet (such as a cable modem, satellite
link, leased line or even another async modem).

Blocking these packets may stir up quite an uproar, unless of
course your ISP's acceptable use policy does not allow you to
do this.

Windows NT has a check box for turning on IP forwarding in the
network properties dialogue box. Linux allows you to turn this
feature on in the kernel settings.

That's all for this article, maybe I'll dream up something for
the next one. Take care and play nicely.

- Timeless [.]

----------------------------------------------------------------
Disclaimer: The information provided here is for educational
purposes only! You are not encouraged to use this information
AT ALL, EVER! If you do so, then you do it entirely at your own
risk, and you personally accept all responsibilities for your
actions.
----------------------------------------------------------------
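
Added example (not part of the original article, and not any ISP's actual configuration): the source-address check the article asks about, as an access server could apply it per dial-up session, with a per-customer list of registered prefixes so the asynchronous routing case still passes. The session table, the function names and the 198.51.100.x / 203.0.113.x addresses are constructed for illustration.

```python
import ipaddress

# Ranges the article lists as filtered. 224.0.0.0/4 is the whole multicast
# block, which covers the article's 224.x.x.x entry.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "224.0.0.0/4",
)]

def check_source(src, session_addr, extra_prefixes=()):
    """Decide whether a packet arriving on one dial-up session is forwarded.

    session_addr   address the access server assigned to this session
    extra_prefixes prefixes the customer registered for a second,
                   incoming-only link (assumed provisioning step)
    """
    ip = ipaddress.ip_address(src)
    for net in NON_ROUTABLE:
        if ip in net:
            return False, f"non-routable source ({net})"
    if ip == ipaddress.ip_address(session_addr):
        return True, "matches session address"
    for prefix in extra_prefixes:
        if ip in ipaddress.ip_network(prefix):
            return True, f"registered prefix {prefix}"
    return False, "source not assigned to this session"

def audit(packets, sessions, registered):
    """Return (session, source, reason) for every packet that is dropped."""
    dropped = []
    for sid, src in packets:
        ok, reason = check_source(src, sessions[sid], registered.get(sid, ()))
        if not ok:
            dropped.append((sid, src, reason))
    return dropped

# Constructed sample data (documentation address ranges).
SESSIONS = {"ppp0": "198.51.100.7", "ppp1": "198.51.100.8"}
REGISTERED = {"ppp1": ["203.0.113.0/28"]}   # customer's second link
PACKETS = [
    ("ppp0", "198.51.100.7"),      # normal traffic
    ("ppp0", "123.123.123.123"),   # the article's forwarded LAN address
    ("ppp0", "192.168.1.10"),      # private source
    ("ppp1", "203.0.113.5"),       # registered second-link address
    ("ppp1", "203.0.113.200"),     # outside the registered /28
]

if __name__ == "__main__":
    for sid, src, reason in audit(PACKETS, SESSIONS, REGISTERED):
        print(f"DROP {sid} src={src}: {reason}")
```

Each dropped entry names the session it arrived on, which ties a forged source address back to the dial-up account that sent it.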