there for four years, and lots of times I've used IP spoofing, because the customers put us on a network that is not allowed to go anywhere, so we have to spoof our IP addresses to get connections.

First, I have some free stuff if anyone is interested. There you are. These slides I mailed to DT; I hope he will put them on some web page somewhere. I will not, but DT will; I will mail him how to. I'm trying to see them on my computer at the same time.

What we will talk about today: I will say some things first, and then we'll have a definition of spoofing, it's a very short one, one slide; and Linux configuration, how to set up Linux, it's three lines; and sniffing. There will be some things about passive network mapping, because it's a cool way to find out which hosts are up and what services are running that you can't access from your normal IP address. Then we'll talk about how to set up IP spoofing with source routing, so we will have some slides about source routing first, and then it's vanilla IP spoofing, how easily it is set up, and then an ending, and there will be time to get to the Cult of the Dead Cow show, but it will be a hard time to get in there.

Full discussion of spoofing: there are so many people that think that IP spoofing is something very hard to do and that it's very difficult to set up, but I will show you how easily it is done, with full connections. I will not take up examples of session hijacking; it's making your own connections, full own connections, with spoofing. Yeah, I'll give you one minute. No, it says that IP spoofing is used to go through filtering routers or firewalls. Yes, so it's a rule-based router or firewall that says like A is not allowed to go to B but C is okay; I change my IP address to C and it's okay. And it really is okay. It sounds easy, and it is easy; that's the point I'm going to give here, because... yeah, I will come to the point later. If you have any questions, we have some questions at the end, but it's so simple, so if you ask a question maybe people will start looking at you. It's a way to get rid of questions.

So how do you configure your Linux box? Well, we use Slackware; we like it because it's simple, and you have to do everything on it; you have to download all the libraries by yourself and so on, but when you've got it running it is perfect. In the kernel you have to enable IP forwarding, if it's not done already. All hackers use it; it's one way, if you are doing redirects or something, it's the easiest way to make everything easy. And the next one: the default of "IP: drop source routed frames" is enabled; it drops all source routed frames. On the Linux box you have to disable that option so your computer is vulnerable to source routed frames. And IP aliasing: it's like you have lots of IP addresses on your network card, eth0:0 for example. That's it.

Now we're sitting on an untrusted network; we are C.3, and with Siphon, it's a very good passive network mapper, it's by Subterrain Security Group. Are they here today? No, they're drunk. And you can see traffic with Siphon; it's just a passive network mapper; you have to start it and it will show up that E.2 has port 80 open, because someone is surfing to that box; in this example it's B.2. Okay, now we know that port 80 is open on that one. When we try to connect to it from C.3 we don't get any answers. Why? Yeah, probably C.2, the router C.2, is filtering that traffic out; it just allows computers on the B network to reach this port on that computer. That's why we use passive network mapping; it's a very good key to IP spoofing. I just had to write this in too, because I love that tool. It also shows if B.2 makes a login to E.2; it shows up. And then I try to log in, I don't get any connection. But it always comes down to tcpdump of course, and one use of it here is looking for what IP address sends the packets and the MAC addresses of the packets; it will become important later. So an arrow from B.2 to B.2, nice, good.

So, five minutes, and half the speech is over, because this is so easy. As I said, some people think it's very hard to do, but after the show you know how to do it.

Why source route? What is source routing used for anyway? Why is it enabled by default on the routers? Yeah, maybe you have two different ways to a network. You are A.3 and I want to go to B.3; you can go through router A.1 on the slow, cheap line or A.2 on a fast, expensive line. You may choose, with source routing, "I'll choose A.2" or something. I will show how it is done. And maybe you're connected to a network with the same network number; it can be done, but the router A.1 doesn't know which network it will choose, but I may choose, only for my network packets. But not many use source routed frames today; hackers do, and I'll show you now. If you are A.2 here, and the rule in the router A.1 says A is not allowed to go to network B, you just pick B.3 here, one IP address on the inside, and you craft a packet and send it, and it goes through. It's simple like that. But the problem is, if you just craft the packet and send it, it will go back to B.3. You don't want that; you want a full connection; you don't want to do blind spoofing here, or guessing something; I want the packets back.

So here's the example. There's a router called C.1, and it has a rule that says B is not allowed to go to B, so I'm B.2 on this network; I just pick another address, A.2, and it's done this way. Yeah, you already have a legal IP address, E.2; you just make another IP address on your network card with this command and you have A.2. This network is a typical network at companies that use filtering routers to protect a production network or something, and this is the way to get through it. You add a route, of course, that says like net A is on my network card. Thank you. And then you use almighty Hobbit's netcat, and have some switches on it: just network numbers, verbose, and I have the source of A.2, my spoofed IP address, and I choose the gateway to my legal IP address, it's on the real network, and the destination at the end here, the destination is E.2 port 23. So I connect from my spoofed IP address to my real IP address, to myself, on port 23. If you get an "open" here, it's working; okay, your computer is fine; it handles source routed frames in the correct way, and that's a good start. What you do next is that you have, of course, always A.2 as the spoofed source address, and go to your real interface as a jump, a network jump, and then to the routers: the first downstream router's IP address, E.1, port 23, if it's open of course, and if you get the "open" there, it is vulnerable to source routing, and it mostly is. And when you then finger the router E.1 it will show up in who's logged in; you don't have to log in to the router, you just have to connect to it and then finger it, and it says like A.2 has a connection to it. Good. This router is fooled right now. So we go on, and from spoofed A.2 to my real network interface, to the first downstream router, to the next downstream router, the same thing; if it's open, it believes what I'm sending. So this line will do it; that easy, you have a full connection; you can talk to POP, everything, FTP, something. This is said in the README file of netcat, that it can be used, but it's not described how easily it is done, so people don't really understand how it's set up. It's important to disable source routing in routers. And one more thing: it's important to understand that all these hosts or routers had to accept source routed frames, of course.

What? Excuse me? Yes, that is the first thing you turn off, but maybe people don't. "Do you disable...?" I will come to that. Well, it's very hard; it depends on the rules, how the rules are set up. The question is what do you do if it's turned off; it's very hard, it's hard, and it depends on the rules, if it's like "only this network allowed" or "your network just deny" or something; it depends. But this is working fine in Europe, and I think it will work fine here.

Here's one more thing I will show today, and we have lots of time to go to Cult of the Dead Cow; then I will be there, sharing. And here's a router called U.2; the small letters, the lowercase letters, represent the MAC address of the hosts. So I'm having MAC address b; my legal IP address is U.3. I'm sitting on an untrusted network; nobody trusts me there; the customers put me there when I go in for penetration tests; they don't want me to find anything. And the rule in the router says like, if you come from the trusted network A but over the untrusted network, you're allowed to go to B, and everyone else is denied. It is this rule we find too many times on filtering routers and firewalls, and I will show you how it could be bypassed easily. Because if you just spoof the IP address, you craft a network packet and send it to the destination, it will get through, because it says "I'm A.2" in the network packet; it will pass the firewall, the filtering router. But when the answer comes back, the first router B.1 will see like, this packet is for network A; it's behind the router U.1; it puts the MAC address of a on that packet, and the destination IP address A.2. Got it? You can easily just send packets and sniff the responses, but they will go to the router. But this is not fun; you want a full connection; you want to run nmap, netcat, Nessus and everything, and you don't want to just sniff the responses. And then the network packet will be transferred to the right host. So what I... I really don't... yeah, or pick an IP address that's not up; it depends on the rules, if you can first shoot it down, or pick an IP address that's not there; it's working most of the time, really. Otherwise, you know, I don't do it; I just pick a number.

Here's how full connection vanilla IP spoofing is done, and don't be alarmed because it's too easy; you are in... perhaps, what I know, people don't understand how easily it is done. Here's the same network, and what I do is take my interface down and put the new MAC address on it; I pick the same MAC address as the upstream router; you see it. And then you set my spoofed IP address as eth0, of course; network A is on my network card. Then I take my real IP address as the next IP address on my network card, U.3, it's my legal one. I add a route: my legal network is on my network card. And of course I need... I don't need that in this example; I needed the default gateway, U.2. And what's more, you think? Well, you have full connections now to B.2; you can run nmap, you can run Nessus, you can run everything you want from your Linux box, and you have full connections and you can talk to the services as you're used to. So if you're allowing people into your network and I'm on the untrusted network, I think you will have to change that, now you know it. You're here; well, that's the easy way to do it. As I said, I hope Dark Tangent will put these slides up, because you have this... sorry, these cool effects. If the last man has finished you can... okay, sorry, didn't work. We have so much time, you know; I'm really finished with this talk; I have some quirks to do, some other fun stuff. Okay, three, two... Yes? Switch? Yes, no problem. Yeah, it is a hard thing to do; there are a lot of problems with it, because then two network cards on the same network have the same MAC address and the packet doesn't know, when it passes, which way it will take. Yes, it's a real big problem, but you can just not give a shit about the default gateway and take every packet back, you know; you can just like, okay, I'm going to forget the default gateway here, you know, so you have full connections.

So this is a very, very, very easy way to establish full connections if you're sitting on an untrusted network and some people are allowing other people through that network. The same attack can be done on your local network: someone on your network can just take the default gateway's MAC address, pick a random IP address on his network card and set it up as we've done on the last slide; he can attack A.3, and if someone sniffs the network it will come from X.1, and it looks exactly the same way; it just comes from the default gateway, from the internet. So many security officers will be checking why X is in our network, someone is hacking here, and who should they attack, you know? It was like this at the Capture the Flag yesterday: there are lots of machines there that make automatic attacks on whoever is attacking them, so their machines were attacking X.1 there. So, yeah, easy. And that one wasn't the internet. Excuse me? So it will send a packet, it will come back, and it will come back to me, because my network interface, my TCP/IP stack, will pick it up because it's addressed to A... X.1, but the default gateway will also pick it up and send it to the right host, on a normal hubbed network, but there are no security switches.

So the solution is of course: disable source routing; it's a part of IP options. I don't know how it's done; you have to figure it out yourself. It's default on firewalls, and it's disabled on Linux boxes, but not default on routers. You have to implement spoofing protection; it's like saying this is my inside network interface, these are the IP addresses there; if someone sends an IP address from the outside I should warn, drop everything. Don't use filter rules over untrusted networks; you have to understand that now, I hope. And then you have to use some kind of IPsec or something, encryption, VPN, something. Okay, promise me that. Okay, questions? What he says, it's like: it is disabled on Cisco? Yes, I heard of it; yeah, the 12 IOS as well. Some more questions? Thank you. I will
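The two controls the talk ends on, dropping source-routed frames and spoofing protection on the outside interface, can be checked with a small amount of code. The following is an added example written for this transcript; it is not the speaker's code nor any tool mentioned in the talk. It parses raw IPv4 headers, flags packets that carry an LSRR/SSRR source route option, flags packets that arrive on an untrusted interface while claiming a source address from the trusted inside network, and audits the Linux sysctl values that implement these two controls on a Linux box. The 10.1.0.0/16 inside range and the sample packets are constructed for the example; the sysctl key names are real, but whether the /proc files exist depends on the host.

```python
# Added example (not from the talk): flag source-routed IPv4 packets and packets
# that claim an inside source address on an outside interface, then audit the
# Linux sysctls that implement those two controls. Sample data is constructed.
import ipaddress
import struct

LSRR = 0x83  # loose source and record route (RFC 791)
SSRR = 0x89  # strict source and record route

# Assumed trusted inside network (the talk's "network A"); adjust for real use.
INSIDE_NETS = [ipaddress.ip_network("10.1.0.0/16")]

# Hardened Linux settings: drop source-routed frames, reverse-path filter on.
HARDENED_SYSCTLS = {
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.rp_filter": "1",
}


def build_ipv4(src: str, dst: str, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Construct a test packet (header checksum left 0; the parser does not verify it)."""
    options += b"\x00" * (-len(options) % 4)  # pad the option list to 32-bit words
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, 0,
                      64, 6, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + options + payload


def lsrr_option(hops: list) -> bytes:
    """Encode an LSRR option: type, length, pointer (4), then the hop addresses."""
    body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([LSRR, 3 + len(body), 4]) + body


def parse_ipv4(pkt: bytes) -> dict:
    """Return src, dst and the raw option bytes of an IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    ver_ihl, src, dst = pkt[0], pkt[12:16], pkt[16:20]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "options": pkt[20:ihl]}


def source_route_hops(options: bytes):
    """Walk the option list; return the hops of an LSRR/SSRR option, else None."""
    i = 0
    while i < len(options) and options[i] != 0:   # 0 = end of options list
        if options[i] == 1:                         # 1 = no-op padding
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            raise ValueError("malformed option")
        kind, length = options[i], options[i + 1]
        if kind in (LSRR, SSRR):
            data = options[i + 3:i + length]        # skip type, length, pointer
            return [ipaddress.IPv4Address(data[j:j + 4])
                    for j in range(0, len(data) - len(data) % 4, 4)]
        i += length
    return None


def classify(pkt: bytes, arrived_on_outside: bool) -> list:
    """Return the findings a filtering router should act on for this packet."""
    hdr = parse_ipv4(pkt)
    findings = []
    if source_route_hops(hdr["options"]) is not None:
        findings.append("source-routed")
    if arrived_on_outside and any(hdr["src"] in net for net in INSIDE_NETS):
        findings.append("inside-source-on-outside")
    return findings


def audit_sysctls(values: dict) -> list:
    """Return the sysctl keys whose value differs from the hardened setting."""
    return [k for k, want in HARDENED_SYSCTLS.items() if values.get(k) != want]


def read_sysctls() -> dict:
    """Read current values from /proc/sys on a Linux host (empty dict elsewhere)."""
    values = {}
    for key in HARDENED_SYSCTLS:
        try:
            with open("/proc/sys/" + key.replace(".", "/")) as fh:
                values[key] = fh.read().strip()
        except OSError:
            pass
    return values


if __name__ == "__main__":
    spoofed = build_ipv4("10.1.2.3", "192.0.2.10", lsrr_option(["203.0.113.1", "10.1.0.1"]))
    print(classify(spoofed, arrived_on_outside=True))   # ['source-routed', 'inside-source-on-outside']
    print(classify(build_ipv4("192.0.2.5", "10.1.2.3"), arrived_on_outside=True))  # []
    print("non-hardened sysctls:", audit_sysctls(read_sysctls()))
```

The packet checks are the ones a filtering router or host should make before consulting any address-based rule: a source route option means the packet's path was chosen by the sender, and an inside source address on the outside interface means the address field cannot be trusted at all. Both map directly onto the `accept_source_route` and `rp_filter` sysctls the audit function reads, which are what "disable source routing" and "spoofing protection" amount to on a Linux box.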