
is that Possible???

<<

mike23

Newbie

Posts: 12

Joined: Mon Jan 24, 2011 9:37 am

Post Mon Jan 24, 2011 10:03 am

is that Possible???

Please tell me if that is possible. I have one server (dedicated/virtual).

I want to send traffic to Server "C" from my Server "A" with Server "B" IP.

Server A---> IP e.g 66.77.666.71 (my server)

Server B---> IP e.g 214.21.111.23
Server C--> IP e.g 71.111.222.33

And please remember that I don't have any kind of access to Server "B" and Server "C"; I have access to Server "A" only.

Millions of thanks in advance...
<<

ziggy_567

Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Mon Jan 24, 2011 10:07 am

Re: is that Possible???

There are a number of tools that will allow you to spoof source IP. You didn't tell us, though, what type of traffic you are trying to send.

Also, keep in mind, when you spoof source IP in your packets, you are flying blind since all responses will be returned to the spoofed IP and not yours.
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
<<

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Mon Jan 24, 2011 10:18 am

Re: is that Possible???

If the IP ID sequence is predictable and sequentially increasing, you can do a zombie / idle (port) scan with Server B.

You can also spoof your source port, as Server B, however if you want a reply, you need to send a packet with your IP in one of them as well.

If Server B is completely secure and you just want to use it as a tunnel to send data through but you don't have access to Server B, I'd say you're trying to use a functionality which isn't built into the TCP/IP protocol stack yet but also potentially for illegal purposes as in spoofing malicious traffic from one host to another.
I'm an InterN0T'er
<<

mike23

Newbie

Posts: 12

Joined: Mon Jan 24, 2011 9:37 am

Post Mon Jan 24, 2011 10:22 am

Re: is that Possible???

Thank you very much ziggy_567.
I want to send VOICE traffic, so is it not possible to receive the response from the source IP?

Can you recommend any best IP spoofing tool?

Thanks once again...
<<

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Jan 24, 2011 11:10 am

Re: is that Possible???

I suggest you learn what spoofing does and how it works. There is a difference between spoofing and hijacking. When you spoof, you're pretending to be someone you're not.

You --> pretend to be 1.1.1.1 --> send traffic (easy to do)
Recipient --> responds to 1.1.1.1 --> this response will NEVER get to you

But anyway, to make you understand why this won't work, I will now hurt your eyes with an explanation. If you can't understand based on the information I post here, I suggest you go read the RFCs on networking and SIP. Further, there is no absolute mechanism via the PSTN for someone to track an IP from a call. A carrier can, an end user can't. But here goes. So I decided to give you a breakdown of how the call would work and why it would fail.

The following illustrates a call between extension_1000 (71.111.222.33) and extension_2000 (214.21.111.23) - the two addresses you used for your examples. You want to trick server C into thinking you are server B (214.21.111.23). So let's make this call:


Server B sends a SIP invite

214.21.111.23:5060 -> 71.111.222.33:5060
INVITE sip:extension1000@71.111.222.33 SIP/2.0
CSeq: 1 INVITE
Via: SIP/2.0/UDP 214.21.111.23:5060
From: <sip:extension_2000@214.21.111.23:5060>
Call-ID: spoofed_caller_id@214.21.111.23
To: <sip:extension1000@71.111.222.33>
Contact: <sip:214.21.111.23:5060;transport=udp>
Allow: INVITE, ACK, OPTIONS, BYE, CANCEL, REGISTER, INFO, NOTIFY, MESSAGE, SUBSCRIBE, REFER
Content-Type: application/sdp
Content-Length: 228
Max-Forwards: 70

v=0
o=- xxxxx yyyyy IN IP4 214.21.111.23
s=SIL's Example
c=IN IP4 214.21.111.23
t=0 0
m=audio 6268 RTP/AVP 18 101
a=rtpmap:18 G729/8000/1
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv


Server C responds...

U 71.111.222.33:5060 -> 214.21.111.23:5060
SIP/2.0 200 OK
v: SIP/2.0/UDP 214.21.111.23:5060
f: <sip:extension_2000@214.21.111.23:5060>
t: <sip:extension_1000@71.111.222.33>
i: spoof_whatever_you_want_it_wont_work@214.21.111.23
CSeq: 1 INVITE
m: <sip:extension_1000@71.111.222.33:5060;transport=udp>
c: application/sdp
l: 177

v=0
o=- vvvvv xxxxx IN IP4 HOW_DO_YOU_PROPOSE_TO_INTERCEPT_AUDIO_FROM_ANOTHER_ADDRESS
s=-
c=IN IP4 WHERE_IS_YOUR_MEDIA_PROXY_IN_THIS_MIX
t=0 0
m=audio 15960 RTP/AVP 18 101
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20

Server C responds: "Alright, let me make that extension ring" ...

U 71.111.222.33:5060 -> 214.21.111.23:5060
SIP/2.0 100 Trying
CSeq: 1 INVITE
v: SIP/2.0/UDP 214.21.111.23:5060
f: <sip:extension_2000@214.21.111.23:5060>
i: spoofed_caller_id@214.21.111.23
t: <sip:extension_1000@71.111.222.33>
l: 0

Server B acknowledges the call... "I'm ready!!!"

U 214.21.111.23:5060 -> 71.111.222.33:5060
ACK sip:extension_1000@71.111.222.33:5060;transport=udp SIP/2.0
CSeq: 1 ACK
Via: SIP/2.0/UDP 214.21.111.23:5060
From: <sip:extension_2000@214.21.111.23:5060>
Call-ID: spoofed_caller_id@214.21.111.23
To: <sip:extension_2000@71.111.222.33>
Contact: <sip:214.21.111.23:5060;transport=udp>
Content-Length: 0
Max-Forwards: 70

Server C sets up audio RTP

U 71.111.222.33:5060 -> 214.21.111.23:5060
SIP/2.0 183 Session Progress
v: SIP/2.0/UDP 214.21.111.23:5060
f: <sip:extension_2000@214.21.111.23:5060>
t: <sip:extension_1000@71.111.222.33>
i: spoofed_caller_id@214.21.111.23
CSeq: 1 INVITE
m: <sip:extension_1000@71.111.222.33:5060;transport=udp>
c: application/sdp
l: 177

v=0.
o=- 41201 4120100 IN IP4 HOW_WOULD_YOU_LIKE_TO_ADDRESS_RTP_ISSUES
s=-
c=IN IP4 WHERE_IS_YOUR_MEDIA_PROXY_IN_THIS_MIX
t=0 0
m=audio 14612 RTP/AVP 18 101.
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20

In the midst of this, you need to insert yourself between this connection to see this going on. Not on the same network? Good luck, you now have to hijack *something* to get inside that stream. May I suggest you go read some RFCs now. Understanding SIP and VoIP helps more than spoofing. Even if you COULD hijack a session, what will you do for NAT, SRTP, TLS, and if the PBX has any redirects or proxy-auths?

And that concludes my post for the day ;) Sorry, work is overwhelming...
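Added example, not part of sil's post: a small parser for the kind of SIP/SDP trace shown above that works out where the callee addresses its SIP responses and its RTP audio, and whether either ever reaches the real sender. The INVITE is a constructed, trimmed copy of the one in the post; the function names and the use of the thread's placeholder address for Server A are assumptions of this example.

```python
import re

# Compact header names seen in the trace (RFC 3261) mapped to their long forms.
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id",
           "m": "contact", "c": "content-type", "l": "content-length"}

# Constructed sample: the INVITE from the post, trimmed; o= placeholders kept.
INVITE = """INVITE sip:extension1000@71.111.222.33 SIP/2.0
CSeq: 1 INVITE
Via: SIP/2.0/UDP 214.21.111.23:5060
From: <sip:extension_2000@214.21.111.23:5060>
Call-ID: spoofed_caller_id@214.21.111.23
Contact: <sip:214.21.111.23:5060;transport=udp>
Content-Type: application/sdp

v=0
o=- xxxxx yyyyy IN IP4 214.21.111.23
c=IN IP4 214.21.111.23
m=audio 6268 RTP/AVP 18 101
"""

def parse_sip(raw):
    """Return (start_line, headers, sdp_lines); header names lower-cased, compact forms expanded."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip().split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[COMPACT.get(name, name)] = value.strip()
    return lines[0], headers, [ln.strip() for ln in body.split("\n") if "=" in ln]

def reply_targets(packet_src_ip, raw):
    """Where the callee sends its SIP responses and its RTP audio."""
    _, headers, sdp = parse_sip(raw)
    # UDP responses go to the request's source address, on the Via sent-by port.
    via = re.match(r"SIP/2\.0/\w+\s+[^;:\s]+(?::(\d+))?", headers["via"])
    port = int(via.group(1)) if via and via.group(1) else 5060
    # RTP goes to the address in the SDP c= line, on the port in the m=audio line.
    conn = next((ln for ln in sdp if ln.startswith("c=")), None)
    audio = next((ln for ln in sdp if ln.startswith("m=audio")), None)
    rtp = (conn.split()[-1], int(audio.split()[1])) if conn and audio else None
    return {"signalling": (packet_src_ip, port), "rtp": rtp}

def sender_receives(sender_ip, packet_src_ip, raw):
    """True per channel only if that channel's replies are addressed to sender_ip."""
    targets = reply_targets(packet_src_ip, raw)
    return {k: bool(v) and v[0] == sender_ip for k, v in targets.items()}
```

With the packet source set to Server B's address, both channels resolve to 214.21.111.23, so the host that actually sent the INVITE sees neither the 200 OK nor the audio.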
<<

mike23

Newbie

Posts: 12

Joined: Mon Jan 24, 2011 9:37 am

Post Mon Jan 24, 2011 1:43 pm

Re: is that Possible???

Thanks Sil.... >:(
So you mean that's not possible!!!? :-[
<<

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Jan 24, 2011 2:31 pm

Re: is that Possible???

Not trying to sound smug, but you seem to not have understood what is involved. Anything is possible; however, you're looking at it via the wrong approach. With the explanation I've given you, you should now look into what I meant by inserting yourself along the path. And that wraps up my response.
<<

mike23

Newbie

Posts: 12

Joined: Mon Jan 24, 2011 9:37 am

Post Mon Jan 24, 2011 3:35 pm

Re: is that Possible???

Thx sil, can you tell me which one is the best tool for IP spoofing?
<<

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Jan 24, 2011 4:47 pm

Re: is that Possible???

Sure; however, I will do it my way:

  Code:

''=~('(?{'.(']_).[]'^'--@@/}').'"'.(':@][_["^'^']/}:(:[|').',$/})')



That obfuscation contains everything you need to know. The new problem/lesson for you would be how to un-obfuscate it to get your answer. And I ask those here who may know how to solve this riddle to keep the answer to themselves. I will throw an olive branch:

http://everything2.com/title/obfuscated+perl

Good luck!
<<

mike23

Newbie

Posts: 12

Joined: Mon Jan 24, 2011 9:37 am

Post Tue Jan 25, 2011 3:54 am

Re: is that Possible???

Dear sil..
Can you explain in easy words..... if what I need is possible....

Thx for your time...
<<

Methodikal

Newbie

Posts: 10

Joined: Tue Nov 16, 2010 10:10 am

Post Tue Jan 25, 2011 9:06 am

Re: is that Possible???

$5 that Sil posted all that off the top of his head too  ;D

sil wrote:I suggest you learn what spoofing does and how it works. There is a difference in spoofing and hijacking. When you spoof, you're pretending to be someone you're not.

Got EIP?
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Jan 25, 2011 9:41 am

Re: is that Possible???

Sil, I can only imagine what you dream about at night...  ;D
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Jan 25, 2011 9:48 am

Re: is that Possible???

Methodikal wrote:$5 that Sil posted all that off the top of his head too  ;D


I was actually parsing data for my VoIP Abuse Project (http://www.infiltrated.net/index.php?op ... &Itemid=23) when I started answering the question. Figured I'd answer it concisely.
<<

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Jan 25, 2011 10:02 am

Re: is that Possible???

H1t M0nk3y wrote:Sil, I can only imagine what you dream about at night...  ;D


Oddly, no matter how hard I try, I can never recall dreams unless they're vivid dreams. Most times I don't even know. Side note... So this 300GB disk went bonkers on me (bad sectors, etc.). Not a big deal, I'll just take a forensic image and retrieve it all. Popped open FTK 1.x (3.2 with Oracle is horrible!). Anyway... 48 hours later, nice forensic copy... Neat! Let me run it through FTK for data retrieval now.... 6 days 1 hour 22 minutes later? Still churning.

Frustrated with the timing, I whip open EnCase Enterprise Edition... No need to acquire image, just mount the darn drive:

New Case
Add Drive
Select Drive

Oh, there are my folders. Right click copy folders.... It's now copying files with an elapsed time of 18 hours 22 minutes.

Lessons learned: Don't become too comfortable/reliant on tools. I love FTK (per 3.2) which made me lean on its use. I use EnCase to validate what I find with FTK and vice versa, but mainly rely on FTK for most forensics operations. I will now take a step back and swap between the two. EnCase for immediate viewing, FTK for large acquires, sorting post mounts.
<<

mike23

Newbie

Posts: 12

Joined: Mon Jan 24, 2011 9:37 am

Post Sun Feb 06, 2011 4:49 am

Re: is that Possible???

Can anyone write here any best IP spoof software name... I just need it for education purposes..

Thx in advance...
