At 07:00 PM 6/3/99 -0700, Ben Keepper wrote:
>
>----- Original Message ----- 
>From: Ben Keepper <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Wednesday, June 02, 1999 6:54 PM
>Subject: 'Snarfing'
>
>> "Snarfing"

Now there is a term I have not heard in some time.  Although it has several
meanings, such as eating piggishly, and it's also an unfortunate but funny
accident, it typically refers to copying large files across the network
(sometimes there is the connotation that the copying is taking place without
the author's/owner's permission).

>> Not sure if this is the correct term, but I've heard it several times of
>> late.  It seems to refer to the ability to take control of a session from
>> someone else and essentially spoof their identity.

It seems to me that what you are describing here is commonly referred to as
"session hijacking", although it's quite possible that snarf was used as a
slang term for this.  If you are interested in more information on session
hijacking there is an excellent paper at
http://www.rootshell.com/docs/tcp_attack.ps.gz
or http://www.rootshell.com/docs/tcp_attack.pdf.

>> How do "attackers" monitor these sessions and what tools do they use to
>> monitor and take control?

Typically by compromising a host close to the intended victim's network and
passively monitoring the network traffic.  ISPs are typically target-rich
environments, but a poorly configured host or service with known
vulnerabilities running on your perimeter network will do just as well for
their ends.  As far as tools used, it's pretty much whatever gets the job
done.  Specifically for session hijacking the tool hunt comes to mind, and
for passive monitoring snoop or tcpdump.  For "taking control",
misconfigurations, buffer overflows, social engineering, war dialing and
dumpster diving can all be used to get access.  If interested in commonly
used tools you might want to read through:
http://www.trinux.org/
http://www.opensec.net/
http://www.insecure.org/
http://www.genocide2600.com/~tattoman/
http://www.rootshell.com/

>> Is this "attack" a danger only to certain protocols?

TCP is the common example of this.
 
>> What are the defenses against this attack?

It depends upon what OS you are using.  I am pretty sure that recent
versions of UNIX and derivatives have a reasonable amount of randomness when
it comes to initial sequence numbering.  Even Windows NT with Service Pack 4
took steps to address this.

>> 
>> Any discussion is appreciated.
>> 
>> Ben

As well, there is always the jargon file which is still probably at
ftp://prep.ai.mit.edu/pub/gnu/jarg300.txt.gz.

Cheers,
Cohen

--
Cohen Liota
Information Security Specialist         +1.416.815.3041 - v
Secure Computing Corporation            +1.416.815.3001 - f
[EMAIL PROTECTED]         http://www.securecomputing.com/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
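The reply above names randomized initial sequence numbers (ISNs) as the main OS-level defense against TCP session hijacking. The script below is an added example, not part of the original thread and not a tool the poster mentions: it takes a list of ISNs observed from successive connections to the same host and estimates how guessable the next one is, much as a host audit would. The three generator models (fixed increment, fixed increment with small jitter, fully random) are constructed for illustration; the step of 64000 and the 2^20 spread threshold are assumptions, not values from the thread.

```python
"""Added example: judge how predictable a host's TCP ISN generator is from a
sample of ISNs taken from consecutive connections.  Not from the original
mailing-list post; generator models and thresholds are constructed."""

import random
import statistics

SEQ_MOD = 1 << 32             # TCP sequence numbers wrap at 2^32
LOW_ENTROPY_STDEV = 1 << 20   # assumed: spread below ~1M means the next ISN is guessable


def isn_deltas(isns):
    """Forward differences between consecutive ISNs, reduced modulo 2^32
    so that a wrap-around is not mistaken for a huge negative jump."""
    return [(b - a) % SEQ_MOD for a, b in zip(isns, isns[1:])]


def classify_isns(isns):
    """Classify an ISN sample as 'constant', 'low-entropy' or 'random'.

    'constant'     every connection advances the ISN by the same amount
    'low-entropy'  increments vary, but only within a narrow band
    'random'       increments are spread across the 32-bit space
    """
    if len(isns) < 3:
        raise ValueError("need at least three ISNs to judge the spread")
    deltas = isn_deltas(isns)
    if len(set(deltas)) == 1:
        return "constant"
    spread = statistics.pstdev(deltas)
    return "low-entropy" if spread < LOW_ENTROPY_STDEV else "random"


def fixed_increment_isns(n, start=0x1000, step=64000):
    """Constructed model of an old-style generator: +step per connection."""
    return [(start + step * k) % SEQ_MOD for k in range(n)]


def jittered_isns(n, seed=1, start=0x1000, step=64000, jitter=256):
    """Constructed model: fixed step plus a little jitter.  Looks 'random'
    connection to connection but the next value is still easy to bracket."""
    rng = random.Random(seed)
    out, cur = [], start
    for _ in range(n):
        out.append(cur)
        cur = (cur + step + rng.randrange(jitter)) % SEQ_MOD
    return out


def random_isns(n, seed=1):
    """Constructed model of a randomized generator.  Seeded here so the run
    is reproducible; a real stack would draw from a CSPRNG."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    samples = [
        ("fixed", fixed_increment_isns(40)),
        ("jitter", jittered_isns(40)),
        ("random", random_isns(40)),
    ]
    for name, isns in samples:
        print(f"{name:8s} -> {classify_isns(isns)}")
```

In practice the ISNs would come from the SYN-ACKs of a few dozen connections to the host under audit (tcpdump, mentioned in the reply, shows them in the `seq` field). The jittered case is the one worth noticing: the deltas are all different, so eyeballing them suggests randomness, yet the spread is tiny and the classifier still flags it.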
