[index] [text page] [<<start] [<prev] [next>] [last>>]
Page 21: Bouncing ISNs

Page 21

  
  Bouncing ISNs
  Create Raw IP packets:
  Set destination to 'bounce' host.
  Set source to actual destination host.
  Data is encoded in the ISN.
  Bounce host will see the SYN:
  Sends a SYN | ACK to forged source.
  SYN | ACK includes ISN+1.
  Actual destination server:
  Kernel sends RST.
  Sniffer sees packet.
  Decrements ISN.
  Processes covert data.

Copyright 2003, Bri Hatch of Onsight, Inc.

Presented at SecureWorld Expo, 2003.

Presentation created using vim and MagicPoint.