Just out of curiosity, how is it possible at all that IP spoofing can be accomplished under Windows without a pure, raw socket mode available in Winsock? (This is a general programming question, though I imagine doing it in assembler is the easiest way to accomplish it). I've seen it done in one program, that appeared to use direct hardware access to the -modem- if one exists..is the TCP stack for the 9x product line simply incapable of any form of IP spoofing? It's becoming a bit of a hindrance in porting some popular security tools.. :>
Posted on 2000-12-04 16:30:00 by CDial
They are not popular security tools if they are using IP spoofing!!! A security tool usually intercepts all sockets on the winsock stack and decides whether to let them through. So it may by default only let port 80 through using the TCP/IP protocol (for internet access), then you can allow more ports through if you want to allow for email, ftp, ICQ, quake servers, etc... that way you don't leave all 65535 ports open on your computer for trojans to use... The security tool may also examine the sender's IP for validity, for example an IP address beginning with 192.168.x.x cannot be an external IP. That whole set is reserved for internal network use only... there are lots more reserved addresses, I just don't know them, but do some research! Now if you're trying to write a trojan, I'd guess (and hope!) most people here would agree with me that we won't promote that, especially on one of the only good asm pages around. Then if someone was visiting the boards they would think we are all a bunch of crazed criminal hackers, writing low level programs to intercept the world's leaders' top secret information and selling it on the black market. And that's not the image we're aiming for! :P See ya, Ben
Posted on 2000-12-04 21:51:00 by cyberben
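An added example, not part of any post in this thread: the sender-address validity check cyberben describes, written in C as a filter on the external interface would apply it. The function names and the sample addresses are assumptions of this example; the table lists the standard private, loopback, link-local, multicast and reserved IPv4 blocks.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
/* Blocks that can never be a legitimate source on an Internet-facing link. */
static const struct { uint32_t net; int prefix; const char *why; } reserved[] = {
    { IP(0,0,0,0),      8, "this-network block" },
    { IP(10,0,0,0),     8, "private (RFC 1918)" },
    { IP(127,0,0,0),    8, "loopback" },
    { IP(169,254,0,0), 16, "link-local" },
    { IP(172,16,0,0),  12, "private (RFC 1918)" },
    { IP(192,168,0,0), 16, "private (RFC 1918)" },
    { IP(224,0,0,0),    4, "multicast" },
    { IP(240,0,0,0),    4, "reserved / broadcast" },
};

/* Parse a dotted quad strictly; returns 0 on success, -1 if malformed. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d; char tail;
    if (sscanf(s, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &tail) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255) return -1;
    *out = IP(a, b, c, d);
    return 0;
}

/* Returns why the source is invalid on the external interface, or NULL if plausible. */
const char *reject_reason(const char *src)
{
    uint32_t ip;
    if (parse_ipv4(src, &ip) != 0) return "malformed address";
    for (size_t i = 0; i < sizeof reserved / sizeof reserved[0]; i++) {
        uint32_t mask = 0xFFFFFFFFu << (32 - reserved[i].prefix);
        if ((ip & mask) == reserved[i].net) return reserved[i].why;
    }
    return NULL;
}

int main(void)
{
    /* Constructed sample source addresses, as seen arriving from outside. */
    const char *samples[] = { "192.168.1.10", "172.31.255.255", "172.32.0.1", "127.0.0.1", "11.0.0.1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *why = reject_reason(samples[i]);
        printf("%-15s %s\n", samples[i], why ? why : "accept");
    }
    return 0;
}
```

A source address that passes this check can still be forged; the check only removes addresses that cannot be valid on that interface at all.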
It's not necessary to use asm, u can write the program in C using windis32, which is the driver for direct access to the ndis network card. With this tool u can open a raw socket, to make network analyzing tools, a sniffer to see all packages passed in ur comp., and whatever, same as on unix. But this tool is a commercial tool and seems expensive. U can find it at http://www.pcausa.com/
Posted on 2000-12-05 03:54:00 by doby
Sorry if I don't have an answer to your question, but what is the program you were referring to? Thanks
Posted on 2000-12-05 10:30:00 by steelglass
Under Windows 2000 you can use 'pure raw sockets' and, of course, IP spoofing :). Cheers,
Posted on 2000-12-05 12:09:00 by unknow
cyberben: I believe NMAP uses IP spoofing for the decoy addresses in scans..that's a popular security tool, isn't it? ^.^ (It works for a couple of other things pretty well anyway :P) I will let you know, however, that I'm not quite interested in writing a trojan..my actual project was to combine a raw mode packet sniffer/analyzer with a scanner close to NMAP's level of options..decoy addresses included, hence the need for a way to construct false addresses ;> Trojans are just a little too..well, lame really. There are better ways of having fun than moving someone's mouse around in Netbus :P I was familiar with Win2000's raw socket mode (one of the perks of installing W2K ;>) but I thought I'd check into 95/98 as well..I suppose W2K is probably in more need of security tools anyway, perhaps I'll just move on to that ^.^ (And sorry, but I think it'd be in the best interest of the human race if I don't mention the program I found that -did- use IP spoofing..it's readily available, but I don't want to promote that sort of usage :>)
Posted on 2000-12-05 21:52:00 by CDial