To give as much detail as possible, I am doing a pentest for a client that has quite a few "terminal systems", meaning that they are simply a box with a connection back to the main server. These systems are at a different location than the main server, so if the connection is interrupted then critical business functions may be stopped, and my contract is not such that I can fix it. (My contract simply waives all liability allowed under law from me.) All locations are on the same VLAN as each other with only 1 line leaving through the main office.

Now with this topology, some of these systems have ssh servers installed on them so the main office can connect to this remote office. They are fairly well locked down, but from some other non-critical systems I was able to recover some passwords and usernames, including those of a previous sysadmin who retired a few months ago. Every time I go to connect to the ssh server I receive "connection refused". I have determined that the sole connection to it is from a specific IP address.

Is it possible to spoof my IP address and MAC address to trick this ssh server into at least letting me try to log in? However, if I do this, would I kick off the current computer and possibly disrupt traffic from it AND from the terminal (with ssh server) to the main server?

The only article on here that I found was "Spoof another IP address in the same network, will the spoofing source get the response?" and it didn't provide the specific answer I needed. I am more worried about keeping the services up rather than proving an attacker could log in. I could simply provide a redacted version of the user/password list and the method of IP spoofing (assuming this could work).

RB4
  • You *can* spoof your IP address, but you're not going to get a response back. Therefore, you aren't going to be able to log in. – Mark Buffalo Feb 08 '16 at 15:06
  • What OS are you using? If you are using Kali, use macchanger and then manually configure your IP. – TheHidden Feb 08 '16 at 15:07
  • @MarkBuffalo I was hoping to be able to get a response even if I was spoofing my MAC. If this is not the case would I need to ask a new question as far as getting access to the SSH server to try to login? – RB4 Feb 08 '16 at 15:27
  • Why did you think that the ssh server has an IP restriction? – Badr Bellaj Feb 08 '16 at 15:33
  • You can't get a response back. Let's say you spoof your IP. The response goes to the IP you spoofed. Are you that IP? No? So how will you get the response? You can't. – Mark Buffalo Feb 08 '16 at 15:34
  • @BadrBellaj Whenever I try to connect I receive port 22: Connection Refused. It shows up on my Nessus port scanner, nmap scan, and I can see some traffic going to it from the router as the port is forwarded. Thank you MarkBuffalo! I will start looking at alternative ways. – RB4 Feb 08 '16 at 15:44

1 Answer

When you spoof someone's IP the answer will not reach you, at least not for a long time. As a side effect you can cause what is called port stealing. This happens when one IP is seen on two different ports of a switch. The IP is then assigned to the port the IP was last seen on, which might be the port you spoofed the address from. But when the original host sends another packet (which will happen frequently, at least by ARP, IGMP, ...) the IP is assigned back to the original port on that switch.

There is, I think, only one realistic scenario which will put you in a position to successfully fake the IP address and also interact with the server.

  • Perform a MitM attack between those hosts
  • Connect to that server with faked source address
  • Take the sequence numbers from the packets you receive for that original host
  • Drop the packets so they never reach the original host (apply this only to port 22)
  • Send answers with sequence numbers taken from source packet

The easiest way to do this might be through iptables rules. But "easy" should be seen in the context of this complex problem. I strongly encourage you to try this in a lab first!

davidb
  • "Easy" is not too much of a worry, but I will try in my lab first and simply say a possibility of an attack could have occurred with the user/pass list I recovered. Thank you! – RB4 Feb 08 '16 at 19:52
  • You're welcome! Let me know if any problems come up... – davidb Feb 08 '16 at 21:52
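To make the "you won't get a response" point from the comments and the sequence-number step in the answer concrete, here is an added Python model of the three-way handshake against an IP-restricted listener (example code written for this page, not code from the thread). The addresses and the `SshListenerModel`/`attempt_handshake` names are constructed placeholders; the model shows the SYN-ACK going to whoever owns the spoofed address, the spoofing sender being left to guess a 32-bit initial sequence number, and only the allowed host completing the handshake.

```python
import random
from dataclasses import dataclass

SERVER = "10.0.0.1"          # constructed: the terminal box running sshd
ALLOWED_CLIENT = "10.0.0.5"  # constructed: the one source IP the listener accepts


@dataclass
class Segment:
    src: str
    dst: str
    flags: str   # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


class SshListenerModel:
    """Port-22 listener: replies only to the packet's source IP, enforces the
    allow-list, and completes the handshake only if the ACK carries ISN + 1."""

    def __init__(self):
        self.isn = {}  # client IP -> server's randomly chosen initial sequence number

    def receive(self, seg):
        if seg.src != ALLOWED_CLIENT:
            return None  # RST or silent drop: the "connection refused" the asker sees
        if seg.flags == "SYN":
            self.isn[seg.src] = random.getrandbits(32)
            return Segment(SERVER, seg.src, "SYN-ACK", self.isn[seg.src], seg.seq + 1)
        if seg.flags == "ACK" and seg.src in self.isn \
                and seg.ack == (self.isn[seg.src] + 1) % 2**32:
            return "ESTABLISHED"
        return None


def attempt_handshake(server, real_ip, claimed_src, wire):
    """Handshake from a host whose real address is real_ip, with claimed_src
    stamped on the SYN. wire maps each IP to the inbox of the host owning it.
    Returns (established, syn_ack_seen_by_sender)."""
    syn = Segment(claimed_src, SERVER, "SYN", seq=random.getrandbits(32))
    reply = server.receive(syn)
    if reply is None:
        return False, None
    wire[reply.dst].append(reply)  # delivered to the address owner, not the sender
    if not wire[real_ip]:
        # Sender never saw the SYN-ACK: it can only guess the ISN (1 chance in 2^32)
        blind = Segment(claimed_src, SERVER, "ACK", syn.seq + 1, random.getrandbits(32))
        return server.receive(blind) == "ESTABLISHED", None
    syn_ack = wire[real_ip].pop()
    ack = Segment(claimed_src, SERVER, "ACK", syn.seq + 1, syn_ack.seq + 1)
    return server.receive(ack) == "ESTABLISHED", syn_ack
```

The model ignores the switch-level port stealing the answer mentions; it only shows why a host that does not see the SYN-ACK cannot finish the handshake, which is exactly the gap the answer's MitM step is there to close.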