[719] in bugtraq


Re: Hijacking tool

daemon@ATHENA.MIT.EDU (Casper Dik)
Tue Jan 24 11:02:37 1995

To: paul@hawksbill.sprintmrn.com (Paul Ferguson)
Cc: cklaus@iss.net (Christopher Klaus), bugtraq@fc.net,
        firewalls@GreatCircle.COM, cert@cert.org
In-Reply-To: Your message of "Tue, 24 Jan 1995 08:01:40 EST."
             <9501241301.AA13672@hawksbill.sprintmrn.com> 
Date: Tue, 24 Jan 1995 14:45:39 +0100
From: Casper Dik <casper@fwi.uva.nl>


>
>> 
>> There is a tool floating around called TAP which is a kernel mod that
>> allows you to easily watch streams on SunOs, and capture what a person
>> is typing.  It is easy to modify so that you could actually write to
>> the stream thus emulating that person and hijacking their terminal 
>> connection.  
>> 
>> To load the modules, the intruder does a modload to add the module to
>> the kernel.  One way to detect the hijacking tool is to do a
>> 
>> 	modstat
>> 
>> and see if there is any unfamiliar modules loaded.  An intruder could trojan
>> modstat so it might be worthwhile to check the integrity of modstat.
>> 
>>
>
>I'm less concerned about the IP spoofing attack method than I am curious
>about this TAP tool. Does anyone have any detailed/technical information
>on this in particular?


If you're hijacking *connections* isn't it much easier to just steal
the filehandles in the kernel?

(Just go to a process's file table and add that process's file * to
your open set, e.g., by implementing a new system call, interprocess
dup:  int ipcdup(int pid, int fd))

Can't be more than four or five lines of kernel code.

Casper
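The quoted advice (run modstat, look for unfamiliar modules, and check modstat's own integrity because it could be trojaned) as a small defender-side script. This is an added example, not code from the thread or from any of its authors; the baseline module names, the module-list format and the checksum tool are assumptions, since real SunOS modstat output is not reproduced here.

```shell
#!/bin/sh
# Constructed baseline: module names recorded on a known-clean system, one per line.
# (Assumed format; feed it whatever modstat's name column gives you on your system.)
BASELINE_MODULES="nfs_dlm
ipfilter
audio"

# Print every module name in the current list ($1, newline-separated) that is
# not in the baseline. Anything printed is "unfamiliar" and deserves a look.
unknown_modules() {
    current="$1"
    printf '%s\n' "$current" | while IFS= read -r mod; do
        [ -z "$mod" ] && continue
        if ! printf '%s\n' "$BASELINE_MODULES" | grep -qx -- "$mod"; then
            printf '%s\n' "$mod"
        fi
    done
}

# Compare a file's checksum ($1) against a value recorded offline ($2) and print
# OK or TAMPERED. The expected value must come from read-only media, not from
# the possibly compromised host. Uses sha256sum when available, else cksum.
file_integrity() {
    file="$1"
    expected="$2"
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(cksum "$file" | cut -d' ' -f1)
    fi
    if [ "$actual" = "$expected" ]; then echo OK; else echo TAMPERED; fi
}

# Typical use on the host (paths and checksum are placeholders):
#   file_integrity /usr/etc/modstat "<checksum-from-offline-record>"
#   unknown_modules "$(modstat | awk 'NR>1 {print $NF}')"
```

Check modstat's integrity first; a clean module list from a trojaned modstat means nothing.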
