> >> >> There is a tool floating around called TAP which is a kernel mod that >> allows you to easily watch streams on SunOs, and capture what a person >> is typing. It is easy to modify so that you could actually write to >> the stream thus emulating that person and hijacking their terminal >> connection. >> >> To load the modules, the intruder does a modload to add the module to >> the kernel. One way to detect the hijacking tool is to do a >> >> modstat >> >> and see if there is any unfamiliar modules loaded. An intruder could trojan >> modstat so it might be worthwhile to check the integrity of modstat. >> >> > >I'm less concerned about the IP spoofing attack method than I am curious >about this TAP tool. Does anyone have any detailed/technical information >on this in particular? If you're hijacking *connections* isn't it much easier to just steal the filehandles in the kernel? (Just go to a processes' file table and add that processes file * to your open set, e.g., by implementing an new systemcall, interprocess dup: int ipcdup(int pid, int fd)) Can't be more than four or five lines of kernel code. Casper