
SERVER
(ip.addr eq 192.168.1.103 and ip.addr eq 192.168.1.101) and (tcp.port eq 1073 and tcp.port eq 23) and eth.src eq 00:00:c0:29:36:e8

ATTACKER
(ip.addr eq 192.168.1.103 and ip.addr eq 192.168.1.101) and (tcp.port eq 1073 and tcp.port eq 23) and eth.src eq 00:01:03:87:a8:eb

only 2 packets from the attacker: 521 and 716

521 inconspicuously sets up the attack - just contains 08 and 0a (space? Return?)
the server expected seq 233 and the attacker supplied it

after that, when the real client sends seq 233, the server just acknowledges that it already has it
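
Added example (not part of the original notes): a detection pass over exported packet records that flags the two indicators seen above, a new Ethernet source for an existing flow and a sequence number reused with different data. Frame 521, seq 233, bytes 08 0a and the attacker MAC come from the notes; the client MAC, which IP is the client, and the other frames are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records:
# (frame, eth_src, ip_src, sport, ip_dst, dport, seq, payload)
CLIENT_MAC = "00:11:22:33:44:55"      # constructed placeholder, not from the capture
ATTACKER_MAC = "00:01:03:87:a8:eb"    # from the notes
PACKETS = [
    (515, CLIENT_MAC, "192.168.1.103", 1073, "192.168.1.101", 23, 231, b"ls"),
    (521, ATTACKER_MAC, "192.168.1.103", 1073, "192.168.1.101", 23, 233, b"\x08\x0a"),
    (523, CLIENT_MAC, "192.168.1.103", 1073, "192.168.1.101", 23, 233, b"\r\n"),
    (530, CLIENT_MAC, "192.168.1.103", 1073, "192.168.1.101", 23, 235, b"w"),
]

def find_hijack_indicators(packets):
    """Return findings for one direction of each TCP flow.

    mac_change   - an existing flow's source IP/port appears from a new eth.src
    seq_conflict - a sequence number is reused with different payload bytes
                   (a plain retransmission repeats the same bytes and is ignored)
    """
    macs = defaultdict(set)     # flow -> Ethernet sources seen so far
    seen = defaultdict(dict)    # flow -> {seq: (frame, payload)}
    findings = []
    for frame, eth, sip, sport, dip, dport, seq, payload in sorted(packets):
        flow = (sip, sport, dip, dport)
        if macs[flow] and eth not in macs[flow]:
            findings.append(("mac_change", frame, flow, eth))
        macs[flow].add(eth)
        if not payload:
            continue            # pure ACKs carry no data to conflict
        if seq in seen[flow]:
            first_frame, first_payload = seen[flow][seq]
            if first_payload != payload:
                findings.append(("seq_conflict", frame, flow, first_frame))
        else:
            seen[flow][seq] = (frame, payload)
    return findings

if __name__ == "__main__":
    for finding in find_hijack_indicators(PACKETS):
        print(finding)
```

The eth.src check only makes sense on the local segment where both hosts are directly visible; behind a router every remote host shares the router's MAC.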

------------------------------------------------------------------



All sent by attacker eth.src eq 00:01:03:87:a8:eb

75 total

507-510 attacker arrives and acquires an IP Address via DHCP

519 to carry out the attack, asks who has 192.168.0.100, then sends them 521 and 716

98737 in preparation for the next attack, translates 192.168.0.103

98739 FIN, ACK sent to terminate connection

99095 RST to end a session

99950, 99957 hijack another session 1076 - failed?

176519 (21, 23) 1086 failed telnet?
176512 and on - telnet using captured password (1067)
176532 another telnet with captured password (1088)


klogin  4 attempts

ftp using captured password 






--------------------------------------------------------------

denial of service attack - ends 4 sessions in a row


experience from the victim's standpoint



can get data
end connections (different ways to end a connection)
hijack connections





5 main connections - 4 interrupted or hijacked TCP sessions

then an FTP using the stolen password
