This is setup for SunOS or Linux with an Ethernet interface.
You will need the Ethernet address of your local router in order to
send IP-spoofed packets.  You can generally get this from arp.
Edit the appropriate Makefile and define your router's ethernet address
there.  You should also define its IP address for linux, although I
doubt this will really be necessary.

To build, all you should have to do is:
   make -f Makefile.linux
or
   make -f Makefile.sunos

Once you've got it compiled you can type 'rbone -h' and it'll tell you
the syntax.  The program uses three 'hosts'.
  A)  the system you are attacking.  The one with the .rhosts file.
  T)  the trusted system.  The one that appears in A's .rhosts file.
  B)  a bogus host whose address is reachable, but the host is either
      not there or not responding.  You can find out with ping whether
      the host you specify meets these criteria.  If ping returns
      a 'host unreachable' message this host won't work.  ping should
      hang or eventually report something like 'host not responding'.

What's going to happen is this.  rbone will spoof a number of connection
requests (80 by default) from B to T.  T will try to respond, but will not
be able to contact B because it doesn't exist.  T is now 'hosed'.  It
has too many open requests on the given port.  Now rbone contacts A and
tries to determine a predictable pattern in its TCP sequence numbers.
(It is fairly stupid about doing this.  See Neuman's comments in rbone.c.)
When it is done it will now spoof a connection from T to A.  A will respond
to T, hopefully with the TCP sequence number we predicted.  Normally T
would say "I didn't initiate this connection.  Kill it," and send a RST
packet to A, thus ending our little ploy.  But T should still be hosed.
It has too many open connections pending and cannot respond to A.  So
we come along and send a spoofed packet from T to A with the sequence
number we guess that A used.  If we're right, we're set.  We send one
more packet with the attack command and it should be executed on A.
Typically an attacker would use something like "echo + + >> /.rhosts",
but that may not work for various reasons, such as tcp wrappers.  He
could just as easily add an entry to the /etc/inetd.conf file or even
start up another inetd with /bin/sh answering on some arbitrary port.
No matter what, it's bad.  The solution?  Make sequence prediction
impossible (or at least significantly more difficult) and disable all
address based trust mechanisms.
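
The 'hosing' of T described above leaves a visible trace in T's own
connection table: a pile of half-open requests on one port, all from a
single address that never completes the handshake.  The following is an
added example, not part of rbone or this README; it parses constructed
netstat-style lines (all addresses are made up) and flags that pattern.

```python
import re
from collections import Counter

# One "netstat -tn" style line: proto recv-q send-q local:port foreign:port state
LINE_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<faddr>[\d.]+):(?P<fport>\d+)\s+(?P<state>\S+)\s*$"
)


def build_sample(flood_count=80):
    """Constructed connection table of the trusted host T (10.0.0.2):
    flood_count pending requests to port 513 from B (10.0.0.99), an
    address that never answers the SYN/ACK, plus two ordinary sessions."""
    lines = [f"tcp 0 0 10.0.0.2:513 10.0.0.99:{1024 + i} SYN_RECV"
             for i in range(flood_count)]
    lines.append("tcp 0 0 10.0.0.2:22 10.0.0.7:40001 ESTABLISHED")
    lines.append("tcp 0 0 10.0.0.2:513 10.0.0.5:1023 ESTABLISHED")
    return "\n".join(lines) + "\n"


def find_half_open_floods(netstat_text, threshold=20):
    """Return [(local_port, source, count)] for every local port whose
    SYN_RECV (half-open) entries from one source address reach threshold.
    Completed sessions and unparseable lines are ignored."""
    pending = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("state") != "SYN_RECV":
            continue
        pending[(int(m.group("lport")), m.group("faddr"))] += 1
    return sorted((port, src, n) for (port, src), n in pending.items()
                  if n >= threshold)


if __name__ == "__main__":
    for port, src, n in find_half_open_floods(build_sample()):
        print(f"port {port}: {n} half-open requests from {src}")
```

The threshold is a constructed value; on a real host, tune it to the
listen backlog of the service on that port.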

-Mike
--
Michael R. Widner
atreus@primus.com
