Transcript Chapter 5
CIS 450 – Network Security Chapter 5 – Session Hijacking Definition – the process of taking over an existing active session Attacker wants to bypass the authentication process and gain access Attacker takes the legitimate user offline (usually with a DoS attack) and then takes over that user’s session Concentrates on taking over session oriented applications: HTTP, FTP, and Telnet Spoofing versus Hijacking In spoofing the attacker pretends to be someone else (either a person or a machine) to gain access. The real user plays no role in the attack In hijacking, the attacker is taking over an existing session and takes the legitimate user offline Types of Session Hijacking Passive Attack An attacker hijacks the session but just sits back and watches and records all of the traffic. Used to find out passwords and source code. Active Attack Forces the user offline, takes over the session and executes commands Hybrid Attack Starts out passive and then becomes active Watch a session and periodically inject data into the active session without actually taking it over TCP/IP Concepts Seven Layer OSI Model TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are at layer 4 (Transport layer) IP (Internet Protocol) resides at layer 3 (Network layer) Whether you use TCP or UDP, you still use IP as your layer 3 protocol TCP is reliable; UDP is not TCP Provides reliable delivery services Is connection-oriented which means that a connection must be established between the communicating nodes before the protocol will transmit data Connection has to be acknowledged that packets have been received Done through three-way handshake Three-Way Handshake First Leg User sends a packet to the server with the synchronization (SYN) bit set The SYN bit set is an indication that the value in the sequence number (SN) field is valid A value is put into the initial sequence (ISN) number Three-Way Handshake Second Leg Server receives packet Sends back a packet with the SYN bit set and an ISN for the server Sets the Acknowledgement (ACK) bit that received the first packet and increments user’s ISN by 1 Three-Way Handshake Third Leg User sets the ACK bit acknowledging the receipt of the server’s packet by incrementing the server’s sequence number (SN-S) by 1 At this point, the two machines have established a session and can begin communicating Sequence Numbers A 32-bit counter with over 4 billion possible combinations Are used to tell the receiving machine what order the packets should go in when they are received The receiving machine uses sequence numbers to tell the sender which packets have been received and which ones have not, so that the sender can resend the lost packets Sequence Numbers There is sequence number for the sender and one for the recipient The sender’s sequence number is used when sending a packet and is the receiver’s acknowledgement If the recipient is also sending (new) data back to the sender then the recipient’s sequence number is used by both parties Tcpdump/windump http://windump.polito.it/install/default.htm Steps in Session Hijacking Find a target Attacker wants the target to be a server that allows session-oriented connections like telnet and FTP Wants to make sure that he can gain access to the target beforehand (through the firewall) to sample the sequence number Perform sequence prediction Use NMAP Attacker connects to a machine several times to see how the numbers change over time Find an active session Wants to perform attack when there is a lot of traffic (less suspicious) Steps in Session Hijacking Guess the sequence numbers IP address, port address, and sequence number is required for two parties to connect IP addresses and the port are listed in the IP packets and do not change throughout the session Attacker must successfully guess sequence number or the server will try to re-synch with the original system Take one of the parties offline Launch a Denial of Service (DoS) attack against the system so it can no longer respond Client computer is normally taken offline since attacker wants to hijack a session with a server Steps in Session Hijacking Take over the session Attacker starts sending packets to the server and takes over the session Attacker spoofs the source information and sequence number Attacker is flying blind since he does not receive any of the response packets Critical for the attacker to predict what the server is going to do In simplest sense attacker wants to send packets to a telnet session that creates a new account so he can get back on the machine whenever he wants ACK Storms Adverse side affect of a hijacked session Occurs when an attacker starts to take over a session and sends spoofed packets If sequence numbers are not correct server tries to re-synch them by sending SYN and ACK packets back to the original client which in turn responds with its own SYN and ACK packets Also can occur if hijacked user is not taken offline with DoS Programs the Perform Hijacking Juggernaut Network sniffer running on Linux that can also be used to hijack TCP sessions Juggernaut can be activated to watch all network traffic on the local network, or can be set to listen for a special "token“ (keyword login). For example, Juggernaut can be configured to wait for the login prompt, and then record the network traffic that follows (usually capturing the password). By doing so, this tool can be used to historically capture certain types of traffic by simply leaving the tool running for a few days, and then the attacker just has to pick up the log file that contains the recorded traffic. This is different than regular network sniffers that record all network traffic making the log files extremely huge (and thus easy to detect). Main feature of this program is its ability to maintain a connection database. This means an attacker can watch all the TCP based connection made on the local network, and possibly "hijack" the session. After the connection is made, the attacker can watch the entire session (for a telnet session, this means the attacker sees the "playback" of the entire session. This is like actually seeing the telnet window). When an active session is watched, the attacker can perform some actions on that connection, besides passively watching it. Juggernaut is capable of resetting the connection (which basically means terminating it), and also hijacking the connection - allowing the attacker to insert commands in the session or even to completely take the session into his/her hands (resetting connection on the legitimate client). Programs the Perform Hijacking Hunt - Hijacking software has the following functionality features: http://www.skynet.ie/~syfer/tutorials/sessionhijacking.htm Connection management * Setting what connections you are interested in. * Detecting an ongoing connection (not only SYN started). * Normal active hijacking with the detection of the ACK storm. * ARP spoofed/Normal hijacking with the detection of successful ARP spoof. * Synchronization of the true client with the server after hijacking (so that the connection don't have to be reset). * Resetting connection. * Watching connection. Daemons * Reset daemon for automatic connection resetting. * ARP spoof/relayer daemon for ARP spoofing of hosts with the ability to relay all packets from spoofed hosts. * MAC discovery daemon for collecting MAC addresses. * Sniff daemon for logging TCP traffic with the ability to search for a particular string. Host Resolving * Deferred host resolving through dedicated DNS helper servers. Packet engine * Extensible packet engine for watching TCP, UDP, ICMP and ARP traffic. * Collecting TCP connections with sequence numbers and the ACK storm detection. Misc. * Determining which hosts are up. The tool was written by: Pavel Krauz. Programs the Perform Hijacking TTY Watcher Platform :Solaris, SunOS TTY-Watcher is a utility to monitor and control users on a single system. It is based on IP-Watcher utility, which can be used to monitor and control users on an entire network. It is similar to advise or tap, but with many more advanced features and a user friendly (either X-Windows or text) interface. TTY-Watcher allows the user to monitor every tty on the system, as well as interact with them by: to the real owner of the TTY without interfering with the commands he's typing. The message will only be displayed on his screen and will not be sent to the underlying process. Aside from monitoring and controlling TTYs, individual connections can be logged to either a raw logfile for later playback (somewhat like a VCR) or to a text file. Programs the Perform Hijacking IP Watcher http://www.engarde.com/software/ipwatcher/fe atures/monitoring.php Dangers Posed by Hijacking Most computers are vulnerable Is inherent with how TCP/IP works Little can be done to prevent it Other than encryption there is little that can be done to prevent it Is simple (with the proper software) While very complex and to perform manually takes someone very skilled with a lot of time there are a number of programs available Dangers Posed by Hijacking Is Very Dangerous Operating System Independent Can be used in both passive (capture sensitive information and passwords) and active (gain access and compromise a machine) attacks Most Countermeasures Do Not Work Protecting Against Session Hijacking Use encryption If attacker can not read the data that is transmitted it is much more difficult to hijack the session Make sure that the host participating in the encryption is not compromised All connections coming from the Internet must be encrypted as well as connections where sensitive data can be transmitted Ideally you want all traffic on your network to be encrypted Kerberos built into Windows 2000 and IPv6 has encryption built into the protocl Protecting Against Session Hijacking Use a secure protocol SSH (Secure SHell) or secure telnet VPN technologies that can go from client to server Limit incoming connections Block as much traffic as possible at both the external router and the firewall Protecting Against Session Hijacking Minimize (outgoing) remote access Have strong authentication (least effective) User has to re-authenticate at random intervals throughout the session