Transcript Chapter 5

CIS 450 – Network
Security
Chapter 5 – Session Hijacking
 Definition – the process of taking over an
existing active session
 Attacker wants to bypass the authentication
process and gain access
 Attacker takes the legitimate user offline
(usually with a DoS attack) and then takes
over that user’s session
 Concentrates on taking over session oriented
applications: HTTP, FTP, and Telnet
 Spoofing versus Hijacking


In spoofing the attacker pretends to be
someone else (either a person or a machine)
to gain access. The real user plays no role in
the attack
In hijacking, the attacker is taking over an
existing session and takes the legitimate user
offline
Types of Session Hijacking
 Passive Attack

An attacker hijacks the session but just sits back
and watches and records all of the traffic. Used to
find out passwords and source code.
 Active Attack
 Forces the user offline, takes over the session and
executes commands
 Hybrid Attack
 Starts out passive and then becomes active
 Watch a session and periodically inject data into the
active session without actually taking it over
TCP/IP Concepts
 Seven Layer OSI Model




TCP (Transmission Control Protocol) and UDP
(User Datagram Protocol) are at layer 4
(Transport layer)
IP (Internet Protocol) resides at layer 3
(Network layer)
Whether you use TCP or UDP, you still use IP
as your layer 3 protocol
TCP is reliable; UDP is not
TCP
 Provides reliable delivery services
 Is connection-oriented which means that a
connection must be established between the
communicating nodes before the protocol will
transmit data
 Connection has to be acknowledged that packets
have been received
 Done through three-way handshake
Three-Way Handshake
 First Leg



User sends a packet to the server with the
synchronization (SYN) bit set
The SYN bit set is an indication that the value
in the sequence number (SN) field is valid
A value is put into the initial sequence (ISN)
number
Three-Way Handshake
 Second Leg
 Server receives packet
 Sends back a packet with the SYN bit set and an
ISN for the server
 Sets the Acknowledgement (ACK) bit that received
the first packet and increments user’s ISN by 1
Three-Way Handshake
 Third Leg

User sets the ACK bit acknowledging the receipt of
the server’s packet by incrementing the server’s
sequence number (SN-S) by 1
 At this point, the two machines have established a
session and can begin communicating
Sequence Numbers
 A 32-bit counter with over 4 billion possible
combinations
 Are used to tell the receiving machine what
order the packets should go in when they are
received
 The receiving machine uses sequence
numbers to tell the sender which packets
have been received and which ones have
not, so that the sender can resend the lost
packets
Sequence Numbers
 There is sequence number for the sender and
one for the recipient
 The sender’s sequence number is used when
sending a packet and is the receiver’s
acknowledgement
 If the recipient is also sending (new) data
back to the sender then the recipient’s
sequence number is used by both parties
 Tcpdump/windump http://windump.polito.it/install/default.htm
Steps in Session Hijacking
 Find a target
Attacker wants the target to be a server that allows
session-oriented connections like telnet and FTP
 Wants to make sure that he can gain access to the target
beforehand (through the firewall) to sample the sequence
number
 Perform sequence prediction
 Use NMAP
 Attacker connects to a machine several times to see how
the numbers change over time
 Find an active session
 Wants to perform attack when there is a lot of traffic
(less suspicious)

Steps in Session Hijacking
 Guess the sequence numbers
IP address, port address, and sequence number is
required for two parties to connect
 IP addresses and the port are listed in the IP packets and
do not change throughout the session
 Attacker must successfully guess sequence number or
the server will try to re-synch with the original system
 Take one of the parties offline
 Launch a Denial of Service (DoS) attack against the
system so it can no longer respond
 Client computer is normally taken offline since attacker
wants to hijack a session with a server

Steps in Session Hijacking
 Take over the session
 Attacker starts sending packets to the server and
takes over the session
 Attacker spoofs the source information and
sequence number
 Attacker is flying blind since he does not receive any
of the response packets
 Critical for the attacker to predict what the server is
going to do
 In simplest sense attacker wants to send packets to
a telnet session that creates a new account so he
can get back on the machine whenever he wants
ACK Storms
 Adverse side affect of a hijacked session
 Occurs when an attacker starts to take over a
session and sends spoofed packets
 If sequence numbers are not correct server
tries to re-synch them by sending SYN and
ACK packets back to the original client which
in turn responds with its own SYN and ACK
packets
 Also can occur if hijacked user is not taken
offline with DoS
Programs the Perform Hijacking

Juggernaut




Network sniffer running on Linux that can also be used to hijack TCP sessions
Juggernaut can be activated to watch all network traffic on the local network, or can be set to
listen for a special "token“ (keyword login). For example, Juggernaut can be configured to
wait for the login prompt, and then record the network traffic that follows (usually capturing
the password). By doing so, this tool can be used to historically capture certain types of traffic
by simply leaving the tool running for a few days, and then the attacker just has to pick up the
log file that contains the recorded traffic. This is different than regular network sniffers that
record all network traffic making the log files extremely huge (and thus easy to detect).
Main feature of this program is its ability to maintain a connection database. This means an
attacker can watch all the TCP based connection made on the local network, and possibly
"hijack" the session. After the connection is made, the attacker can watch the entire session
(for a telnet session, this means the attacker sees the "playback" of the entire session. This is
like actually seeing the telnet window).
When an active session is watched, the attacker can perform some actions on that
connection, besides passively watching it. Juggernaut is capable of resetting the connection
(which basically means terminating it), and also hijacking the connection - allowing the
attacker to insert commands in the session or even to completely take the session into
his/her hands (resetting connection on the legitimate client).
Programs the Perform Hijacking

Hunt - Hijacking software has the following functionality features:






http://www.skynet.ie/~syfer/tutorials/sessionhijacking.htm
Connection management
* Setting what connections you are interested in.
* Detecting an ongoing connection (not only SYN started).
* Normal active hijacking with the detection of the ACK storm.
* ARP spoofed/Normal hijacking with the detection of successful ARP spoof.
* Synchronization of the true client with the server after hijacking (so that the
connection don't have to be reset).
* Resetting connection.
* Watching connection.
Daemons
* Reset daemon for automatic connection resetting.
* ARP spoof/relayer daemon for ARP spoofing of hosts with the ability to relay all
packets from spoofed hosts.
* MAC discovery daemon for collecting MAC addresses.
* Sniff daemon for logging TCP traffic with the ability to search for a particular string.
Host Resolving
* Deferred host resolving through dedicated DNS helper servers.
Packet engine
* Extensible packet engine for watching TCP, UDP, ICMP and ARP traffic.
* Collecting TCP connections with sequence numbers and the ACK storm detection.
Misc.
* Determining which hosts are up.
The tool was written by: Pavel Krauz.
Programs the Perform Hijacking
 TTY Watcher

Platform :Solaris, SunOS

TTY-Watcher is a utility to monitor and control users on a
single system. It is based on IP-Watcher utility, which can be
used to monitor and control users on an entire network. It is
similar to advise or tap, but with many more advanced
features and a user friendly (either X-Windows or text)
interface. TTY-Watcher allows the user to monitor every tty
on the system, as well as interact with them by: to the real
owner of the TTY without interfering with the commands he's
typing. The message will only be displayed on his screen
and will not be sent to the underlying process. Aside from
monitoring and controlling TTYs, individual connections can
be logged to either a raw logfile for later playback (somewhat
like a VCR) or to a text file.
Programs the Perform Hijacking
 IP Watcher

http://www.engarde.com/software/ipwatcher/fe
atures/monitoring.php
Dangers Posed by Hijacking
 Most computers are vulnerable

Is inherent with how TCP/IP works
 Little can be done to prevent it

Other than encryption there is little that can be
done to prevent it
 Is simple (with the proper software)

While very complex and to perform manually
takes someone very skilled with a lot of time
there are a number of programs available
Dangers Posed by Hijacking
 Is Very Dangerous


Operating System Independent
Can be used in both passive (capture
sensitive information and passwords) and
active (gain access and compromise a
machine) attacks
 Most Countermeasures Do Not Work
Protecting Against Session Hijacking
 Use encryption
 If attacker can not read the data that is transmitted it is
much more difficult to hijack the session
 Make sure that the host participating in the encryption
is not compromised
 All connections coming from the Internet must be
encrypted as well as connections where sensitive data
can be transmitted
 Ideally you want all traffic on your network to be
encrypted
 Kerberos built into Windows 2000 and IPv6 has
encryption built into the protocl
Protecting Against Session Hijacking
 Use a secure protocol


SSH (Secure SHell) or secure telnet
VPN technologies that can go from client to
server
 Limit incoming connections

Block as much traffic as possible at both the
external router and the firewall
Protecting Against Session Hijacking
 Minimize (outgoing) remote access
 Have strong authentication (least effective)

User has to re-authenticate at random
intervals throughout the session