CIS 450

1
CIS 450 Network Security

• Chapter 5 Session Hijacking

2

• Definition the process of taking over an
  existing active session
• Attacker wants to bypass the authentication
  process and gain access
• Attacker takes the legitimate user offline
  (usually with a DoS attack) and then takes over
  that users session
• Concentrates on taking over session oriented
  applications HTTP, FTP, and Telnet

3

• Spoofing versus Hijacking
• In spoofing the attacker pretends to be someone
  else (either a person or a machine) to gain
  access. The real user plays no role in the attack
• In hijacking, the attacker is taking over an
  existing session and takes the legitimate user
  offline

4
Types of Session Hijacking

• Passive Attack
• An attacker hijacks the session but just sits
  back and watches and records all of the traffic.
  Used to find out passwords and source code.
• Active Attack
• Forces the user offline, takes over the session
  and executes commands
• Hybrid Attack
• Starts out passive and then becomes active
• Watch a session and periodically inject data into
  the active session without actually taking it over

5
TCP/IP Concepts

• Seven Layer OSI Model
• TCP (Transmission Control Protocol) and UDP (User
  Datagram Protocol) are at layer 4 (Transport
  layer)
• IP (Internet Protocol) resides at layer 3
  (Network layer)
• Whether you use TCP or UDP, you still use IP as
  your layer 3 protocol
• TCP is reliable UDP is not

6
TCP

• Provides reliable delivery services
• Is connection-oriented which means that a
  connection must be established between the
  communicating nodes before the protocol will
  transmit data
• Connection has to be acknowledged that packets
  have been received
• Done through three-way handshake

7
Three-Way Handshake

• First Leg
• User sends a packet to the server with the
  synchronization (SYN) bit set
• The SYN bit set is an indication that the value
  in the sequence number (SN) field is valid
• A value is put into the initial sequence (ISN)
  number

8
Three-Way Handshake

• Second Leg
• Server receives packet
• Sends back a packet with the SYN bit set and an
  ISN for the server
• Sets the Acknowledgement (ACK) bit that received
  the first packet and increments users ISN by 1

9
Three-Way Handshake

• Third Leg
• User sets the ACK bit acknowledging the receipt
  of the servers packet by incrementing the
  servers sequence number (SN-S) by 1
• At this point, the two machines have established
  a session and can begin communicating

10
Sequence Numbers

• A 32-bit counter with over 4 billion possible
  combinations
• Are used to tell the receiving machine what order
  the packets should go in when they are received
• The receiving machine uses sequence numbers to
  tell the sender which packets have been received
  and which ones have not, so that the sender can
  resend the lost packets

11
Sequence Numbers

• There is sequence number for the sender and one
  for the recipient
• The senders sequence number is used when sending
  a packet and is the receivers acknowledgement
• If the recipient is also sending (new) data back
  to the sender then the recipients sequence
  number is used by both parties
• Tcpdump/windump - http//windump.polito.it/install
  /default.htm

12
Steps in Session Hijacking

• Find a target
• Attacker wants the target to be a server that
  allows session-oriented connections like telnet
  and FTP
• Wants to make sure that he can gain access to the
  target beforehand (through the firewall) to
  sample the sequence number
• Perform sequence prediction
• Use NMAP
• Attacker connects to a machine several times to
  see how the numbers change over time
• Find an active session
• Wants to perform attack when there is a lot of
  traffic (less suspicious)

13
Steps in Session Hijacking

• Guess the sequence numbers
• IP address, port address, and sequence number is
  required for two parties to connect
• IP addresses and the port are listed in the IP
  packets and do not change throughout the session
• Attacker must successfully guess sequence number
  or the server will try to re-synch with the
  original system
• Take one of the parties offline
• Launch a Denial of Service (DoS) attack against
  the system so it can no longer respond
• Client computer is normally taken offline since
  attacker wants to hijack a session with a server

14
Steps in Session Hijacking

• Take over the session
• Attacker starts sending packets to the server and
  takes over the session
• Attacker spoofs the source information and
  sequence number
• Attacker is flying blind since he does not
  receive any of the response packets
• Critical for the attacker to predict what the
  server is going to do
• In simplest sense attacker wants to send packets
  to a telnet session that creates a new account so
  he can get back on the machine whenever he wants

15
ACK Storms

• Adverse side affect of a hijacked session
• Occurs when an attacker starts to take over a
  session and sends spoofed packets
• If sequence numbers are not correct server tries
  to re-synch them by sending SYN and ACK packets
  back to the original client which in turn
  responds with its own SYN and ACK packets
• Also can occur if hijacked user is not taken
  offline with DoS

16
Programs the Perform Hijacking

• Juggernaut
• Network sniffer running on Linux that can also be
  used to hijack TCP sessions
• Juggernaut can be activated to watch all network
  traffic on the local network, or can be set to
  listen for a special "token (keyword login). For
  example, Juggernaut can be configured to wait for
  the login prompt, and then record the network
  traffic that follows (usually capturing the
  password). By doing so, this tool can be used to
  historically capture certain types of traffic by
  simply leaving the tool running for a few days,
  and then the attacker just has to pick up the log
  file that contains the recorded traffic. This is
  different than regular network sniffers that
  record all network traffic making the log files
  extremely huge (and thus easy to detect).
• Main feature of this program is its ability to
  maintain a connection database. This means an
  attacker can watch all the TCP based connection
  made on the local network, and possibly "hijack"
  the session. After the connection is made, the
  attacker can watch the entire session (for a
  telnet session, this means the attacker sees the
  "playback" of the entire session. This is like
  actually seeing the telnet window).
• When an active session is watched, the attacker
  can perform some actions on that connection,
  besides passively watching it. Juggernaut is
  capable of resetting the connection (which
  basically means terminating it), and also
  hijacking the connection - allowing the attacker
  to insert commands in the session or even to
  completely take the session into his/her hands
  (resetting connection on the legitimate client).

17
Programs the Perform Hijacking

• Hunt - Hijacking software has the following
  functionality features
• http//www.skynet.ie/syfer/tutorials/sessionhijac
  king.htm
• Connection management Setting what connections
  you are interested in. Detecting an ongoing
  connection (not only SYN started). Normal
  active hijacking with the detection of the ACK
  storm. ARP spoofed/Normal hijacking with the
  detection of successful ARP spoof.
  Synchronization of the true client with the
  server after hijacking (so that the connection
  don't have to be reset). Resetting
  connection. Watching connection.
• Daemons Reset daemon for automatic connection
  resetting. ARP spoof/relayer daemon for ARP
  spoofing of hosts with the ability to relay all
  packets from spoofed hosts. MAC discovery
  daemon for collecting MAC addresses. Sniff
  daemon for logging TCP traffic with the ability
  to search for a particular string.
• Host Resolving Deferred host resolving through
  dedicated DNS helper servers.
• Packet engine Extensible packet engine for
  watching TCP, UDP, ICMP and ARP traffic.
  Collecting TCP connections with sequence numbers
  and the ACK storm detection.
• Misc. Determining which hosts are up.The tool
  was written by Pavel Krauz.

18
Programs the Perform Hijacking

• TTY Watcher
• Platform Solaris, SunOS
• TTY-Watcher is a utility to monitor and control
  users on a single system. It is based on
  IP-Watcher utility, which can be used to monitor
  and control users on an entire network. It is
  similar to advise or tap, but with many more
  advanced features and a user friendly (either
  X-Windows or text) interface. TTY-Watcher allows
  the user to monitor every tty on the system, as
  well as interact with them by to the real owner
  of the TTY without interfering with the commands
  he's typing. The message will only be displayed
  on his screen and will not be sent to the
  underlying process. Aside from monitoring and
  controlling TTYs, individual connections can be
  logged to either a raw logfile for later playback
  (somewhat like a VCR) or to a text file.

19
Programs the Perform Hijacking

• IP Watcher
• http//www.engarde.com/software/ipwatcher/features
  /monitoring.php

20
Dangers Posed by Hijacking

• Most computers are vulnerable
• Is inherent with how TCP/IP works
• Little can be done to prevent it
• Other than encryption there is little that can be
  done to prevent it
• Is simple (with the proper software)
• While very complex and to perform manually takes
  someone very skilled with a lot of time there are
  a number of programs available

21
Dangers Posed by Hijacking

• Is Very Dangerous
• Operating System Independent
• Can be used in both passive (capture sensitive
  information and passwords) and active (gain
  access and compromise a machine) attacks
• Most Countermeasures Do Not Work

22
Protecting Against Session Hijacking

• Use encryption
• If attacker can not read the data that is
  transmitted it is much more difficult to hijack
  the session
• Make sure that the host participating in the
  encryption is not compromised
• All connections coming from the Internet must be
  encrypted as well as connections where sensitive
  data can be transmitted
• Ideally you want all traffic on your network to
  be encrypted
• Kerberos built into Windows 2000 and IPv6 has
  encryption built into the protocl

23
Protecting Against Session Hijacking

• Use a secure protocol
• SSH (Secure SHell) or secure telnet
• VPN technologies that can go from client to
  server
• Limit incoming connections
• Block as much traffic as possible at both the
  external router and the firewall

24
Protecting Against Session Hijacking

• Minimize (outgoing) remote access
• Have strong authentication (least effective)
• User has to re-authenticate at random intervals
  throughout the session