CIS 450 - PowerPoint PPT Presentation

1
CIS 450 Network Security
  • Chapter 5: Session Hijacking

2
  • Definition: the process of taking over an
    existing active session
  • Attacker wants to bypass the authentication
    process and gain access
  • Attacker takes the legitimate user offline
    (usually with a DoS attack) and then takes over
    that user's session
  • Concentrates on taking over session-oriented
    applications: HTTP, FTP, and Telnet

3
  • Spoofing versus Hijacking
  • In spoofing the attacker pretends to be someone
    else (either a person or a machine) to gain
    access. The real user plays no role in the attack
  • In hijacking, the attacker is taking over an
    existing session and takes the legitimate user
    offline

4
Types of Session Hijacking
  • Passive Attack
  • An attacker hijacks the session but just sits
    back and watches and records all of the traffic.
    Used to find out passwords and source code.
  • Active Attack
  • Forces the user offline, takes over the session
    and executes commands
  • Hybrid Attack
  • Starts out passive and then becomes active
  • Watch a session and periodically inject data into
    the active session without actually taking it over

5
TCP/IP Concepts
  • Seven-Layer OSI Model
  • TCP (Transmission Control Protocol) and UDP (User
    Datagram Protocol) are at layer 4 (Transport
    layer)
  • IP (Internet Protocol) resides at layer 3
    (Network layer)
  • Whether you use TCP or UDP, you still use IP as
    your layer 3 protocol
  • TCP is reliable; UDP is not

6
TCP
  • Provides reliable delivery services
  • Is connection-oriented which means that a
    connection must be established between the
    communicating nodes before the protocol will
    transmit data
  • Receipt of packets has to be acknowledged over
    the connection
  • Done through the three-way handshake

7
Three-Way Handshake
  • First Leg
  • User sends a packet to the server with the
    synchronization (SYN) bit set
  • The SYN bit set is an indication that the value
    in the sequence number (SN) field is valid
  • A value is put into the initial sequence number
    (ISN) field

8
Three-Way Handshake
  • Second Leg
  • Server receives packet
  • Sends back a packet with the SYN bit set and an
    ISN for the server
  • Sets the Acknowledgement (ACK) bit to show that it
    received the first packet, acknowledging the
    user's ISN incremented by 1

9
Three-Way Handshake
  • Third Leg
  • User sets the ACK bit, acknowledging the receipt
    of the server's packet by incrementing the
    server's sequence number (SN-S) by 1
  • At this point, the two machines have established
    a session and can begin communicating

10
Sequence Numbers
  • A 32-bit counter with over 4 billion possible
    combinations
  • Are used to tell the receiving machine what order
    the packets should go in when they are received
  • The receiving machine uses sequence numbers to
    tell the sender which packets have been received
    and which ones have not, so that the sender can
    resend the lost packets

11
Sequence Numbers
  • There is a sequence number for the sender and one
    for the recipient
  • The sender's sequence number is used when sending
    a packet and is the receiver's acknowledgement
  • If the recipient is also sending (new) data back
    to the sender, then the recipient's sequence
    number is used by both parties
  • Tcpdump/windump - http://windump.polito.it/install
    /default.htm
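As an added illustration of slides 7 through 11 (not part of the original deck), a toy model of the three-way handshake and the sequence/acknowledgement arithmetic, including what an endpoint does when a segment arrives with a sequence number it does not expect. The `Segment` and `Endpoint` classes and the ISN values are constructed for this example and are not a real TCP stack.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    src: str
    seq: int
    ack: int
    syn: bool = False
    ackf: bool = False          # the ACK bit
    payload: bytes = b""

class Endpoint:
    """Toy TCP endpoint: our next sequence number and the one we expect next."""
    def __init__(self, name, isn):
        self.name, self.snd_nxt, self.rcv_nxt, self.state = name, isn, 0, "CLOSED"

    def connect(self):
        # First leg: SYN carrying our ISN (the SYN bit says the SN field is valid)
        self.state = "SYN_SENT"
        return Segment(self.name, self.snd_nxt, 0, syn=True)

    def receive(self, seg):
        """Process one segment; return the reply segment, or None."""
        if seg.syn and not seg.ackf and self.state == "CLOSED":
            # Second leg: SYN+ACK with our own ISN; ack = user's ISN + 1
            self.rcv_nxt, self.state = seg.seq + 1, "SYN_RCVD"
            return Segment(self.name, self.snd_nxt, self.rcv_nxt, syn=True, ackf=True)
        if seg.syn and seg.ackf and self.state == "SYN_SENT" and seg.ack == self.snd_nxt + 1:
            # Third leg: our SYN consumed one number; ack the server's ISN + 1
            self.snd_nxt, self.rcv_nxt, self.state = seg.ack, seg.seq + 1, "ESTABLISHED"
            return Segment(self.name, self.snd_nxt, self.rcv_nxt, ackf=True)
        if seg.ackf and self.state == "SYN_RCVD" and seg.ack == self.snd_nxt + 1:
            self.snd_nxt, self.state = seg.ack, "ESTABLISHED"     # handshake done
            return None
        if self.state == "ESTABLISHED" and seg.ackf:
            if seg.seq != self.rcv_nxt:
                # Unexpected sequence number: data is dropped and an ACK with the
                # number we still expect goes back so the peer can re-synchronize
                return Segment(self.name, self.snd_nxt, self.rcv_nxt, ackf=True)
            self.rcv_nxt += len(seg.payload)                      # in-order data accepted
            return Segment(self.name, self.snd_nxt, self.rcv_nxt, ackf=True)
        return None

def handshake(user, server):
    """Run all three legs; return both states and the user's final ACK."""
    syn_ack = server.receive(user.connect())
    ack = user.receive(syn_ack)
    server.receive(ack)
    return user.state, server.state, ack
```

Feeding the established server a segment with the wrong sequence number returns the same "expected number" ACK every time and leaves `rcv_nxt` unchanged, which is the behaviour the later ACK storm slide builds on.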

12
Steps in Session Hijacking
  • Find a target
  • Attacker wants the target to be a server that
    allows session-oriented connections like telnet
    and FTP
  • Wants to make sure that he can gain access to the
    target beforehand (through the firewall) to
    sample the sequence number
  • Perform sequence prediction
  • Use NMAP
  • Attacker connects to a machine several times to
    see how the numbers change over time
  • Find an active session
  • Wants to perform attack when there is a lot of
    traffic (less suspicious)

13
Steps in Session Hijacking
  • Guess the sequence numbers
  • IP address, port address, and sequence number are
    required for two parties to connect
  • IP addresses and the port are listed in the IP
    packets and do not change throughout the session
  • Attacker must successfully guess sequence number
    or the server will try to re-synch with the
    original system
  • Take one of the parties offline
  • Launch a Denial of Service (DoS) attack against
    the system so it can no longer respond
  • Client computer is normally taken offline since
    attacker wants to hijack a session with a server

14
Steps in Session Hijacking
  • Take over the session
  • Attacker starts sending packets to the server and
    takes over the session
  • Attacker spoofs the source information and
    sequence number
  • Attacker is flying blind since he does not
    receive any of the response packets
  • Critical for the attacker to predict what the
    server is going to do
  • In simplest sense attacker wants to send packets
    to a telnet session that creates a new account so
    he can get back on the machine whenever he wants

15
ACK Storms
  • Adverse side effect of a hijacked session
  • Occurs when an attacker starts to take over a
    session and sends spoofed packets
  • If the sequence numbers are not correct, the
    server tries to re-synch them by sending SYN and
    ACK packets back to the original client, which in
    turn responds with its own SYN and ACK packets
  • Can also occur if the hijacked user is not taken
    offline with a DoS

16
Programs that Perform Hijacking
  • Juggernaut
  • Network sniffer running on Linux that can also be
    used to hijack TCP sessions
  • Juggernaut can be activated to watch all network
    traffic on the local network, or can be set to
    listen for a special "token" (keyword: login). For
    example, Juggernaut can be configured to wait for
    the login prompt, and then record the network
    traffic that follows (usually capturing the
    password). By doing so, this tool can be used to
    historically capture certain types of traffic by
    simply leaving the tool running for a few days,
    and then the attacker just has to pick up the log
    file that contains the recorded traffic. This is
    different from regular network sniffers, which
    record all network traffic, making the log files
    extremely huge (and thus easy to detect).
  • The main feature of this program is its ability to
    maintain a connection database. This means an
    attacker can watch all the TCP-based connections
    made on the local network, and possibly "hijack"
    the session. After the connection is made, the
    attacker can watch the entire session (for a
    telnet session, this means the attacker sees the
    "playback" of the entire session; this is like
    actually seeing the telnet window).
  • When an active session is watched, the attacker
    can perform some actions on that connection,
    besides passively watching it. Juggernaut is
    capable of resetting the connection (which
    basically means terminating it), and also
    hijacking the connection - allowing the attacker
    to insert commands in the session or even to
    completely take the session into his/her hands
    (resetting connection on the legitimate client).

17
Programs that Perform Hijacking
  • Hunt - hijacking software with the following
    functionality features
  • http://www.skynet.ie/syfer/tutorials/sessionhijac
    king.htm
  • Connection management: setting what connections
    you are interested in. Detecting an ongoing
    connection (not only SYN started). Normal
    active hijacking with the detection of the ACK
    storm. ARP spoofed/normal hijacking with the
    detection of a successful ARP spoof.
    Synchronization of the true client with the
    server after hijacking (so that the connection
    doesn't have to be reset). Resetting the
    connection. Watching the connection.
  • Daemons: reset daemon for automatic connection
    resetting. ARP spoof/relayer daemon for ARP
    spoofing of hosts with the ability to relay all
    packets from spoofed hosts. MAC discovery
    daemon for collecting MAC addresses. Sniff
    daemon for logging TCP traffic with the ability
    to search for a particular string.
  • Host resolving: deferred host resolving through
    dedicated DNS helper servers.
  • Packet engine: extensible packet engine for
    watching TCP, UDP, ICMP and ARP traffic.
    Collecting TCP connections with sequence numbers
    and the ACK storm detection.
  • Misc.: determining which hosts are up. The tool
    was written by Pavel Krauz.

18
Programs that Perform Hijacking
  • TTY Watcher
  • Platform: Solaris, SunOS
  • TTY-Watcher is a utility to monitor and control
    users on a single system. It is based on the
    IP-Watcher utility, which can be used to monitor
    and control users on an entire network. It is
    similar to advise or tap, but with many more
    advanced features and a user-friendly (either
    X-Windows or text) interface. TTY-Watcher allows
    the user to monitor every tty on the system, as
    well as interact with them, or send a message to
    the real owner of the TTY without interfering with
    the commands he's typing. The message will only be
    displayed on his screen and will not be sent to
    the underlying process. Aside from monitoring and
    controlling TTYs, individual connections can be
    logged to either a raw logfile for later playback
    (somewhat like a VCR) or to a text file.

19
Programs that Perform Hijacking
  • IP Watcher
  • http://www.engarde.com/software/ipwatcher/features
    /monitoring.php

20
Dangers Posed by Hijacking
  • Most computers are vulnerable
  • Is inherent in how TCP/IP works
  • Little can be done to prevent it
  • Other than encryption there is little that can be
    done to prevent it
  • Is simple (with the proper software)
  • While performing it manually is very complex and
    takes someone very skilled with a lot of time,
    there are a number of programs available

21
Dangers Posed by Hijacking
  • Is Very Dangerous
  • Operating System Independent
  • Can be used in both passive (capture sensitive
    information and passwords) and active (gain
    access and compromise a machine) attacks
  • Most Countermeasures Do Not Work

22
Protecting Against Session Hijacking
  • Use encryption
  • If the attacker cannot read the data that is
    transmitted, it is much more difficult to hijack
    the session
  • Make sure that the host participating in the
    encryption is not compromised
  • All connections coming from the Internet must be
    encrypted, as well as connections where sensitive
    data can be transmitted
  • Ideally you want all traffic on your network to
    be encrypted
  • Kerberos is built into Windows 2000, and IPv6 has
    encryption built into the protocol

23
Protecting Against Session Hijacking
  • Use a secure protocol
  • SSH (Secure SHell) or secure telnet
  • VPN technologies that can go from client to
    server
  • Limit incoming connections
  • Block as much traffic as possible at both the
    external router and the firewall

24
Protecting Against Session Hijacking
  • Minimize (outgoing) remote access
  • Have strong authentication (least effective)
  • User has to re-authenticate at random intervals
    throughout the session