hacking module 10

Upload: jitendra-kumar-dash

Post on 29-May-2018


  • 8/9/2019 hacking Module 10

    1/26

    NMCSP2008 Batch-I

    Module X

    Session Hijacking


    Scenario

    Nick works as a trainee at the purchasing department of a manufacturing plant. Most transactions are done online through sessions with the vendors.

    He had high job expectations and slogged for hours in the hope of getting a better job role. His boss was indifferent to his hard work and was more influenced by the sycophants. After a year, all his colleagues had been promoted. Nick was flustered. He decided that it was payback time for his boss.



    Module Objectives

    Spoofing vs. Hijacking

    Types of session hijacking

    TCP/IP concepts

    Performing Sequence prediction

    ACK Storms

    Session Hijacking Tools


    Module Flow

    Understanding Session Hijacking

    Countermeasures

    Session Hijacking Tools

    TCP 3-way handshake

    Types of Session Hijacking

    Session Hijacking Steps

    Spoofing vs. Hijacking


    Understanding session hijacking

    Understanding the flow of message packets over the Internet by dissecting the TCP stack.

    Understanding the security issues involved in the use of the IPv4 standard.

    Familiarizing with the basic attacks possible due to the IPv4 standard.


    Spoofing vs. Hijacking

    A spoofing attack is different from a hijack as an attacker is not actively taking another user offline to perform the attack. He pretends to be another user or machine to gain access.

    [Figure labels: Bob (VICTIM); "I am Bob!"; ATTACKER]


    Spoofing vs. Hijacking

    With hijacking, an attacker is taking over an existing session, which means he is relying on the legitimate user to make a connection and authenticate. After that the attacker takes over the session.

    [Figure labels: Bob logs on to server; Dial in; "I am Bob!"; Server]


    Steps in Session Hijacking

    1. Tracking the session

    2. Desynchronizing the connection

    3. Injecting the attacker's packet


    Types of Session Hijacking

    There are two types of Session Hijacking attacks:

    Active

    In an active attack, an attacker finds an active session and takes over.

    Passive

    With a passive attack, an attacker hijacks a session and sits back, watching and recording all the traffic that is being sent forth.


    The 3-Way Handshake

    [Figure: exchange between BOB and SERVER]

    SYN Seq: 4000

    SYN/ACK Seq: 4001, Ack: 7000

    ACK Seq: 4002, Ack: 7001

    DATA Seq: 4003, Ack: 7002

    DATA Seq: 4004, Ack: 7003

    If the attacker can anticipate the next number Bob will send, he can spoof Bob's address and start communication with the server.


    Sequence Numbers

    Sequence numbers are important in providing reliable communication, which is crucial for hijacking a session.

    Sequence numbers use a 32-bit counter. Therefore, there are over 4 billion possible combinations.

    Sequence numbers are used to tell the receiving machine the order the packets need to be assembled in, once they are all received.

    Therefore, an attacker must successfully guess the sequence number in order to hijack a session.
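
The check a receiving TCP stack applies to incoming sequence numbers, as an added example that is not part of the original slides: it implements the RFC 793 segment acceptability test and the stricter RFC 5961 rule for RST segments, using 32-bit wraparound arithmetic. The function names and the sample values are assumptions made for illustration.

```python
"""Receiver-side TCP sequence checks (RFC 793 acceptability, RFC 5961 RST rule).

Added illustration; function names and sample values are assumptions.
"""
MOD = 1 << 32  # sequence numbers are a 32-bit counter and wrap around


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2**32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def segment_acceptable(seq, seg_len, rcv_nxt, rcv_wnd):
    """RFC 793 test: is any part of the segment inside the receive window?"""
    if rcv_wnd == 0:
        # Closed window: only an empty segment at exactly rcv_nxt is accepted.
        return seg_len == 0 and seq == rcv_nxt
    if seg_len == 0:
        return in_window(seq, rcv_nxt, rcv_wnd)
    last = (seq + seg_len - 1) % MOD  # sequence number of the final byte
    return in_window(seq, rcv_nxt, rcv_wnd) or in_window(last, rcv_nxt, rcv_wnd)


def handle_rst(seq, rcv_nxt, rcv_wnd):
    """RFC 5961 section 3.2: only an exact sequence match resets the session."""
    if not in_window(seq, rcv_nxt, rcv_wnd):
        return "drop"           # out of window: silently discarded
    if seq == rcv_nxt:
        return "reset"          # exact match: connection is torn down
    return "challenge-ack"      # in window but inexact: ask the peer to confirm


def in_window_fraction(rcv_wnd):
    """Share of the 32-bit space that passes the plain in-window test."""
    return rcv_wnd / MOD


if __name__ == "__main__":
    # Constructed values: the window starts near the top of the 32-bit range,
    # so it wraps past zero.
    rcv_nxt, rcv_wnd = 0xFFFFFF00, 65535
    for seq in (0xFFFFFF00, 0x00000010, 0x00010000, 0x7FFFFFFF):
        print(f"{seq:#010x}",
              segment_acceptable(seq, 0, rcv_nxt, rcv_wnd),
              handle_rst(seq, rcv_nxt, rcv_wnd))
    print(f"in-window share of sequence space: {in_window_fraction(rcv_wnd):.6%}")
```

A stack that applies only the in-window test accepts a far larger set of sequence numbers than one that also enforces the exact-match rule for RST, which is why the RFC 5961 behaviour is worth confirming on exposed hosts.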


    Programs that perform Session Hijacking

    There are several programs available that perform session hijacking.

    Following are a few that belong in this category:

    Juggernaut

    Hunt

    TTY Watcher

    IP Watcher

    T-Sight


    Hacking Tool: Hunt

    http://lin.fsid.cvut.cz/~kra/index.html

    Hunt is a program that can be used to listen, intercept, and hijack active sessions on a network.

    Hunt offers:

    Connection management

    ARP Spoofing

    Resetting Connections

    Watching Connections

    MAC Address discovery

    Sniffing TCP traffic


    Hacking Tool: TTY Watcher

    http://www.cerias.purdue.edu

    TTY-watcher is a utility to monitor and control users on a single system.

    Anything the user types into a monitored TTY window will be sent to the underlying process. In this way the login session is being shared with another user.

    After a TTY has been stolen, it can be returned to the user as though nothing happened.

    (Available only for Sun Solaris Systems.)


    Hacking Tool: IP watcher

    http://engarde.com

    IP watcher is a commercial session hijacking tool that allows one to monitor connections and has active countermeasures for taking over a session.

    The program can monitor all connections on a network, allowing an attacker to display an exact copy of a session in real-time.


    T-Sight

    http://engarde.com

    T-Sight, an advanced intrusion investigation and response tool for Windows NT and Windows 2000, can assist when an attempt at a break-in or compromise occurs. With T-Sight one can monitor all the network connections (i.e. traffic) in real-time and observe any suspicious activity that takes place.

    T-Sight has the capability to hijack any TCP session on the network.

    For security reasons, Engarde Systems licenses this software to a pre-determined IP address.


    Remote TCP Session Reset Utility


    Scenario (contd.)

    Nick captures the authentication token of his boss' session with the supply vendors and gets access to all of the vital information to take over his account.

    What next?

    He can impersonate his boss

    Place orders

    Cause loss of goodwill with the vendors

    Circulate malicious stuff from his boss's account

    Change the account password and cause closure of the account, leading to the loss of important documents


    Dangers posed by Hijacking

    1. Most computers are vulnerable

    2. Little can be done to protect against it

    3. Hijacking is simple to launch

    4. Most countermeasures do not work

    5. Hijacking is very dangerous (theft of identity, fraud, etc.)


    Protecting against Session Hijacking

    1. Use Encryption

    2. Use a secure protocol

    3. Limit incoming connections

    4. Minimize remote access

    5. Have strong authentication

    6. Educate the employees

    7. Maintain different usernames and passwords for different accounts


    Countermeasure: IPSec

    A set of protocols developed by the IETF to support secure exchange of packets at the IP layer.

    Deployed widely to implement Virtual Private Networks (VPNs).

    IPSec supports two encryption modes:

    Transport

    Tunnel

    The sending and receiving devices must share a public key.


    IPSec

    http://h30097.www3.hp.com/unix/ipsec/


    Summary

    In the case of a session hijacking, an attacker relies on the legitimate user to connect and authenticate and then takes over the session.

    In spoofing attacks, the attacker pretends to be another user or machine to gain access.

    Successful session hijacking is extremely difficult and only possible when a number of factors are under the attacker's control.

    Session hijacking can be either active or passive in nature depending on the degree of involvement of the attacker in the attack.

    A variety of tools exist to aid the attacker in perpetrating a session hijack.

    Session hijacking could be very dangerous and there is a need for implementing strict countermeasures.