hacking module 10
-
8/9/2019 hacking Module 10
1/26
NMCSP2008 Batch-I
Module X
Session Hijacking
-
Scenario
Nick works as a trainee at the purchasing department
of a manufacturing plant. Most transactions are done
online through sessions with the vendors.
He had high job expectations and slogged for hours in the hope of getting a better job role. His boss
was indifferent to his hard work and was more
influenced by the sycophants. After a year, all his
colleagues had been promoted. Nick was flustered.
He decided that it was payback time for his boss.
-
Module Objectives
Spoofing vs. Hijacking
Types of session hijacking
TCP/IP concepts
Performing Sequence prediction
ACK Storms
Session Hijacking Tools
-
Module Flow
Understanding Session Hijacking
Spoofing vs. Hijacking
Session Hijacking Steps
Types of Session Hijacking
TCP 3-way handshake
Session Hijacking Tools
Countermeasures
-
Understanding session hijacking
Understanding the flow of message packets over the Internet by dissecting the TCP stack.
Understanding the security issues involved in the use of the IPv4 standard.
Becoming familiar with the basic attacks possible due to the IPv4 standard.
-
Spoofing vs. Hijacking
A spoofing attack differs from a hijack in that the attacker does not actively take another user offline to perform the attack. Instead, he pretends to be another user or machine to gain access.
[Figure labels: Bob (VICTIM); "I am Bob!"; ATTACKER]
-
Spoofing vs. Hijacking
With hijacking, an attacker takes over an existing session, which means he relies on the legitimate user to make a connection and authenticate. After that, the attacker takes over the session.
[Figure labels: Bob logs on to server; Dial in; "I am Bob!"; Server]
-
Steps in Session Hijacking
1. Tracking the session
2. Desynchronizing the connection
3. Injecting the attacker's packet
-
Types of Session Hijacking
There are two types of Session Hijacking attacks:
Active
In an active attack, an attacker finds an active session and takes over.
Passive
With a passive attack, an attacker hijacks a session and sits back, watching and recording all the traffic that is being sent forth.
-
The 3-Way Handshake
[Figure: packets exchanged between BOB and SERVER]
SYN, Seq: 4000
SYN/ACK, Seq: 4001, Ack: 7000
ACK, Seq: 4002, Ack: 7001
DATA, Seq: 4003, Ack: 7002
DATA, Seq: 4004, Ack: 7003
If the attacker can anticipate the next number Bob will send, he can spoof Bob's address and start communication with the server.
-
Sequence Numbers
Sequence numbers are important in providing
reliable communication, which is crucial for
hijacking a session.
Sequence numbers use a 32-bit counter.
Therefore, there are over 4 billion possible combinations.
Sequence numbers are used to tell the receiving
machine the order the packets need to be
assembled in, once they are all received.
Therefore, an attacker must successfully guess
the sequence number in order to hijack a session.
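Added example (not part of the original slides): a passive monitor that watches one sender's segments and flags the traces a hijack attempt leaves in 32-bit sequence space, namely a segment far outside the receive window (a failed sequence guess), the same sequence number carrying different bytes (an injected packet), and the burst of empty ACKs known as an ACK storm, which the module objectives list. The record format, thresholds and alert names are assumptions made for this sketch.

```python
from collections import namedtuple

MOD = 2 ** 32  # sequence numbers are a 32-bit counter, so they wrap around

# Constructed record for one sender's segment: time (s), seq number, payload
Seg = namedtuple("Seg", "t seq payload")

def seq_diff(a, b):
    """Signed distance a - b in 32-bit sequence space (wrap-around safe)."""
    return ((a - b + MOD // 2) % MOD) - MOD // 2

def analyze(segments, isn, window=65535, storm_acks=20, storm_secs=1.0):
    """Return a list of (alert, time) for one direction of a TCP connection."""
    alerts, seen, ack_times, storm = [], {}, [], False
    expected = (isn + 1) % MOD  # the SYN consumes one sequence number
    for s in segments:
        if not s.payload:
            # Desynchronized peers keep answering each other's unacceptable
            # ACKs, which a monitor sees as a dense burst of empty segments.
            ack_times = [t for t in ack_times if s.t - t <= storm_secs] + [s.t]
            if len(ack_times) >= storm_acks and not storm:
                alerts.append(("ack-storm", s.t))
                storm = True
            continue
        d = seq_diff(s.seq, expected)
        if s.seq in seen:
            # Same sequence number, different bytes: two senders in one stream.
            if seen[s.seq] != s.payload:
                alerts.append(("conflicting-data", s.t))
        elif abs(d) > window:
            # Far outside the receive window, e.g. a failed sequence guess.
            alerts.append(("out-of-window", s.t))
        else:
            seen[s.seq] = s.payload
            if d == 0:  # only in-order data advances the expected number
                expected = (s.seq + len(s.payload)) % MOD
    return alerts

# Constructed sample: ISN 4000, two normal segments, a second segment that
# reuses seq 4006 with other bytes, a wild guess, then 25 rapid empty ACKs.
SAMPLE = [Seg(0.1, 4001, b"hello"), Seg(0.2, 4006, b"ls\n"),
          Seg(0.3, 4006, b"id\n"), Seg(0.4, 900000000, b"x")]
SAMPLE += [Seg(0.5 + i * 0.01, 4009, b"") for i in range(25)]

if __name__ == "__main__":
    for alert in analyze(SAMPLE, isn=4000):
        print(alert)
```

The sketch does no reassembly: out-of-order data inside the window is recorded but does not advance the expected sequence number.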
-
Programs that perform Session Hijacking
There are several programs available that perform session hijacking.
Following are a few that belong in this category:
Juggernaut
Hunt
TTY Watcher
IP Watcher
T-Sight
-
Hacking Tool: Hunt
http://lin.fsid.cvut.cz/~kra/index.html
Hunt is a program that can be used to listen, intercept, and hijack active sessions on a network.
Hunt offers:
Connection management
ARP Spoofing
Resetting Connections
Watching Connections
MAC Address discovery
Sniffing TCP traffic
-
Hacking Tool: TTY Watcher
http://www.cerias.purdue.edu
TTY-watcher is a utility to monitor and control users on
a single system.
Anything the user types into a monitored TTY window will be sent to the underlying process. In this way the
login session is being shared with another user.
After a TTY has been stolen, it can be returned to the
user as though nothing happened.
(Available only for Sun Solaris Systems.)
-
Hacking Tool: IP watcher
http://engarde.com
IP watcher is a commercial
session hijacking tool that allows
one to monitor connections and
has active countermeasures for
taking over a session.
The program can monitor all
connections on a network
allowing an attacker to display an
exact copy of a session in real-time.
-
T-Sight
http://engarde.com
T-Sight, an advanced intrusion investigation and response tool for Windows NT and Windows 2000, can assist when an attempt at a break-in or compromise occurs.
With T-Sight one can monitor all the network connections (i.e. traffic) in real-time and observe any suspicious activity that takes place.
T-Sight has the capability to hijack any TCP session on the network.
For security reasons, Engarde Systems licenses this software to a pre-determined IP address.
-
Remote TCP Session Reset Utility
-
Scenario (contd.)
Nick captures the authentication token of his boss' session with the supply vendors and gets access to all of the vital information to take over his account.
What next?
He can impersonate his boss
Place orders
Cause loss of goodwill with the vendors
Circulate malicious stuff from his boss's account
Change the account password and cause closure of the account leading to the loss of important documents
-
Dangers posed by Hijacking
1. Most computers are vulnerable
2. Little can be done to protect against it
3. Hijacking is simple to launch
4. Most countermeasures do not work
5. Hijacking is very dangerous (theft of identity, fraud, etc.)
-
Protecting against Session Hijacking
1. Use Encryption
2. Use a secure protocol
3. Limit incoming connections
4. Minimize remote access
5. Have strong authentication
6. Educate the employees
7. Maintain different usernames and passwords for different accounts
-
Countermeasure: IPSec
A set of protocols developed by the IETF to support secure exchange of packets at the IP layer.
Deployed widely to implement Virtual Private Networks (VPNs).
IPSec supports two encryption modes:
Transport
Tunnel
The sending and receiving devices must share a public key.
-
IPSec
http://h30097.www3.hp.com/unix/ipsec/
-
Summary
In the case of a session hijacking, an attacker relies on the legitimate user to connect and authenticate and then takes over the session.
In spoofing attacks, the attacker pretends to be another user or machine to gain access.
Successful session hijacking is extremely difficult and only possible when a number of factors are under the attacker's control.
Session hijacking can be either active or passive in nature depending on the degree of involvement of the attacker in the attack.
A variety of tools exist to aid the attacker in perpetrating a session hijack.
Session hijacking could be very dangerous and there is a need for implementing strict countermeasures.