module 6 session hijacking

MODULE 5 SESSION HIJACKING

Upload: leminhvuong

Post on 07-May-2015

TRANSCRIPT

Page 1: Module 6   Session Hijacking

MODULE 5

SESSION HIJACKING

Page 2: Module 6   Session Hijacking

Faculty of Information Technology – Nong Lam University, Ho Chi Minh City, 2008

Objective

- Session Hijacking
- Difference between Spoofing and Hijacking
- Steps to Conduct a Session Hijacking Attack
- Types of Session Hijacking
- Performing Sequence Number Prediction
- TCP/IP Hijacking
- Session Hijacking Tools
- Countermeasures to Session Hijacking

Page 3: Module 6   Session Hijacking

What is Session Hijacking?

TCP session hijacking is when a hacker takes over a TCP session between two machines

Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine

Page 4: Module 6   Session Hijacking

Spoofing vs. Hijacking

In a spoofing attack, an attacker does not actively take another user offline to perform the attack

He pretends to be another user or machine to gain access

Page 5: Module 6   Session Hijacking

Spoofing vs. Hijacking (cont’d)

With a hijacking, an attacker takes over an existing session, which means he relies on the legitimate user to make a connection and authenticate

Subsequently, the attacker takes over the session

Page 6: Module 6   Session Hijacking

Steps in Session Hijacking

1. Place yourself between the victim and the target (you must be able to sniff the network)

2. Monitor the flow of packets

3. Predict the sequence number

4. Kill the connection to the victim’s machine

5. Take over the session

6. Start injecting packets to the target server

Page 7: Module 6   Session Hijacking

Types of Session Hijacking

Page 8: Module 6   Session Hijacking

The 3-Way Handshake

Page 9: Module 6   Session Hijacking

TCP Concepts 3-Way Handshake

1. Bob initiates a connection with the server. Bob sends a packet to the server with the SYN bit set

2. The server receives this packet and sends back a packet with the SYN bit and an ISN (Initial Sequence Number) for the server

3. Bob sets the ACK bit acknowledging the receipt of the packet and increments the sequence number by 1

4. The two machines have successfully established a session

Page 10: Module 6   Session Hijacking

Sequence Numbers

Sequence numbers are important in providing a reliable communication and are also crucial for hijacking a session

Sequence numbers are a 32-bit counter. Therefore, the possible combinations can be over 4 billion

Sequence numbers are used to tell the receiving machine what order the packets should go in, when they are received

Therefore, an attacker must successfully guess the sequence numbers in order to hijack a session
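Because an injected segment has to claim a sequence range the receiver will accept, a monitor can look for two segments in the same direction that cover the same sequence numbers with different bytes. The following is an added example, not part of the original slides; the record layout, the function name `find_conflicts` and the sample packets are constructed for illustration.

```python
MOD = 2 ** 32  # sequence numbers are a 32-bit counter and wrap around


def find_conflicts(segments):
    """Flag segments that overlap already-seen data with different content.

    segments: iterable of (src, dst, seq, payload) for TCP data segments.
    Returns a list of (src, dst, seq, old_bytes, new_bytes).
    An identical retransmission is normal and is not reported.
    """
    seen = {}        # (src, dst) -> {sequence number: byte value first seen}
    conflicts = []
    for src, dst, seq, payload in segments:
        stream = seen.setdefault((src, dst), {})
        old, new = bytearray(), bytearray()
        for offset, value in enumerate(payload):
            pos = (seq + offset) % MOD          # handle the 2^32 wrap
            if pos in stream and stream[pos] != value:
                old.append(stream[pos])
                new.append(value)
            stream.setdefault(pos, value)       # keep the first version seen
        if old:
            conflicts.append((src, dst, seq, bytes(old), bytes(new)))
    return conflicts


# Constructed sample capture (addresses and payloads are made up).
CLIENT, SERVER = "10.0.0.5:40000", "10.0.0.9:23"
SAMPLE = [
    (CLIENT, SERVER, 4294967293, b"ls -l\n"),   # crosses the wrap, ends at seq 2
    (SERVER, CLIENT, 1000, b"total 0\n"),
    (CLIENT, SERVER, 4294967293, b"ls -l\n"),   # identical retransmission
    (CLIENT, SERVER, 3, b"date\n"),             # next in-order data
    (CLIENT, SERVER, 3, b"echo\n"),             # same range, different bytes
]

if __name__ == "__main__":
    for src, dst, seq, old, new in find_conflicts(SAMPLE):
        print(f"{src} -> {dst} seq={seq}: {old!r} replaced by {new!r}")
```

A long-running monitor would discard bytes once they are acknowledged instead of keeping every byte per stream.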

Page 11: Module 6   Session Hijacking

Sequence Number Prediction

After a client sends a connection request (SYN) packet to the server, the server will respond (SYN-ACK) with a sequence number of its choosing, which then must be acknowledged (ACK) by the client

This sequence number is predictable; the attacker connects to a server first with its own IP address, records the sequence number chosen, then opens a second connection from a forged IP address

The attacker doesn't see the SYN-ACK (or any other packet) from the server, but can guess the correct response

If the source IP address is used for authentication, then the attacker can use the one-sided communication to break into the server
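The predictability described above depends on how the server picks its initial sequence number (ISN). The following added example, not part of the original slides, contrasts a single global counter with the RFC 6528 scheme (ISN = M + F(connection 4-tuple, secret)) and checks a series of ISNs for a constant step. The function names, the step of 64000, the use of HMAC-SHA256 as F and all addresses are assumptions made for illustration.

```python
import hashlib
import hmac

MOD = 2 ** 32  # ISNs are 32-bit and wrap around


def isn_deltas(isns):
    """Differences between successive ISNs, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def looks_predictable(isns, tolerance=0):
    """True when successive ISNs advance by a (near-)constant step."""
    deltas = isn_deltas(isns)
    return len(deltas) >= 2 and max(deltas) - min(deltas) <= tolerance


def legacy_isn(start, n, step=64000):
    """One global counter bumped by a fixed step per connection (illustrative)."""
    return (start + n * step) % MOD


def rfc6528_isn(secret, local, lport, remote, rport, clock):
    """ISN = M + F(4-tuple, secret); M is a timer, F a keyed hash (HMAC here)."""
    four_tuple = f"{local}:{lport}|{remote}:{rport}".encode()
    digest = hmac.new(secret, four_tuple, hashlib.sha256).digest()
    return (clock + int.from_bytes(digest[:4], "big")) % MOD


def sample_legacy(count, start=4294900000):
    """ISNs handed to successive connections, whatever their source address."""
    return [legacy_isn(start, n) for n in range(count)]


def sample_rfc6528(count, secret):
    """Constructed scenario: successive connections from different clients."""
    return [
        rfc6528_isn(secret, "192.0.2.10", 23, f"198.51.100.{i + 1}", 40000 + i,
                    clock=1_000_000 + i * 250_000)
        for i in range(count)
    ]


if __name__ == "__main__":
    print("global counter predictable:", looks_predictable(sample_legacy(6)))
    print("RFC 6528 predictable:",
          looks_predictable(sample_rfc6528(6, b"constructed-secret")))
```

With the keyed scheme, an ISN observed on one connection says nothing about the ISN the server will choose for a connection with a different source address, which is the case the slide describes.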

Page 12: Module 6   Session Hijacking

TCP/IP Hijacking

Page 13: Module 6   Session Hijacking

TCP/IP Hijacking

Page 14: Module 6   Session Hijacking

RST Hijacking

Page 15: Module 6   Session Hijacking

Programs for Session Hijacking

There are several programs available that perform session hijacking

The following are a few that belong in this category:

- Juggernaut
- Hunt
- TTY Watcher
- IP Watcher
- T-Sight
- Paros HTTP Hijacker

Page 16: Module 6   Session Hijacking

Hacking Tool: Juggernaut

Juggernaut is a network sniffer that can be used to hijack TCP sessions. It runs on Linux operating systems

Juggernaut can be set to watch for all network traffic, or it can be given a keyword (e.g. a password) to look out for

The objective of this program is to provide information about ongoing network sessions

The attacker can see all of the sessions and choose a session to hijack

Page 17: Module 6   Session Hijacking

Hacking Tool: Hunt

Hunt is a program that can be used to listen, intercept, and hijack active sessions on a network

Hunt offers:

- Connection management
- ARP spoofing
- Resetting connection
- Watching connection
- MAC address discovery
- Sniffing TCP traffic

Page 18: Module 6   Session Hijacking

Hacking Tool: IP Watcher

http://engarde.com

IP Watcher is a commercial session hijacking tool that allows you to monitor connections and has active facilities for taking over a session

The program can monitor all connections on a network, allowing an attacker to display an exact copy of a session in real-time, just as the user of the session sees the data

Page 19: Module 6   Session Hijacking

Session Hijacking Tool: T-Sight

http://engarde.com

T-Sight is a session hijacking tool for Windows

With T-Sight, you can monitor all of your network connections (i.e. traffic) in real-time, and observe the composition of any suspicious activity that takes place

T-Sight has the capability to hijack any TCP sessions on the network

Due to security reasons, Engarde Systems licenses this software to pre-determined IP addresses

Page 20: Module 6   Session Hijacking

Session Hijacking Tool: T-Sight

Session Hijacking is simple by clicking this button

Page 21: Module 6   Session Hijacking

Remote TCP Session Reset Utility

Page 22: Module 6   Session Hijacking

Paros HTTP Session Hijacking Tool

Paros is a man-in-the-middle proxy and application vulnerability scanner

It allows users to intercept, modify, and debug HTTP and HTTPS data on-the-fly between a web server and a client browser

It also supports spidering, proxy-chaining, filtering, and application vulnerability scanning

Page 23: Module 6   Session Hijacking

Paros Untitled Session

Page 24: Module 6   Session Hijacking

Paros HTTP Session Hijacking Tool

Page 25: Module 6   Session Hijacking

Protecting against Session Hijacking

1. Use encryption

2. Use a secure protocol

3. Limit incoming connections

4. Minimize remote access

5. Educate the employees

Page 26: Module 6   Session Hijacking

Countermeasure: IP Security