CIS 450 – Network Security

slurpslapoutNetworking and Communications

Nov 20, 2013 (3 years and 11 months ago)


CIS 450


Chapter 5

Session Hijacking


the process of taking over an
existing active session

Attacker wants to bypass the authentication
process and gain access

Attacker takes the legitimate user offline
(usually with a DoS attack) and then takes
over that user’s session

Concentrates on taking over session oriented
applications: HTTP, FTP, and Telnet

Spoofing versus Hijacking

In spoofing the attacker pretends to be
someone else (either a person or a machine)
to gain access. The real user plays no role in
the attack

In hijacking, the attacker is taking over an
existing session and takes the legitimate user

Types of Session Hijacking

Passive Attack

An attacker hijacks the session but just sits back
and watches and records all of the traffic. Used to
find out passwords and source code.

Active Attack

Forces the user offline, takes over the session and
executes commands

Hybrid Attack

Starts out passive and then becomes active

Watch a session and periodically inject data into the
active session without actually taking it over

TCP/IP Concepts

Seven Layer OSI Model

TCP (Transmission Control Protocol) and UDP
(User Datagram Protocol) are at layer 4
(Transport layer)

IP (Internet Protocol) resides at layer 3
(Network layer)

Whether you use TCP or UDP, you still use IP
as your layer 3 protocol

TCP is reliable; UDP is not


Provides reliable delivery services

Is connection
oriented which means that a
connection must be established between the
communicating nodes before the protocol will
transmit data

Connection has to be acknowledged that packets
have been received

Done through three
way handshake

Way Handshake

First Leg

User sends a packet to the server with the
synchronization (SYN) bit set

The SYN bit set is an indication that the value
in the sequence number (SN) field is valid

A value is put into the initial sequence (ISN)

Way Handshake

Second Leg

Server receives packet

Sends back a packet with the SYN bit set and an
ISN for the server

Sets the Acknowledgement (ACK) bit that received
the first packet and increments user’s ISN by 1

Way Handshake

Third Leg

User sets the ACK bit acknowledging the receipt of
the server’s packet by incrementing the server’s
sequence number (SN
S) by 1

At this point, the two machines have established a
session and can begin communicating

Sequence Numbers

A 32
bit counter with over 4 billion possible

Are used to tell the receiving machine what
order the packets should go in when they are

The receiving machine uses sequence
numbers to tell the sender which packets
have been received and which ones have
not, so that the sender can resend the lost

Sequence Numbers

There is sequence number for the sender and
one for the recipient

The sender’s sequence number is used when
sending a packet and is the receiver’s

If the recipient is also sending (new) data
back to the sender then the recipient’s
sequence number is used by both parties


Steps in Session Hijacking

Find a target

Attacker wants the target to be a server that allows
oriented connections like telnet and FTP

Wants to make sure that he can gain access to the target
beforehand (through the firewall) to sample the sequence

Perform sequence prediction


Attacker connects to a machine several times to see how
the numbers change over time

Find an active session

Wants to perform attack when there is a lot of traffic
(less suspicious)

Steps in Session Hijacking

Guess the sequence numbers

IP address, port address, and sequence number is
required for two parties to connect

IP addresses and the port are listed in the IP packets and
do not change throughout the session

Attacker must successfully guess sequence number or
the server will try to re
synch with the original system

Take one of the parties offline

Launch a Denial of Service (DoS) attack against the
system so it can no longer respond

Client computer is normally taken offline since attacker
wants to hijack a session with a server

Steps in Session Hijacking

Take over the session

Attacker starts sending packets to the server and
takes over the session

Attacker spoofs the source information and
sequence number

Attacker is flying blind since he does not receive any
of the response packets

Critical for the attacker to predict what the server is
going to do

In simplest sense attacker wants to send packets to
a telnet session that creates a new account so he
can get back on the machine whenever he wants

ACK Storms

Adverse side affect of a hijacked session

Occurs when an attacker starts to take over a
session and sends spoofed packets

If sequence numbers are not correct server
tries to re
synch them by sending SYN and
ACK packets back to the original client which
in turn responds with its own SYN and ACK

Also can occur if hijacked user is not taken
offline with DoS

Programs the Perform Hijacking


Network sniffer running on Linux that can also be used to hijack TCP sessions

Juggernaut can be activated to watch all network traffic on the local network, or can be set to
listen for a special "token“ (keyword login). For example, Juggernaut can be configured to
wait for the login prompt, and then record the network traffic that follows (usually capturing
the password). By doing so, this tool can be used to historically capture certain types of traffic
by simply leaving the tool running for a few days, and then the attacker just has to pick up the
log file that contains the recorded traffic. This is different than regular network sniffers that
record all network traffic making the log files extremely huge (and thus easy to detect).

Main feature of this program is its ability to maintain a connection database. This means an
attacker can watch all the TCP based connection made on the local network, and possibly
"hijack" the session. After the connection is made, the attacker can watch the entire session
(for a telnet session, this means the attacker sees the "playback" of the entire session. This is
like actually seeing the telnet window).

When an active session is watched, the attacker can perform some actions on that
connection, besides passively watching it. Juggernaut is capable of resetting the connection
(which basically means terminating it), and also hijacking the connection

allowing the
attacker to insert commands in the session or even to completely take the session into
his/her hands (resetting connection on the legitimate client).

Programs the Perform Hijacking


Hijacking software has the following functionality features:

Connection management

* Setting what connections you are interested in.

* Detecting an ongoing connection (not only SYN started).

* Normal active hijacking with the detection of the ACK storm.

* ARP spoofed/Normal hijacking with the detection of successful ARP spoof.

* Synchronization of the true client with the server after hijacking (so that the
connection don't have to be reset).

* Resetting connection.

* Watching connection.


* Reset daemon for automatic connection resetting.

* ARP spoof/relayer daemon for ARP spoofing of hosts with the ability to relay all
packets from spoofed hosts.

* MAC discovery daemon for collecting MAC addresses.

* Sniff daemon for logging TCP traffic with the ability to search for a particular string.

Host Resolving

* Deferred host resolving through dedicated DNS helper servers.

Packet engine

* Extensible packet engine for watching TCP, UDP, ICMP and ARP traffic.

* Collecting TCP connections with sequence numbers and the ACK storm detection.


* Determining which hosts are up.

The tool was written by: Pavel Krauz.

Programs the Perform Hijacking

TTY Watcher

Platform :Solaris, SunOS

Watcher is a utility to monitor and control users on a
single system. It is based on IP
Watcher utility, which can be
used to monitor and control users on an entire network. It is
similar to advise or tap, but with many more advanced
features and a user friendly (either X
Windows or text)
interface. TTY
Watcher allows the user to monitor every tty
on the system, as well as interact with them by: to the real
owner of the TTY without interfering with the commands he's
typing. The message will only be displayed on his screen
and will not be sent to the underlying process. Aside from
monitoring and controlling TTYs, individual connections can
be logged to either a raw logfile for later playback (somewhat
like a VCR) or to a text file.

Programs the Perform Hijacking

IP Watcher

Dangers Posed by Hijacking

Most computers are vulnerable

Is inherent with how TCP/IP works

Little can be done to prevent it

Other than encryption there is little that can be
done to prevent it

Is simple (with the proper software)

While very complex and to perform manually
takes someone very skilled with a lot of time
there are a number of programs available

Dangers Posed by Hijacking

Is Very Dangerous

Operating System Independent

Can be used in both passive (capture
sensitive information and passwords) and
active (gain access and compromise a
machine) attacks

Most Countermeasures Do Not Work

Protecting Against Session Hijacking

Use encryption

If attacker can not read the data that is transmitted it is
much more difficult to hijack the session

Make sure that the host participating in the encryption
is not compromised

All connections coming from the Internet must be
encrypted as well as connections where sensitive data
can be transmitted

Ideally you want all traffic on your network to be

Kerberos built into Windows 2000 and IPv6 has
encryption built into the protocl

Protecting Against Session Hijacking

Use a secure protocol

ell) or secure telnet

VPN technologies that can go from client to

Limit incoming connections

Block as much traffic as possible at both the
external router and the firewall

Protecting Against Session Hijacking

Minimize (outgoing) remote access

Have strong authentication (least effective)

User has to re
authenticate at random
intervals throughout the session