CIS 450 – Network Security


Nov 20, 2013


CIS 450 Network Security

Chapter 5


Session Hijacking


Definition


The process of taking over an existing active session


Attacker wants to bypass the authentication
process and gain access


Attacker takes the legitimate user offline
(usually with a DoS attack) and then takes
over that user’s session


Concentrates on taking over session-oriented
applications: HTTP, FTP, and Telnet


Spoofing versus Hijacking


In spoofing the attacker pretends to be
someone else (either a person or a machine)
to gain access. The real user plays no role in
the attack


In hijacking, the attacker takes over an existing
session and takes the legitimate user offline

Types of Session Hijacking


Passive Attack


An attacker hijacks the session but just sits back
and watches and records all of the traffic. Used to
find out passwords and source code.


Active Attack


Forces the user offline, takes over the session and
executes commands


Hybrid Attack


Starts out passive and then becomes active


Watch a session and periodically inject data into the
active session without actually taking it over

TCP/IP Concepts


Seven Layer OSI Model


TCP (Transmission Control Protocol) and UDP
(User Datagram Protocol) are at layer 4
(Transport layer)


IP (Internet Protocol) resides at layer 3
(Network layer)


Whether you use TCP or UDP, you still use IP
as your layer 3 protocol


TCP is reliable; UDP is not

TCP


Provides reliable delivery services


Is connection-oriented, which means that a
connection must be established between the
communicating nodes before the protocol will
transmit data


The receiver has to acknowledge that packets
have been received


Done through the three-way handshake

Three-Way Handshake


First Leg


User sends a packet to the server with the
synchronization (SYN) bit set


The SYN bit set is an indication that the value
in the sequence number (SN) field is valid


A value is put into the initial sequence number
(ISN) field




Three-Way Handshake


Second Leg


Server receives packet


Sends back a packet with the SYN bit set and an
ISN for the server


Sets the Acknowledgement (ACK) bit to show that it
received the first packet, with the acknowledgement
number set to the user's ISN incremented by 1


Three-Way Handshake


Third Leg


User sets the ACK bit, acknowledging the receipt of
the server's packet by incrementing the server's
sequence number (SN-S) by 1


At this point, the two machines have established a
session and can begin communicating

Sequence Numbers


A 32-bit counter with over 4 billion possible
values


Are used to tell the receiving machine what
order the packets should go in when they are
received


The receiving machine uses sequence
numbers to tell the sender which packets
have been received and which ones have
not, so that the sender can resend the lost
packets

Sequence Numbers


There is a sequence number for the sender and
one for the recipient


The sender's sequence number is used when
sending a packet and is echoed back in the
receiver's acknowledgement


If the recipient is also sending (new) data
back to the sender then the recipient’s
sequence number is used by both parties


Tcpdump/windump - http://windump.polito.it/install/default.htm
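As an added illustration (not part of the original slides), a Python model of both endpoints' sequence-number bookkeeping across the three legs and the data that follows. `Endpoint`, `Segment` and `handshake` are names chosen here, and the receive-window check in `accept` is a simplified version of what a real stack does; it shows why a segment carrying a sequence number the receiver is not expecting is simply discarded rather than inserted into the session.

```python
from dataclasses import dataclass
from typing import Optional

MOD = 1 << 32  # sequence numbers are a 32-bit counter


@dataclass
class Segment:
    seq: int                  # sequence number of the first byte (or of the SYN)
    ack: Optional[int]        # acknowledgement: next byte the sender expects
    syn: bool = False
    data: bytes = b""


class Endpoint:
    """One side of a connection: snd_nxt is our next sequence number,
    rcv_nxt is the sequence number we expect next from the peer."""

    def __init__(self, isn, window=65535):
        self.snd_nxt = isn     # starts at the initial sequence number (ISN)
        self.rcv_nxt = None    # unknown until the peer's SYN arrives
        self.window = window
        self.received = b""

    def send(self, data=b"", syn=False):
        seg = Segment(self.snd_nxt, self.rcv_nxt, syn, data)
        # a SYN consumes one sequence number, data consumes one per byte
        self.snd_nxt = (self.snd_nxt + len(data) + (1 if syn else 0)) % MOD
        return seg

    def accept(self, seg):
        """Return True if the segment is accepted into the stream."""
        if seg.syn and self.rcv_nxt is None:
            self.rcv_nxt = (seg.seq + 1) % MOD   # peer's ISN + 1
            return True
        if (seg.seq - self.rcv_nxt) % MOD >= self.window:
            return False   # outside the receive window: stale or forged
        if seg.seq != self.rcv_nxt:
            return False   # in window but out of order; a real stack queues it
        self.received += seg.data
        self.rcv_nxt = (self.rcv_nxt + len(seg.data)) % MOD
        return True


def handshake(client, server):
    leg1 = client.send(syn=True)   # leg 1: SYN, seq = client ISN
    server.accept(leg1)
    leg2 = server.send(syn=True)   # leg 2: SYN+ACK, seq = server ISN, ack = client ISN + 1
    client.accept(leg2)
    leg3 = client.send()           # leg 3: ACK, seq = client ISN + 1, ack = server ISN + 1
    server.accept(leg3)
    return leg1, leg2, leg3
```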

Steps in Session Hijacking


Find a target


Attacker wants the target to be a server that allows
session-oriented connections like telnet and FTP


Wants to make sure that he can gain access to the target
beforehand (through the firewall) to sample the sequence
number


Perform sequence prediction


Use NMAP


Attacker connects to a machine several times to see how
the numbers change over time


Find an active session


Wants to perform attack when there is a lot of traffic
(less suspicious)

Steps in Session Hijacking


Guess the sequence numbers


IP address, port number, and sequence number are
required for two parties to connect


IP addresses and the port are listed in the IP packets and
do not change throughout the session


Attacker must successfully guess sequence number or
the server will try to re-synch with the original system


Take one of the parties offline


Launch a Denial of Service (DoS) attack against the
system so it can no longer respond


Client computer is normally taken offline since attacker
wants to hijack a session with a server


Steps in Session Hijacking


Take over the session


Attacker starts sending packets to the server and
takes over the session


Attacker spoofs the source information and
sequence number


Attacker is flying blind since he does not receive any
of the response packets


Critical for the attacker to predict what the server is
going to do


In simplest sense attacker wants to send packets to
a telnet session that creates a new account so he
can get back on the machine whenever he wants


ACK Storms


Adverse side effect of a hijacked session


Occurs when an attacker starts to take over a
session and sends spoofed packets


If sequence numbers are not correct server
tries to re-synch them by sending SYN and
ACK packets back to the original client, which
in turn responds with its own SYN and ACK
packets


Also can occur if hijacked user is not taken
offline with DoS
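An added example, not from the slides: a detector for the ACK-storm pattern run over constructed packet records (the record layout, host addresses and thresholds are assumptions made here). A storm shows up as a burst of payload-less ACKs between two hosts in which each direction keeps repeating the same acknowledgement number, because neither side accepts the other's data; a healthy session's ACK numbers keep advancing.

```python
from collections import defaultdict

# Constructed packet records: (time, src, dst, flags, seq, ack, payload_len).
# A "pure ACK" is a segment with flags "A" and no payload.


def flow_key(src, dst):
    return tuple(sorted((src, dst)))   # same key for both directions


def detect_ack_storms(packets, window=1.0, threshold=20):
    """Return flows with >= threshold pure ACKs inside `window` seconds
    where each direction repeats a single ack number (nobody advances)."""
    per_flow = defaultdict(list)
    for t, src, dst, flags, seq, ack, plen in packets:
        if flags == "A" and plen == 0:
            per_flow[flow_key(src, dst)].append((t, src, ack))
    alerts = []
    for key, acks in per_flow.items():
        acks.sort()
        start = 0
        for end in range(len(acks)):
            while acks[end][0] - acks[start][0] > window:
                start += 1
            burst = acks[start:end + 1]
            if len(burst) < threshold:
                continue
            per_dir = defaultdict(set)
            for _, src, ack in burst:
                per_dir[src].add(ack)
            if all(len(seen) == 1 for seen in per_dir.values()):
                alerts.append(key)
                break            # one alert per flow is enough
    return alerts


def sample_packets():
    """Constructed traffic: a healthy telnet session and a stormy one."""
    pkts = []
    # healthy: client keystrokes, server ACKs whose ack number advances
    for i in range(30):
        t = i * 0.1
        pkts.append((t, "10.0.0.5:40000", "10.0.0.1:23", "PA", 1000 + i, 5000, 1))
        pkts.append((t + 0.01, "10.0.0.1:23", "10.0.0.5:40000", "A", 5000, 1001 + i, 0))
    # storm: both sides fire empty ACKs with fixed ack numbers, milliseconds apart
    for i in range(40):
        t = 10 + i * 0.002
        pkts.append((t, "10.0.0.7:40001", "10.0.0.1:23", "A", 2000, 7000, 0))
        pkts.append((t + 0.001, "10.0.0.1:23", "10.0.0.7:40001", "A", 7000, 2000, 0))
    return pkts
```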

Programs that Perform Hijacking


Juggernaut


Network sniffer running on Linux that can also be used to hijack TCP sessions


Juggernaut can be activated to watch all network traffic on the local network, or can be set to
listen for a special "token" (keyword login). For example, Juggernaut can be configured to
wait for the login prompt, and then record the network traffic that follows (usually capturing
the password). By doing so, this tool can be used to historically capture certain types of traffic
by simply leaving the tool running for a few days, and then the attacker just has to pick up the
log file that contains the recorded traffic. This is different than regular network sniffers that
record all network traffic making the log files extremely huge (and thus easy to detect).


The main feature of this program is its ability to maintain a connection database. This means an
attacker can watch all the TCP-based connections made on the local network, and possibly
"hijack" the session. After the connection is made, the attacker can watch the entire session
(for a telnet session, this means the attacker sees the "playback" of the entire session. This is
like actually seeing the telnet window).


When an active session is watched, the attacker can perform some actions on that
connection, besides passively watching it. Juggernaut is capable of resetting the connection
(which basically means terminating it), and also hijacking the connection, allowing the
attacker to insert commands in the session or even to completely take the session into
his/her hands (resetting the connection on the legitimate client).


Programs that Perform Hijacking


Hunt is hijacking software with the following features:


http://www.skynet.ie/~syfer/tutorials/sessionhijacking.htm


Connection management

* Setting what connections you are interested in.

* Detecting an ongoing connection (not only SYN started).

* Normal active hijacking with the detection of the ACK storm.

* ARP spoofed/Normal hijacking with the detection of successful ARP spoof.

* Synchronization of the true client with the server after hijacking (so that the
connection doesn't have to be reset).

* Resetting connection.

* Watching connection.


Daemons

* Reset daemon for automatic connection resetting.

* ARP spoof/relayer daemon for ARP spoofing of hosts with the ability to relay all
packets from spoofed hosts.

* MAC discovery daemon for collecting MAC addresses.

* Sniff daemon for logging TCP traffic with the ability to search for a particular string.


Host Resolving

* Deferred host resolving through dedicated DNS helper servers.


Packet engine

* Extensible packet engine for watching TCP, UDP, ICMP and ARP traffic.

* Collecting TCP connections with sequence numbers and the ACK storm detection.


Misc.

* Determining which hosts are up.


The tool was written by: Pavel Krauz.




Programs that Perform Hijacking


TTY Watcher


Platform: Solaris, SunOS



TTY-Watcher is a utility to monitor and control users on a
single system. It is based on the IP-Watcher utility, which can be
used to monitor and control users on an entire network. It is
similar to advise or tap, but with many more advanced
features and a user friendly (either X-Windows or text)
interface. TTY-Watcher allows the user to monitor every tty
on the system, as well as interact with them by: to the real
owner of the TTY without interfering with the commands he's
typing. The message will only be displayed on his screen
and will not be sent to the underlying process. Aside from
monitoring and controlling TTYs, individual connections can
be logged to either a raw logfile for later playback (somewhat
like a VCR) or to a text file.

Programs that Perform Hijacking


IP Watcher


http://www.engarde.com/software/ipwatcher/features/monitoring.php

Dangers Posed by Hijacking


Most computers are vulnerable


Is inherent in how TCP/IP works


Little can be done to prevent it


Other than encryption there is little that can be
done to prevent it


Is simple (with the proper software)


While it is very complex to perform manually and
takes someone very skilled with a lot of time,
there are a number of programs available that do it

Dangers Posed by Hijacking


Is Very Dangerous


Operating System Independent


Can be used in both passive (capture
sensitive information and passwords) and
active (gain access and compromise a
machine) attacks


Most Countermeasures Do Not Work



Protecting Against Session Hijacking


Use encryption


If the attacker cannot read the data that is transmitted, it is
much more difficult to hijack the session


Make sure that the hosts participating in the encryption
are not compromised


All connections coming from the Internet must be
encrypted as well as connections where sensitive data
can be transmitted


Ideally you want all traffic on your network to be
encrypted


Kerberos is built into Windows 2000, and IPv6 has
encryption built into the protocol



Protecting Against Session Hijacking


Use a secure protocol


SSH (Secure SHell) or secure telnet


VPN technologies that can go from client to
server


Limit incoming connections


Block as much traffic as possible at both the
external router and the firewall

Protecting Against Session Hijacking


Minimize (outgoing) remote access


Have strong authentication (least effective)


User has to re-authenticate at random
intervals throughout the session