CHAPTER 10

Session Hijacking

INTRODUCTION

The act of taking over a connection of some sort, for examples, network connection, a modem connection or other type of connection.

If compared with sniffing, session hijacking is an active attack, sniffing is a passive attack.

The point of hijacking a connection is to exploit trust.

As example, imagine we are able to monitor traffic between two machines, one is a server and other is a client.

We can catch the root user logging in via Telnet and we have successfully stolen the password.

TYPES OF HIJACKING

TCP Session Hijacking In TCP Hijacking, an attacker pay attention to all

the details that go into a TCP connection. TCP connection include things like sequence

numbers, TCP headers, ACK packets, etc. TCP connection starts out with the standard TCP

three-way handshake: the client sends a SYN packet, the server sends a SYN-ACK packet and the client responds with an ACK packet and starts to end data or wait for the server to send.

TYPES OF HIJACKING

An attacker can hijack the connection in some ways, such as, during the initial handshake or before the authentication phase had completed.

TCP Session Hijacking with Packet Blocking Without packet blocking, an attacker only can

inject packets but not remove them. In this technique, an attacker has completely

controls the transmission of packets between two hosts.

In fact, such systems to take over connections in this manner exist today we call them transparent firewalls.

TYPES OF HIJACKING

TCP Session Hijacking Tools There are two widely known tools that can be

used for session hijacking: Juggernaut Juggernaut was written by route, editor of Phrack

magazine. It has two operating modes: The first to act as a sniffer of sorts, triggering on

a particular bit of data. The second is to act as session hijacker and

connection reset.

TYPES OF HIJACKING

Hunt Hunt is a tool created by Pavel Krauz. Like Juggernaut, Hunt has sniffing modes and

session hijacking modes. Unlike Juggernaut, Hunt adds some ARP tools to

perform ARP spoofing in order to get victim hosts to go through an attacking machine.

Hunt also can eliminate the ACK storm problems typically associated with a TCP session hijack.

TYPES OF HIJACKING

UDP Session Hijacking In UDP session hijacking, an attacker doesn’t

need features like TCP, for example, sequence numbers and ACK mechanism to do session hijacking.

Terminal Session These attacks taking place in the wild back in the

beginning of 1995. In this attack, an attacker concern on connection

between terminal.

HIJACKING PROTECTION

There are a couple of techniques that can be employed to protect specific hijacking attempts.

Encryption Ssh Ssh can replaced the functionality of Telnet, ftp,

rlogin and rcp. In addition, we can tunnel other protocols like

HTTP over an Ssh connection. SSL It is obviously available for Web server where it

is most widely deployed.

HIJACKING PROTECTION

It also can be used with POP, SMTP and IMAP. Storm Watchers This technique is used to watch for something

that doesn’t match retransmission and duplicate packets.

Basically this is the IDS approach.