Module 6 Session Hijacking
MODULE 5
SESSION HIJACKING
Khoa CNTT – ĐH Nông Lâm TP. HCM 2008 2/25
Objective
Session Hijacking
Difference between Spoofing and Hijacking
Steps to Conduct a Session Hijacking Attack
Types of Session Hijacking
Performing Sequence Number Prediction
TCP/IP Hijacking
Session Hijacking Tools
Countermeasures to Session Hijacking
What is Session Hijacking?
TCP session hijacking is when a hacker takes over a TCP session between two machines
Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine
Spoofing vs. Hijacking
In a spoofing attack, an attacker does not actively take another user offline to perform the attack
He pretends to be another user or machine to gain access
Spoofing vs. Hijacking (cont’d)
With a hijacking, an attacker takes over an existing session, which means he relies on the legitimate user to make a connection and authenticate
Subsequently, the attacker takes over the session
Steps in Session Hijacking
1. Place yourself between the victim and the target (you must be able to sniff the network)
2. Monitor the flow of packets
3. Predict the sequence number
4. Kill the connection to the victim’s machine
5. Take over the session
6. Start injecting packets to the target server
Types of Session Hijacking
The 3-Way Handshake
TCP Concepts 3-Way Handshake
1. Bob initiates a connection with the server. Bob sends a packet to the server with the SYN bit set
2. The server receives this packet and sends back a packet with the SYN bit and an ISN (Initial Sequence Number) for the server
3. Bob sets the ACK bit acknowledging the receipt of the packet and increments the sequence number by 1
4. The two machines have successfully established a session
Sequence Numbers
Sequence numbers are important in providing reliable communication and are also crucial for hijacking a session
Sequence numbers are a 32-bit counter. Therefore, the possible combinations can be over 4 billion
Sequence numbers are used to tell the receiving machine what order the packets should go in when they are received
Therefore, an attacker must successfully guess the sequence numbers in order to hijack a session
Sequence Number Prediction
After a client sends a connection request (SYN) packet to the server, the server will respond (SYN-ACK) with a sequence number of its choosing, which then must be acknowledged (ACK) by the client
This sequence number is predictable; the attacker connects to a server first with its own IP address, records the sequence number chosen, then opens a second connection from a forged IP address
The attacker doesn't see the SYN-ACK (or any other packet) from the server, but can guess the correct response
If the source IP address is used for authentication, then the attacker can use the one-sided communication to break into the server
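Why the server's choice of ISN matters, as an added example that is not part of the original slides: a generator that steps a global counter by a fixed amount per connection, next to an RFC 6528 style generator (ISN = M + F(4-tuple, secret)), with a check a defender can run over sampled ISNs. The class and function names, the 64000 step, the addresses and timer values, and the use of HMAC-SHA256 as F are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

MOD = 2 ** 32
LEGACY_STEP = 64000  # assumed fixed per-connection increment (illustrative)


class LegacyISN:
    """Global counter bumped by a fixed step per connection: predictable."""

    def __init__(self, start=1000):
        self.counter = start

    def next_isn(self, four_tuple, clock):
        # Ignores who is connecting; every peer observes the same series.
        self.counter = (self.counter + LEGACY_STEP) % MOD
        return self.counter


class KeyedISN:
    """RFC 6528 style: ISN = M + F(4-tuple, secret), M being a timer."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)

    def next_isn(self, four_tuple, clock):
        msg = "|".join(str(part) for part in four_tuple).encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        offset = struct.unpack(">I", digest[:4])[0]
        return (clock + offset) % MOD


def deltas_are_constant(gen, probes=8):
    """Sample ISNs handed to different client addresses (constructed data)
    and report whether every successive difference is identical."""
    isns = []
    for i in range(probes):
        four_tuple = ("192.0.2.%d" % (i + 1), 40000 + i, "198.51.100.10", 513)
        isns.append(gen.next_isn(four_tuple, clock=i * 250))
    deltas = {(b - a) % MOD for a, b in zip(isns, isns[1:])}
    return len(deltas) == 1


if __name__ == "__main__":
    print("legacy predictable:", deltas_are_constant(LegacyISN()))
    print("keyed predictable: ", deltas_are_constant(KeyedISN()))
```

With the keyed generator, an ISN observed on one connection says nothing about the ISN issued to a different source address, while the same 4-tuple still sees values that advance with the timer.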
TCP/IP Hijacking
RST Hijacking
Programs for Session Hijacking
There are several programs available that perform session hijacking
The following are a few that belong in this category: Juggernaut, Hunt, TTY Watcher, IP Watcher, T-Sight, Paros HTTP Hijacker
Hacking Tool: Juggernaut
Juggernaut is a network sniffer that can be used to hijack TCP sessions. It runs on Linux operating systems
Juggernaut can be set to watch for all network traffic, or it can be given a keyword (e.g. a password) to look out for
The objective of this program is to provide information about ongoing network sessions
The attacker can see all of the sessions and choose a session to hijack
Hacking Tool: Hunt
Hunt is a program that can be used to listen, intercept, and hijack active sessions on a network
Hunt offers: connection management, ARP spoofing, resetting connection, watching connection, MAC address discovery, sniffing TCP traffic
Hacking Tool: IP Watcher
http://engarde.com
IP Watcher is a commercial session hijacking tool that allows you to monitor connections and has active facilities for taking over a session
The program can monitor all connections on a network, allowing an attacker to display an exact copy of a session in real-time, just as the user of the session sees the data
Session Hijacking Tool: T-Sight
http://engarde.com
T-Sight is a session hijacking tool for Windows
With T-Sight, you can monitor all of your network connections (i.e. traffic) in real-time, and observe the composition of any suspicious activity that takes place
T-Sight has the capability to hijack any TCP sessions on the network
For security reasons, Engarde Systems licenses this software to pre-determined IP addresses
Session Hijacking Tool: T-Sight
Session hijacking is simple by clicking this button
Remote TCP Session Reset Utility
Paros HTTP Session Hijacking Tool
Paros is a man-in-the-middle proxy and application vulnerability scanner
It allows users to intercept, modify, and debug HTTP and HTTPS data on-the-fly between a web server and a client browser
It also supports spidering, proxy-chaining, filtering, and application vulnerability scanning
Paros Untitled Session
Protecting against Session Hijacking
1. Use encryption
2. Use a secure protocol
3. Limit incoming connections
4. Minimize remote access
5. Educate the employees
Countermeasure: IP Security