Sunday, 3 February 2013

TCP Session Hijacking


History

In 1995 the Lawrence Livermore National Laboratories (llnl.gov) issued
an Advisory Notice warning Internet users of a new type of active
attack known as a “Hijacked Session Attack”. By following the detail of
the advisory, a remote attacker could take over a user's interactive
session (e.g. telnet) to a remote host, and execute commands as if they
were that user.
In 1999 'kra' (kra@gncz.cz) released a now well-known tool called
hunt. Rather than take over a user's session in its entirety, hunt could
simply intercept the TCP packets from the source host (e.g. an HTTP
server), modify their contents, and send the modified version of the
packet on to the end user without them knowing what was happening.

Passive and Active Sniffing Attacks

Passive attacks (sniffing a username/password combination and
abusing it) are fairly common on the Internet today. With the advent of
one-time password protocols such as S/Key and ticketing authentication
protocols such as Kerberos, passive attacks are becoming more and
more difficult (although not entirely impossible).
While these methods may prevent password sniffing on a network,
they do not prevent active attacks on the TCP data stream itself (Kerberos
can provide an encrypted TCP stream option). Many people are under the
false impression that these attacks are more difficult, and therefore of a
lesser risk, than passive attacks.

Session Hijacking

There are two main types of session hijacking attack:
• Man-in-the-middle.
• Complete hijack.

Both of these rely on being able to predict the TCP sequence numbers of
packets being exchanged between a client and server. In order to
understand how both types of attack work, an understanding of TCP
connections is required. To explain this, we will take you through the
negotiation of a simple telnet session.
The following terms will be used for this explanation:
• SVR_SEQ - Sequence number of the next byte to be sent by the
server.
• SVR_ACK - Next byte to be received by the server (the sequence
number of the last byte received plus one).
• SVR_WIND - Server's receive window.
• CLT_SEQ - Sequence number of the next byte to be sent by the
client.
• CLT_ACK - Next byte to be received by the client.
• CLT_WIND - Client's receive window.
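As an added illustration (not part of the original post), the following Python model tracks the bookkeeping behind these six terms across a three-way handshake and a short exchange of data; the initial sequence numbers and window sizes are made up. It shows that once the connection is established each side's SEQ equals the other side's ACK, and that a receiver only accepts a segment whose sequence number lies inside its window, which is why both attacks described above depend on knowing the sequence numbers in use.

```python
"""Model of TCP SEQ/ACK/WIND bookkeeping (constructed example)."""
from dataclasses import dataclass


@dataclass
class Endpoint:
    seq: int   # SEQ: sequence number of the next byte this side will send
    ack: int   # ACK: next byte this side expects to receive
    wind: int  # WIND: this side's receive window in bytes


def handshake(client_isn: int, server_isn: int,
              clt_wind: int = 4096, svr_wind: int = 4096):
    """Three-way handshake; returns (client, server) once ESTABLISHED."""
    clt = Endpoint(seq=client_isn, ack=0, wind=clt_wind)
    svr = Endpoint(seq=server_isn, ack=0, wind=svr_wind)
    # SYN from client: occupies one sequence number, so the server now
    # expects client_isn + 1 and the client's next byte is client_isn + 1.
    svr.ack = clt.seq + 1
    clt.seq += 1
    # SYN/ACK from server: likewise occupies one sequence number.
    clt.ack = svr.seq + 1
    svr.seq += 1
    # Final ACK from client carries no data, so nothing advances.
    return clt, svr


def synchronized(clt: Endpoint, svr: Endpoint) -> bool:
    """Both sides agree on where the stream is (CLT_SEQ == SVR_ACK etc.)."""
    return clt.seq == svr.ack and svr.seq == clt.ack


def acceptable(receiver: Endpoint, seq: int) -> bool:
    """Simplified acceptability test: a segment is taken only if its first
    byte falls inside [ACK, ACK + WIND). A stale or out-of-window sequence
    number is dropped, so an injected segment needs a SEQ in this range."""
    return receiver.ack <= seq < receiver.ack + receiver.wind


def send(sender: Endpoint, receiver: Endpoint, payload: bytes) -> bool:
    """Deliver payload from sender to receiver; True if it was accepted."""
    if not acceptable(receiver, sender.seq):
        return False
    sender.seq += len(payload)   # sender's next byte moves past the payload
    receiver.ack = sender.seq    # receiver now expects the byte after it
    return True
```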