Penetration Testing and Network Defense
Session hijacking is the attempt to overtake an already active session between two hosts. This is different from IP spoofing, in which you spoof an IP address or MAC address of another host. With IP spoofing, you still need to authenticate to the target. With session hijacking, you take over an already-authenticated host as it communicates with the target. You will probably spoof the IP address or MAC address of the host, but session hijacking involves more than just spoofing. Session hijacking is attractive to malicious hackers because the host that is being hijacked is already authenticated to the target. Therefore, the malicious hacker does not need to waste time performing password cracking. It does not matter how secure the process of authentication is because most systems send clear text communication after they are authenticated. This makes most computers vulnerable to this type of attack. Session hijacking attacks are one of two types:
A distinction must also be made between session replay and session hijacking. Both are considered man-in-the-middle (MITM) attacks, but in session replay, you capture packets and modify the data before sending it to the target. In true session hijacking, you take over the IP session by spoofing the source (or destination) and changing your TCP sequence numbers to match those of the host and target. Often, you perform a denial-of-service (DoS) attack against the originating host to take it offline while you spoof its existence on the network. Figures 6-1 and 6-2 illustrate the differences between session replay and session hijacking.
Figure 6-1. Session Replay
Figure 6-2. Session Hijacking
You can break down session hijacking further into two categories:
Nonblind Spoofing
Nonblind spoofing is when you can see the traffic being sent between the host and the target. This is the easiest type of session hijacking to perform, but it requires you to capture packets as they are passing between the two machines. In a switched network, this is difficult to do. By default, you are unable to capture packets between two hosts on a switch without additional configuration.
Note
If you can compromise the switch, you might be able to capture packets between two hosts. With Cisco devices, this feature is called Switched Port Analyzer (SPAN). It allows you to monitor one or more ports or VLANs from a single switched port. If you cannot access the switch to configure port monitoring, you have other options. On some switches, you can use a Linux utility called MACOF, which floods a switch with MAC addresses in an attempt to fill up its MAC table to effectively convert the switch into a hub and allow you to monitor all ports. Although this tool works against some vendor equipment, the authors of this book have been unsuccessful in using this tool against Cisco switches. A second option to gain the ability to monitor traffic of a port is to craft bogus Address Resolution Protocol (ARP) replies so that the switch thinks that the real end user has moved to your port. This forces the switch to send traffic destined for that user to your port instead.
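The bogus ARP replies described in the note are exactly what an arpwatch-style monitor looks for on the defending side. The following is an added example, not code from the book: it tracks the MAC address each IP has been seen claiming in ARP replies and flags any IP whose binding changes. The log lines are constructed in a simplified tcpdump-like form for the example; real capture output differs.

```python
import re

# Constructed sample capture: the gateway 10.0.0.1 is announced by one
# station, then a second station claims the same IP (the "user moved to
# my port" trick from the note above).
SAMPLE_ARP_LOG = """\
ARP, Reply 10.0.0.1 is-at aa:bb:cc:00:00:01
ARP, Reply 10.0.0.25 is-at aa:bb:cc:00:00:25
ARP, Reply 10.0.0.1 is-at aa:bb:cc:00:00:01
ARP, Reply 10.0.0.1 is-at cc:dd:ee:00:00:99
ARP, Reply 10.0.0.25 is-at aa:bb:cc:00:00:25
"""

# Matches the simplified reply format used in the constructed sample.
ARP_REPLY = re.compile(
    r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9A-Fa-f:]{17})"
)


def find_binding_changes(log_text):
    """Return (ip, old_mac, new_mac) for every ARP reply that rebinds an
    IP address to a different MAC than the one last seen for it."""
    bindings = {}   # ip -> most recently claimed MAC
    alerts = []
    for line in log_text.splitlines():
        m = ARP_REPLY.search(line)
        if not m:
            continue            # not an ARP reply; ignore
        ip, mac = m.group(1), m.group(2).lower()
        known = bindings.get(ip)
        if known is not None and known != mac:
            alerts.append((ip, known, mac))
        bindings[ip] = mac      # remember the newest claim
    return alerts


if __name__ == "__main__":
    for ip, old, new in find_binding_changes(SAMPLE_ARP_LOG):
        print(f"ALERT: {ip} moved from {old} to {new}")
```

A repeated reply carrying the already-known MAC is silent; only a change of binding raises an alert, which keeps the output quiet on a healthy LAN.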
Blind Spoofing
In blind spoofing, you cannot see the traffic being sent between the host and the target. This is the most difficult type of session hijacking because of the near impossibility of correctly guessing TCP sequence numbers. (The section "TCP Sequence Prediction (Blind Hijacking)" covers TCP sequence prediction in greater detail.) You should keep a few things in mind when performing session hijacking attacks:
Session hijacking only works against session-oriented TCP protocols. Although UDP-based tools exist, most attacks are executed against TCP sessions. Session-oriented TCP communication includes FTP, rlogin, tn3270, and Telnet. Session hijacking does not work against non-session-oriented protocols such as DNS. Perform your attack when lots of sessions are taking place between hosts and your target. This makes your attack less conspicuous. If you perform the attack at night or during the lunch hour when fewer sessions are active, your activities will be spotted more easily. Finally, be on the same LAN as both the host and the target. Although it is possible with some tools to be on different networks, this makes the hijacking attempt much more difficult because it requires you to spoof the MAC address of routers and the host or target. Your chances of success improve greatly if you are on the same network as your host and target. Following are the steps to perform session hijacking:
TCP Sequence Prediction (Blind Hijacking)
When you are blind session hijacking, you need to make an educated guess on the sequence numbers between the host and target. In TCP-based applications, sequence numbers inform the receiving machine what order to put the packets in if they are received out of order. Sequence numbers are a 32-bit field in the TCP header; therefore, they range from 1 to 4,294,967,295. Every byte is sequenced, but only the sequence number of the first byte in the segment is put in the TCP header. To effectively hijack a TCP session, you must accurately predict the sequence numbers being used between the target and host. Also included in a TCP header is a window size. The window size is a two-byte field giving you values between 1 and 65,535. Window size indicates how many bytes of data the host can send before the receiver can expect an acknowledgement. Figure 6-3 illustrates the use of window size. In this simplified diagram, the host sends a packet with a window size of 5 bytes. After the host sends the 5 bytes of data, the receiver of the data expects an acknowledgement. If the receiver does not receive an acknowledgement, the sender knows that data was lost and he should resend it.
Figure 6-3. TCP Window Size Operation
You have some leniency when it comes to guessing TCP sequence numbers. If the sequence number is less than the current sequence number sent between the targets, the packet is dropped. However, if the packet's sequence number is greater than the current sequence number yet still within the window size, the data is held and considered an out-of-sequence packet. Of course, this requires more packets to be sent with lower sequence numbers to fill the gap, so guessing TCP sequence numbers correctly is important. Luckily, some platforms make it easy to guess their sequence number increment. RFC 793 states that hosts should increment the four-byte sequence number counter by one every 4 microseconds. Most platforms are nonconformists and implement their own method of incrementing sequence numbers. BSD and Linux increment their sequence number by 128,000 every second. This results in their sequence numbers wrapping back to one every 9.32 hours. However, each time a TCP connect() is made to establish a TCP session, the sequence number is incremented by 64,000 every second for the duration of the session. This makes sequence number guessing more predictable and thus more favorable to those who are performing session hijacking attacks.
Note
Many packet sniffers use relative sequence numbers, in which the initial sequence number is listed as zero. This is a bit misleading because in reality, your initial sequence number is different for every session.
With blind hijacking, you need to effectively guess both the sequence numbers and window sizes of two hosts. As the term suggests, blind hijacking is like shooting in the dark; you just do not know when you will get an accurate guess. Active hijacking, in contrast, is much easier and much more commonly attempted. Several tools can assist in making active hijacking easier to perform, as the sections that follow describe.
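The acceptance rule just described (below the expected number: dropped; within the window: held or accepted; beyond it: dropped) and the wrap-around arithmetic behind the 9.32-hour figure can be checked with a small model. This is an added example, not code from the book; the function names are the example's own, and all sequence arithmetic is done modulo 2**32 so the classification is still right when the counter wraps.

```python
SEQ_MOD = 2 ** 32          # sequence numbers are a 32-bit field


def seq_diff(a, b):
    """Signed distance from b to a in 32-bit sequence space, so that a
    number just past the wrap point still compares as 'ahead' of b."""
    d = (a - b) % SEQ_MOD
    return d - SEQ_MOD if d >= SEQ_MOD // 2 else d


def classify_segment(seq, rcv_nxt, window):
    """Classify a segment whose first byte carries sequence number `seq`
    at a receiver that expects `rcv_nxt` next and advertises `window`
    bytes.  Returns one of four outcomes described in the text above."""
    off = seq_diff(seq, rcv_nxt)
    if off < 0:
        return "dropped (old)"              # already received
    if off == 0:
        return "accepted (in order)"        # exactly what was expected
    if off < window:
        return "held (out of order)"        # buffered until the gap fills
    return "dropped (outside window)"       # too far ahead to buffer


def wrap_hours(increment_per_second):
    """Hours until a 32-bit counter advanced at this rate wraps around."""
    return SEQ_MOD / increment_per_second / 3600


if __name__ == "__main__":
    # Receiver expects byte 1000 and advertises a 5-byte window (as in
    # the simplified Figure 6-3 scenario).
    for seq in (999, 1000, 1003, 1005):
        print(seq, "->", classify_segment(seq, 1000, 5))
    # Wrap-around case: expected number sits 3 bytes below the wrap point.
    print("wrap ->", classify_segment(2, SEQ_MOD - 3, 10))
    # RFC 793 clock (1 per 4 microseconds) versus the 128,000/s increment.
    print("RFC 793 wrap: %.2f h" % wrap_hours(250_000))
    print("128,000/s wrap: %.2f h" % wrap_hours(128_000))
```

The 128,000-per-second rate gives the 9.32 hours quoted above; the RFC 793 clock wraps in about 4.77 hours.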