Penetration Testing and Network Defense
After you perform a few session hijacks, you will discover the dangers of ACK storms. ACK storms will soon become your greatest nemesis because they can flood your network with ACK packets and potentially take down your network. Because one of the goals of penetration testing is to perform your testing unnoticed, this is a sure way of alerting administrators that an attack is taking place. (Of course, if you are attempting a DoS attack against your target network, a session hijack gone bad is a great way to do this.)

Earlier, you learned of the importance of TCP sequence number prediction. When you send the wrong sequence number, the receiver assumes that the last acknowledgement was lost and resends the last acknowledgement. In response, the original host returns its own acknowledgement in an attempt to resynchronize sequence numbers. In normal TCP operation, this is ideal because it allows for reliable communication. However, when a malicious hacker or penetration tester is injecting packets with incorrect sequence numbers, the acknowledgements sent between the host and target increase exponentially and could take down the network. Figure 6-5 demonstrates how this happens.

Figure 6-5. ACK Storm
Because you are spoofing the host IP address, the ACK packets are sent to the original host in an attempt to resynchronize sequence numbers. You can circumvent the problems with ACK storms in two ways:
DoS attacks have been the traditional technique (but not the most effective) for preventing ACK storms. Figure 6-6 shows what happens with this approach. Here you are still spoofing the originating host, but because you have done a DoS attack against the host to take it out of commission, the target sends ACK packets to resynchronize sequence numbers to you instead of the host.

Figure 6-6. DoS to Prevent ACK Storms
This approach works, but it is not the most effective. Many host-based intrusion detection tools and personal firewalls would notice a DoS attack. Because you want to attack without drawing attention to yourself, DoS attacks are not the best method to use when hijacking sessions. A better approach is to use the Hunt tool. Hunt prevents ACK storms by spoofing the MAC address of both the target and the host. Figure 6-7 illustrates this technique.

Figure 6-7. Hunt ARP Spoofing
In Figure 6-7, a gratuitous ARP is sent to both the host and the target. A gratuitous ARP is an ARP reply that is sent unsolicited. That is, it is information about the IP and MAC address of a machine that is sent to other devices without first being queried for this information. The gratuitous ARP carries the IP address of the target (or of the host) paired with the attacker's MAC address. This way, when the host sends traffic to the target, it is actually sent to the attacker (and vice versa). Subsequently, the attacker is the man-in-the-middle (MITM) who can either forward traffic to its destination or hijack the session. Either way, ACK storms are minimized without the use of noisy DoS attacks.
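From the defender's side, the Figure 6-7 technique leaves a recognizable trace on the wire: an unsolicited ARP reply that rebinds a known IP address to a new MAC, followed shortly by two different IP addresses (host and target) resolving to the same MAC. The following Python detector is an added example, not code from this book or from Hunt; the ARP records it replays are constructed, and the detect_arp_spoof function and its request_window threshold are assumptions of this example.

```python
# Constructed ARP records in the shape an arpwatch-style sniffer might log:
# (timestamp_seconds, opcode, sender_ip, sender_mac, target_ip)
# opcode 1 = request, 2 = reply. A reply that nobody asked for is a gratuitous ARP.
SAMPLE_ARP = [
    (1.0, 1, "10.0.0.2", "aa:aa:aa:aa:aa:02", "10.0.0.5"),   # host asks who has the target
    (1.1, 2, "10.0.0.5", "cc:cc:cc:cc:cc:05", "10.0.0.2"),   # target answers (solicited)
    (30.0, 2, "10.0.0.5", "ee:ee:ee:ee:ee:99", "10.0.0.2"),  # unsolicited: target IP -> attacker MAC
    (30.1, 2, "10.0.0.2", "ee:ee:ee:ee:ee:99", "10.0.0.5"),  # unsolicited: host IP -> attacker MAC
]


def detect_arp_spoof(records, request_window=5.0):
    """Replay ARP records; return the final IP->MAC table and a list of alerts.

    A reply counts as solicited only if its receiver sent a matching request
    within request_window seconds (an assumed threshold, not a protocol constant).
    """
    bindings = {}   # ip -> mac learned from requests and replies
    pending = {}    # (requester_ip, asked_ip) -> time the request was seen
    alerts = []
    for ts, opcode, sender_ip, sender_mac, target_ip in records:
        if opcode == 1:                      # request: remember who asked for what
            pending[(sender_ip, target_ip)] = ts
            kind = "ARP request"
        else:                                # reply: solicited only if a request is outstanding
            asked_at = pending.pop((target_ip, sender_ip), None)
            solicited = asked_at is not None and ts - asked_at <= request_window
            kind = "solicited ARP reply" if solicited else "gratuitous ARP reply"
        previous = bindings.get(sender_ip)
        if previous is not None and previous != sender_mac:
            alerts.append(f"{ts:.1f} {kind} rebinds {sender_ip}: {previous} -> {sender_mac}")
        bindings[sender_ip] = sender_mac
        # The Figure 6-7 signature: host and target both resolving to one MAC.
        # Legitimate causes exist (proxy ARP, a router holding several IPs), so
        # this is a lead to investigate rather than proof of an attack.
        sharers = sorted(ip for ip, mac in bindings.items() if mac == sender_mac)
        if len(sharers) > 1:
            alerts.append(f"{ts:.1f} MAC {sender_mac} now claims {', '.join(sharers)} (possible MITM)")
    return bindings, alerts


if __name__ == "__main__":
    table, findings = detect_arp_spoof(SAMPLE_ARP)
    for line in findings:
        print(line)
```

On the constructed records the first two entries (a normal request and reply) raise nothing, while the two unsolicited replies raise a rebind alert each and the second one also raises the shared-MAC alert.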