‘Session Hijacking’ is a high-level attack vector to which many systems are completely open. Most systems are vulnerable to this type of attack because they rely on the Transmission Control Protocol (TCP), the standard communication protocol used on the Internet and on internal Local Area Networks (LANs). This paper assumes the reader has a level of network competency equivalent to that of a network engineer or experienced administrator.
Background
To establish a session with a TCP server, a client must follow a structured sequence of packet transmissions known as the ‘3 Way Handshake’. For two TCP-enabled machines to talk to each other they must synchronize; specifically, each must inform the other of its communication settings, such as its Sequence Number (SEQ) and Window size (WIN). ALL packets transmitted in a TCP connection carry a sequence number because TCP is a connection-oriented protocol: every segment is assigned a number, unique within the session, that enables the receiving machine to reassemble the stream of packets into their original and intended order. If packets arrive out of order, as happens regularly over the Internet, the SEQ is used to put them back into sequence.
The 3 Way Handshake
The synchronization of two TCP computers has to follow a defined process, a handshake. Both machines must inform the other of communication specific settings vital to the successful transmission of data. These settings are used so that each machine knows of the other’s capabilities in handling TCP packets. The 3 way handshake, as the name suggests, has 3 parts. The following diagram shows the 3 steps in establishing a handshake, and therefore a TCP session.
The computer wishing to initiate the TCP session, the Client in the above example, transmits a packet with the SYN control bit set, a synchronize packet. This packet includes the client’s ‘Initial Sequence Number’ (ISN) and ‘Window’ size (WIN).
The ISN is a pseudo-randomly generated number. It is essential to remember that the sequence number space is finite, although very large: it ranges from 0 to 2^32 – 1, which gives 4,294,967,296 (over 4 billion) possible values.
Every TCP endpoint advertises a Window size that tells the sender how many bytes it may have in flight (sent but not yet acknowledged) before the receiver’s fixed-size input buffer fills and further data has to be discarded. Imagine it as a bucket of water: if you pour too much water into my bucket, it will overflow. The Window size tells each machine how big the other’s bucket is.
You may have noticed that the acknowledgement (ACK) sent by each machine is the received sequence number plus one. The ACK number tells the sender the next sequence number the receiver expects. Within the 3 way handshake the increment is literally 1, because the SYN flag itself consumes one sequence number even though the packet carries no data. During normal data transfer the increment is the size of the data received in bytes: if you transmit 38 bytes of data, the ACK number goes up by 38 to acknowledge those 38 bytes.
Again, the ACK is the next sequence number the receiver expects the other side to send.
Great! So that’s how TCP sessions are established and normal TCP communications takes place. So what is ‘Session Hijacking’?
Session Hijacking
“Session Hijacking - A method of attack which involves a third party intercepting communications in a session, or series of communications, and pretending to be one of the parties involved in the session.” http://www.cryptnet.net/fdp/crypto/crypto-dict.html#S
I do not quite agree with the above definition by cryptnet.net. As far as the receiving computer is concerned, you ARE the other party in the session. This comes down to the subtle difference between spoofing and hijacking.
Spoofing is pretending to be someone else. This could be achieved by sniffing a logon/authentication process and replaying it to the server after the user has logged off. The server may then assume you are the user that the sniffed process actually belongs to.
Hijacking is taking over an already established TCP session and injecting your own packets into that stream so that your commands are processed as the authentic owner of the session.
One problem with TCP is that it was not built with security in mind. Any TCP session is identified by the (client IP address + client port number) and (server IP address + server port number). Any packet that reaches either machine carrying those four identifiers, and a sequence number the receiver is expecting, is assumed to be part of the existing session. So if an attacker can spoof those items, they can pass TCP packets to the client or server and have them processed as if they came from the other party!
To complete a hijack you must perform 3 actions.
Monitor or track a session
Desynchronize the session
Inject your own commands
To monitor a session, you simply sniff the traffic. How do we achieve the desynchronization of a session? By ‘Sequence Number Prediction’.
If we can predict the next sequence number to be used by a client (or server), we can use that sequence number before the client (or server) gets a chance to. Predicting the number may seem a difficult task, as there are over 4 billion possibilities, but remember that the ACK packet actually tells us the next expected sequence number. If we have access to the network and can sniff the TCP session, we don’t have to guess: we are told which sequence number to use! This is known as ‘Local Session Hijacking’.
If you do not have the ability to sniff the TCP session between client and server, you will have to attempt ‘Blind Session Hijacking’. This attack vector is much less reliable, as you are transmitting data packets with guessed sequence numbers, and 4 billion possible values is a very big pool to guess from! Modern TCP implementations randomize their ISNs precisely to make this guessing impractical.
Below is a packet analysis of a local session hijack.
We now know the next expected sequence number. If we transmit a packet with that sequence number before the client does, we desynchronize the connection: the server’s expected sequence number advances past the bytes we injected, so it is now ahead of the real client.
What happens when the real client sends the next packet that it has?
The server treats it as a retransmission, because the sequence number it carries is one the server has already received and acknowledged, and drops it. So now the client is unable to communicate with the server, while the hacker still can, as they are tracking the correct sequence number. This dropping of packets can create a problem on the network: because the client is not receiving an ACK for its TCP packet, it assumes the packet did not reach the server and resends it, only to have it dropped again.
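The sequence-number arithmetic from ‘The 3 Way Handshake’ and the desynchronization just described, as an added example for this page. It is a toy model written here, not code from the paper, T-Sight or Hunt, and it never touches the network: endpoints are plain Python objects and segments are dicts, so every number can be checked by hand. The ISNs, the telnet commands and the attacker’s ability to sniff the session are assumptions.

```python
"""Toy model of TCP SEQ/ACK bookkeeping and of a local session hijack by
sequence-number injection. Added example; not the paper's, T-Sight's or
Hunt's code. ISNs, commands and the attacker's sniffing position are assumed."""
from dataclasses import dataclass, field

MOD = 2 ** 32  # sequence numbers live in 0 .. 2^32 - 1 and wrap


@dataclass
class Endpoint:
    name: str
    snd_nxt: int = 0                 # next SEQ this side will send
    rcv_nxt: int = 0                 # next SEQ this side expects to receive
    log: list = field(default_factory=list)


def segment(src, flags, seq, ack, payload=b""):
    """A TCP segment reduced to the fields the hijack depends on."""
    return {"src": src, "flags": set(flags), "seq": seq % MOD,
            "ack": ack % MOD, "payload": payload}


def segment_length(seg):
    """Sequence space consumed: SYN and FIN take one number each, data takes len(payload)."""
    return len(seg["payload"]) + ("SYN" in seg["flags"]) + ("FIN" in seg["flags"])


def receive(ep, seg):
    """Apply an inbound segment to ep's receive state.
    'accepted'  : seq is exactly rcv_nxt, the only case the receiver acts on
    'duplicate' : seq is behind rcv_nxt, treated as a retransmission and dropped
    'future'    : seq is ahead of rcv_nxt (a real stack would buffer it)"""
    if seg["seq"] == ep.rcv_nxt:
        ep.rcv_nxt = (ep.rcv_nxt + segment_length(seg)) % MOD
        status = "accepted"
    elif (ep.rcv_nxt - seg["seq"]) % MOD < MOD // 2:
        status = "duplicate"
    else:
        status = "future"
    ep.log.append((status, seg["src"], seg["payload"]))
    return status


def send(ep, dst, flags, payload=b""):
    """Build a segment from ep's own counters, advance snd_nxt, deliver it to dst."""
    seg = segment(ep.name, flags, ep.snd_nxt, ep.rcv_nxt, payload)
    ep.snd_nxt = (ep.snd_nxt + segment_length(seg)) % MOD
    return receive(dst, seg), seg


def three_way_handshake(client, server, client_isn, server_isn):
    client.snd_nxt, server.snd_nxt = client_isn % MOD, server_isn % MOD
    # 1. SYN carries the client's ISN; the listener adopts it as rcv_nxt
    server.rcv_nxt = client.snd_nxt
    send(client, server, {"SYN"})                     # server now expects ISN_c + 1
    # 2. SYN/ACK carries the server's ISN and acknowledges ISN_c + 1
    client.rcv_nxt = server.snd_nxt
    _, synack = send(server, client, {"SYN", "ACK"})  # client now expects ISN_s + 1
    # 3. ACK consumes no sequence number
    _, ack = send(client, server, {"ACK"})
    return {"client_seq": client.snd_nxt, "server_seq": server.snd_nxt,
            "synack_ack": synack["ack"], "final_ack": ack["ack"]}


def hijack_demo(client_isn=1000, server_isn=5000):
    client, server = Endpoint("client"), Endpoint("server")
    three_way_handshake(client, server, client_isn, server_isn)

    # Authentic traffic: 8 bytes of telnet input, so the server's ACK rises by 8
    send(client, server, {"ACK", "PSH"}, b"whoami\r\n")
    sniffed_next_seq = server.rcv_nxt      # exactly what the server's ACK reveals to a sniffer

    # Attacker spoofs the client's IP/port and uses that number before the client does
    injected = receive(server, segment("attacker", {"ACK", "PSH"},
                                       sniffed_next_seq, client.rcv_nxt, b"id\r\n"))

    # The real client's next segment carries the very SEQ the attacker just consumed
    real = segment(client.name, {"ACK", "PSH"}, client.snd_nxt, client.rcv_nxt, b"pwd\r\n")
    first_try = receive(server, real)
    retransmit = receive(server, real)     # no ACK comes back, the client resends: same result

    # The attacker, tracking rcv_nxt, simply keeps going
    again = receive(server, segment("attacker", {"ACK", "PSH"},
                                    server.rcv_nxt, client.rcv_nxt, b"uname -a\r\n"))
    return {
        "sniffed_next_seq": sniffed_next_seq,
        "injected": injected,
        "real_client": first_try,
        "real_client_retransmit": retransmit,
        "attacker_again": again,
        # bytes the client now lags the server by: the gap Hunt asks the user to type through
        "client_behind_by": (server.rcv_nxt - client.snd_nxt) % MOD,
        "commands_server_acted_on": [p for s, _, p in server.log if s == "accepted" and p],
    }
```

Call `hijack_demo()` and inspect the dict: the injected segments come back `accepted`, the real client's segment and its retransmission come back `duplicate`, and `client_behind_by` is the number of bytes the Hunt tool (described later in this paper) would ask the user to type to resynchronize.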
It is important to note at this point that to carry out this attack correctly, you must employ an ‘ARP Cache poisoning’ attack on both machines. The reason you must redirect the packets through the Hacker machine is so that the server does not reply directly to the client. By transferring all packets through the Hacker machine, the Hacker is able to filter out what they want the server or client to be able to see and control any communications between the two. The hijacking tools will do this for you!
If the flow of data is not completely controlled, packets may get through to either party. The server may be able to send an ACK packet to the client, this packet will contain a sequence number that the client is not expecting, so when the client receives this packet, it will try to resynchronize the TCP session with the server by sending it an ACK packet with the sequence number that it is expecting. This ACK packet will in turn contain a sequence number that the server is not expecting, and so the server will resend its last ACK packet. This cycle goes on and on and on, and this rapid passing back and forth of ACK packets creates an ‘ACK Storm’. This ‘ACK Storm’ can quite quickly grind a network to a halt, so any attack tends to be carried out rapidly by the hacker.
To clear the ACK storm, the Hacker could send TCP packets to both parties with the RST (reset) control bit set. This will essentially tear down the established session, disconnecting both machines. However, if the attacker is performing an ‘ARP Cache Poison’ of the two machines, the ‘ACK Storm’ should not occur, as neither machine can communicate directly with the other.
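Two checks a defender can run for the symptoms described in the last three paragraphs, as an added example for this page (not code from the paper or from any IDS): an IP address whose frames suddenly arrive from a different source MAC (the layer-2 trace of ARP cache poisoning or MAC spoofing), and a burst of data-less ACK segments whose numbers never advance (the ACK storm). The frame records, MACs, addresses, ports and timestamps are all constructed here, and the capture is assumed to come from a point that sees real source MACs, such as a mirror port on the same switch.

```python
"""Detect ARP-spoofing and ACK-storm symptoms over a constructed capture.
Added example; not from the paper or any IDS. All addresses and times are made up."""
from collections import defaultdict

CLIENT_MAC, SERVER_MAC = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
ATTACKER_MAC = "de:ad:be:ef:00:01"
CLIENT, SERVER = ("10.0.0.5", 40123), ("10.0.0.23", 23)


def frame(ts, src_mac, src, dst, flags, seq, ack, payload_len=0):
    """One captured frame, reduced to the fields the checks need."""
    return {"ts": ts, "src_mac": src_mac, "src_ip": src[0], "src_port": src[1],
            "dst_ip": dst[0], "dst_port": dst[1], "flags": set(flags),
            "seq": seq, "ack": ack, "payload_len": payload_len}


def build_capture():
    """Constructed frames: a telnet exchange, then a segment carrying the client's
    IP/port but the attacker's MAC, then the ACK storm that follows."""
    fr = [frame(0.00, CLIENT_MAC, CLIENT, SERVER, {"ACK", "PSH"}, 1001, 5001, 8),
          frame(0.01, SERVER_MAC, SERVER, CLIENT, {"ACK"}, 5001, 1009),
          # injected segment: same 4-tuple as the client, different source MAC
          frame(2.00, ATTACKER_MAC, CLIENT, SERVER, {"ACK", "PSH"}, 1009, 5001, 4),
          frame(2.01, SERVER_MAC, SERVER, CLIENT, {"ACK"}, 5001, 1013)]
    # both sides now keep re-sending an ACK the other side will not accept
    for i in range(15):
        fr.append(frame(2.02 + 0.02 * i, CLIENT_MAC, CLIENT, SERVER, {"ACK"}, 1009, 5001))
        fr.append(frame(2.03 + 0.02 * i, SERVER_MAC, SERVER, CLIENT, {"ACK"}, 5001, 1013))
    return fr


def detect_mac_change(frames):
    """Alert once per (IP, new MAC) when an IP's frames start arriving from a
    source MAC other than the first one seen for that IP."""
    first_seen, reported, alerts = {}, set(), []
    for f in frames:
        ip, mac = f["src_ip"], f["src_mac"]
        base = first_seen.setdefault(ip, mac)
        if mac != base and (ip, mac) not in reported:
            reported.add((ip, mac))
            alerts.append((f["ts"], ip, base, mac))
    return alerts


def detect_ack_storm(frames, window=1.0, threshold=20):
    """Alert per connection when more than `threshold` data-less ACK segments fall
    inside `window` seconds and their (sender, seq, ack) values never change:
    each side is just repeating its last ACK, which is what an ACK storm looks like."""
    by_conn = defaultdict(list)
    for f in frames:
        if f["flags"] == {"ACK"} and f["payload_len"] == 0:
            key = frozenset([(f["src_ip"], f["src_port"]), (f["dst_ip"], f["dst_port"])])
            by_conn[key].append(f)
    alerts = []
    for key, segs in by_conn.items():
        segs.sort(key=lambda f: f["ts"])
        best, start = [], 0
        for end in range(len(segs)):
            while segs[end]["ts"] - segs[start]["ts"] > window:   # slide the window
                start += 1
            run = segs[start:end + 1]
            distinct = {(f["src_ip"], f["seq"], f["ack"]) for f in run}
            if len(distinct) <= 2 and len(run) > len(best):    # one stuck ACK per side
                best = run
        if len(best) > threshold:
            alerts.append({"conn": sorted(key), "first_ts": best[0]["ts"],
                           "ack_only_segments": len(best)})
    return alerts
```

The MAC check only means something where the sensor sees original source MACs (same broadcast domain); across a router every frame carries the router’s MAC. Static ARP entries or switch port security prevent the poisoning itself; these checks only tell you it is happening.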
Available Hacking Tools
There are a number of tools available to conduct TCP Session Hijacking, some open source, some commercial applications. In the interest of operating system independence, I will mention two.
T-Sight
T-Sight, by Engarde Systems is a Windows based ‘Local Session Hijacking’ application. It is actually much more than just that, it is a post-mortem and real-time network analysis tool.
T-Sight is really easy to use; I do not know of another session hijacking tool that is as easy to use! Its main screen is a connection monitoring window. The left hand ‘Protocols’ pane displays all of the connections that T-Sight can ‘see’. This means that on a hub based network you can see plenty of connections. On a switch based network you will need to perform some attack, such as ‘Switch Flooding’ or ‘ARP Cache Poisoning’, to be able to sniff or see other users’ connections.
Once you see a connection you wish to monitor, you double click on the entry in the right hand pane, the ‘connections pane’. This opens a new window with which you can analyze post-mortem packets, or by clicking on ‘Generate’, you can move into the real-time monitoring window.
If you can monitor a connection, you are performing a ‘Passive Hijack’ of that session. This is simply a real-time sniff of the data packets. For instance, if you are passively hijacking a Telnet session, you can see the Telnet commands as the Administrator types them into their window. You are not injecting packets or attempting to desynchronize the connection, you are simply watching it in real-time. This is very important as you can time your hijack to take over the session only after the Administrator has logged onto the Telnet server!
Wait for the user to authenticate against the server and click on ‘Take Over’; you can even see the username and password in the connection stream at the bottom. That’s it! You have now desynchronized the session and have the ability to inject your own Telnet commands (if you have hijacked a Telnet session). You do this by typing directly into the white screen. Any command you enter is processed as the Administrator that originally created the session. If you have the resource kit tool ‘WhoAmI’ installed, you will see that the logged on user is the creator of the session. Fantastic!! Whatever you do now is logged as someone else.
Completely invisible to the user, a number of actions are running in the background. T-Sight is performing an ARP cache poison of the two victim machines to control the flow of data. It is also spoofing the IP address, MAC address and port number of the client, so that the server has no idea it is communicating with someone else.
T-Sight has the option of creating ‘Macros’ and storing commands in them. These macros can then be sent in quick succession to the server, enabling the Hacker to carry out the attack and get out before anyone notices.
As for the poor Administrator? The command prompt window that they are using to create a Telnet session hangs while the session is being hijacked. After a minute or so the window will display a message ‘Connection to host lost.’ What would most Administrators do? Blame Windows and re-establish the session!! What will you do from now on?
At the time of writing this paper, Engarde has the following pricing for T-Sight.
Class C: US$ 1,500.00
Additional Class C: US$ 225.00
Class B: US$ 3,500.00
Additional Class B: US$ 525.00
Consultant license: (unlimited networks) US$ 9,000.00
Hunt
Hunt, by Pavel Krauz, is an open source Linux attack tool that performs session hijacking. The fundamental difference between Hunt and most other hijackers is that it can hand the session back to the victim. To hand back the session, the attacker needs to bring the client’s sequence number back into step with the server’s. Hunt tries to solve this problem by sending a message to the logged on client user. One of those messages is shown below:
#msg from root: power failure – try to type 17 chars
The number of characters that needs to be entered is entirely dependent on the difference between the client sequence number and the server sequence number. Hunt replaces this value with whatever number of bytes is required; 1 character = 1 byte. The crux of this is whether the user will obey the instruction. Once the user has typed enough characters, and therefore transmitted enough bytes to resynchronize, Hunt transmits ARP update packets to restore the correct values to the ARP table entries it modified on the client and server. This technique will probably not work against well-educated users, or against any protocol other than Telnet or possibly FTP, both text based unencrypted protocols.
Countermeasures
To defend against session hijack attacks, a network should employ several defenses. The most effective is encryption such as ‘IPSEC’. Internet Protocol Security can encrypt your IP packets, with the peers authenticating each other by a Pre-Shared Key (PSK) or, in more complex deployments, by certificates from a Public Key Infrastructure (‘PKI’). This also defends against many other attack vectors, such as sniffing: the attacker may be able to passively monitor your connection, but they will not be able to read any data, as it is all encrypted, nor forge segments that will pass the integrity check. There may be actions an attacker could take against an IPSEC enabled network, depending on whether IKE with a PSK or a PKI is used to manage the encryption keys, but this would require an experienced hacker. Don’t think that IPSEC is the panacea for all your ills: there are IPSEC cracking tools available on the Internet that capture the IKE exchange (aggressive mode with a PSK is the weak case) and attempt to guess the PSK offline.
Other countermeasures include encrypted applications like SSH (Secure SHell, an encrypted replacement for Telnet) or SSL (Secure Sockets Layer, HTTPS traffic). Again this comes back to using encryption, the subtle difference being that the encryption is applied within the application. Be aware, though, that there are known attacks against SSH and SSL. OWA, Outlook Web Access, uses SSL to encrypt data between an Internet client browser and the Exchange mail server, but tools like Cain & Abel (my favorite Windows based attack tool!) can present a forged SSL certificate to the browser and mount a Man-In-The-Middle (MITM) attack that decrypts everything. The forged certificate is not trusted by the browser, so the attack relies on the user clicking through the certificate warning; train users never to do so.
Reducing your ‘Attack Surface’ (the potential methods of gaining access to your network) will help, e.g. eliminate remote access to the internal systems. By cutting out authorized remote connections, you remove the potential for somebody to attack those remote connections. If you have remote users who need to connect to carry out their duties, then use ‘Virtual Private Networks’ secured with tunneling protocols and encryption, such as L2TP/IPSEC (PPTP is also common, but its authentication is considerably weaker).
Again, a defense in depth approach is always the best countermeasure to any potential threat. Employing any one countermeasure may not be enough, but using them together to secure your enterprise will make the success rate of any attack minimal to anyone but the most professional and dedicated attacker. Remember, no computer system is ever 100% secure! (Unless it is powered off and dropped in the ocean!!)
Wednesday, April 20, 2011
Tuesday, April 5, 2011
Here is a glossary of the most common Internet jargon terms, acronyms and abbreviations:
HMU - Hit Me Up (contact me to follow up)
NVM -Never Mind
NWOT- New Without Tags
PMSL P*ssing myself laughing (a common UK expression)
POSSLQ Person of Opposite Sex, Sharing Living Quarters
FMV Fair Market Value
RL Real Life
RTFM Read The F*cking Manual
BISLY But I Still Love You
ITSFWI If The Shoe Fits, Wear It!
BFF Best friends, forever!
WIBAMU Well, I'll be a Monkey's Uncle
BTAIM Be That As It May
TTYL Talk To You Later
IIRC If I Recall Correctly...
AFAIK As Far as I Know
WRT With Respect To
NSFW Not Safe for Workplace viewing (warning that there is sexual or repulsive content)
NWT New With Tags
OTOH On the Other Hand
AFK Away from Keyboard
ASL Age/Sex/Location?
TPTB The Powers that Be
ROFLMAO Roll On Floor Laughing My A** Off
JMHO Just My Humble Opinion
IMHO In My Humble Opinion
OATUS On a Totally Unrelated Subject
PMFJI Pardon Me for Jumping In
SFSG So Far, So Good
TC Take Care
BTHOM Beats the Hell Out of Me
SGTM Sounds Good to Me!
O RLY Oh, Really (sarcasm)
OP The Original Poster (who started this discussion thread)
WB Welcome Back
IDK I Don't Know
OOAK One of a Kind
MEGO My Eyes Glaze Over
IBTL In Before the Lock!
BBIAB Be Back in a Bit
YMMV Your Mileage May Vary
MTFBWY May the Force Be With You
NIMBY Not in My Back Yard
MT Mistell (mistaken chat message, please disregard)
AMAIR As Much as I Recall
Yes, Internet users will write email, instant messages, blog comments, and forum/chat postings using these abbreviations. Because they are very short, abbreviations are particularly common for cell phone texting.
5 Steps to a Good Password
Simple Choices that Deter Password Hacking
Before we begin, we must be clear on one major expectation: there is no such thing as a perfect password. A committed hacker can crack any password, given enough time and the right "dictionary" or "brute force" tools. But just like breaking into a car, if the protection is strong enough, the hacker will become discouraged and commonly give up before the protection fails.
1. Start With a Base Word Phrase.
A good password starts with a base word phrase. This means: choose a memorable catchphrase, quotation, or easy to remember saying, and take the first letter from each word. Choose a phrase that is memorable to you.
Examples of some base word phrases:
•Can't See the Forest Through the Trees: cstfttt
•Put Up or Shut Up: puosu
•If the Shoe Fits, Wear It: itsfwi
•You Can Lead a Horse to Water: yclahtw
•The Last Mile Is Always Uphill: tlmiau
•I Think, Therefore I Am: ittia
•Oh Say Can You See: oscys
•My Dog Freeway Loves Cheddar Cheese: mdflcc
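Step 1 mechanized, as an added example for this page (not the post’s own code): take the first letter of each word of the phrase. The tokenizing rules are assumptions chosen to reproduce the eight examples above: an apostrophe stays inside its word (Can’t gives one letter), other punctuation just separates words, and the result is lower-case.

```python
"""Derive the 'base word phrase' of step 1 from a memorable phrase.
Added example; the tokenizing rules are assumptions that match the post's examples."""
import re

# a word is a run of letters, optionally joined by apostrophes (Can't, I'll)
WORD = re.compile(r"[A-Za-z]+(?:'[A-Za-z]+)*")


def base_from_phrase(phrase):
    """'Can't See the Forest Through the Trees' -> 'cstfttt'"""
    return "".join(m.group(0)[0].lower() for m in WORD.finditer(phrase))


# the eight pairs listed in the post, used as a self-check
PAGE_EXAMPLES = {
    "Can't See the Forest Through the Trees": "cstfttt",
    "Put Up or Shut Up": "puosu",
    "If the Shoe Fits, Wear It": "itsfwi",
    "You Can Lead a Horse to Water": "yclahtw",
    "The Last Mile Is Always Uphill": "tlmiau",
    "I Think, Therefore I Am": "ittia",
    "Oh Say Can You See": "oscys",
    "My Dog Freeway Loves Cheddar Cheese": "mdflcc",
}


def mismatches(examples=PAGE_EXAMPLES):
    """Return the phrases whose derived base differs from the expected one."""
    return [p for p, base in examples.items() if base_from_phrase(p) != base]
```

Note that every base here is only five to seven lower-case letters; it is the starting point the post describes, not a finished password.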
What Is 'Brute Force' Dictionary Hacking?
Hackers use three common methods to acquire people's computer passwords:
- Brute Force ('Dictionary') Repetition
- Social Engineering (commonly: phishing)
- Administrator Back Doors
2) Social Engineering Attacks
Social engineering is the modern con game: the hacker manipulates you into divulging your password through some kind of convincing personal contact. This personal contact might involve direct face-to-face communication, like a pretty girl with a clipboard doing interviews in a shopping mall. Social engineering attacks might also occur over the phone, where a hacker masquerades as a bank representative calling to confirm your phone number and bank account numbers. The third and most common social engineering attack is called phishing or whaling. Phishing and whaling attacks are deception pages masquerading as legitimate authorities on your computer screen. Phishing/whaling emails will often redirect the victim to a convincing phishing website, where the victim types in their password, believing the website to be their actual bank or online account.
3) Administrator Back Doors
This kind of attack is akin to stealing the building master keys from the janitor: the perpetrator accesses the system as if they were a trusted employee. In the case of computer administrators, special all-access accounts let the user into areas where only trusted network administrators should go. These administrator areas include password recovery options. If the hacker can enter your system with the administrator's account, the hacker can retrieve the passwords of almost anyone on that system.
Labels: cat, cattechie, hacker, hacking, hacking tools