查看單個文章
舊 2004-06-21, 02:50 PM   #11 (permalink)
mic64
註冊會員
 
mic64 的頭像
榮譽勳章
UID - 582
在線等級: 級別:16 | 在線時長:330小時 | 升級還需:27小時級別:16 | 在線時長:330小時 | 升級還需:27小時級別:16 | 在線時長:330小時 | 升級還需:27小時級別:16 | 在線時長:330小時 | 升級還需:27小時級別:16 | 在線時長:330小時 | 升級還需:27小時級別:16 | 在線時長:330小時 | 升級還需:27小時
註冊日期: 2002-12-06
VIP期限: 2007-04
住址: MIB總部
文章: 412
精華: 0
現金: 499 金幣
資產: 499 金幣
預設

Chapter 11 • Session Hijacking
Introduction
The term session hijacking refers to an attacker’s ability to take over a portion of a
session (often a network conversation) and act as one of the participants. Session
hijacking is usually an extension of sniffing, except that sniffing is passive and
hijacking requires active participation.
Hijacking exploits the inherent weaknesses in most types of networks and
unencrypted protocols, namely that the information passes in the clear.This is the
same weakness that sniffing takes advantage of. In addition to monitoring, a
hijacking attack may also inject a packet or frame pretending to be one of the
communicating hosts.This act is similar to spoofing, except no guessing is
involved—all the necessary information is available to the attacker.
This chapter discusses what a hacker can accomplish with hijacking and the
tools that are currently available to perform hijacking attacks.
Understanding Session Hijacking
Session hijacking is probably best explained with an example: Imagine that the
hacker has accomplished enough of an attack or has positioned himself fortuitously
so that he’s able to monitor traffic between two machines. One of the
machines is a server that he’s been trying to break into.The other is obviously a
client. In our example, the attacker catches the root user logging in via Telnet,
and he successfully steals the password—only to find out that it is an s/key onetime
password. As the name implies, one-time passwords are used one time, so
even if someone is monitoring and steals the password, it will do him no good; at
that point the password has been “used up.”
What does the hacker do? Simple: He sends a packet with the appropriate
headers, sequence numbers, and the like with a body of:
<cr> echo + + > /.rhosts <cr>
where <cr> is the carriage-return character.This particular command presupposes
some other conditions before it’s useful, but it illustrates the point. If any of
the Berkeley “r” services are enabled, this particular command allows anyone in
the world to issue commands on that server as any user (including root).
Naturally, the attacker follows this action with some devastating set of commands
issued via rsh, forever giving him ownership of that box until the real owner can
format the drives and start over.
www.syngress.com
www.syngress.com
Now, there are some difficulties with this attack as outlined, and we’ll cover
all of those in detail in this chapter. Suffice it to say for now that the person sitting
in front of the original client will either have his or her connection dropped
or the command the hacker issued will be echoed back to that person’s screen.
Session Hijacking • Chapter 11 409
Got UNIX?
I don’t mean to start a religious war, but if you’re an IT professional who
does security work and so far you’ve used only Windows, someday you’ll
find that you need to work with some sort of UNIX system. The only
reason this is true that no one can really argue with you about is that
some security tools are available only for UNIX or work-alike systems. For
the purposes of this discussion, Linux, any of the BSDs, or any of the
commercial UNIX systems are all UNIX. Officially, UNIX is a trademark
and applies only to a couple of OSs from the Santa Cruz Operation (SCO)
and licensees, but for the purposes of compiling software, we don’t care
about trademarks.
So, which one to use? Probably, you’ll want a free OS to keep
expenses down. You’ll want something that runs on the Intel x86 processor
line so that you can use an old Windows box or dual-boot on a
Windows box. Linux is probably the easiest from a security tools experimentation
point of view. Because of its large user base, most of these
tools have instructions on how to get them to work on a Linux system.
Some tools (such as the previously mentioned Hunt) work only on Linux.
Linux isn’t necessarily the most secure UNIX out there, however, if that’s
a concern. (If you collect a large set of tools and with them you start to
collect information about your network, that information becomes
something you need to protect well.) For that, OpenBSD is pretty sexy to
security people because it’s one of the very few operating systems that
has security as one of its primary design goals, and it shows.
Another particularly interesting UNIX (a custom Linux distribution,
actually) is Trinux. It’s particularly useful for two reasons: First, because
it comes with a number of security tools already compiled, configured,
and ready to go. Second, it’s designed to boot off a diskette or CD-ROM
and read its software from another disk or file allocation table (FAT) hard
drive (or even FTP/HTTP servers). This means no disk partitioning! Trinux
can be found at http://trinux.sourceforge.net.
Tools & Traps…
410 Chapter 11 • Session Hijacking
TCP Session Hijacking
So, what happened under the hood in the Telnet-hijacking example we just
examined? Let’s take a look at how the hijacking of a Transmission Control
Protocol (TCP) connection works in general.When attempting to hijack a TCP
connection, a hacker must pay attention to all the details that go into a TCP connection.
These details include things like sequence numbers,TCP headers, and
ACK packets.
We won’t do a complete review of how TCP/IP works here, but let’s look
briefly at some relevant portions as a quick reminder. Recall that a TCP connection
starts out with the standard TCP three-way handshake:The client sends a
SYN (synchronization) packet, the server sends a SYN-ACK packet, and the
client responds with an ACK (acknowledgment) packet and then starts to send
data or waits for the server to send. During the information exchange, sequence
counters increment on both sides, and packet receipt must be acknowledged with
ACK packets.The connection finishes with either an exchange of FIN (finish)
packets, similar to the starting three-way handshake, or more abruptly with RST
(reset) packets.
Where during this sequence of packets does the hacker want to send?
Obviously, she wants to do it before the connection finishes, or else there will be
no connection left to hijack.The hacker almost always wants to hijack in the
middle, after a particular event has occurred.The event in question is the authentication
step.Think about what would happen if she were to hijack the connection
during the initial handshake or before the authentication phase had
completed.What would she have control of? The server would not be ready to
receive commands until the authentication phase had completed. She’d have a
hijacked connection that was waiting for her to provide a password of some sort.
In other words, she’d be in exactly the same situation as she would be if she’d just
connected as a normal client herself.
As mentioned before, the point of hijacking a connection is to steal trust.The
trust doesn’t exist before the authentication has occurred.There are some services
that can be configured to authenticate on IP address alone, such as the Berkeley
“r” services mentioned earlier, but if that’s the case, no hijacking is really
required; at that point, it becomes a matter of spoofing. If a hacker were in a
position to do TCP connection hijacking, she’d also easily be able to spoof effectively.
Note that when we say “If a hacker were in a position to…,” we mean that
the hacker must have control of the right victim machine to be able to accomplish
any of this activity. Just as with sniffing, the hacker will almost certainly
www.syngress.com
Session Hijacking • Chapter 11 411
need control of a box on the same Layer 2 network segment as either the client
or the server. Unless she’s able to pull some heavy route manipulation, the packets
won’t come to the hacker—she’ll have to go to the packets.
TCP Session Hijacking with Packet Blocking
If an attacker is able to perform a TCP session hijack in such a way that he completely
controls the transmission of packets between the two hosts, that attacker
has a considerable advantage. Contrast this scenario with the example in the preceding
section, where the attacker is likely sitting on shared network media with
one of the hosts and he can only inject packets, not remove them. Clearly, there
are a number of anomalous behaviors that either host, or perhaps an intrusion
detection system (IDS) somewhere in between, could be configured to spot.
However, if the attacker is able to drop packets at will, he can then perfectly
emulate the other end of a conversation to either host. (At least theoretically he
can “perfectly” emulate either side. It depends on the quality of the TCP host
emulation in the attacker’s software. Research is being done in the area of passive
OS fingerprinting. If there is a flaw in the attacker’s emulation of a particular
OS’s characteristics, it’s possible that a host might be able to use passive OS detection
techniques to spot a change in the TCP communications and flag an
anomaly.) Being able to drop packets will eliminate the ACK storms, duplicate
packets, and the like.
In fact, such systems to take over connections in this manner exist today; we
call them transparent firewalls. (Transparent in this case means that the client needs
no special configuration.) Some transparent firewalls can do file caching, port
redirection, extra authentication, and any number of other tricks that an attacker
would like to perform.
Route Table Modification
Typically, an attacker would be able to put himself in such a position to block
packets by modifying routing tables so that packets flow through a system he has
control of (Layer 3 redirection), by changing bridge tables by playing games with
spanning-tree frames (Layer 2 redirection), or by rerouting physical cables so that
the frames must flow through the attacker’s system (Layer 1 redirection).The last
technique implies physical access to your cable plant, so perhaps you’ve got much
worse problems than TCP session hijacking in that instance.
Most of the time, an attacker will try to change route tables remotely.There
has been some research in the area of changing route tables on a mass scale by
playing games with the Border Gateway Protocol (BGP) that most Internet
www.syngress.com
412 Chapter 11 • Session Hijacking
service providers (ISPs) use to exchange routes with each other. Insiders have
reported that most of these ISPs have too much trust in place for other ISPs,
which would enable them to do routing updates. BGP games were in large part
the basis for the L0pht’s claim before the U.S. Congress a few years ago that they
could take down the Internet in 30 minutes.
A more locally workable attack might be to spoof Internet Control Message
Protocol (ICMP) and redirect packets to fool some hosts into thinking that there
is a better route via the attacker’s IP address. Many OSs accept ICMP redirects in
their default configuration. I’ve had some Solaris SPARC 2.5.1 machines pick up
new routes from ICMP redirects and then refuse to give them up without a
reboot. (Some sort of kernel bug caused the machine to get into a weird state
that refused to accept route update calls.) Unless you want to break the connection
entirely (or you proxy it in some way), you’ll have to forward the packets
back to the real router so they can reach their ultimate destination.When that
happens, the real router is likely to send ICMP redirect packets to the original
host, too, informing it that there is a better route. So, if you attempt that sort of
attack, you’ll probably have to keep up the flow of ICMP redirect messages.
If the attacker has managed to change route tables to get packets to flow
through his system, some of the intermediate routers will be aware of the route
change, either because of route tables changing or possibly because of an Address
Resolution Protocol (ARP) table change.The end nodes would not normally be
privy to this information if there are at least a few routers between the two
nodes. Possibly the nodes could discover the change via a traceroute-style utility,
unless the attacker has planned for that and programmed his “router” to account
for it (by not sending the ICMP unreachables and not decrementing the Timeto-
Live [TTL] counter on the IP packets).
Actually, if an attacker has managed to get a system into the routing path
between two hosts, his job has gotten considerably easier. As an example, suppose
the attacker wants to hijack HTTP or File Transfer Protocol (FTP) connections
in which the client is retrieving a Windows .exe executable file.Writing or gathering
all the pieces of code necessary to emulate an IP stack and inject a new file
into the middle of a hijacked TCP connection would be daunting. However, the
attacker no longer needs to do that, as long as he doesn’t feel that he needs to go
to extraordinary measures to evade detection. Modifying an open source UNIXlike
operating system to not decrement the TTL and not send ICMP unreachables
ought to go a long way toward evading traceroute detection. Once that’s
done, it’s relatively easy to configure a caching proxy such as Squid to do transparent
proxying.
www.syngress.com
Session Hijacking • Chapter 11 413
A page of information on how to set up Squid to do transparent proxying can
be found at www.squid-cache.org/Doc/FAQ/FAQ-17.html.There are instructions
for how to get it to work with Linux, the BSDs, Solaris, and even Cisco
IOS. Squid will normally reveal itself with the way it modifies HTTP requests
slightly, but that could be programmed away without too much difficulty.
The final step would be to modify the Squid caching code to hand over a particular
.exe instead of the original one requested. Once you can fool people into
thinking that they’re downloading a legitimate executable straight from the vendor
site while actually handing them yours, getting your Trojan horse program inside
their defenses is a given.The user might not even be aware it’s happening or even
be around, because many programs now automatically check for updates to themselves,
and some of them will fall for this trick just as easily as a person would.
www.syngress.com
“Use the Force, Luke...”
Standards are a hacker’s best friend. He’s got access to all the same
information that you do; essentially everything your network does is
right at his fingertips. If you’re not just as acquainted with the Request
for Comments (RFCs) as he is, you’re in for a very long day. Take some
time to pore over the information governing the use of the protocols on
your network, especially the new standards. A good source for RFCs is
www.rfc-editor.org. Lab time is essential for keeping current on the
latest vulnerabilities and weaknesses, so make sure you’ve allotted
ample time for lab research in your schedule. You’ll find plenty of information
watering holes on the Internet, but some of the typical “hacker
hangouts” include:
 Newsgroups such as alt.hackers.malicious, alt.2600, and
alt.hacking
 Internet Relay Chat (IRC) rooms dedicated to discussions on
hacking
Also, astalavista.box.sk and securityfocus.com search engines have
hundreds of links to the latest sites. These sites tend to move around due
to the nature of content, so your bookmarks might need frequent
updating.
Notes from the Underground…
414 Chapter 11 • Session Hijacking
ARP Attacks
Another way to make sure that your attacking machine gets all the packets going
through it is to modify the ARP tables on the victim machine(s). An ARP table
controls the Media Access Control (MAC)-address-to-IP-address mapping on
each machine. ARP is designed to be a dynamic protocol, so as new machines are
added to a network or existing machines get new MAC addresses for whatever
reason, the rest update automatically in a relatively short period of time.There is
absolutely no authentication in this protocol.
When a victim machine broadcasts for the MAC address that belongs to a
particular IP address (perhaps the victim’s default gateway), all an attacker has to
do is answer before the real machine being requested does. It’s a classic race condition.
You can stack the odds in your favor by giving the real gateway a lot of
extra work to do during that time so that it can’t answer as fast.
As long as you properly forward traffic from the victim (or fake a reasonable
facsimile of the servers the victim machine is trying to talk to), the victim might
not notice that anything is different. Certainly, there are noticeable differences, if
anyone cares to pay attention. For example, after such an attack, each packet
crosses the same local area network (LAN) segment twice, which increases traffic
somewhat and is suspicious in itself. Furthermore, the biggest giveaway is that the
ARP cache on the victim machine is changed.That’s pretty easy to watch for, if
someone has prepared for that case ahead of time. One tool for monitoring such
changes is arpwatch, which can be found at: ftp://ee.lbl.gov/arpwatch.tar.gz.
A tool for performing an ARP attack is (for lack of a formal name) grat_arp,
by Mudge (and, he claims, some unidentified friends). One place it can be found
is attached to the following vuln-dev mailing list post: www.securityfocus.com/
archive/82/28493.You can find a good article on the subject (with an embedded
send_arp.c tool) in the following Bugtraq post: www.securityfocus.com/archive/
1/7665.
More to the point is arpspoof, mentioned in Chapter 10. It’s part of the dsniff
set of tools available at www.monkey.org/~dugsong/dsniff.Arpspoof automates
much of the process.
Finally, some of this functionality is already built into the Hunt tool, which
we cover in its own section later in this chapter.
Note that ARP tricks are good not only for getting traffic to flow through
your machine, but also just so you can monitor it at all when you’re in a switched
environment. Normally, when there is a switch (or any kind of Layer 2 bridge)
between the victim and attacking machine, the attacking machine will not get to
www.syngress.com
Session Hijacking • Chapter 11 415
monitor the victim’s traffic. ARP games are one way to handle this problem.
Refer to Chapter 10 for details.
UDP Hijacking
Now that we’ve seen what TCP session hijacking looks like, the rest is easy.We
have problems with TCP due to all the reliability features built into it. If it
weren’t for the sequence numbers,ACK mechanism, and other things that TCP
uses to ensure that packets get where they need to go, our job would be a lot
easier.Well, guess what? The User Datagram Protocol (UDP) doesn’t have those
features; at least, it doesn’t as it is. However, a protocol designer can implement
the equivalents to all those features on top of UDP.Very few attempt even a small
subset of the TCP features.The Network File System (NFS) has something akin
to sequence numbers and a retransmit feature, but it’s vastly simpler than TCP.
So, most of the time, “hijacking” UDP comes down to a race. Can a hacker
get an appropriate response packet in before the legitimate server or client can?
In most cases, the answer is probably yes, as long as the hacker can script the
attack.The attacker needs a tool that watches for the request, then produces the
response he wants to fake as quickly as possible, and then drops that on the wire.
For example, the Domain Name System (DNS) would be a popular protocol
to hijack. Assume that the hacker’s attacking machine is near the client and the
DNS server is located somewhere farther away on the network.Then:
 The hacker wants to pretend to be some Web server, say SecurityFocus.
 The attacker programs his attacking machine to watch for a request for
that name and store a copy of the packet.
 The hacker extracts the request ID and then uses it to finish off a
response packet that was prepared ahead of time that points to his
IP address.
 The client then contacts the hacker’s machine instead of SecurityFocus.
 The client sees a message to the effect of “SecurityFocus has been
0wned.”
Of course, the server wasn’t actually owned in this case, but the user doesn’t
know that, unless he thinks to check the IP address that securityfocus.com had
resolved to. Alternatively, perhaps the hacker made his Web server look exactly
www.syngress.com
416 Chapter 11 • Session Hijacking
like securityfocus.com’s, but all the downloadable security programs have been
turned into Trojan horses. Another piece of the dsniff package, dnsspoof, helps
accomplish this kind of attack.
Examining the Available Tools
More than a few tools that make session hijacking much easier are available
today; in some cases they can automate the process completely.These types of
tools are essential for any security toolbox.We’ve chosen a few of the more functional
and popular ones to discuss here.
Juggernaut
Juggernaut was written by route, editor of Phrack magazine. He wrote about it in
a Phrack article, which can be found at http://staff.washington.edu/dittrich/
talks/qsm-sec/P50-06.txt.
Route gave a demonstration of version 1.0 during a presentation at the first
Black Hat Briefings security conference. In the next issue of Phrack, he released a
patch file that brought the version up to 1.2.This file can be found here:
http://staff.washington.edu/dittrich...ec/P51-07.txt.
Be warned:The patch as it exists has been a little bit mangled. If you try to
apply the patch, you’ll see exactly where it has been altered. I got around this
glitch by deleting the offending patch section and applying the few lines of patch
by hand. Also be careful when you download the files; they’re not HTML, they’re
text. So, if you cut and paste from the Web site into Notepad or something, you
might end up missing some characters that the Web browser has tried to interpret.
So do a Save As instead, or make things easier on yourself and get the whole
thing here: packetstormsecurity.org/new-exploits/1.2.tar.gz.
During testing, Juggernaut was not “seeing” connections until the GREED
option was turned on in the Makefile. See the Install file for directions.
At the time, Juggernaut was a pioneering work, and no similar tools had been
demonstrated. Even today, only a small number of tools attempt the sessionhijacking
function that Juggernaut offers.
Juggernaut has two operating modes.The first is to act as a sniffer of sorts,
triggering on a particular bit of data (the second mode is Normal, which we’ll
get to later). Here’s the online help, which shows the commands:
[root@rh Juggernaut]# ./juggernaut -h
www.syngress.com
Session Hijacking • Chapter 11 417
Usage: ./juggernaut [-h] [-s TOKEN [-e xx] ] [-v] [-t xx]
-h terse help
-H expanded help for those 'specially challanged' people...
-s dedicated sniffing (bloodhound) mode, in which TOKEN
is found enticing
-e enticement factor (defaults to 16)
-v decrease verbosity (don't do this)
-V version information
-t xx network read timeout in seconds (defaults to 10)
Invoked without arguments, Juggernaut starts in `normal` mode.
Displayed is the terse help.The expanded help has much more detailed explanations
as well as some examples. As you can see from the help shown here, this
program has personality. If you start it with the –s option, it acts as a logging
sniffer. For example, you could tell it to look for a “token” of assword (short for
both password and Password) and it would log packets following that word. How
many packets it grabs is the “enticement factor,” so it will default to logging the
next 16 packets, or you can set it higher or lower. Unless you modify the filename
in the source code, it will log packet contents into a file named juggernaut.
log.snif in the directory from which the program was invoked.
Starting the program with no command-line options puts it into Normal
mode, as shown here:
Juggernaut
+------------------------------+
?) Help
0) Program information
1) Connection database
2) Spy on a connection
3) Reset a connection
4) Automated connection reset daemon
5) Simplex connection hijack
6) Interactive connection hijack
7) Packet assembly module
www.syngress.com
418 Chapter 11 • Session Hijacking
8) Souper sekret option number eight
9) Step Down
(This is following a splash screen, and no, Option 8 doesn’t do anything.)
Option 1,“Connection database,” shows a list of TCP connections that the
program has “seen.”You can see an example of a Telnet connection:
Current Connection Database:
-------------------------------------------------
ref # source target
(1) 10.0.0.5 [2211] --> 10.0.0.10 [23]
-------------------------------------------------
Database is 0.20% to capacity.
[c,q] >
The q option here, as in most places in the program, returns you to the ninechoice
main menu.The c option offers to clear the connection database. In order
for a number of the later functions to work, there must be something in the connection
database. So don’t bother with the sniffing or hijacking functions until
this part works for you.
Option 2 is a sniffing function; it lets you spy on connections that it has listed
in the connection database.The following example is a capture from the same
Telnet connection we had in the database before:
Current Connection Database:
-------------------------------------------------
ref # source target
(1) 10.0.0.5 [2211] --> 10.0.0.10 [23]
-------------------------------------------------
Choose a connection [q] >1
Do you wish to log to a file as well? [y/N] >y
Spying on connection, hit `ctrl-c` when done.
www.syngress.com
Session Hijacking • Chapter 11 419
Spying on connection: 10.0.0.5 [2211] --> 10.0.0.10 [23]C
Disk Usage (Jul 3 06:01): Mail – 1705 kilobytes
File Repository - 162 kilobytes
Fax Repository - 1 kilobytes
109 Message(s) In New Mail
[TECNET:Main menu]?
As you can see, we also get the option to save the captured information to a
log. Option 5 is “Simplex connection hijack.”This option simply hijacks the connection
and sends a command without viewing the results on the attacker’s
screen. An example is shown here:
Current Connection Database:
-------------------------------------------------
ref # source target
(1) 10.0.0.5 [2211] --> 10.0.0.10 [23]
-------------------------------------------------
Choose a connection [q] >1
Enter the command string you wish executed [q] >
Finally, we look at Option 6, “Interactive connection hijack.”This is basically
the same as Option 5, but we also get to see the output (just as in Option 2).
Most of the time, a hacker will probably want to use this option when hijacking
so she can see what’s going on when she’s about to break in. For example, if a
hacker is working blind, she wouldn’t want to issues the “echo + + > /.rhosts”
command if the user was in the middle of using vi rather than at a shell prompt.
On the other hand, if the user is in the middle of doing something that is causing
a lot of output, the hacker might prefer the blind hijack so that her screen isn’t
disrupted, too.
Here’s what Option 6 looks like when used:
Current Connection Database:
-------------------------------------------------
www.syngress.com
420 Chapter 11 • Session Hijacking
ref # source target
(1) 10.0.0.5 [2211] --> 10.0.0.10 [23]
-------------------------------------------------
Choose a connection [q] >1
Spying on connection, hit `ctrl-c` when you want to hijack.
NOTE: This will cause an ACK storm and desynch the client until the
connection is RST.
Spying on connection: 10.0.0.5 [2211] --> 10.0.0.10 [23]
Route is no longer maintaining or enhancing Juggernaut, and it does not
appear that anyone else is either, at least not publicly. He did write an enhanced
version called Juggernaut++, and he showed screen shots of it at one point, but
he never released it.
Juggernaut is several years old now.That’s a long time in the world of security
tools, especially for a tool that isn’t being actively developed. It has some limitations,
such as not being able to do connection resynchronization and not being
able to act on connections that belong to the host it’s running on. It will work
on arbitrary TCP ports, though. (Other tools are limited to Telnet or similar protocols.)
Juggernaut is no longer the best tool for the job, but it’s still very enlightening
to read the research that route did to produce such a tool. (Read the
original Phrack article for the story.)
Hunt
Hunt is a tool created by Pavel Krauz.The current version at the time of this
writing is 1.5.The program does not appear to be under active development; the
1.5 version was released on May 30, 2000. It can be found at
http://lin.fsid.cvut.cz/~kra/index.html#HUNT.
Hunt is a more ambitious project than Juggernaut—at least, it has evolved
into such a project. According to the Readme file that comes with the distribution,
one of the reasons Krauz developed this program was to gain were some
features he wanted that weren’t available in Juggernaut.
Like Juggernaut, Hunt has sniffing modes and session hijack modes. Unlike
Juggernaut, Hunt adds some ARP tools to perform ARP spoofing in order to get
www.syngress.com
Session Hijacking • Chapter 11 421
victim hosts to go through an attacking machine, to eliminate the ACK storm
problems typically associated with a TCP session hijack. Here’s what Hunt looks
like when it is launched:
/*
* hunt 1.5
* multipurpose connection intruder / sniffer for Linux
* (c) 1998-2000 by kra
*/
starting hunt
--- Main Menu --- rcvpkt 0, free/alloc 63/64 ------
l/w/r) list/watch/reset connections
u) host up tests
a) arp/simple hijack (avoids ack storm if arp used)
s) simple hijack
d) daemons rst/arp/sniff/mac
o) options
x) exit
->
The -> is Hunt’s prompt, and it is awaiting one of the letters listed as a command.
Hunt keeps track of Telnet and rlogin connections by default, but the code
is written in such a way that it would be very easy to add other types. In the file
hunt.c, in the initialization code for the entry function, is this line:
add_telnet_rlogin_policy();
This function is located in the addpolicy.c file, and here’s the function in
question:
void add_telnet_rlogin_policy(void)
{
struct add_policy_info *api;
api = malloc(sizeof(struct add_policy_info));
assert(api);
memset(api, 0, sizeof(sizeof(struct add_policy_info)));
api->src_addr = 0;
www.syngress.com
422 Chapter 11 • Session Hijacking
api->src_mask = 0;
api->dst_addr = 0;
api->dst_mask = 0;
api->src_ports[0] = 0;
api->dst_ports[0] = htons(23);
api->dst_ports[1] = htons(513);
api->dst_ports[2] = 0;
list_push(&l_add_policy, api);
};
As you can see, it would be pretty trivial to add new port numbers and
simply recompile.
When Hunt latches onto a Telnet or rlogin connection, it displays it in the list
connections menu, as shown here:
-> l
0) 10.0.1.1 [3014] --> 130.212.2.65 [23]
--- Main Menu --- rcvpkt 2664, free/alloc 63/64 ------
l/w/r) list/watch/reset connections
u) host up tests
a) arp/simple hijack (avoids ack storm if arp used)
s) simple hijack
d) daemons rst/arp/sniff/mac
o) options
x) exit
The first two lines are the ones we’re interested in; Hunt often redisplays the
menu immediately following a command.We can see here that Hunt has located
a Telnet connection. Here’s the process to “watch” (sniff ) a connection:
-> w
0) 10.0.1.1 [3014] --> 130.212.2.65 [23]
choose conn> 0
dump [s]rc/[d]st/[b]oth [b]> [cr]
print src/dst same characters y/n [n]> [cr]
CTRL-C to break
www.syngress.com
Session Hijacking • Chapter 11 423
llss
<FF><FA>!<FF><F0><FF><FC><FF><FA>"FF><F0><FF><FA>"b
<FF><F0><FF><FE><FF><FA>"<FF><F0><FF><FA>"<82><E2> <82>
<82>
<82><82><82><82><82><FF><F0><FF><FA>!<FF><F0>
Apps/ Library/ Mailboxes/ Makefile
bookmarks.html
dead.letter mail/ proj1.c public_html/
<FF><FA>!<FF><F0><FF><FB><FF><FA>"<FF><F0><FF><FA>"<FF><FF>b<FF><FF>
<FF><FF>
<FF><FF>
<FF><FF><FF><FF><FF><FF><FF><FF><FF><FF><FF><F0><FF><FA>!<FF><F0>futon>
<FF><FD>
<FF><FA>"<FF><F0><FF><FA>"<82><FF><FF><E2><FF><FF> <82><FF><FF>
<82><FF><FF>
<82><FF><FF><82><FF><FF><82><FF><FF><82><FF><FF><82><FF><FF><FF><F0>
For example, I had Hunt monitor a Telnet connection I had opened, and then
I went to my Telnet window and issued the ls command.You can see the ls command
toward the top (shown as llss) followed by some hex output, and then the
files in my directory, and then more hex.The llss is the result of Hunt displaying
what I typed as well as displaying the server’s response (echoing my characters
back to me). So, it looks like the “print src/dst same characters” choice doesn’t
work quite yet.The hex characters are the terminal formatting characters that
normally take place behind the scenes during a Telnet session.
Of course, we’re not here to use Hunt as a sniffer; that feature is just a convenience.
We want to understand how Hunt is used to hijack connections! Here’s a
demonstration:
-> s
0) 10.0.1.1 [3014] --> 130.212.2.65 [23]
choose conn> 0
www.syngress.com
424 Chapter 11 • Session Hijacking
dump connection y/n [n]> [cr]
Enter the command string you wish executed or [cr]> cd Apps
<FF><FA>!<FF><F0>cd Apps
futon>
Meanwhile, this is what displays in my Telnet window:
futon>
futon> cd Apps
futon>
The output displays on the screen just as though I had typed it into the
Telnet window. Meanwhile, back at the Hunt program:
Enter the command string you wish executed or [cr]> [cr]
[r]eset connection/[s]ynchronize/[n]one [r]> s
user have to type 8 chars and print 0 chars to synchronize connection
CTRL-C to break
When I press Enter to quit sending characters as the client, I’m presented
with the choices to try and resynchronize the client and servers, reset the connection,
or just leave it desynched.Trying the synchronize option was not successful
in this instance; it sat waiting. Entering characters in the Telnet window
didn’t seem to help the resynchronization process. Other attempts at resynchronization
were successful.The factors that seem to play into it are time, length of
the command(s) given as hijacker, how reliable (packet loss) the network is at the
moment, and, of course,TCP implementation.
In most cases, if you’re trying to cover your tracks, you’ll simply want to issue
your command as soon as possible, and then immediately reset the connection.
This is in hopes that the user in front of the legitimate client (if they’re even
there at the time) will simply think it’s another mysterious reset, and just open a
new window without being suspicious in the slightest.
Hunt is not without its faults. In all the interact/display screens I encountered,
where it says press Ctrl-C to break, I found that after I pressed Ctrl-C, I still had
to wait for the monitored machine to transmit something before Hunt would pay
attention to my key-press. (For example, when I was sniffing a Telnet connection, I
pressed Ctrl-C and nothing happened. As soon as I switched to the Telnet
window and pressed a key, Hunt then responded.) Presumably, Hunt’s monitoring
loop is such that it doesn’t check for keystrokes at all times; it probably blocks
www.syngress.com
Session Hijacking • Chapter 11 425
waiting for input from the network, and only after that has cleared does it go back
through the loop and check for input from the Hunt operator.
Hunt’s user interface is also a bit plain and terse. However, that’s one of the
easier things to fix in an application of this sort.The network stuff is the more
difficult, and therefore probably more interesting, part of this problem.The interface
is usable, though, so it’s not all bad. Possibly if one of the readers of this book
is inclined and can program, he or she might contact the Hunt author and see if
he would like help with its interface development.
Ettercap
Ettercap is a multipurpose program used primarily for sniffing, capturing, and
logging traffic on switched LANs. It supports both passive and active dissections
of various protocols. At the time of this writing, Ettercap also includes support for
Secure Shell version 1 (SSH1) and Secure Sockets Layer (SSL) connections.
Ettercap is available from http://ettercap.sourceforge.net and runs on the Mac
OS X, Linux, and BSD OSs. Ettercap uses four modes:
 IP Where the packets are filtered based on source and destination.
 MAC Packet filtering based on MAC address.
 ARP Where ARP poisoning is used to sniff/hijack switched LAN connections
(in full-duplex mode).
 PublicARP Where ARP poisoning is used (in half-duplex mode) to
allow sniffing of one host to any other host.
Let’s look into the use of Ettercap a little further.The following scenarios use
a simple switched network, using Network Address Translation (NAT) behind
RFC1918 IP addresses. It’s a simple home network, one that many small
offices/home offices (SOHOs) use today, largely due to its low cost and the rampant
availability of high-speed cable-modem or digital subscriber line (DSL).A
typical implementation looks something like the one shown in Figure 11.1. In
this particular case, 192.168.1.104 is the session hijacker.
Fire up Ettercap and you’re greeted with a screen that shows you all the hosts
located on the same-switched segment (see Figure 11.2). Use the Tab and Arrow
keys to select the two hosts you want to play with.You should see the source and
destination IPs that you’ve selected noted in the top left of the program.
www.syngress.com
426 Chapter 11 • Session Hijacking
www.syngress.com
Figure 11.1 A Typical SOHO Network
Switched network
Internet
Switch
192.168.1.1
Cable/DSL
E-mail server
Proxy server
192.168.1.101
192.168.1.100 MITM attacker
192.168.1.104 Wireless Access Point
192.168.1.250
Public IP
modem
Figure 11.2 Available Hosts on the Switched Segment
Session Hijacking • Chapter 11 427
Press a to poison the ARP cache of the selected hosts, as shown in Figure 11.3.
You’ll then be presented with a screen listing all the connections between the two
hosts you’ve selected (see Figure 11.4).
In this case, we’ve selected the switch (A Linksys BEFSR81) and a network
client running Windows 2000 Advanced Server.We’ve used the OS
Fingerprinting option to successfully determine 192.168.1.100’s operating
system. Notice the Simple Network Management Protocol (SNMP) traps being
generated by the switch (192.168.1.1) to the Windows 2000 server
(192.168.1.100).This is normally a telltale sign that this host (192.168.1.100) is
being used to manage the switch.
Pressing h anytime as the program runs brings up a short help screen.The
first help screen is from the initial page on which all the segment hosts are listed
(see Figure 11.5).The second help screen appears after a particular host is selected
from that screen (see Figure 11.6).
www.syngress.com
Figure 11.3 Poisoning the ARP Cache
Figure 11.4 Available Connections Between Selected Hosts
428 Chapter 11 • Session Hijacking
Remember what we said before, about UDP session hijacking? It’s much
easier to hijack a session over UDP than it is over TCP due to lack of error correction
and packet delivery “guarantees.” In this particular case, a hacker could
probably get a lot of “bang for the buck” simply by hijacking the SNMP connection.
Why is that, you ask? The simple answer is that if the hacker has access to
the switch’s configuration, he can do myriad things on or to this network. In this
case, the switch is also being used as a gateway to the Internet, so the possibilities
for potential mischief boggle the mind. But let’s move on to something a little
more practical.
www.syngress.com
Figure 11.5 Initial Help Screen Options
Figure 11.6 Selected Connection Options
Session Hijacking • Chapter 11 429
For this scenario, the hacker has FTP running on the server, but the originating
connections are restricted to the host IP of 192.168.1.103.When Ettercap
is run, the hacker sees port 21 on the server come up active and then go right to
a “silent” state.The hacker selects port 21 and establishes a connection between
the FTP server and the client so he can capture, modify, or inject data at will (see
Figure 11.7).
Here we see a whole slew of Microsoft Network traffic from a network client
to the server. Ports 137 and 139 are Microsoft NetBIOS name and session services.
Port 445 is used for Microsoft directory services and provides much of the
same functionality for Server Message Block (SMB) over TCP/IP on Windows
2000 that ports 138 and 139 did under previous versions of Windows OSs.A
recent article at www.newsbytes.com/news/01/169408.html illustrates some of
the security problems this port can create in a typical networked environment.
Interestingly enough, even after you disable NetBIOS over TCP/IP under the
network card’s configuration, this port will still show up.
Let’s say that the hacker selects port 445, which at this time is indicating a
status of “silent.”This is no doubt a mapped drive connection from
192.161.1.103 to the server.When the hacker gets some SMB traffic from a
directory listing or other type of browse here, things will get pretty noisy.
Figure 11.8 shows what part of an active connection looks like (using text
display) from the middle when a client connection is made to a server share. If
the hacker wants, he can also dump this information to a log file for later use.
www.syngress.com
Figure 11.7 SMB Connection Selection
430 Chapter 11 • Session Hijacking
SMBRelay
Let’s take the previous example a bit further.What would be the easiest way
to hijack an SMB session, short of injecting forged packets? Why, SMBRelay,
of course.
SMBRelay is a program written by SirDystic of cDc that allows for SMB
hijacking by forcing the client to be disconnected after the user has authenticated;
the hacker takes over the existing SMB session using the same credentials.The only
way to guard against this action is by enabling SMB signing on both ends.This will
likely cause a 10–15 percent performance drop and effectively breaks most backward-
compatible client connections, so it must be used with caution.
For more details on which registry changes need to be made to support
SMB signing, check out http://support.microsoft.com/support/kb/articles/
Q161/3/72.asp.
Storm Watchers
As we’ll see in detail, ARP games and TCP session hijacking can be very noisy. In
addition, most attacks that can only inject and can’t stop one of the original communicators
from sending will be spottable as well. For example, in our DNS scenario,
the fact that two responses are sent and that they don’t match is a huge
clue that something is wrong. Let’s see what is happening behind the scenes.
Retransmissions and duplicate packets are not uncommon on a normal network,
but in most cases, the packet contents should be the same. For our ARP
and DNS examples, it would be possible to build a tool that watched for
responses, calculated a hash of the packet, and then stored that hash for a period
www.syngress.com
Figure 11.8 SMB Connection Activity
Session Hijacking • Chapter 11 431
of time. If another packet comes in with appropriately matching characteristics,
but the hash doesn’t match, you might have a problem. (You have to take care to
throw out the pieces of the packet you don’t want to consider suspicious, such as,
perhaps, the TTL, before you calculate the hash.) Basically, this is the IDS
approach, with all its benefits and problems.
ACK Storms
We looked at a brief Telnet session-hijacking example earlier in the chapter. In
that example, the goal was to execute a command on the server. For our example,
I deliberately picked a short command from which we didn’t really need the
output.There’s a reason for this:TCP can be pretty messy to hijack.Were a hacker
to try to take over both sides of the conversation or hold a protracted hijacked
TCP conversation, she’d run into some difficulties. Let’s examine why.
Recall that TCP is a “reliable” transport. Since TCP sits atop an unreliable
layer (IP) that will sometimes drop packets, mangle them, or deliver them out of
order,TCP has to take responsibility for taking care of those problems. Essentially,
TCP does this by retransmitting packets as necessary.The TCP software on each
host keeps a copy of all the data it has sent so far, until it receives an ACK packet
from the other end. At that point, it drops the data that has been acknowledged.
If it has data in its sent queue that has not been acknowledged after a certain
amount of time, it sends it again, assuming it got lost in transit.
When a hacker tries to jump into the middle of a TCP conversation and pretend
to be one of the communicating parties, she’s going to be racing one of the
hosts to get a packet with the right sequence numbers onto the wire before the
legitimate host does. (For this example, assume that the hacker can’t block the
packets coming from the legitimate hosts; we’ve discussed cases where they can.)
At some point during the race, the hacker will get one of the packets in before
the real host.When that happens, she’s hijacked the connection.The problem is,
the host that she’s pretending to be and just beat in the race is still going to send
its packet.
The host that just received the hacker’s packet is going to mark it as received,
ACK it when the time comes, and generally move on to later parts of the data
stream.When the host receives a second packet with matching numbers, it will
simply assume that it has received a duplicate packet. Duplicate packets happen all
the time, and the TCP software on hosts is written to ignore any packets that
appear to be for data that they’ve already received.They don’t care that the information
doesn’t seem to match exactly, as would be the case with a true duplicate.
www.syngress.com
432 Chapter 11 • Session Hijacking
During this process, at some point the recipient of the faked packet is going
to send an ACK for it to the other host that it was originally talking to.
Depending on where in the sending phase is the host the hacker is pretending to
be, this ACK might or might not make sense. If the host hasn’t sent the packet
yet when it gets the ACK, as far as it’s concerned it shouldn’t have received it yet.
Most hosts in those circumstances simply ignore the early ACK, send the pending
packet anyway, and wait for another ACK to arrive.
When the server gets what it thinks is another copy of the packet, it sends
another ACK, which is intended to mean that the server had already received that
data and had moved on.When an out-of-order ACK is received, the proper
response is to reply with an ACK packet with the expected sequence number. So,
when the server sends the real client an ACK that the client didn’t expect (i.e.,
the reply to the “illegal”ACK is itself illegal), the client does the same; it sends an
ACK with the expected sequence number.The result is an ACK storm.
The resulting ACK storm continues until one of a few conditions is met.
First, if any of the ACKs get lost or corrupted along the way, the storm will stop.
On a fast, reliable LAN, packets don’t often get dropped. In such an environment,
the ACK storm may continue for some time, unless it gets bad enough to cause
the needed packet loss to stop itself.
Second, once the attacker has sent the commands she needed to send, she can
reset the connection.An RST packet sent from the attacker to the client and/or
server causes them to stop sending the ACKs and, in fact, closes the connection
entirely. From the point of view of the user sitting in front of the client, he’ll see
some sort of “connection aborted” message. For most people, this message is
common enough that they wouldn’t think twice about it and would simply open
a new window. Some Telnet clients even erase the screen the moment a connection
resets or after the dialog box saying that the connection has been reset is
acknowledged (in other words, OK has been clicked). Such behavior makes it
even easier for the attacker to avoid being spotted, since usually the only hint the
legitimate user has that something is wrong is any suspicious output on the
screen.
Third, in some cases it’s possible to resynchronize the client and the server so
that the client can resume its normal activity.This step is problematic, though, and
dependent on a couple of factors.The basic idea is that the original client
machine needs to catch up to where the attacker and server are in the conversation.
For example, if the original client were 100 bytes into a conversation, and
someone breaks in, hijacks the connection, and sends 10 characters to the server
as the client, the server then thinks the client is at 110.The attack program state
www.syngress.com
Session Hijacking • Chapter 11 433
is also at 110 (in case the attacker wants to send more, it keeps track), but the
original client is still thinking it’s at 100.When the hacker wants to resynchronize
the two, she must somehow get the client to catch up. She can’t move the server
back to 100 bytes; she can only move forward. So, as the client sends data, the
hacker spoofs ACK replies for it from the server.The client moves its internal
counter up as it goes until it reaches 110, and then the hacker simply gets out of
the way. At that point, the server and client are back in sync, and the original
client can communicate again.
Of course, the intricacies of how a particular TCP implementation will react
vary from OS to OS. During my testing of Hunt (see the section on Hunt previously
in the chapter), I discovered that a particular combination of client and
server OS would not desynchronize.When connecting to an ancient NextOS
machine (yes, those black cubes that Steve Jobs made after leaving Apple) from a
Red Hat 6.2 client using Telnet, Hunt could inject commands, but the client
would be able to as well.There was no need to resynch when done, because the
client never was desynchronized in the first place.The same test using another
Red Hat 6.2 system as the Telnet server produced the expected result:The original
client could see the commands being typed but could not issue commands.
The ACK storm problem seems to follow the synchronization problem as
well, at least in this case.There was no ACK storm on the NextOS/Linux
combo, but there was with Linux/Linux.
Playing MITM for Encrypted
Communications
As you saw in Chapter 10, widely deployed encryption is one easy way to make
many network hijacking attacks much more difficult. Solutions are available for
all the International Organization for Standardization (ISO) layers, from
encrypting network interface cards (NICs) at Layer 2 all the way up through
numerous Application layer encryption technologies. Most of your typical target
protocols for session hijacking can be replaced with SSH2, which can replace the
functionality of Telnet, FTP, rlogin, and rcp. In addition, you can tunnel other
protocols such as HTTP or X Windows over an SSH2 connection. SSH1 tackles
these problems to some degree as well, but this section, along with Chapter 13,
explains why SSH2 is better.
SSL is another good choice. It’s obviously available for Web servers where it is
most widely deployed, but a lot of folks aren’t aware that it can also be used with
www.syngress.com
434 Chapter 11 • Session Hijacking
the Post Office Protocol (POP), Simple Mail Transfer Protocol (SMTP), Internet
Message Access Protocol (IMAP), and others.
If you decide to go the encryption route to protect yourself, make sure that
you favor standards-based, open, well-established algorithms and protocols.Things
such as SSH2, SSL, and Internet Protocol Security (IPSec) might not be perfect,
but they’ve had a lot more review than most products, and chances are that they
contain fewer holes. As the remaining flaws are found, they will be published
widely, so you’ll know when you need to patch. As a counter example, a number
of remote-control type programs have proved to have either bad cryptography or
bad implementations of good cryptography.
Using cryptography could help you breathe just a little bit easier, but don’t
relax completely just yet. Man-in-the-middle (MITM) attacks have come a long
way since the first printing of this chapter—just when you thought it was safe to
go back into the water.
Man-in-the-Middle Attacks
MITM attacks are probably the most productive types of attacks used today in
conjunction with encrypted protocol hijacking and connection types such as
SSH1 and SSL.
Let’s say, for example, that a typical user attempts a connection to a site that is
SSL enabled. A key exchange occurs with the SSL server and the server’s certifi-
cate is compared to the certificates stored in the Web browser’s trusted root certi-
fication authority’s store. If the certificate information is valid and the certifying
authority is present in the browser’s trusted store with no restrictions, no warning
is generated on the client end by the browser, and a session key is offered for
encrypting the communication between the SSL-enabled site and the client
system.
Suffice it to say, when an MITM attack is started, the client does not connect
to the SSL site that he thinks he does.The hijacker is instead offering bogus credentials
and replaying the client’s information to the SSL site.The hijacker is
making the connection to the SSL server on behalf of the victim and replaying
all the information sent both ways so that he can essentially pick and chose what,
if any, traffic to modify for his potential gain.
Many people have the unfortunate tendency to ignore generated warnings
such as those shown in Figures 11.9 and 11.10.These are actual screens from an
MITM attack scenario using Ettercap (which we talked about briefly before). If
you clicked the button View Certificate under the security alert in the first
www.syngress.com
Session Hijacking • Chapter 11 435
screen, you would find that this certificate is marked “Issued to:VerySign Class 1
Authority.” It’s a cute play on words (VerySign instead of VeriSign), which would
slip right by most of the user populace.This is more a social attack on people’s
ignorance than it is technological wizardry.
Dsniff
Dsniff is a suite of tools that allow passive attacks and sniffing on TCP sessions.
Certain functions, webmitm and sshmitm, also allow this program to do “double
duty” for MITM attacks on both SSH1 and SSL connections. It does this by first
www.syngress.com
Figure 11.9 SSL Certificate Warning from Web Browser
Figure 11.10 Certificate Information
436 Chapter 11 • Session Hijacking
implementing DNS spoofing (see the “UDP Hijacking” section earlier) with
dnsspoof to fool the participating host into thinking that that the Secure HTTP
(HTTPS) or SSH connection is indeed the host to which they intended to
connect.
For example, after an entry for the SSL domain the hacker wants to spoof is
added to the dnsspoof hosts file, the webmitm component presents a self-signed certificate
to the user with webmitm relaying the sniffed traffic to the real domain.
The legitimate domain’s reply is sent through the attacker back to the host that
requested the session. All subsequent communication on this channel takes place
through the attacker’s system.
A typical dnsspoof host file contents look something like this:
192.168.1.103 *.hotmail.com
192.168.1.103 *.anybank.com
Other Hijacking
The other thing we hear is hijacked frequently is terminal sessions. CERT issued
an advisory about these attacks taking place in the wild back at the beginning of
1995; you can find these alerts at www.cert.org/advisories/CA-1995-01.html.
CERT is not one to give out tools or many attack details, so we don’t know
exactly what tool was being used in that instance. However, a number of tools
along those lines were publicly released over the next couple of years following
the CERT advisory. Here’s a list of some of them:
 TTY Hijacker for Linux and FreeBSD at
www.phrack.org/show.php?p=51&a=5.
 Linux kernel loadable module for TTY hijacking at
www.phrack.org/show.php?p=50&a=5.
 Hole in pppd (if setuid root) allows for MITM attacks against TTYs at
securityfocus.com/archive/1/8035.
This is far from a complete list. If you have need of a terminal/TTY hijacker,
your best bet would be to do a search for such for the particular OS you need.
Note that most of the time you need to be root or have a security hole to
exploit.
In this chapter, we covered a number of tools that can be used for attacking
as well as defending.You’ll want your employees to be able to use both so that
they are familiar with how they work and what they look like on a network.This
www.syngress.com
Session Hijacking • Chapter 11 437
goal will probably require a small lab of some sort, and you’ll have to make sure
your employees have the time to experiment.
In order to catch a hacker, you’ve got to think like one. Just as military personnel
must know their enemy before confronting them, so must the security professional
know the hacker. By knowing what weapons hackers use, how they use
them, and when they are most effective, you could very well avoid becoming a part
of the next statistic in the latest info security magazine studies.There are many
resources available, and sometimes it can seem a bit overwhelming to keep track of
them, but it’s a part of the job that must be done regularly. An easier way to get a
handle on this deluge of information is by checking www.securityfocus.com/tools,
http://sourceforge.net, http://packetstormsecurity.org, and www.wiretrip.net.A
quick search should yield the results you desire.
Yes, a great many resources are dedicated to security.A tremendous effort
might not be required for your environment, but if it is, this is what it’s going to
cost. Security is expensive.
www.syngress.com
Required Reading
If you want to be truly proactive in your security efforts, you need to
require that your employees read the same information sources that the
bad guys do. These sources include various mailing lists, such as
Bugtraq, NTBugtraq, vuln-dev, and others. (For more information on
security-reporting mailing lists, please see Chapter 18.) They should also
read the magazines Phrack and 2600 and watch Web sites such as
SecurityFocus.com for new papers, headlines, and articles. All this
reading can be somewhat time consuming, but if you’re going to do
better than simply apply patches when they come out, this is what it’s
going to take.
Tools & Traps…
438 Chapter 11 • Session Hijacking
Summary
In this chapter, we covered session hijacking and looked at examples of how it is
done for TCP, UDP, and others.We went over in detail what happens on a packet
level when an attacker hijacks (desynchronizes) a TCP connection. Problems with
hijacking TCP connections include ARP storms, the commands being displayed
on the victim’s screen, and difficulty with resynchronizing the original client and
server.
We looked at the use of four session-hijacking tools: Juggernaut, Hunt, dsniff,
and Ettercap. Juggernaut is an older tool that can do simple sniffing, session
hijacking, and connection reset. Hunt performs those functions as well as
allowing for ARP hijacking and packet relaying in order to help eliminate ACK
storms. Ettercap and dsniff do all these things and are also useful for session
hijacking with crypted protocols. All are freely available and run on the Linux
platform.
There are two main mechanisms for dealing with hijacking problems: prevention
and detection.The main way to protect against hijacking is encryption. It
should be noted that this method applies mainly to network traffic; terminal
hijackers might still work just fine even if an encrypted protocol is used on the
wire. But as we’ve seen illustrated in this chapter, even some forms of encryption
are not a guarantee.The two main keys to successful prevention with encrypted
protocols include user education and awareness and using streamed ciphered protocols
such as IPSec.The other mechanism is detection. Most hijacking techniques
produce anomalous traffic or behavior (such as connections being reset, or
“hanging,”ACK storms, or strange garbage appearing onscreen).Tools can be and
have been written to watch for some of the signs of these types of attacks.
Solutions Fast Track
Understanding Session Hijacking
The point of hijacking a connection is to steal trust.
Hijacking is a race scenario: Can the attacker get an appropriate response
packet in before the legitimate server or client can? In most cases, the
answer is probably yes, as long as the attacker can script the attack. He’d
need a tool that would watch for the request, then produce the response
he wanted to fake as quickly as possible and then drop that on the wire.
www.syngress.com
Session Hijacking • Chapter 11 439
Anomalous behaviors (changes in protocol communications or increases
in ARP traffic) result from hijacking attempts that either host or perhaps
an intrusion detection system (IDS) can be configured to spot.
Attackers can remotely modify routing tables to redirect packets or get a
system into the routing path between two hosts.
Attackers might spoof Internet Control Message Protocol (ICMP) and
redirect packets to fool some hosts into thinking that there is a better
route via the attacker’s IP address. Modifying an open source, UNIX-like
operating system to not decrement the Time to Live (TTL) and not
send ICMP unreachables could go a long way toward evading traceroute
detection.
In an ARP attack, when a victim machine broadcasts for the Media
Access Control (MAC) address that belongs to a particular IP address
(perhaps the victim’s default gateway), all an attacker has to do is answer
before the real machine being requested does.
Examining Available Tools
Juggernaut, created by route, is the pioneering sniffing and sessionhijacking
tool; it has extensive functionality and runs on arbitrary
Transmission Control Protocol (TCP) ports. Juggernaut is very
interesting although no longer being developed.
Hunt, created by Pavel Krauz, is similar to Juggernaut but adds ARP
spoofing tools.
Ettercap is a multipurpose program used primarily for sniffing,
capturing, and logging traffic on switched local area networks (LANs),
and supports both passive and active dissections of various protocols.
SMBRelay is a program written by SirDystic of cDc that allows for
Server Message Block (SMB) hijacking by forcing the client to be
disconnected after he has authenticated and takes over the existing SMB
session using the same credentials.
ARP games and TCP session hijacking can be very noisy.The timing
and duplication of ACKs exchanged between hosts in a hijacked session
result in an ACK storm. It would be possible to build a tool that
www.syngress.com
440 Chapter 11 • Session Hijacking
watched for responses, calculated a hash of the packet, and then stored
that for a period of time. If another packet comes in with appropriately
matching characteristics but the hash doesn’t match, you might have a
problem.
Playing MITM for Encrypted Communications
Widely deployed encryption is one easy way to make many networkhijacking
attacks much more difficult. SSH2 can replace the
functionality of Telnet, FTP, rlogin, and rcp. In addition, you can tunnel
other protocols such as HTTP or X Windows over an SSH2
connection.
Man in the middle (MITM) attacks are probably the most productive
types of attacks used today in conjunction with encrypted protocol
hijacking and connection types such as SSH1 and SSL.
Q: Are there any solutions to the problems of resynchronization and the command
appearing on the victim’s screen?
A: Despite the technology having been around for a few years, the research in
the area of hijacking techniques is fairly light. No tools have been released
that solve these problems yet. However, from my own research for this
chapter, I suspect that there are some games that could be played with
window-size advertisements that could help in these areas. As new research
and tools are released in this area, we’ll post links to them on the internettradecraft.
com site.
Q: What tools are available for building my own hijacking programs?
A: The basic components of a session hijacker are a packet-sniffing function,
processing, and a raw packet-generating tool.You’ll be responsible for the
www.syngress.com
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book,
are designed to both measure your understanding of the concepts presented in
this chapter and to assist you with real-life implementation of these concepts. To
have your questions about this chapter answered by the author, browse to
www.syngress.com/solutions and click on the “Ask the Author” form.
Session Hijacking • Chapter 11 441
processing logic, but some of the harder parts have been done for you. For
packet-sniffing functions, you’ll want libpcap from the tcpdump.org site.
For packet generation, one popular library is libnet, from the folks at packetfactory.
net. Both of these libraries have a reasonable degree of platform independence,
and they even have Windows NT ports.
 www.tcpdump.org
 www.packetfactory.net
Q: What other related tools are useful in hijacking work?
A: Probably first on the list would be a more full-featured sniffing program of
some sort.The ones that come with Juggernaut and Hunt are okay for quickand-
dirty work, but they leave a lot to be desired. Check out all the sniffer
information available in Chapter 10 of this book.You want whatever tools
you’re able to collect to assist in rerouting traffic if your main session
hijacking tool isn’t adequate in this area.These can include ARP tools, ICMP
redirect tools, or RIP/OSPF/BGP routing protocol-spoofing tools.
mic64 目前離線  
送花文章: 0, 收花文章: 16 篇, 收花: 56 次