Ceh v5 module 10 session hijacking

Module X
Session Hijacking
Ethical Hacking
Version 5

EC-Council
Copyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Module Objective
This module will familiarize you with the following:
Session Hijacking
Difference between Spoofing and Hijacking
Steps to Conduct a Session Hijacking Attack
Types of Session Hijacking
Performing Sequence Number Prediction
TCP/IP Hijacking
Session Hijacking Tools
Countermeasures to Session Hijacking

EC-Council
Module Flow
Session Hijacking
Countermeasures
Session Hijacking Tools
TCP/ IP Hijacking
Types Of Session Hijacking
Session Hijacking Steps
Spoofing vs. Hijacking
Sequence Number
Prediction

EC-Council
What is Session Hijacking?
TCP session hijacking is when
a hacker takes over a TCP
session between two machines
Since most authentication
only occurs at the start of a
TCP session, this allows the
hacker to gain access to a
machine

EC-Council
Understanding Session Hijacking
Understanding the flow of
message packets over the
Internet by dissecting the TCP
stack
Understanding the security
issues involved in the use of
IPv4 standard
Familiarizing with the basic
attacks possible due to the
IPv4 standard

EC-Council
John (Victim)
Spoofing vs. Hijacking
In a spoofing attack, an attacker does not actively take
another user offline to perform the attack
He pretends to be another user, or machine to gain access
Attacker
I am
John and
here are m
y credentials
Server

EC-Council
Spoofing vs. Hijacking (cont’d)
With a hijacking, an attacker takes over an existing
session, which means he relies on the legitimate user to
make a connection and authenticate
Subsequently, the attacker takes over the session
John (Victim)
Attacker
ARP spoofs John’s IP and
hijacks the session
Server
John logs on to the server
with his credentials
Attacker predicts the sequence and
kills John’s connection

EC-Council
Steps in Session Hijacking
1. Place yourself between the victim and the
target (you must be able to sniff the
network)
2. Monitor the flow of packets
3. Predict the sequence number
4. Kill the connection to the victim’s machine
5. Take over the session
6. Start injecting packets to the target server

EC-Council
Types of Session Hijacking
There are two types of session hijacking attacks:
Active
• In an active attack, an attacker finds an active session and
takes over
Passive
• With a passive attack, an attacker hijacks a session, but sits
back, and watches and records all the traffic that is being sent
forth

EC-Council
ACK
Seq: 4002Ack :7001
Bob
Server
SYN
Seq.:4000
SYN/ACK
Seq:7000, Ack: 4001
The 3-Way Handshake
If the attacker can anticipate the next SEQ/ACK number Bob will
send, he will spoof Bob’s address and start a communication with the
server

EC-Council
TCP Concepts 3-Way Handshake
1. Bob initiates a connection with the server. Bob sends a packet to the
server with the SYN bit set
2. The server receives this packet and sends back a packet with the SYN
bit and an ISN (Initial Sequence Number) for the server
3. Bob sets the ACK bit acknowledging the receipt of the packet and
increments the sequence number by 1
4. The two machines have successfully established a session

EC-Council
Sequence Numbers
Sequence numbers are important in providing a reliable
communication and are also crucial for hijacking a
session
Sequence numbers are a 32-bit counter. Therefore, the
possible combinations can be over 4 billion
Sequence numbers are used to tell the receiving
machine what order the packets should go in, when they
are received
Therefore, an attacker must successfully guess the
sequence numbers in order to hijack a session

EC-Council
Sequence Number Prediction
After a client sends a connection request (SYN) packet to the
server, the server will respond (SYN-ACK) with a sequence number
of choosing, which then must be acknowledged (ACK) by the client
This sequence number is predictable; the attack connects to a
server first with its own IP address, records the sequence number
chosen, then opens a second connection from a forged IP address
The attack doesn't see the SYN-ACK (or any other packet) from the
server, but can guess the correct response
If the source IP address is used for authentication, then the
attacker can use the one-sided communication to break into the
server

EC-Council
TCP/IP Hijacking
TCP/IP hijacking is a hacking technique that
uses spoofed packets to take over a connection
between a victim and a target machine
The victim's connection hangs, and the hacker
is then able to communicate with the host
machine as if the attacker were the victim
To launch a TCP/IP hijacking attack, the
hacker must be on the same network as the
victim
The target and the victim machines can be
anywhere

EC-Council
TCP/IP Hijacking
Source: 10.1.0.100
Destination: 10.1.0.200
Seq#: 1429775024
Ack#: 1250510167
Len: 71
Source: 10.1.0.200
Seq#: 1250510000
Ack#: 1429775024
Len: 167
Source: 10.1.0.100
Seq#: 1429775000
Ack#: 1250510000
Len: 24
Computer A
Computer B
Hacker
1
2
3

EC-Council
RST Hijacking
RST hijacking involves injecting an authentic-looking
reset (RST) packet
Spoof the source address and predict the
acknowledgment number
The victim will believe that the source actually sent the
reset packet and will reset the connection
RST Packet
Spoofed Source Address with
predicted ACK number
Connection Reset
1
2

EC-Council
Programs that Perform Session
Hijacking
There are several programs available
that perform session hijacking
The following are a few that belong in
this category:
• Juggernaut
• Hunt
• TTY Watcher
• IP Watcher
• T-Sight
• Paros HTTP Hijacker

EC-Council
Juggernaut is a network sniffer that can be used
to hijack TCP sessions. It runs on Linux
operating systems
Juggernaut can be set to watch for all network
traffic, or it can be given a keyword (e.g. a
password ) to look out for
The objective of this program is to provide
information about ongoing network sessions
The attacker can see all of the sessions and
choose a session to hijack
Hacking Tool: Juggernaut

EC-Council
Hunt is a program that can
be used to listen, intercept,
and hijack active sessions on
a network
Hunt offers:
• Connection management
• ARP spoofing
• Resetting connection
• Watching connection
• MAC address discovery
• Sniffing TCP traffic
Hacking Tool: Hunt

EC-Council
Hacking Tool: TTY Watcher
TTY watcher is a utility to monitor and control users on
a single system
Anything the user types into a monitored TTY window
will be sent to the underlying process. In this way, you
are sharing a log in session with another user
After a TTY has been stolen, it can be returned to the
user as though nothing happened
(Available only for Sun Solaris Systems)

EC-Council
Hacking Tool: IP Watcher
http://engarde.com
IP watcher is a commercial session
hijacking tool that allows you to
monitor connections and has active
facilities for taking over a session
The program can monitor all
connections on a network, allowing
an attacker to display an exact copy
of a session in real-time, just as the
user of the session sees the data

EC-Council
Session Hijacking Tool: T-Sight
http://engarde.com
T-Sight is a session hijacking tool
for Windows
With T-Sight, you can monitor all of
your network connections (i.e.
traffic) in real-time, and observe the
composition of any suspicious
activity that takes place
T-Sight has the capability to hijack
any TCP sessions on the network
Due to security reasons, Engarde
Systems licenses this software to
pre-determined IP addresses

EC-Council
Remote TCP Session Reset Utility

EC-Council
Paros HTTP Session Hijacking Tool
Paros is a man-in-the-middle proxy and
application vulnerability scanner
It allows users to intercept, modify, and
debug HTTP and HTTPS data on-the-fly
between a web server and a client browser
It also supports spidering, proxy-chaining,
filtering, and application vulnerability
scanning

EC-Council
Paros Untitled Session

EC-Council
Paros HTTP Session Hijacking Tool
Victim in Boston
The victim’s
machine is
infected with
trojan which sets
the proxy of IE to
attacker’s
machine
Hacker in Russia
Target Server in
NYC
Hacker intercepts and
injects his own packets
since http traffic is
routed through him
IP: X.2.2.2

EC-Council
Dangers Posed by Hijacking
1. Most computers are vulnerable (using TCP/IP)
2. You can do little to protect against it unless you switch to another
secure protocol
3. Hijacking is simple to launch
4. Most countermeasures do not work unless you use encryption
5. Hijacking is dangerous (theft of identity, fraud, and so on)

EC-Council
Protecting against Session Hijacking
1. Use encryption
2. Use a secure protocol
3. Limit incoming connections
4. Minimize remote access
5. Educate the employees

EC-Council
Countermeasure: IP Security
Is a set of protocols developed by
the IETF to support the secure
exchange of packets at the IP layer
Deployed widely to implement
Virtual Private Networks (VPNs)
IPsec supports two encryption
modes:
• Transport
• Tunnel
• The sending and receiving devices
must share a public key

EC-Council
IP-SEC

EC-Council
Summary
In the case of a session hijacking, an attacker relies on the
legitimate user to connect and authenticate, and will then take over
the session
In a spoofing attack, the attacker pretends to be another user or
machine to gain access
Successful session hijacking is extremely difficult, and is only
possible when a number of factors are under the attacker's control
Session hijacking can be active or passive in nature depending on
the degree of involvement of the attacker
A variety of tools exist to aid the attacker in perpetrating a session
hijack
Session hijacking could be dangerous, and therefore, a need for
implementing strict countermeasures

Ceh v5 module 10 session hijacking

Recommended

More Related Content

What's hot (20)

Viewers also liked (9)

Similar to Ceh v5 module 10 session hijacking (20)

More from Vi Tính Hoàng Nam (20)

Recently uploaded (20)

Ceh v5 module 10 session hijacking