Computer Security and Penetration Testing: Session Hijacking

Computer Security and Penetration
Testing
Chapter 8
Session Hijacking
Objectives
• Define session hijacking
• Understand what session hijacking entails
• Identify the styles of session hijacking
Computer Security and Penetration Testing 2

Objectives (continued)
• List some session-hijacking tools
• Explain the differences between TCP and UDP
hijacking
• Note measures that defend against session hijacking

TCP Session Hijacking
• Hacker takes control of a TCP session between two

hosts
• TCP session can be hijacked only after the hosts
have authenticated successfully
– Session cannot be initiated until the authentication
process is finished

TCP Session Hijacking (continued)

Session Hijacking – Hacker’s Point of
View
• TCP works with IP to manage data packets
• TCP tracks the packages sent to the receiver
• One popular method of session hijacking is using
source-routed IP packets
• If source routing is turned off
– The hacker can use blind hijacking
– Guessing the responses of the two machines
• Hacker can also be inline between B and C, using a
sniffing program to follow the conversation

View (continued)

View (continued)
• Hacker could find problems for two reasons:
– Host computer that has been hijacked will continue to
send the packets to the recipient
– Recipient gives an ACK to the host computer after
receiving packets from the hacker’s computer

View (continued)

View (continued)

View (continued)

View (continued)
• Continuous ACK Transfer
– Three ways to stop a continuous ACK transfer
• Losing the ACK packet
• Ending the connection
• Resynchronizing the client and server

TCP Session Hijacking with Packet
Blocking
• Packet blocking solves the ACK storm issue
– And facilitates TCP session hijacking
• ACK storm happens because the attacker was not
in a place to stop or delete packets sent by trusted
computer
• Attacker must be in control of the connection itself
– So that the session authentication takes place
through the attacker’s chosen channel

TCP Session Hijacking with Packet
Blocking (continued)
• Hacker can wait for the ACK packet to drop
– Or manually synchronize the server and client records
by spoofing
• If a hacker can block the packets
– Can drop exact number of packets desired for
transfer

Methods
• Route Table Modification
– All computers that use TCP/IP keep a route table
– A route table shows the way to the address sought
• Or way to nearest source that might know the address
– Route table has two sections
• Active routes and active connections
– If the route table can’t locate a perfect match of the IP
address
• It searches for the closest possible match in the list of
network addresses

Methods (continued)
• Route Table Modification (continued)
– After the match is found, the IP address of Computer
A sends the packets to the IP address
– If the route table cannot find a match, it refers the
request to the network gateway
– Active connections section shows the network
addresses of the computers
• That are connected with the host computer

Methods (continued)
– Hacker changes the route table
– Host computer assumes that the best possible path
for the transfer of data packets is through the hacker’s
computer

Methods (continued)
– Hackers can modify a route table using two methods
• Erase all necessary records from the route table
– And then provide the hacker’s own IP address as
the default gateway address
• Change the corresponding route in the route table of
the gateway router

Session Hijacking Tools - Hunt
• Developed by Pavel Krauz
– Inspired by Juggernaut
• Performs sniffing and session hijacking
• Menu options: listing, watching, and resetting
connections
• Hunt tool can hijack a session through ARP attacks

Hunt (continued)
• Hunt allows hacker to synchronize the connection
among the host and the server
– During session hijacking

UDP Hijacking
• User Datagram Protocol (UDP)

– Connectionless protocol that runs on top of IP
networks
• UDP/IP provides very few error recovery services
– Offers direct way to send and receive datagrams over
an IP network
– Used primarily for broadcasting messages

UDP Hijacking (continued)
• More vulnerable to hijacking

– Hacker needs only to sniff the network for a UDP
request for a Web site and drop a spoofed UDP
packet in before the Web server responds

Prevention and Mitigation
• To defend against session hacking, use encrypted
protocols and practice storm watching

Encryption
• Hacker needs to be authenticated on the network to
be able to successfully hijack a session
• If the data transfer is encrypted
– It is far too complicated and time consuming to get
authenticated
• Standard protocols like POP3, Telnet, IMAP, and
SMTP are excellent targets
– Because they transfer data as plaintext

Encryption (continued)

Encryption (continued)

Storm Watching
• Refers to setting an IDS rule to watch for abnormal
increases in network traffic
– And to alert the security officer when they occur
• An unexpected increase in traffic could be evidence
of an ACK storm
• Packet size can be cached for a short period
– Two packets with the same header information but
different sizes could be evidence of a hijacking in
progress

Summary
• TCP session hijacking takes place when a hacker
takes control of a TCP session between two hosts
• A successful hijacking takes place when a hacker
intervenes in a conversation, takes the role of either
host or recipient, and then receives packets before
the actual host
• Session hijacking can be accomplished by using
source-routed IP packets, blind hijacking or a man-in-
the-middle attack

Summary (continued)
• Three ways of stopping a continuous ACK transfer:
losing an ACK packet, ending the TCP connection,
and resynchronizing the client and server
• Packet blocking places the hacker in the actual flow of
packets, solving the problem of the ACK transmission
storm
• TCP session hijacking with packet blocking can be
performed in two ways:
– Modify route table
– Initiate an ARP attack

Summary (continued)
• Hunt: popular tool used for session hijacking
• UDP has a small number of error recovery features
and is therefore more vulnerable to hijacking
• Two methods to prevent session hijacking
– Encryption
– Storm watching

Computer Security and Penetration
Testing
Chapter 9
Hacking Network Devices
Objectives

Identify the vulnerabilities of proxy servers

Identify the vulnerabilities of routers and switches

Identify the vulnerabilities of firewalls

Identify the vulnerabilities of virtual private networks (VPNs)

Proxy Servers

Perform the following functions

Restrict users from accessing specific Web sites using
Internet access rules

Mask the IP of the users’ PCs within the network from
outside connections

Maintain logs of the requests and the details of users that are
accessing the Internet

Maintain a cache of the sites that users on the network have
visited

Proxy Servers (continued)

A proxy server is simple to install

It is often part of the operating system of a server

A proxy server is simple to use

And is often included in router and firewall software

The user interacting via the proxy server is hidden

But can be traced through the log stored on the proxy server

Categories of Attacks

Attacks groups:

Attacks made upon proxy servers

Attacks made through proxy servers

Attacks made through proxy servers include

Buffer overflow attacks

Denial-of-service attacks

Session-hijacking attacks

Categories of Attacks (continued)

Concealed identity

Proxy servers hide a user’s real identity

Hackers use this model to perform hacking operations
anonymously

Hacker’s IP and time of attack is, however, maintained on the
proxy server

Two ways to avoid this logging problem

Hacker might use a chain of proxy servers

Hacker can spoof the valid authentication details of a
network



Routers and Switches

Routers and switches both segment a network

And most can filter packets

Switches are considered to have lower security than routers

Switches are often viewed as internal network components

With the advent of VLAN technology on switches

Some networks are being designed with gateway switches

VLANs are a form of logical network segmentation

Routers and Switches (continued)

Attacks on Routers and Switches

If the attacker has access to the console port of the router

He can easily set a remote user for the router or switch

Default password for Cisco routers is admin/admin

See Table 9-1

Router Exploits

Port scans are used to discover whether ports are open, what
applications are using the ports

And even the operating system of the system being scanned

Hackers can perform many attacks on routers and switches
remotely

Some basic router attacks

Denial-of-Service (DoS) Attack

Distributed Denial-of-Service (DDoS) Attack

Route Table Modification Attack

Router Exploits (continued)

Firewalls

Often considered the ultimate one-point solution for securing
networks

From both internal and external threats

Main function of a firewall

Centralize access control for the network by keeping an eye
on both inbound and outbound traffic

Preventing unauthorized users and malicious code from
entering a network

Some firewalls can filter the packets on the application layer

Firewalls (continued)

Firewalls are designed to be transparent to authorized network
users

And very intrusive to unauthorized users

Firewalls (continued)

Limitations of Firewalls

Limitations

Firewalls have a limited ability to check data integrity

Firewalls cannot filter packets that are not sent through them

Firewalls from different vendors may not work well together

Firewalls do not provide robust support for application
security

Firewalls do not provide a complete solution for stopping
malicious code from entering a network

Limitations of Firewalls (continued)

Limitations (continued)

Firewalls may not detect attacks if they are not configured
properly

Firewalls cannot detect hackers using a valid username and
password

Firewalls are effective only if security policies are established
and enforced

Types and Methods of Firewall Attacks

Firewall attacks can be organized into three categories

Spoofing

Session hijacking

Denial of service

Three basic methods to hack a firewall:

Back doors

Root access

Through the Web

(continued)

Back doors

An alternate method used by hackers to access a network

After an attack, a hacker may leave an alternate route that can
be used to hack the network again

Two ways to restore a computer after an attack:

Format the computer and reinstall the data

Fix the bug used by the hacker to access the computer

Using various techniques, a hacker can lure or fool a user into
creating a back door

(continued)

(continued)

Root access

Used when hackers want to return to a network and
manipulate its data

By using root or administrative access

Hacker attempts to gain this access by either using a back
door to sniff the passwords

Or by using some other programming code to hijack a
session

Hacker installs a rootkit that is used for a variety of purposes

(continued)

(continued)

Through the Web

Hacker can break into a firewall through the Web in many
ways

Since the majority of firewalls permit access to remote Web
servers

Search engines can be used to find information about
particular firewalls

A firewall should be considered one piece of the multitier
security solution for your organization

VPNs

Virtual private network (VPN)

Allows employees to access their company’s network from a
remote location

Using the Internet as a transport vehicle

VPN uses protocols like point-to-point tunneling (encrypted
data tunneling)

To send and receive information over the network

Threats through VPN

Attacks on a company’s network through a VPN are often
indirect

And a result of successfully hacking a remote user’s computer

If a VPN connection is sometimes used on the compromised
computer

The hacker can acquire the necessary information

Threats through VPN (continued)

A VPN connection of a valid user can be used to perform many
attacks on a network, including

DoS, session hijacking, and spoofing

Ways to Safeguard the Network from
Attacks through VPNs

Basic steps for safeguarding the VPN links

Protect your home computer’s physical environment

Do not use the “save” function for VPN passwords

Install a host-based (personal) firewall on the remote
computer

Install a host-based intrusion detection system (IDS) on the
remote computer

Ways to Safeguard the Network from
Attacks through VPNs (continued)

Basic steps for safeguarding the VPN links (continued)

Install antivirus software

Perform more than one level of security checks

Audit the personal computers of remote users

Require username/password entry to remote computers

Summary

Network devices like proxy servers, routers, switches, firewalls,
and VPNs are often targeted by attackers

Networking software can be divided into three categories:
security software, connection software, and transport software

Networking devices allow the computers on a network to interact
with each other

Proxy servers restrict users from accessing specific Web sites

Summary (continued)

Attacks made through proxy servers include buffer overflow
attacks, denial-of-service attacks, and session-hijacking attacks

Routers and switches are used to segment a network

If a hacker has access to the console port of the router, he can
easily set a remote user for the router or switch

Attacks made on routers include DoS attacks, DDoS attacks, and
route table modification

Firewalls centralize access control for the network

Summary (continued)

Firewall have several liabilities

Types of firewall attacks include spoofing, session hijacking, and
denial-of-service (DoS) attacks

Firewall hacking methods include back doors, root access, and
Web access

Virtual private networks (VPNs) allow users to securely access
their network from a remote location through the Internet

Threats through VPN are considered indirect attacks

Computer Security and Penetration Testing: Session Hijacking

Uploaded by

Copyright:

Available Formats

Computer Security and Penetration Testing: Session Hijacking

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Computer Security and Penetration Testing: Session Hijacking

Uploaded by

Copyright:

Available Formats

Computer Security and Penetration

Computer Security and Penetration Testing 2

Computer Security and Penetration Testing 3

• Hacker takes control of a TCP session between two

Computer Security and Penetration Testing 4

Computer Security and Penetration Testing 5

Computer Security and Penetration Testing 6

Computer Security and Penetration Testing 7

Computer Security and Penetration Testing 8

Computer Security and Penetration Testing 9

Computer Security and Penetration Testing 10

Computer Security and Penetration Testing 11

Computer Security and Penetration Testing 12

Computer Security and Penetration Testing 13

Computer Security and Penetration Testing 15

Computer Security and Penetration Testing 16

Computer Security and Penetration Testing 18

Computer Security and Penetration Testing 21

Computer Security and Penetration Testing 22

Computer Security and Penetration Testing 24

Computer Security and Penetration Testing 25

• User Datagram Protocol (UDP)

Computer Security and Penetration Testing 26

• More vulnerable to hijacking

Computer Security and Penetration Testing 27

Computer Security and Penetration Testing 28

Computer Security and Penetration Testing 29

Computer Security and Penetration Testing 30

Computer Security and Penetration Testing 31

Computer Security and Penetration Testing 32

Computer Security and Penetration Testing 33

Computer Security and Penetration Testing 34

Computer Security and Penetration Testing 35

Computer Security and Penetration Testing 37

Computer Security and Penetration Testing 38

Computer Security and Penetration Testing 40

Computer Security and Penetration Testing 41

Computer Security and Penetration Testing 42

Computer Security and Penetration Testing 43

Computer Security and Penetration Testing 44

Computer Security and Penetration Testing 45

Computer Security and Penetration Testing 46

Computer Security and Penetration Testing 47

Computer Security and Penetration Testing 49

Computer Security and Penetration Testing 51

Computer Security and Penetration Testing 52

Computer Security and Penetration Testing 53

Computer Security and Penetration Testing 54

Computer Security and Penetration Testing 55

Computer Security and Penetration Testing 56

Computer Security and Penetration Testing 57

Computer Security and Penetration Testing 58

Computer Security and Penetration Testing 59

Computer Security and Penetration Testing 60

Computer Security and Penetration Testing 61

Computer Security and Penetration Testing 62

Computer Security and Penetration Testing 63

Computer Security and Penetration Testing 65

Computer Security and Penetration Testing 66