CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [62]

hacker sends the server a TCP packet with the predicted sequence number, and the server accepts it as the valid user's next packet.

List the Types of Session Hijacking

Hackers can use two types of session hijacking: active and passive. The primary difference between active and passive hijacking is the hacker's level of involvement in the session. In an active attack, an attacker finds an active session and takes over the session by using tools that predict the next sequence number used in the TCP session.

In a passive attack, an attacker hijacks a session and then watches and records all the traffic that is being sent by the legitimate user. Passive session hijacking is really no more than sniffing. It's used to gather information such as passwords and then to use that information later to authenticate as a separate session.

TCP Concepts: Three-Way Handshake

One of the key features of TCP is reliability and ordered delivery of packets. To accomplish this, TCP uses acknowledgment (ACK) packets and sequence numbers. Manipulating these numbers is the basis for TCP session hijacking. To understand session hijacking, let's review the TCP three-way handshake described in earlier chapters:

1. The valid user initiates a connection with the server. This is accomplished by the valid user sending a packet to the server with the SYN bit set and the user's initial Sequence Number (ISN).

2. The server receives this packet and sends back a packet with the SYN bit set and an ISN for the server, plus the ACK bit set identifying the user's ISN incremented by a value of one.

3. The valid user acknowledges the server by returning a packet with the ACK bit set and incrementing the server's ISN by one.

This connection can be closed from either side due to a timeout, or upon receipt of a packet with the FIN or RST flag set.

Upon receipt of a packet with the RST flag set, the receiving system closes the connection, and any incoming packets for the session are discarded. If the FIN flag is set in a packet, then the receiving system goes through the process of closing the connection, and any packets received while closing the connection are still processed. Sending a packet with the FIN or RST flag set is the most common method hijackers use to close the client's session with the server and take over the session by acting as the client.

Understand Sequence Prediction

TCP is a connection-oriented protocol, responsible for reassembling streams of packets into their original intended order. Therefore, each packet must be assigned a unique number, known as a sequence number (SN), that enables the receiving machine to reassemble the stream of packets into their original and intended order. If the packets arrive out of order, as happens regularly over the Internet, the sequence number is used to reorder the packets correctly. As just illustrated, the system initiating a TCP session transmits a packet with the SYN bit set. This is called a synchronize packet and includes the client's Initial Sequence Number (ISN). The ISN is a pseudorandomly generated number with over 4 billion possible combinations, yet it is statistically possible for it to repeat.

When the acknowledgment (ACK) packet is sent, each machine uses the SN from the packet being acknowledged, plus an increment. This not only properly confirms receipt of a specific packet, but also tells the sender the next expected TCP packet sequence number. Within the three-way handshake, the increment value is 1. In normal data communications, the increment value equals the size of the data in bytes (for example, if you transmit 45 bytes of data, the ACK responds using the incoming packet's SN plus 45).

Figure 7.1 illustrates the sequence numbers and acknowledgments used during the TCP three-way handshake.

FIGURE 7.1 Sequence numbers and acknowledgment during the TCP three-way handshake
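The handshake steps and the increment rule above, worked through in Python as an added example that is not part of the book. It models the three-way handshake arithmetic and then applies the kind of stateful check a firewall or IDS uses: a segment whose sequence or acknowledgment number does not match the tracked state is reported, which is how a forged segment with a mis-predicted sequence number shows up. The "client"/"server" labels and all ISN values are constructed for the example.

```python
from dataclasses import dataclass

# TCP flag bits as laid out in the header's flags byte
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
MOD = 2 ** 32  # sequence numbers are 32-bit and wrap

@dataclass
class Segment:
    src: str           # "client" or "server" (constructed labels, not addresses)
    flags: int
    seq: int
    ack: int = 0
    data_len: int = 0  # payload bytes carried by the segment

def sequence_space(seg: Segment) -> int:
    """How far the sender's sequence number advances: SYN and FIN each
    consume one number, data consumes one number per byte."""
    return seg.data_len + bool(seg.flags & SYN) + bool(seg.flags & FIN)

def expected_ack(seg: Segment) -> int:
    """The ACK value the peer must return for this segment (SN + increment)."""
    return (seg.seq + sequence_space(seg)) % MOD

def three_way_handshake(client_isn: int, server_isn: int) -> list:
    """Steps 1-3 above: SYN, SYN/ACK, ACK, each acknowledging ISN + 1."""
    syn = Segment("client", SYN, seq=client_isn)
    syn_ack = Segment("server", SYN | ACK, seq=server_isn, ack=expected_ack(syn))
    ack = Segment("client", ACK, seq=expected_ack(syn), ack=expected_ack(syn_ack))
    return [syn, syn_ack, ack]

def track_session(segments: list) -> list:
    """Stateful check of the kind a firewall or IDS performs: remember the
    next sequence number expected from each side and the ACK it owes, and
    report any segment that does not match. A forged segment carrying a
    mis-predicted sequence number shows up here as a mismatch.
    Returns a list of (segment index, reason)."""
    expected = {}  # side -> next sequence number we expect from that side
    flagged = []
    for i, seg in enumerate(segments):
        peer = "server" if seg.src == "client" else "client"
        if seg.src in expected and seg.seq != expected[seg.src]:
            flagged.append((i, f"seq {seg.seq} != expected {expected[seg.src]}"))
            continue  # an out-of-sequence segment must not advance state
        if seg.flags & ACK and peer in expected and seg.ack != expected[peer]:
            flagged.append((i, f"ack {seg.ack} != expected {expected[peer]}"))
            continue
        expected[seg.src] = expected_ack(seg)
    return flagged
```

With ISNs of 1000 and 5000, the SYN/ACK carries ack 1001 and the final ACK carries seq 1001, ack 5001; a 45-byte data segment sent at seq 1001 must then be acknowledged with 1046, exactly the increment rule described above.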

Hacking tools used to perform session hijacking do sequence number prediction. In order to successfully
