CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [63]

perform a TCP sequence prediction attack, the hacker must sniff the traffic between two systems. Next, the hacker or the hacking tool must successfully guess the sequence number or locate an ISN to calculate the next sequence number. This can be more difficult than it sounds, because packets travel very fast.

When the hacker is unable to sniff the connection, it becomes much more difficult to guess the next sequence number. For this reason, most session-hijacking tools include features to permit sniffing the packets to determine the sequence numbers.

Hackers generate packets using a spoofed IP address of the system that had a session with the target system. The hacking tools issue packets with the sequence numbers that the target system is expecting. But the hacker's packets must arrive before the packets from the trusted system whose connection is being hijacked. This is accomplished by flooding the trusted system with packets or sending a RST packet to the trusted system so that it is unavailable to send packets to the target system.

What Are the Steps in Performing Session Hijacking?

In summary, session hijacking involves the following three steps to perpetrate the attack:

Tracking the session: The hacker identifies an open session and predicts the sequence number of the next packet.

Desynchronizing the connection: The hacker sends the valid user's system a TCP reset (RST) or finish (FIN) packet to cause it to close the session. Alternatively, the hacker can use a DoS tool to disconnect the user from the server.

Injecting the attacker's packet: The hacker sends the server a TCP packet with the predicted sequence number, and the server accepts it as the valid user's next packet.
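From the defender's side, the three steps leave a recognisable trace in a capture: a connection that has just been reset keeps carrying data segments with exactly the sequence number the server expects. The following check is an added example, not code from the book or from any tool named on this page; the packet records, addresses and sequence numbers are constructed, and a real monitor would key flows on the full 4-tuple rather than on addresses alone.

```python
"""Offline check for the desynchronize-then-inject pattern described above:
a flow that receives a reset yet keeps carrying in-sequence data."""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst flags seq length")

def flow_key(pkt):
    """Direction-agnostic key; a real monitor would key on the full 4-tuple."""
    return tuple(sorted((pkt.src, pkt.dst)))

def find_post_reset_data(packets):
    """Return one finding per data segment seen on a flow after a RST.

    in_sequence is True when the segment carries exactly the sequence number
    the receiver expects (the injected packet of step 3), False for an older
    number (a stale retransmission), None when no earlier data is known.
    """
    reset_at = {}   # flow -> index of the first RST seen on that flow
    next_seq = {}   # (src, dst) -> next sequence number expected that way
    findings = []
    for idx, pkt in enumerate(packets):
        flow = flow_key(pkt)
        if "R" in pkt.flags:
            reset_at.setdefault(flow, idx)
            continue
        if pkt.length == 0:
            continue  # pure ACKs do not consume sequence space
        expected = next_seq.get((pkt.src, pkt.dst))
        if flow in reset_at:
            findings.append({
                "index": idx, "src": pkt.src, "dst": pkt.dst, "seq": pkt.seq,
                "reset_index": reset_at[flow],
                "in_sequence": None if expected is None else pkt.seq == expected,
            })
        if expected is None or pkt.seq >= expected:
            next_seq[(pkt.src, pkt.dst)] = pkt.seq + pkt.length
    return findings

# Constructed capture (not real traffic): client 10.0.0.5 talks to server
# 10.0.0.9, a RST reaches the client, then a segment carrying exactly the
# sequence number the server expects appears on the same flow.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.9", "PA", 1000, 20),
    Packet("10.0.0.9", "10.0.0.5", "A", 5000, 0),
    Packet("10.0.0.5", "10.0.0.9", "PA", 1020, 10),
    Packet("10.0.0.9", "10.0.0.5", "R", 5000, 0),    # client's session torn down
    Packet("10.0.0.5", "10.0.0.9", "PA", 1030, 30),  # in-sequence data after the RST
    Packet("10.0.0.5", "10.0.0.9", "PA", 1020, 10),  # stale duplicate, out of sequence
]
```

Only the in-sequence finding is consistent with step 3; an out-of-sequence segment after a reset is the kind of stale retransmission a monitor should expect to see occasionally.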

Hacking Tools

Juggernaut is a network sniffer that can be used to hijack TCP sessions. It runs on Linux operating systems and can be used to watch for all network traffic, or it can be given a keyword such as a password to look for. The program shows all active network connections and the attacker can then choose a session to hijack.

Hunt is a program that can be used to sniff and hijack active sessions on a network. Hunt performs connection management, Address Resolution Protocol (ARP) spoofing, resetting of connections, monitoring of connections, Media Access Control (MAC) address discovery, and sniffing of TCP traffic.

TTYWatcher is a session-hijacking utility that allows the hijacker to return the stolen session to the valid user as though it was never hijacked. TTYWatcher is only for Sun Solaris systems.

IP Watcher is a commercial session-hijacking tool that lets an attacker monitor connections and take over a session. This program can monitor all connections on a network, allowing the attacker to watch an exact copy of a session in real time.

T-Sight is a session monitoring and hijacking tool for Windows that can assist when an attempt at a network break-in or compromise occurs. With T-Sight, a systems administrator can monitor all network connections in real time and observe any suspicious activity that takes place. T-Sight can also hijack any TCP session on the network. For security reasons, Engarde Systems licenses this software only to predetermined IP addresses.

The Remote TCP Session Reset Utility displays current TCP session and connection information such as IP addresses and port numbers. The utility is primarily used to reset TCP sessions.

Dangers Posed by Session Hijacking

TCP session hijacking is a dangerous attack: most systems are vulnerable to it, because they use TCP/IP as their primary communication protocol. Newer operating systems have attempted to secure themselves from session hijacking by using pseudorandom number generators to calculate the ISN, making the sequence number harder to guess. However, this security measure is ineffective if the attacker is able to sniff packets, which gives the attacker all the information required to perform this attack.

The following are reasons why it's important for a CEH to be aware of session hijacking:

■ Most computers are vulnerable.

■ Few countermeasures are available.
