Professional Documents
Culture Documents
2008 Batch-I
Module X
Session Hijacking
Scenario
Picture Source:
http://benjamin.hodgens.net/blake/geek.jpg
Module Objectives
Understanding
Spoofing vs. Hijacking
Session Hijacking
Types of
Session Hijacking Steps
Session Hijacking
Countermeasures
Understanding session hijacking
A spoofing attack is
different from a hijack as an
attacker is not actively
taking another user offline
Bob (VICTIM)
to perform the attack. He
I am Bob!
pretends to be another user
or machine to gain access.
ATTACKER
Spoofing vs. Hijacking
1. Tracking the
session
2. Desynchronizing
the connection
3. Injecting the
attacker’s packet
Types of Session Hijacking
Passive
• With a passive attack, an attacker hijacks a session
and sits back, watching and recording all the traffic
that is being sent forth.
The 3-Way Handshake
SYN
Seq.:4000
SYN/ACK
Seq:4001,Ack: 7000
ACK
Seq: 4002, Ack :7001
DATA
Seq:4003, Ack: 7002
DATA
Seq: 4004, Ack: 7003
SERVER
BOB
If the attacker can anticipate the next number Bob will send, he can
spoof Bob’s address and start communication with the server.
TCP Concepts 3 Way Handshake
http://www.l0t3k.org/tools/Spoofing/1.2.tar.gz
Juggernaut is a network sniffer that can be used to
hijack TCP sessions. It runs on Linux operating systems.
Juggernaut can be set to watch for all network traffic or
it can be given a keyword (e.g. a password ) to look out
for.
The objective of this program is to provide information
about ongoing network sessions.
The attacker can see all the sessions and choose a
session to hijack.
Hacking Tool: Hunt
http://lin.fsid.cvut.cz/^kra/index.html
Hunt is a program that can be used to listen, intercept,
and hijack active sessions on a network.
Hunt Offers:
• Connection management
• ARP Spoofing
• Resetting Connections
• Watching Connections
• MAC Address discovery
• Sniffing TCP traffic
Hacking Tool: TTY Watcher
http://www.cerias.purdue.edu
TTY-watcher is a utility to monitor and control users on
a single system.
Anything the user types into a monitored TTY window
will be sent to the underlying process. In this way the
login session is being shared with another user.
After a TTY has been stolen, it can be returned to the
user as though nothing happened.
(Available only for Sun Solaris Systems.)
Hacking Tool: IP watcher
http://engarde.com
http://engarde.com
T-Sight, an advanced intrusion
investigation and response tool for
Windows NT and Windows 2000,
can assist when an attempt at a
break-in or compromise occurs.
With T-sight one can monitor all
the network connections (i.e. traffic)
in real-time and observe any
suspicious activity that takes place.
T-Sight has thecapability to hijack
any TCP session on the network.
For security reasons, Engarde
Systems licenses this software to pre-
determined IP address.
T-Sight (contd.)
Remote TCP Session Reset Utility
Scenario (contd.)
etc.)
Protecting against Session Hijacking
1. Use Encryption
http://h30097.www3.hp.com/unix/ipsec/
Summary