Concept | At its simplest level, TCP hijacking relies on the violation of trust relationships between two interacting hosts. Before we go into the details of session hijacking, let us take a look at the TCP stack and the IPv4 protocol, to understand why this attack is possible. |
Consider the everyday scenario in which you access the Internet with your browser - say Internet Explorer (IE). IE works at the application layer and produces the initial datagram to be sent across the Internet. The transport protocol comes into action in the next layer - aptly called the transport layer - where the appropriate protocol header is added to the datagram. Here it is the TCP header, as TCP is the protocol being used. TCP ensures the reliability of data carried over inherently unreliable communication platforms, and also controls many aspects of the initiation and management of communication between the two hosts. In the network layer, routers offer the functionality for the datagram to hop from source to destination, one hop at a time; this layer adds the IP header to the datagram. The final layer, which communicates with the physical hardware, is the data link layer. It is responsible for the delivery of signals from source to destination over a physical communication platform, which in this case is Ethernet. This layer adds the frame header to the datagram.
Now, the headers are peeled back on reaching the destination to reveal the original datagram. Having understood the TCP stack, let us look at IPv4. The original IPv4 standard needed to address three basic security issues - authentication, integrity and privacy. Authentication was an issue because an attacker could easily spoof an IP address and exploit a session. Spoofing was not restricted to IP addresses alone, but extended to MAC addresses in ARP spoofing. An attacker sniffing a network could capture packets and carry out simple attacks: changing, deleting, rerouting, adding, forging or diverting data. Perhaps the most popular among these attacks is the Man-In-the-Middle attack, in which an attacker grabs unencrypted traffic from a victim's network-based TCP application and tampers with the authenticity and integrity of the data before forwarding it on to the unsuspecting target.
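The layering described above can be seen directly by decoding a frame. The following Python script is an added example, not part of the original text: it builds a constructed Ethernet II / IPv4 / TCP frame (documentation-range addresses, arbitrary MACs, a made-up HTTP request) and then peels the headers off in the order the receiving stack does, verifying the IPv4 header checksum and the length fields instead of trusting them. The function names and the sample frame are this example's own assumptions.

```python
import struct

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header, with the checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed Ethernet II / IPv4 / TCP frame for the demo; not captured traffic.
    Addresses come from the RFC 5737 documentation ranges; MACs are arbitrary."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    src_ip, dst_ip = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])
    # TCP header: sport 40000, dport 80, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0x1A2B3C4D, 0x00000001, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4 header with the checksum zeroed: ver/IHL, TOS, length, ID, flags (DF), TTL, proto 6, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Peel the Ethernet, IPv4 and TCP headers off a frame, as the receiving stack or a sniffer does,
    raising ValueError on anything malformed instead of trusting the lengths in the headers."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl or total_len < ihl or len(ip) < total_len:
        raise ValueError("bad IPv4 version or length fields")
    if ipv4_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) != csum:
        raise ValueError("IPv4 header checksum mismatch")
    if proto != 6:
        raise ValueError("not TCP: protocol %d" % proto)

    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, window, _tcsum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off_res >> 4) * 4
    if doff < 20 or len(tcp) < doff:
        raise ValueError("bad TCP data offset")
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)), "ttl": ttl,
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "window": window,
        "flags": [name for bit, name in sorted(TCP_FLAGS.items()) if flags & bit],
        "payload": tcp[doff:],
    }


def frame_is_valid(frame: bytes) -> bool:
    """True when every header parses and the IPv4 header checksum verifies."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for key, value in parse_frame(build_sample_frame()).items():
        print("%-9s %s" % (key, value))
```

Note that the checksum only detects accidental corruption; a sender who forges the header simply recomputes it, which is why the text treats authentication, not integrity of the header, as the missing property.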
Note | Perhaps the earliest recorded session hijacking is the Morris Worm episode, which affected nearly 6000 computers on the ARPANET in 1988 and was ARPANET's first automated network security incident. Robert T. Morris wrote a program that would connect to another computer, find and use one of several vulnerabilities to copy itself to that second computer, and begin to run the copy of itself at the new location. Both the original code and the copy would then repeat these actions in an infinite loop against other computers on the ARPANET. |
Though the Morris worm is cited time and again in the context of worms and denial of service, its basic working rested on the discovery that the security of a TCP/IP connection lay in its sequence numbers, and that those sequence numbers could be predicted.
Concept | Blind IP spoofing involves predicting the sequence numbers that the victimized host will send in order to create a connection which appears to originate from the host. Before exploring blind spoofing further, let us take a look at sequence number prediction. |
TCP sequence numbers provide flow control and data integrity for TCP sessions. Every byte in a TCP session has a unique sequence number, and every TCP segment carries the sequence number of its first byte in the segment header. The initial sequence number (ISN) does not start at zero for each session. Instead, the participants specify initial sequence numbers as part of the handshake process, a different ISN for each direction, and number the bytes sequentially from there.
Blind IP spoofing relies on the attacker's ability to predict sequence numbers, because he is unable to sniff the communication between the two hosts, not being on the same network segment. He cannot spoof a trusted host on a different network and see the reply packets, because the packets are not routed back to him. Nor can he resort to ARP cache poisoning, because routers do not forward ARP broadcasts across the Internet. As he cannot see the replies, he is forced to anticipate the victim's responses and to prevent the spoofed host from sending a RST to the victim. The attacker then injects himself into the communication by predicting the sequence number the remote host is expecting from the victim. This is used extensively to exploit the trust relationships between users and remote machines; services such as NFS, telnet and IRC rely on such trust.
IP spoofing is relatively easy to accomplish. The only prerequisite on the attacker's part is root access on a machine, in order to create raw packets. To establish a spoofed connection the attacker must know what sequence numbers are being used. Therefore, IP spoofing forces the attacker to predict the next sequence number.
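The two paragraphs above turn on one property of the ISN generator: whether sequence numbers handed to one peer let an off-path party compute the sequence number that will be handed to another. The following Python script is an added example, not part of the original text. It implements the original RFC 793 clock-based generator beside an RFC 6528-style generator (ISN = clock + keyed hash of the connection 4-tuple; the choice of HMAC-SHA256 for the hash is this example's, as the RFC leaves it open), then runs a small audit against both: sample two ISNs as one peer, extrapolate the clock, and compare the guess with the ISN another peer would receive. The secret, addresses and ports are constructed placeholders.

```python
import hashlib
import hmac
import struct

# Constructed demo secret. A real stack draws this from the OS RNG at boot and never exposes it.
SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

# The server whose ISNs are generated, and two peers: the off-path party's own address and the
# trusted host whose connection it wants to forge. Addresses are RFC 5737 documentation ranges.
SERVER = ("198.51.100.20", 23)
ATTACKER = ("203.0.113.66", 40000)
TRUSTED = ("192.0.2.10", 1023)


def ipv4_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def isn_rfc793(time_us: int) -> int:
    """RFC 793 generator: one global 32-bit counter incremented every 4 microseconds. It is the same
    for every connection, so two observations fix the clock and every later ISN follows from it."""
    return (time_us // 4) & 0xFFFFFFFF


def isn_rfc6528(time_us: int, local: tuple, remote: tuple, secret: bytes) -> int:
    """RFC 6528 generator: ISN = M + F(local ip, local port, remote ip, remote port, secret).
    M is the same 4 us clock; F is a keyed hash that nobody without the secret can compute.
    RFC 6528 leaves the hash open; HMAC-SHA256 truncated to 32 bits is this example's choice."""
    four_tuple = struct.pack("!4sH4sH", ipv4_bytes(local[0]), local[1], ipv4_bytes(remote[0]), remote[1])
    offset = int.from_bytes(hmac.new(secret, four_tuple, hashlib.sha256).digest()[:4], "big")
    return (isn_rfc793(time_us) + offset) & 0xFFFFFFFF


def legacy_gen(time_us: int, peer: tuple) -> int:
    return isn_rfc793(time_us)


def hardened_gen(time_us: int, peer: tuple) -> int:
    return isn_rfc6528(time_us, SERVER, peer, SECRET)


def extrapolation_hits(gen, sample_peer: tuple, target_peer: tuple, t1: int, t2: int, t3: int) -> bool:
    """Generator audit. Take the two ISNs the server would hand sample_peer at t1 and t2, derive the
    clock rate, extrapolate to t3, and test whether the guess equals the ISN the server would hand
    target_peer at t3. True means a party that can only observe its own connections can predict the
    ISN of someone else's, which is the property blind spoofing depends on."""
    a, b = gen(t1, sample_peer), gen(t2, sample_peer)
    rate = ((b - a) & 0xFFFFFFFF) / (t2 - t1)          # ISN units per microsecond, as observed
    guess = (a + round(rate * (t3 - t1))) & 0xFFFFFFFF
    return guess == gen(t3, target_peer)


def audit() -> dict:
    """Run the audit against both generators; times are microseconds since an arbitrary epoch."""
    t1, t2, t3 = 1_000_000, 2_000_000, 5_000_000
    return {
        # the 1980s case: ISNs given to the attacker's own address predict the trusted host's ISN
        "rfc793_cross_host": extrapolation_hits(legacy_gen, ATTACKER, TRUSTED, t1, t2, t3),
        # the mitigation: the offset differs per 4-tuple, so the attacker's samples say nothing
        "rfc6528_cross_host": extrapolation_hits(hardened_gen, ATTACKER, TRUSTED, t1, t2, t3),
        # the caveat: within one 4-tuple the clock still advances linearly; RFC 6528 hides the
        # per-connection offset, it does not randomise successive ISNs to the same peer
        "rfc6528_same_host": extrapolation_hits(hardened_gen, TRUSTED, TRUSTED, t1, t2, t3),
    }


if __name__ == "__main__":
    for name, hit in audit().items():
        print("%-20s extrapolation %s" % (name, "hits" if hit else "misses"))
```

The third audit result is the caveat worth remembering: RFC 6528 defeats the cross-host prediction the text describes, but it is not a substitute for the IP-address-based trust (rlogin, NFS, and the like) that made the prediction worth doing; that trust model is what the later paragraphs on Mitnick and Shimomura illustrate.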
The attacker can use "blind" hijacking to send a command, but can never see the response. A common command, however, would be one that sets a password allowing access from somewhere else on the net. The attack became famous when Kevin Mitnick used it to hack into Tsutomu Shimomura's computer network. The attack exploited the trust that Shimomura's machines had with the other network. By SYN flooding the trusted host, Mitnick was able to establish a short connection, which was then used to gain access through traditional methods.