Session Hijacking-02

0 0

Spoofing Vs Hijacking
With Hijacking an attacker is taking over an existing session, which means he is relying on the legitimate user to make a connection and authenticate. Then take over the session.
With IP Spoofing there is no need to guess the sequence number since there is no session currently open with that IP address. The traffic would get back to the attacker only by using source routing. This is where the attacker tells the network how to route the output and input from a session, and he simply sniffs it from the network as it passes by him. Source routing is an IP option used today mainly by network managers to check connectivity. Normally, when an IP packet leaves a system, its path is controlled by the routers and their current configuration. Source routing provides a means to override the control of the routers.

Concept
When an attacker uses captured, reverse engineered or brute forced authentication tokens to take over the control of a legitimate user's session while he is in session, the session is said to be hijacked. Due to this attack, the legitimate user may loose access or be deprived of the normal functionality of the session to the attacker, who now acts with the user's privileges.
Most authentications occur at the beginning of a TCP session, this makes it possible for the attacker to gain access to a target machine. A popular method attackers adopt is to use source-routed IP packets. This allows an attacker to become a part of the target - host conversation by deceiving the IP packets to pass through his system. The attacker can also carry out the classic man-in-the-middle attack using a sniffing program to monitor the conversation.

In TCP session hijacking, a familiar aspect of the attacks is the carrying out of a denial-of-service (DoS) attack against the target / host to prevent it from responding by either forcing the machine to crash, or against the network connection to result in a heavy packet loss (e.g. SYN flood).

Note
 Session hijacking is even more difficult than IP address spoofing. In session hijacking, John would seek to insert himself into a session that Jane already had set up with \\Mail. John would wait until Jane established a session, then knock her off the air by some means and pick up the session as though he was her. As before, John would send a scripted set of packets to \\Mail but would not be able to see the responses. To do this, he would need to know the sequence number in use when he hijacked the session, which could be calculated knowing the ISN and the number of packets that have been exchanged.

Successful session hijacking is extremely difficult and only possible when a number of factors are under the attacker's control. Knowledge of the ISN would be the least of John's challenges. For instance, he would need a way to knock Jane off the air at will. He also would need a way to know the exact status of Jane's session at the moment he mounted his attack. Both of these require that John have far more knowledge about and control over the session than normally would be possible.
However, IP address spoofing attacks can only be successful if IP addresses are used for authentication. An attacker cannot perform IP address spoofing or session hijacking if per-packet integrity checking is executed. Similarly, neither IP address spoofing nor session hijacking are possible if the session uses encryption such as SSL or PPTP, as the attacker will not be able to participate in the key exchange. Therefore the essential requirements to hijack non-encrypted TCP communications can be listed as: Presence of non-encrypted session oriented traffic, ability to recognize TCP sequence numbers and predict the next sequence number (NSN) and capability to spoof a hosts MAC or IP address to receive communications which are not destined for the attackers host. If the attacker is on the local segment, they can sniff and predict the ISN+1 number and have the traffic routed back to them by poisoning the ARP cache.

Steps in Session Hijacking
  1. Tracking the session
  2. Desynchronizing the connection
  3. Injecting the attacker's packet
Note
 How does an attacker go about hijacking a session? The hijack can be broken down into four broad phases.
  • Tracking the connection
    The attacker will wait to find a suitable target and host. He use a network sniffer to track the victim and host or identify a suitable user by scanning with a scanning tool such as nmap to find a target with a trivial TCP sequence prediction. This is done to ensure that because the correct sequence and acknowledgement numbers are captured, as packets are checked by TCP through sequence and/or acknowledgement numbers. These will later be used by the attacker in crafting his own packets.

  • Desynchronizing the connection
    A desynchronized state is when a connection between the target and host is in the established state; or in a stable state with no data transmission; or the server's sequence number is not equal to the client's acknowledgement number; or the clients sequence number is not equal to the server's acknowledgement number. To desynchronize the connection between the target and host, the sequence number or the acknowledgement number (SEQ/ACK) of the server must be changed. This can be done if null data is sent to the server so that the server's SEQ/ACK numbers will advance; while the target machine will not register such an increment.
    The desynchronizing is preceded by the attacker monitoring the session without interference till an opportune moment, when he will send a large amount of " null data" to the server. This data serves only to change the ACK number on the server and does not affect anything else. The attacker does likewise to the target also. Now both the server and target are desynchronized.

  • Resetting the connection
    Another approach is to send a reset flag to the server and tearing down the connection on the server side. This is ideally done in the early setup stage. The goal of the attacker is to break the connection on the server side and create a new one with different sequence number.
    The attacker listens for a SYN/ACK packet from the server to the host. On detecting the packet, he sends an RST to the server and a SYN packet with exactly the same parameters such as port number but a different sequence number. The server on receiving the RST packet, closes connection with the target, but initiates another one based on the SYN packet - with a different sequence number on the same port. Having opened a new connection, the server sends a SYN/ACK packet to the target for acknowledgement. The attacker detects (but does not intercept) this and sends back an ACK packet to the server. Now, the server is in the established state. The target is oblivious to the conversation and has already switched to the established state when it received the first SYN/ACK packet from the server. Now both server and target are in desynchronized but established state.
    This can also be done using a FIN flag, but this will cause the server to respond with an ACK and give away the attack through an ACK storm. This results due to a flaw in this method of hijacking a TCP connection. When receiving an unacceptable packet the host acknowledges it by sending the expected sequence number and using its own sequence number. This packet is itself unacceptable and will generate an acknowledgement packet which in turn will generate an acknowledgement packet, thereby creating a supposedly endless loop for every data packet sent. The mismatch in SEQ/ACK numbers results in excess network traffic with both the server and target trying to verify the right sequence. Since these packets do not carry data they are not retransmitted if the packet is lost. However, since TCP uses IP the loss of a single packet puts an end to the unwanted conversation between the server and target on the network.

    The desynchronizing stage is added in the hijack sequence so that the target host is kept in the dark about the attack. Without desynchronizing, the attacker will still be able to inject data to the server and even keep his identity by spoofing an IP address. However, he will have to put up with the server's response being relayed to the target host as well.

  • Injecting the attacker's packet
    Now that the attacker has interrupted the connection between the server and target, he can choose to either inject data into the network or actively participate as the "man in the middle", and pass data from the target to the server, and vice versa, reading and injecting data as he sees fit.
Illustration:
  1. Alice opens a telnet session to Bob and starts doing some work.
  2. Eve observes the connection between Alice and Bob using a sniffer that is integrated into her hijacking tool. Eve makes a note of Alice's IP address and her hijacking software samples the TCP sequence numbers of the connection between Alice and Bob.
  3. Eve launches a DoS attack against Alice to stop Alice doing further work on Bob and to prevent an ACK storm from interfering with her attack.
  4. Eve generates spoofed packets with the correct TCP sequence numbers and connects to Bob.
  5. Bob thinks that he is still connected to Alice.
  6. Alice notices a lack of response from Bob and blames it on the network.
  7. Eve finds herself at a root prompt on Bob. She issues some commands to make a backdoor and uses the sniffer to observe the responses from Bob.
  8. After covering her tracks, Eve logs out of Bob and ceases the DoS attack against Alice.
  9. Alice notices that her connection to Bob has been dropped.
  10. Eve uses her backdoor to get directly into Bob.

COMMENTS

BLOGGER
Group Of Oceninfo™ © , All Rights Reserved.
Name

©2012 Oceninfo.co.cc,2,10:29 IST,1,2012,1,Adfly Bot,2,AFCEH,1,Ajax security,1,all posts for education purpose only...www.facebook.com/princebhalani,1,Android,1,android developer,1,android phone,1,android phone-1,1,anonymous email,1,Anti-Trojan software,8,Antivirus,1,Apple,1,article marketing,1,at risk,1,attacks,1,australian federal police,1,Auto Clicker,1,Auto surfer,1,backtrack link,2,Bank Hacking,2,BCMSN,2,BIOS Update,1,Blockchain,1,Blog and tagged Ransomware,1,boot fast...,1,boot xp faster,1,Business Deals,1,Bypass Antivirus and Hack Window Systems,1,CCIE,2,CCNA,2,CCNP,2,CEH,2,challenge-response system,1,Changing Root Bridge Election Results,2,code,2,commands,1,company deals,1,Computer Hacking,3,Connect,1,cookie stealing,3,Country,1,Crack,1,Credit Card Fraud,2,credit cards,1,Cryptography,1,cyber cell updated,1,cyber security,1,DATA CARD TRICK,1,delhi,1,Digital Marketing,1,direct admission in any colleges,2,Direct Link,3,Directory Traversal Attacks,1,Dos and Ddos,1,DotNetNuke Remote File Upload Vulnerability,1,Earn Lots of money,3,EARN MONEY PART2,1,earnings in$,1,email hacking,4,email spoofing,2,Er Prince Bhalani jobs,1,Ethical Hacker job,1,ethical hacking,8,exploit,1,facebook autoliker,1,Facebook tricks,3,Fake Mail,1,fake sms,1,FB hackz,1,FBI,1,FBI HACKERS,2,FBI Jobs,2,featured,6,Finger scan,1,fingerprint Hacking,1,format without pain,1,Free Download,1,Free Flash Templates,1,free hacking book,5,Free Recharge,1,free sms,2,Freebeacon,1,friendship day,2,friendship day image,2,friendship image,1,Future Computer,2,future of hacking,1,Gadgets,1,good clean fun,1,google,3,Google Ads,1,google adsense account,1,Google hacking,3,google hacks,1,google search,1,hack,2,hack the world,2,HACK WEBSITES USING SQL INJECTION,2,hacker,1,hacker uni,1,hacker/LPT/etc,1,hackers,2,Hackerz info,1,hacking,4,hacking games,1,hacking matterial,1,HACKING OFER,1,hacking softwares,1,hacking tools,2,Hacking with Mobile phones,1,HackingTeacher Security Solutions,1,hacks,1,hijack,1,history of hacking,1,How to,8,How to Hack,37,how to play,1,How to sniff,1,html,1,HTTPS/SSL secured sites,1,I LOVE YOU VIRUS,1,i-phone hacking,1,ICITAM 2012,1,iCloud Era,1,In Flow,1,indian cyber cell,4,information security,1,interesting,1,inurl:fcklinkgallery.as,1,IP hacks,1,iphone,1,IT Act,1,IT Decision Maker,1,IT Implem_App/LOB Spec,1,IT Implem_Desktop/EndUser Spec,1,IT Implem_Infrastructure Spec,1,IT Implem_IT Generalist and IT Manager.,1,it security,1,java,1,jobs for ethical hacker,3,jobs in hacking,5,Joe job,1,Just for education purpose only,1,Kaspersky,1,kaspersky crack 2013,1,keyboard hacking,1,keyloggers,1,keywords,1,Laptop Tracking,1,Laws of computer crime,1,Learn Cracking,1,Learn Website Hacking,7,Linkbucks Bot,1,Macromedia Flash,1,make some rules...|||_|||,1,malicious code,1,Malware,1,malware analysis,1,man in the middle attack (LAN),1,master,1,master list,1,metasploit,3,Microsoft scams,1,mobile,1,mobile recharge,1,moblie phone hacking,1,munging,1,network hack,1,Network Sniffers,1,new command set,1,new projects,1,nmap,1,No Survey,1,not infrequent,1,online scanners,1,paisa live hack,1,panetration for educational purpose only,1,Parental Controls,1,password hacking,4,Password sniffing with arp poisoning,1,PC TIPS,1,PE_PARITE (Trend Micro),1,penetration testing,1,pharming,1,phishing,1,phone hacking charged,1,PHP,1,pin ball,1,Play WMV Files,1,Press Trust of India / New Delhi Aug 15,1,Prime minister,1,prince bhalani,1,princebhalani,1,Professional job in FBI,1,Professional Penetration Testing,1,Programming,1,Programming of virus,2,protect my pc against hackin,1,proxy list by http,1,Proxy SOCKS Port,1,R-Admin With Key,1,Radmin,1,RAW Jobs,1,Real Hackers vs fake ethical hackers. ..:),1,Register of Known Spam Operations (ROKSO),1,repair corrupt hard disk,1,RFT,1,Robbery,1,Rupert Murdoch,1,SAMPLE,1,Sample dynamic flash template from TM website,1,Scams,2,Scanned Vulnerabilities,1,SEA,2,search engine hacking,1,Search Operators,1,Security,2,Security breach,1,security code brack,1,SEM,4,SEO,112,SEO Mistakes,1,SEO TOOLS,1,SEO Tricks,3,SERM,1,SERP,1,Session Hijacking,4,SET,1,shell commands...,1,shell list with download,1,SITES,1,Smart Home,1,Smartphones,1,SMM,1,SMO,2,sms spoofing,1,SMTP Servers,1,Sniffing passwords,1,Sothink SWF Decompiler,1,spam cocktail (or anti-spam cocktail),1,spam trap,1,spear phishing,2,SQL hacking,2,SQL Injection Attacks by Example,2,SSL,1,SSL Analysis,1,starting of help,1,System Information,1,System Restore,1,Tablet in 1000,1,Tablets,1,Temporary Email Service,1,time need,1,timer,1,tracing,1,Traffic,3,tricks,5,Tricks and Tips,1,Trojan,1,Trojan tools,1,Trojans and Backdoors,2,trojon,7,Turbo C++,1,UK phone hacking,1,UK phone hacking arrest,1,USA JOBS,4,Virus,2,virus writing,2,VPN,1,vulnerabilities,1,vulnerability assessment,1,W32/Pate (McAfee),1,W32/Pinfi (Symantec),1,Washington,2,web hacking,6,web security,1,Website Development,1,Website Hacking,3,White House,1,wifi hacking,3,Win32 : parite (Avast),1,Win32.Parite (Kaspersky),1,Win32/Parite,1,windows,2,Windows 8 event for IT Professionals,1,wirless hack,1,WordPress,1,WordPress hacking,1,working with Virus and worm,9,XP Hacking,1,xp hacking-1,1,XP part 3,1,xss hacking,1,
ltr
item
Group Of Oceninfo: Session Hijacking-02
Session Hijacking-02
Group Of Oceninfo
https://oceninfo.blogspot.com/2012/06/session-hijacking-02.html
https://oceninfo.blogspot.com/
https://oceninfo.blogspot.com/
https://oceninfo.blogspot.com/2012/06/session-hijacking-02.html
true
6415817773321450103
UTF-8
Loaded All Posts Not found any posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU LABEL ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS CONTENT IS PREMIUM Please share to unlock Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy