Version 5
Module X
Session Hijacking
Scenario
Daniel is working as a web designer at Xeemahoo Inc., a news agency. His daily job is to upload the HTML files to the website of the news agency.
Xeemahoo Inc. hires a new web-hosting agency, AgentonWeb, to host its website.
One day, while checking the uploaded news section, Daniel was shocked to see wrong information posted on Xeemahoo's website.
How did the wrong information get posted?
Is there a problem in the configuration of the web server?
EC-Council
Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Module Objective
This module will familiarize you with the following:
Session Hijacking
TCP/IP Hijacking
Module Flow
Session Hijacking
Sequence Number Prediction
TCP/IP Hijacking
Countermeasures
[Figure: John (Victim) sends "I am John, here are my credentials" to the Server, with an Attacker shown alongside]
[Figure: Attacker and Server]
Active
Passive
[Figure: Bob and the Server]
If the attacker can anticipate the next SEQ/ACK number Bob will send, he will spoof Bob's address and start a communication with the server.
1. Bob initiates a connection with the server. Bob sends a packet to the server with the SYN bit set.
2. The server receives this packet and sends back a packet with the SYN bit and an ISN (Initial Sequence Number) for the server.
3. Bob sets the ACK bit acknowledging the receipt of the packet and increments the sequence number by 1.
Sequence Numbers
The attacker doesn't see the SYN-ACK (or any other packet) from the server, but can guess the correct response.
TCP/IP Hijacking
TCP/IP Hijacking

Computer A (10.1.0.100) and Computer B (10.1.0.200) exchange three segments; a Hacker is shown alongside the exchange:

1. A -> B   Source: 10.1.0.100   Destination: 10.1.0.200   Seq#: 1429775000   Ack#: 1250510000   Len: 24
2. B -> A   Source: 10.1.0.200   Destination: 10.1.0.100   Seq#: 1250510000   Ack#: 1429775024   Len: 167
3. A -> B   Source: 10.1.0.100   Destination: 10.1.0.200   Seq#: 1429775024   Ack#: 1250510167   Len: 71

Each Ack# is the peer's previous Seq# plus its Len, and each side's next Seq# is its own previous Seq# plus Len, so anyone who has seen these values knows exactly what the next segment from either side must carry.
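The handshake steps above and the three-segment exchange on this slide come down to one piece of arithmetic: each side's next SEQ is its previous SEQ plus the bytes it sent (a SYN or FIN counts as one), and each ACK names the peer's next SEQ. The following Python is an added example, not EC-Council's code and not any tool shown in this module. It is a small stateful tracker of the kind a network monitor uses: it replays the three-way handshake (with constructed ISNs chosen so that the slide's numbers follow on from them) and the slide's three segments, then checks three constructed segments that do not fit the stream (a SEQ far outside the window, an RST with a guessed SEQ, and an ACK for bytes the peer never sent). The mapping Bob = Computer A = 10.1.0.100, the window size and the injected segments are assumptions.

```python
"""Stateful TCP sequence tracking as a monitoring check.

Added example, not EC-Council's code. It replays the three-way handshake
from the slides above and the three data segments from the TCP/IP hijacking
slide (Computer A = 10.1.0.100, Computer B = 10.1.0.200), then feeds in three
constructed segments to show how a monitor that tracks each side's next
expected sequence number separates in-sequence traffic from injected or
spoofed segments. Assumptions: the handshake ISNs (chosen so the slide's
numbers follow on from them), the receive window, and the injected segments.
"""
from dataclasses import dataclass

MOD = 2 ** 32        # TCP sequence numbers wrap at 32 bits
WINDOW = 65535       # assumed receive window; a real monitor reads it per segment

A = "10.1.0.100"     # Computer A (Bob in the handshake slides; assumption)
B = "10.1.0.200"     # Computer B (the server)


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    length: int = 0          # payload bytes
    syn: bool = False
    fin: bool = False
    rst: bool = False

    def consumed(self):
        """Sequence space used by this segment: payload plus one for SYN and FIN."""
        return self.length + int(self.syn) + int(self.fin)


def in_window(value, base):
    """True if value lies in [base, base + WINDOW), with 32-bit wraparound."""
    return (value - base) % MOD < WINDOW


def ahead_of(value, base):
    """True if value is strictly past base in 32-bit sequence arithmetic."""
    return 0 < (value - base) % MOD < MOD // 2


class FlowTracker:
    """Tracks the next sequence number expected from each side of one connection."""

    def __init__(self):
        self.next_seq = {}   # sender address -> next expected SEQ

    def check(self, seg):
        expected = self.next_seq.get(seg.src)
        if expected is None:
            # First segment from this side: learn where its byte stream starts.
            self.next_seq[seg.src] = (seg.seq + seg.consumed()) % MOD
            return "learned"

        if seg.seq == expected:
            verdict = "in-sequence"
        elif in_window(seg.seq, expected):
            # Inside the window but not at the expected byte: a retransmit or
            # reordering for data, but for an RST it is the signature of a
            # guessed sequence number (RFC 5961 answers these with a challenge ACK).
            verdict = "in-window-suspect" if seg.rst else "in-window"
        else:
            return "out-of-window"        # not accepted; nothing to update

        # The ACK must not acknowledge bytes the peer has never sent.
        peer_next = self.next_seq.get(seg.dst)
        if peer_next is not None and ahead_of(seg.ack, peer_next):
            return "bad-ack"

        if verdict == "in-sequence":
            self.next_seq[seg.src] = (seg.seq + seg.consumed()) % MOD
        return verdict


# Constructed sample: handshake with made-up ISNs, the three segments from the
# slide, then three constructed segments that do not belong to the stream.
SAMPLE = [
    Segment(A, B, seq=1429774999, ack=0, syn=True),                    # 1. SYN
    Segment(B, A, seq=1250509999, ack=1429775000, syn=True),           # 2. SYN-ACK
    Segment(A, B, seq=1429775000, ack=1250510000),                     # 3. ACK
    Segment(A, B, seq=1429775000, ack=1250510000, length=24),          # slide packet 1
    Segment(B, A, seq=1250510000, ack=1429775024, length=167),         # slide packet 2
    Segment(A, B, seq=1429775024, ack=1250510167, length=71),          # slide packet 3
    Segment(A, B, seq=1439775095, ack=1250510167, length=10),          # constructed: SEQ far outside window
    Segment(A, B, seq=1429776095, ack=1250510167, rst=True),           # constructed: RST with guessed SEQ
    Segment(A, B, seq=1429775095, ack=1250510667),                     # constructed: ACKs bytes never sent
]


def replay(segments=SAMPLE):
    """Run every segment through a fresh tracker and return the verdicts in order."""
    tracker = FlowTracker()
    return [tracker.check(s) for s in segments]


if __name__ == "__main__":
    for seg, verdict in zip(SAMPLE, replay()):
        print(f"{seg.src} -> {seg.dst}  seq={seg.seq}  ack={seg.ack}  "
              f"len={seg.length}  {verdict}")
```

Note what the tracker cannot catch: a segment whose SEQ and ACK are predicted exactly, as on the RST Hijacking slide, comes back "in-sequence" like any legitimate one. Sequence checking narrows the attacker's options but does not remove them, which is why the module's countermeasures go on to encryption and IPsec rather than relying on sequence numbers alone.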
RST Hijacking

The victim will believe that the source actually sent the reset packet and will reset the connection.

[Figure: an RST Packet with a spoofed source address and a predicted ACK number is sent to the victim, ending in "Connection Reset"]
# ./hijack_rst.sh
Hunt offers:
Connection management
ARP spoofing
Resetting connection
Watching connection
T-Sight
Session Hijacking is simple by clicking this button
[Figure: Target Server in NYC; Victim in Boston; Hacker in Russia. The victim's machine is infected with a trojan which sets the proxy of IE to the attacker's machine (IP: X.2.2.2)]
1. Use encryption
Countermeasure: IP Security
IP-SEC
Summary