Saturday, May 26, 2012

Session Hijacking in Windows Networks | Best Full Guide Ever

Hope this works for you guys! I was unable to put the images in, so I'll upload them and name them according to the post :)
Session Hijacking in Windows Networks
1 TCP/IP Basics
1.1 Three-Way-Handshake
1.1.1 Step 1 - SYN
1.1.2 Step 2 - SYN/ACK
1.1.3 Step 3 - ACK
1.2 Sequence Numbers
2 Session Hijacking Definition
2.1 Advantages of Session Hijack for the Attacker
2.2 What Makes the Attack so Dangerous?
3 The Session Hijack Attack
3.1 Procedural Overview of the Session Hijack Attack
3.1.1 Step 1 - Locating a Target
3.1.2 Step 2 - Find an Active Session
3.1.3 Step 3 - Perform Sequence Number Prediction
3.1.4 Step 4 - Take One of the Parties Offline
3.1.5 Step 5 - Take over the Session and Maintain the Connection
4 Session Hijack Tools
5 Detecting Session Hijack Attacks
5.1 Packet Sniffers
5.1.1 Normal Telnet Session
5.1.2 The Attack Begins - Forcing an ARP Entry
5.1.3 Hijack Traffic
6 Session Hijacking Remediation
6.1 Protect Against Spoofing
6.2 IPSec and Encryption
6.3 Intrusion Detection Systems and IPS Intrusion Prevention Systems
6.4 Eliminating Insecure Network Protocols and Operating Systems
6.5 GPO - Group Policy Objects
7 Summary
8 References

Introduction
Before we can explore the session hijack attack, it is essential that we gain a basic
understanding of network communications. The first section of this paper covers some of this
background information needed to understand how computers communicate on a network.
First we take a look at the TCP/IP protocol (Transmission Control Protocol/Internet Protocol)
examining a concept critical to network communication called the three-way-handshake.
Once we have a basic understanding of these concepts, we can then work towards
understanding how the session hijack attack exploits the design flaws inherent in the TCP/IP
protocol.
In section two, the session hijacking attack is defined. The benefits of the attack are
closely examined as well as the danger the attack presents to your network.
Section three examines the session hijack attack in detail. The session hijack attack is
broken down into five steps including locating a target, finding an active session, sequence
number prediction, taking a user offline, and taking over a session.
Detecting the session hijack attack on a network can be very difficult. In section four, session hijacking detection is examined: attack signatures are discussed and real-world examples provided.

Section five examines session hijacking software applications that are used by
attackers to compromise computers. Windows and Linux/Unix applications will be reviewed,
and their features described.
Section six discusses the various ways in which session hijacking can be detected on
the network. Using Wireshark, packet captures of a session hijack attack are examined.
Section seven looks at the various countermeasures that can be implemented on your
network that will help reduce your exposure to this attack. Microsoft Group Policy Objects,
IPSec, IDS and IPS systems, and insecure network protocols and operating systems will be
examined.

1 TCP/IP Basics
Before we explore the session hijack attack, readers must possess a basic
understanding of how computers communicate with one another on a network. In the section
that follows, we will look at some basic elements of the TCP/IP (Transmission Control
Protocol/Internet Protocol) protocol, specifically the concepts of the three-way-handshake and
random initial sequence number generation.
In order for two machines to communicate on a network they have to negotiate
common communication parameters. This is done by transmitting a series of data packets
between the two machines in a process known as the three-way-handshake. All computers
on the network must complete this process in order to establish a connection with another
computer on the network.
1.1 Three-Way-Handshake
When two computers want to communicate with one another, they have to negotiate
the technical parameters that they will use to communicate with one another. This is done
through a process known as the three-way-handshake. Once the connection is established,
the session remains open until one of the machines sends a RST (reset) or FIN (finish)

packet to their communication partner.
The three-way-handshake is comprised of three main processes. Please note that the
discussion that follows is based on a scenario where a single workstation computer is
attempting to communicate with a file server.
1.1.1 Step 1 - SYN
When a workstation wants to communicate with a server, it builds a packet with
the SYN (synchronization) bit set and then sends the packet to the server. Included in this
SYN packet is an initial sequence number (denoted in figure 1 as X).
Figure 1 – Step 1 SYN
When the client computer generates the sequence number, it uses a random number
generator. Random number generators are used to help prevent communication sessions
from being compromised (more on this in the next section). Sequence numbers are critical to
network communications as they are used to guarantee packet delivery. Source computers
use sequence numbers for tracking incoming packets and reassembling them as they arrive
at their destination. From the attacker's perspective, however, the ability to predict sequence
numbers provides the mechanism needed to successfully hijack a communication session.
1.1.2 Step 2 – SYN/ACK
When the server receives the client's SYN (synchronization) packet, it responds to the
workstation computer with a packet containing both the SYN and ACK (Synchronization and
Acknowledgement) bits set. The packet includes the server's own randomly generated
sequence number (represented in the drawing by the letter P). The server also acknowledges
the client's sequence number by adding 1 to the sequence number sent by the client computer
(X + 1) (Lamb, 2006).
Figure 2 – Step 2 SYN/ACK

1.1.3 Step 3 - ACK
The final phase of the three-way-handshake involves the client sending an ACK packet
to the server confirming its desire to communicate. The workstation prepares a packet with
the ACK (acknowledgement) bit set and includes an acknowledgement sequence number (X
+ 1). When the packet arrives at the destination server, the communication session is
established and communication can now begin. An active communication session will be
maintained until one of the machines sends a RST (Reset) or FIN (Finish) packet to the other
computer.
Figure 3 – Step 3 ACK
The following Wireshark screen output shows what a three-way-handshake looks
like in Wireshark. Packet number three begins the three-way-handshake process by sending
a SYN (synchronization) packet to the server. The server then acknowledges the receipt of
the SYN packet by sending the workstation computer a SYN/ACK
(Synchronization/Acknowledgement) packet (shown in packet four). The final step in the three-
way-handshake is an ACK packet sent to the workstation by the server.
Figure 4 - Example of the Three-Way-Handshake in Wireshark (Resultspk.com, 2006)
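The following is an added teaching example, not code from the paper or from Wireshark: a small model of the three-way-handshake using the paper's symbols (the client's initial sequence number X, the server's P). The Segment class and the step functions are constructed here. It shows the arithmetic behind each step and, on the server side, the check that a final ACK must carry seq = X + 1 and ack = P + 1 before the connection counts as established; a segment whose numbers do not match is the case a real stack answers with a RST.

```python
"""
Model of the TCP three-way-handshake with the paper's symbols X and P.
Added example; the Segment class and step functions are constructed
for illustration and are not part of any real TCP implementation.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import secrets

MOD = 2 ** 32  # sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Segment:
    """The TCP header fields that matter for the handshake."""
    flags: frozenset   # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    seq: int
    ack: int = 0       # only meaningful when "ACK" is set


def random_isn() -> int:
    """A random 32-bit initial sequence number, as modern stacks generate."""
    return secrets.randbelow(MOD)


def step1_syn(x: int) -> Segment:
    """Client -> server: SYN carrying the client's ISN X."""
    return Segment(frozenset({"SYN"}), seq=x)


def step2_syn_ack(syn: Segment, p: int) -> Segment:
    """Server -> client: SYN/ACK carrying the server's ISN P and ACK = X + 1."""
    if syn.flags != {"SYN"}:
        raise ValueError("expected a pure SYN")
    return Segment(frozenset({"SYN", "ACK"}), seq=p, ack=(syn.seq + 1) % MOD)


def step3_ack(syn_ack: Segment, x: int) -> Segment:
    """Client -> server: ACK with seq = X + 1 and ack = P + 1.
    A SYN/ACK that does not acknowledge our own ISN is dropped."""
    if syn_ack.flags != {"SYN", "ACK"} or syn_ack.ack != (x + 1) % MOD:
        raise ValueError("SYN/ACK does not acknowledge our ISN; drop it")
    return Segment(frozenset({"ACK"}), seq=(x + 1) % MOD, ack=(syn_ack.seq + 1) % MOD)


def server_accepts(ack: Segment, p: int, x: int) -> bool:
    """Server-side check on the final ACK: both numbers must match what the
    server expects (X + 1 and P + 1), otherwise the connection is not
    established (a real stack would send a RST)."""
    return (ack.flags == {"ACK"}
            and ack.seq == (x + 1) % MOD
            and ack.ack == (p + 1) % MOD)


def handshake(x: Optional[int] = None,
              p: Optional[int] = None) -> Tuple[Segment, Segment, Segment, bool]:
    """Run all three steps; return (syn, syn_ack, ack, established)."""
    x = random_isn() if x is None else x
    p = random_isn() if p is None else p
    syn = step1_syn(x)
    syn_ack = step2_syn_ack(syn, p)
    ack = step3_ack(syn_ack, x)
    return syn, syn_ack, ack, server_accepts(ack, p, x)


if __name__ == "__main__":
    for seg in handshake(x=1000, p=5000)[:3]:
        print(sorted(seg.flags), "seq =", seg.seq, "ack =", seg.ack)
```

Calling handshake(x=1000, p=5000) yields SYN seq 1000, SYN/ACK seq 5000 ack 1001, and ACK seq 1001 ack 5001, exactly the X, P, X + 1 and P + 1 of figures 1 to 3.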
1.2 Sequence Numbers
Sequence numbers are an essential component of network communications. It is the
sequence number that ensures reliable communication on the network. As packets leave the
transmitting computer, each packet is assigned a unique sequence number. Sequence
numbers provide a mechanism which allows the receiving computer to track incoming packets
and reassemble them into a logical stream of data. Sequence numbers can also be used to
detect packets that have not arrived at the destination computer. When packet loss is
detected, the destination machine notifies the source computer to resend the missing packet.
TCP/IP sequence numbers are 32-bit numbers, thus providing four million possible
number combinations. While this seems like a sufficient quantity of numbers to reduce the
chance of sequence number prediction, modern computers make this number arbitrary. Most
modern operating systems implement pseudo-random number generators that produce
complex sequence numbers, sufficient to make sequence number prediction difficult if
not impossible. However, older operating systems, such as Windows NT 4.0, did not provide
sufficient random number generation, as discussed in Microsoft knowledge base article
MS99-046. As you will see in the sections that follow, sequence numbers, and the ability to
predict sequence numbers, are a vital component necessary to successfully wage a session
hijack attack.
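As an added example (not from the paper), the following script shows the kind of initial sequence number (ISN) audit a defender can run against their own hosts to tell a weak, incrementing generator of the sort the paper attributes to older systems from a randomised one. Both generators below are constructed stand-ins, and the measure used, whether successive ISN differences repeat, is a deliberately simplified test assumed adequate for teaching; real audits gather one ISN per SYN/ACK from the host and use stronger statistics.

```python
"""
Simplified ISN quality audit.  Added example with constructed generators;
it does not model any specific operating system's real ISN algorithm.
"""
import secrets
from typing import Callable, Dict, List

MOD = 2 ** 32


def weak_isn_source(start: int = 0, step: int = 64000) -> Callable[[], int]:
    """Constructed model of a fixed-increment ISN generator: each new
    connection gets the previous ISN plus a constant."""
    state = [start]

    def next_isn() -> int:
        state[0] = (state[0] + step) % MOD
        return state[0]

    return next_isn


def strong_isn_source() -> Callable[[], int]:
    """Constructed model of a randomised ISN generator."""
    return lambda: secrets.randbelow(MOD)


def sample_isns(source: Callable[[], int], n: int = 16) -> List[int]:
    """Collect n successive ISNs (in a real audit: one per SYN/ACK observed
    from the host under test)."""
    return [source() for _ in range(n)]


def isn_deltas(isns: List[int]) -> List[int]:
    """Differences between successive ISNs, modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def predictable(isns: List[int], max_distinct_ratio: float = 0.5) -> bool:
    """Flag a generator as predictable when successive deltas repeat.
    With a random 32-bit ISN, the deltas of a short sample are essentially
    always distinct; a fixed-increment generator yields one repeated delta."""
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISNs")
    return len(set(deltas)) / len(deltas) <= max_distinct_ratio


def audit(source: Callable[[], int], n: int = 16) -> Dict[str, object]:
    """Sample the source and summarise how guessable its ISNs look."""
    isns = sample_isns(source, n)
    return {
        "samples": n,
        "distinct_deltas": len(set(isn_deltas(isns))),
        "predictable": predictable(isns),
    }


if __name__ == "__main__":
    print("incrementing generator:", audit(weak_isn_source()))
    print("randomised generator:  ", audit(strong_isn_source()))
```

Run against the incrementing source, the audit reports a single distinct delta and flags the generator as predictable; against the randomised source the deltas are all different and it is not flagged.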
2 Session Hijacking Definition
If you are like most security professionals, session hijacking is not an attack that gets a
lot of your attention. In recent years, the session hijack attack has been overshadowed by
spyware, rootkits, bot networks, and denial of service attacks. Although the session hijack
attack is not in the forefront of everyone's mind, it still remains a commonly used attack. In
fact, Kevin Mitnick used many of the underlying principles common to session hijacking in his
famous breach of Tsutomu Shimomura's computers (Meriwether, 1995).
Session hijack attacks are defined as taking over an active TCP/IP communication
session without the user's permission or knowledge. When implemented successfully, attackers
assume the identity of the compromised user, enjoying the same access to resources as the
compromised user.
Session hijack attacks are usually waged against users that are members of large
networks containing a substantial number of open sessions. Network protocols like FTP,
Telnet, and rlogin are especially attractive to the attacker, because of the session oriented
nature of their connections, and the length of their communication sessions. Additionally,
FTP, Telnet, and rlogin do not implement any security during logon, authentication, or data
transmission. In fact, data sent using these protocols is sent in clear text, which can easily
be viewed by anyone monitoring the network.
There are three different types of session hijack attacks: active, passive, and hybrid.
The active attack is when the attacker hijacks a session on the network. The attacker will
silence one of the machines, usually the client computer, and take over the client's position in
the communication exchange between the workstation and the server. The active attack also
allows the attacker to issue commands on the network, making it possible to create new user
accounts on the network, which can later be used to gain access to the network without
having to perform the session hijack attack.
Figure 5 - Aggressive Session Hijack Attack
Passive session hijack attacks are similar to the active attack, but rather than removing
the user from the communication session, the attacker monitors the traffic between the
workstation and server. The primary motivation for the passive attack is that it provides the
attacker with the ability to monitor network traffic and potentially discover valuable data or
passwords.
Figure 6 - Passive Session Hijack (diagram: File Server, Workstation PC, Attacker; the workstation remains online while the attacker listens to all traffic sent between the server and workstation, without removing the workstation computer from the session)
The final type of session hijack attack is referred to as the hybrid attack. This attack is
a combination of the active and passive attacks, which allows the attacker to listen to network
traffic until something of interest is found. The attacker can then escalate the attack by
removing the workstation computer from the session and assuming its identity.

2.1 Advantages of Session Hijack for the Attacker
So what makes the session hijack attack worthwhile for the attacker? One of the most
valuable byproducts of this type of attack is the ability to gain access to a server without
having to authenticate to it. Once the attacker hijacks a session, they no longer have to worry
about authenticating to the server as long as the communication session remains active. The
attacker also enjoys the same server access as the compromised user because the user has
already authenticated to the server prior to the attack.
A successful session hijack attack also allows the attacker to issue commands to
servers on the network. This is usually done to create user accounts that can be used to
access resources at a later date. The ability to issue commands also provides a way to mask
the attacker’s presence on the network, by removing or altering the remnants of the attack.
The session hijack attack is very stealthy. Session hijack attacks are usually waged
against busy networks with a high number of active communication sessions. The high
network utilization not only provides the attacker with a large number of sessions to exploit,
but it can also provide the attacker with a shroud of protection due to the large number of
active sessions on the server.
Most network attacks depend on software or hardware vulnerabilities as a gateway to
an attack. Having knowledge of specific vulnerabilities in these technologies allows the
attacker to scan servers to determine what vulnerabilities exist. However, the session hijack
attack does not depend on specific software or hardware vulnerabilities, but rather on a design
limitation within the TCP/IP protocol that does not guarantee security after the connection is
made.
Session Hijacking is also very easy to do, especially on older operating systems!
Utilizing commercially available software packages, even a novice computer user has a good
chance at successfully waging a session hijack attack.
2.2 What Makes the Attack so Dangerous?
Why is the session hijack attack so dangerous? Should security professionals really be
concerned? The answer to both of these questions is yes! As I hinted in the previous
paragraph, the risks resulting from session hijack attacks cannot be eliminated by software
patches, complex passwords, or multi-factor authentication. The root cause of the attack lies
with design limitations inherent to the TCP/IP protocol. In addition, all machines, regardless of
operating system or hardware architecture, are vulnerable to the session hijack attack
provided they are running TCP/IP.
The attack also exploits all three sides of the CIA triad. The CIA triad is a
representative model of security concepts consisting of three underlying principles.
Confidentiality, integrity, and availability make up the triad, and a failure on any side of the
triad represents a compromise in network security (Cole, E. & Fossen, J. & Northcutt, S. &
Pomeranz, H., 2005).
Figure 7 - CIA Triad
The session hijack attack compromises all three sides of the CIA triad. When a
successful attack is achieved, the attacker has the ability to read and modify data, violating
the confidentiality and integrity portion of the model. Availability is also affected by the session
hijack attack due to ARP storms and denial of service conditions that are a byproduct of the
attack.

3 The Session Hijack Attack
The session hijack is a process whereby the attacker inserts themselves into an
existing communication session between two computers. Generally speaking, session hijack
attacks are usually waged against a workstation-to-server communication session;
however, hijacks can be conducted between a workstation computer and a
network-based appliance such as a router, switch or firewall.
3.1 Procedural Overview of the Session Hijack Attack
As outlined in the book by Eric Cole, Hackers Beware: The Ultimate Guide to Network
Security, the session hijack attack contains the following steps (Cole, 2002).
3.1.1 Step 1 - Locating a Target
The first step in the session hijack attack is locating a target user. Attackers look for
two things prior to their attack. First, they look for networks that have a high level of utilization.
High volume networks provide a healthy supply of users to choose from, which also helps the
attack remain anonymous. Secondly, users who frequently use insecure network protocols
such as Telnet, rlogin (remote logon), and FTP (file transfer protocol) are also frequent targets
due to their inherently insecure design.

Packet sniffing software can be used to sniff network traffic for the purpose of locating
vulnerable protocols like FTP, Telnet, and rlogin. Port scanning software can also be used to
identify servers that have FTP, Telnet, or rlogin ports open.
3.1.2 Step 2 - Find an Active Session
Session hijack attacks are usually waged against servers with large amounts of
activity. The reason is twofold: first, high network utilization provides an environment containing
adequate sessions that can be exploited; secondly, the high usage on the server helps hide
the disruption caused by the attack. Attackers generally target session-oriented protocols like
FTP, Telnet, and rlogin, which provide prolonged connections to other computers.
Attackers who are looking for open sessions generally use software tools like
Wireshark or more sophisticated site detection software that is included in some of the
popular session hijacking software packages like T-Sight or Juggernaut.
3.1.3 Step 3 - Perform Sequence Number Prediction
Now that a target has been chosen, the next step in the session hijack process is
sequence number prediction. This process entails guessing the next sequence number that
the server is expecting from the workstation. Sequence number prediction is a critical step,
because failing to predict the correct sequence number will result in the server sending reset
packets and terminating the connection attempt. If the attacker guesses the sequence
numbers wrong repeatedly, the likelihood of detecting the attack increases.
So how do you accurately predict the next sequence number? While sequence number
guessing can be done manually by skilled attackers, software tools are available to automate
the process. Programs such as Juggernaut (www.packetstorm.securify.com), Hunt
(http://fsid.cvut.cz/~kra/index.html), and T-Sight (http://www.engarde.c...ftware/t-sight/)
are very effective tools that can be successfully used by attackers of moderate skill levels.
3.1.4 Step 4 - Take One of the Parties Offline
Once a session is chosen and sequence numbers predicted, the attacker needs to
silence the workstation computer. This is generally done with a denial of service attack;
however, any attack that renders the computer unable to communicate on the network
would work just as well. The attacker must ensure that the client computer remains offline for
the duration of the attack, or the client computer will begin transmitting data on the network,
causing the workstation and the server to repeatedly attempt to synchronize their connection,
resulting in a condition known as an ACK storm.
Taking the client computer offline is only done in an aggressive session hijack attack.
Remember, the passive attack is used to view data as it flows across the network; therefore,

removing the workstation in this scenario would prohibit the attacker from examining the
communications between the two machines.
3.1.5 Step 5 - Take over the Session and Maintain the Connection
The final phase of the session hijack attack entails taking over the communication
session between the workstation and server. The attacker will spoof their client IP address, to
avoid detection, and include the sequence number that was predicted earlier. If the server
accepts this information, the attacker has successfully hijacked the communication session.
Because the attacker's source address has been spoofed, the attacker will not receive any
feedback regarding the status of the attack. As a result, the attacker will have to understand
what the server is expecting in order to maintain the attack.
At this point in the attack, full access to the network is limited only by the permissions
of the compromised user or computer. Provided that the TCP/IP session is maintained, the
attacker will not have to repeat the hijack process for the duration of the connection.
4 Session Hijack Tools
While session hijacking is possible without the assistance of hijacking software, many
attackers choose to use software tools due to their ease of use. The session hijacking tools
available today provide precision, timing, and session prediction capabilities.

Juggernaut is one of the most popular software packages for session hijacking, and it
runs only on the Linux operating system. Juggernaut contains a built-in network sniffer which
aids in the hijacking process and allows the attacker to watch for keywords as they flow
across the network. Juggernaut is frequently used when attackers want to capture passwords
as they flow across the network.
Hunt, another UNIX based software application, is primarily used for session hijacking
attacks where attackers want to listen and intercept network communications, as well as
hijack open sessions on a network. Sequence number prediction, and silencing the
workstation computer are all handled internally by the software.
T-Sight, written for the Windows operating system, is a commercially available product
that provides most of the functionality of the UNIX software variants. The application can be
purchased from Engarde at the following web site (http://www.engarde.c...oftware/t-sight).
This commercial application was intended to be used by professional security engineers;
however, it is very effective in the hands of an attacker. T-Sight automates the selection of
open sessions, provides accurate sequence number prediction, and is capable of silencing
target workstations.

5 Detecting Session Hijack Attacks
There are two primary technologies that assist in session hijack detection. The more
manual of the two methods is packet sniffing software which can be used to scan for
signatures of an attack. Intrusion detection systems (IDS) and intrusion prevention systems
(IPS) provide a more automated method of detection, but they can also create more analysis
work for the security administrator.
5.1 Packet Sniffers
Packet sniffers are software applications that possess the ability to capture packets as
they flow across the network. Once captured, the contents of the packets can be examined
using a variety of filtering tools. One of the most popular packet sniffers on the market is
called Wireshark and it is available for free at http://www.wireshark.org/.
Using packet sniffing software to detect session hijack attacks can be very difficult.
Doing so requires the user to configure the software to scan the network while displaying the
results on the computer screen in real time. After initiating the scan, the operator would have
to analyze the data in real time as it is displayed on the screen. Due to the difficulty
surrounding this method, packet sniffing software is generally used as an investigative tool
rather than a front-line detection or defense tool.

The following Wireshark screen shots show us what the various steps of the session
hijack attack look like within Wireshark.
5.1.1 Normal Telnet Session
Now that the communication session has been established, the client and server can
communicate via the Telnet protocol. This screen shot shows what a normal telnet
communication session looks like in Wireshark. You can clearly see data packets being sent
to the server and subsequently acknowledged by the server.
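The following is an added example, not code from the paper, of the two signatures a defender would look for when reviewing a capture from a packet sniffer such as Wireshark: an IP address whose MAC address changes mid-capture (the forced ARP entry of section 5.1.2) and an ACK storm, the burst of payload-less ACK segments the paper names as a byproduct of a hijack. The capture records are constructed sample data shaped like Wireshark's summary columns; the field names, the one-second window and the threshold of 20 empty ACKs are assumptions of this example, to be tuned against a baseline of the network being monitored.

```python
"""
Signature checks over a sniffer capture: ARP mapping changes and ACK storms.
Added example with constructed records; field names and thresholds are
assumptions, not Wireshark's or any IDS's own.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed capture.  ARP records carry the IP/MAC mapping announced;
# TCP records carry endpoints, flags ("PA" = PSH/ACK, "A" = ACK) and payload length.
CAPTURE: List[dict] = [
    {"t": 0.10, "proto": "ARP", "ip": "10.0.0.5", "mac": "00:11:22:33:44:55"},
    # a normal Telnet exchange: one keystroke pushed, then acknowledged
    {"t": 0.20, "proto": "TCP", "src": "10.0.0.5", "dst": "10.0.0.10",
     "sport": 1045, "dport": 23, "flags": "PA", "len": 1},
    {"t": 0.21, "proto": "TCP", "src": "10.0.0.10", "dst": "10.0.0.5",
     "sport": 23, "dport": 1045, "flags": "A", "len": 0},
    # the same IP is later announced from a different MAC
    {"t": 5.00, "proto": "ARP", "ip": "10.0.0.5", "mac": "de:ad:be:ef:00:01"},
]
# followed by 24 empty ACKs in half a second, alternating direction
CAPTURE += [
    {"t": 5.10 + i * 0.02, "proto": "TCP",
     "src": "10.0.0.5" if i % 2 == 0 else "10.0.0.10",
     "dst": "10.0.0.10" if i % 2 == 0 else "10.0.0.5",
     "sport": 1045 if i % 2 == 0 else 23,
     "dport": 23 if i % 2 == 0 else 1045,
     "flags": "A", "len": 0}
    for i in range(24)
]


def detect_arp_flaps(records: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (ip, previous_mac, new_mac) for every change in an IP's MAC."""
    seen: Dict[str, str] = {}
    flaps = []
    for r in records:
        if r["proto"] != "ARP":
            continue
        prev = seen.get(r["ip"])
        if prev is not None and prev != r["mac"]:
            flaps.append((r["ip"], prev, r["mac"]))
        seen[r["ip"]] = r["mac"]
    return flaps


def flow_key(r: dict) -> Tuple:
    """Direction-independent key for one TCP connection."""
    return tuple(sorted([(r["src"], r["sport"]), (r["dst"], r["dport"])]))


def detect_ack_storms(records: List[dict], window: float = 1.0,
                      threshold: int = 20) -> List[Tuple]:
    """Flag connections carrying >= threshold payload-less ACK segments
    inside a single window-second time bucket."""
    counts: Dict[Tuple, int] = defaultdict(int)
    for r in records:
        if r["proto"] == "TCP" and r["flags"] == "A" and r["len"] == 0:
            counts[(flow_key(r), int(r["t"] // window))] += 1
    return sorted({flow for (flow, _bucket), n in counts.items() if n >= threshold})


if __name__ == "__main__":
    for ip, old, new in detect_arp_flaps(CAPTURE):
        print(f"ARP change: {ip} moved from {old} to {new}")
    for flow in detect_ack_storms(CAPTURE):
        print("ACK storm on connection:", flow)
```

On the constructed capture the script reports one ARP change for 10.0.0.5 and one ACK storm on the Telnet connection between 10.0.0.5:1045 and 10.0.0.10:23; the single ACK in the normal exchange at the start does not trip the threshold.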

settings.
The group policy material outlined below is based on a Windows 2003 Native domain
structure with client computers running Windows 2000 Professional or Windows XP
Professional workstations. Networks consisting of older operating systems like Windows
95/98/ME or Windows NT 4.0 cannot be secured using GPOs due to their lack of support for
Active Directory.

7 Summary
In the era of viruses, worms, malware, buffer overflows and the like, the session hijack
attack is still alive and well. The attack is very effective and can provide the attacker with
unlimited access to server resources. The session hijack attack allows the attacker to
monitor the network for password information, which can later be used to create access
accounts on the compromised machine, or to intercept data flowing between the client and
server.
Defending against the session hijack attack is very difficult because the attack is not
dependent on software vulnerabilities, but rather on protocol limitations within the TCP/IP
protocol. Some of the byproducts of the attack are subtle, and are usually dismissed by users
and network administrators as normal network events.
A variety of methods can be used to reduce your exposure to the attack, including
intrusion detection and intrusion prevention systems, firewall configuration, IPSec, secure
FTP and Telnet, and Windows 2000/2003 Group Policy Objects. These technologies,
implemented together to form a defense-in-depth strategy, can provide a great deal of
protection against the session hijack attack.
