10.3 Network Level Session Hijacking
Network-level Session Hijacking
- The network-level hijacking relies on hijacking transport and Internet protocols used by web applications in the application layer.
- By attacking the network-level sessions, the attacker gathers some critical information which is used to attack the application level.
- Network-level hijacking includes:
- Blind Hijacking
- UDP Hijacking
- TCP/IP Hijacking
- RST Hijacking
- Man-in-the-Middle: Packet Sniffer
- IP Spoofing: Source Routed Packets
The 3-Way Handshake
- If the attacker can anticipate the next sequence and ACK number that Bob will send, he/she will spoof Bob's address and start a communication with the server.
- For the three parties to communicate, the following information is required:
- IP address → 在IP封包裡,且不會改變
- Port numbers → 在IP封包裡,且不會改變
- Sequence numbers → 時時改變,所以要想辦法猜中sequence number,且要在server收到受害者的封包之前,讓server收下攻擊者的封包,一旦成功,就取下受害者的session了。
TCP/IP Hijacking
- TCP/IP hijacking is a hacking technique that uses spoofed packets to take over a connection between a victim and a target machine.
- The victim's connection hangs and the attacker is then able to communicate with the host's machine as if the attacker is the victim.
- To launch a TCP/IP hijacking attack, the attacker must be on the same network as the victim.
- The target and the victim machines can be anywhere.
- 送欺騙封包(spoofed packet)
- 攻擊者必須和受害者同個內網下
TCP/IP Hijacking Process
- The attacker sniffs the victim's connection and uses the victim's IP to send a spoofed packet with the predicted sequence number.
- The receiver processes the spoofed packet, increments the sequence number, and sends acknowledgement to the victim's IP.
- The victim machine is unaware of the spoofed packet, so it ignores the receiver machine's ACK packet and turns sequence number count off.
- Therefore, the receiver receives packets with the incorrect sequence number.
- The attacker forces the victim's connection with the receiver machine to a desynchronized state.
- The attacker tracks sequence numbers and continuously spoofs packets that comes from the victim's IP.
- The attacker continues to communicate with the receiver machine while the victim's connection hangs.
IP Spoofing: Source Routed Packets (?)
- Packet source routing technique is used for gaining unauthorized access to a computer with the help of a trusted host's IP address.
- The attackers spoofs the host's IP address so that the server managing a session with the host, accepts the packets from the attacker.
- When the session is established, the attacker injects forged packets before the host responds to the server.
- The original packet from the host is lost as the server gets the packet with a sequence number already used by the attacker.
- The packets are source-routed where the path to the destination IP can be specified by the attacker.
RST Hijacking
- RST hijacking involves injecting an authentic-looking reset (RST) packet using spoofed source address and predicting the acknowledgment number.
- The hacker can reset the victim's connection if it uses an accurate acknowledgement number.
- The victim believes that the source actually sent the reset packet and resets the connection.
- RST Hijacking can be carried out using a packet crafting tool such as Colasoft's Packet Builder and TCP/IP analysis tool such as tcpdump.
Blind Hijacking
- The attacker can inject the malicious data or commands into the intercepted communications in the TCP session even if the source-routing is disabled.
- The attacker can send the data or commands but has no access to see the response.
MiTM Attack Using Forged ICMP and ARP Spoofing (?)
- In this attack, the packet sniffer is used as an interface between the client and the server.
- ARP spoofing involves fooling the host by broadcasting the ARP request and changing its ARP tables by sending the forged ARP replies.
- The packets between the client and the server are routed through the hijacker's host by using two techniques:
- Using Forged Internet Control Message Protocol (ICMP): It is an extension of IP to send error messages where the attacker can send messages to fool the client and the server.
- The technique used is to forge ICMP packets to redirect traffic between the client and the host through the hijacker's host.
- The hacker's packets send error messages that indicate problems in processing packets through the original connection.
- This fool the server and client into routing through its path instead.
- Using Address Resolution Protocol (ARP) Spoofing: ARP is used to map the network layer address (IP address) to link layer addresses (MAC address).
- Using Forged Internet Control Message Protocol (ICMP): It is an extension of IP to send error messages where the attacker can send messages to fool the client and the server.
UDP Hijacking (?)
- A network-level session hijacking where the attacker sends forged server reply to a victim's UDP request before the intended server replies to it.
- The attacker uses man-in-the-middle attack to intercept server's response to the client and sends its own forged reply.
- UDP does not use packet sequencing and synchronizing.
- victim執行 udp查詢時,在真正回應回來之前,attacker就送一個假的給victim,假的udp可包含惡意資訊,例如victim執行dns query時,attacker送一個假的dns response,讓victim去錯誤的地方
Q1) Julie has sniffed an ample amount of traffic between the targeted victim and an authenticated resource. She has been able to correctly guess the packet sequence numbers and inject packets, but she is unable to receive any of the responses. What does this scenario define?
- Switched network
- SSL encryption
- TCP hijacking
- Blind hijacking
A1) The key portion of the question is that Julie is not receiving a response to her injected packets and commands. Although the sequence prediction does relate to TCP hijacking, the best answer is blind hijacking.
Q2) TCP/IP Session Hijacking is carried out in which OSI layer?
- Datalink layer
- Transport layer
- Network layer
- Physical layer