Sniffing and Session Hijacking - PowerPoint PPT Presentation

1 / 31
About This Presentation
Title:

Sniffing and Session Hijacking

Description:

pen registers provides access to the numbers that are dialed from a phone ... possible with cellular phones. can work even when phone not in use. Session Hijacking ... – PowerPoint PPT presentation

Number of Views:915
Avg rating:3.0/5.0
Slides: 32
Provided by: oitu
Category:

less

Transcript and Presenter's Notes

Title: Sniffing and Session Hijacking


1
Sniffing and Session Hijacking
  • Lesson 11

2
Session Hijacking
  • Passive
  • Attacker hijacks a session, but just sits back
    and watches and records all of the traffic that
    is being sent back and forth
  • Also referred to as sniffing
  • Active
  • Attacker finds an active session and takes over.
  • Done by forcing one of the parties offline, where
    the user can no longer communicate usually done
    with a Denial of Service attack.

3
Sniffing
  • Sniffers are programs or HW devices that monitor
    (listen in to) traffic flowing across a
    network.
  • They can pull in all packets or be selective and
    only grab packets destined for certain addresses
    or that carry a certain type of traffic
  • For a sniffer to work correctly, it needs to view
    all of the traffic going across a network. Thus,
    it must be on internal network or on main
    connection into/out of a network.

4
Computer Network Monitoring
  • Port Scanning
  • Keystroke Monitoring
  • Packet sniffers
  • takes advantage of friendly nature of net.
  • Grabs packets not destined for system
  • used by
  • hackers
  • sysadmins
  • Law enforcement agencies

5
IP Packet
4 8
16 19 32
Version
Length
Type of Srvc
Total Length
Identification
Flags
Fragment Offset
Time to live
Protocol
Header Checksum
Source
Address
Destination
Address

Options


Data

6
SnifferPro
7
SnifferPro
8
SnifferPro
9
SnifferPro
10
NetXray
11
TCP packet
4 8
16 32
Source Port
Destination Port
Sequence Number

Acknowledgement
Number
Unused
U A P R S F R C S S Y I G K H T NN
Window

Data offset
Urgent Pointer
Checksum
Options
Padding

Data

12
NetXray
13
Van Eck reception
  • Relies on the fact that electronic equipment
    radiates electromagnetic signals which can be
    intercepted
  • With the proper equipment signals can be
    recreated up to 1 kilometer away

14
Seizing the Signals
  • Eavesdropping on conversations
  • listening in, the content
  • Traffic analysis
  • data about the signals themselves

15
Eavesdropping
  • Cellular Intercepts
  • extremely vulnerable to interception
  • Pager Intercepts
  • also fairly simple
  • Law Enforcement Wiretaps
  • generally require court order with probable cause
  • Foreign Intelligence Intercepts
  • US and others have VERY active program in this
    arena

16
ECHELON
17
Sniffing VoIP sessions
18
Defeating Sniffer Attacks
  • Detecting and Eliminating Sniffers
  • Possible on a single box if you have control of
    the system
  • Difficult (depending on OS) to impossible (if
    somebody splices network and adds hardware) from
    network perspective
  • Safer Topologies
  • Sniffers capture data from network segment they
    are attached to, so create segments
  • Encryption
  • If you sniff encrypted packets, who cares?
  • (outside of traffic analysis, of course)

19
Traffic Analysis
  • Looks at activity, not contents
  • Pen Registers and Tap Trace
  • pen registers provides access to the numbers that
    are dialed from a phone
  • tap trace provides incoming numbers
  • Location Tracking
  • possible with cellular phones
  • can work even when phone not in use

20
Session Hijacking
  • Review for a second, the three-way handshake in
    TCP

User
Server
21
Revisit Sequence Numbers
  • Depending on the session to be hijacked, you may
    or may not be able to observe the traffic and
    thus know the sequence number.
  • Sequence numbers are
  • 32-bit numbers,
  • Used by recipient to know what order to put
    received packets in, and
  • To acknowledge packets received so sender knows
    if it has to resend a packet.
  • There is one for the sender and one for the
    receiver

22
Steps in Session Hijacking
  • Find a target
  • Perform sequence number prediction
  • Find an active session
  • Guess the sequence numbers
  • Take one of the parties offline
  • Take over the session

23
Find a target
  • Need to find a suitable target
  • Need to be able to sample sequence numbers
  • Need to be able to get through the firewall for
    this
  • Needs to have connected sessions
  • Probably should be a server that allows
    session-oriented connections (e.g. telnet or FTP)

24
Perform sequence number prediction
  • If you can view the traffic, no problem
  • Predictability of sequence number depends on OS
    (Windows more predictable)
  • Use scanning tool to determine OS (e.g. nmap)
  • Attempt several connections and observe sequence
    numbers to see how random the sequence is
    gather information.

25
Find an Active Session
  • In session hijacking you want to take over a
    session you want somebody to be around
  • This is opposite of usual hacker activity where
    you dont want folks around to notice activity
  • The more traffic the better off since there will
    less chance of somebody noticing (individual may
    assume heavy traffic is causing them any network
    problems experienced)

26
Guess the sequence number
  • For communication to occur need several things
  • IP address (doesnt change during session)
  • Port number (doesnt generally change)
  • Sequence number (changes each packet sent)
  • Thus, attacker must successfully guess sequence
    number to hijack session
  • Goal is to get server to accept packet sent, take
    some educated guessing based on knowledge of
    sequence predictability

27
Take One of the Parties Offline
  • Once youve guessed the correct sequence number,
    time to eliminate the sender so you can take over
    the session.
  • Generally done with some form of Denial of
    Service attack.
  • Server still responds to original system but it
    never knows because it has been taken out.

28
Take Over the Session
  • Now the attacker has everything set up
  • Session
  • Sequence number
  • Sender (usually client) taken out
  • Now exploit session, ideally something like a
    telnet session where you can issue commands such
    as creating a new account or adding system to
    list of trusted systems.

29
Hijacking, doesnt sound so simple
  • In theory, it is very complex, fortunately there
    are some programs out there that can help you.
  • Juggernaut
  • Hunt
  • TTY Watcher
  • IP Watcher
  • All of these are of the sniffer type, must see
    traffic to be able to hijack it.
  • Think about what is needed to hijack a session
    you cant see.
  • Remember, however, that I dont need to be able
    to sniff all traffic to a server, I can be
    sniffing at the client side.

30
Protecting Against Session Hijacking
  • Use encryption
  • Use a secure protocol (usually includes
    encryption)
  • Limit incoming connections
  • Minimize remote access (referring to outgoing)
  • Have strong authentication (though this is less
    effective in protecting against hijacking since
    you are taking over a session after
    authentication has taken place.)

31
Summary
  • Hijacking is a real threat
  • Technology is straightforward
  • Many tools available to do this
  • There are legal ramifications
Write a Comment
User Comments (0)
About PowerShow.com