Session Hijacking - PowerPoint PPT Presentation

Slides: 13
Provided by: johnmc1

Transcript and Presenter's Notes

1
Session Hijacking
  • TSM 352
  • System Security

2
A Word on Passwords
  • Passwords typically guard access
  • A password can be recovered offline only if its
    stored (hashed) form is available
  • Otherwise:
      • Guessing
      • Dumpster Diving/Shoulder Surfing
      • Social Engineering
      • Covert Information
      • Sniffing

3
Introduction to Session Hijacking
  • Established TCP Session is taken over after
    authentication has occurred thus avoiding the
    password issue
  • Usually accomplished by taking the client offline
    (using a DoS) and impersonating that user.

4
Hijacking Programs
  • Hijacking programs are basically sniffers plus
    the hijack portion.
  • The sniffing portion looks specifically for
    ongoing TCP sessions and reports on these
    sessions.
  • The user can then choose to simply monitor one
    of the ongoing sessions (see all the pertinent
    traffic, basically the text portions), or
    hijack the session.
  • The hijack portion can operate in a number of
    ways.

5
The Hijack Operation
  • Can inject packets
  • Can eliminate the actual connection and assume
    the part of the client

6
Hijack Categories
  • Blind: neither end can be sniffed
      • Quite difficult
      • Must be able to predict the TCP sequence
        numbering for the server and client
  • Local: one or both ends can be sniffed
      • Much easier to hijack
      • The TCP sequence numbers are known
      • This is the one we will study
  • Host-Based
      • On a multi-user machine
      • Network not involved
      • Simply intercepts keyboard-to-screen

7
ACK Storms
  • Occurs when an attacker first starts to take over
    a session and injects packets.
  • There is a good chance that the attacker will not
    guess the sequence numbers correctly.
  • When the server receives the spoofed packets and
    notes that they are out of sequence, it tries to
    re-sync the sequence numbers. It does this by
    sending SYN and ACK packets, which the original
    client replies to with its own SYN and ACK
    packets, trying to correct the server.
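On the wire, the storm the slide describes shows up as a burst of payload-free ACKs bouncing between the two ends of one connection while no data moves. As an added example (not from the deck, and not a hijack tool), the Python below runs a symptom detector over constructed flow records: the Segment class, the addresses, the one-second window and the threshold of 20 bare ACKs are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float       # capture time in seconds
    src: str        # "ip:port" of the sender
    dst: str        # "ip:port" of the receiver
    flags: str      # TCP flags as letters, e.g. "S", "SA", "A", "PA"
    payload: int    # bytes of TCP payload


def is_pure_ack(seg):
    """A bare acknowledgement: ACK set, no SYN/FIN/PSH, and no data."""
    return seg.flags == "A" and seg.payload == 0


def flow_key(seg):
    """Direction-independent identifier for the connection."""
    return tuple(sorted((seg.src, seg.dst)))


def detect_ack_storms(segments, window=1.0, threshold=20):
    """Flag connections in which both ends exchanged at least `threshold`
    payload-free ACKs within `window` seconds while no data moved.
    Returns one (flow, storm_start_ts, acks_seen) tuple per flagged flow."""
    recent = defaultdict(deque)      # flow -> deque of (ts, sender) for pure ACKs
    alerts, flagged = [], set()
    for seg in sorted(segments, key=lambda s: s.ts):
        key = flow_key(seg)
        q = recent[key]
        if not is_pure_ack(seg):
            # Data or control traffic means the connection is progressing again.
            q.clear()
            flagged.discard(key)
            continue
        q.append((seg.ts, seg.src))
        while q and seg.ts - q[0][0] > window:
            q.popleft()
        both_sides = len({sender for _, sender in q}) == 2
        if both_sides and len(q) >= threshold and key not in flagged:
            alerts.append((key, q[0][0], len(q)))
            flagged.add(key)
    return alerts


def sample_capture():
    """Constructed sample, not a real capture: a healthy telnet session
    (keystroke, ack, echo, ack once per second) followed by a second
    session in which both ends only re-acknowledge each other."""
    c, s = "10.0.0.5:40000", "10.0.0.9:23"
    segs = []
    for i in range(10):
        t = float(i)
        segs += [Segment(t, c, s, "PA", 1), Segment(t + 0.01, s, c, "A", 0),
                 Segment(t + 0.02, s, c, "PA", 1), Segment(t + 0.03, c, s, "A", 0)]
    c2, s2 = "10.0.0.7:40001", "10.0.0.9:23"
    for i in range(40):
        sender, receiver = (c2, s2) if i % 2 == 0 else (s2, c2)
        segs.append(Segment(20.0 + i * 0.01, sender, receiver, "A", 0))
    return segs


if __name__ == "__main__":
    for flow, start, count in detect_ack_storms(sample_capture()):
        print(f"ACK storm on {flow[0]} <-> {flow[1]} from t={start}: {count} bare ACKs")
```

The window and threshold are deliberately loose; a real monitor would tune them per link speed and also watch whether the acknowledgement numbers in the burst ever advance, which they do not during a storm.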

8
Injection Process
  • The potential hijacker will sniff traffic between
    a client and target until he (and the hijack
    utility) has gathered enough information to
    start the hijack procedure.
  • Inject spoofed traffic using the source address
    of the client, attempting to ensure that the
    sequence numbers in the packets coincide with the
    ongoing connection between client and target.
  • If the hijack is successful, the target will obey
    the commands sent by the hijacker, thinking they
    came from the client. The reply from the server
    is sniffed by the attacker.

9
Hijack Process
  • The first step (sniffing) is the same
  • In the hijack process, the client is typically
    taken out of the communication link so that it
    does not have an opportunity to object to the TCP
    sequence numbers.
      • Denial of Service
      • ARP Spoofing
  • The hijacker will assume the identity of the
    client.

10
ARP Spoofing Technique
  • The hijacker convinces the client that he (the
    hijacker) is the server
  • The hijacker convinces the server that he is the
    client
  • Therefore, all traffic from either one will come
    to the hijacker, and he can respond in any way he
    deems appropriate
  • This setup is sometimes called MitM

11
ARP Spoofing Hijack
  • When the hijacker is finished, it is possible to
    return the session to the original client
  • However, the client will be confused by the
    sequence numbering
  • Must re-sync the sequence in order to return
    client to session

12
Session Hijack Defenses
  • When considering hijack defenses, consider its
    separate components: sniffing and spoofing.
  • We have discussed the defense for both of these
    in previous lessons. These same defenses become
    effective for session hijacking.
  • Encryption nullifies sniffing
  • Programs like arpwatch can be used to help
    detect and prevent ARP spoofing.
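Slides 10 and 11 describe the MitM setup in which one station answers ARP for both the gateway and the client, and this slide names arpwatch as the detector. As an added example (not the deck's code and not arpwatch itself), the Python below keeps the same IP-to-MAC table arpwatch keeps and reports the three event kinds arpwatch logs ("new station", "changed ethernet address", "flip flop"), run over constructed ARP replies; the IP addresses are private test values and the MACs are from the documentation range 00:00:5e:00:53:xx, all of them assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds
    sender_ip: str     # protocol address the reply claims
    sender_mac: str    # hardware address it claims it for


class ArpWatch:
    """Tracks which MAC has claimed each IP in observed ARP replies and
    reports binding changes. Detection only: it never touches the ARP cache."""

    def __init__(self):
        self.current = {}   # ip -> mac currently bound
        self.history = {}   # ip -> every mac ever seen for that ip, in order

    def observe(self, reply):
        """Return an event tuple (kind, ip, old_mac, new_mac, ts) or None."""
        ip, mac = reply.sender_ip, reply.sender_mac
        seen = self.history.setdefault(ip, [])
        if ip not in self.current:
            kind = "new station"
        elif self.current[ip] == mac:
            return None                        # unchanged binding, nothing to say
        elif mac in seen:
            kind = "flip flop"                 # back to an address seen earlier
        else:
            kind = "changed ethernet address"
        old = self.current.get(ip)
        self.current[ip] = mac
        if mac not in seen:
            seen.append(mac)
        return (kind, ip, old, mac, reply.ts)

    def macs_claiming_multiple_ips(self):
        """The slide-10 pattern: one hardware address currently bound to
        several IPs (for instance the gateway and a client at once)."""
        by_mac = {}
        for ip, mac in self.current.items():
            by_mac.setdefault(mac, set()).add(ip)
        return {m: ips for m, ips in by_mac.items() if len(ips) > 1}


def sample_replies():
    """Constructed sequence, not a real capture."""
    gw, host = "10.0.0.1", "10.0.0.5"
    return [
        ArpReply(0.0, gw, "00:00:5e:00:53:01"),
        ArpReply(1.0, host, "00:00:5e:00:53:05"),
        ArpReply(50.0, gw, "00:00:5e:00:53:ff"),    # gateway now answered by another MAC
        ArpReply(51.0, host, "00:00:5e:00:53:ff"),  # same MAC also claims the client
        ArpReply(90.0, gw, "00:00:5e:00:53:01"),    # original gateway MAC reappears
    ]


def run(replies):
    """Feed replies through a fresh watcher; return it and the event list."""
    watch = ArpWatch()
    events = [e for e in (watch.observe(r) for r in replies) if e is not None]
    return watch, events


if __name__ == "__main__":
    watch, events = run(sample_replies())
    for kind, ip, old, new, ts in events:
        print(f"t={ts:6.1f} {kind}: {ip} {old} -> {new}")
    print("multiple IPs per MAC:", watch.macs_claiming_multiple_ips())
```

A "changed ethernet address" on the gateway's IP followed by the same new MAC appearing on a client's IP is the signature of the setup in slide 10; the later "flip flop" is what the hand-back in slide 11 looks like. On a real network the preventive counterparts are static ARP entries for the gateway on sensitive hosts and dynamic ARP inspection on managed switches.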