Professional Documents
Culture Documents
Version 5
Module X
Session Hijacking
Scenario
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Module Objective
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Module Flow
Sequence Number
Session Hijacking
Prediction
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
What is Session Hijacking?
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Understanding Session Hijacking
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Spoofing vs. Hijacking
John (Victim)
ls
and ti a
n
hn de
Jo cre
m y
Ia em
r
ea
he
r Server
d
P an
I
h n’s sion
Jo s
o fs he se
o
P sp cks t
AR hija Server
network)
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Types of Session Hijacking
~ Passive
• With a passive attack, an attacker hijacks a session, but sits
back, and watches and records all the traffic that is being sent
forth
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
The 3-Way Handshake
SYN
Seq.:4000
SYN/ACK
Seq:7000, Ack: 4001
ACK
Seq: 4002Ack :7001
Server
Bob
If the attacker can anticipate the next SEQ/ACK number Bob will
send, he will spoof Bob’s address and start a communication with the
server
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
TCP Concepts 3-Way Handshake
1. Bob initiates a connection with the server. Bob sends a packet to the
server with the SYN bit set
2. The server receives this packet and sends back a packet with the SYN
bit and an ISN (Initial Sequence Number) for the server
3. Bob sets the ACK bit acknowledging the receipt of the packet and
increments the sequence number by 1
4. The two machines have successfully established a session
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Sequence Numbers
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Sequence Number Prediction
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
TCP/IP Hijacking
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
TCP/IP Hijacking
Source: 10.1.0.100
Destination: 10.1.0.200
Seq#: 1429775000
Ack#: 1250510000
Len: 24
1
Source: 10.1.0.200
Destination: 10.1.0.100
2
Seq#: 1250510000
Ack#: 1429775024
Len: 167
Computer A 3 Computer B
Source: 10.1.0.100
Destination: 10.1.0.200
Seq#: 1429775024
Ack#: 1250510167
Len: 71
Copyright © by EC-Council
EC-Council Hacker All Rights reserved. Reproduction is strictly prohibited
RST Hijacking
RST Packet
Spoofed Source Address with
predicted ACK number 1
2 Connection Reset
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
RST Hijacking Tool: hijack_rst.sh
# ./hijack_rst.sh
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Programs that Perform Session
Hijacking
There are several programs available
that perform session hijacking
The following are a few that belong in
this category:
• Juggernaut
• Hunt
• TTY Watcher
• IP Watcher
• T-Sight
• Paros HTTP Hijacker
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Hacking Tool: Juggernaut
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Hacking Tool: Hunt
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Hacking Tool: TTY Watcher
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Hacking Tool: IP Watcher
http://engarde.com
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Session Hijacking Tool: T-Sight
http://engarde.com
~ T-Sightis a session hijacking tool
for Windows
~ With T-Sight, you can monitor all of
your network connections (i.e.
traffic) in real-time, and observe the
composition of any suspicious
activity that takes place
~ T-Sighthas the capability to hijack
any TCP sessions on the network
~ Due to security reasons, Engarde
Systems licenses this software to
pre-determined IP addresses
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Session Hijacking Tool: T-Sight
Session Hijacking is
simple by clicking this
button
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Remote TCP Session Reset Utility
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Paros HTTP Session Hijacking Tool
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Paros Untitled Session
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Paros HTTP Session Hijacking Tool
Target Server in
NYC
Hacker in Russia
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Dangers Posed by Hijacking
secure protocol
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Protecting against Session Hijacking
1. Use encryption
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Countermeasure: IP Security
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
IP-SEC
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
What happened next?
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Summary
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited