Wednesday, 17 January 2018

TCP SESSION HIJACKING: TELNET DEMO USING SHIJACK



Week Ten

Some Internet protocols can be hijacked at the network level. TCP/IP hijacking achieves this by bypassing the password authentication that takes place at the start of the session: the attacker takes over a network connection that an authorized user has already established. One of the tools used for TCP session hijacking is “Shijack”. Let’s see how a telnet session can be hijacked.
At the beginning of the session, the three-way handshake occurs. Hosts are also discovered and the transmission over the network is monitored. An attacker needs the right sequence number to hijack a session (Cheese, 2010), so the network must be sniffed. Sequence numbers could be guessed, but since the field is 32 bits wide, giving about 4.3 billion possibilities, this is not feasible.
Ettercap or arpspoof (on the command line) uses ARP poisoning so that packets intended for the server pass through the attacker, producing a Man-in-the-Middle (MiTM) position. The attacker can then analyze the packets with a sniffing tool such as Wireshark and read the details of the telnet connection to be hijacked. Following this, the command below can be used to hijack the connection using "Shijack" for the scenario described in what follows.


root:/home/root/hijack# ./shijack eth0 192.168.0.100 53517 192.168.0.200 23



When the tool runs, another packet is created and sent to the server in an attempt to get a working sequence number. The server accepts it as legitimate and increases the sequence number it expects for the next packet. When the legitimate client sends its next packet, the server drops it and the client's connection is lost. The hijack is done automatically, and we can now remotely communicate with the server through the pre-established session.
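As an added example (not part of the original post, and not code from the Shijack tool), the following Python script shows what a defender can look for on the wire during the sequence just described: the ARP poisoning that sets up the MiTM position shows up as an IP address suddenly answered by a different MAC, and the sequence-number desynchronisation after the injected packet shows up as a burst of bare ACKs between the real client and the server. It assumes ARP replies and TCP segments have already been decoded into records (for example from a capture); the record types, thresholds, MAC addresses and sample traffic are constructed for illustration, using the post's 192.168.0.100:53517 to 192.168.0.200:23 telnet session.

```python
# Added example (not from the original post): an offline detector for two
# network-level symptoms of a TCP session hijack. Record types, thresholds
# and all sample traffic below are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float  # seconds since capture start
    ip: str
    mac: str


@dataclass(frozen=True)
class TcpSeg:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    payload_len: int
    flags: str  # "PA" = PSH+ACK data segment, "A" = pure ACK


def detect_arp_flips(replies):
    """Return (ip, old_mac, new_mac) for every IP whose MAC changes.

    An ARP poisoning tool must claim the victim's IP with the attacker's
    MAC, so a flip on the server or gateway IP is the earliest sign of
    the MiTM setup that precedes the hijack.
    """
    last_mac = {}
    alerts = []
    for r in sorted(replies, key=lambda r: r.ts):
        prev = last_mac.get(r.ip)
        if prev is not None and prev != r.mac:
            alerts.append((r.ip, prev, r.mac))
        last_mac[r.ip] = r.mac
    return alerts


def flow_key(seg):
    """Direction-independent identifier for one TCP connection."""
    return tuple(sorted([(seg.src, seg.sport), (seg.dst, seg.dport)]))


def detect_ack_storms(segments, window=1.0, threshold=10):
    """Return flow keys carrying >= threshold zero-payload ACKs in any
    `window` seconds. After an injected segment advances the server's
    expected sequence number, client and server keep answering each
    other's out-of-sync segments with bare ACKs (an "ACK storm")."""
    ack_times = defaultdict(list)
    for s in segments:
        if s.flags == "A" and s.payload_len == 0:
            ack_times[flow_key(s)].append(s.ts)
    storms = []
    for key, times in ack_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                storms.append(key)
                break
    return storms


# Constructed sample traffic for the post's telnet session.
SAMPLE_ARP = [
    ArpReply(0.0, "192.168.0.200", "00:11:22:33:44:55"),
    ArpReply(0.1, "192.168.0.100", "66:77:88:99:aa:bb"),
    ArpReply(4.0, "192.168.0.200", "de:ad:be:ef:00:01"),  # server IP now claimed by another MAC
]

_C, _S = ("192.168.0.100", 53517), ("192.168.0.200", 23)
SAMPLE_TCP = [
    TcpSeg(1.0, *_C, *_S, 1000, 5000, 8, "PA"),   # client types a command
    TcpSeg(1.1, *_S, *_C, 5000, 1008, 0, "A"),
    TcpSeg(1.2, *_S, *_C, 5000, 1008, 40, "PA"),  # server output
    TcpSeg(1.3, *_C, *_S, 1008, 5040, 0, "A"),
]
# After an injected 12-byte segment: twelve bare ACKs in 0.3 s while the
# server insists on seq 1020 and the real client is still at 1008.
for i in range(12):
    if i % 2 == 0:
        SAMPLE_TCP.append(TcpSeg(6.0 + i * 0.025, *_S, *_C, 5040, 1020, 0, "A"))
    else:
        SAMPLE_TCP.append(TcpSeg(6.0 + i * 0.025, *_C, *_S, 1008, 5040, 0, "A"))
# Unrelated quiet flow that must not trigger the storm detector.
for i in range(3):
    SAMPLE_TCP.append(TcpSeg(7.0 + i, "192.168.0.50", 40000, "192.168.0.200", 80, 1, 1, 0, "A"))


def run_detection(arp=SAMPLE_ARP, tcp=SAMPLE_TCP):
    return {"arp_flips": detect_arp_flips(arp), "ack_storms": detect_ack_storms(tcp)}


if __name__ == "__main__":
    print(run_detection())
```

Both checks are deliberately stateless and cheap, so they can be fed from a live capture as well as from a stored one; in practice the ARP check is the more reliable of the two on a switched LAN, because an ACK storm is short and can also be produced by ordinary network faults, so the storm alert is best treated as corroborating evidence next to a MAC flip on the same segment.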
        
Mitigation

Encrypted protocols should be used in place of “clear-text” protocols, as all unencrypted sessions are vulnerable to TCP/IP session hijacking. Multi-factor authentication techniques can also provide an extra level of security against these attacks (Oriyano, 2016).


References

Oriyano, S.-P. (2016, April). CEH v9: Certified Ethical Hacker Version 9 Study Guide (3rd ed.).
Cheese. (2010, October). TCP Session Hijacking. Retrieved from https://www.exploit-db.com/papers/13587/
 
Video Credit: Jenil Jain. February 24, 2016
