TCP IP Hijacking
Uploaded by pranay-patel
8/2/2019 TCP IP Hijacking
TCP/IP Hijacking:-
TCP/IP hijacking, also called active sniffing, involves the attacker gaining access to a host in the network and logically disconnecting it from the network. The attacker then inserts another machine with the same IP address. This happens quickly and gives the attacker access to the session and to all the information on the original system. The server won't know that this has occurred and will respond as if the client were trusted.
TCP/IP hijacking is one of the most dangerous attacks against a network because the hijacker inherits whatever privileges and access the stolen session already has on the server. As with a sequence number attack, there is little the TCP layer itself can do to counter the threat; the effective defence is integrity protection above TCP (SSH or SSL/TLS), since an attacker who cannot produce valid records under the session keys gains nothing from the hijacked stream. Fortunately, these attacks require fairly sophisticated software and are harder to engineer than a DoS attack such as a TCP SYN flood.
TCP/IP hijacking is a clever technique that uses spoofed packets to take over a connection between a victim and a host machine. The victim's connection hangs, and the attacker is able to communicate with the host machine as if the attacker were the victim. This technique is exceptionally useful when the victim uses a one-time password to connect to the host machine. A one-time password can be used to authenticate once, and only once, which means that sniffing the authentication is useless for the attacker. In this case, TCP/IP hijacking is an excellent means of attack, because the session is stolen after authentication has already succeeded.
As mentioned earlier in the chapter, during any TCP connection, each side maintains a sequence number. As packets are sent back and forth, each side's sequence number advances by the number of payload bytes it has sent (SYN and FIN each count as one byte), and every packet also carries an acknowledgment number telling the other side how far its data has been received. A packet whose sequence number doesn't match what the receiving side expects isn't passed up to the next layer: it is dropped if it repeats earlier sequence numbers, or held for later reassembly if it carries later ones. A packet that acknowledges data the receiver never sent is likewise unacceptable. If both sides have incorrect sequence numbers, any communications attempted by either side aren't passed up by the corresponding receiving side, even though the connection remains in the established state. This condition is called a desynchronized state, and it causes the connection to hang.
To carry out a TCP/IP hijacking attack, the attacker must be on the same network as the victim (or otherwise able to see the victim's traffic). The host machine the victim is communicating with can be anywhere. The first step is for the attacker to use a sniffing technique to sniff the victim's connection, which allows the attacker to watch the sequence numbers of both the victim (system A in the following illustration) and the host machine (system B). Then the attacker sends a spoofed packet from the victim's IP address to the host machine, using the correct sequence number, as shown in the illustration.
The host machine receives the spoofed packet and, believing it came from the victim's machine, advances the sequence number it expects from the victim and responds to the victim's IP. Because the victim's machine doesn't know about the spoofed packet, the host machine's response acknowledges data the victim never sent, so the victim ignores the response packet. And because the victim's machine ignored the host machine's response packet, the victim's sequence number count is now off relative to the host's. Therefore any packet the victim tries to send to the host machine will have an incorrect sequence number as well, causing the host machine to ignore the packet.
The attacker has forced the victim's connection with the host machine into a desynchronized state. And because the attacker sent out the first spoofed packet that caused all this chaos, the attacker can keep track of the sequence numbers and continue spoofing packets from the victim's IP address to the host machine. This lets the attacker continue communicating with the host machine while the victim's connection hangs.
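The exchange described above, as an added example that is not part of the original handout: a Python model of the two endpoints (A, the victim, and B, the host) and an on-path attacker who sniffs both directions and forges segments with the victim's address. Each endpoint applies two RFC 793 checks, that incoming data starts exactly at the expected sequence number and that the ACK field does not cover bytes it never sent, which is the precise form of the "incorrect sequence number" the text describes. The addresses, initial sequence numbers and sample commands are constructed; the receive window is simplified to exactly one segment (no out-of-order queue), and a rejecting endpoint stays silent rather than emitting the ACK that starts an ACK storm on real stacks.

```python
"""Model of TCP/IP hijacking by sequence-number desynchronization (illustration only)."""
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str          # IP address the segment claims to come from
    dst: str
    seq: int          # sequence number of the first payload byte
    ack: int          # next sequence number the sender expects from its peer
    payload: bytes = b""


@dataclass
class Endpoint:
    ip: str
    snd_nxt: int      # next sequence number this side will send
    rcv_nxt: int      # next sequence number this side expects to receive
    delivered: list = field(default_factory=list)   # payloads passed up the stack
    dropped: list = field(default_factory=list)     # segments rejected by the checks

    def send(self, dst: str, payload: bytes) -> Segment:
        seg = Segment(self.ip, dst, self.snd_nxt, self.rcv_nxt, payload)
        self.snd_nxt += len(payload)
        return seg

    def receive(self, seg: Segment) -> bool:
        # Simplified RFC 793 checks: data must start exactly at rcv_nxt (window of one
        # segment, no reassembly queue) and the ACK must not cover bytes never sent.
        if seg.seq != self.rcv_nxt or seg.ack > self.snd_nxt:
            self.dropped.append(seg)
            return False
        self.rcv_nxt += len(seg.payload)
        self.delivered.append(seg.payload)
        return True


class Attacker:
    """On the victim's LAN: sees every segment and can forge the victim's address."""

    def __init__(self, victim_ip: str, host_ip: str):
        self.victim_ip, self.host_ip = victim_ip, host_ip
        self.seq = self.ack = None      # learned by sniffing before the first spoof
        self.hijacked = False

    def sniff(self, seg: Segment) -> None:
        if seg.src == self.host_ip:
            # The host's ACK field says exactly what it expects next from the victim's
            # address, so it stays authoritative after the victim falls out of sync.
            self.seq, self.ack = seg.ack, seg.seq + len(seg.payload)
        elif seg.src == self.victim_ip and not self.hijacked:
            self.seq, self.ack = seg.seq + len(seg.payload), seg.ack

    def spoof(self, payload: bytes) -> Segment:
        self.hijacked = True
        seg = Segment(self.victim_ip, self.host_ip, self.seq, self.ack, payload)
        self.seq += len(payload)        # keep our own count of bytes the host has seen
        return seg


def run_hijack() -> dict:
    victim = Endpoint("10.0.0.5", snd_nxt=1000, rcv_nxt=5000)   # system A (constructed)
    host = Endpoint("10.0.0.9", snd_nxt=5000, rcv_nxt=1000)     # system B (constructed)
    mallory = Attacker(victim.ip, host.ip)

    def transmit(seg: Segment, receiver: Endpoint) -> bool:
        mallory.sniff(seg)              # the attacker sees it whether or not it is accepted
        return receiver.receive(seg)

    # 1. Legitimate exchange after authentication; the commands are constructed samples.
    transmit(victim.send(host.ip, b"ls\n"), host)
    transmit(host.send(victim.ip, b"notes.txt\n"), victim)
    # 2. Forged segment from the victim's address with the numbers the host expects.
    spoof_ok = transmit(mallory.spoof(b"cat secret\n"), host)
    # 3. The host answers the victim's IP; its ACK covers bytes the victim never sent.
    reply_ok = transmit(host.send(victim.ip, b"s3cr3t\n"), victim)
    # 4. The victim's own next command now carries a stale sequence number.
    victim_ok = transmit(victim.send(host.ip, b"exit\n"), host)
    # 5. The attacker, still in sync with the host, keeps driving the session.
    second_spoof_ok = transmit(mallory.spoof(b"id\n"), host)

    return {
        "host_accepted_spoof": spoof_ok,
        "victim_accepted_reply": reply_ok,
        "host_accepted_victim": victim_ok,
        "host_accepted_second_spoof": second_spoof_ok,
        "host_delivered": host.delivered,
        "victim_delivered": victim.delivered,
        "desynchronized": victim.snd_nxt != host.rcv_nxt and host.snd_nxt != victim.rcv_nxt,
    }


if __name__ == "__main__":
    for key, value in run_hijack().items():
        print(f"{key}: {value}")
```

Running it shows the host accepting both forged commands, the victim dropping the host's reply, the host dropping the victim's next command, and both directions left with mismatched counters, which is the desynchronized state the text describes.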
Wireless Security:-
Wireless security is the prevention of unauthorized access or damage to computers using wireless networks. The most common types of wireless security are Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is one of the least secure forms of security: a network secured with WEP was cracked in 3 minutes in a public FBI demonstration in 2005. WEP is an old IEEE 802.11 standard from 1999 which was superseded in 2003 by WPA (Wi-Fi Protected Access). WPA was a quick interim alternative for those wishing to get away from the problematic WEP; the full IEEE 802.11i standard, marketed as WPA2, followed in 2004. There are some pieces of hardware that cannot support WPA2 without being replaced or having the firmware upgraded. WPA2 encrypts the network with AES (CCMP) under keys derived from a 256-bit pairwise master key, which adds a great deal more security than WEP offers to the wireless network.
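Why WEP is the weakest of these, as an added example that is not part of the original handout: WEP prefixes a 24-bit per-frame IV to a static RC4 key, so keystreams repeat after a few thousand frames, and two frames under one IV leak each other's plaintext. The Python below implements RC4 and the WEP frame body (IV, then RC4(IV||key) XORed over plaintext plus CRC-32 ICV; the 802.11 header and key-ID byte are omitted) and then recovers a frame's plaintext with no key at all, given one frame with known content under the same IV. The key, IV and frame contents are constructed for the illustration; `frames_until_iv_collision` is the standard birthday bound, not a WEP-specific formula.

```python
"""WEP keystream reuse: constructed key, IV and frames; RC4 implemented only to attack it."""
import math
import zlib

IV_BYTES = 3                       # WEP's per-frame initialization vector is 24 bits


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA). The same key always yields the same keystream prefix."""
    s = list(range(256))
    j = 0
    for i in range(256):                               # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:                           # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))          # truncates to the shorter input


def icv(plaintext: bytes) -> bytes:
    return zlib.crc32(plaintext).to_bytes(4, "little")   # WEP's CRC-32 integrity value


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key) XOR (plaintext || ICV), as in 802.11-1999."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + shared_key, len(body)))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    iv, ct = frame[:IV_BYTES], frame[IV_BYTES:]
    body = xor(ct, rc4_keystream(iv + shared_key, len(ct)))
    plaintext, tag = body[:-4], body[-4:]
    if icv(plaintext) != tag:
        raise ValueError("ICV mismatch")
    return plaintext


def recover_via_iv_reuse(known_frame: bytes, known_plaintext: bytes, target_frame: bytes) -> bytes:
    """Keyless attack: a frame with known plaintext (a predictable header, say) plus any
    other frame under the same IV gives the second frame's plaintext outright."""
    if known_frame[:IV_BYTES] != target_frame[:IV_BYTES]:
        raise ValueError("IVs differ; the attack needs a collision")
    keystream = xor(known_frame[IV_BYTES:], known_plaintext + icv(known_plaintext))
    body = xor(target_frame[IV_BYTES:], keystream)     # recoverable only as far as keystream
    plaintext, tag = body[:-4], body[-4:]
    if icv(plaintext) != tag:
        raise ValueError("target longer than the known frame; only a prefix is recoverable")
    return plaintext


def frames_until_iv_collision(p: float = 0.5) -> float:
    """Birthday bound: frames sent before some IV repeats with probability p."""
    return math.sqrt(2 * 2 ** (8 * IV_BYTES) * math.log(1 / (1 - p)))


def demo() -> dict:
    key = b"Sup3rSecret13"                   # constructed 104-bit WEP key
    iv = b"\x01\x02\x03"                     # the same IV lands on two frames
    p1 = b"GET /index.html HTTP/1.0\r\n"     # predictable request line (known plaintext)
    p2 = b"passwd=Tr0ub4dor&3\r\n"           # the frame the attacker wants (constructed)
    c1, c2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    return {
        "roundtrip": wep_decrypt(key, c2),
        # XOR of the two ciphertext bodies equals XOR of the two plaintext bodies
        "xor_leaks": xor(c1[IV_BYTES:], c2[IV_BYTES:]) == xor(p1 + icv(p1), p2 + icv(p2)),
        "recovered": recover_via_iv_reuse(c1, p1, c2),
        "expected_p2": p2,
    }


if __name__ == "__main__":
    print(demo())
    print(f"~{frames_until_iv_collision():.0f} frames for a 50% chance of an IV repeat")
```

The birthday figure (roughly 4,800 frames, well under a minute of traffic on a busy network) is why IV collisions are not a corner case for WEP; the FMS/PTW key-recovery attacks used by tools such as aircrack-ng go further and recover the shared key itself from weak IVs, which this example does not attempt.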
Many laptop computers have wireless cards pre-installed. The ability to enter a network while
mobile has great benefits. However, wireless networking is prone to some security
issues. Crackers have found wireless networks relatively easy to break into, and even use
wireless technology to crack into wired networks. As a result, it's very important that enterprises
define effective wireless security policies that guard against unauthorized access to important
resources. Wireless Intrusion Prevention Systems (WIPS) or Wireless Intrusion Detection
Systems (WIDS) are commonly used to enforce wireless security policies.
The risks to users of wireless technology have increased as the service has become more popular. There were relatively few dangers when wireless technology was first introduced. Crackers had not yet had time to latch on to the new technology and wireless was not commonly found in the work place. However, there are a great number of security risks associated with the current wireless protocols and encryption methods, and in the carelessness and ignorance that exists at the user and corporate IT level. Cracking methods have become much more sophisticated and innovative with wireless. Cracking has also become much easier and more accessible with easy-to-use Windows or Linux-based tools being made available on the web at no charge.
[Figure (the hijacking illustration referenced in the TCP/IP Hijacking section): http://users.atw.hu/exploitation/images/figu157_1_0.jpg]
Some organizations that have no wireless access points installed do not feel that they need to address wireless security concerns. In-Stat MDR and META Group have estimated that 95% of all corporate laptop computers that were planned to be purchased in 2005 were equipped with wireless. Issues can arise in a supposedly non-wireless organization when a wireless laptop is plugged into the corporate network. A cracker could sit out in the parking lot and gather information from it through laptops and other devices such as handhelds, or even break in through this wireless-card-equipped laptop and gain access to the wired network.
WEB SECURITY:-
We have just studied two important areas where security is needed: communications and e-mail. You can think of these as the soup and appetizer. Now it is time for the main course: Web security. The Web is where most of the Trudies (intruders) hang out nowadays and do their dirty work. In the following sections we will look at some of the problems and issues relating to Web security.
Web security can be roughly divided into three parts. First, how are objects and resources named securely? Second, how can secure, authenticated connections be established? Third, what happens when a Web site sends a client a piece of executable code? After looking at some threats, we will examine all these issues.
Threats: - One reads about Web site security problems in the newspaper almost weekly. The situation is really pretty grim. Let us look at a few examples of what has already happened. First, the home pages of numerous organizations have been attacked and replaced by a new home page of the crackers' choosing. (The popular press calls people who break into computers hackers, but many programmers reserve that term for great programmers. We prefer to call these people crackers.) Sites that have been cracked include Yahoo, the U.S. Army, the CIA, NASA, and the New York Times. In most cases, the crackers just put up some funny text and the sites were repaired within a few hours.
Numerous sites have been brought down by denial-of-service attacks, in which the cracker floods the site with traffic, rendering it unable to respond to legitimate queries. Often the attack is mounted from a large number of machines that the cracker has already broken into (DDoS attacks). These attacks are so common that they do not even make the news any more, but they can cost the attacked site thousands of dollars in lost business.
Mobile Code Security: - Naming and connections are two areas of concern related to Web security. But there are more. In the early days, when Web pages were just static HTML files, they did not contain executable code. Now they often contain small programs, including Java applets, ActiveX controls, and JavaScript. Downloading and executing such mobile code is obviously a massive security risk, so various methods have been devised to minimize it. We will now take a quick peek at some of the issues raised by mobile code and some approaches to dealing with it.
ActiveX: - ActiveX controls are native x86 (Pentium) binary programs that can be embedded in Web pages. When one of them is encountered, a check is made to see if it should be executed, and if it passes the test, it is executed. It is not interpreted or sandboxed in any way, so it has as much power as any other user program and can potentially do great harm. Thus, all the security is in the decision whether to run the ActiveX control, which in practice rests on whether the control carries a code signature from a publisher the user trusts.
JavaScript: - JavaScript does not have any formal security model, but it does have a long history of leaky implementations. Each vendor handles security in a different way. For example, Netscape Navigator version 2 used something akin to the Java model, but by version 4 that had been abandoned for a code signing model.
Viruses: - Viruses are another form of mobile code. Only unlike the examples above, viruses are not invited in at all. The difference between a virus and ordinary mobile code is that viruses are written to reproduce themselves. When a virus arrives, either via a Web page, an e-mail attachment, or some other way, it usually starts out by infecting executable programs on the disk.
Other topics are:-
Secure Naming
DNS Spoofing
Secure DNS
SSL - The Secure Sockets Layer
Java Applet Security