TCP IP Hijacking


8/2/2019 TCP IP Hijacking 1/4

TCP/IP Hijacking:-

TCP/IP hijacking, sometimes called active sniffing, involves the attacker gaining access to a host on the network and logically disconnecting it from the network. The attacker then inserts another machine with the same IP address. This happens quickly and gives the attacker access to the session and to all the information on the original system. The server does not know that this has occurred and keeps responding as if the client were still the trusted one.

TCP/IP hijacking is among the most dangerous attacks on a network because the hijacker inherits whatever privileges the victim's session already holds, and with them access to the information on the server. As with a sequence number attack, there is little the transport layer itself can do to counter the threat once an attacker can see the traffic; the practical defence is to run the session over a protocol that authenticates the contents of every segment (SSH, TLS, IPsec), so that injected data fails an integrity check instead of being accepted as the victim's. Fortunately, these attacks require fairly sophisticated software and are harder to engineer than a DoS attack such as a TCP SYN flood.

TCP/IP hijacking is a clever technique that uses spoofed packets to take over a connection between a victim and a host machine. The victim's connection hangs, and the attacker is able to communicate with the host machine as if the attacker were the victim. This technique is exceptionally useful when the victim uses a one-time password to connect to the host machine. A one-time password can be used to authenticate once, and only once, which means that sniffing the authentication is useless for the attacker. In this case, TCP/IP hijacking is an excellent means of attack: the attacker never needs the password, only the already-authenticated connection.

As mentioned earlier in the chapter, during any TCP connection each side maintains a sequence number. As packets are sent back and forth, each side's sequence number advances by the number of data bytes it has sent (the SYN and FIN flags each count as one byte), and each packet also carries an acknowledgement number stating the next byte its sender expects from the peer. A packet whose sequence number does not match what the receiver expects is not passed up to the next layer. The packet is dropped if it repeats sequence numbers that have already been received, or it is held for later reassembly if its sequence numbers lie ahead of the expected one but still inside the receive window. If both sides have incorrect sequence numbers, any communication attempted by either side is not passed up by the corresponding receiving side, even though the connection remains in the established state. This condition is called a desynchronized state, and it causes the connection to hang.

To carry out a TCP/IP hijacking attack, the attacker must be able to see the victim's traffic, which in practice means being on the same network segment as the victim or otherwise on the path. The host machine the victim is communicating with can be anywhere. The first step is for the attacker to use a sniffing technique to sniff the victim's connection, which allows the attacker to watch the sequence numbers of both the victim (system A in the following illustration) and the host machine (system B). Then the attacker sends a spoofed packet from the victim's IP address to the host machine, using the correct sequence number, as shown on the facing page.

The host machine receives the spoofed packet and, believing it came from the victim's machine, advances its count of received bytes and responds to the victim's IP address. Because the victim's machine does not know about the spoofed packet, the host machine's response acknowledges bytes the victim never sent; the victim's TCP treats such an acknowledgement as unacceptable and does not pass the response up to the application. (A real TCP stack does not discard the segment silently: it answers with a bare ACK stating its own view of the numbers, the host does the same in return, and the two legitimate endpoints can bounce empty ACKs back and forth indefinitely. This "ACK storm" is the classic on-the-wire symptom of a hijacked session and is what network intrusion detection looks for.) And because the victim's machine did not accept the host machine's response, the victim's sequence number count now lags behind what the host expects. Therefore any packet the victim tries to send to the host machine will carry a sequence number the host has already moved past, causing the host machine to discard the packet as a duplicate.


The attacker has forced the victim's connection with the host machine into a desynchronized state. And because the attacker sent out the first spoofed packet that caused all this chaos, the attacker can keep track of the sequence numbers and continue spoofing packets from the victim's IP address to the host machine. This lets the attacker continue communicating with the host machine while the victim's connection hangs.
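The exchange just described, as an added example that is not part of the original text or of the book it quotes: a small Python model of two TCP endpoints' send and receive sequence numbers, with an attacker who has sniffed those numbers injecting one forged segment. Endpoint names, initial sequence numbers and payloads are made up for the demonstration. The acceptance rules follow RFC 793 (an ACK for bytes never sent is rejected, data ahead of the expected byte is held back, data already received is dropped) but are simplified to ignore trimming of partially overlapping segments.

```python
"""Added example (not part of the original text): a toy model of TCP
sequence/acknowledgement bookkeeping, used to show how one spoofed segment
desynchronizes a connection.  Names, numbers and payloads are constructed."""
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str            # claimed sender; this is the field the attacker forges
    seq: int            # sequence number of the first payload byte
    ack: int            # next byte the sender expects from its peer
    payload: bytes = b""


@dataclass
class Endpoint:
    name: str
    snd_nxt: int                                   # next sequence number to send
    rcv_nxt: int                                   # next sequence number expected
    rcv_wnd: int = 65535
    delivered: bytes = b""                         # data handed to the application
    reorder: dict = field(default_factory=dict)    # out-of-order data held back

    def send(self, payload: bytes) -> Segment:
        seg = Segment(self.name, self.snd_nxt, self.rcv_nxt, payload)
        self.snd_nxt += len(payload)
        return seg

    def receive(self, seg: Segment) -> str:
        """Classify an incoming segment the way a stack would (no overlap trimming)."""
        if seg.ack > self.snd_nxt:
            # Acknowledges bytes we never sent.  A real stack drops it and
            # answers with a bare ACK; the payload is never handed up.
            return "bad-ack"
        if seg.seq == self.rcv_nxt:
            self.delivered += seg.payload
            self.rcv_nxt += len(seg.payload)
            while self.rcv_nxt in self.reorder:          # drain buffered data
                data = self.reorder.pop(self.rcv_nxt)
                self.delivered += data
                self.rcv_nxt += len(data)
            return "accept"
        if self.rcv_nxt < seg.seq < self.rcv_nxt + self.rcv_wnd:
            self.reorder[seg.seq] = seg.payload           # ahead: hold for later
            return "future"
        return "old"                                      # already seen: dropped


def run_hijack():
    """Victim A talks to host B; attacker M sniffs, then injects as A."""
    a = Endpoint("A", snd_nxt=1000, rcv_nxt=5000)
    b = Endpoint("B", snd_nxt=5000, rcv_nxt=1000)
    log = []
    # Normal exchange.  M, sniffing the segments, sees both sides' numbers.
    log.append(("A->B", b.receive(a.send(b"ls\n"))))
    log.append(("B->A", a.receive(b.send(b"notes.txt\n"))))
    sniffed_seq, sniffed_ack = a.snd_nxt, a.rcv_nxt
    # M forges a segment from A's address carrying exactly what B expects.
    spoof = Segment("A", sniffed_seq, sniffed_ack, b"cat secret.txt\n")
    log.append(("M(as A)->B", b.receive(spoof)))
    # B answers A.  Its ACK covers bytes A never sent, so A rejects it.
    log.append(("B->A", a.receive(b.send(b"s3cret\n"))))
    # A's own next segment now looks stale to B and is discarded.
    log.append(("A->B", b.receive(a.send(b"pwd\n"))))
    # M keeps talking to B with B's current numbers; A is stuck.
    spoof = Segment("A", b.rcv_nxt, b.snd_nxt, b"id\n")
    log.append(("M(as A)->B", b.receive(spoof)))
    return a, b, log


def ack_storm(a: Endpoint, b: Endpoint, rounds: int = 10) -> int:
    """Once desynchronized, each side answers the other's unacceptable
    segment with a bare ACK stating its own numbers; neither ever advances,
    so it only stops when a packet is lost.  Returns the number of empty
    ACKs exchanged in `rounds` round trips."""
    count = 0
    seg = a.send(b"")
    for _ in range(rounds):
        if b.receive(seg) == "accept":
            return count                  # would mean they resynchronized
        count += 1
        seg = b.send(b"")
        if a.receive(seg) == "accept":
            return count
        count += 1
        seg = a.send(b"")
    return count


if __name__ == "__main__":
    a, b, log = run_hijack()
    for who, verdict in log:
        print(f"{who:12} {verdict}")
    print("B's application saw:", b.delivered)
    print("A's application saw:", a.delivered)
    print("bare ACKs in 10 round trips:", ack_storm(a, b))
```

Running it shows the single spoofed segment flipping B's verdict on A's next real segment from "accept" to "old" and A's verdict on B's reply to "bad-ack", while B's application keeps receiving the attacker's commands. The `ack_storm` count is the signal a network IDS alerts on: two hosts trading payload-less ACKs at a high rate with neither side's sequence number moving.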

Wireless Security:-

Wireless security is the prevention of unauthorized access or damage to computers using wireless networks. The most common types of wireless security are Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is one of the least secure forms of security: a network secured with WEP has been cracked in 3 minutes in a public FBI demonstration. WEP is an old part of the IEEE 802.11 standard, dating from 1997, which was superseded in 2003 by WPA, or Wi-Fi Protected Access. WPA was a quick alternative for those wishing to get away from the problematic WEP security, and it was followed in 2004 by WPA2 (IEEE 802.11i). Some pieces of hardware cannot support WPA2 without being replaced or having their firmware upgraded. WPA2 encrypts traffic with AES in CCMP mode; in WPA2-Personal the 256-bit pairwise master key is derived from the passphrase and the SSID with PBKDF2, so that key is only as strong as the passphrase behind it. This adds a great deal of security over what WEP gives the wireless network.
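As an added example that is not part of the original text, here is the derivation behind the "256-bit key" and why it does not rescue a weak passphrase. The key derivation is the one IEEE 802.11i specifies for WPA2-Personal (PBKDF2-HMAC-SHA1, 4096 rounds, 32-byte output); the SSID, passphrase and wordlist are constructed for the demonstration, and the direct PMK comparison stands in for the handshake-MIC check a real cracking tool performs.

```python
"""Added example (not from the original text): WPA2-Personal key derivation
per IEEE 802.11i and an offline dictionary attack against it.  The SSID,
passphrase and wordlist below are constructed for the demonstration."""
import hashlib
from typing import Iterable, Optional


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds),
    32 bytes, i.e. the 256-bit key.  802.11i requires an 8..63 character
    passphrase; the 4096 rounds are the only thing slowing an attacker down."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def crack_pmk(target_pmk: bytes, ssid: str, wordlist: Iterable[str]) -> Optional[str]:
    """Recompute the PMK for each candidate and compare.  A real tool checks
    each candidate against the MIC of a captured 4-way handshake instead of
    a raw PMK, but the cost per guess is the same single PBKDF2 call, and
    the SSID is only a salt, so precomputed tables exist for common SSIDs."""
    for word in wordlist:
        if not 8 <= len(word) <= 63:
            continue                                  # cannot be a valid passphrase
        if wpa2_pmk(word, ssid) == target_pmk:
            return word
    return None


# Constructed scenario: default-looking SSID, passphrase taken from a leaked list.
SSID = "HomeNet"
CAPTURED_PMK = wpa2_pmk("sunshine1", SSID)
WORDLIST = ["letmein", "password", "qwerty123", "sunshine1", "correct horse battery"]

if __name__ == "__main__":
    print("802.11i test vector PMK:", wpa2_pmk("password", "IEEE").hex())
    print("recovered passphrase   :", crack_pmk(CAPTURED_PMK, SSID, WORDLIST))
```

The first print line reproduces the published 802.11i test vector (passphrase "password", SSID "IEEE"), which is how to check any PBKDF2 implementation before trusting it. The second shows the point of the paragraph: a full-strength 256-bit PMK falls to a five-word list in well under a second because the passphrase, not the key length, is the secret.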

Many laptop computers have wireless cards pre-installed. The ability to enter a network while mobile has great benefits. However, wireless networking is prone to some security issues. Crackers have found wireless networks relatively easy to break into, and even use wireless technology to crack into wired networks. As a result, it is very important that enterprises define effective wireless security policies that guard against unauthorized access to important resources. Wireless Intrusion Prevention Systems (WIPS) or Wireless Intrusion Detection Systems (WIDS) are commonly used to enforce wireless security policies.

The risks to users of wireless technology have increased as the service has become more popular. There were relatively few dangers when wireless technology was first introduced. Crackers had not yet had time to latch on to the new technology, and wireless was not commonly found in the workplace. However, there are a great number of security risks associated with the current wireless protocols and encryption methods, and in the carelessness and ignorance that exists at the user and corporate IT level. Cracking methods have become much more sophisticated and innovative with wireless. Cracking has also become much easier and more accessible, with easy-to-use Windows or Linux-based tools being made available on the web at no charge.

[Figure: http://users.atw.hu/exploitation/images/figu157_1_0.jpg]

Some organizations that have no wireless access points installed do not feel that they need to address wireless security concerns. In-Stat MDR and META Group have estimated that 95% of all corporate laptop computers that were planned to be purchased in 2005 were equipped with wireless. Issues can arise in a supposedly non-wireless organization when a wireless laptop is plugged into the corporate network. A cracker could sit out in the parking lot and gather information from it through laptops and/or other devices such as handhelds, or even break in through this wireless-card-equipped laptop and gain access to the wired network.

WEB SECURITY:-

We have just studied two important areas where security is needed: communications and e-mail. You can think of these as the soup and appetizer. Now it is time for the main course: Web security. The Web is where most of the Trudies hang out nowadays and do their dirty work. In the following sections we will look at some of the problems and issues relating to Web security.

Web security can be roughly divided into three parts. First, how are objects and resources named securely? Second, how can secure, authenticated connections be established? Third, what happens when a Web site sends a client a piece of executable code? After looking at some threats, we will examine all these issues.

Threats:- One reads about Web site security problems in the newspaper almost weekly. The situation is really pretty grim. Let us look at a few examples of what has already happened. First, the home page of numerous organizations has been attacked and replaced by a new home page of the crackers' choosing. (The popular press calls people who break into computers hackers, but many programmers reserve that term for great programmers. We prefer to call these people crackers.) Sites that have been cracked include Yahoo, the U.S. Army, the CIA, NASA, and the New York Times. In most cases, the crackers just put up some funny text and the sites were repaired within a few hours.

Numerous sites have been brought down by denial-of-service attacks, in which the cracker floods the site with traffic, rendering it unable to respond to legitimate queries. Often the attack is mounted from a large number of machines that the cracker has already broken into (DDoS attacks). These attacks are so common that they do not even make the news any more, but they can cost the attacked site thousands of dollars in lost business.

Mobile Code Security:- Naming and connections are two areas of concern related to Web security. But there are more. In the early days, when Web pages were just static HTML files, they did not contain executable code. Now they often contain small programs, including Java applets, ActiveX controls, and JavaScript. Downloading and executing such mobile code is obviously a massive security risk, so various methods have been devised to minimize it. We will now take a quick peek at some of the issues raised by mobile code and some approaches to dealing with it.


ActiveX:- ActiveX controls are native x86 (Pentium) binary programs that can be embedded in Web pages. When one of them is encountered, a check is made to see if it should be executed (in practice, whether it carries a code signature the browser has been told to trust), and if it passes the test, it is executed. It is not interpreted or sandboxed in any way, so it has as much power as any other user program and can potentially do great harm. Thus, all the security is in the decision whether to run the ActiveX control.

JavaScript:- JavaScript does not have any formal security model, but it does have a long history of leaky implementations. Each vendor handles security in a different way. For example, Netscape Navigator version 2 used something akin to the Java model, but by version 4 that had been abandoned for a code signing model. (Today's browsers all enforce the same-origin policy on scripts and run them inside a sandboxed renderer process, but the pattern of vendor-specific, bug-prone enforcement has not gone away.)

Viruses:- Viruses are another form of mobile code. But unlike the examples above, viruses are not invited in at all. The difference between a virus and ordinary mobile code is that viruses are written to reproduce themselves. When a virus arrives, whether via a Web page, an e-mail attachment, or some other way, it usually starts out by infecting executable programs on the disk.

Other topics in this area are:-

Secure Naming

DNS Spoofing

Secure DNS

SSL, the Secure Sockets Layer

Java Applet Security