|=-----------------------------------------------------------------------=| |=------------=[ T C P S e s s i o n H i j a c k i n g ]=------------=| |=-----------------------------------------------------------------------=| |=-----------------------=[ by Cheese ]=-----------------------=| |=-----------------------=[ cheese[at]mymail.ch ]=-----------------------=| |=-----------------------=[ http://myCheese.org ]=-----------------------=| |=-----------------------------------------------------------------------=| ---=[ Contents [0x01] - Intro [0x02] - Theory [0x02a] - TCP Sessions [0x02b] - Man-in-the-Middle [0x02c] - Session Hijack [0x03] - Practice [0x03a] - Tools [0x03b] - Scenario [0x03c] - Attack [0x04] - Outro ---=[ 0x01 - Intro Hi guys, in this paper I want to introduce you to the theoretical and practical aspects of attacking TCP sessions. We will aim to hijack a client-server connection, so we are able to bypass password authentications which are normally done at the start of a session. ---=[ 0x02 - Theory -------=[ 0x02a - TCP sessions At the establishment of a TCP session the client starts by sending a SYN-packet (SYN=synchronize) with an sequence number. This number is used to assure the transmission of packets in a chronological order. It is increased by one with each packet. The both sides of the connection wait for an packet with a specified sequence number. The first seq-number for both directions is random. The server responds with an SYN/ACK packet (ACK-acknowledgment) which contains the seq-number of the client+1 and also a own start seq-number. The client confirm everything with an ACK packet including the seq-number of the server+1, after that the session is established. +---+ syn seq=x +---+ | C | -------------------> | S | | L | | E | | I | syn ack=x+1 seq=y | R | | E | <-------------------- | V | | N | | E | | T | ack=y+1 seq=x+1 | R | +---+ --------------------> +---+ To hijack a session it is required to send a packet with a right seq-number, otherwise they are dropped. You have two options to get the right seq-number. Option A: You try to guess the right number. It is made up of 32bit so you _just_ have 4294967296 possibilities, good luck! Option B: You sniff the existing connection, this works at networks which use Hub's without problems, but to do this at a switched network you have one way: Man-in-the-Middle! -------=[ 0x02b - Man-in-the-Middle To get Man-in-the-Middle we use ARP Poison Routing. ARP (address resolution protocol) binds MAC addresses to IP addresses to make a data transfer on Ethernet possible. You should read up about this protocol if you do not know much about it. In order to sniff the connection between two hosts the attacker sends a manipulated ARP packet to one of the hosts which contains the IP of the second host and the MAC of the attacker. So this host sends every packet that is meant for the second host to the attacker. The same is done with the other host, the attacker himself just forwards the packets, so he acts as an invisible intermediary, as Man-in-the-Middle. +------+ +------+ |HOST-A| -------------------SWITCH------------------ |HOST-B| +------+ ................. | ................. +------+ : | : : | : : | : : | : +--------+ Hello [A], I am [B] > |ATTACKER| < Hello [B], I am [A] +--------+ -------=[ 0x02c - Session Hijack Vulnerable to hijacking is every unencrypted connection. We start with the Man-in-the-Middle attack between the victim and the server, if the server is in another subnet we attack the gateway instead of the server. If everything is successful we are able to observe every single packet with a sniffer. To hijack the session we wait for a packet and use the infos from it: source IP, destination IP, source port, destination port, and the sequence number. With this data we create a own packet and send it instantly to the server. The server accepts it and increases the expected seq-number for the next one. As soon the next packet from the real client arrives the server drops it as outdated, so the client is desynchronized and loses the connection. ---=[ 0x03 - Practice -------=[ 0x03a - Tools There are many programs which do the complete thing by itself (Hunt, Juggernaut, T-Sight), but I got some problems with some of them. For the Man-in-the-Middle attack I will use the well known program "Ettercap". "Wireshark" does the sniffing for me and the hijack is done with "Shijack", everything of course on a Linux/GNU box. Shijack: http://packetstormsecurity.org/sniffers/shijack.tgz -------=[ 0x03b - Scenario We aim to hijack a telnet session between a client and a server. Network: +--------+ +--------+ | SERVER | <.......T..E..L..N..E..T......> | CLIENT | |10.0.0.1| --------------+ +--------------|10.0.0.2| +--------+ | | +--------+ | | +------+ |SWITCH| +------+ | | +--------+ |ATTACKER| |10.0.0.3| +--------+ -------=[ 0x03c - Attack As I said in the beginning we start with the MitM attack. We will use ettercap to do it. Ettercap is started in the GTK mod and we activate "Unified sniffing" in the sniff menu. Choose your network interface and we continue with a click at "Scan for hosts" at the hosts menu. After the scan is finished we display the hosts with "Host list" in the same menu. 10.0.0.1 -> Add to Target 1 10.0.0.2 -> Add to Target 2 Press "Start sniffing" at the start menu and "Arp poisoning" at the Mitm menu. Next we start a sniffer, "Wireshark" in my case. There we click "List the available capture interfaces..." and get a list of our interfaces, choose the right one and the sniffing starts. Wait for any packet of the telnet connection, as soon as we get one we click it and see the required informations. For example: Source IP 10.0.0.2 Destination IP 10.0.0.1 Source Port 53517 Destination Port 23 Now we are finally at the hijack, I will use "Shijack" for it. If you got problems compiling you can use the binaries which are included. # #cheese:/home/cheese/hijack# ./shijack #Usage: ./shijack [-r] # The interface you are going to hijack on. # The source ip of the connection. # The source port of the connection. # The destination IP of the connection. # The destination port of the connection. #[-r] Reset the connection rather than hijacking it. # OK thats simple. # #cheese:/home/cheese/hijack# ./shijack eth0 10.0.0.2 53517 10.0.0.1 23 # Attack!!!! # #Waiting for SEQ/ACK to arrive from the srcip to the dstip. #(To speed things up, try making some traffic between the two) # The tool runs and waits for another packet to get an working seq-number. As soon as it get something it will hijack the connection automatically. # #Got packet! SEQ = 0xad6e5b8e ACK = 0x5ebaf20d #Starting hijack session, Please use ^C to terminate. #Anything you enter from now on is sent to the hijacked TCP connection. # Hijack successful! Now we are able to send everything we want through the session to the server. ---=[ 0x04 - Outro Every unencrypted session is vulnerable to TCP-session-hijacks, although it is mostly more simple to sniff the password directly. But I think it is a really dangerous technique since one-time-password like TAN or security token are also vulnerable. I really hope you like my little paper. -Thx for reading- Written by : Cheese Visit : myCheese.org : Back2Hack.cc : Core.am Shout-Outs to : Asmo, BuntspechT, der_Dude, double_check, easysurfer, : gunner, kingfinn, nonverbal, pHySSiX, PsTo, TheBotnetGuy, Ultimate : Plus everyone else who knows me