CEHv8 module 11 session hijacking

Session Hijacking
Module 11
Exam 312-50 Certified Ethical Hacker
Ethical Hacking and Countermeasures v8
Module 11: Session Hijacking

Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 11 Page 1504
Security News

Julia Gillard the Target of Abuse on Facebook after Trolls Hijack Live Chat

Source: http://www.theaustralian.com.au
Vile and abusive comments continue to flood Prime Minister Julia Gillard's Facebook page almost 24 hours after her online question and answer session was hijacked by trolls.

Ms. Gillard's media adviser John McTernan yesterday said the PM's Facebook page was moderated by staff, and offensive posts were removed.

However, a comment comparing the PM to a dog has been visible on the page since Sunday, while another abusing her for being "unmarried and childless and husbandless" has been allowed to remain on the page all morning.

Several comments calling Ms Gillard a "liar" dating back to Friday night also remain on the page, while another comment left last night calls Ms Gillard "scum" and "a disgrace to the country."

Other comments attacking her character are also still there.
The torrent of abuse follows the hijacking of Ms Gillard's live online education question and answer session yesterday, when foul-mouthed critics posted abusive rants and offensive messages.

Most of the offensive comments were too foul to be reported.

One commenter, registered as "Matthew Van Den Bos" of Perth, even made reference to Ms Gillard's recently deceased father John Gillard, writing: "How's your dad?"

Many of those messages were incredibly still visible on the page up to four hours later, as were other offensive comments posted as far back as Friday.

Mr. McTernan would not say how many people moderated the PM's Facebook page, which has more than 135,000 fans, or if there were any official guidelines for the maximum amount of time offensive posts should remain visible.

"The Prime Minister's Facebook site is moderated, but when comments are posted you have to do it after the fact, and when there's a lot of comments it takes time to moderate them out," he said yesterday.

"We do take things off which are offensive. Anything that's offensive that's been posted on there will be moderated out, but we don't have the capacity - with Facebook you can't filter comments before they're posted, that's all."

Other commenters called Ms. Gillard "the worst Prime Minister ever," and made other vile remarks.

Ms. Gillard drew even more abuse after the Q&A session when she posted a thank you note to those who had participated.

A Friday post by Ms. Gillard's Facebook page asking for fans' memories of their favourite school teacher was also bombarded by trolls abusing the Prime Minister.

Some of the offensive comments appeared to have been removed from the page after inquiries by News Ltd.

Copyright 2013 News Limited
By Petra Starke
http://www.news.com.au/national/live-online-chat-with-julia-gillard-turns-nasty/story-fndo4eg9-1226490891092

Module Objectives
This module covers the various hacking technologies used for session hijacking. It deals with spoofing methods, the three-way TCP handshake, and how attackers use these methods for man-in-the-middle attacks. Various tools that can be used for this purpose have been highlighted to provide you an insight into the workings of session hijacking. Finally, countermeasures to prevent session hijacking are discussed.

This module will familiarize you with:

• What Is Session Hijacking?
• Session Sniffing
• Why Session Hijacking Is Successful
• Man-in-the-Middle Attacks
• Key Session Hijacking Techniques
• Cross-site Script Attacks
• Brute Forcing Attack
• Network-level Session Hijacking
• Session Hijacking Process
• TCP/IP Hijacking
• Types of Session Hijacking
• Session Hijacking Tools
• Application-level Session Hijacking
• Protecting against Session Hijacking
• IPsec Architecture
• Session Hijacking Pen Testing
Module Flow

In order to understand session hijacking and how attackers use this method for hacking, you should be familiar with the basic concepts of session hijacking. The module is organized into the following sections:

• Session Hijacking Concepts
• Application Level Session Hijacking
• Network Level Session Hijacking
• Session Hijacking Tools
• Countermeasures
• Penetration Testing

This section highlights session hijacking and the dangers posed by it, techniques used for session hijacking, spoofing vs. hijacking, the session hijacking process, types of session hijacking, and session hijacking in the OSI model.

What Is Session Hijacking?

• Session hijacking refers to the exploitation of a valid computer session where an attacker takes over a session between two computers
• The attacker steals a valid session ID which is used to get into the system and snoop the data
• Since most authentication only occurs at the start of a TCP session, this allows the attacker to gain access to a machine
• In TCP session hijacking, an attacker takes over a TCP session between two machines
Session hijacking refers to the exploitation of a valid computer session where an attacker takes over a session between two computers. The attacker steals a valid session ID that is used to get into the system and extract the data. TCP session hijacking means taking control over a TCP session exchanged between two computers. It is carried out through source-routed IP packets. An attacker who is logged on to a system can participate in the conversation of other users on other systems by diverting packets to his or her system. Blind hijacking is another method, in which the attacker cannot see the responses and has to assume what the system sends back. The man-in-the-middle (MITM) attack is another method, in which a sniffer is used to track down a conversation between two users. Denial-of-service (DoS) is executed so that a system crashes, which leads to a greater loss of packets.

Steps in session hijacking:

• Tracking the connection
• Desynchronizing the connection
• Injecting the attacker's packet
FIGURE 11.1: Illustrating the process of session hijacking
Dangers Posed by Hijacking
Hijacking is simple to launch. Most computers using TCP/IP are vulnerable to session hijacking. You can do little to protect against it unless you switch to another secure protocol. Most countermeasures do not work unless you use encryption. Identity theft, information loss, fraud, etc. are the major dangers posed by hijacking.

The following are the elements susceptible to hijacking:

One-time Passwords (smartcards, S/Key, challenge response)

All one-time password schemes are vulnerable to connection hijacking. Once the user/service has authenticated itself, his or her connection can be taken over. According to www.webopedia.com, "S/key is a one-time, challenge-response password scheme used to authenticate access to data. The purpose of S/key is to eliminate the need for the same password to be conveyed over a network each time a password is needed for access."

Kerberos

Encryption is not enabled by default; due to this, security is of major concern, as it is equivalent to the one-time password scheme, which is susceptible to hijacking with ease.

Source Address Filtering Router

A network is susceptible to network address spoof attacks if its security depends on filtering the packets from unknown sources. An unknown host could insert itself, midstream, into a pre-existing connection.

Source Address Controlled Proxies

• Many proxies control access to certain commands based on the source address of the requestor. The source address is easily vulnerable to passive or active sniffers.
• No easy steps have yet been found that can secure a network from passive or active sniffing. By becoming aware of the existence of this threat, you will be better prepared to make intelligent security decisions for your network.
Why Session Hijacking Is Successful

Session hijacking is successful because of the following factors:
• Weak Session ID Generation Algorithm: Most websites are currently using linear algorithms based on easily predictable variables such as time or IP address for generating session IDs. By studying the sequential pattern and generating many requests, the attacker can easily narrow the search space necessary to produce a valid session ID.

• Indefinite Session Expiration Time: Session IDs that have an indefinite expiration time allow an attacker unlimited time to guess a valid session ID. An example of this is the "remember me" option on many websites. The attacker can use static session IDs to gain access to the user's web account if the cookie file of a user is captured. The attacker can also perform session hijacking if the attacker is able to break into a proxy server, which potentially logs or caches the session IDs.

• Clear Text Transmission: The session ID could easily be sniffed across a flat network if SSL is not being used while the session ID cookie is transmitted to and from the browser. In this case, SSL cannot protect the information. An attacker's job becomes even easier if the session IDs contain the actual logon information in the string and are captured.
• Small Session IDs: Though a cryptographically strong algorithm is used, an active session ID can be determined easily if the length of the string is small.

• Insecure Handling: An attacker can retrieve the stored session ID information by misleading the user's browser into visiting another site. Then the attacker can exploit the information before the session expires. This can be accomplished in many ways, such as DNS poisoning, cross-site scripting exploitation, or by exploiting a bug in the browser.

• No Account Lockout for Invalid Session IDs: If the website has no form of account lockout, the attacker can make any number of attempts with varying session IDs embedded in a genuine URL. An attacker can continue his or her attempts until the actual session ID is determined. This is usually called brute forcing the session IDs. During the session ID brute force attack, the web server will not pop up any warning message or complaint. Thus, an attacker can determine the original session ID.

All the above-mentioned factors play an important role in the success of session hijacking.
Key Session Hijacking Techniques

Session hijacking has been an ongoing problem for web browser developers and security experts. There are three key methods used to perform a session hijack attack:

Brute Forcing

Brute forcing session IDs involves making thousands of requests using all the available session IDs until the attacker succeeds. This technique is comprehensive but a time-consuming process.

Stealing

The attacker uses various techniques to steal session IDs. The techniques may be installing Trojans on client PCs, sniffing network traffic, using the HTTP referrer header, and cross-site scripting attacks.

Calculating

Using non-randomly generated IDs, an attacker tries to calculate the session IDs. The number of attempts that need to be carried out for retrieving the session ID of the user or client depends on the key space of session IDs. Therefore, the probability of success of this type of attack can be calculated based on the size and key space of session IDs.
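The key-space reasoning in the Calculating paragraph above, together with the weak-generator and small-ID factors listed under Why Session Hijacking Is Successful, worked through as an added example (not code from the CEH module): a time-based generator next to a CSPRNG-based one, and the expected number of guesses each key space implies. The 128-bit threshold and the one-hour login window are assumptions.

```python
"""Added example (not from the CEH module): contrast a weak, time-based session ID
generator with a CSPRNG-based one, and estimate the brute-force cost implied by
each key space. All names here are illustrative, not any real product's API."""
import math
import secrets


def weak_session_id(epoch_seconds: int, per_second_counter: int) -> str:
    """A "linear algorithm based on easily predictable variables": the ID is just
    the issue time plus a small counter. It looks like a 13-digit token, but the
    effective key space is the login-time window times the counter range."""
    return f"{epoch_seconds:010d}{per_second_counter:03d}"


def weak_keyspace(window_seconds: int, max_counter: int) -> int:
    """Number of candidate IDs when the victim's login time is known to within
    `window_seconds` and the per-second counter is at most `max_counter`."""
    return window_seconds * (max_counter + 1)


def strong_session_id(nbytes: int = 16) -> str:
    """128 bits (by default) from the OS CSPRNG, hex-encoded; no relationship to
    time, IP address or user data, so nothing outside the server narrows it."""
    return secrets.token_hex(nbytes)


def max_entropy_bits(session_id: str, alphabet_size: int) -> float:
    """Upper bound on the entropy an ID *could* carry given its length and
    alphabet. A short ID caps entropy no matter how good the RNG is ("Small
    Session IDs"); a long ID from a weak generator can sit far below this bound."""
    return len(session_id) * math.log2(alphabet_size)


def expected_guesses(keyspace_size: int, active_sessions: int = 1) -> float:
    """Expected number of distinct guesses before hitting any one of
    `active_sessions` valid IDs drawn uniformly from `keyspace_size`
    (guessing without replacement: (N + 1) / (n + 1)). With no lockout this is
    the attacker's whole cost, so the defence is making N enormous."""
    if active_sessions < 1 or keyspace_size < active_sessions:
        raise ValueError("need 1 <= active_sessions <= keyspace_size")
    return (keyspace_size + 1) / (active_sessions + 1)


def acceptable(keyspace_bits: float, minimum_bits: float = 128.0) -> bool:
    """Policy check used here (assumed threshold, not from the page): treat
    fewer than 128 bits of effective key space as brute-forceable."""
    return keyspace_bits >= minimum_bits


def assess(window_seconds: int = 3600, max_counter: int = 999) -> dict:
    """Compare both schemes for a victim known to have logged in within the
    last hour (constructed scenario)."""
    weak_n = weak_keyspace(window_seconds, max_counter)
    strong_bits = 128.0
    return {
        "weak_effective_bits": math.log2(weak_n),
        "weak_expected_guesses": expected_guesses(weak_n),
        "weak_acceptable": acceptable(math.log2(weak_n)),
        "strong_bits": strong_bits,
        "strong_expected_guesses": expected_guesses(2 ** 128),
        "strong_acceptable": acceptable(strong_bits),
    }


if __name__ == "__main__":
    print("weak   :", weak_session_id(1700000000, 7))
    print("strong :", strong_session_id())
    for k, v in assess().items():
        print(f"{k:>24}: {v:,.1f}" if isinstance(v, float) else f"{k:>24}: {v}")
```

Note that `max_entropy_bits` of the weak 13-digit ID is about 43 bits, yet `assess` shows its effective key space is under 22 bits: length says nothing about how much of the space the generator actually uses.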
Brute Forcing

A brute force attack is mostly used by attackers to guess the target's session ID to launch the attack. In this technique, an attacker tries multiple possibilities of patterns until a session ID works and succeeds. This technique is used when the algorithm that produces session IDs is not random. For example, in the list of URLs in Figure 11.2, an attacker is trying to guess the session ID.

Using a "referrer attack," an attacker tries to lure a user to click on a link to another site (mysite link, for example, www.mysite.com). For example:

    GET /index.html HTTP/1.0
    Host: www.mysite.com
    Referer: www.mywebmail.com/viewmsg.asp?msgid=689645&SID=2556X54VA75

The attacker obtains the session ID of the user when the browser sends the referrer URL that contains the session ID of the user to the attacker's site (www.mysite.com).

Some of the techniques used to steal session IDs are:

• Using the HTTP referrer header
• Sniffing the network traffic
• Using cross-site scripting attacks
• Sending Trojans on client PCs
Brute Forcing Attack

The attacker can obtain a session ID using the brute force method to access the legitimate target's session while the session is active. In a "referrer" attack, the attacker invites a user to click on a link to another site. In brute force attacks, the attacker can try many IDs. For example, take a look at the following figure with a list of URLs, in which an attacker is trying to guess the session ID:

http://www.mysite.com/view/VW30422101518909
http://www.mysite.com/view/VW30422101520803
http://www.mysite.com/view/VW30422101522507

FIGURE 11.2: Attacker performing brute force attack

As this technique involves guessing the session ID and attempting to hijack the session, it is only practical when the possible range of values for the session ID is limited.

Note: A session ID brute forcing attack is known as a session prediction attack if the predicted range of values for a session ID is very small.
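A defensive counterpart to the brute force attack described above, added here and not part of the CEH module: a server-side guard that counts invalid session IDs per client and locks the client out, giving the web server the warning it otherwise never raises. Class and method names are illustrative, and the live session ID is constructed in the page's VW... format.

```python
"""Added example (not from the CEH module): a guard that counts invalid
session-ID presentations per client and refuses further attempts once a
threshold is hit. In-memory and single-process; names are illustrative."""
import hmac
import time
from collections import defaultdict, deque


class SessionBruteForceGuard:
    """Sliding-window counter of invalid session-ID presentations per client key
    (for example the source IP), with a temporary lockout once the limit is hit."""

    def __init__(self, max_invalid: int = 5, window_seconds: float = 60.0,
                 lockout_seconds: float = 300.0):
        self.max_invalid = max_invalid
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)   # client -> timestamps of failures
        self._locked_until = {}               # client -> unlock time

    def _prune(self, client: str, now: float) -> None:
        q = self._failures[client]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, client: str, now: float) -> bool:
        until = self._locked_until.get(client)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[client]
            self._failures[client].clear()
            return False
        return True

    def check(self, client: str, presented_sid: str, valid_sids, now=None) -> str:
        """Returns 'ok', 'invalid' or 'locked'. Only a guess that matches no live
        session counts as a failure; a valid ID resets the client's counter."""
        now = time.monotonic() if now is None else now
        if self.is_locked(client, now):
            return "locked"
        # Compare against every live ID in constant time so that response timing
        # does not reveal a partial match or which ID matched.
        matched = False
        for sid in valid_sids:
            if hmac.compare_digest(sid.encode(), presented_sid.encode()):
                matched = True
        if matched:
            self._failures[client].clear()
            return "ok"
        self._prune(client, now)
        self._failures[client].append(now)
        if len(self._failures[client]) >= self.max_invalid:
            self._locked_until[client] = now + self.lockout
            return "locked"
        return "invalid"


def simulate(guard: SessionBruteForceGuard, client: str, guesses, valid,
             start: float = 0.0, step: float = 0.5) -> list:
    """Feed a constructed sequence of guesses (one every `step` seconds) and
    return the verdict for each; used by the demo below and the test."""
    return [guard.check(client, g, valid, now=start + i * step)
            for i, g in enumerate(guesses)]


if __name__ == "__main__":
    valid_ids = {"VW30422101522507"}                                  # constructed live session
    guesses = [f"VW304221015{n:05d}" for n in range(18909, 18916)]    # sequential guesses
    print(simulate(SessionBruteForceGuard(), "203.0.113.7", guesses, valid_ids))
```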
HTTP Referrer Attack

Tracking HTTP referrers can be effective for generating attacks if the parameters are being passed through a GET request. When making any HTTP request, most web browsers are configured to send the original URL in the HTTP header called a referrer (spelled Referer on the wire).

In a referrer attack, the attacker lures the victim to click on a link to a site that is under the attacker's control. Let us consider the attacker's site as a mysite link, for example, www.mysite.com.

    GET /index.html HTTP/1.0
    Host: www.mysite.com
    Referer: www.mywebmail.com/viewmsg.asp?msgid=689645&SID=2556X54VA75

The victim's browser then sends the referrer URL containing the session ID to the attacker's site, i.e., www.mysite.com. As the site is under the attacker's control, he or she can easily determine the session ID from the referrer URL. Once the attacker determines the session ID, he or she can easily take over the session and steal the sensitive data of the victim.

Some of the techniques used to steal session IDs:

• Using the HTTP referrer header
• Sniffing the network traffic
• Using cross-site scripting attacks
• Sending Trojans on client PCs
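Detection logic for the referrer leak described above, added here and not from the CEH module: it parses combined-format access logs (constructed lines, one carrying the page's example Referer) and flags session parameters both in a server's own request URLs and in inbound referers from other sites. The parameter-name list and the Referrer-Policy helper are assumptions.

```python
"""Added example (not from the CEH module): scan web-server access logs for
session identifiers carried in URLs, which is what makes them leak through the
Referer header on any outbound click. Log lines are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names commonly used to carry a session token in a URL (not exhaustive).
SESSION_PARAMS = {"sid", "sessionid", "session_id", "phpsessid", "jsessionid", "token"}

# Apache/nginx "combined" format: client ident user [time] "request" status bytes "referer" "agent"
_COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def _with_scheme(url: str) -> str:
    """The page's example Referer omits the scheme; urlsplit needs one."""
    return url if "//" in url else "http://" + url


def session_params_in_url(url: str) -> dict:
    """Return {param: value} for any session-like query parameter, plus a
    ';jsessionid=' path-matrix parameter if present. Empty dict means clean."""
    parts = urlsplit(_with_scheme(url))
    found = {k: v for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() in SESSION_PARAMS}
    m = re.search(r";jsessionid=([^;?/]+)", parts.path, re.IGNORECASE)
    if m:
        found["jsessionid"] = m.group(1)
    return found


def scan_access_log(lines) -> list:
    """'own_url': this server put a session ID in a URL, so it leaks to every
    site linked from that page. 'inbound_referer': another site leaked one of
    its users' session IDs to us, exactly the exchange the page describes."""
    findings = []
    for line in lines:
        m = _COMBINED.match(line.strip())
        if not m:
            continue
        own = session_params_in_url(m["path"])
        if own:
            findings.append({"kind": "own_url", "client": m["client"],
                             "path": m["path"], "params": own})
        ref = m["referer"]
        if ref and ref != "-":
            leaked = session_params_in_url(ref)
            if leaked:
                findings.append({"kind": "inbound_referer", "client": m["client"],
                                 "referer_host": urlsplit(_with_scheme(ref)).hostname,
                                 "params": leaked})
    return findings


def referrer_policy_header(policy: str = "strict-origin-when-cross-origin") -> tuple:
    """Header a site can emit so browsers send at most the origin cross-site
    ("no-referrer" sends nothing). Defence in depth only: keeping session IDs
    in cookies rather than URLs removes the leak at the source."""
    return ("Referrer-Policy", policy)


# Constructed sample: a hit on the attacker's site carrying the page's example
# Referer, then two hits on a webmail server that uses SID= in its own URLs.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2012:10:02:11 +1000] "GET /index.html HTTP/1.0" 200 512 '
    '"www.mywebmail.com/viewmsg.asp?msgid=689645&SID=2556X54VA75" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2012:10:03:40 +1000] '
    '"GET /viewmsg.asp?msgid=689645&SID=2556X54VA75 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2012:10:04:01 +1000] "GET /inbox.asp HTTP/1.1" 200 900 '
    '"https://www.mywebmail.com/inbox.asp" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
    print(referrer_policy_header())
```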
Spoofing vs. Hijacking

Hijacking

• Session hijacking is the process of taking over an existing active session
• Attacker relies on the legitimate user to make a connection and authenticate

Figure: John (victim) logs on to the server with his credentials; the attacker predicts the sequence and kills John's connection.

Spoofing Attack

• Attacker pretends to be another user or machine (victim) to gain access
• Attacker does not take over an existing active session. Instead he initiates a new session using the victim's stolen credentials

Source:
The earliest record of a session hijacking attack is perhaps the Morris Worm episode that affected nearly 6,000 computers on the ARPANET in 1988. This was ARPANET's first automated network security mishap. Robert T. Morris wrote a program that could spread through a number of computers and continue its action in an infinite loop, every time copying itself into a new computer on the ARPANET. The basic working of the Morris Worm was based on the discovery that the security of a TCP/IP connection rested in the sequence numbers, and that it was possible to predict them.

Blind hijacking involves predicting the sequence numbers that the targeted host sends in order to create a connection that appears to originate from the host. Before exploring blind spoofing further, take a look at sequence number prediction. TCP sequence numbers, which are unique for each byte in a TCP session, provide flow control and data integrity for the session. In addition, the TCP segment carries the Initial Sequence Number (ISN) as part of the segment header. The initial sequence number does not start at zero for each session. Each participant states its ISN as part of the handshake process, one in each direction, and the bytes are numbered sequentially from there. Blind IP hijacking relies on the attacker's ability to predict sequence numbers, as he or she is unable to sniff the communication between the two hosts by virtue of not being on the same network segment. An attacker cannot spoof a trusted host on a different network and
see the reply packets because the packets are not routed back to him or her. Neither can the
attacker resort to ARP cache poisoning because routers do not route ARP broadcasts across the
Internet. As the attacker is unable to see the replies, he or she is forced to anticipate the
responses from the target and prevent the host from sending an RST to the target. The attacker
then injects himself/herself into the communication by predicting what sequence numbers the
remote host is expecting from the target. This is used extensively to exploit the trust
relationships between users and remote machines. These services include NFS, telnet, and IRC.
IP spoofing is easy to achieve. To create new raw packets, the only condition is that the attacker
must have root access on the machine. In order to establish a spoofed connection, the attacker
must know what sequence numbers are being used. Therefore, IP spoofing forces the attacker
to forecast the next sequence number. To send a command, an attacker uses blind hijacking,
but the response cannot be viewed.
• In the case of IP spoofing, guessing the sequence number is not required since there is
no session currently open with that IP address. In a blind hijack, the traffic would get
back to the attacker by using only source routing. This is where the attacker tells the
network how to route the output and input from a session, and he or she promiscuously
sniffs it from the network as it passes by the attacker. Captured authentication
credentials are used to establish a session in session spoofing. Here, active hijacking
eclipses a pre-existing session. Due to this attack, the legitimate user may lose access or
may be deprived of the normal functionality of his or her established telnet session that
has been hijacked by the attacker, who now acts with the user's privileges. Since most
authentications only happen at the initiation of a session, this allows the attacker to gain
access to a target machine. Another method is to use source-routed IP packets. This
allows an attacker to become a part of the target-host conversation by deceptively
guiding the IP packets to pass through his or her system.
• Session hijacking is more difficult than IP address spoofing. In session hijacking, John (an
intruder) would seek to insert himself into a session that Jane (a legitimate user) already
had set up with \\Mail. John would wait until she establishes a session, then knock her
off the air by some means and pick up the session as though he were she. Then John
would send a scripted set of packets to \\Mail and would be able to see the responses.
To do this, he would need to know the sequence number in use when he hijacked the
session, which could be calculated as a result of knowing the ISN and the number of
packets that have been exchanged.
• Successful session hijacking is difficult without the use of known tools and only possible
when a number of factors are under the attacker's control. Knowledge of the ISN would
be the least of John's challenges. For instance, he would need a way to knock Jane off
the air when he wanted to, and also need a way to know the exact status of Jane's
session at the moment he mounted his attack. Both of these require that John have far
more knowledge and control over the session than would normally be possible.
• However, IP address spoofing attacks can only be successful if IP addresses are used for
authentication. An attacker cannot perform IP address spoofing or session hijacking if
per-packet integrity checking is executed. In the same way, IP address spoofing and
session hijacking are not possible if the session uses encryption such as SSL or PPTP,
because the attacker cannot participate in the key exchange.
• In summary, the hijacking of non-encrypted TCP communications requires the presence
of non-encrypted session-oriented traffic, the ability to recognize TCP sequence
numbers that predict the Next Sequence Number (NSN), and the ability to spoof a host's
MAC or IP address in order to receive communications that are not destined for the
attacker's host. If the attacker is on the local segment, he or she can sniff and predict
the ISN+1 number and route the traffic back to him by poisoning the ARP caches on the
two legitimate hosts participating in a session.
FIGURE 11.3: Attacker performing Spoofing Attack and Session Hijacking on victim's system
[Figure panels: Spoofing Attack, in which John logs on to the server with his credentials and the attacker starts a new session; Hijacking, in which the attacker predicts the sequence and kills John's (the victim's) connection to the server.]
Session Hijacking Process
It is easier to sneak in as a genuine user rather than to enter the system directly.
Session hijacking works by finding an established session and taking over that session after a
genuine user has access and has been authenticated. Once the session has been hijacked, the
attacker can stay connected for hours. This leaves ample time for the attacker to plant
backdoors or even gain additional access to a system. One of the main reasons that session
hijacking is difficult to detect is that the attacker impersonates a genuine user.
Therefore, all routed traffic going to the user's IP address comes to the attacker's system.
How does an attacker go about hijacking a session? The hijack can be broken down into three
broad phases:
• Tracking the connection: The attacker waits to find a suitable target and host by using a
network sniffer to track the target and host, or to identify a suitable user by scanning
with a tool like Nmap to find a target with an easy TCP sequence prediction. This is to
ensure that correct sequence and acknowledgement numbers are captured, since
packets are checked by TCP through sequence and/or acknowledgement numbers. The
attacker uses these numbers to construct his or her packets.
• Desynchronizing the connection: A desynchronized state is when a connection between
the target and host is in the established state; or in a stable state with no data
transmission; or the server's sequence number is not equal to the client's
acknowledgement number; or the client's sequence number is not equal to the server's
acknowledgement number.
To desynchronize the connection between the target and host, the sequence number or
the acknowledgement number (SEQ/ACK) of the server must be changed. This is done
by sending null data to the server so that the server's SEQ/ACK numbers can advance
while the target machine cannot register such an increment. For example, before
desynchronization, the attacker monitors the session without any kind of interference.
The attacker then sends a large amount of "null data" to the server. This data serves
only to change the ACK number on the server and does not affect anything else. Now,
both the server and target are desynchronized.
Another approach is to send a reset flag to the server in order to bring down the
connection on the server side. Ideally, this occurs in the early setup stage of the
connection. The attacker's goal is to break the connection on the server side and create
a new one with a different sequence number.
The attacker listens for a SYN/ACK packet from the server to the host. On detecting the
packet, the attacker immediately sends an RST packet to the server and a SYN packet
with exactly the same parameters, such as a port number, but with a different sequence
number. The server, on receiving the RST packet, closes the connection with the target
and initiates another one based on the SYN packet, but with a different sequence
number on the same port. After opening a new connection, the server sends a SYN/ACK
packet to the target for acknowledgement. The attacker detects (but does not intercept)
this and sends back an ACK packet to the server. Now the server is in the established
state. The main aim is to keep the target conversant, and switch to the established state
when it receives the first SYN/ACK packet from the server. Now both server and target
are in a desynchronized, but established state.
This can also be done using a FIN flag, but this can cause the server to respond with an
ACK and give away the attack through an ACK storm. This occurs because of a flaw in
this method of hijacking a TCP connection. While receiving an unacceptable packet, the
host acknowledges it by sending the expected sequence number. This unacceptable
packet generates an acknowledgement packet, thereby creating an endless loop for
every data packet. The mismatch in SEQ/ACK numbers results in excess network traffic
with both the server and target trying to verify the right sequence. Since these packets
do not carry data, they are not retransmitted if the packet is lost. However, since TCP
uses IP, the loss of a single packet puts an end to the unwanted conversation between
the server and the target.
The desynchronizing stage is added in the hijack sequence so that the target host is
ignorant about the attack. Without desynchronizing, the attacker is able to inject data to
the server and even keep his/her identity by spoofing an IP address. However, he/she
has to put up with the server's response being relayed to the target host as well.
• Injecting the attacker's packet: Now that the attacker has interrupted the connection
between the server and target, he or she can choose either to inject data into the
network or actively participate as the man-in-the-middle, passing data from the target
to the server, and vice versa, reading and injecting data as per wish.
FIGURE 11.4: Depicting Session Hijacking Process
[Slide: Packet Analysis of a Local Session Hijack. Note: Before the user could send the next data packet, the attacker predicts the next sequence number and sends the data to the server. This leads to the establishment of a connection between the attacker and the server.]
    User     -> Server: SYN <Clt ISN 1200><WIN 512>
    Server   -> User:   SYN <Svr ISN 1500><WIN 1024> /ACK 1201
    User     -> Server: DATA=128 <Clt SEQ 1201>
    Server   -> User:   ACK (Clt SEQ + DATA) 1329
    User     -> Server: DATA=91 <Clt SEQ 1329>
    Server   -> User:   ACK (Clt SEQ + DATA) 1420
    Attacker -> Server: DATA=20 <SEQ 1420>
    Attacker -> Server: DATA=50 <SEQ 1440>

Packet Analysis of a Local Session Hijack
Session hijacking attacks are high-level attack vectors by which many systems are
affected. Many systems that are connected in a LAN or on the Internet use TCP communication
protocol for transmitting data. For connection establishment between two systems and for
successful transmission of data, the two systems should establish a three-way handshake.
Session hijacking involves exploiting this three-way handshake method to take control over the
session.
To conduct a session hijack attack, the attacker performs three activities:
© Tracks a session
© Desynchronizes the session
© Injects attacker's commands in between
A session can be monitored or tracked simply by sniffing the traffic. The next task in session
hijacking is to desynchronize. This can be accomplished easily if the next sequence number to
be used by the client is known. If the sequence number is known, then you can hijack the
session by using the sequence number before the client can. There are two possibilities to
determine sequence numbers. One way is to sniff the traffic, find the ACK packet and then
determine the next sequence number based on the ACK packet. The other way is to
transmit data with guessed sequence numbers. The second way is not very reliable. If
you can access the network and can sniff the TCP session, then you can determine the
sequence number easily. This kind of session hijacking is called "local session hijacking." The
following is the packet analysis of a normal TCP three-way handshake:
FIGURE 11.5: Packet analysis of a normal TCP three-way handshake
Based on the diagram, the next expected sequence number would be 1420. If you can transmit
that packet sequence number before the user, you can desynchronize the connection between
the user and the server. The diagram that follows shows the packet analysis of a local session
hijack:
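The following Python tracker is an added example, not code from the CEH courseware: it replays the exchange from the slide (client ISN 1200, server ISN 1500, 128- and 91-byte data segments), recomputes the next expected sequence number of 1420 the same way the text does, and shows what a sniffer-based monitor on the local segment can flag during the desynchronization described earlier: a segment that carries the client's IP at exactly the predicted SEQ but arrives from a different link-layer source, followed by the real client's now out-of-sequence segment. The trace, the host names and the MAC addresses are constructed placeholders.

```python
# Added example (not from the CEH courseware): a minimal TCP flow tracker that
# recomputes the sequence numbers of the slide's exchange and flags what a
# sniffer-based monitor on the local segment can see during a hijack.
# The trace and the MAC addresses are constructed placeholders.
SLIDE_TRACE = [  # (src, dst, mac, flags, seq, ack, payload_len)
    ("user",   "server", "00:00:00:00:00:01", "S",  1200, 0,    0),    # SYN, Clt ISN 1200
    ("server", "user",   "00:00:00:00:00:02", "SA", 1500, 1201, 0),    # SYN/ACK, Svr ISN 1500
    ("user",   "server", "00:00:00:00:00:01", "A",  1201, 1501, 128),  # DATA=128
    ("server", "user",   "00:00:00:00:00:02", "A",  1501, 1329, 0),    # ACK 1329
    ("user",   "server", "00:00:00:00:00:01", "A",  1329, 1501, 91),   # DATA=91
    ("server", "user",   "00:00:00:00:00:02", "A",  1501, 1420, 0),    # ACK 1420
    # Segments at the predicted SEQ 1420/1440 carrying the user's IP but sent from another NIC
    ("user",   "server", "00:00:00:00:00:03", "A",  1420, 1501, 20),
    ("user",   "server", "00:00:00:00:00:03", "A",  1440, 1501, 50),
    # The real user's next segment: its SEQ is now behind what the server has accepted
    ("user",   "server", "00:00:00:00:00:01", "A",  1420, 1501, 10),
]

def segment_span(flags, payload_len):
    """Sequence space consumed by one segment: payload bytes plus one each for SYN and FIN."""
    return payload_len + ("S" in flags) + ("F" in flags)

def audit_trace(trace):
    """Replay a trace in order; return (next expected SEQ per host, list of alerts)."""
    next_seq = {}   # host -> SEQ we expect its next segment to carry
    mac_of = {}     # host (IP identity) -> MAC first seen for it (ARP-style binding)
    alerts = []
    for i, (src, dst, mac, flags, seq, ack, plen) in enumerate(trace):
        if src not in next_seq:            # first segment from this host carries its ISN
            next_seq[src], mac_of[src] = seq, mac
        if seq != next_seq[src]:           # out-of-sequence: desynchronised peer or injection
            alerts.append((i, f"{src}: seq {seq} != expected {next_seq[src]}"))
        if mac != mac_of[src]:             # same IP, different link-layer source
            alerts.append((i, f"{src}: MAC {mac} differs from bound {mac_of[src]}"))
        if dst in next_seq and ack > next_seq[dst]:  # acknowledging bytes never sent
            alerts.append((i, f"{src}: ack {ack} beyond peer's next seq {next_seq[dst]}"))
        next_seq[src] = seq + segment_span(flags, plen)
    return next_seq, alerts

if __name__ == "__main__":
    expected, findings = audit_trace(SLIDE_TRACE)
    print("next expected SEQ per host:", expected)
    for index, message in findings:
        print(f"segment {index}: {message}")
```

After the six legitimate segments the tracker expects the user's next SEQ to be 1420, exactly the value the text derives; the two injected segments trip only the MAC-binding check, and the legitimate client's following segment is what then appears out of sequence.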