Session hijacking and hijacking tools
1. Introduction
Here is an everyday analogy. Suppose you go to the market, pay for your groceries and then have to step away for a moment. If a stranger walks up at that point and asks for your groceries, would the seller hand them over?! It is only a metaphor, but it is a fitting metaphor for session hijacking. A session is a communication between two hosts: if you Telnet to a host, that is a Telnet session; if you browse a website, that is an HTTP session. Session hijacking is an attack that combines sniffing and spoofing techniques. An attacker who joins a normal session as a third party can insert malicious data into otherwise normal packets, eavesdrop on the data the two parties exchange, or even replace one of the hosts and take over the session.
Classified by technique, session hijacking comes in two types:
1) Man-in-the-middle (MITM) attacks
2) Injection attacks
Classified by behaviour, it also comes in two forms:
1) Passive hijacking: the attacker quietly monitors the data stream between the two parties in the background and extracts sensitive data from the packets.
2) Active hijacking: the attacker "kicks" one host out of the session and then takes its place, taking over the session. This form is far more damaging, because the attacker can then do many things.
2. Introduction to MITM attacks
This is what is usually called a "man-in-the-middle attack". The SMB session hijacking that is often discussed online is also a typical man-in-the-middle attack. To carry out a man-in-the-middle attack correctly, the attacker must first use ARP spoofing or DNS spoofing to quietly redirect the communication streams of both parties, in a way that is completely transparent to them.
ARP spoofing has been covered many times in Hacker Defense and there is plenty of material on it online, so I will not discuss it here; I only want to talk about DNS spoofing. DNS (Domain Name System) is used almost every day. Take a normal DNS lookup: when you type www.hacker.com.cn into a browser, the system first checks the Hosts file. If there is a matching entry, that IP address is used to reach the website (in fact the Hosts file itself can be used to carry out DNS spoofing). If there is none, a request is sent to the DNS server, which resolves the name to the corresponding IP address and returns it to the local host, and you finally arrive at the Hacker Defense website. DNS spoofing means that the target's DNS request is delivered to the attacker, who forges the DNS response and replaces the correct IP address with another one. You then connect to the IP address the attacker chose, where a malicious web page has already been set up, and you have been had. DNS spoofing can also be performed across a wide area network; common examples are "web server redirection" and "mail server redirection". Whether ARP spoofing or DNS spoofing is used, a man-in-the-middle attack alters the normal communication stream: the attacker becomes a transparent proxy between the two sides of the session, can obtain any information they want, and can even carry this out against some flawed encryption protocols.
3. Introduction to injection attacks
By comparison, injection-style session hijacking is easier than a man-in-the-middle attack. It does not alter the communication streams of the two parties but inserts malicious data into their normal communication stream. Injection attacks require two techniques:
1) IP spoofing
2) TCP sequence number prediction
For UDP it is enough to forge the source IP address and send the packet, because UDP has no three-way handshake like TCP; however, UDP-based application protocols often have their own flow-control mechanisms, so some extra work is needed. IP spoofing is used in two scenarios:
1) to hide one's own IP address;
2) to exploit a trust relationship between two machines in order to break in.
On Unix/Linux platforms you can construct an IP packet directly with a socket and write a false source address into the IP header, but this requires root privileges. On Windows platforms Winsock cannot do this; use WinPcap (or Libnet) instead. For example, on Linux you first open a raw socket and then fill in the IP header and the remaining data, as in the following example code:
sockfd = socket(AF_INET, SOCK_RAW, 255);                        /* raw socket, protocol 255 */
setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on));    /* we supply the IP header ourselves */
struct ip *ip;                        /* points at the IP header inside buf */
struct tcphdr *tcp;                   /* points at the TCP header inside buf */
struct pseudohdr pseudo_header;       /* pseudo header used for the TCP checksum */
ip->ip_src.s_addr = xxx;              /* forged source address */
pseudo_header.saddr.s_addr = ip->ip_src.s_addr;
tcp->check = tcpchksum((u_short *)&pseudo_header, 12 + sizeof(struct tcphdr));
sendto(sockfd, buf, len, 0, (const struct sockaddr *)addr, sizeof(struct sockaddr_in));
/* struct pseudohdr and tcpchksum() are helpers defined elsewhere in the original code */
For injection-style hijacking of a TCP session, the attacker first sniffs the target's traffic and then constructs the correct sequence number from what was observed. Without this, the target's ISN (initial sequence number) has to be guessed first, which makes session hijacking considerably harder. Why do the sequence numbers of both parties matter? Read on.
4. TCP session hijacking
This article is about TCP-based session hijacking. Hijacking unreliable protocols is easy, because they provide no authentication measures; TCP, on the other hand, is designed as a reliable transport protocol, so that is where the focus belongs.
According to the TCP/IP rules, TCP communication requires two sequence numbers, which TCP uses to keep the connection synchronised and the communication secure. The host's TCP/IP stack generates these values either time-based or linearly. During communication the sequence numbers of the two sides depend on each other, which is precisely what makes TCP a reliable transport protocol (for details see RFC 793). If an attacker simply tried to hijack the session at this point, the result would certainly be failure: neither side "knows" the attacker, so the attacker cannot supply a legal sequence number. The key to session hijacking is therefore predicting the correct sequence number, and an attacker can obtain this information by sniffing.
TCP sequence numbers
Now let's look at TCP sequence numbers. Each packet carries two of them:
SEQ: the sequence number of the first data byte in this packet
ACK: the sequence number of the first byte of the packet expected next from the other side
Assume the two parties set up a connection and define:
S_SEQ: sequence number of the next byte to be sent
S_ACK: sequence number of the next byte to be received
S_WIND: receive window
(the above are the server's values)
C_SEQ: sequence number of the next byte to be sent
C_ACK: sequence number of the next byte to be received
C_WIND: receive window
(the above are the client's values)
They must satisfy the following relationships; otherwise the packet is discarded and an ACK packet carrying the expected sequence number is returned:
C_ACK <= C_SEQ <= C_ACK + C_WIND
S_ACK <= S_SEQ <= S_ACK + S_WIND
If the above relationships are not satisfied, a "fatal weakness" is exposed, described below.
Fatal weakness:
This fatal weakness is the ACK storm. When either side receives a packet it did not expect, it returns an ACK packet carrying the sequence number it expects. To the other side that packet is also unexpected, so it in turn returns an ACK with its own expected sequence number ...... and so on back and forth, a vicious circle that finally produces the ACK storm. A better approach is to perform ARP spoofing first so that the packets of both parties pass "normally" through the attacker, then enable packet forwarding, and only then hijack the session, so that the ACK storm is no longer a concern. Of course, not every system produces an ACK storm; the Linux TCP/IP stack, for example, differs slightly from what the RFC describes. Note that the ACK storm only occurs in injection-style session hijacking.
TCP session hijacking process:
Assume that host A and host B have a TCP session and that C is the attacker (Figure 2). The hijacking proceeds as follows:
A sends a data packet to B:
    SEQ (hex): X        ACK (hex): Y
    FLAGS: -AP---       Window: ZZZZ, packet size: 60
B responds to A:
    SEQ (hex): Y        ACK (hex): X+60
    FLAGS: -AP---       Window: ZZZZ, packet size: 50
A responds to B's packet:
    SEQ (hex): X+60     ACK (hex): Y+50
    FLAGS: -AP---       Window: ZZZZ, packet size: 40
B responds to A:
    SEQ (hex): Y+50     ACK (hex): X+100
    FLAGS: -AP---       Window: ZZZZ, packet size: 30
Attacker C impersonates host A and sends a packet to host B:
    SEQ (hex): X+100    ACK (hex): Y+80
    FLAGS: -AP---       Window: ZZZZ, packet size: 20
B responds to A:
    SEQ (hex): Y+80     ACK (hex): X+120
    FLAGS: -AP---       Window: ZZZZ, packet size: 10
At this point host B executes the command that attacker C sent while impersonating host A, and returns a packet to host A. Host A, however, cannot recognise the packet B sent, so it returns a packet to B carrying the sequence number it expects, and an ACK storm ensues. If the ACK storm is dealt with (for example by the ARP spoofing mentioned above), the session hijack succeeds.
[This article is mostly excerpted from online articles. I did not perform the relevant tests; it is only for my personal understanding of session hijacking. Not an original article.]
[I don't know much about the defense methods; I'd like to introduce it to you.]
5. References
1. Practice and prevention of session hijacking
(The above are some of my own opinions. If there are any shortcomings or errors, please point them out.)
Author: The leaf with the wind http://www.cnblogs.com/phpstudy2015-6/
Address: http://www.cnblogs.com/phpstudy2015-6/p/6777615.html