Network-level Session Hijacking

  • Network-level hijacking relies on hijacking the transport and Internet protocols used by web applications in the application layer.
  • Attackers can collect vital information necessary for attacks at the application level by targeting network-level sessions.
  • Network-level hijacking includes:
    • Blind Hijacking
    • UDP Hijacking
    • TCP/IP Hijacking
    • RST Hijacking
    • Man-in-the-Middle: Packet Sniffer
    • IP Spoofing: Source Routed Packets

The 3-Way Handshake

  • The attacker will fake Bob’s address and initiate communication with the server if he or she can predict the next sequence and ACK number that Bob will send.
  • For the three parties to communicate, the following information is required:
    • IP address → in the IP packet, and will not change
    • Port numbers → in the IP packet, and will not change
    • Sequence numbers → these change over time, so the attacker has to find a way to guess the sequence number and get the server to accept the attacker’s packet before the server receives the victim’s packet. Once this succeeds, the victim’s session will be removed.

TCP/IP Hijacking

  • TCP/IP hijacking is a hacking technique that uses spoofed packets to take over a connection between a victim and a target machine.
  • The victim’s connection hangs and the attacker is then able to communicate with the host’s machine as if the attacker is the victim.
  • To launch a TCP/IP hijacking attack, the attacker must be on the same network (intranet) as the victim to send the spoofed packets.
  • The target and the victim machines can be anywhere.

TCP/IP Hijacking Process

  1. The attacker sniffs the victim’s connection and uses the victim’s IP to send a spoofed packet with the predicted sequence number.
  2. The receiver processes the spoofed packet, increments the sequence number, and sends acknowledgement to the victim’s IP.
  3. The victim machine is unaware of the spoofed packet, so it ignores the receiver machine’s ACK packet and turns sequence number count off.
  4. Therefore, the receiver receives packets with the incorrect sequence number.
  5. The attacker forces the victim’s connection with the receiver machine to a desynchronized state.
  6. The attacker tracks sequence numbers and continuously spoofs packets that come from the victim’s IP.
  7. The attacker continues to communicate with the receiver machine while the victim’s connection hangs.

IP Spoofing: Source Routed Packets (?)

  1. Packet source routing technique is used for gaining unauthorized access to a computer with the help of a trusted host’s IP address.
  2. The attacker spoofs the host’s IP address so that the server managing a session with the host accepts the packets from the attacker.
  3. When the session is established, the attacker injects forged packets before the host responds to the server.
  4. The original packet from the host is lost as the server gets the packet with a sequence number already used by the attacker.
  5. The packets are source-routed where the path to the destination IP can be specified by the attacker.

RST Hijacking

  • RST hijacking involves injecting an authentic-looking reset (RST) packet using a spoofed source address and predicting the acknowledgment number.
  • The hacker can reset the victim’s connection if the packet uses an accurate acknowledgment number.
  • The victim believes that the source actually sent the reset packet and resets the connection.
  • RST hijacking can be carried out using a packet crafting tool such as Colasoft’s Packet Builder and a TCP/IP analysis tool such as tcpdump.
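
The receiver-side check that blunts this attack, as an added example that is not part of the original notes: RFC 5961 section 3.2 resets a connection only when the RST's sequence number exactly equals the receiver's next expected value (RCV.NXT), where the original TCP rule accepted any value inside the receive window. The function names, connection state and sample sequence numbers are constructed for illustration.

```python
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd

def classic_rst(seq, rcv_nxt, rcv_wnd):
    """Original TCP rule (RFC 793): any RST inside the window resets."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"

def rfc5961_rst(seq, rcv_nxt, rcv_wnd):
    """RFC 5961 section 3.2: only an exact match resets the connection."""
    if not in_window(seq, rcv_nxt, rcv_wnd):
        return "drop"
    if seq == rcv_nxt:
        return "reset"
    # In window but not exact: keep the connection and send a challenge ACK
    # so that the genuine peer can answer with a correctly numbered RST.
    return "challenge_ack"

def tally(policy, rcv_nxt, rcv_wnd, rst_seqs):
    """Count how a receiver using `policy` treats each incoming RST."""
    counts = {"reset": 0, "challenge_ack": 0, "drop": 0}
    for seq in rst_seqs:
        counts[policy(seq % MOD, rcv_nxt, rcv_wnd)] += 1
    return counts

# Constructed receiver state; the window wraps past 2^32 on purpose.
RCV_NXT, RCV_WND = 4_294_967_000, 65_535
# Constructed RST sequence numbers: exact, in-window (x3), out-of-window (x2).
SAMPLE_RSTS = [RCV_NXT, RCV_NXT + 1, RCV_NXT + 40_000, 100,
               RCV_NXT - 1, 70_000_000]

if __name__ == "__main__":
    for policy in (classic_rst, rfc5961_rst):
        print(policy.__name__, tally(policy, RCV_NXT, RCV_WND, SAMPLE_RSTS))
```

A burst of challenge ACKs on one connection is also a useful detection signal, since each one marks a reset that arrived with a plausible but wrong sequence number.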

Blind Hijacking

  • The attacker can inject malicious data or commands into the intercepted communications in the TCP session even if source routing is disabled.
  • The attacker can send the data or commands but has no access to see the response. 

MiTM Attack Using Forged ICMP and ARP Spoofing (?)

  • In this attack, the packet sniffer is used as an interface between the client and the server.
  • ARP spoofing involves fooling the host by broadcasting the ARP request and changing its ARP tables by sending the forged ARP replies.
  • The packets between the client and the server are routed through the hijacker’s host by using two techniques:
    • Using Forged Internet Control Message Protocol (ICMP): It is an extension of IP to send error messages where the attacker can send messages to fool the client and the server.
      • The technique used is to forge ICMP packets to redirect traffic between the client and the host through the hijacker’s host.
      • The hacker’s packets send error messages that indicate problems in processing packets through the original connection.
      • This fools the server and client into routing through the hijacker’s path instead.
    • Using Address Resolution Protocol (ARP) Spoofing: ARP is used to map the network layer address (IP address) to link layer addresses (MAC address).
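
Detection logic for the ARP case, as an added example that is not part of the original notes: it baselines the first MAC seen for each IP from observed ARP replies, flags any later change, and raises a stronger alert when one MAC takes over two or more hosts, which is the pattern left when both ends of a conversation are redirected through one machine. The record layout, function name and addresses (documentation ranges) are constructed.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) taken from ARP replies
ARP_REPLIES = [
    (0.0, "192.0.2.1", "00:00:5e:00:53:01"),   # gateway, baseline
    (1.0, "192.0.2.20", "00:00:5e:00:53:20"),  # client, baseline
    (5.0, "192.0.2.1", "00:00:5e:00:53:66"),   # gateway IP claimed by a new MAC
    (5.1, "192.0.2.20", "00:00:5e:00:53:66"),  # client IP claimed by the same MAC
    (9.0, "192.0.2.30", "00:00:5e:00:53:30"),  # unrelated host, baseline
]

def find_arp_anomalies(replies):
    """Return alerts for changed IP-to-MAC bindings seen in ARP replies."""
    first_seen = {}                # ip -> first MAC observed (the baseline)
    claimed_by = defaultdict(set)  # mac -> IPs whose baseline it contradicted
    alerts = []
    for ts, ip, mac in sorted(replies):
        baseline = first_seen.setdefault(ip, mac)
        if mac != baseline:
            alerts.append(("binding_changed", ts, ip, baseline, mac))
            claimed_by[mac].add(ip)
    # One MAC taking over several hosts is far less likely to be benign
    # than a single change (NIC swap, failover).
    for mac, ips in sorted(claimed_by.items()):
        if len(ips) >= 2:
            alerts.append(("mac_claims_multiple_hosts", mac, tuple(sorted(ips))))
    return alerts

if __name__ == "__main__":
    for alert in find_arp_anomalies(ARP_REPLIES):
        print(alert)
```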

UDP Hijacking (?)

  • A network-level session hijacking in which the attacker responds to a victim’s UDP request with a fake server response before the real server does.
  • The attacker uses a man-in-the-middle attack to intercept the server’s response to the client and sends its own forged reply.
    • UDP does not use packet sequencing and synchronizing.
    • When the victim executes a UDP query, the attacker sends a fake response before the real response comes back, and the fake UDP response can contain malicious information. For example, when the victim executes a DNS query, the attacker sends a fake DNS response that sends the victim to the wrong place.
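
Because the forged reply has to win a race against the genuine one, the client's network usually sees two replies to the same query. The following added example, which is not part of the original notes, flags DNS replies that match an already answered query but carry a different answer; the record layout, function name and sample values are constructed.

```python
# Constructed sample DNS responses as a sensor might log them:
# (seconds, client IP, client port, transaction ID, query name, answer)
DNS_RESPONSES = [
    (10.000, "192.0.2.20", 53124, 0x1A2B, "example.com", "203.0.113.99"),
    (10.018, "192.0.2.20", 53124, 0x1A2B, "example.com", "198.51.100.7"),
    (11.000, "192.0.2.20", 53125, 0x0C0D, "example.org", "198.51.100.8"),
    (11.004, "192.0.2.20", 53125, 0x0C0D, "example.org", "198.51.100.8"),
    (30.000, "192.0.2.21", 40000, 0x1A2B, "example.com", "198.51.100.7"),
]

def find_conflicting_replies(responses, window=2.0):
    """Flag a second reply to the same query that disagrees with the first."""
    seen = {}    # query key -> (timestamp, answer) of the first reply
    alerts = []
    for ts, client, port, txid, qname, answer in sorted(responses):
        key = (client, port, txid, qname.lower())
        if key not in seen:
            seen[key] = (ts, answer)
            continue
        first_ts, first_answer = seen[key]
        # An identical duplicate is a retransmission; a different answer
        # within the window means two parties answered the same query.
        if answer != first_answer and ts - first_ts <= window:
            alerts.append({
                "client": client,
                "qname": qname,
                "first": first_answer,   # the reply the client acted on
                "later": answer,
                "gap_ms": round((ts - first_ts) * 1000),
            })
    return alerts

if __name__ == "__main__":
    for alert in find_conflicting_replies(DNS_RESPONSES):
        print(alert)
```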
