Sniffing and Session Hijacking - PowerPoint PPT Presentation
Lesson 12
Presentation Transcript
Session Hijacking
  • Passive
    • Attacker hijacks a session, but just sits back and watches and records all of the traffic that is being sent back and forth
    • Also referred to as “sniffing”
  • Active
    • Attacker finds an active session and takes over.
    • Done by forcing one of the parties offline so that the user can no longer communicate – usually done with a Denial of Service attack.
  • Sniffers are programs or HW devices that monitor (“listen in to”) traffic flowing across a network.
    • They can pull in all packets or be selective and only grab packets destined for certain addresses or that carry a certain type of traffic
  • For a sniffer to work correctly, it needs to view all of the traffic going across a network. Thus, it must be on the internal network or on the main connection into/out of a network.
Computer Network Monitoring
  • Port Scanning
  • Keystroke Monitoring
  • Packet sniffers
    • takes advantage of “friendly” nature of net.
    • Grabs packets not destined for system
    • used by
      • hackers
      • sysadmins
      • Law enforcement agencies
IP Packet
  [Figure: IP header layout diagram (bit offsets 4, 8, 16, 19, 32). Fields legible in the diagram: Type of Service, Total Length, Fragment Offset, Time to Live, Header Checksum, Source Address, Destination Address]
TCP packet
  [Figure: TCP header layout diagram (bit offsets 4, 8, 16, 32). Fields legible in the diagram: Source Port, Destination Port, Sequence Number, Acknowledgement Number, Urgent Pointer, Options, Padding]
Van Eck reception
  • Relies on the fact that electronic equipment radiates electromagnetic signals which can be intercepted
  • With the proper equipment signals can be recreated up to 1 kilometer away
Seizing the Signals
  • Eavesdropping on conversations
    • “listening in”, the content
  • Traffic analysis
    • data about the signals themselves
  • Cellular Intercepts
    • extremely vulnerable to interception
  • Pager Intercepts
    • also fairly simple
  • Law Enforcement Wiretaps
    • generally require court order with probable cause
  • Foreign Intelligence Intercepts
    • US and others have VERY active program in this arena
Defeating Sniffer Attacks
  • Detecting and Eliminating Sniffers
    • Possible on a single box if you have control of the system
    • Difficult (depending on OS) to impossible (if somebody splices network and adds hardware) from network perspective
  • Safer Topologies
    • Sniffers capture data from network segment they are attached to, so – create segments
  • Encryption
    • If you sniff encrypted packets, who cares?
      • (outside of traffic analysis, of course)
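Added example (my code, not from the slides): two host-local checks for the "single box" case above, listing Linux interfaces in promiscuous mode, which a software sniffer on that host needs. The `ip -o link show` output is a constructed sample and IFF_PROMISC is the Linux flag bit; a hardware tap spliced into the wire, as the slide notes, shows up in neither check.

```python
# Added example, not from the slides: host-local promiscuous-mode checks.
import re

IFF_PROMISC = 0x100  # Linux IFF_PROMISC flag bit (linux/if.h)

# Constructed sample of `ip -o link show` output; eth0 is in promiscuous mode.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
"""

# "<index>: <name>[@parent]: <FLAG,FLAG,...> ..." printed one link per line
LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")


def promisc_from_ip_link(text):
    """Names of interfaces whose flag list contains PROMISC."""
    found = []
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            found.append(m.group("name"))
    return found


def promisc_from_sysfs_flags(flags_hex):
    """Decode the hex string in /sys/class/net/<iface>/flags (e.g. '0x1103')."""
    return bool(int(flags_hex, 16) & IFF_PROMISC)


def read_sysfs_promisc(iface):
    """Live check on a Linux host (needs /sys access; not run by the demo).
    Neither check can see a hardware tap spliced into the cable, which is
    the case the slide calls impossible to detect from the network side."""
    with open(f"/sys/class/net/{iface}/flags") as fh:
        return promisc_from_sysfs_flags(fh.read().strip())


if __name__ == "__main__":
    print("promiscuous (sample ip link):", promisc_from_ip_link(SAMPLE_IP_LINK))  # ['eth0']
    print("0x1103 promiscuous:", promisc_from_sysfs_flags("0x1103"))  # True
```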
Traffic Analysis
  • Looks at activity, not contents
  • Pen Registers and Tap & Trace
    • pen registers provide access to the numbers that are dialed from a phone
    • tap & trace provides incoming numbers
  • Location Tracking
    • possible with cellular phones
    • can work even when phone not in use
Session Hijacking
  • Review for a second, the three-way handshake in TCP:
  [Figure: TCP three-way handshake diagram; only the label "ACK (SN-S+1)" survives]
Revisit Sequence Numbers
  • Depending on the session to be hijacked, you may or may not be able to observe the traffic and thus know the sequence number.
  • Sequence numbers are
    • 32-bit numbers,
    • Used by recipient to know what order to put received packets in, and
    • To acknowledge packets received so sender knows if it has to resend a packet.
    • There is one for the sender and one for the receiver
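Added example (my code, not from the slides): a small Python model of the handshake the diagram above refers to and of the 32-bit sequence/acknowledgement bookkeeping on this slide. It also applies the receiver's in-window acceptability test from TCP itself, which the slides do not cover, to show that a segment whose sequence number is guessed wrongly is simply dropped; all numbers are constructed.

```python
# Added example, not from the slides: TCP handshake sequence/ack bookkeeping
# and the receiver-side window check that decides whether a segment is accepted.
from dataclasses import dataclass

MOD = 1 << 32  # sequence numbers are 32 bits wide and wrap around


@dataclass
class Segment:
    seq: int          # sequence number of the first byte carried
    ack: int          # next byte the sender expects from its peer
    flags: str        # "SYN", "SYN-ACK" or "ACK"
    length: int = 0   # payload bytes (0 for the handshake segments)


def three_way_handshake(client_isn, server_isn):
    """Build the three handshake segments from both sides' initial numbers.

    SYN carries the client's ISN; SYN-ACK acknowledges it with ISN+1 and
    carries the server's ISN; the final ACK acknowledges server ISN+1
    (the "ACK (SN-S+1)" label on the slide's diagram).
    """
    syn = Segment(seq=client_isn, ack=0, flags="SYN")
    syn_ack = Segment(seq=server_isn, ack=(client_isn + 1) % MOD, flags="SYN-ACK")
    ack = Segment(seq=(client_isn + 1) % MOD, ack=(server_isn + 1) % MOD, flags="ACK")
    return syn, syn_ack, ack


def in_window(seq, rcv_nxt, rcv_wnd):
    """True when seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2**32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def receiver_accepts(segment, rcv_nxt, rcv_wnd=65535):
    """Receiver's basic acceptability test (RFC 793): data must land inside
    its receive window. This is why the sequence number has to be guessed
    closely: anything outside the window is dropped without effect."""
    return in_window(segment.seq, rcv_nxt, rcv_wnd)


if __name__ == "__main__":
    syn, syn_ack, ack = three_way_handshake(client_isn=1000, server_isn=5000)
    print(syn, syn_ack, ack, sep="\n")
    server_rcv_nxt = ack.seq  # server now expects client data to start here
    guess_close = Segment(seq=server_rcv_nxt + 40000, ack=5001, flags="ACK", length=5)
    guess_far = Segment(seq=server_rcv_nxt + 70000, ack=5001, flags="ACK", length=5)
    print("close guess accepted:", receiver_accepts(guess_close, server_rcv_nxt))  # True
    print("far guess accepted:  ", receiver_accepts(guess_far, server_rcv_nxt))    # False
```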
Steps in Session Hijacking
  • Find a target
  • Perform sequence number prediction
  • Find an active session
  • Guess the sequence numbers
  • Take one of the parties offline
  • Take over the session
Find a target
  • Need to find a suitable target
    • Need to be able to sample sequence numbers
      • Need to be able to get through the firewall for this
    • Needs to have connected sessions
    • Probably should be a server that allows session-oriented connections (e.g. telnet or FTP)
Perform sequence number prediction
  • If you can view the traffic, no problem…
  • Predictability of sequence number depends on OS (Windows more predictable)
    • Use scanning tool to determine OS (e.g. nmap)
  • Attempt several connections and observe sequence numbers to see how random the sequence is – gather information.
Find an Active Session
  • In session hijacking you want to take over a session – you want somebody to be around
    • This is opposite of usual hacker activity where you don’t want folks around to notice activity
    • The more traffic the better, since there will be less chance of somebody noticing (an individual may assume heavy traffic is causing any network problems they experience)
Guess the sequence number
  • For communication to occur need several things:
    • IP address (doesn’t change during session)
    • Port number (doesn’t generally change)
    • Sequence number (changes each packet sent)
  • Thus, attacker must successfully guess sequence number to hijack session
  • Goal is to get the server to accept the packet sent; this takes some educated guessing based on knowledge of sequence predictability
Take One of the Parties Offline
  • Once you’ve guessed the correct sequence number, time to eliminate the sender so you can take over the session.
  • Generally done with some form of Denial of Service attack.
    • Server still responds to original system but it never knows because it has been taken out.
Take Over the Session
  • Now the attacker has everything set up
    • Session
    • Sequence number
    • Sender (usually client) taken out
  • Now exploit session, ideally something like a telnet session where you can issue commands such as creating a new account or adding system to list of trusted systems.
Hijacking, doesn’t sound so simple…
  • In theory it is very complex; fortunately there are some programs out there that can help you.
    • Juggernaut
    • Hunt
    • TTY Watcher
    • IP Watcher
  • All of these are of the “sniffer” type: they must see traffic to be able to hijack it.
    • Think about what is needed to hijack a session you can’t see.
      • Remember, however, that I don’t need to be able to sniff all traffic to a server, I can be sniffing at the client side.
Protecting Against Session Hijacking
  • Use encryption
    • Use a secure protocol (usually includes encryption)
  • Limit incoming connections
  • Minimize remote access (referring to outgoing)
  • Have strong authentication (though this is less effective in protecting against hijacking since you are taking over a session after authentication has taken place.)
  • Hijacking is a real threat
  • Technology is straightforward
  • Many tools available to do this
  • There are legal ramifications