The
Transport layer of the TCP/IP model is charged with getting the
packet back and forth from the Application layer through ports. The
Transport layer also uses acknowledgments to confirm the packets
arrival to it's destination. WireShark is a packet analyzer (GUI seen
below), useful in exploring the three-way handshake used by the
Transmission Control Protocol (TCP). The eight parts of the TCP
Section in WireShark are; Source & Destination Ports, Sequence &
Acknowledgment Numbers, Header Length, Flags, Window Size and
Checksum. Of these sections, Initial Sequence Number (ISN), Source
and Destination Ports and Control Flags can be manipulated by a
hacker to perform attacks.
 |
| TCP Three-Way Handshake |
Session
Hijacking is inserting yourself into a connection already
established by a client and server. Using the TCP Session with
www.webtycho.com
, a hacker would have to be filtering the traffic with Wireshark to
capture the above mentioned data or use the steps described below of
Kevin Mitnick's Christmas Day attack. Once the data is captured ,
the hacker would craft a packet to represent the sequential packet of
the last packet sent by the client. The hacker would take the last
packet sent and analyze the data offset and add it to the current
acknowledgment number.(Shown below).
The
Source Port would be the client (34235) and destination would be the
HTTP server on port 80. The sequence number would stay the same as
long as only the server is sending data to the client. The Crafted
Packet would only have the ACK Flag up to insert itself into the
session. Below is a screen capture of Wireshark to confirm the
acknowledgment number projected in the calculation above.
 |
| How-to-Calculate Acknowledgement numbers |
The
famous Christmas Day attack by Kevin Mitnick is an excellent example
of session hijacking. Kevin attacked computers of Tsutomu
Shimomura at the San Diego Supercomputer Center. The first step was
to use the finger command in a UNIX environment to discover details
about the user. The second step was Kevin filled the targets queue
with half-open TCP connections (SYN Flag).The third step was to
calculate the ISN as described above then spoof the reply.
In
Conclusion, the TCP header contents are important for a security
professional to know. The ISN can be calculated simply by adding the
data offset to the last packet sent by the client. Once the three-way
handshake is establish, usually there are ACK Flags back and forth
until the connection is torn down by the four-way handshake. To
successfully hijack a session you would want to use the source and
destination ports already established.
No comments:
Post a Comment