Session Hijacking

The next type of attack that can be used to alter and interrupt communications on a network is the technique known as session hijacking. Hijacking a session falls under the category of active attacks in that you must directly and somewhat aggressively interact with the network and the victims on it. Hijacking builds on the techniques discussed in our previous section on sniffing and raises the stakes by taking over the communication between two parties. Once attackers decide to undertake a session hijacking, they will be actively injecting packets into the network with the goal of disrupting and taking over an existing session on the network. Ultimately, the session hijack will attempt to take over a session that is already authenticated to a resource to be attacked.

Here’s a high-level view of what session hijacking looks like:

  1. Insert yourself between Party A and Party B.

  2. Monitor the flow of packets using sniffing techniques.

  3. Analyze and predict the sequence number of the packets.

  4. Sever the connection between the two parties.

  5. Seize control of the session.

  6. Perform packet injection into the network.

To summarize, session hijacking is the process of taking over an already established session between two parties. Some points to remember about session hijacking follow:

  • TCP session hijacking is in process when an attacker seizes control of an existing TCP session between two systems.

  • Session hijacking takes place after the authentication process that occurs at the beginning of a session. Once this process has been completed, the session can be hijacked, and access (by the unauthorized party) to the authenticated resources can take place.

  • Session hijacking relies on a basic understanding of how messages and their associated packets flow over the Internet.

Session hijacking, much like sniffing, has two forms: active and passive. Each form of session hijacking has advantages and disadvantages that make it an attractive option to the attacker. Compare and contrast the two to see what they offer an attacker.

  • Active session hijacking—Active attacks are effective and useful to the attacker because they allow the attacker to search for and take over a session at will. In active session hijacking, the attacker will search for and take over a session and then interact with the remaining party as if the attacker were the party that has been disconnected. The attacker assumes the role of the party that has been displaced.

  • Passive session hijacking—Passive attacks are different in that the attacker locates and hijacks a session of interest but does not interact with the remaining party. Instead, in passive session hijacking, attackers switch to an observation-type mode to record and analyze the traffic as it moves. Passive hijacking is functionally no different from sniffing.

Identifying an Active Session

Earlier you learned that sniffing is the process of observing traffic on the network. Session hijacking builds on this process and refines it. Session hijacking adds the goal of not only observing the traffic and sessions currently active on the network but also taking over one of these sessions that has authenticated access to the resource you want to interact with. For a session hijack to be successful, the attacker must locate and identify a suitable session for hijacking. It sounds like a simple process until factors such as different network segments, switches, and encryption come into play. If you factor in the very real issue of having to uncover sequence numbers on packets to properly take control of a session, the challenges mount significantly. But they are not insurmountable. Remember that although the challenges are not small, what is on the line is the ability to interact with and execute commands against authenticated resources.

Consider some of the challenges standing in the way of successful session hijacking:

  • Sequence numbers—Every TCP packet has a unique 32-bit number embedded into its header that identifies it and how it should be reassembled with its fellow packets to regenerate the original message.

  • Network segments—When the attacker and victims are on the same network segment or on a network that uses a hub, observing traffic works like basic sniffing. However, if the victim and the attacker are on two different network segments separated by a switch, it becomes more difficult to carry out an attack, and techniques similar to active sniffing are needed.

Take a look at the sequence number problem and review the steps involved in session hijacking once again:

  1. Insert yourself between Party A and Party B.

  2. Monitor the flow of packets using sniffing techniques.

  3. Analyze and predict the sequence number of the packets.

  4. Sever the connection between the two parties.

  5. Seize control of the session.

  6. Perform packet injection into the network.

Look at step 3—this step is easy on a network on which you can see both parties. On these types of networks, you can sniff the traffic passively and read the sequence numbers off of the packets themselves. On a switched network, it becomes much more of an issue because you cannot see the other party (or parties), so you must use techniques to guess the sequence number correctly. (You can’t just stumble in with whatever number you want.) In this situation, you will send several packets to the victim or target to solicit a response with the sequence numbers on it.

Sequence numbers are a cornerstone of TCP that make possible several features you may take for granted. In TCP, every piece or byte of data must have a sequence number assigned to it to track the data, assemble it with its fellow packets, and perform flow control. So where and when do the sequence numbers get assigned? During the three-way handshake, which is illustrated in FIGURE 11-2.

FIGURE 11-2
Three-way TCP handshake.

Here are some points to remember about sequence number prediction:

  • When a client transmits a SYN packet to a server, the response will be a SYN/ACK. The client then responds to this SYN/ACK with an ACK. During this handshake, the starting sequence number will be assigned using a random method if the operating system supports this function.

  • If this sequence number is predictable, the attacker can initiate the connection to the server with a legitimate address and then open up a second connection from a forged address.

Once an attacker has determined the correct sequence numbers, the next attack step is to inject packets into the network. Of course, this is easier said than done, and just injecting packets into the network is not useful in every case because a few details must be in place first. Consider the two extremes of the session: the beginning and the end. At the beginning of the session, the process of authentication takes place. Injecting packets into the network and taking over the session here would be worthless if done prior to the authentication process (after all, you want an authenticated session). On the other hand, injecting packets too late, such as when the session is getting torn down or closed, will mean that the session you want to hijack is no longer present.

With the proper sequence numbers predicted and known, the attack can move to the next phase, which is to unplug one of the parties, such as a server if one is present. The goal at this stage is to knock out or remove one of the parties from the communication to get it out of the way. The removal can be performed by any method the attacker chooses, from a simple DoS attack to sending a connection reset request to the victim.
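To make the sequence-number discussion concrete, here is an added Python example (written for this page, not code from the book or from any tool it names) that models the handshake in FIGURE 11-2, contrasts a counter-style initial sequence number with one drawn from the OS random generator, and applies the receiver's in-window check from RFC 793 that decides whether a segment is accepted at all. The counter step, addresses and ISN values are constructed for illustration.

```python
import os
import statistics
import struct

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

def counter_isn_generator(step=64000):
    """Models the early 'ISN clock' scheme: a counter advanced by a fixed
    step per connection (the step value is an assumption for illustration)."""
    isn = 0
    while True:
        isn = (isn + step) % MOD
        yield isn

def random_isn_generator():
    """Models an unpredictable ISN: 32 bits from the OS CSPRNG.
    (Real stacks follow RFC 6528, a keyed hash plus a clock; simplified here.)"""
    while True:
        yield struct.unpack(">I", os.urandom(4))[0]

def three_way_handshake(client_isn, server_isn):
    """Return the three handshake segments as (flags, seq, ack) tuples.
    A SYN consumes one sequence number, so each side acknowledges ISN + 1."""
    syn = ("SYN", client_isn, 0)
    syn_ack = ("SYN/ACK", server_isn, (client_isn + 1) % MOD)
    ack = ("ACK", (client_isn + 1) % MOD, (server_isn + 1) % MOD)
    return [syn, syn_ack, ack]

def sample_isns(generator, count):
    """Draw `count` ISNs from a generator (helper for the comparison below)."""
    return [next(generator) for _ in range(count)]

def isn_gap_spread(isns):
    """Population standard deviation of the differences between consecutive
    ISNs. A spread of 0 means every new connection's ISN is the previous one
    plus a constant, which is exactly the predictability the text warns about."""
    gaps = [(b - a) % MOD for a, b in zip(isns, isns[1:])]
    return statistics.pstdev(gaps)

def segment_acceptable(seg_seq, rcv_nxt, rcv_wnd):
    """Receiver-side acceptability test (RFC 793, zero-length segment case):
    the sequence number must lie in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2^32.
    Anything outside the window is silently dropped, which is why a segment
    injected with a wrong sequence number simply never takes effect."""
    return (seg_seq - rcv_nxt) % MOD < rcv_wnd

if __name__ == "__main__":
    # Constructed values, not captured traffic.
    for direction, seg in zip(("client->server", "server->client", "client->server"),
                              three_way_handshake(client_isn=1000, server_isn=5000)):
        print(direction, seg)
    print("counter ISN spread:", isn_gap_spread(sample_isns(counter_isn_generator(), 50)))
    print("random  ISN spread:", isn_gap_spread(sample_isns(random_isn_generator(), 50)))
    print("in-window segment accepted:", segment_acceptable(5001, 5001, 65535))
    print("stale segment accepted:    ", segment_acceptable(4000, 5001, 65535))
```

The spread figure is the kind of measurement an operating-system audit reports when it rates ISN predictability; the in-window check is the reason step 3 of the procedure matters, since a stack discards segments whose sequence number is not close to the live one.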

Seizing Control of a Session

After taking control of a session, the attacker can move toward carrying out dirty work, whatever it may be. The difficulty for the attacker at this point is to keep the session maintained and active because as long as this connection is maintained and kept alive, the attacker has an authenticated connection to the intended target.

Session Hijacking Tools

To perform session hijacking, you can use a number of tools, each having its own advantages and disadvantages. Each of the tools on this list has seen widespread use by hackers and will offer you the ability to perform session hijacking quite easily. Each of these tools is essentially a packet sniffer with the enhanced capability needed to perform session hijacking.

  • Ettercap—This is an old-school tool that has the advantage of being multiplatform so you can learn how to use it on one platform and move those skills over easily to another platform, such as Mac OS. Ettercap possesses robust capabilities that enable it to perform its duties quite well. Included in this functionality is the ability to perform man-in-the-middle attacks, ARP spoofing, and session hijacking.

  • Hunt—This is a commonly used tool for performing session hijacking; in fact, it is the first one most hackers and security professionals are introduced to. This software has the ability to observe and hijack a session between two parties and to fire off TCP resets to shut down a victim’s system. This software package is designed to work on Ethernet-based networks and can work in both passive and active modes.

  • Juggernaut—This tool is a Linux network sniffer that provides the ability to hijack TCP sessions.

  • Paros HTTP Hijacker—This Java utility is an HTTP/HTTPS proxy that allows you to intercept and edit HTTP messages in real time.

  • IP-Watcher—This utility is a commercial-grade tool (read: you have to pay for it) that can perform session hijacking and monitor connections so you can choose the session you wish to take over.

  • T-sight—This is another commercial offering that can hijack TCP sessions on a network much like IP-Watcher.

Thwarting Session Hijacking Attacks

Session hijacking is dangerous, but you can limit its effect to a great degree through the proper application of your two best lines of defense: being proactive and looking for the signs of an attack. One way to be proactive is to use encryption. After all, it is hard for troublemakers to hijack a session if they can’t see what is being transmitted. Other measures you can use include configuring routers to block spoofed traffic from outside the protected network. Additionally, you can use countermeasures such as an intrusion detection system (IDS) that can watch for suspicious activity and alert you to it or even actively block this traffic automatically.
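The "signs of an attack" mentioned above can be turned into concrete detection logic. The following added Python example (not from the book and not the logic of any IDS product) walks a list of constructed ARP and TCP records and raises alerts for three symptoms of the procedure described earlier: an IP address whose MAC suddenly changes (the insertion step), segments of an established flow arriving from a MAC that never carried that flow, and a burst of resets against one flow (the severing step). All addresses, MACs, timestamps and the burst threshold are assumptions.

```python
from collections import defaultdict

RST_BURST_THRESHOLD = 3    # resets per flow within RST_BURST_WINDOW seconds (assumed tuning)
RST_BURST_WINDOW = 1.0

# Constructed sample records, not captured traffic: ARP replies seen on the
# segment plus TCP segments of one Telnet session (hypothetical addresses).
SAMPLE_RECORDS = [
    {"type": "arp", "ip": "10.0.0.1", "mac": "aa:aa:aa:aa:aa:01"},
    {"type": "tcp", "t": 1.0, "src_mac": "aa:aa:aa:aa:aa:02", "src": "10.0.0.2",
     "dst": "10.0.0.1", "sport": 40000, "dport": 23, "flags": "PA", "seq": 100},
    {"type": "tcp", "t": 1.1, "src_mac": "aa:aa:aa:aa:aa:01", "src": "10.0.0.1",
     "dst": "10.0.0.2", "sport": 23, "dport": 40000, "flags": "PA", "seq": 500},
    # the server's IP suddenly maps to a different MAC: the "insert yourself" step
    {"type": "arp", "ip": "10.0.0.1", "mac": "cc:cc:cc:cc:cc:99"},
    # segments for the existing flow now come from a MAC that never carried it
    {"type": "tcp", "t": 2.0, "src_mac": "cc:cc:cc:cc:cc:99", "src": "10.0.0.2",
     "dst": "10.0.0.1", "sport": 40000, "dport": 23, "flags": "PA", "seq": 140},
    # and a burst of resets within one second tries to knock one party off
    {"type": "tcp", "t": 2.1, "src_mac": "cc:cc:cc:cc:cc:99", "src": "10.0.0.1",
     "dst": "10.0.0.2", "sport": 23, "dport": 40000, "flags": "R", "seq": 520},
    {"type": "tcp", "t": 2.2, "src_mac": "cc:cc:cc:cc:cc:99", "src": "10.0.0.1",
     "dst": "10.0.0.2", "sport": 23, "dport": 40000, "flags": "R", "seq": 520},
    {"type": "tcp", "t": 2.3, "src_mac": "cc:cc:cc:cc:cc:99", "src": "10.0.0.1",
     "dst": "10.0.0.2", "sport": 23, "dport": 40000, "flags": "R", "seq": 520},
]

def flow_key(rec):
    """Direction-independent 4-tuple so both halves of a conversation share one key."""
    return tuple(sorted([(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])]))

def detect_hijack_signs(records):
    """Walk the records in order and return a list of alert tuples."""
    alerts = []
    arp_table = {}                      # ip -> mac last announced for it
    flow_macs = defaultdict(dict)       # flow -> {ip: mac that first spoke for it}
    already_flagged = set()             # (flow, ip) pairs reported once
    rst_times = defaultdict(list)       # flow -> timestamps of recent RSTs
    for rec in records:
        if rec["type"] == "arp":
            previous = arp_table.get(rec["ip"])
            if previous is not None and previous != rec["mac"]:
                alerts.append(("ARP_MAC_CHANGE", rec["ip"], previous, rec["mac"]))
            arp_table[rec["ip"]] = rec["mac"]
            continue
        key = flow_key(rec)
        expected_mac = flow_macs[key].setdefault(rec["src"], rec["src_mac"])
        if expected_mac != rec["src_mac"] and (key, rec["src"]) not in already_flagged:
            already_flagged.add((key, rec["src"]))
            alerts.append(("FLOW_MAC_MISMATCH", rec["src"], expected_mac, rec["src_mac"]))
        if "R" in rec["flags"]:
            recent = [t for t in rst_times[key] if rec["t"] - t <= RST_BURST_WINDOW]
            recent.append(rec["t"])
            rst_times[key] = recent
            if len(recent) == RST_BURST_THRESHOLD:
                alerts.append(("RST_BURST", key, len(recent)))
    return alerts

def alert_counts(records):
    """Number of alerts of each kind, for a quick summary."""
    counts = {}
    for alert in detect_hijack_signs(records):
        counts[alert[0]] = counts.get(alert[0], 0) + 1
    return counts

if __name__ == "__main__":
    for alert in detect_hijack_signs(SAMPLE_RECORDS):
        print(alert)
```

Note that the MAC-based checks only work on the attacker's own segment (a switch or router rewrites the frame header), so the reset-burst check is the one that still applies when the parties sit on different segments; encryption, as the text says, removes most of the attacker's ability to produce a usable injected segment in the first place.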

Denial of Service (DoS) Attacks

An older type of attack that still plagues the Internet and the computer systems attached to it is the denial of service (DoS) attack, which is a threat against one of the core tenets of security: availability. This makes sense when you consider that a DoS attack is designed to target a service or resource and deny access to it by legitimate users. In this section, you will take a look at this simple form of hacking—what it can do as well as how it works.

A DoS attack functions by tying up valuable resources that could be used to service legitimate needs and users. A DoS attack functions like this: Imagine someone calling your mobile phone over and over again; at some point the person might call often enough that no one else could call you, nor could you call out. At that point, you would become the victim of a DoS attack. Translate this scenario into the world of computer networks, and you have a situation where availability of a service is similarly threatened.

DoS attacks used to be employed to annoy and irritate a victim, but over the past few years these attacks have evolved into something much more ominous: a means to extort money and commit other crimes. For example, a criminal may contact a victim and ask for protection money to prevent any unfortunate “accidents” from happening.

To summarize, the main points of a DoS attack follow:

  • Deny the use of a system or service through the systematic overloading of its resources. An attacker is seeking a result in which the system becomes unstable, substantially slower, or overwhelmed to the point it cannot process any more requests.

  • Be carried out when an attacker fails at other attempts to access the system and just decides to shut down a system in retaliation.

Categories of DoS Attacks

DoS attacks are not all the same. They can be broken down into three broad categories based on how they carry out their goal of denying the service to legitimate uses and users:

  • Consumption of bandwidth

  • Consumption of resources

  • Exploitation of programming defects

Consumption of Bandwidth

Bandwidth exhaustion is one of the more common attacks to be observed in the “wild.” This type of attack is in effect when the network bandwidth flowing to and from a machine is consumed to the point of exhaustion. It may seem to some that the solution here would be to add enough bandwidth that it could not be easily exhausted, but the operative word is “easily”—it does not matter how much bandwidth is allocated to a system; it is still a finite amount. In fact, an attacker does not have to completely exhaust bandwidth to and from a system but rather use up so much of it that performance becomes unacceptable to users. So the attacker’s goal is to consume enough bandwidth to make the service unusable.

Some well-known forms of attacks in this category include:

  • Smurf—Through the exploitation of the Internet Control Message Protocol (ICMP) and spoofed packets to the broadcast address of a network, the attacker can generate a torrent of traffic from the sheer number of systems that may reply.

  • Fraggle—This type of attack is similar to the Smurf attack, with the difference being what it uses to consume bandwidth. In the case of fraggle attacks, bandwidth is consumed through the use of User Datagram Protocol (UDP) packets.

  • Chargen—This protocol was originally designed for testing and evaluation purposes, but it can be used to perform a DoS attack by generating traffic rapidly. By doing so, Chargen can consume the bandwidth on a network rapidly, at which point a DoS attack will have occurred.
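Smurf, fraggle and chargen-based floods all depend on a router forwarding packets addressed to a subnet's directed-broadcast address. The added Python example below (written for this page, not from the book or any router vendor) shows the border check that stops them: it recognises a destination as a protected subnet's broadcast address, labels the smurf and fraggle patterns, reports how many hosts could reply to one such packet, and drops every directed broadcast, which is the RFC 2644 default. The subnets and sample packets are constructed.

```python
import ipaddress

ECHO_PORT, CHARGEN_PORT = 7, 19    # UDP services abused for fraggle-style amplification
ICMP_ECHO_REQUEST = 8

# Subnets behind the border router (constructed example ranges).
PROTECTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/24"),
                      ipaddress.ip_network("192.168.1.0/24")]

def directed_broadcast_target(dst, networks=PROTECTED_NETWORKS):
    """Return the protected network whose broadcast address dst is, else None."""
    addr = ipaddress.ip_address(dst)
    for net in networks:
        if addr == net.broadcast_address:
            return net
    return None

def reflector_count(net):
    """Upper bound on hosts that could answer one broadcast packet,
    i.e. the amplification one spoofed request can achieve."""
    return net.num_addresses - 2   # network and broadcast addresses do not answer

def ingress_verdict(pkt, networks=PROTECTED_NETWORKS):
    """Classify one inbound packet: None means forward, otherwise a drop reason.
    Every directed broadcast is dropped; smurf and fraggle are named so the
    log line says what was attempted."""
    net = directed_broadcast_target(pkt["dst"], networks)
    if net is None:
        return None
    amp = reflector_count(net)
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == ICMP_ECHO_REQUEST:
        return f"smurf pattern: echo request to {net.broadcast_address}, up to {amp} replies"
    if pkt["proto"] == "udp" and pkt.get("dport") in (ECHO_PORT, CHARGEN_PORT):
        return f"fraggle pattern: UDP/{pkt['dport']} to {net.broadcast_address}, up to {amp} replies"
    return f"directed broadcast to {net.broadcast_address} not forwarded"

def filter_ingress(packets, networks=PROTECTED_NETWORKS):
    """Split packets into those to forward and (packet, reason) pairs to drop."""
    forwarded, dropped = [], []
    for pkt in packets:
        reason = ingress_verdict(pkt, networks)
        if reason:
            dropped.append((pkt, reason))
        else:
            forwarded.append(pkt)
    return forwarded, dropped

# Constructed sample packets; the source of the first three is forged to look
# like an inside host so the replies would land on it.
SAMPLE_PACKETS = [
    {"src": "10.0.0.9", "dst": "10.0.0.255", "proto": "icmp", "icmp_type": 8},
    {"src": "10.0.0.9", "dst": "192.168.1.255", "proto": "udp", "dport": 19},
    {"src": "10.0.0.9", "dst": "10.0.0.255", "proto": "udp", "dport": 53},
    {"src": "203.0.113.4", "dst": "10.0.0.7", "proto": "icmp", "icmp_type": 8},
]

if __name__ == "__main__":
    kept, dropped = filter_ingress(SAMPLE_PACKETS)
    for pkt, reason in dropped:
        print("DROP", pkt["dst"], "-", reason)
    print("forwarded:", len(kept))
```

On real equipment this check is a single configuration line (for example disabling directed-broadcast forwarding on each interface); the code only makes explicit what that setting decides for each packet.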

Consumption of Resources

The goal of attacks based on resource consumption is to eat up a limited resource. However, unlike bandwidth consumption, the effect is not spread across multiple systems; instead, the attack targets the resources of a single system. When an attack of this nature is carried out, a service or an entire system may become overloaded to the point where it slows, locks, or crashes.


This type of attack can vary in how it is approached; the following list includes some of the more common forms of this attack:

  • SYN flood—This type of attack uses forged packets with the SYN flag set. When the victim receives enough of the packets, the result is an overwhelmed system as the SYN flood consumes connection resources to the point where no resources are available for legitimate connections.

  • ICMP flood—This type of attack comes in two variants: Smurf attack and ping flood.

    • Smurf attack—Carried out when a large amount of traffic is directed to the broadcast address of a network instead of to a specific system. By sending traffic to the broadcast address of a network, the request is sent to all hosts on the network, which respond in turn. However, because the attacker will take the extra step of configuring the packet with the intended victim as the source, all the hosts on the network will respond to the victim instead of to the attacker. The result is that a flood of traffic overwhelms the victim, causing a DoS attack.

    • Ping flood—Carried out by sending a large number of ping packets to the victim with the intent of overwhelming the victim. This attack is incredibly simple, requiring only basic knowledge of the ping command, the victim’s IP, and more bandwidth than the victim. In Windows, the command to pull off such an attack would be ping -t <victim IP address>.

  • Teardrop attack—In this type of attack, the attacker manipulates IP packet fragments in such a way that when they are reassembled by the victim, a crash occurs. This process involves having fragments reassembled in illegal ways or having fragments reassembled into larger packets than the victim can process.

  • Reflected attack—This type of attack is carried out by spoofing or forging the source address of packets or requests and sending them to numerous systems, which in turn respond to the request. This type of attack is a scaled-up version of what happens in the ping flood attack.
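The SYN flood entry above describes the resource that is exhausted: the table of half-open connections a listener keeps between the SYN and the final ACK. The standard mitigation, SYN cookies, removes that table by encoding the handshake state in the server's initial sequence number. The added Python example below (written for this page; it is a simplified model, not the Linux implementation and not code from the book) simulates a listener with a fixed backlog and a cookie-based listener, floods both with SYNs from forged addresses that never complete the handshake, and checks whether an honest client can still connect. The addresses, backlog size and cookie layout are assumptions.

```python
import hashlib
import hmac
import os

MOD = 1 << 32
COOKIE_BITS = 24                 # low 24 bits: truncated MAC; top 8 bits: coarse time counter
SERVER_SECRET = os.urandom(16)   # per-process secret (real stacks also rotate it)
SERVER_IP, SERVER_PORT = "10.0.0.1", 80   # constructed values for the simulation

def syn_cookie(src, sport, client_isn, counter):
    """Stateless ISN in the style of SYN cookies (simplified: no MSS encoding).
    Everything needed to verify it later is recomputable from the client's ACK."""
    counter &= 0xFF
    msg = f"{src}|{SERVER_IP}|{sport}|{SERVER_PORT}|{client_isn}|{counter}".encode()
    mac = int.from_bytes(hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return (counter << COOKIE_BITS) | mac

def validate_cookie(src, sport, client_isn, ack, now_counter, max_age=1):
    """Check the final ACK of a handshake against a recomputed cookie.
    ack - 1 is the ISN we handed out; reject it if stale or not matching."""
    cookie = (ack - 1) % MOD
    counter = cookie >> COOKIE_BITS
    if ((now_counter - counter) & 0xFF) > max_age:
        return False
    expected = syn_cookie(src, sport, client_isn, counter)
    return hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big"))

class StatefulListener:
    """Classic listener: one half-open entry per SYN until the ACK arrives.
    This table is the resource a SYN flood fills up."""
    def __init__(self, backlog=128):
        self.backlog, self.half_open, self.established = backlog, {}, 0
    def on_syn(self, src, sport, client_isn):
        if len(self.half_open) >= self.backlog:
            return None                        # backlog full: SYN silently dropped
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[(src, sport)] = isn
        return isn
    def on_ack(self, src, sport, client_isn, ack):
        isn = self.half_open.pop((src, sport), None)
        if isn is not None and ack == (isn + 1) % MOD:
            self.established += 1
            return True
        return False

class CookieListener:
    """Stateless listener: the ISN carries the state, so spoofed SYNs cost no memory."""
    def __init__(self, counter=0):
        self.counter, self.established = counter, 0
    def on_syn(self, src, sport, client_isn):
        return syn_cookie(src, sport, client_isn, self.counter)
    def on_ack(self, src, sport, client_isn, ack):
        if validate_cookie(src, sport, client_isn, ack, self.counter):
            self.established += 1
            return True
        return False

def simulate_flood(listener, spoofed_syns=1000):
    """Feed `spoofed_syns` SYNs from forged addresses that never ACK, then try
    one honest handshake. Returns whether the honest client got through."""
    for i in range(spoofed_syns):
        # forged sources drawn from the TEST-NET-2 documentation range (constructed)
        listener.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, 7 * i)
    client_isn = 123456
    isn = listener.on_syn("192.0.2.10", 50000, client_isn)
    if isn is None:
        return False
    return listener.on_ack("192.0.2.10", 50000, client_isn, (isn + 1) % MOD)

if __name__ == "__main__":
    print("stateful listener, honest client connected:", simulate_flood(StatefulListener()))
    print("cookie listener,   honest client connected:", simulate_flood(CookieListener()))
```

The trade-off real stacks make is visible in the cookie layout: with no stored state, the server cannot remember negotiated options, so Linux encodes the MSS in a few cookie bits and only switches cookies on once the backlog is under pressure.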

Exploitation of Programming Defects

Consuming bandwidth isn’t the only way to carry out a DoS attack on a system. Another option is to exploit known weaknesses in the system’s design. Vulnerabilities of this type may have been exposed because of flaws in the system’s design that were inadvertently put in place by the programmers or developers of the system.

The following list has some of the more common methods of exploiting programming defects:

  • Ping of death (PoD)—This type of attack preys upon the inability of some systems to handle oversized packets. An attacker sends them out in fragments. When these fragments reach the system, they are reassembled by the victim. When the “magic size” of the 65,536 bytes allowed by the IP protocol is reached, some systems will crash or become victim to a buffer overflow.

  • Teardrop—This attack succeeds by exploiting a different weakness in the way packets are processed by a system. In this type of attack, the packets are sent in a malformed state with their offset values adjusted so they overlap, which is illegal. When a system that does not know how to deal with this issue is targeted, a crash or lock may result.

  • Land—In this type of attack, a packet is sent to a victim’s system with the same source and destination address and port. Systems that do not know how to process this will crash or lock up.
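Each of the three defects above is a missing sanity check in the receiving stack, and each can be written down as one. The added Python example below (written for this page, not from the book) implements those checks over constructed packet descriptors: the identical source/destination test for Land, an overlap test on fragment intervals for teardrop, and a reassembled-size test for ping of death that refuses any datagram whose total would exceed the 65,535 bytes the IPv4 length field can express. Fragment offsets are given in bytes here, and the 20-byte header size and all addresses are assumptions.

```python
from collections import defaultdict

IP_MAX_TOTAL_LENGTH = 65535   # largest value the 16-bit IPv4 total-length field can hold
IP_HEADER_LEN = 20            # assumed header size without options

def is_land_packet(pkt):
    """Land: identical source/destination address and port."""
    return pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]

class FragmentTracker:
    """Per-datagram fragment bookkeeping keyed by (src, dst, id, proto).
    Offsets are in bytes here (the IPv4 header stores them in 8-byte units).
    Rejects the two reassembly abuses the text describes before any buffer is
    touched: overlapping fragments (teardrop) and a datagram whose reassembled
    size would exceed 65,535 bytes (ping of death)."""
    def __init__(self):
        self.groups = defaultdict(list)    # key -> list of (offset, length)

    def add(self, frag):
        key = (frag["src"], frag["dst"], frag["id"], frag["proto"])
        offset, length = frag["frag_offset"], frag["payload_len"]
        end = offset + length
        if IP_HEADER_LEN + end > IP_MAX_TOTAL_LENGTH:
            return "OVERSIZED_REASSEMBLY"
        for seen_offset, seen_length in self.groups[key]:
            if offset < seen_offset + seen_length and seen_offset < end:
                return "OVERLAPPING_FRAGMENT"   # intervals intersect
        self.groups[key].append((offset, length))
        return None

def inspect(packets):
    """Run every check over a packet list; return [(index, verdict)] for bad ones."""
    tracker = FragmentTracker()
    findings = []
    for i, pkt in enumerate(packets):
        if "sport" in pkt and is_land_packet(pkt):
            findings.append((i, "LAND"))
        if "frag_offset" in pkt:
            verdict = tracker.add(pkt)
            if verdict:
                findings.append((i, verdict))
    return findings

def pod_fragments(src, dst, icmp_len, mtu_payload=1480):
    """Build the fragment list an ICMP message of icmp_len bytes would produce
    on a 1500-byte MTU (constructed helper for the sample input)."""
    frags, offset = [], 0
    while offset < icmp_len:
        length = min(mtu_payload, icmp_len - offset)
        frags.append({"src": src, "dst": dst, "id": 2, "proto": "icmp",
                      "frag_offset": offset, "payload_len": length})
        offset += length
    return frags

# Constructed sample input: one Land packet, two overlapping UDP fragments,
# then the fragments of an ICMP message of 8 header + 65,510 data bytes.
SAMPLE_PACKETS = (
    [{"src": "10.0.0.5", "dst": "10.0.0.5", "sport": 139, "dport": 139, "proto": "tcp"}]
    + [{"src": "10.0.0.8", "dst": "10.0.0.5", "id": 1, "proto": "udp",
        "frag_offset": 0, "payload_len": 36},
       {"src": "10.0.0.8", "dst": "10.0.0.5", "id": 1, "proto": "udp",
        "frag_offset": 24, "payload_len": 24}]
    + pod_fragments("10.0.0.8", "10.0.0.5", icmp_len=65518)
)

if __name__ == "__main__":
    for index, verdict in inspect(SAMPLE_PACKETS):
        print(f"packet {index}: {verdict}")
```

The largest legitimate ICMP echo carries 65,507 data bytes (65,535 minus 20 bytes of IP header and 8 bytes of ICMP header), and the checker accepts exactly that; one more fragment byte pushes the total past the field's maximum and is refused before reassembly, which is the check the vulnerable stacks lacked.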

Tools for DoS Attacks

There are plenty of tools available to the hacker to perform a DoS attack, including:

  • Jolt2—A piece of software designed to flood an older system with incorrectly formatted packets

  • LOIC (Low Orbit Ion Cannon)—An easy-to-use tool to launch DoS attacks via UDP, TCP, or HTTP

  • HULK (HTTP Unbearable Load King)—This tool allows the attacker to launch DoS attacks that are difficult to trace and even identify because of its ability to generate unique requests during the attack.

  • RUDY (R-U-Dead-Yet)—This is a relatively easy-to-use HTTP DoS tool that uses the HTTP POST method to carry out its attack.
