Theft On The Web: Prevent Session Hijacking
1 of 6
https://technet.microsoft.com/en-us/magazine/2005.01.sessionhijacking.aspx
TechNet Magazine
TechNet Magazine, Winter 2005 issue
2/16/2015 11:06 AM
uses acknowledgment (ACK) packets and sequence numbers. Manipulating these is the basis for
TCP session hijacking. As we mentioned earlier, the MITM attacker simply needs to be positioned so
that communications between the client and the server are relayed through him or her. To
understand how an attacker might sneak into the TCP session in a blind session hijack attack, you
need to look at what happens when a client initiates a TCP session with the server.
As shown in Figure 1, the client first initiates a session with the server by sending a synchronization
(SYN) packet to the server with initial sequence number x. The server responds with a SYN/ACK
packet that contains the server's own sequence number p and an ACK number for the client's
original SYN packet. This ACK number indicates the next sequence number the server expects from
the client. In our example, this is x+1, because the client's original SYN packet counted as a single
byte. The client acknowledges receipt of the SYN/ACK packet by sending back to the server an ACK
packet with the next sequence number it expects from the server, which in this case is p+1 (the
server's initial SYN packet sequence number plus one). The client and server are ready to start
exchanging data.
The sequence number values just described are important for understanding how to successfully
hijack this session later, so pay close attention to them in the paragraphs that follow. The same
goes for ACK numbers, which are key to understanding TCP ACK storms.
number x+2. The server accepts it and sends the real client an ACK packet with acknowledgment
number x+3 to confirm that it has received the Z character. When the client receives the ACK
packet, it will be confused, either because it did not send any data or because the next expected
sequence is incorrect. (Maybe the attacker sent something "nice" like "mv `which emacs` /vmunix
&& shutdown -r now" and not just a single character.) As you will see later, this confusion can
cause a TCP ACK storm, which can disrupt a network. In any case, the attacker has now successfully
hijacked this session.
Attackers can automate the session hijacking process just described with tools such as Juggernaut,
by Mike Schiffman, and Hunt, by Pavel Krauz.
Determining Susceptibility
One obvious way to determine the susceptibility of your organization's networks to network-level
session hijacking attacks is to try to hijack actual network sessions using common attacker tools
such as Juggernaut or Hunt. Using live attacker tools against your organization's production
networks, however, is not recommended. A safer approach would be simply to find out if your
organization uses transport protocols that do not use cryptographic protection (such as encryption)
for transport security or digital signatures for authentication verification. Common examples of
these protocols include Telnet, FTP, and DNS. If such network protocols exist in your organization's
networks, sessions traveling over those unencrypted protocols are ripe for hijacking.
What countermeasures can you take to reduce your susceptibility to network-level session hijacking
attacks? One technique is to implement encrypted transport protocols such as Secure Shell (SSH),
Secure Sockets Layer (SSL), and Internet Protocol Security (IPSec). An attacker attempting to hijack a
session by tunneling in an encrypted transport protocol must, at a minimum, know the session key
used to protect that tunnel, which should be difficult to guess or steal. Any data the attacker can
inject into network sessions without using the correct session key will be undecipherable by the
recipient and rejected accordingly. Even in the unlikely event that an attacker is able to attain the
prized session key, digitally signing network traffic provides an extra layer of defense against the
successful injection of malicious data into network sessions.
As a rule, do not communicate with highly critical systems unless you do so over protocols that use
a strong encryption algorithm for secure transport. By themselves, protocols such as Telnet and FTP
are poor choices, extremely susceptible to hijacking when not protected inside encrypted tunnels.
TCP Resynchronizing
To hide his or her tracks, an attacker who is finished with the session hijacking attack might want to
resynchronize the communicating hosts. The problem is that after the attack, the two hosts whose
session was hijacked will be at different points in the session. In other words, each host will be
expecting different sequence numbers.
For example, the server might think that it is 40 bytes into the session when really the client might
have sent only 29 bytes. Thus, the expected sequence numbers on each side will differ. Since
sequence numbers move in only a positive direction, it's not possible with TCP stacks to manipulate
the server so that its expected sequence number moves downward to match the client's sequence
number.
In this situation, the attacker needs some way to move the client's sequence numbers to match the
server's. Tools like Hunt try to solve this problem by sending a message to the client. Here is an
example (note that the number 13 is used arbitrarily):
Hunt will replace this value with whatever number of bytes the client is required to send to be
resynchronized with the server. The hope is that the user will comply. When the user has typed
enough characters, Hunt will use more forged ARP reply packets to restore the correct values to the
ARP table entries it modified on the client and server to avoid TCP ACK storms.
This technique of resynchronizing client and server TCP stacks is dependent on the user following
instructions sent by the Hunt tool, and will probably not work against well-educated users or any
protocol other than Telnet or possibly FTP.
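To make the sequence-number bookkeeping concrete, here is an added Python model; it is not code from the article or from the Hunt tool. It tracks only the two counters each endpoint keeps (next byte to send, next byte expected), walks the handshake to x+1 and p+1, shows how one byte the real client never sent leaves the server one byte ahead, and computes the shortfall the client must still transmit before the two sides agree again, which is the number Hunt substitutes for its arbitrary 13.

```python
from dataclasses import dataclass


@dataclass
class Endpoint:
    """One TCP endpoint reduced to the two counters the article reasons about."""
    snd_nxt: int      # sequence number of the next byte this side will send
    rcv_nxt: int = 0  # next byte expected from the peer; also the ACK number it sends

    def receive(self, seq: int, length: int) -> bool:
        """Accept an in-order segment and advance rcv_nxt; refuse anything else."""
        if seq != self.rcv_nxt:
            return False  # a real stack would answer with an ACK repeating rcv_nxt
        self.rcv_nxt += length  # rcv_nxt only ever moves forward
        return True


def handshake(x: int, p: int) -> tuple[Endpoint, Endpoint]:
    """Three-way handshake with the article's initial sequence numbers x and p."""
    client, server = Endpoint(snd_nxt=x), Endpoint(snd_nxt=p)
    # SYN(seq=x): the SYN occupies one sequence number, so the server will ACK x+1.
    server.rcv_nxt, client.snd_nxt = x + 1, x + 1
    # SYN/ACK(seq=p, ack=x+1): likewise the client will ACK p+1.
    client.rcv_nxt, server.snd_nxt = p + 1, p + 1
    # ACK(ack=p+1) carries no data, so nothing else moves; both sides now agree.
    return client, server


def send(src: Endpoint, dst: Endpoint, length: int) -> bool:
    """src transmits `length` payload bytes at its snd_nxt; returns whether dst accepted them.
    snd_nxt advances whether or not the peer accepts, as a real sender's does."""
    accepted = dst.receive(src.snd_nxt, length)
    src.snd_nxt += length
    return accepted


def synchronized(a: Endpoint, b: Endpoint) -> bool:
    """True when each side's next send matches what the other side expects."""
    return a.snd_nxt == b.rcv_nxt and b.snd_nxt == a.rcv_nxt


def foreign_segment(dst: Endpoint, seq: int, length: int) -> bool:
    """A segment the real peer never sent (the lone 'Z' in the article); dst cannot tell."""
    return dst.receive(seq, length)


def bytes_client_must_send(client: Endpoint, server: Endpoint) -> int:
    """Shortfall the real client must still transmit before server.rcv_nxt is reached.
    rcv_nxt cannot be wound back, so this is the only way out (Hunt's placeholder 13)."""
    return max(0, server.rcv_nxt - client.snd_nxt)
```

The model deliberately omits windows, retransmission and the ACKs themselves; its point is that a single unexpected byte leaves the two counters disagreeing, and only forward movement on the client's side can close the gap.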
Conclusion
Protecting network sessions that carry sensitive and important data such as credit card numbers,
bank transactions, and administrative server commands is an important first step at improving the
security posture of your organization. By removing an attacker's ability to inject data into those
sessions, you raise the security bar and force your adversary to try other, more complex avenues
that are less likely to compromise your organization's security.
Kevin Lam, David LeBlanc, and Ben Smith all work on security at Microsoft. Ben is the coauthor of
Microsoft Windows Security Resource Kit and David is the coauthor of Writing Secure Code 2 (both from
Microsoft Press).
This article is adapted from Chapter 21 of Assessing Network Security (Microsoft Press, 2004).
2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without
permission is prohibited.