09-04-2012, 01:49 PM
UDP Session Hijacking
TCP Sliding Windows
For each TCP connection, each host keeps two sliding windows,
a send sliding window, and
a receive sliding window,
to ensure the correct transmission of traffic between the sender and the receiver.
Each byte sent from the sender to the receiver has a unique sequence number associated with it.
TCP Session Hijacking
TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine.
Packet Sniffers
Passive sniffers monitor and sniff packets on a network that shares the same collision domain, i.e. a network with a hub, as all packets are broadcast on each port of the hub.
TCP ACK Packet Storms
Assume that the attacker has forged the correct packet information (headers, sequence numbers, and so on) at some point during the session.
When the attacker sends injected session data to the server, the server will acknowledge the receipt of the data by sending an ACK packet to the real client. This packet will most likely contain a sequence number that the client is not expecting, so when the client receives this packet, it will try to resynchronize the TCP session with the server by sending it an ACK packet with the sequence number that it is expecting.
This ACK packet will in turn contain a sequence number that the server is not expecting, and so the server will resend its last ACK packet. This cycle goes on and on, and this rapid passing back and forth of ACK packets creates an ACK storm.
Countermeasures – Encrypted Application
Other countermeasures include encrypted applications like SSH (Secure SHell, an encrypted telnet) or SSL (Secure Sockets Layer, HTTPS traffic).
Again, this comes back to using encryption, the subtle difference being that you are using the encryption within an application.
Be aware, though, that there are known attacks against SSH and SSL. OWA (Outlook Web Access) uses SSL to encrypt data between an internet client browser and the Exchange mail server, but tools like Cain & Abel can spoof the SSL certificate, mount a Man-In-The-Middle (MITM) attack and decrypt everything!
UDP Session Hijacking
Hijacking a session over the User Datagram Protocol (UDP) is exactly the same as over TCP, except that UDP attackers do not have to worry about the overhead of managing sequence numbers and other TCP mechanisms.
Because UDP is connectionless, injecting data into a session without being detected is extremely easy.
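The ACK storm described under "TCP ACK Packet Storms" above is visible to a defender as two endpoints repeating the same empty ACK to each other at high rate. The sketch below is an added example, not part of the original slides: it flags that pattern in packet records, and the record layout, addresses, `window` and `threshold` values are all constructed assumptions.

```python
from collections import defaultdict

def build_sample():
    """Constructed packet records: (time_s, src, dst, seq, ack, flags, payload_len)."""
    pkts = []
    for i in range(5):  # benign flow: data segments, each answered by an advancing ACK
        pkts.append((i * 0.1, "10.0.0.5:40000", "10.0.0.9:80", 100 + i * 50, 900, "PA", 50))
        pkts.append((i * 0.1 + 0.01, "10.0.0.9:80", "10.0.0.5:40000", 900, 150 + i * 50, "A", 0))
    for i in range(20):  # desynchronised flow: both ends repeat the same empty ACK
        t = 2.0 + i * 0.002
        pkts.append((t, "10.0.0.7:40100", "10.0.0.9:23", 1000, 5000, "A", 0))
        pkts.append((t + 0.001, "10.0.0.9:23", "10.0.0.7:40100", 5000, 1010, "A", 0))
    return pkts

def detect_ack_storms(packets, window=1.0, threshold=10):
    """Return {(host_a, host_b): peak count of repeated empty ACKs within `window` seconds}.

    window and threshold are assumed starting values; tune them per network, since
    a few duplicate ACKs are normal after packet loss (fast retransmit uses three).
    """
    seen = defaultdict(int)      # (src, dst, seq, ack) -> times this exact empty ACK was seen
    repeats = defaultdict(list)  # sorted endpoint pair -> timestamps of repeated ACKs
    for t, src, dst, seq, ack, flags, plen in packets:
        if flags != "A" or plen != 0:
            continue             # only pure ACKs carrying no data are of interest
        key = (src, dst, seq, ack)
        seen[key] += 1
        if seen[key] > 1:        # same seq/ack again: the sender's view has not advanced
            repeats[tuple(sorted((src, dst)))].append(t)
    storms = {}
    for pair, times in repeats.items():
        times.sort()
        lo = peak = 0
        for hi, t in enumerate(times):  # sliding time window over the repeat timestamps
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            storms[pair] = peak
    return storms

if __name__ == "__main__":
    for pair, count in detect_ack_storms(build_sample()).items():
        print(f"possible ACK storm between {pair[0]} and {pair[1]}: {count} repeated ACKs")
```

On the constructed sample only the desynchronised pair is reported; the benign flow, whose ACK numbers keep advancing, is not.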