OSI: Securing the Stack, Layer 5 -- session hijacking


Michael Gregg
01.02.2006
Layer 5 of the OSI model is the session layer. The session layer sets up, manages and terminates exchanges and conversations. Since Layer 5 deals with session and connection coordination, this month's article discusses session hijacking.

Session hijacking occurs when an attacker attempts to take over an established TCP session between two computers. The basic steps of session hijacking are:

  1. Find a target with an active session.
  2. Guess the sequence numbers.
  3. Take one of the users offline.
  4. Take over the session.

Session hijacking is not new. Probably the most famous session hijack was the one performed by Kevin Mitnick on Christmas day 1994. This incident led to an increased awareness of the vulnerabilities that make session hijacking possible. The goal of session hijacking is to steal an authenticated connection to an active system. If the attacker is successful, he will have the ability to execute commands locally. If he hijacks a privileged account, the attacker will have the same level of access as the privileged user.

What makes session hijacking so dangerous is that there will be little evidence of an attack, because the exploit allows control of an existing account. Two of the tools used for session hijacking are Ettercap and Hunt.

The steps of session hijacking

The first step of this attack requires the attacker to find an active session, which means sniffing traffic on the subnet. He will be looking for an established TCP session such as FTP. If the network uses a hub, sniffing is trivial; on a switched network the attacker must first perform Address Resolution Protocol (ARP) poisoning.

Next, the attacker must be able to guess the correct sequence number. Remember that a fundamental design principle of TCP is that every byte of data transmitted has a sequence number. The sequence number is used to keep track of the data and to provide reliability. An initial sequence number is generated at the first step of the TCP handshake, and the destination system uses this value to acknowledge the bytes sent. The sequence number field is 32 bits long, which means there are about 4,294,967,295 possible sequence numbers. Once a sequence number has been agreed to, the count increments by one for each byte of data. Years ago, sequence number prediction was much easier because operating system vendors did not generate initial sequence numbers randomly enough. Modern operating systems have improved on this. If you are curious how your systems produce initial sequence numbers, tools such as Nmap can help you gauge the difficulty of predicting them for any particular operating system.
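The following added example (not from the article) turns the point about initial sequence number randomness into an audit check: given ISNs sampled from one of your own hosts, it estimates how many bits an observer would still have to guess. The metric is a constructed simplification of the kind of predictability index Nmap reports, not Nmap's formula, and both sample sets are constructed rather than captured.

```python
import math
import statistics
from functools import reduce
from typing import List

MOD = 2 ** 32  # the TCP sequence number field is 32 bits wide

def isn_steps(isns: List[int]) -> List[int]:
    """Signed step between consecutive ISNs, modulo 2^32. A step larger than
    half the space is read as a small negative step (the counter wrapped)."""
    steps = []
    for prev, cur in zip(isns, isns[1:]):
        d = (cur - prev) % MOD
        steps.append(d - MOD if d > MOD // 2 else d)
    return steps

def step_gcd(isns: List[int]) -> int:
    """GCD of the absolute steps; a large GCD exposes a fixed-increment generator."""
    return reduce(math.gcd, (abs(s) for s in isn_steps(isns)), 0)

def unpredictability_bits(isns: List[int]) -> float:
    """Rough number of ISN bits an observer would still have to guess.
    Constructed metric, not Nmap's exact formula: log2 of the standard deviation
    of the steps, clamped to [0, 32]. 0 means the next ISN follows from the last
    one; values near 32 mean the ISNs look uniformly random."""
    steps = isn_steps(isns)
    if len(steps) < 2:
        raise ValueError("need at least three ISN samples")
    sd = statistics.pstdev(steps)
    return 0.0 if sd < 1 else min(32.0, math.log2(sd))

def classify(isns: List[int]) -> str:
    bits = unpredictability_bits(isns)
    if bits == 0.0:
        return "fixed increment of %d: trivially predictable" % step_gcd(isns)
    if bits < 16:
        return "weakly random: predictable with a modest number of guesses"
    return "random: guessing is impractical"

# Constructed samples, not captured traffic: an old-style stack that bumps its
# ISN by a constant 64000 per connection, and a modern stack whose ISNs look random.
OLD_STACK = [1000000 + 64000 * i for i in range(8)]
MODERN_STACK = [0x8F3A21C7, 0x1B99E04D, 0xC4027A10, 0x5E71FF3B,
                0xA2D0481E, 0x0C4E9BB2, 0xF13D5560, 0x37AB0C9D]

if __name__ == "__main__":
    for name, sample in (("old", OLD_STACK), ("modern", MODERN_STACK)):
        print(name, round(unpredictability_bits(sample), 1), classify(sample))
```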

Once the sequence number has been determined, the attacker is ready to take the legitimate user offline. Techniques for this include denial of service, source routing, or sending a reset to the user. No matter which technique is used, the objective is to get the user out of the communication path and trick the server into believing that the attacker is the legitimate client.

If these steps have been successful, the attacker now has control of the session. As long as the session is maintained, the attacker has authenticated access, which can be used to execute commands locally in an attempt to extend the attacker's position further.

Preventing and detecting session hijacking

There are two main mechanisms for dealing with hijacking problems: prevention and detection. Preventive measures include limiting incoming connections and also configuring your network to reject packets from the Internet that claim to originate from a local address.

Encryption can also help. If you must allow outside connections from trusted hosts, use Kerberos or IPsec. Use more secure protocols; FTP and Telnet are the most vulnerable, and Secure Shell (SSH) is a good alternative because it establishes an encrypted channel between the local and remote host.

Detection can be improved by using an IDS or IPS. The use of switches, protocols such as SSH, and more random initial sequence numbers have made session hijacking more difficult. Still, network administrators shouldn't be lulled into a sense of security. While session hijacking may not be as easy as in the past, it still represents a potential threat. Network attacks that allow someone to have an authenticated connection to one of your systems need to be dealt with!
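As an added example of the detection side (not from the article or any particular IDS product), the code below runs two heuristics over a list of packet records: an endpoint whose source MAC or IP TTL changes in the middle of a TCP session, and a run of empty ACKs, the "ACK storm" that results when the real client and an impostor both keep answering the server. The Packet structure, thresholds and sample records are constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Packet:
    src_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ttl: int
    flags: str        # TCP flags as letters: "PA" = PSH+ACK, "A" = bare ACK
    payload_len: int

def detect_hijack_indicators(packets: List[Packet], ack_burst: int = 6) -> List[str]:
    """Two heuristics (chosen here, not taken from any particular IDS): an endpoint's
    source MAC or IP TTL changing mid-session (a host spoofing the client's IP on the
    same segment still sends from its own MAC, often with a different TTL), and a run
    of payload-less ACKs, the 'ACK storm' seen when client and impostor both answer."""
    alerts: List[str] = []
    identity: Dict[Tuple, Tuple[str, int]] = {}   # (flow, ip) -> (mac, ttl) first seen
    empty_acks: Dict[Tuple, int] = defaultdict(int)
    for p in packets:
        # Sort the endpoints so both directions of a session share one flow key.
        key = tuple(sorted([(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)]))
        who, ident = (key, p.src_ip), (p.src_mac, p.ttl)
        if who not in identity:
            identity[who] = ident
        elif identity[who] != ident:
            alerts.append("identity change for %s: %s -> %s" % (p.src_ip, identity[who], ident))
        if p.flags == "A" and p.payload_len == 0:
            empty_acks[key] += 1
            if empty_acks[key] == ack_burst:
                alerts.append("ACK storm on %s: %d consecutive empty ACKs" % (key, ack_burst))
        else:
            empty_acks[key] = 0
    return alerts

# Constructed sample (not captured traffic): 10.0.0.5 talks to a telnet server on
# 10.0.0.9, a third host injects a segment as 10.0.0.5, then an ACK storm follows.
C, S = ("10.0.0.5", 40312), ("10.0.0.9", 23)
def pkt(mac, src, dst, ttl, flags, ln):
    return Packet(mac, src[0], src[1], dst[0], dst[1], ttl, flags, ln)
SAMPLE = [
    pkt("aa:00:00:00:00:05", C, S, 64, "PA", 12),   # legitimate client command
    pkt("aa:00:00:00:00:09", S, C, 64, "PA", 40),   # server reply
    pkt("aa:00:00:00:00:66", C, S, 128, "PA", 9),   # same IP/port, other MAC and TTL
] + [pkt("aa:00:00:00:00:05", C, S, 64, "A", 0),
     pkt("aa:00:00:00:00:09", S, C, 64, "A", 0)] * 3  # six empty ACKs in a row
```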

About the author:
Michael Gregg has more than 15 years of experience in IT. He is the president of Superior Solutions Inc., a Houston-based training and consulting firm. Michael is an expert on networking, security and Internet technologies. He holds two associate degrees, a bachelor's degree and a master's degree. He presently maintains the following certifications: MCSE, MCT, CTT, A+, N+, CNA, CCNA, CIW Security Analyst and TICSA.
