Hi,
I have heard of connections being hijacked. I just wanted to know how this works and any other information related to this topic.
Go grab AntiOnline Newsletter #6 for info about a tool, ettercap, that can do this.
Basically, an attacker puts him/herself in between a client and server, acting as a go-between. The attacker collects info and sometimes injects packets into the stream to gain control of a session.
taken from http://black.box.sk/articles/13/arphack.txt:
4: IP hijacking
Let's suppose I'm an ordinary computer user; I don't have security knowledge and I don't see the difference between telnet and ssh. I use telnet from home to start a session to my server. I enter my username and password. Then I will exchange data with the server without any form of authentication. An attacker who is able to sniff around will grab my SEQ/ACK numbers, reset my connection using ARP poisoning and then will insert commands in my place. He can easily place a backdoor on my server!! (mail [email protected] < /etc/shadow is enough :) But to stop the ACK storm interfering with his attack, a hacker must DoS me using ARP poisoning or any other DoS method like SYN flooding. Remember how Kevin Mitnick hacked Shimomura's network? Shimomura was using rlogin because, being the only owner of the network, he trusted every computer from within. Mitnick, situated outside the trusted zone, impersonated one of the trusted machines. He easily guessed seq/ack's because the older software was vulnerable to ID prediction. Today, DNS cache poisoning/IP spoofing from the Internet is hard because the right ID is very hard to predict. But there is ARP spoofing :). And I think that a multithreaded bruteforcer will work, if you are lucky enough :)
As the article says, it's a bit tricky, but not impossible. Unfortunately I couldn't find any defensive white papers on this subject. Anyone know where?
Here ya go -- Knock yerself out! :D
www.giac.org/practical/Donna_Shuart_GSEC.doc
www.faqs.org/rfcs/rfc1948.html
I would think that firewall policies that defend against certain addresses NOT appearing from external would be good, e.g. use private addressing internally with a DMZ and put in "anti-spoofing policies".
e.g.,
Internal Machine (192.168.1.4) ---> Router/Firewall1 (192.168.1.5/10.0.0.5) --------> Router/Firewall2 (10.0.0.5/valid Internet Addy)
Firewalls 1 and 2 should never see 192.168.1.x packets originating from external. Not a perfect solution but it does help stem some of the attack. ;)
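Added example, not from the thread or any poster: a small Python model of the anti-spoofing policy described above, applied to the two-firewall layout in the diagram. The firewall names, the "inside"/"outside" interface labels, the reserved-range list and the sample packets are constructed assumptions.

```python
import ipaddress

# Constructed model of the two-hop topology from the post above (assumption, not the poster's config).
# "inside" = networks that live behind this firewall; they may appear as a *source* only on the
# inside interface. "internet_edge" enables the extra RFC 1918/reserved-source ingress check.
FIREWALLS = {
    "fw1": {"inside": ["192.168.1.0/24"], "internet_edge": False},               # LAN <-> DMZ
    "fw2": {"inside": ["192.168.1.0/24", "10.0.0.0/24"], "internet_edge": True},  # DMZ <-> Internet
}
RESERVED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
            "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16"]

def _in_any(ip, cidrs):
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

def verdict(fw_name, iface, src_ip):
    """Return 'accept' or 'drop:<reason>' for a packet with source src_ip arriving on
    iface ('inside' or 'outside') of firewall fw_name."""
    fw = FIREWALLS[fw_name]
    src = ipaddress.ip_address(src_ip)
    inside_src = _in_any(src, fw["inside"])
    if iface == "outside":
        # Ingress anti-spoofing: our own address space never legitimately arrives from outside.
        if inside_src:
            return "drop:inside-source-from-outside"
        if fw["internet_edge"] and _in_any(src, RESERVED):
            return "drop:reserved-source-from-internet"
        return "accept"
    if iface == "inside":
        # Egress anti-spoofing: hosts behind us may only send with their own addresses.
        return "accept" if inside_src else "drop:spoofed-source-from-inside"
    raise ValueError(f"unknown interface {iface!r}")

# Constructed sample packets: (firewall, interface, source address).
SAMPLES = [
    ("fw2", "outside", "192.168.1.4"),   # LAN address claimed from the Internet
    ("fw2", "outside", "10.0.0.5"),      # DMZ address claimed from the Internet
    ("fw2", "outside", "172.16.9.9"),    # RFC 1918 source that should never route publicly
    ("fw2", "outside", "203.0.113.7"),   # ordinary Internet client
    ("fw1", "outside", "10.0.0.5"),      # DMZ router talking to the LAN: legitimate at fw1
    ("fw1", "inside", "192.168.1.4"),    # LAN host leaving with its own address
    ("fw1", "inside", "203.0.113.7"),    # LAN host forging an outside address
]

def audit():
    """Map each sample packet to the policy verdict it receives."""
    return {s: verdict(*s) for s in SAMPLES}

if __name__ == "__main__":
    for sample, v in audit().items():
        print(sample, "->", v)
```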