Security Basics mailing list archives
Re: session-hijacking is still available?
From: John Fastabend <jfastabe () up edu>
Date: Mon, 7 Apr 2003 00:37:11 -0700 (PDT)
> Hello, all.

Hello.

> If attacker can do session hijacking, he can know the seq number change, ack seq number change, something like that.

Only if he is spoofing from somewhere where he can sniff this information off the wire. For example, if he is on the same network or has manipulated routing information so that the packet is passed through his system on its way to its destination.

> But I have heard that modern systems like Linux kernel 2.4.x or OpenBSD produce almost random seq numbers, so session hijacking is almost impossible these days. Is it true or not?

Most operating system engineers have caught on to the fact that the random number generator for initial sequence numbers is not good enough and have fixed this. This will not stop an attacker, though, from session hijacking if he has the packet going through his computer on the way to its destination, because all he has to do is read the ack and seq numbers as they go through his computer. It does, though, make it significantly harder to predict the sequence numbers of packets that are not passing through your computer. This is called blind spoofing. The problem before was that I could guess what the next number was going to be and then I didn't even have to see the packet at all. This is very bad. So some people have been trying to fix this.

> Can anyone still do session hijacking using a session hijacking program like hunt?

I've never used hunt before so I don't know. But I would guess almost any session hijacking program will be able to hijack a session when it can read the packets off the wire (it's trivial). Whether or not it can hijack or start spoofed sessions from hosts where it can't see the packets, I don't know. It is possible for some operating systems. I've done some research on blind spoofing Windows 98 and an older Linux kernel and been successful. So it is possible; whether or not hunt can hijack blindly depends on the sophistication of the program and what OS it is trying to hijack, I would think.

> Thanks in advance.

No problem. If you have any more questions, send me an email. :)

John Fastabend
University of Portland
Computer Engineering Major
--
"Dependence on computers is apparently making a significant fraction of the population incurably stupid." -- Fritz Whittington
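
The difference between guessable and hard-to-guess initial sequence numbers discussed in the message above, as an added example that is not part of the original post. It contrasts a constructed fixed-step counter with the keyed scheme of RFC 6528 (ISN = M + F(4-tuple, secret)); the addresses, ports, secret, step size and the use of HMAC-SHA256 as F are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct

MASK32 = 0xFFFFFFFF

def legacy_isn(prev_isn: int, step: int = 64000) -> int:
    # Constructed model of a predictable generator: one global counter that
    # grows by a fixed step per connection, whoever the peer is.
    return (prev_isn + step) & MASK32

def tuple_offset(secret: bytes, laddr: str, lport: int, raddr: str, rport: int) -> int:
    # F(localip, localport, remoteip, remoteport, secretkey) from RFC 6528.
    # HMAC-SHA256 truncated to 32 bits is this example's choice of PRF.
    conn = (socket.inet_aton(laddr) + struct.pack("!H", lport)
            + socket.inet_aton(raddr) + struct.pack("!H", rport))
    return int.from_bytes(hmac.new(secret, conn, hashlib.sha256).digest()[:4], "big")

def rfc6528_isn(secret, laddr, lport, raddr, rport, clock_us: int) -> int:
    # ISN = M + F(...), where M is a timer that ticks every 4 microseconds.
    m = (clock_us // 4) & MASK32
    return (m + tuple_offset(secret, laddr, lport, raddr, rport)) & MASK32

def compare(secret: bytes, clock_us: int) -> dict:
    # Constructed scenario: an off-path host opens its own connection to the
    # server, then a different client connects 4 ms later.
    server = ("192.0.2.10", 22)
    observer = ("198.51.100.7", 40000)
    client = ("203.0.113.5", 51515)
    seen_legacy = legacy_isn(1_000_000)
    seen_keyed = rfc6528_isn(secret, *server, *observer, clock_us)
    next_keyed = rfc6528_isn(secret, *server, *client, clock_us + 4000)
    return {
        # Legacy: the other client's ISN is the observed one plus a known step.
        "legacy_gap": (legacy_isn(seen_legacy) - seen_legacy) & MASK32,
        # Keyed: the gap is 1000 clock ticks plus the difference of two secret
        # per-connection offsets, which the observer cannot compute.
        "keyed_gap": (next_keyed - seen_keyed) & MASK32,
        # Same 4-tuple: ISNs still advance with the clock, as TCP requires.
        "same_tuple_gap": (rfc6528_isn(secret, *server, *observer, clock_us + 4000)
                           - seen_keyed) & MASK32,
    }

if __name__ == "__main__":
    print(compare(b"constructed-demo-secret", 123_456_789))
```

Neither generator helps once the packets cross a host that can read them, since the seq and ack numbers are then visible on the wire.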