Re: TCP Hijacking (aka Man-in-the-Middle)

[Oliver <olivereatsolives () gmail com>]

I'd like to thank everyone for their responses. It took me a few days to
process all that and play around with those fancy tools. I think I hacked
this protocol, or at least manipulated it in a way it was designed not to.
It's likely that this is a trivial matter since the protocol is not used for
anything big and I'm only doing this for a class.

The protocol is text-based on top of TCP. It features a persistent TCP
connection, where once in a while the server pings the client with some
text, which has to respond with some text, and vice versa to make sure the
validity of the connection. I manipulated this by sending to the server some
pings and the client some pings, so that each party believes they are in
sync while they are really talking to me (no ack storm here either). The
number of pings for each was picked so that after this series of injected
packets, the sequence number of the server was out of sync by exactly the
amount of data that I want to send to the client (the spoofed packet), and
then I send it. This ensures that both sides believe they are in sync and do
not become disconnected at all, while the client has successfully accepted a
spoofed packet of mine.

I might sound like I'm repeating what was done 10 years ago. Has this been
done already (variations or attacks on application protocols)? What is it
called?

Thanks,
Oliver
On 10/25/07, Oliver <olivereatsolives () gmail com> wrote:
> Hello,
>
> I have been searching all over the place to find an answer to this
> question, but Google has made me feel unlucky these last few days. I hope I
> could find more expertise here. The burning question I have been pondering
> over is - could TCP connections be hijacked both ways? I know there are
> tools ( e.g. Hunt) that sniffs traffic and could arbitrarily reset a
> connection by spoofing the IP and MAC address. But could there be more than
> just that? Is it theoretically possible to not reset the connection with the
> server or the client, but play the man-in-the-middle attack?
>
> An example network scenario of this that I could come up with is that the
> hacker is within the same network as the victim (client), who is connected
> to a server through a persistent TCP connection. Now the hacker could
> pretend to be the server and send a TCP message (not reset/fin) to the
> client and change the seq/ack numbers on the client side, and the hacker
> could pretend to be the client and send a TCP message (not reset/fin) to the
> server and change the seq/ack there. Thus, the seq/ack numbers are
> completely out of sync for the client and server and thus would not
> recognize each others messages. At this point, the hacker could relay (
> i.e. be man-in-the-middle) the messages from the client to the server and
> vice versa, using the seq/ack numbers that they would accept. While this
> seems pretty pointless so far, the hacker could inject messages at will to
> either side of the connection, and still make the server and client believe
> that they are in sync with each other ( i.e. this would not work if the
> hacker does not relay the messages with the seq/ack numbers the server and
> client would accept). That means the hacker goes undetected and could do
> whatever he chooses, as he has "hijacked" the connection.
>
> Is this possible? Assuming there is no hardware limitation (e.g.
> router/switch blocking MAC/IP addresses from certain port). Would the TCP
> protocol definition and implementation in Windows and *nixes these days
> would interpret this behaviour correctly (correctly for the hacker,
> incorrectly for themselves)? I imagine it would be quite a bit of work
> proving this theory and perhaps some of you could enlighten me or dismiss
> this concept.
>
> Regards,
> Oliver
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/