Security Basics mailing list archives

Fwd: FW: session-hijacking is still available?


From: "crawford charles" <biv0uac17 () hotmail com>
Date: Fri, 04 Apr 2003 18:46:37 +0000

I had thought that the original thesis was that for older TCP implementations, an attacker could make a reasonable guess about the starting sequence number of a new TCP session, given the sequence numbers for a previous one (i.e. one he could observe). Then he would attempt to hijack a subsequent TCP session that he might not be able to observe, but could predict or infer. Newer TCP implementations start the sequence number for each new session at a random value, and increment from there. But sequence numbers still have to increment monotonically (presumably by the number of bytes in each TCP PDU).

If an attacker can monitor the link between the client and server of a TCP session in real-time, and can inject packets "fast enough", he can still hijack a session, as the sequence numbers for the hijacked session will be directly observable. The counter to this level of attack is to encrypt, preferably at the IP layer (one can still encrypt at the TCP layer, preventing the hijacker from doing anything "useful", but the victim session is still disrupted -- DoS).



-----Original Message-----

From: SB CH [mailto:chulmin2 () hotmail com]
Sent: Thursday, April 03, 2003 8:44 PM
To: security-basics () securityfocus com
Subject: session-hijacking is still available?


Hello, all.

If an attacker can do session hijacking, he can know the seq number change,
ack seq number change, something like that.
But I have heard that modern systems like Linux kernel 2.4.x or OpenBSD
produce almost random seq numbers, so session hijacking is almost impossible
these days.

Is it true or not?
Can anyone still do session hijacking using a session hijacking program like
hunt?

Thanks in advance.




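Added example, not part of either message: a small audit of initial sequence numbers (ISNs) recorded from your own host, scoring how far each ISN follows from the previous one, plus the receiver-side window check that explains why randomized ISNs only help against an attacker who cannot observe the session. The two generators, the step size, the secret and all sample values are constructed simplifications, not any real stack's algorithm.

```python
from collections import Counter
import hashlib
import struct

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def legacy_isn(n, start=1_000_000, step=64_000):
    """Simplified model of an older stack: fixed step per new connection."""
    return (start + n * step) % MOD


def randomized_isn(n, secret):
    """Stand-in for a modern stack: keyed hash, opaque without the secret."""
    digest = hashlib.sha256(secret + struct.pack("!I", n)).digest()
    return struct.unpack("!I", digest[:4])[0]


def predictability(isns):
    """Share of successive ISN deltas (mod 2^32) equal to the most common delta.

    1.0 means every ISN follows from the one before it; a value near
    1/len(deltas) means no delta repeats at all.
    """
    deltas = [(b - a) % MOD for a, b in zip(isns, isns[1:])]
    if not deltas:
        raise ValueError("need at least two ISNs")
    return Counter(deltas).most_common(1)[0][1] / len(deltas)


def in_window(seq, rcv_nxt, rcv_wnd):
    """Receiver's acceptance test: seq in [rcv_nxt, rcv_nxt + rcv_wnd), mod 2^32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def blind_guess_odds(rcv_wnd):
    """Chance that one uniformly random 32-bit guess lands in the window."""
    return rcv_wnd / MOD


# Constructed samples: 20 consecutive connections per modelled stack.
LEGACY_SAMPLE = [legacy_isn(n) for n in range(20)]
RANDOM_SAMPLE = [randomized_isn(n, b"constructed-demo-secret") for n in range(20)]

if __name__ == "__main__":
    print("legacy score    :", predictability(LEGACY_SAMPLE))
    print("randomized score:", predictability(RANDOM_SAMPLE))
    print("blind guess odds, 64 KiB window:", blind_guess_odds(65535))
```

A score near 1.0 on ISNs captured from your own server indicates the predictable behaviour described for older implementations; the window check is independent of how the ISN was chosen, which is why the reply recommends encryption against an observer on the link.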

