Firewall Wizards mailing list archives
Re: Session hijacking, source-routes
From: Cohen Liota <cohen_liota () securecomputing com>
Date: Wed, 10 Feb 1999 16:40:11 -0500
The simple answer is yes. Yes, but it does depend on certain conditions, namely the predictability of the initial connection sequence numbers. I find a fair test of this to telnet or ftp to the system in question and run a tcpdump watching for the initial connect, then drop the connection, wait fifteen minutes, do the same, and in another fifteen minutes once more. Compare the sequence numbers, and if you see that the sequence numbers increment in a predictable pattern, your sessions can be hijacked.

A typical attack usually looks something like this:

1. C SYN-floods B's port we are impersonating.
2. C sends a normal SYN to a port on A.
3. A returns a SYN-ACK to C containing A's current Initial Sequence Number.
4. A internally increments the ISN. This is done differently in different OSes; BSDs, HPUX, Irix, SunOS etc. usually increment by x for each connection and double each second.

Now we can guess the ISN A will pick for the next connection, so let's spoof:

5. C sends a SYN to A, source spoofed as B.
6. A sends a SYN-ACK to B, containing the ISN (C cannot see this, but it doesn't matter because we have _guessed_ the ISN).
7. Here B WOULD have responded to A with a RST since it has no clue on why he got the SYN-ACK, but since we in 1. SYN-flooded the port, it won't respond at all.
8. Now C sends an ACK to A, source spoofed as B, containing the guessed ISN+1. Provided that the guess was correct, A now thinks there is a fully set up TCP connection between A and B. We can do whatever we want from now on, blindly of course.
9. C sends 'echo + + >>/.rhosts' to port 514 on A, spoofed as if coming from B.
10. If root on A had computer B in /.rhosts, that's it, game over.
11. C is nice and sends a FIN to A.
12. C is brutal and sends a RST to A just to clean things up.
13. C is nice and RSTs the SYN-flooded port on B, leaving no traces.

There is also a decent paper by Laurent Joncheray; if you would like, I can send it.

Hope that helps clear it up for you,
Cohen

At 09:44 AM 2/10/99 -0600, you wrote:
Can a TCP session be hijacked if the target system rejects source-routed IP packets? If I understand the process correctly, the attacker quells the legitimate client with a DOS attack and gets the server to route the packets to himself instead after having observed the proper sequence numbers to use. (No real significance to use of client/server here -- could work against either end of the TCP connection.) If my f/w rejects all source-routed packets, are its connections immune to session hijacking, or does this (or can this) work another way? -- KH
---
Cohen Liota
Information Security Specialist
Secure Computing Corporation
+1.416.815.3041 - voice
+1.416.815.3001 - fax
cohen_liota () securecomputing com
http://www.securecomputing.com/
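The "fair test" Cohen describes (connect three times, fifteen minutes apart, and compare the SYN-ACK sequence numbers) as an added Python example; this is not code from the original post or its author. It parses constructed tcpdump-style lines in the modern `Flags [S.], seq N` format (the captures below are made up for illustration, including the 128000/second rate of the "predictable" host) and reports whether the probed host's ISN advances at a near-constant rate, which is the condition the post says makes its sessions hijackable.

```python
import re

# Constructed tcpdump-style SYN-ACK lines from a probed host (10.0.0.5, telnet)
# to the tester (10.0.0.9), one connection every fifteen minutes. The ISN in
# this sample advances by exactly 128000 per second: a predictable generator.
PREDICTABLE_CAPTURE = """\
16:00:01.000000 IP 10.0.0.5.23 > 10.0.0.9.40001: Flags [S.], seq 1000000, ack 7001, win 8760
16:15:01.000000 IP 10.0.0.5.23 > 10.0.0.9.40002: Flags [S.], seq 116200000, ack 7001, win 8760
16:30:01.000000 IP 10.0.0.5.23 > 10.0.0.9.40003: Flags [S.], seq 231400000, ack 7001, win 8760
"""

# Same test against a host whose ISNs were constructed to look random.
RANDOM_CAPTURE = """\
16:00:01.000000 IP 10.0.0.6.23 > 10.0.0.9.40004: Flags [S.], seq 2913845710, ack 7001, win 8760
16:15:01.000000 IP 10.0.0.6.23 > 10.0.0.9.40005: Flags [S.], seq 184337, ack 7001, win 8760
16:30:01.000000 IP 10.0.0.6.23 > 10.0.0.9.40006: Flags [S.], seq 3300182399, ack 7001, win 8760
"""

# Timestamp, endpoints, and the sequence number of a SYN-ACK ("Flags [S.]").
SYNACK_RE = re.compile(
    r'^(\d{2}):(\d{2}):(\d{2})\.(\d+) IP (\S+) > (\S+): Flags \[S\.\], seq (\d+)'
)


def parse_synacks(capture):
    """Return a list of (seconds_since_midnight, isn) for each SYN-ACK line.
    Assumes all samples fall within one calendar day."""
    samples = []
    for line in capture.splitlines():
        m = SYNACK_RE.match(line)
        if not m:
            continue  # skip anything that is not a SYN-ACK
        hh, mm, ss, frac = m.group(1), m.group(2), m.group(3), m.group(4)
        t = int(hh) * 3600 + int(mm) * 60 + int(ss) + int(frac) / 10 ** len(frac)
        samples.append((t, int(m.group(7))))
    return samples


def isn_increments(samples):
    """(elapsed seconds, ISN advance) between consecutive samples, with the
    ISN difference taken modulo 2**32 since the sequence space wraps."""
    return [(t1 - t0, (i1 - i0) % 2 ** 32)
            for (t0, i0), (t1, i1) in zip(samples, samples[1:])]


def classify(samples, tolerance=0.05):
    """'predictable' when the ISN advance per second is the same (within
    `tolerance`) across all intervals, otherwise 'unpredictable'."""
    rates = [adv / dt for dt, adv in isn_increments(samples) if dt > 0]
    if len(rates) < 2:
        return 'insufficient data'  # need at least three connections
    mean = sum(rates) / len(rates)
    if mean == 0:
        return 'predictable'  # the ISN never moves at all
    spread = max(abs(r - mean) for r in rates) / mean
    return 'predictable' if spread <= tolerance else 'unpredictable'


if __name__ == '__main__':
    for name, cap in (('host A', PREDICTABLE_CAPTURE), ('host B', RANDOM_CAPTURE)):
        s = parse_synacks(cap)
        print(name, classify(s), [adv for _, adv in isn_increments(s)])
```

Run it against your own capture by replacing the constructed strings with `tcpdump -n` output filtered to SYN-ACKs from the host under test; a "predictable" verdict is the finding that matters, and three samples is the minimum the test needs.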
Current thread:
- Session hijacking, source-routes Ken Hardy (Feb 10)
- Re: Session hijacking, source-routes Bennett Todd (Feb 10)
- Re: Session hijacking, source-routes Paul D. Robertson (Feb 10)
- Re: Session hijacking, source-routes Ken Hardy (Feb 11)
- Re: Session hijacking, source-routes Cohen Liota (Feb 11)
- <Possible follow-ups>
- Re: Session hijacking, source-routes Ryan Russell (Feb 10)