TCP Session Hijacking

This post is an introduction to TCP session hijacking.

Phases of session hijacking

Session Hijacking is divided in these phases:

  1. Tracking the connection
  2. Desynchronizing the connection
  3. Injecting the attacker’s packet

Step 1. Tracking the connection

The attacker uses a network sniffer to track the victim and host, or uses a tool like nmap to scan the network for a target whose TCP sequence numbers are easy to predict. After identifying a victim, the attacker captures the victim's sequence and acknowledgment numbers, because TCP checks the sequence/acknowledgment numbers of every segment. The attacker uses these numbers to construct packets.

There are two possibilities to determine sequence numbers:

  • Local session hijacking: sniff the traffic, find the ACK packet and determine the next sequence number from it. If you can access the network and sniff the TCP session, you can easily determine the sequence number.
  • Transmit the data with guessed sequence numbers. This method is not reliable.

Step 2. Desynchronizing the connection

TCP desynchronization is the technique used in TCP hijacking attacks. It is triggered when the sequence number of an incoming packet differs from the expected sequence number. Packets with an unexpected sequence number are discarded (or held in the buffer if they fall inside the current receive window).

A desynchronized state occurs when a connection between the target and host is established and one of these three situations holds:

  • There is no data transmission
  • The server’s sequence number is not equal to the client’s acknowledgment number
  • The client’s sequence number is not equal to the server’s acknowledgment number

In the desynchronized state, both endpoints discard the packets they receive, at which point a remote attacker can step in and supply packets with the correct sequence number. The attacker can even manipulate or modify the communication.

To force the desynchronization of the connection between the target and the host, the attacker must change the sequence number or acknowledgment number (SEQ/ACK) of the server.

Different ways to force desynchronization:

  1. The attacker sends null data to the server so that the server’s SEQ/ACK numbers will advance, while the target machine will not register the increment.

    For example, before desynchronization the attacker monitors the session without interfering, then sends a large amount of null data to the server. This data advances the ACK number on the server without affecting anything else, thus desynchronizing the server and the target.
  2. Send a reset flag to the server to bring down the connection on the server side. Ideally, it occurs in the early setup stage of the connection. The attacker’s goal is to break the connection on the server side and create a new connection with a different sequence number.

    The attacker waits for a SYN/ACK packet from the server to the host. On detecting it, the attacker immediately sends the server an RST packet followed by a SYN packet with exactly the same parameters (such as the port number) but a different sequence number. On receiving the RST, the server closes the connection with the target and opens another one based on the SYN packet, on the same port but with a different sequence number. After opening the new connection, the server sends a SYN/ACK packet to the target for acknowledgement.

    The attacker detects (but does not intercept) this packet and sends an ACK back to the server, which moves the server into the established state. The target, meanwhile, keeps conversing as before, having switched to the established state when it received the first SYN/ACK from the server. Both server and target are now in an established state, but desynchronized.
  3. An attacker can also use a FIN flag, but this makes the server respond with an ACK, giving the attack away through an ACK storm. The storm is caused by a flaw in this method of hijacking a TCP connection: when a host receives an unacceptable packet, it acknowledges it by sending the sequence number it expects. That acknowledgment is itself unacceptable to the other side and generates another acknowledgment, creating an endless loop for every data packet. The mismatch in SEQ/ACK numbers results in excess network traffic, with both the server and the target trying to establish the right sequence. Since these packets carry no data, they are not retransmitted if lost, and because TCP runs over IP, which may drop packets, the loss of a single packet ends the unwanted exchange between the server and the target.

An attacker can add the desynchronizing stage to the hijack sequence to deceive the target host. Without desynchronizing, the attacker injects data into the server while concealing his or her identity by spoofing an IP address. However, the attacker must then ensure that the server also responds to the target host.


TCP hijacking attacks aim to interrupt server-client or peer-to-peer communications. Many such attacks can be avoided by authenticating each TCP segment. It is also advisable to use the recommended configurations for your network devices.
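The desynchronization symptoms this section describes (a RST followed by a fresh SYN on the same connection, a sender whose sequence number the peer no longer expects, and a run of empty ACKs whose numbers never line up, i.e. an ACK storm) can be spotted passively from a capture. The detector below is an added example, not code from the original post or its sources; the segment records, addresses, ports and the storm threshold are all constructed assumptions, and the field names map onto whatever your capture tooling exposes.

```python
# Added example, not from the original post: a passive detector that replays
# TCP segment records (constructed here; the fields map to any packet
# capture) and flags the symptoms of desynchronization described above.
from collections import defaultdict

C, S = "10.0.0.5", "10.0.0.9"   # constructed client and server addresses

def seg(src, dst, flags, seq, ack, length=0):   # one constructed segment record
    sport, dport = (40000, 80) if src == C else (80, 40000)
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": flags, "seq": seq, "ack": ack, "len": length}

def detect_desync(segments, storm_threshold=6):
    """Return (index, alert) pairs for segments showing desync symptoms."""
    alerts, expected, sent, last_flags, desynced = [], {}, {}, {}, set()
    storm = defaultdict(int)          # per connection: mismatched empty ACKs in a row
    for i, s in enumerate(segments):
        d, rev, f = (s["src"], s["dst"]), (s["dst"], s["src"]), s["flags"]
        nxt = s["seq"] + s["len"] + ("S" in f) + ("F" in f)   # SYN/FIN use one number
        if "S" in f:
            # method 2 above: RST to tear the connection down, then a new SYN
            if "R" in last_flags.get(d, ""):
                alerts.append((i, "RST followed by new SYN on same 4-tuple"))
            expected[d] = nxt
        elif d in expected and s["seq"] != expected[d]:
            # sequence number the peer will not accept: this side is desynchronized
            if d not in desynced:
                alerts.append((i, f"seq {s['seq']} but peer expects {expected[d]}"))
                desynced.add(d)
        else:
            expected[d] = nxt
            desynced.discard(d)
        sent[d] = nxt                 # what this side will send next
        conn = frozenset((d, rev))
        # ACK storm: run of empty ACKs whose ack number never matches the peer's seq
        if f == "A" and s["len"] == 0 and rev in sent and s["ack"] != sent[rev]:
            storm[conn] += 1
            if storm[conn] == storm_threshold:
                alerts.append((i, "possible ACK storm"))
        else:
            storm[conn] = 0
        last_flags[d] = f
    return alerts

SAMPLE = [   # constructed trace: handshake, data, spoofed RST + SYN, then the storm
    seg(C, S, "S", 1000, 0), seg(S, C, "SA", 5000, 1001), seg(C, S, "A", 1001, 5001),
    seg(C, S, "PA", 1001, 5001, 20), seg(S, C, "A", 5001, 1021),   # normal data + ACK
    seg(C, S, "R", 1021, 5001), seg(C, S, "S", 9000, 0),            # spoofed RST, new SYN
    seg(S, C, "SA", 7000, 9001), seg(C, S, "PA", 1021, 5001, 10),  # real client continues
] + [seg(S, C, "A", 7001, 9001), seg(C, S, "A", 1031, 5001)] * 3    # both sides re-ACK
```

Running `detect_desync(SAMPLE)` reports the RST/SYN pair, the real client's now-unacceptable sequence number, and the ACK storm once six mismatched empty ACKs have alternated.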

Step 3. Injecting the attacker’s packet

Once the attacker has interrupted the connection between the server and the target, he or she can either inject data into the network or actively participate as the man-in-the-middle, passing data from the target to the server and vice versa, while reading and injecting data at will.
