Demonstration: Session hijacking

• TCP/IP weaknesses have been known for decades
  • A Weakness in the 4.2BSD Unix (tm) TCP/IP Software by Robert Tappan Morris, 1984
  • Security Problems in the TCP/IP Protocol Suite by Steven Bellovini, 1989
  • Technical details of the attack described by Markoff in NYT (Usenet news post on IP spoofing incident, January 1995
  • Playing redir games with ARP and ICMP
  • A Short Overview of IP spoofing: PART I
  • A Short Overview of IP spoofing: PART II
  • Simple Active Attack Against TCP
• Dug Song's dsniff includes ARP redirection to facilitate sniffing in switched environments (often switches are used for security, which is a mistake)
• Tools like Juggernaut (1.02 patch) and hunt are making these once sophisticated attacks very easy -- future versions will deal with switches/routers better, probably add ICMP redirection support, be even easier to use... 
    
  Capture the Flag, Euro style, @ DEFCON 6.0
  Copyright © 1998, David Dittrich (All rights reserved)  

• Anatomy of a Hijack
• Counter-measures (in order of difficulty)
  • Allow only encrypted terminal sessions/file transfers (e.g, SSH, Kerberized telnet and ftp w/encryption enabled -- The UWICK CD-ROM has clients for Windows/Mac, source available for Unix)
  • Use arpwatch to keep track of ethernet/IP address pairings
  • Turn off ARP and use static ARP tables
  • Or if you really want to go crazy trying to detect these attacks, see: Implementing A Generalized Tool For Network Monitoring, by Marcus J. Ranum, et al, Network Flight Recorder, Inc.

[Next] | [Prev] | [Top]