
A packet sniffer (also known as a network analyzer or protocol analyzer or, for particular types of networks, an Ethernet sniffer or wireless sniffer) is computer software or computer hardware that can intercept and log traffic passing over a digital network or part of a network.
Sniffers are a powerful piece of software. They can place the hosting system's network card into promiscuous mode, in which the card accepts every frame it sees rather than only the frames addressed to it. On a hub every frame is repeated out every port, so everything in that collision domain is visible to the sniffer. A collision domain is the segment of the network in which frames from different hosts can collide with each other; a hub places all of its users in one shared collision domain, whereas a switch gives each port its own. Sniffing performed on a hub is known as passive sniffing: the attacker simply starts the sniffer and waits for someone in the same collision domain to send or receive data.

Ethernet switches are smarter. A switch learns which port each MAC address lives on and forwards a unicast frame only to that port, so a sniffer on a switch normally sees only broadcast frames and frames addressed to its own host. There are exceptions. A switch port can be configured to receive copies of all the frames in the broadcast domain; that kind of port spanning (mirroring) is done for administrative monitoring. An attacker can also attack the switch itself, as described below. Sniffing performed on a switched network is known as active sniffing.

Sniffers operate at the Data Link layer of the OSI model, so they do not have to play by the rules of the applications and services that reside further up the stack. They grab whatever they see on the wire and record it for later review, and they expose every field in a packet, including information that should remain hidden. Two things have nonetheless taken some of the mystique out of sniffing: switched networks have largely replaced hubs, and far more traffic is encrypted than in the past. HTTPS (HTTP over SSL/TLS) has largely replaced cleartext Hypertext Transfer Protocol (HTTP), and Secure Shell (SSH) has replaced Telnet and File Transfer Protocol (FTP) for remote access and file transfer. With these barriers in place, we will see what an attacker must do to use a sniffer successfully.
[Active Sniffing]
For a sniffer to be used successfully, the attacker must be on the local network or at a prominent intermediary point, such as a border router, through which the traffic passes, and must know how to perform active sniffing. A switch limits the traffic a sniffer can see to broadcast frames and frames specifically addressed to the attached system; traffic between two other hosts is not normally forwarded to the switch port the sniffer is plugged in to. Media Access Control (MAC) flooding and Address Resolution Protocol (ARP) poisoning are the two ways an attacker can attempt to overcome the limitations imposed by a switch.
MAC flooding is an attempt to overload the switch's content addressable memory (CAM) table. Every switch builds a lookup table that maps MAC addresses to switch ports; this is how it knows which port to forward each frame out of. The problem is that in older or cheaper switches the memory for this table is limited. If the CAM table fills up and the switch can hold no more entries, some switches fail open: addresses they cannot learn are treated as unknown, and frames to unknown destinations are flooded out every port, just as a hub would do. This lets the attacker sniff traffic that would not otherwise be visible. The drawback is that the attacker is now injecting a large amount of traffic into the network, which can draw attention. With this type of attack the sniffer should run on a second system, because the one doing the flooding generates so many frames that it might be unable to perform a suitable capture. Tools used for this type of attack include:
EtherFlood EtherFlood floods a switched network with Ethernet frames with random hardware addresses. The effect on some switches is that they start sending traffic out on all ports so that you can sniff all the traffic on the network. EtherFlood can be downloaded from http://ntsecurity.nu/toolbox/etherflood.
SMAC A MAC spoofing tool that allows an attacker to spoof their MAC address. They can change their MAC address to any other value or manufacturer they would like. SMAC is available from www.klcconsulting.net/smac.
Macof Macof floods the LAN with frames carrying forged MAC addresses in the hope of overloading the switch. It can be downloaded from http://monkey.org/~dugsong/dsniff.
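The following simulation, added here as an illustration and not taken from EtherFlood, Macof or any real switch firmware, shows why a flood of forged source addresses works and why a switch with port security does not fail open. It models a switch with a small CAM table (capacity 8, aging time 10 ticks, three ports and the MAC addresses are all assumptions chosen for the example): Alice and Bob talk, the attacker on port 3 sprays forged addresses faster than entries age out, and when Bob speaks again the switch has no room to learn him, so Alice's next unicast frame to Bob is flooded to the attacker's port as well. With a limit of one MAC per port, the same flood disables the attacker's port instead.

```python
"""Simulated Ethernet switch: CAM-table exhaustion (fail-open flooding) versus port
security. Constructed model written for this page, not the code of any real switch
or flooding tool; capacity, aging time, port numbers and MACs are assumptions.
"""
import random

BROADCAST = "ff:ff:ff:ff:ff:ff"


def random_mac(rng):
    """Forge a random, locally administered unicast MAC (what a flooding tool sends)."""
    first = (rng.randrange(256) & 0xFE) | 0x02
    return ":".join(f"{b:02x}" for b in [first] + [rng.randrange(256) for _ in range(5)])


class Switch:
    def __init__(self, ports, cam_capacity, aging_time, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity            # entries the CAM table can hold
        self.aging_time = aging_time                # ticks before an idle entry is dropped
        self.max_macs_per_port = max_macs_per_port  # None: no port security
        self.cam = {}                               # MAC -> (port, last_seen)
        self.shutdown = set()                       # ports err-disabled by port security

    def _expire(self, now):
        for mac in [m for m, (_, seen) in self.cam.items() if now - seen > self.aging_time]:
            del self.cam[mac]

    def _learn(self, src, port, now):
        if src in self.cam:
            self.cam[src] = (port, now)             # refresh a known address
            return
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p, _ in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.shutdown.add(port)             # violation: too many MACs on one port
                return
        if len(self.cam) >= self.cam_capacity:
            return                                  # table full: the new MAC is not learned
        self.cam[src] = (port, now)

    def forward(self, src, dst, in_port, now):
        """Return the egress ports for a frame; an unknown destination is flooded."""
        if in_port in self.shutdown:
            return []
        self._expire(now)
        self._learn(src, in_port, now)
        if in_port in self.shutdown:
            return []
        if dst != BROADCAST and dst in self.cam:
            return [self.cam[dst][0]]
        return [p for p in self.ports if p != in_port and p not in self.shutdown]


ALICE, BOB = "00:11:22:33:44:01", "00:11:22:33:44:02"   # ports 1 and 2; attacker is on port 3


def run_attack(max_macs_per_port=None, frames_per_tick=5):
    """Alice and Bob talk, the attacker floods forged MACs faster than entries age out,
    then Bob and Alice talk again. Reports where Alice's unicast frame to Bob is sent."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=8, aging_time=10,
                max_macs_per_port=max_macs_per_port)
    rng = random.Random(7)
    sw.forward(ALICE, BROADCAST, 1, now=0)          # Alice's ARP request: learned on port 1
    sw.forward(BOB, ALICE, 2, now=1)                # Bob's reply: learned on port 2
    egress = None
    for now in range(2, 103):
        for _ in range(frames_per_tick):            # the flood keeps the table full
            sw.forward(random_mac(rng), random_mac(rng), 3, now)
        if now == 101:
            sw.forward(BOB, ALICE, 2, now)          # Bob speaks again after his entry aged out
        if now == 102:
            egress = sw.forward(ALICE, BOB, 1, now)
    return {"alice_to_bob_egress": egress,
            "bob_learned": BOB in sw.cam,
            "shutdown_ports": sorted(sw.shutdown)}


if __name__ == "__main__":
    print("no port security :", run_attack())
    print("port security (1):", run_attack(max_macs_per_port=1))
```

Without port security the result is a flood to ports 2 and 3, so the attacker's sniffer on port 3 receives Alice's frame to Bob; with one MAC allowed per port the attacker's port is shut down at the second forged address and Alice's frame goes only to port 2.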
[ARP Poisoning]
ARP poisoning is the second method that can be used to overcome a switch. A review of the ARP process will help in understanding how this is possible. Address Resolution Protocol is a helper protocol that is in many ways similar to the Domain Name System (DNS). DNS resolves known domain names to unknown IP addresses; ARP resolves known IP addresses to unknown MAC addresses. Both are two-step (request and reply) protocols. ARP is how network devices associate a MAC address with an IP address so that devices on the local network can find each other. As an analogy, think of MAC addresses as physical street addresses and IP addresses as names. You might know that a note is meant for Michael Gregg, but knowing the name is not enough: you need a street address to know where the note should be delivered. ARP serves that purpose and ties the two together. ARP is a simple protocol that consists of two message types:
An ARP Request Computer A asks the network, “Who has this IP address?”
An ARP Reply Computer B tells computer A, “I have that IP. My MAC address is XYZ.”
The developers of ARP lived in a much more trusting world than we do today, so they kept the protocol simple, and that simplicity is what makes ARP poisoning possible. When a system sends an ARP request, it simply trusts that the reply really comes from the device it asked about; ARP provides no way to verify that the responding device is who it claims to be. It is so trusting that many operating systems accept ARP replies even when no request was made. To reduce ARP traffic, systems keep an ARP cache that stores the IP address, the MAC address and a timer for each entry. The timer varies from vendor to vendor; for example, Microsoft systems have used 2 minutes and many Linux distributions 15 minutes. You can view your own ARP cache by issuing the arp -a command.
With the ARP process reviewed, you should be able to see how ARP spoofing works. The method involves sending phony ARP requests or replies to the victim and other devices on the segment in order to steer their traffic to the sniffing system. The hosts that receive the bogus ARP packets place the mapping in their ARP cache and from then on associate the spoofed device's IP address with the attacker's MAC address. The address being spoofed is usually the router's, so that the attacker captures all outbound traffic.
First, the attacker announces that the router's IP address maps to his MAC address. Second, the victim attempts to connect to an address outside the subnet; its ARP cache says the router's IP maps to the attacker's MAC, so the switch delivers the frames to the attacker's port. Finally, the attacker forwards the traffic on to the real router. With this setup in place, the attacker can carry out many kinds of man-in-the-middle attack: passing the packets on to their true destination, scanning them for useful information, or recording them for a session replay later. IP forwarding is a critical step in this process. Without it the victim's traffic is dropped at the attacker's host and the attack turns into a denial of service. Many tools exist for performing ARP spoofing attacks on both Windows and Linux. A few are introduced here:
Arpspoof Part of the Dsniff package of tools written by Dug Song. Arpspoof redirects packets from a target system on the LAN intended for another host on the LAN by forging ARP replies.
Ettercap One of the most feared ARP poisoning tools, because Ettercap can be used for ARP poisoning, passive sniffing, protocol decoding and packet grabbing. It is menu driven and fairly simple to use. As an example, ettercap -Nzs starts Ettercap in command-line mode (-N), skips the ARP storm normally used for host detection (-z), and passively sniffs IP traffic (-s). This outputs packets to the console in a format similar to WinDump or tcpdump; Ettercap exits when you type q. Ettercap can even be used to collect usernames and passwords with the -C switch. Other common switches include -N for non-interactive mode, -z to start in silent mode and avoid an ARP storm, and -a for ARP sniffing on switched networks.
Cain A multipurpose tool that has the capability to perform a variety of tasks, including ARP poisoning, Windows computer enumeration, sniffing, and password cracking. The ARP poisoning function is configured through a GUI interface.
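To make the request/reply exchange and the poisoning step concrete, here is an added example (written for this page, not code from Arpspoof, Ettercap or Cain) that encodes and decodes ARP frames with the RFC 826 layout and feeds them to a simulated host. The host's ARP cache behaves like the trusting stacks described above and accepts an unsolicited reply; a second run with that behaviour turned off shows the reply being ignored. The network (192.168.1.0/24, router .1, victim .10, attacker .66), the MAC addresses and the off-subnet destination are all made up for the example.

```python
"""ARP request/reply encoding and a simulated host whose ARP cache, like many real
stacks, accepts unsolicited replies. Constructed example for this page; the
addresses and the /24 subnet are assumptions.
"""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_FMT = "!HHBBH6s4s6s4s"          # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame (14 bytes) carrying a 28-byte ARP packet."""
    eth_dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,      # Ethernet / IPv4 / 6 / 4
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode the ARP fields of a frame; returns None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


class Host:
    """Minimal host: an ARP cache plus next-hop selection for outbound packets."""

    def __init__(self, mac, ip, gateway_ip, accept_unsolicited=True):
        self.mac, self.ip, self.gateway_ip = mac, ip, gateway_ip
        self.accept_unsolicited = accept_unsolicited   # the trusting behaviour the text describes
        self.cache = {}                                # ip -> mac
        self.pending = set()                           # ips we have an outstanding request for

    def arp_request(self, ip):
        self.pending.add(ip)
        return build_arp(ARP_REQUEST, self.mac, self.ip, "00:00:00:00:00:00", ip)

    def receive(self, frame):
        """Return True if the frame changed our cache."""
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != ARP_REPLY:
            return False
        if pkt["sender_ip"] not in self.pending and not self.accept_unsolicited:
            return False                               # hardened: ignore replies we never asked for
        self.cache[pkt["sender_ip"]] = pkt["sender_mac"]
        self.pending.discard(pkt["sender_ip"])
        return True

    def next_hop_mac(self, dst_ip):
        """Off-subnet packets go to whatever MAC the cache holds for the gateway."""
        on_link = dst_ip.startswith("192.168.1.")     # assumption: a /24 network
        return self.cache.get(dst_ip if on_link else self.gateway_ip)


ROUTER_MAC, ROUTER_IP = "00:aa:aa:aa:aa:01", "192.168.1.1"
ATTACKER_MAC, ATTACKER_IP = "00:bb:bb:bb:bb:66", "192.168.1.66"


def poison_demo(accept_unsolicited=True):
    victim = Host("00:cc:cc:cc:cc:10", "192.168.1.10", ROUTER_IP, accept_unsolicited)
    # 1. Legitimate resolution: the victim asks for the router and the router answers.
    victim.arp_request(ROUTER_IP)
    victim.receive(build_arp(ARP_REPLY, ROUTER_MAC, ROUTER_IP, victim.mac, victim.ip))
    before = victim.next_hop_mac("203.0.113.5")      # some address outside the subnet
    # 2. The attacker's unsolicited reply: "192.168.1.1 is at <attacker MAC>".
    accepted = victim.receive(build_arp(ARP_REPLY, ATTACKER_MAC, ROUTER_IP, victim.mac, victim.ip))
    after = victim.next_hop_mac("203.0.113.5")
    return {"before": before, "accepted": accepted, "after": after}


if __name__ == "__main__":
    print("trusting stack :", poison_demo())
    print("hardened stack :", poison_demo(accept_unsolicited=False))
```

After the spoofed reply the trusting victim sends every off-subnet packet to the attacker's MAC instead of the router's; whether the attacker then forwards those packets (man in the middle) or drops them (denial of service) is the IP-forwarding decision discussed above.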
Sniffers such as Ethereal (now Wireshark) can display captured traffic in several ways. Three main views are available:
Summary
Detail
Hex
The uppermost window is the summary display, one line per packet. The highlighted line shows the source and destination MAC addresses, the protocol that was captured (ARP), and the source and destination IP addresses. The middle window is the detail display, whose job is to reveal the contents of the highlighted packet; each field is preceded by a plus sign, and clicking it reveals more detail. The third and bottom window is the hex display, which represents the raw data in three columns. The numbers on the left are the hex offset of the first byte of each line; the middle column shows the hex value of each byte of the headers and the data; the right-hand column shows the sniffer's translation of the hex data into American Standard Code for Information Interchange (ASCII). The ASCII column is a good place to look for usernames and passwords.
An important feature of a sniffer such as Ethereal is the capability it has to set up filters to view specific types of traffic. Filters can be defined in one of two ways:
Capture filters Used when you know in advance what you are looking for. They restrict the type of traffic captured in the first place. For example, a capture filter of tcp port 80 captures only HTTP traffic.
Display filters Applied after the fact, to traffic that has already been captured. Although you might have captured all types of traffic, a display filter such as arp shows only the ARP packets.
Although Ethereal is useful for an attacker to sniff network traffic, it’s also useful for the security professional. Sniffers allow you to monitor network statistics and discover MAC flooding or ARP spoofing. Filters are used to limit the amount of captured data viewed and to focus on a specific type of traffic.
[Defense]
Sniffing is a powerful tool in the hands of an attacker, and as you have seen, many sniffing tools are available. Defenses can be put in place. Static ARP entries stop a host from accepting spoofed mappings, but they would have to be configured on every device connected to the network, which is rarely feasible. A more workable solution is port security: each switch is told which MAC addresses are allowed on each port, and how many, so a port that suddenly sources thousands of addresses is shut down rather than allowed to exhaust the CAM table. On a large network this is still time-consuming, and the decision has to weigh the need for security against the time and effort of implementing the defense. Use encryption: IPsec, VPNs, SSL/TLS and PKI all make it much harder for the attacker to sniff anything valuable. Tools such as Arpwatch, available on Linux and other Unix systems, keep track of Ethernet/IP address pairings and report unusual changes, such as an IP address suddenly answering from a different MAC. Even DNS spoofing can be defeated with DNS Security Extensions (DNSSEC), which digitally sign DNS replies so that their validity can be checked; RFC 4035 is a good reference for this defense.
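The detection side of the Arpwatch idea fits in a few dozen lines. The example below is added for this page and is not Arpwatch's own code: it parses the reply lines of a tcpdump-style ARP capture (the lines are constructed, reusing the fictitious 192.168.1.0/24 addresses from the earlier example), keeps the IP-to-MAC pairing table, and raises alerts in the spirit of Arpwatch's "new station", "changed ethernet address" and "flip flop" messages. Passing a static mapping for the gateway shows how a pinned entry turns the same traffic into a direct contradiction that is never applied.

```python
"""Arpwatch-style monitoring of IP-to-MAC pairings over ARP replies. Constructed
example for this page, not Arpwatch's code; the capture lines and addresses are
made up.
"""
import re

# Reply form of tcpdump's ARP output: "ARP, Reply <ip> is-at <mac>"
REPLY_RE = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


class PairingMonitor:
    def __init__(self, static=None):
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.current = dict(self.static)            # ip -> MAC currently believed
        self.history = {ip: {mac} for ip, mac in self.static.items()}

    def observe(self, line):
        """Feed one captured line; return an alert tuple or None."""
        m = REPLY_RE.search(line)
        if not m:
            return None                             # requests and non-ARP lines carry no claim
        ip, mac = m.group(1), m.group(2).lower()
        old = self.current.get(ip)
        if old is None:
            self.current[ip] = mac
            self.history[ip] = {mac}
            return ("new station", ip, mac)
        if old == mac:
            return None
        if ip in self.static:
            return ("static entry contradicted", ip, mac)   # a pinned mapping is never replaced
        kind = "flip flop" if mac in self.history[ip] else "changed ethernet address"
        self.history[ip].add(mac)
        self.current[ip] = mac
        return (kind, ip, mac)


def scan(lines, static=None):
    """Run every line through one monitor and return the alerts in order."""
    mon = PairingMonitor(static)
    return [alert for alert in map(mon.observe, lines) if alert is not None]


# Constructed capture: the router answers normally, then a second host starts
# answering for the router's address (ARP poisoning) and the two alternate.
SAMPLE = [
    "12:00:01.000001 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28",
    "12:00:01.000245 ARP, Reply 192.168.1.1 is-at 00:aa:aa:aa:aa:01, length 28",
    "12:00:03.120000 ARP, Reply 192.168.1.10 is-at 00:cc:cc:cc:cc:10, length 28",
    "12:00:05.000000 ARP, Reply 192.168.1.1 is-at 00:bb:bb:bb:bb:66, length 28",
    "12:00:07.000000 ARP, Reply 192.168.1.1 is-at 00:aa:aa:aa:aa:01, length 28",
    "12:00:09.000000 ARP, Reply 192.168.1.1 is-at 00:bb:bb:bb:bb:66, length 28",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
    print("with static gateway entry:",
          scan(SAMPLE, static={"192.168.1.1": "00:aa:aa:aa:aa:01"}))
```

The alternating "flip flop" alerts are the signature of a poisoning tool re-announcing the gateway while the real router keeps answering; a single "changed ethernet address" can also be a legitimate hardware replacement, which is why the first change and the oscillation are reported differently.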
[Session Hijacking]
Session hijacking is the theft of an existing, authenticated connection: the attacker relies on a legitimate user to connect and authenticate, then takes the session over. It is not a common attack, but when it succeeds it is extremely dangerous. It differs from spoofing, in which the attacker pretends to be another user or machine in order to gain access in the first place. Successful session hijacking is difficult and only possible when a number of factors are under the attacker's control. It can be active or passive depending on the degree of the attacker's involvement, and many tools exist to aid the attacker. Because it is so dangerous, strict protection is needed. This article focuses on ACK storms, TCP/IP methods, sequence number prediction, hijacking tools, the types of hijack, and the difference between spoofing and hijacking.

The whole point of session hijacking is to obtain an authenticated session on an active system. Hacking into a system is not always a trivial act; hijacking provides the attacker with a session that is already authenticated, in which he can then execute commands. The problem is that the attacker must first identify and locate a session. This is much easier when the attacker and the victim are on the same network segment: if both are on a hub, nothing more than passive sniffing is required, and if a switch is in use, active sniffing is required. Either way, if the attacker can sniff the sequence and acknowledgement numbers, a big hurdle has been overcome, because otherwise it would be difficult to calculate these numbers accurately. Sequence numbers are discussed in a later section. If the attacker and the victim are not on the same segment, blind sequence number prediction must be performed.
This is a more sophisticated and difficult attack because the sequence and acknowledgement numbers are unknown. To work around this, the attacker sends several packets to the server to sample its sequence numbers; if this activity is blocked at the firewall, the probe fails. Also, basic techniques were once used to generate sequence numbers, but that is no longer the case, because most operating systems now generate them randomly, making accurate prediction difficult. The defenses follow from this. Force all incoming connections from the outside world, and all connections to critical machines, to be fully encrypted; better still, encrypt all traffic on the network. Use encrypted protocols such as those in the OpenSSH suite: ssh replaces rlogin and telnet, scp replaces rcp, and sftp replaces ftp. The suite also includes sshd, the server side of the package, and utilities such as ssh-add, ssh-agent, ssh-keygen and sftp-server. Together these steps protect you and your information from this kind of hijacking.
[TCP/IP Hijacking]
TCP hijacking relies on the violation of the trust relationship between two interacting hosts. Let's take a look at the TCP stack and the IPv4 protocol to understand why this is possible.
(TCP stack)
When you access the Internet with a browser such as Internet Explorer, the browser works at the application layer and produces the data to be sent across the Internet. At the next layer down, the transport layer, the appropriate transport header is added; here it is a TCP header, because TCP is the protocol in use. TCP provides reliable delivery over inherently unreliable networks and also controls many aspects of initiating and managing the communication between the two hosts. At the network layer the IP header is added, and routers use it to carry the datagram from source to destination one hop at a time. The final layer, which communicates with the physical medium, is the data link layer. It is responsible for delivering signals from source to destination over the physical communication platform, here Ethernet, and it adds the frame header.
(IPv4)
At the destination the headers are peeled off in reverse order to reveal the original data. The original IPv4 standard did not address three basic security issues: authentication, integrity and privacy. Authentication was an issue because an attacker could easily spoof an IP address and exploit a session. Spoofing is not restricted to IP addresses; it extends to MAC addresses in ARP spoofing. An attacker sniffing a network could capture packets and carry out simple attacks such as changing, deleting, rerouting, adding, forging or diverting data. Perhaps the best known of these is the man-in-the-middle attack: an attacker grabs unencrypted traffic from a victim's network-based TCP application and tampers with its authenticity and integrity before forwarding it on to the unsuspecting target.
[Spoofing & Hijacking]
(SPOOFING)
Spoofing can be summed up in a single sentence: it is the technique of authenticating one machine to another by forging packets from a trusted source address. A spoofing attack differs from a hijack. In spoofing, the attacker is not taking another user offline to perform the attack; he pretends to be another user or machine in order to gain access. For example, if a host only allows certain IP addresses to connect and blocks all others, the attacker forges packets that appear to come from one of the allowed addresses; tools such as SMAC or BMACC do the equivalent at layer 2 by changing the attacker's MAC address. Blind IP spoofing involves predicting the sequence numbers the victimized host will send, in order to create a connection that appears to originate from a trusted host. Before exploring blind spoofing further, let us take a look at sequence number prediction.
TCP sequence numbers provide flow control and data integrity for TCP sessions. Every byte in a TCP session has a unique sequence number, and every TCP segment carries the sequence number of its first byte in the segment header. Numbering does not start at zero for each session. Instead, the participants each specify an initial sequence number (ISN) during the handshake, a different ISN for each direction, and number their bytes sequentially from there.
Blind IP spoofing relies on the attacker's ability to predict sequence numbers, because he is not on the same network segment and cannot sniff the communication between the two hosts. He cannot spoof a trusted host on a different network and see the reply packets, because the replies are not routed back to him. Nor can he resort to ARP cache poisoning, because ARP is a link-layer protocol and is not routed across the Internet. Since he cannot see the replies, he is forced to anticipate the victim's responses and to prevent the impersonated host from sending a RST to the victim. He then injects himself into the communication by predicting the sequence number the remote host expects from the trusted host. This technique is used to exploit trust relationships between users and remote machines; the services involved include NFS, NetBIOS, FTP and so on.
IP spoofing is relatively easy to accomplish. The only prerequisite for the attacker is root access on a machine, in order to create raw packets. To establish a spoofed connection the attacker must know which sequence numbers are in use, so IP spoofing forces him to predict the next sequence number.
The attacker can use this blind technique to send a command, but he can never see the response. A common command would be one that sets a password or otherwise allows access from elsewhere on the net. By SYN flooding the trusted host so that it cannot respond, the attacker establishes a short spoofed connection, which is then used to gain access through ordinary means.
IP spoofing can only be used against certain machines running certain services. Many flavors of Unix are viable targets. (This should not give you the impression that non-Unix systems are invulnerable to spoofing attacks. Most network services use IP-based authentication, and although RPC, the X Window System and the r services have problems inherent to Unix-based operating systems, other operating systems are not immune.)
The following configurations and services are known to be vulnerable:
Any device running Sun RPC
Any network service that uses IP address authentication
The X Window System from MIT
The r services
These are the essential steps that must be taken in a spoofing attack:
1. The cracker must identify his targets.
2. He must anesthetize the host he intends to impersonate.
3. He must forge the address of the host he’s impersonating.
4. He must connect to the target, masquerading as the anesthetized host.
5. He must accurately guess the correct sequence number requested by the target.
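The five steps above, and the sequence number prediction they depend on, are easier to follow as an exchange of messages. The simulation below is added for this page (it is a model of the technique, not an exploit against any real stack) and plays both sides: a server that generates ISNs the old way, adding a constant per connection, a trusted host that answers an unexpected SYN/ACK with a RST unless it has been SYN flooded, and an attacker who samples two ISNs from his own address, predicts the third, and completes a handshake with a forged source. The addresses, ports, the 64000-per-connection step, the rsh-style "run commands from trusted hosts" behaviour and the payload string are all assumptions of the example. A run against a random ISN generator, and a run in which the trusted host is not silenced, show the two ways the attack fails.

```python
"""Blind IP spoofing as a simulated TCP three-way handshake against a server with
predictable ISNs. Constructed for this page; addresses, ports, the ISN step, the
trust model and the payload are assumptions, not the behaviour of any real system.
"""
import random
from dataclasses import dataclass, field

MASK = 0xFFFFFFFF


class SequentialISN:
    """Old-style generator: each new connection's ISN is the previous one plus a constant."""

    def __init__(self, start=1_000_000, step=64_000):
        self.next_isn, self.step = start, step

    def __call__(self):
        isn = self.next_isn
        self.next_isn = (isn + self.step) & MASK
        return isn


class RandomISN:
    """What modern stacks approximate: an unpredictable 32-bit ISN per connection."""

    def __init__(self, seed=1):
        self.rng = random.Random(seed)

    def __call__(self):
        return self.rng.getrandbits(32)


@dataclass
class Server:
    isn_gen: object
    trusted_ips: set
    half_open: dict = field(default_factory=dict)   # (ip, port) -> our ISN, awaiting the ACK
    established: set = field(default_factory=set)
    executed: list = field(default_factory=list)

    def recv_syn(self, src_ip, src_port, seq):
        """SYN in -> SYN/ACK out; the reply is addressed to src_ip, whoever really sent the SYN."""
        isn = self.isn_gen()
        self.half_open[(src_ip, src_port)] = isn
        return {"to": src_ip, "port": src_port, "seq": isn, "ack": (seq + 1) & MASK}

    def recv_rst(self, src_ip, src_port):
        self.half_open.pop((src_ip, src_port), None)

    def recv_ack(self, src_ip, src_port, ack):
        """Third handshake packet: accepted only if it acknowledges our ISN exactly."""
        key = (src_ip, src_port)
        isn = self.half_open.get(key)
        if isn is None or ack != (isn + 1) & MASK:
            return False
        del self.half_open[key]
        self.established.add(key)
        return True

    def recv_data(self, src_ip, src_port, payload):
        """rsh-style trust: commands on an established connection from a trusted IP are run."""
        if (src_ip, src_port) in self.established and src_ip in self.trusted_ips:
            self.executed.append(payload)
            return True
        return False


@dataclass
class TrustedHost:
    ip: str
    syn_flooded: bool = False      # "anesthetized": backlog full, unable to answer

    def recv_synack(self, segment):
        """A SYN/ACK for a connection it never opened is normally answered with RST."""
        return None if self.syn_flooded else ("RST", segment["port"])


TRUSTED_IP, ATTACKER_IP = "10.0.0.5", "198.51.100.7"


def blind_spoof(isn_gen, silence_trusted=True, payload="grant login from attacker host"):
    server = Server(isn_gen, trusted_ips={TRUSTED_IP})
    trusted = TrustedHost(TRUSTED_IP, syn_flooded=silence_trusted)
    # 1. Sample: two real connections from the attacker's own address reveal the ISN step.
    s1 = server.recv_syn(ATTACKER_IP, 40000, seq=1)["seq"]
    server.recv_rst(ATTACKER_IP, 40000)
    s2 = server.recv_syn(ATTACKER_IP, 40001, seq=1)["seq"]
    server.recv_rst(ATTACKER_IP, 40001)
    predicted = (s2 + ((s2 - s1) & MASK)) & MASK
    # 2. Spoofed SYN with the trusted source. The SYN/ACK goes to the trusted host; the
    #    attacker never sees it, and the trusted host RSTs the attempt unless silenced.
    synack = server.recv_syn(TRUSTED_IP, 1023, seq=5000)
    reply = trusted.recv_synack(synack)
    if reply is not None:
        server.recv_rst(TRUSTED_IP, reply[1])
    # 3. Spoofed ACK carrying the guessed ISN+1, then the command.
    completed = server.recv_ack(TRUSTED_IP, 1023, (predicted + 1) & MASK)
    ran = server.recv_data(TRUSTED_IP, 1023, payload)
    return {"predicted": predicted, "actual": synack["seq"], "completed": completed, "executed": ran}


if __name__ == "__main__":
    print("sequential ISN, trusted host silenced:", blind_spoof(SequentialISN()))
    print("sequential ISN, trusted host awake   :", blind_spoof(SequentialISN(), silence_trusted=False))
    print("random ISN                            :", blind_spoof(RandomISN()))
```

Two of the five steps are visible as distinct failure points: if the trusted host is not anesthetized, its RST tears down the half-open connection before the forged ACK arrives; if the ISN is random, the forged ACK acknowledges the wrong number and is discarded.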
(HIJACKING)
Hijacking is when an attacker takes over an existing session, which means he relies on the legitimate user to make a connection and authenticate, and then takes the session over.
So the attacker is connected to the same network as the user and waits for the user to connect and do his work; if the user never connects, the attack fails. Unlike blind spoofing, where no session is open and the sequence numbers must be predicted, an attacker who can see the session simply reads them off the wire. Off the local segment, the traffic would get back to the attacker only through source routing, where the sender tells the network how to route the output and input of a session, and the attacker simply sniffs it as it passes by. Source routing is an IP option used today mainly by network managers to check connectivity: normally the path an IP packet takes is controlled by the routers and their current configuration, and source routing provides a means to override that control. When an attacker uses captured, reverse-engineered or brute-forced authentication tokens to take control of a legitimate user's session while it is in progress, the session is said to be hijacked. The legitimate user may lose access or be deprived of the normal functionality of the session, which now belongs to the attacker, who acts with the user's privileges. Most authentication occurs at the beginning of a TCP session, which is what makes it possible for an attacker who takes over the session afterwards to gain access to the target machine. A popular method is to use source-routed IP packets, which lets the attacker become part of the target-host conversation by forcing the packets to pass through his system. The attacker can also carry out the classic man-in-the-middle attack, using a sniffing program to monitor the conversation. A familiar element of TCP session hijacking is a denial-of-service (DoS) attack against the target host to stop it from responding, either by forcing the machine to crash or by degrading its network connection so that it suffers heavy packet loss.
Successful session hijacking is difficult and only possible when a number of factors are under the attacker's control. Knowledge of the ISN is the least of the attacker's challenges: he also needs a way to knock the legitimate user off the air at will, and a way to know the exact state of the user's session at the moment he mounts the attack. Both require far more knowledge about, and control over, the session than is normally possible. IP address spoofing attacks can only succeed when IP addresses are used for authentication, and neither IP spoofing nor session hijacking is possible when per-packet integrity checking is in place. Similarly, neither is possible when the session is encrypted with a protocol such as SSL or PPTP, because the attacker cannot take part in the key exchange. The essential requirements for hijacking unencrypted TCP communications can therefore be listed as: the presence of unencrypted session-oriented traffic; the ability to recognize TCP sequence numbers and predict the next sequence number (NSN); and the ability to spoof a host's MAC or IP address in order to receive communications not destined for the attacker's host. If the attacker is on the local segment, he can sniff the numbers, predict the next expected sequence number and have the traffic routed back to him by poisoning the ARP cache.
[How Session Hijacking is performed]
Session hijacking is performed in four steps:
1. Track the session.
2. Desynchronize the connection.
3. Reset the connection.
4. Inject your packets.
Let’s look closer at each step.
[Tracking the connection]
The attacker waits to find a suitable target and host. He uses a network sniffer to track the victim and the host, or identifies a suitable target by scanning with nmap for a system with trivial TCP sequence prediction. The aim is to capture the correct sequence and acknowledgement numbers, because TCP checks every packet against them; the attacker will later use these numbers to build his own packets.
[Desynchronizing the connection]
A connection between the target and the host is desynchronized when it is in the established state, with no data in transit, but the server's sequence number does not equal the client's acknowledgement number, or the client's sequence number does not equal the server's acknowledgement number. To desynchronize the connection, the attacker must change the server's sequence or acknowledgement number (SEQ/ACK). One way is to send null data to the server so that the server's SEQ/ACK numbers advance while the target machine does not register the change.
To do this, the attacker monitors the session without interfering until an opportune moment, then sends a large amount of "null data" to the server. This data serves only to advance the ACK number on the server and does not affect anything else. The attacker does the same thing to the target. Now both the server and the target are desynchronized.
[Resetting the connection]
Another trick is to send a reset flag to the server, tearing down the connection on the server side. This is usually done in the early setup stage. The goal is to break the connection on the server side and create a new one with a different sequence number.
The attacker listens for a SYN/ACK packet from the server to the host. On detecting the packet, he sends an RST to the server and a SYN packet with exactly the same parameters such as port number but a different sequence number. The server on receiving the RST packet, closes connection with the target, but initiates another one based on the SYN packet – with a different sequence number on the same port. Having opened a new connection, the server sends a SYN/ACK packet to the target for acknowledgement. The attacker detects (but does not intercept) this and sends back an ACK packet to the server. Now, the server is in the established state. The target is oblivious to the conversation and has already switched to the established state when it received the first SYN/ACK packet from the server. Now both server and target are in desynchronized but established state.
Because TCP runs over IP, the loss of a single packet puts an end to the unwanted conversation between the server and the target. The desynchronizing stage is added to the hijack sequence so that the target host is kept in the dark about the attack. Without desynchronizing, the attacker can still inject data into the server and even hide his identity by spoofing an IP address, but he will have to put up with the server's responses being relayed to the target host as well.
[Injecting your packets]
Now that the attacker has interrupted the connection between the server and target, he can choose to either inject data into the network or actively participate as the “man in the middle”, and pass data from the target to the server, and vice versa.
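The following simulation, added for this page as a model of the four steps rather than code from any hijacking tool, runs the injection against a pair of simulated TCP endpoints. Each endpoint applies simplified RFC 793 ESTABLISHED-state rules (no retransmission, no sequence wraparound; the ISNs, the 8192-byte window and the telnet-style payloads are assumptions): a segment outside the receive window, or one acknowledging bytes that were never sent, is dropped and answered with the receiver's own ACK. The attacker tracks one sniffed exchange, forges a command that continues the client's byte stream exactly, and the server delivers it; the server's acknowledgement then reaches the real client, which never sent those bytes, and the two ends fall into the ACK storm mentioned in the introduction. The client's next genuine command lands below the server's expected sequence number and is discarded, which is the desynchronization the text describes (the "null data" variant is the same forge with no-op bytes).

```python
"""Session hijack of a simulated TCP connection: sniff, inject as the client,
desynchronize the real client, and trigger an ACK storm. Constructed for this page
as a simplified model of RFC 793 ESTABLISHED-state processing (no retransmission,
no wraparound); ISNs, window size and payloads are assumptions.
"""


class Endpoint:
    def __init__(self, name, isn, peer_isn, wnd=8192):
        self.name = name
        self.snd_nxt = isn + 1          # the SYN consumed one sequence number
        self.rcv_nxt = peer_isn + 1
        self.wnd = wnd
        self.delivered = []             # data passed up to the application
        self.log = []

    def segment(self, data=b""):
        """Build a segment with our current numbers; data consumes sequence space."""
        seg = {"src": self.name, "seq": self.snd_nxt, "ack": self.rcv_nxt, "data": data}
        self.snd_nxt += len(data)
        return seg

    def handle(self, seg):
        """Process an incoming segment; return the ACK we send back, or None."""
        seq, ack, data = seg["seq"], seg["ack"], seg["data"]
        if not (self.rcv_nxt <= seq < self.rcv_nxt + self.wnd):
            self.log.append("out of window")      # stale segment: answer with our ACK, drop it
            return self.segment()
        if ack > self.snd_nxt:
            self.log.append("unacceptable ack")   # acks bytes we never sent: answer with our ACK, drop it
            return self.segment()
        if not data:
            return None
        if seq == self.rcv_nxt:
            self.rcv_nxt += len(data)
            self.delivered.append(data)
            self.log.append("delivered")
        else:
            self.log.append("queued")             # ahead of rcv_nxt but inside the window
        return self.segment()


class Attacker:
    """Learns the numbers from one sniffed server segment: its ACK is the sequence
    number the server expects next from the client, and its SEQ plus its length is
    what the client expects next from the server."""

    def __init__(self, sniffed_server_segment):
        self.seq = sniffed_server_segment["ack"]
        self.ack = sniffed_server_segment["seq"] + len(sniffed_server_segment["data"])

    def forge(self, data):
        seg = {"src": "attacker", "seq": self.seq, "ack": self.ack, "data": data}
        self.seq += len(data)
        return seg


def hijack(storm_rounds=6):
    client = Endpoint("client", isn=1000, peer_isn=5000)
    server = Endpoint("server", isn=5000, peer_isn=1000)
    # Step 1, tracking: a legitimate command and its output, both sniffed by the attacker.
    server.handle(client.segment(b"ls\n"))
    reply = server.segment(b"file.txt\n")
    server.handle(client.handle(reply))
    atk = Attacker(reply)
    # Step 4, injection (which also desynchronizes): the forged command continues the
    # client's stream exactly, so the server delivers it and ACKs it to the real client.
    server_ack = server.handle(atk.forge(b"id\n"))
    # ACK storm: neither side can accept the other's ACK, and each answers with its own.
    seg, acks = server_ack, 0
    for _ in range(storm_rounds):       # bounded here; on the wire it runs until a packet is lost
        receiver = client if seg["src"] == "server" else server
        seg = receiver.handle(seg)
        if seg is None:
            break
        acks += 1
    # The real client is now desynchronized: its next command sits below the server's rcv_nxt.
    server.handle(client.segment(b"pwd\n"))
    return {
        "server_delivered": server.delivered,
        "client_log": client.log,
        "storm_acks": acks,
        "real_command_status": server.log[-1],
    }


if __name__ == "__main__":
    for k, v in hijack().items():
        print(f"{k}: {v}")
```

The server's application sees "ls" followed by the attacker's "id" and never sees the user's "pwd"; the user's session appears to hang, which is the loss of access described above, while the storm of ACKs between the two real hosts is the noisy side effect that gives the attack away on the wire.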
[Active and Passive attacks]
In an active attack, an attacker finds an active session and takes over. With a passive attack, an attacker hijacks a session, but sits back and watches and records all of the traffic that is being sent forth. The main difference between an active and passive hijack is that while an active hijack takes over an existing session, a passive attack monitors an on-going session.
Generally a [passive attack] uses sniffers on the network, allowing the attacker to obtain information such as user IDs and passwords that he can use later to log on as that user and claim his privileges. Password sniffing is only the simplest attack that can be performed once raw access to a network is obtained. Countermeasures range from one-time passwords to ticket-based identification schemes. While these may keep sniffing from yielding anything useful, they do not protect the network against an active attack either, as long as the data is neither digitally signed nor encrypted.
In an [active attack], the attacker takes over an existing session by either tearing down the connection on one side of the conversation or by actively participating by being the man-in-the-middle.
This requires the ability to predict the sequence number before the target can respond to the server. Sequence number attacks have become much less likely because OS vendors have changed the way initial sequence numbers are generated. The old way was to add a constant value to the next initial sequence number; newer mechanisms use a randomized value for the initial sequence number.
[Sequence Numbers]
Sequence Numbers are very important to provide reliable communication but they are also important to hijacking a session.
Sequence numbers are 32-bit counters, so a value can be any of over 4 billion possibilities. They tell the receiving machine what order the segments belong in when they arrive. An attacker must therefore guess the sequence number correctly to hijack a session.
TCP provides a full duplex reliable stream connection between two end points. A connection is uniquely defined by the IP address of sender, TCP port number of the sender, IP address of the receiver and TCP port number of the receiver.
Every byte that is sent by a host is marked with a sequence number and is acknowledged by the receiver using this sequence number. The sequence number for the first byte sent is computed during the connection opening. It changes for any new connection based on rules designed to avoid reuse of the same sequence number for two different sessions of a TCP connection.
Recall the increment of the sequence number from the three-way handshake. What happens if the sequence number is predictable? When the TCP sequence is predictable, an attacker can send packets forged to appear to come from a trusted computer.
The next step taken was to tighten the OS implementation of TCP and introduce randomness into the ISN. This was done through the use of pseudo-random number generators (PRNGs). PRNGs introduced some randomness when producing the ISNs used in TCP connections. However, adding a series of random increments together provided insufficient variance in the range of likely ISN values, thereby allowing an attacker to disrupt or hijack existing TCP connections or spoof future connections against vulnerable TCP/IP stack implementations.
This implied that systems relying on random increments to make ISNs harder to guess were still vulnerable to statistical attack. Basically, with the passage of time, even computers choosing random numbers will repeat themselves, because the randomness is based on an internal algorithm used by a particular operating system. Once the ISN has been agreed upon, the data that follows is numbered from ISN+1 onward. This makes injecting data into the communication stream possible.
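The three generations of ISN generation described above (constant increment, small random increments, widely dispersed values) can be told apart from a handful of observed ISNs. The following is an added example for auditing your own hosts' stacks; it is not code from the original text. The ISN samples are constructed, and the 4-million-value band used to separate "small random increment" from "random" is an assumed heuristic threshold, not a standard.

```python
"""Audit observed TCP initial sequence numbers (ISNs) for predictability.

Added example, not part of the original text. In a real audit the ISNs
would be collected from the SYN/ACKs returned by the host under test;
the samples here are constructed to show each generator type.
"""
from __future__ import annotations

import statistics
from typing import Sequence

MOD = 2 ** 32  # ISNs are 32-bit counters and wrap around

# Constructed samples ------------------------------------------------------
# Old-style stack: a fixed increment between successive connections.
CONSTANT_ISNS = [1000, 65000, 129000, 193000, 257000]
# PRNG-based increments that stay small relative to the 2^32 space.
RANDOM_INCREMENT_ISNS = [100000, 101200, 104600, 105500, 108000]
# ISNs spread across the whole 32-bit space.
RANDOM_ISNS = [0x1F3A9C21, 0xA87D0E45, 0x3C0F12B0, 0xE9A4537F]

# Assumed heuristic: if successive increments all fall within a band this
# narrow, the next ISN is confined to a range small enough to sweep.
NARROW_BAND = MOD // 1024  # about 4 million values


def isn_deltas(isns: Sequence[int]) -> list[int]:
    """Differences between consecutive ISNs, taken modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def delta_spread(isns: Sequence[int]) -> int:
    """Width of the band the observed increments fall into."""
    deltas = isn_deltas(isns)
    return max(deltas) - min(deltas)


def delta_stddev(isns: Sequence[int]) -> float:
    """Population standard deviation of the increments (0 for a fixed step)."""
    return statistics.pstdev(isn_deltas(isns))


def classify_isn_generator(isns: Sequence[int]) -> str:
    """Return 'constant-increment', 'small-random-increment' or 'random'.

    A single repeated increment is trivially guessable; random increments
    confined to a narrow band still leave the next ISN in a small range;
    only widely dispersed ISNs resist guessing.
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    if len(set(deltas)) == 1:
        return "constant-increment"
    if delta_spread(isns) < NARROW_BAND:
        return "small-random-increment"
    return "random"


def audit_report(isns: Sequence[int]) -> str:
    """One-line summary suitable for a scan log."""
    return (f"{len(isns)} samples, increment spread {delta_spread(isns)}, "
            f"stddev {delta_stddev(isns):.1f}: {classify_isn_generator(isns)}")


if __name__ == "__main__":
    for name, sample in [("constant", CONSTANT_ISNS),
                         ("random-increment", RANDOM_INCREMENT_ISNS),
                         ("random", RANDOM_ISNS)]:
        print(f"{name:17s} {audit_report(sample)}")
```

A stack that lands in the first two classes should be treated as vulnerable to the statistical guessing described above, regardless of how "random" its increments look in isolation.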
If a sequence number within the receive window is known, an attacker can inject data into the session stream or choose to terminate the connection. If the attacker knows the initial sequence number, he can send a simple packet to inject data or kill the session if he is aware of the number of bytes transmitted in the session this far.
As this is a difficult proposition, the attacker can guess a suitable range of sequence numbers and send out a number of packets into the network with different sequence numbers – but falling within the range. Since the range is known, it is likely that at least one packet will be accepted by the server. This way, the attacker doesn’t need to send a packet for every sequence number, but resort to sending an appropriate number of packets with sequence numbers a window-size apart.
But how does he know how many packets are to be sent?
This is obtained by dividing the range of sequence numbers to be covered by the fraction of the window size that is used as an increment. Why is this possible despite the introduction of PRNGs? The problem lay in the use of increments themselves, random or otherwise, to advance an ISN counter, making statistical guessing practical. The result of this is that remote attackers can perform session hijacking or disruption by injecting a flood of packets with a range of ISN values, one of which may match the expected ISN. The more random the ISNs are, the more difficult it is to carry out these attacks.
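The reason a guess only has to land inside the receive window, and the mitigation that later closed much of that gap, are both easiest to see in the receiver's own acceptance logic. The following added example (not code from the original text) models the classic in-window test a TCP stack applies to an incoming segment, side by side with the stricter RST and SYN handling introduced by RFC 5961, under which a blind RST only tears down the connection if it hits RCV.NXT exactly and an in-window SYN only earns a challenge ACK. The window values and flag sets are constructed; RFC 5961's ACK-number validation for data segments is left out for brevity.

```python
"""Receiver-side sequence number validation for an established TCP connection.

Added example, not part of the original text. `classic_action` models the
pre-RFC-5961 rule that any in-window RST or SYN aborts the connection;
`rfc5961_action` models the hardened rule. Constants are constructed.
"""
from __future__ import annotations

MOD = 2 ** 32


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if SEQ lies in [RCV.NXT, RCV.NXT + RCV.WND), with 32-bit wraparound."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def classic_action(flags: set[str], seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Pre-RFC-5961 behaviour: anything in the window is acted on.

    A forged RST or SYN therefore only needs to fall somewhere inside the
    window, which is why guesses spaced one window apart suffice.
    """
    if not seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "drop"
    if "RST" in flags or "SYN" in flags:
        return "abort"
    return "accept-data"


def rfc5961_action(flags: set[str], seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 behaviour for RST and SYN segments.

    Section 3.2: an RST resets the connection only if SEQ == RCV.NXT; an
    in-window RST at any other offset gets a challenge ACK, which the genuine
    peer will answer with a correctly numbered RST if it really did close.
    Section 4.2: an in-window SYN never aborts; it also gets a challenge ACK.
    """
    if not seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "drop"
    if "RST" in flags:
        return "abort" if seq == rcv_nxt else "challenge-ack"
    if "SYN" in flags:
        return "challenge-ack"
    return "accept-data"


def compare(flags: set[str], seq: int, rcv_nxt: int, rcv_wnd: int) -> tuple[str, str]:
    """(classic, rfc5961) verdicts for one segment, for side-by-side review."""
    return (classic_action(flags, seq, rcv_nxt, rcv_wnd),
            rfc5961_action(flags, seq, rcv_nxt, rcv_wnd))


if __name__ == "__main__":
    # Constructed connection state: window straddles the 32-bit wrap point.
    RCV_NXT, RCV_WND = 0xFFFFFF00, 0x2000
    for label, flags, seq in [
        ("RST exactly at RCV.NXT", {"RST"}, RCV_NXT),
        ("RST mid-window (guessed)", {"RST"}, RCV_NXT + 0x1000),
        ("SYN mid-window", {"SYN"}, RCV_NXT + 0x10),
        ("data just below window", {"ACK"}, RCV_NXT - 1),
        ("data past the wrap point", {"ACK"}, 0x100),
    ]:
        print(f"{label:26s} classic={compare(flags, seq, RCV_NXT, RCV_WND)[0]:13s} "
              f"rfc5961={compare(flags, seq, RCV_NXT, RCV_WND)[1]}")
```

The side-by-side output shows the practical effect: a guessed in-window RST that used to kill the session now only triggers a challenge ACK, so the attacker is back to needing the exact sequence number rather than one per window.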
[Spoofing/Hijacking Tools]
Several programs are available that perform session hijacking. The following are a few that belong to this category:
Ettercap – Ettercap runs on Linux, BSD, Solaris 2.x, most flavors of Windows, and Mac OS X. Ettercap will ARP spoof the targeted host so that any ARP requests for the target’s IP will be answered with the sniffer’s MAC address, allowing traffic to pass through the sniffer before ettercap forwards it on. This allows ettercap to be used as an excellent man-in-the-middle tool. Ettercap uses four modes:
- IP: packets are filtered based on source and destination address.
- MAC: packet filtering based on MAC address.
- ARP: ARP poisoning is used to sniff/hijack switched LAN connections (in full-duplex mode).
- Public ARP: ARP poisoning is used to allow sniffing of one host to any other host.
Hunt – This is one of the best known session hijacking tools. It can watch, hijack, or reset TCP connections. Hunt is meant to be used on Ethernet and has active mechanisms to sniff switched connections. Advanced features include selective ARP relaying and connection synchronization after attacks. Requirements: C compiler, Linux.
TTY Watcher – This Solaris program can monitor and control users’ sessions.
IP Watcher – IP Watcher is a commercial session hijacking tool that allows you to monitor connections and has active countermeasures for taking over a session.
T-Sight – This commercial hijack tool has the capability to hijack any TCP sessions on the network, monitor all your network connections in real-time, and observe the composition of any suspicious activity that takes place.
1644 – TTCP spoofing tool. {Source} – Requirements: C compiler, IP header files, FreeBSD.
Juggernaut – Linux networking and packet spoofing tool. {Source} – Requirements: C compiler, IP header files, Unix.
synk4.c – SYN flooder tool that allows IP spoofing and packet spoofing. {Source} – Requirements: C compiler, IP header files, Linux.
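Every tool above that works on a switched LAN relies on the ARP poisoning described for Ettercap: the attacker's interface answers for another host's IP. That leaves a footprint a monitor can see. The following added example (not code from the original text or from any of the tools listed) applies two arpwatch-style rules to ARP replies parsed from tcpdump-style lines: an IP whose claimed MAC changes, and a single MAC answering for several IPs. The capture lines, addresses and the line format are constructed; routers doing proxy ARP legitimately trip the second rule, so it is an indicator to review, not proof.

```python
"""Detect ARP cache poisoning indicators in a stream of ARP replies.

Added example, not part of the original text. Input lines mimic the
`tcpdump -tt -n arp` output format; the capture below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed capture: gateway 10.0.0.1 is legitimately at 00:11:22:33:44:55,
# then 00:de:ad:be:ef:01 starts answering for both the gateway and host .7.
SAMPLE_CAPTURE = """\
1700000000.000001 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28
1700000000.500000 ARP, Reply 10.0.0.7 is-at 00:aa:bb:cc:dd:07, length 28
1700000001.000000 ARP, Reply 10.0.0.1 is-at 00:de:ad:be:ef:01, length 28
1700000001.100000 ARP, Reply 10.0.0.7 is-at 00:de:ad:be:ef:01, length 28
1700000002.000000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28
"""

REPLY_RE = re.compile(r"^(?P<ts>\d+\.\d+) ARP, Reply (?P<ip>\S+) is-at (?P<mac>[0-9a-f:]{17})")


@dataclass(frozen=True)
class ArpReply:
    ts: float        # capture timestamp in seconds
    sender_ip: str   # the "is-at" claim: sender_ip lives at sender_mac
    sender_mac: str


@dataclass(frozen=True)
class Alert:
    ts: float
    ip: str
    old_mac: str
    new_mac: str


def parse_arp_lines(text: str) -> list[ArpReply]:
    """Keep only ARP replies; requests and other traffic are ignored."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            replies.append(ArpReply(float(m["ts"]), m["ip"], m["mac"].lower()))
    return replies


def detect_arp_changes(replies: list[ArpReply],
                       trusted: dict[str, str] | None = None) -> list[Alert]:
    """Rule 1: alert whenever the MAC claimed for an IP changes.

    `trusted` seeds the table with known static bindings (e.g. the default
    gateway) so the very first bogus claim is caught instead of learned.
    The table then tracks the current claimant, so a flip-flop between the
    real and the spoofed MAC produces an alert on every change.
    """
    table: dict[str, str] = dict(trusted or {})
    alerts: list[Alert] = []
    for r in replies:
        known = table.get(r.sender_ip)
        if known is None:
            table[r.sender_ip] = r.sender_mac
        elif known != r.sender_mac:
            alerts.append(Alert(r.ts, r.sender_ip, known, r.sender_mac))
            table[r.sender_ip] = r.sender_mac
    return alerts


def multi_ip_claimants(replies: list[ArpReply]) -> dict[str, set[str]]:
    """Rule 2: MACs that answer for more than one IP address."""
    claims: dict[str, set[str]] = {}
    for r in replies:
        claims.setdefault(r.sender_mac, set()).add(r.sender_ip)
    return {mac: ips for mac, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    replies = parse_arp_lines(SAMPLE_CAPTURE)
    for a in detect_arp_changes(replies, trusted={"10.0.0.1": "00:11:22:33:44:55"}):
        print(f"{a.ts:.3f} {a.ip} changed {a.old_mac} -> {a.new_mac}")
    for mac, ips in multi_ip_claimants(replies).items():
        print(f"{mac} claims {sorted(ips)}")
```

Seeding `trusted` with the gateway binding is the important operational choice: without it the first reply seen is learned as truth, which is exactly the assumption the poisoning tools exploit.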