Hijacking Sessions


Session hijacking is one class of effective attacks on networks; it isn’t difficult, and if the target access point isn’t using WEP (or WPA) encryption, then it’s extremely simple. Hijacking occurs in many forms on both wired and wireless networks. By hijacking a session, a cracker gains access to a WLAN, where he masquerades as a legitimate user. Session hijacking can also be the first step in other, more complicated cracking techniques.

Cross-Reference 

You can read more about WEP and WPA encryption in Chapter 10.

This type of attack targets the user session on the WLAN. A user session (or simply session) begins when you connect to and authenticate with an access point (see Figure 4-1) and ends when you log off or the connection times out. Connections automatically time out or expire, requiring clients to authenticate again and begin another session. A session time-out can occur after a period of inactivity or after a predetermined amount of time has passed.

Figure 4-1: Authenticating with an access point

Timing out conserves resources. If sessions didn’t time out automatically they would remain open after users leave their computers without logging off. Eventually, a server might be overwhelmed tracking thousands of open sessions for clients that aren’t actually there. It also has a security application; closing timed-out sessions helps prevent unauthorized persons from hijacking sessions that have been left open by authorized users.

Note 

When you connect to a WLAN, or to your ISP for that matter, your session periodically times out (typically in an hour), and your computer authenticates again without your intervention. The process is largely invisible to the user.

Similarly, when you log on to a Web site, you begin a session that runs for a specified amount of time or until you log out. If you leave a Web site without logging out, you may return a few minutes later to find out that you are still connected. This happens because your session hasn’t yet expired.
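The two expiry rules described above (an inactivity timeout and a hard session lifetime) are easy to get wrong on the server side, so here is a small session store that applies both. This is an added example, not code from the book; the fifteen-minute idle limit is an assumption, and the one-hour lifetime follows the "typically in an hour" remark in the note. The clock is injectable so the expiry paths can be exercised without waiting an hour.

```python
"""Server-side session store with both expiry rules the text describes.

Added example, not code from the book: a session ends when the client logs
out, when it has been idle too long, or when its absolute lifetime is up.
The timeout values are assumptions.
"""
import secrets
import time
from dataclasses import dataclass, field

IDLE_TIMEOUT = 15 * 60       # assumed: 15 minutes without activity
ABSOLUTE_TIMEOUT = 60 * 60   # assumed: hard lifetime of one hour


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    # Unguessable token, so a session cannot be taken over by guessing its identifier
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, absolute_timeout=ABSOLUTE_TIMEOUT,
                 clock=time.monotonic):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock   # injectable clock so expiry can be exercised without waiting

    def _expired(self, session, now):
        return (now - session.last_seen > self.idle_timeout
                or now - session.created > self.absolute_timeout)

    def login(self, user):
        """Begin a session after the caller has authenticated the user; returns the token."""
        now = self.clock()
        session = Session(user=user, created=now, last_seen=now)
        self._sessions[session.token] = session
        return session.token

    def logout(self, token):
        self._sessions.pop(token, None)

    def validate(self, token):
        """Return the user owning a live session, or None. Expired sessions are discarded."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if self._expired(session, now):
            del self._sessions[token]
            return None
        session.last_seen = now      # activity resets the idle timer, not the hard lifetime
        return session.user

    def reap(self):
        """Drop every expired session; run periodically so abandoned sessions do not pile up."""
        now = self.clock()
        dead = [t for t, s in self._sessions.items() if self._expired(s, now)]
        for t in dead:
            del self._sessions[t]
        return len(dead)

    def active_count(self):
        return len(self._sessions)


class FakeClock:
    """Manually advanced clock used only for the demonstration."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk two sessions through idle expiry and absolute expiry."""
    clock = FakeClock()
    store = SessionStore(clock=clock)
    results = []

    alice = store.login("alice")
    clock.advance(10 * 60)
    results.append(store.validate(alice))    # 10 min idle: still valid
    clock.advance(16 * 60)
    results.append(store.validate(alice))    # 16 min idle: gone

    bob = store.login("bob")
    for _ in range(7):                       # touched every 10 min, so never idle...
        clock.advance(10 * 60)
        results.append(store.validate(bob))  # ...but the one-hour lifetime still ends it
    return results


if __name__ == "__main__":
    print(demo())
```

Note that activity extends only the idle timer; the absolute lifetime runs from login regardless, which is what stops a session that was left open on a shared machine from living indefinitely.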

Spoofing

Contrary to popular belief, spoofing is not a method of communicating anonymously on the Internet. Generally, using spoofing alone, you can only communicate one way (sending data). The cracker uses a sniffer, which is a software application that sniffs or passively listens to network traffic. The attacker waits for someone to authenticate with the access point and captures the authentication data (sequence and acknowledgment numbers, see Figure 4-2).

Figure 4-2: Sniffing network traffic

The cracker can then insert commands into the data stream, spoofing a legitimate user’s IP address so that it appears that the inserted packets originated from that user’s machine. The cracker inserts commands that force the target server (or access point) to reestablish the connection and then hijacks the session by authenticating with the sequence and acknowledgment numbers that he sniffed (see Figure 4-3).

Figure 4-3: Session hijacking

Note 

Spoofing allows a cracker to send data to network hosts with which he normally couldn’t communicate. It is a component of session hijacking, man-in-the-middle attacks, and denial of service (DoS) attacks.

An attacker can emulate the access point and send a legitimate client a disassociate frame. A frame is a packet of data in network communications; engineers and programmers use the two terms interchangeably. The disassociate frame disconnects the client from the WLAN. When this happens, the attacker can spoof the client’s MAC address and take over the user’s session. The session remains open because the access point didn’t send the disassociation message; the attacker did. As far as the access point is concerned, the original user is still connected and authenticated (see Figure 4-4).

Figure 4-4: Spoofing a MAC address and exploiting a race condition

Cross-Reference 

Read how crackers can use disassociation messages in a type of denial of service (DoS) attack in Chapter 5.

This type of attack exploits a race condition. In this case, the attacker forces the legitimate user to disconnect and then races to take over the user’s session. If the attacker can spoof the victim’s MAC before the client authenticates again, he can hijack the session and take over until the session times out.
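Because the access point never sent the disassociation message, the one party that can see something is wrong is a monitor listening on the air: a burst of disassociate or deauthenticate frames carrying the access point’s address, aimed at a client that never asked to leave, is the signature of the attack described above. The following detector, added here as an example and not taken from the book, parses the fixed header of an 802.11 management frame and alerts when one transmitter address sends more than a threshold of such frames within a sliding window. The addresses, frames, timestamps, window and threshold are all constructed for the demonstration.

```python
"""Detect deauthentication/disassociation floods in 802.11 management frames.

Added example, not from the book. It parses the fixed header of an 802.11
management frame, keeps a sliding window of deauth/disassoc frames per
transmitter address, and raises an alert when a burst reaches a threshold.
All frames, addresses and timestamps below are constructed; the window and
threshold are assumptions a deployment would tune.
"""
import struct
from collections import defaultdict, deque

# Frame Control byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
TYPE_MANAGEMENT = 0
TYPE_DATA = 2
SUBTYPE_BEACON = 0x08
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C
DISCONNECT_SUBTYPES = (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH)


def build_frame(ftype, subtype, dst, src, bssid, reason=None):
    """Assemble a minimal 802.11 frame (header plus optional reason code) for the demo."""
    fc = bytes([(subtype << 4) | (ftype << 2), 0x00])
    duration = b"\x00\x00"
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (dst, src, bssid))
    seq_ctrl = b"\x00\x00"
    body = struct.pack("<H", reason) if reason is not None else b""
    return fc + duration + addrs + seq_ctrl + body


def parse_mgmt_frame(frame):
    """Return (subtype, addr1, addr2, addr3, reason) for a management frame, else None."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x03 != TYPE_MANAGEMENT:
        return None
    subtype = (fc0 >> 4) & 0x0F
    addr1 = frame[4:10].hex(":")    # receiver: the station being told to leave
    addr2 = frame[10:16].hex(":")   # transmitter: whoever claims to be the access point
    addr3 = frame[16:22].hex(":")   # BSSID
    reason = None
    if subtype in DISCONNECT_SUBTYPES and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]
    return subtype, addr1, addr2, addr3, reason


class DisconnectFloodDetector:
    """Flag a transmitter that sends too many deauth/disassoc frames in a short window."""

    def __init__(self, window_secs=10, threshold=5):
        self.window = window_secs
        self.threshold = threshold
        self._events = defaultdict(deque)   # transmitter address -> recent timestamps

    def observe(self, ts, frame):
        """Feed one frame with its capture time; returns an alert string the moment a
        transmitter reaches the threshold, otherwise None."""
        parsed = parse_mgmt_frame(frame)
        if parsed is None:
            return None
        subtype, dst, src, _bssid, reason = parsed
        if subtype not in DISCONNECT_SUBTYPES:
            return None
        recent = self._events[src]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) == self.threshold:     # fire once per burst, not on every frame after it
            kind = "deauth" if subtype == SUBTYPE_DEAUTH else "disassoc"
            return (f"{src}: {len(recent)} deauth/disassoc frames within {self.window}s "
                    f"(latest {kind}, reason {reason}, target {dst})")
        return None


AP = "00:11:22:33:44:55"      # constructed access point address
STA = "66:77:88:99:aa:bb"     # constructed client address


def demo():
    """Constructed capture: normal traffic, one genuine deauth, then a spoofed burst."""
    capture = [(0, build_frame(TYPE_MANAGEMENT, SUBTYPE_BEACON, "ff:ff:ff:ff:ff:ff", AP, AP)),
               (1, build_frame(TYPE_MANAGEMENT, SUBTYPE_DEAUTH, STA, AP, AP, reason=3)),
               (2, build_frame(TYPE_DATA, 0, STA, AP, AP))]
    # Eight deauth frames one second apart, carrying the AP's address as transmitter
    capture += [(5 + i, build_frame(TYPE_MANAGEMENT, SUBTYPE_DEAUTH, STA, AP, AP, reason=7))
                for i in range(8)]
    detector = DisconnectFloodDetector()
    alerts = []
    for ts, frame in capture:
        alert = detector.observe(ts, frame)
        if alert:
            alerts.append((ts, alert))
    return alerts


if __name__ == "__main__":
    for ts, alert in demo():
        print(f"t={ts}s  {alert}")
```

The single genuine deauthenticate frame at one second is counted but never alerts on its own; the alert fires on the fifth frame of the burst. In a real deployment the capture would come from a monitor-mode interface, and the threshold would be set above the rate at which the access point legitimately disconnects idle clients.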

Tip 

Use WEP or WPA encryption on your WLAN to prevent this type of session hijacking and most forms of IP spoofing from occurring.

Caution 

Routers and firewalls can also prevent many types of spoofing attacks, but due to flaws in the 802.11 protocol, crackers can use spoofing when attacking WLANs.

Explaining race conditions

A race condition occurs when a device, application, or system attempts to perform multiple functions at the same time, but must perform them in a specific order for them to be successful. The system depends on the timing of events, and if the timing is off, unexpected results can occur.

In the example I used in the previous section, a race condition occurs when a cracker forces a user to disassociate from an access point. The legitimate user attempts to reassociate, and at the same time, the cracker is trying to spoof the MAC address of that user and connect with the access point. The outcome depends on the timing of the two events. If the cracker manages to associate before the legitimate user reestablishes a connection, he can take control of the session. If the legitimate user reestablishes a connection first, the cracker is out of luck.

Race conditions are not exclusively security concerns; they occur in many different areas of information technology. Race conditions occur in software when different functions attempt to read or modify the same data simultaneously. This can cause the computer or applications to crash or lead to other unexpected results.

A cracker can sometimes exploit this type of race condition and get one function to overwrite or modify the data used by another function, the result being that the cracker can gain access to a system or application. Race conditions aren’t easy to exploit, and often a cracker has to attempt this kind of attack multiple times before it is successful.
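The software race described in the last two paragraphs, where one function checks a value and another modifies it before the first acts on the check, is easiest to understand in code. The following added example (not from the book) shows a check-then-act withdrawal run from two threads: the racy version lets both threads pass the balance check and overdraw the account, while the fixed version holds a lock across the check and the update. The account, amounts and the sleep that widens the race window are all constructed for the demonstration.

```python
"""A check-then-act race in software and its fix.

Added example, not from the book. Two threads try to withdraw from one
account: the racy method reads the balance, then updates it as a separate
step, so both can pass the check; the safe method holds a lock across both
steps. The sleep only widens the race window so the demo reproduces on demand.
"""
import threading
import time


class Account:
    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_racy(self, amount, delay=0.0):
        """Vulnerable: another thread can run between the check and the update."""
        if self.balance >= amount:       # check
            time.sleep(delay)            # a second thread may also pass the check here
            self.balance -= amount       # act on a check that may no longer hold
            return True
        return False

    def withdraw_safe(self, amount, delay=0.0):
        """Fixed: the lock makes the check and the update one indivisible step."""
        with self._lock:
            if self.balance >= amount:
                time.sleep(delay)
                self.balance -= amount
                return True
            return False


def run_concurrent(method_name, start=100, amount=80, workers=2, delay=0.05):
    """Run the named withdraw method from several threads at once.
    Returns (final balance, number of withdrawals that reported success)."""
    account = Account(start)
    results = []
    results_lock = threading.Lock()

    def worker():
        ok = getattr(account, method_name)(amount, delay)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return account.balance, sum(results)


if __name__ == "__main__":
    print("racy:", run_concurrent("withdraw_racy"))   # both threads usually pass the check: (-60, 2)
    print("safe:", run_concurrent("withdraw_safe"))   # always (20, 1)
```

Without the artificial delay the racy version fails only occasionally, which is exactly why the text says such attacks often take many attempts; the lock, not luck, is what removes the window.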

Public hotspots

While it’s possible that session hijacking could occur on your own WLAN, public Wi-Fi hotspots are a more likely environment for these (and other) attacks to occur. Many free public or open hotspots don’t use WEP or WPA encryption, which would prevent most session hijacking attacks. (Chances are you’re using some form of encryption on your WLAN. If not, I hope that you will after reading this book.)

The administrators of these WLANs want users to be able to connect freely and with little trouble.

I’m specifically talking about public hotspots, meaning they are free and open for the public to use, not the commercial hotspots hosted at major chain restaurants, coffee houses, and other gathering places. Commercial hotspots generally employ some form of encryption (beyond WEP and WPA) and are less likely targets for many session hijacking techniques.

However, beyond session hijacking, there are many other techniques that a cracker can use to target clients. Hotspots, both public and commercial, present an opportunity for a cracker because there are so many, often unsecured, Wi-Fi clients present. A cracker can target data stored on clients as well as data broadcast between clients and access points.

A cracker can configure his computer to masquerade as a legitimate access point to intercept and record data sent to that access point. WEP may deter casual eavesdropping and spoofing, but if the user authenticates with the cracker’s access point, WEP is no protection here. This amounts to a form of wireless sniffing, and the cracker can collect all data sent through the user’s machine, including usernames, passwords, and credit card numbers.

Caution 

When connecting to an access point at a hotspot, make sure the access point is legitimate. See the section “Understanding Rogue Access Points” later in this chapter.

While using a hotspot, unsecured client machines are also susceptible to malicious software, including worms and viruses that can spread via a network. Crackers can also use blended attacks when targeting other network clients. Blended attacks use malicious software to target known security vulnerabilities. An example would be a worm that targets a security flaw in an operating system in order to gain access to a computer and then delivers a payload such as a virus or installs a program that allows the cracker to access and control the machine.

Cross-Reference 

To read more about viruses and protecting yourself from them, see Chapter 7.

Protecting yourself at hotspots

There are a number of things that you can do to protect yourself when you’re using a public or commercial hotspot. These include:

  • Using a virtual private network (VPN)

  • Installing a personal firewall on your notebook or PDA

  • Installing antivirus software

  • Using encryption when sending files across the network

Using a VPN will help keep all of your data private when you’re working with e-mail or sensitive data. A VPN uses encryption to create a tunnel, which is a secure connection between two computers, even over the public Internet (see Figure 4-5). In fact, using a VPN allows business people to connect securely to their company’s e-mail and servers via the Internet. VPNs are usually available only to business users.

Figure 4-5: A VPN

In order to use a VPN, you or your company needs to have a VPN solution installed at your end of the connection, and you need to have VPN client software installed on your machine. Usually, you also have to have a routable public (Internet) IP address, not an IP address reserved for internal use on a WLAN or intranet. This is because many VPN solutions won’t operate over NAT and require a public IP address, whether it’s static or assigned dynamically by DHCP.

Once you connect to your VPN and authenticate, the VPN encrypts all of the data between your machine and the server. This secures any communication with your corporate network, such as e-mail and file transfers, but once you connect to the Internet you’ve left the protection of your VPN behind because you’re now communicating with the ISP servers and not your company’s VPN (see Figure 4-6).

Figure 4-6: A VPN doesn’t secure Web browsing

One exception to this would be if your company supplies you with an HTTP proxy server that you can access over the VPN. A proxy server receives Web page requests from your browser, forwards those requests to the company’s ISP, and sends the pages back to your browser (see Figure 4-7).

Figure 4-7: An HTTP proxy server

Exposing the man in the middle

As already mentioned, spoofing is a component of a man-in-the-middle attack. A man-in-the-middle (MITM) attack occurs when a cracker spoofs the MAC or IP address of a network client or access point. Masquerading as a legitimate node on the network, the cracker can intercept or inject data into the communications stream between two other nodes (see Figure 4-8). Usually, the affected nodes will be unaware that this is happening.

Figure 4-8: Man-in-the-middle attack


Caution! Wireless Networking: Preventing a Data Disaster
ISBN: 076457213X
Year: 2003
Pages: 145