Tools

Previous page
Table of content
Next page
 < Day Day Up > 

Now that you have learned about the theory behind session hijacking, it is time to learn about a few tools used in session hijacking attacks. This section discusses the following tools:

  • Juggernaut

  • Hunt

  • TTY Watcher

  • T-Sight

Juggernaut

Juggernaut, like most of the session hijacking tools, is a Linux based tool. This tool was created by someone with the handle of 'route' and was first introduced in volume 7, issue 50 of Phrack Magazine. You can view this posting, which includes the source code, at http://www.phrack.org/show.php?p=50&a=6. Juggernaut is an older tool, yet it is still popular for some of its unique features.

One of the features that makes Juggernaut a popular tool is its capability to watch all traffic or watch traffic for a particular keyword (such as password). The malicious hacker or penetration tester can watch all sessions and pick the session that he or she wants to hijack.

Another benefit of Juggernaut is the included option of performing the traditional interactive session hijack or a simplex connection hijack. A simplex hijack is also called a simple hijack by many tools. A simplex hijack allows you to inject a single command into a Telnet stream. This command can be something like cat /etc/password/ to grab password information from a Linux host. Doing a few single commands is less noticeable than a full session hijack, increasing the chances that your attack will go unnoticed.

The final benefit of Juggernaut is its built-in function of packet assembly. This enables you to create your own packet with header flags set any way you like. This is an advanced feature of Juggernaut that becomes useful in unique situations such as when you want to create a custom packet that is fragmented into multiple segments. Some intrusion detection systems (IDSs) and firewalls do not track fragmented packets, so you can use this option to create customized packets to bypass some security devices.

When you launch Juggernaut from a Linux command line, you see the menu in Example 6-1.

Example 6-1. Juggernaut Menu
Juggernaut ?) Help 0) Program information 1) Connection database 2) Spy on a connection 3) Reset a connection 4) Automated connection reset daemon 5) Simplex connection hijack 6) Interactive connection hijack 7) Packet assembly module 8) Souper sekret option number eight 9) Step down

The connection database option (1) shows you active sessions. Note that in a switched environment, you cannot see sessions unless you have configured port monitoring on the switch.

In Example 6-2, you can see that two Telnet sessions (destination TCP port 23) are open to 10.18.12.15. You can spy on the connection with option 2. This allows you to monitor all activity between two hosts. You also have the option to log the traffic to a file. By default, no logging is performed.

Example 6-2. Using Juggernaut to View Active Telnet Sessions
Current Connection Database: ------------------------------------------ ref #    source                 target (1)      10.18.12.99 [1033]     10.18.12.15 [23] (2)      10.18.12.15 [1241]     10.18.12.15 [23]  Choose a connection [q] >1 Do you wish to log to a file as well? [y/N] >y Spying on connection, hit 'ctrl-c' when done. Spying on connection:  10.18.12.99 [1033] --> 10.18.12.15 [23] /$cd ~/Documents /home/Dayna/Documents$ls 1stQrtrReport.doc Payroll.xls $

One of the drawbacks to Juggernaut is that no passwords are sent from the monitored host to your computer. You can use another packet sniffer of your choosing (such as Ethereal) to view this information.

To perform a simple hijack, choose option 5, which enables you to enter a single command to the target. This is the safest option to prevent you from being detected. Example 6-3 shows a command that erases all files in the home directory of the user after you choose the connection.

Example 6-3. Simplex Hijack: Executing a Single Command on a Target
Choose a connection [q] >1 Enter the command string you wish executed [q] > rm -rf ~/* Spying on connection, hit 'ctrl-c' when you want to hijack. NOTE: This may cause an ACK storm until client is RST. Spying on connection: 10.18.12.99 [1033]  -->  10.18.12.15 [23]

Following is a description of the other options available with Juggernaut:

  • Reset a connection (option 3) This sends an RST packet to the source to close a session.

  • Automated connection reset daemon (option 4) This option lets you choose a host based on IP address that you want to automatically send RST packets to every time that host attempts to establish a session.

  • Interactive connection hijack (option 6) This performs a full session hijack. It can create a large ACK storm. The topic of ACK storms is discussed later in this chapter.

  • Packet assembly module (option 7) Choosing this option lets you form your own packet.

  • Souper sekret option number eight (option 8) This option has no functionality.

  • Step down (option 9) Exit the program.

Hunt

Hunt, created by Pavel Krauz and available at http://packetstorm.linuxsecurity.com/sniffers/hunt/, has many similarities to Juggernaut. Like Juggernaut, it runs on Linux, enables you to watch all TCP traffic, and gives you the option of doing a simple session hijack or a simple hijack. One of the advantages of Hunt over Juggernaut is its capability to reset connections after you are done with the hijack. You can return control to the originating host which, if done soon enough, can make the session go completely unnoticed by the host and target. Juggernaut, on the other hand, requires you to perform a DoS attack on the host. That attack not only drops the connection to the target, but it also prevents all communication of the host on the network. This in turn alerts the user to contact the help desk, raising suspicion of a possible attack. By returning control to the host, Hunt avoids this problem by making the temporary loss of communication to the target a network "glitch" that others quickly forget about.

After you launch Hunt, you see the menu in Example 6-4.

Example 6-4. Hunt Menu
l/w/r) list/watch/reset connections u) host up tests a) arp/simple hijack (avoids ack storm if arp is used) s) simple hijack d) daemons rst/arp/sniff/mac o) options x) exit *>

The selections do the following:

  • List connections Show all active connections.

  • Watch connections Watch traffic from a particular source and destination of your choosing.

  • Reset connections Reset a connection based on source or destination IP address.

  • Host up tests Show you which hosts are up. This also gives you the option of choosing an unused MAC address on the network.

  • ARP Spoof a MAC address.

  • Simple hijack Inject a single command. This is the same as the simplex hijack in Juggernaut.

  • Daemons Set options for RST, ARP, sniffing, and MAC daemons.

  • Options Set program options such as base MAC address and timeout values.

Example 6-5 shows a hijack of an active Telnet session.

Example 6-5. Using Hunt to Hijack an Active Telnet Session
/* * Hunt 1.0 * multipurpose connection intruder / sniffer for Linux *  1998 by kra - http://www.rootshell.com */ starting hunt ---Main Menu---rcvpkt 0, free/alloc pkt 63/64. l/w/r) list/watch/reset connections u) host up a) arp/simple hijack (avoids ack storm if arp used) s) simple hijack d) daemons rst/arp/sniff/mac o) options x) exit - [ http://www.rootshell.com/ ] - > a 0) 10.12.18.99 [1421] --> 10.12.18.15[23] 1) 10.12.18.134 [1049] --> 10.12.18.15 [23] choose conn> 0 arp spoof src in dst y/n [y]> y src MAC [EA:1A:DE:AD:BE:03]> dst MAC [EA:1A:DE:AD:BE:04]> dump connection y/n [y]>n press key to take over connection CTRL-] to break rm -rf ~/* [r]reset connection/[s]ynchronize/[n]one [r]> s user have to type 12 characters and print 29 characters to synchronize connection CTRL-C to break Done

In this example, a simple hijack is performed against the 10.12.18.99 host as it connects to the 10.12.18.15 computer via Telnet (destination TCP port 23). Executing the rm rf ~/* command deletes all files in the home directory of that user. To properly synchronize the sequence numbers, Hunt might send a message to the user to type additional characters to pad the communication with additional bytes. In the output given from Example 6-5, the user is prompted to type 12 characters with the following message:

msg from root: power failure - try to type 12 chars

This is one of the major drawbacks to Hunt because most UNIX and Linux users would recognize this as abnormal behavior and report it to their administrator. Their administrator (after reading this book) would know that this message was sent by Hunt and would begin investigating the source of the attack. Still, some Linux and UNIX users might not think much of this message and would do as it says, padding the data so that the sequence numbers stay synchronized.

TTY-Watcher

TTY-Watcher (available at http://www.engarde.com/software/) is different from Hunt and Juggernaut in that it monitors and hijacks sessions on a single system. At press time, TTY-Watcher works only on Sun Solaris systems. When users are connected to the Solaris system, all data from their Terminal Type (TTY) session is copied over to your TTY window. Figure 6-4 shows this process.

Figure 6-4. TTY-Watcher Operation


TTY-Watcher also has the option of sending a message to the user. The message could be something like this:

Your connection has logged out. Please enter your password again. Login:

Of course, when the user enters this at the command line, he receives an error because his original TTY application interprets his password as a command. This is only an example of what can happen with the send feature; the possibilities are limited only by your imagination.

T-Sight

T-sight is a commercial tool developed by Engarde (http://www.engarde.com/software/) that runs on Windows platforms. T-sight was originally designed as a security tool to monitor your network for suspicious activity. All communication is copied in real-time, giving you accurate output of data being transmitted on your network. However, in the process of monitoring, you can hijack the session. Because of this intrusive option, Engarde licenses its software only to predetermined IP addresses.

You can view a tutorial of T-sight at http://www.engarde.com/software/t-sight/tutorial/realtime/index.php.

Other Tools

The tools mentioned in this chapter are only a sample of software and code available to perform session hijacking. Other tools include the following:

  • IP-Watcher (http://www.engarde.com)

  • Remote TCP Session Reset Utility (http://www.solarwinds.net)

  • 1644 (http://www.insecure.org)

  • Rbone (http://www.packetstormsecurity.com)

  • Synk4.c (http://www.packetstormsecurity.com)

  • SSHMITM (http://www.monkey.org/~dugsong/dsniff/)

  • C2MYAZZ (http://www.antiserver.it/Win%20NT/Penetration/)

  • UDP Spoofer (http://www.deter.com/unix/software/arnudp.c)

  • Hjksuite (http://www.l0t3k.org/security/tools/hijacking/)

  • P.A.T.H. (http://www.l0t3k.org/security/tools/hijacking/)

     < Day Day Up > 

    Previous page
    Table of content
    Next page
    Penetration Testing and Network Defense
    Penetration Testing and Network Defense
    ISBN: 1587052083
    EAN: 2147483647
    Year: 2005
    Pages: 209
    Authors: Andrew Whitaker, Daniel Newman
    BUY ON AMAZON
    Project Management JumpStart
    Certified Ethical Hacker Exam Prep
    A Practitioners Guide to Software Test Design
    Making Sense of Change Management: A Complete Guide to the Models, Tools and Techniques of Organizational Change
    Web Systems Design and Online Consumer Behavior
    Extending and Embedding PHP
    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net
    Privacy policy