TCP/IP Hijacking

TCP/IP hijackingTCP/IP hijacking is a technique that uses spoofed packets to take over a connection between a victim and a host machine. It is similar to a man-in-the-middle attack, except that the rogue agent sends a reset request to the client so that the client loses contact with the server while the rogue system assumes the role of the legitimate client, continuing the session. This technique is especially useful when the victim uses a one-time password to connect to the host machine. A one-time password can, as its name implies, be used to authenticate once and only once; thus, sniffing the authentication is useless for the attacker.

To carry out a TCP/IP hijacking attack, the attacker must be on the same network as the victim. This gives the attacker the ability to sniff the local network segment and, as a result, all the details of open TCP connections can be pulled from the headers. Each TCP packet contains a sequence number in its header. This sequence number is incremented with each packet sent to ensure that packets are received in the correct order. While sniffing packets, the attacker has access to the sequence numbers for a connection between a victim and a host machine. Then the attacker sends a spoofed packet from the victim’s IP address to the host machine, using the sniffed sequence number to provide the proper acknowledgment number. The host machine will receive the spoofed packet with the correct acknowledgment number and will have no reason to believe the packet did not come from the victim’s machine; thus the TCP/IP hijacking attempt will be successful.


Forms of TCP/IP Hijacking

One form of TCP/IP hijacking is to inject an authentic-looking reset (RST) packet. If the source is spoofed and the acknowledgment number is correct, the receiving side will believe that the source actually sent the reset packet, and the connection will be reset. The attacker could perform such an attack using a program that uses the libpcap and libnet libraries. libpcap would sniff the packets, and libnet would inject RST packets. The program does not need to look at every packet, but only established TCP connections to a target IP, so the libcpap function calls would be structured accordingly. It is relatively easy to come up with a filter rule for packets that have a certain destination IP. It is somewhat more difficult to filter for established connections, but since all established connections will have the ACK flag in the TCP header TCP flags, the program can look for that.

Another type of TCP/IP hijacking is continued hijacking. The spoofed packet does not need to be an RST packet; the spoof packet can contain data. When the host receives the spoofed packet, it will increment the sequence number and responds to the victim’s IP. Since the victim’s machine does not know about the spoofed packet, the host machine’s response has an incorrect sequence number, so the victim ignores that response packet. And since the victim’s machine ignored the host machine’s response packet, the victim’s sequence number count is off. Therefore, any packet the victim tries to send to the host machine will have an incorrect sequence number as well, causing the host machine to ignore it. In this instance, both legitimate sides of the connection have incorrect sequence numbers, resulting in a desynchronized state. And since the attacker sent out the first spoofed packet that caused all this chaos, it can keep track of sequence numbers and continue spoofing packets from the victim’s IP address to the host machine. This lets the attacker continue communicating with the host machine while the victim’s connection hangs.


External Links:

TCP Hijacking at TechRepublic

pfSense Setup: Part Three (WAN and LAN Settings)

In pfSense Setup: Part Two,  I covered General Settings within the pfSense web GUI. In this part, I cover configuring the WAN and LAN interfaces. There are a number of different options here; fortunately, pfSense makes the job easy on us by creating reasonable defaults. From the pfSense web GUI menu, go to Interfaces -> WAN.

pfSense Setup: WAN Interface Settings

WAN

The WAN settings page in the pfSense web GUI.

The WAN interface provides your connection to the Internet. To access the WAN, you will need a properly-configured WAN interface and an Internet connection. Typically your Internet connection will be through a cable modem provided by your Internet service provider (ISP), but pfSense will support other connection methods as well.

To configure the WAN interface, browse to Interfaces | WAN. Under “General Configuration”, check Enable Interface. You can change the description of the interface (Description).

The next item is “Type”. Here you can choose the interface type. “Static” requires you to type in the WAN interface IP address. “DHCP” gets the IP address from the ISP’s DHCP server, and is probably what you want to select. “PPP” stands for Point-to-Point Protocol, a protocol used for dialup modem connects as well as T-carrier, E-carrier connections, SONET and SDH connections and higher bitrate optical connections. “PPPoE” stands for Point-to-Point Protocol over Ethernet and is used by a number of DSL providers. “PPTP” stands for Point-to-Point Tunneling Protocol and is a method for implementing virtual private networks (VPNs); unless your WAN interface is a VPN you won’t want to choose this option. “L2TP” stands for Layer 2 Tunneling Protocol, a tunneling protocol also used with VPNs.

The next option is MAC address. Typing in a MAC address here allows you to “spoof” a MAC address. The DHCP servers of ISPs assign IP addresses based on MAC addresses. But they have no way of verifying a MAC address, so by typing a different MAC address, you can “force” your ISP’s DHCP server to give you another IP address. Unless you want to spoof your MAC address, you can leave this field blank. MTU stands for maximum transmission unit. Larger MTUs bring greater efficiency but also greater latency. This should probably be left unchanged. MSS stands for maximum segment size, and specifies the largest amount of data pfSense can receive in a single TCP segment. This also should likely be left unchanged.


The next section is different depending on what you selected for the interface type. If you selected “DHCP”, the options will be “Hostname” and “Alias IP Address”. Hostname can be left blank unless your ISP requires it for client identification, and Alias IP address can also be left blank unless the ISP’s DHCP client needs an alias IP address.

The next section is “Private Networks”. Checking “Block private networks” ensures that 10.x.x.x, 172.16.x.x, and 192.168.x.x addresses, as well as loopback addresses (127.x.x.x) are non-routable. This should be left checked under most circumstances. “Block bogon networks” blocks traffic from IP addresses either reserved or not yet assigned by IANA. This should be left checked as well, for obvious reasons.

Save the options and move on to Interfaces -> LAN.

pfSense Setup: LAN Interface Settings

WAN

The LAN settings page in the pfSense web GUI.

Under “General Configuration”, “Enable Interface” should be checked, since unchecking it will prevent the local network from connecting to the router. “Description” allows you to type in a description of the interface.

“Type” allows you to choose an interface type. See the section on WAN settings for an explanation of each of the options. “MAC address” allows you to type in a different MAC address in order to do MAC address spoofing. Again, see the section on WAN interface settings for a more detailed explanation. “MTU” and “MSS” are also explained under WAN settings. “Speed and duplex” allows you to explicitly set speed and duplex mode for the interface; pfSense should autodetect this, so this option should be left unchanged.

If you selected “Static” for the interface, there should be a “Static IP Configuration” section with two options: “IP address” and “Gateway”. With “IP address”, you can change the IP address of the LAN interface (it defaults to 192.168.1.1).

The next section is “Private networks”. The two options are “Block private networks” and “Block bogon networks”. See the section on configuring the WAN interface for detailed explanations of these options.

That does it for WAN and LAN settings. In pfSense Setup: Part Four, I will take a look at setting up an optional interface.


The Rest of the Guide:

Part One (installation from LiveCD)

Part Two (configuration using the web GUI)

Ad Links:


© 2013 David Zientara. All rights reserved. Privacy Policy