Non blind IP Spoofing and Session Hijacking: A Diary From the Garden of Good and Evil Authors: Eric Hines [firstname.lastname@example.org] Jamie Gamble [email@example.com] Date: February 25, 2002
Introduction This paper makes no assumptions of prior knowledge in TCP session hijacking or blind and nonblind IP spoofing. We will cover all basics and provide both a novice and advanced introduction to these topics. Although there are countless papers and books on the subject of TCP/IP, I always believe that there exists a much less intricate definition that can be provided by other people. We aim to provide our definition in an effort to hopefully clearly articulate this often convoluted labyrinth of networking. First off, what exactly is TCP Hijacking? The meticulous craft of TCP hijacking is simple. The exploit relies on the violation of trust relationships between 2 communicating hosts. An attacker can grab unencrypted traffic from a victim’s network-based TCP application, further tampering with the authenticity and integrity of the data before forwarding it on to the unsuspecting target. The first phase of solving this labyrinth is to understand the TCP/IP protocol suite. When two computers on the Internet wish to establish a session with each other, a much more intricate processes take place other than loading Netscape and hitting [go]. Communication over the Internet is conducted through packets, a process involving multiple layers. Packets first traverse down the stack of the sending host, than reverse up the stack at the remote. Each layer in the stack wraps the packet on the sending side and than unwraps it at each layer on the receiving. This stack, also known as the TCP/IP Internet model consists of four layers (not to be confused with all 7 layers of the OSI standards model). Each layer of the stack adds its own proprietary "tag" to each segment of the packet. I have documented the communication processes between stacks in the below diagram.
1. Application Layer The application layer is the topmost layer (the request for a Web page in the preceding example). In this example, the Application layer would be the web browser, Netscape; a graphical interface to browsing the web. 2. Transport Layer Below the application layer lays the Transport layer. This layer controls many of the aspects in management and initiation of communication between two hosts. TCP operates at the Transport layer ensuring reliability of data transported over inherently unreliable communication platforms. This layer is responsible for appending the TCP header to the datagram. 3. Network Layer Below the Transport Layer is the network layer. Routers providing service at this layer offer functionality for the journey of data from its source to destination host, one hop at a time. This layer is responsible for appending the IP header of to the TCP header of the packet. 4. Link Layer This layer is primarily responsible for the transport of data from a host to the physical medium over which it resides. It is responsible for the delivery of signals from source to destination host over a physical communication platform, which in this case is Ethernet. This layer appends the frame header to the IP header of the datagram.
The encapsulation of a packet is very simple. Each layer as mentioned previously attaches its own header to each layer of the packet, in effect ultimately creating a multilayered frame, or packet that is sent over the wire. Diagram 1b places the individual technologies in its respective layer in the stack.
Dissecting the (3) Three Way Handshake When (2) hosts are connected to the same network and host A wishes to communicate with host B, host A sends out what is referred to as an ARP (Address Resolution Protocol) broadcast. In order for packets to be routed across the network, host A must know what the MAC Address is of the destination machine (B). Destination host B responds with it’s MAC address to the ARP request. After host A receives...
Please join StudyMode to read the full document