Fwd: FW: session-hijacking is still available?

From: crawford charles (biv0uac17@hotmail.com)
Date: 04/04/03

    From: "crawford charles" <biv0uac17@hotmail.com>
    To: chulmin2@hotmail.com
    Date: Fri, 04 Apr 2003 18:46:37 +0000
    
    

    I had thought that the original thesis was that for older TCP
    implementations, an attacker could make a reasonable guess about the
    starting sequence number of a new TCP session, given the sequence numbers
    for a previous one (i.e. one he could observe). Then he would attempt to
    hijack a subsequent TCP session that he might not be able to observe, but
    could predict or infer. Newer TCP implementations start the sequence number
    for each new session at a random value, and increment from there. But
    sequence numbers still have to increment monotonically (presumably by the
    number of bytes in each TCP PDU).

    If an attacker can monitor the link between the client and server of a TCP
    session in real-time, and can inject packets "fast enough", he can still
    hijack a session, as the sequence numbers for the hijacked session will be
    directly observable. The counter to this level of attack is to encrypt,
    preferably at the IP layer (one can still encrypt at the TCP layer,
    preventing the hijacker from doing anything "useful", but the victim session
    is still disrupted -- DoS).

    >-----Original Message-----

    From: SB CH [mailto:chulmin2@hotmail.com]
    Sent: Thursday, April 03, 2003 8:44 PM
    To: security-basics@securityfocus.com
    Subject: session-hijacking is still available?

    Hello, all.

    If an attacker can do session hijacking, he can know the seq number change,
    ack seq number change, something like that.
    But I have heard that modern systems like Linux kernel 2.4.x or OpenBSD
    produce almost random seq numbers, so session hijacking is almost impossible
    these days.

    Is it true or not?
    Can anyone still do session hijacking using a session hijacking program like
    hunt?

    Thanks in advance.
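
An added example, not part of the original thread: it contrasts the two cases the reply describes, an initial sequence number (ISN) that can be extrapolated from earlier sessions versus one chosen at random, and shows that within a session every later sequence number follows from one observed value. The fixed-step legacy generator, its start and step values, and the guessing window are constructed assumptions for illustration, not the behaviour of any particular stack.

```python
import secrets

MOD = 2**32  # TCP sequence numbers are 32-bit and wrap around

def legacy_isns(n, start=1_000_000, step=64_000):
    """Constructed model of an older stack: global counter, fixed step per session."""
    return [(start + i * step) % MOD for i in range(n)]

def random_isns(n):
    """Model of a newer stack as described above: random 32-bit start per session."""
    return [secrets.randbelow(MOD) for _ in range(n)]

def guess_hit_rate(isns, window=65_535):
    """Share of ISNs that extrapolating the previous delta lands within `window` of."""
    hits = trials = 0
    for a, b, actual in zip(isns, isns[1:], isns[2:]):
        guess = (b + (b - a)) % MOD
        err = min((actual - guess) % MOD, (guess - actual) % MOD)  # wrap-aware distance
        hits += err <= window
        trials += 1
    return hits / trials if trials else 0.0

def classify(isns, threshold=0.5):
    """Audit verdict for a series of ISNs collected from one host."""
    return "predictable" if guess_hit_rate(isns) >= threshold else "randomized"

def in_session_seqs(isn, payload_lengths):
    """Sequence number of each data segment: the SYN consumes one number, then the
    value advances by the bytes sent, so one observed segment fixes all later ones."""
    seq, out = (isn + 1) % MOD, []
    for length in payload_lengths:
        out.append(seq)
        seq = (seq + length) % MOD
    return out

if __name__ == "__main__":
    print("legacy :", classify(legacy_isns(50)))
    print("random :", classify(random_isns(2000)))
    print("in-session:", in_session_seqs(4294967290, [10, 20, 5]))
```

Randomizing the ISN changes the first verdict but not the last function's output, which is why the reply points to encryption for an attacker who can watch the link.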


