TCP/IP Question
- FallenZer0
Say, you are on a LAN with a Network Analyzer and monitoring the network traffic. You see a PC on the LAN that has established a TCP connection with one of the Financial Institutions that provide online banking.
Now, let's say you capture a packet with TCP headers that is coming from the bank to the host on the LAN. Isn't this a scary situation? Why do I say that?
You can read the Sequence/Acknowledgment Numbers from the TCP segment, which gives one the ability to construct NEW TCP headers, and you also know the Source/Destination IP addresses from the packet. Before the host on the LAN responds, the person monitoring the traffic can send out a packet with new TCP headers and take over the session. If anyone thinks this ain't possible, I would suggest THINK a Million times.
Has anyone done this type of Pen-Testing? If you did, I would greatly appreciate it if you can share your experiences.
-There Is A Foolish Corner In The Brain Of The Wisest Man- Aristotle
The scenario you talk about is possible, as you correctly note. If I remember, there must be such an example in the TCP segment analysis, but there are a few requirements.
The hijacker must know the ISN (Initial Sequence Number) algorithm used by the customer's system connecting to the Internet Banking server.
This is required in order to successfully generate the next correct sequence number to be sent to the Internet Banking server and minimise all possibilities for the attack to fail.
To determine the ISN algorithm, the attacker must further know the operating system the customer is using and a few sample packets from the customer's session.
If we assume all the above information is obtainable, then it's simply a matter of time until the hijack is performed.
Closing, let me note that when the hijack starts, the attacker must flood the customer with data in order to keep it busy and stop it from sending any packets to the Internet banking server.
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
- FallenZer0
FallenZero,
The scenario you talk about is possible, as you correctly note. If I remember, there must be such an example in the TCP segment analysis, but there are a few requirements.
The hijacker must know the ISN (Initial Sequence Number) algorithm used by the customer's system connecting to the Internet Banking server.
--Why should the hijacker know the ISN algorithm? What am I missing?
This is required in order to successfully generate the next correct sequence number to be sent to the Internet Banking server and minimise all possibilities for the attack to fail.
--Allow me to put my 2 cents here. Let's analyze the packet below.
TIME: 00:00:00.000000 (0.000000)
LINK: 00:00:00:00:00:00 -> 00:00:00:00:00:00 type=IP
IP: 10.0.0.1 -> 10.0.0.2 hlen=20 TOS=10 dgramlen=41 id=956E
MF/DF=0/1 frag=0 TTL=64 proto=TCP cksum=914E
TCP: seq=1746120351 ack=3205630361
hlen=20 (data=1) UAPRSF=011000 wnd=17520 cksum=0EE2 urg=0
DATA: e
Let's say you captured the above packet coming from the Bank.
As we can see from the Sequence/Acknowledgment Number values above, they give the hijacker the ability to predict exactly the Next Sequence Number as well as the Acknowledgment Number. Please correct me here if I am wrong. If I were the hijacker my values would be
Sequence Number = 3205630361
Acknowledgment Number = 1746120352
To determine the ISN algorithm, the attacker must further know the operating system the customer is using and a few sample packets from the customer's session.
--Is the ISN algorithm, OS dependent?
Closing, let me note that when the hijack starts, the attacker must flood the customer with data in order to keep it busy and stop it from sending any packets to the Internet banking server.
--Agreed.
-There Is A Foolish Corner In The Brain Of The Wisest Man- Aristotle
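The arithmetic in the post above is the same continuity check a network monitor or IDS applies to every segment it sees: the reply that legitimately follows a captured segment must carry seq equal to the captured ack and must not acknowledge more than seq plus the sequence space the segment consumed. The following script is an added example (not code from the thread or from Firewall.cx); it parses the text dump format shown in the post, computes the expected reply values, and flags a reply segment that does not fit the stream, which is how a defender would spot an injected segment. The dump text, the window size used and the reply segments are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed dump in the same text format as the thread's packet (values copied from the post).
CAPTURE = """\
TIME: 00:00:00.000000 (0.000000)
LINK: 00:00:00:00:00:00 -> 00:00:00:00:00:00 type=IP
IP: 10.0.0.1 -> 10.0.0.2 hlen=20 TOS=10 dgramlen=41 id=956E
MF/DF=0/1 frag=0 TTL=64 proto=TCP cksum=914E
TCP: seq=1746120351 ack=3205630361
hlen=20 (data=1) UAPRSF=011000 wnd=17520 cksum=0EE2 urg=0
DATA: e
"""

MOD32 = 1 << 32  # TCP sequence numbers are 32-bit and wrap


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    data_len: int
    flags: str  # the six UAPRSF bits as a string, e.g. "011000"


def parse_dump(text):
    """Pull addresses, seq/ack, payload length and flags out of the dump format above."""
    m_ip = re.search(r"^IP: (\S+) -> (\S+)", text, re.M)
    m_tcp = re.search(r"^TCP: seq=(\d+) ack=(\d+)", text, re.M)
    m_len = re.search(r"\(data=(\d+)\) UAPRSF=([01]{6})", text)
    if not (m_ip and m_tcp and m_len):
        raise ValueError("dump does not contain the expected IP/TCP lines")
    return Segment(m_ip.group(1), m_ip.group(2), int(m_tcp.group(1)),
                   int(m_tcp.group(2)), int(m_len.group(1)), m_len.group(2))


def consumed(seg):
    """Sequence space a segment uses: payload bytes, plus one each for SYN and FIN."""
    syn = seg.flags[4] == "1"
    fin = seg.flags[5] == "1"
    return seg.data_len + int(syn) + int(fin)


def expected_reply(seg):
    """Values the receiver's next segment must carry to continue this stream."""
    return {"seq": seg.ack, "ack": (seg.seq + consumed(seg)) % MOD32}


def in_window(value, left_edge, window):
    """True if value lies in [left_edge, left_edge + window) modulo 2^32."""
    return (value - left_edge) % MOD32 < window


def check_reply(observed, captured, receiver_wnd):
    """Defender-side check: list the ways a reply segment fails to fit the captured stream."""
    exp = expected_reply(captured)
    problems = []
    if not in_window(observed.seq, exp["seq"], receiver_wnd):
        problems.append("seq outside the window the other side advertised")
    ahead = (observed.ack - exp["ack"]) % MOD32
    if 0 < ahead < (1 << 31):  # acknowledging bytes the sender never transmitted
        problems.append("ack runs ahead of data actually sent")
    return problems


if __name__ == "__main__":
    bank_seg = parse_dump(CAPTURE)
    print("expected reply from", bank_seg.dst, expected_reply(bank_seg))
    good = Segment("10.0.0.2", "10.0.0.1", 3205630361, 1746120352, 0, "010000")
    odd = Segment("10.0.0.2", "10.0.0.1", 3205630361 + 100000, 1746120400, 0, "010000")
    print("legitimate reply problems:", check_reply(good, bank_seg, 17520))
    print("injected reply problems:", check_reply(odd, bank_seg, 17520))
```

The window used for the seq check is the one the bank advertised (wnd=17520 in the dump); a real monitor would track each direction's advertised window separately and also account for retransmissions, which this example omits.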
Case one:
Hijack your DNS request and reply to a server I control
Divert the flow of your connection with ARP spoofing
Proxy your SSL requests for you..
use ettercap, it does exactly that.
As far as attack away from a LAN goes, it *was* possible.. do some research on the Mitnick Christmas day attacks against Tsutomu Shimomura.. it is the same thing.. however most O/S's today generate significantly decent entropy data for the ISN...
I have done some research on this, using hping to sample about 25000 samples of sequence numbers from Linux and Windows boxen, threw them into Excel and made a few graphs.. you will find that Windows generates pseudo random numbers in a fairly predictable pattern..
You have obviously not played with nmap too much.. run it against a host with the -O -v switches.. you will get the TCP sequence number prediction
However, in the real world, complicated hacks almost always fail. There are too many variables... not to mention maintaining a blind session (as it is called) is very very difficult... unless you know exactly what packet sequences to expect.. this used to be used to attack the R services (rlogin, rsh etc).. which are deprecated...
Cheers,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
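The post above describes measuring ISN quality from sampled sequence numbers, which is also what nmap's -O output summarises as a sequence prediction difficulty. The script below is an added example (not from the thread, Firewall.cx or nmap) of the defender-side audit: it takes a list of ISN samples, looks at the differences between consecutive values, and turns them into a rough difficulty index. The index formula (8 times log2 of the standard deviation of the gcd-scaled differences) and the band labels are simplifications assumed for this example rather than nmap's exact method, and the three sample sets are constructed generators standing in for hping captures: a fixed 64000 increment, a clock-driven ISN with small jitter, and a fully random one.

```python
import math
import random
from collections import Counter
from functools import reduce

MOD32 = 1 << 32


def isn_differences(samples):
    """Differences between consecutive ISNs, modulo 2^32 so wraparound does not distort them."""
    return [(b - a) % MOD32 for a, b in zip(samples, samples[1:])]


def seq_index(samples):
    """Simplified difficulty index (assumed formula, not nmap's code):
    gcd-scale the differences, then take 8 * log2 of their standard deviation."""
    diffs = isn_differences(samples)
    if not diffs:
        raise ValueError("need at least two samples")
    g = reduce(math.gcd, diffs)
    if g == 0:  # every sample identical
        return 0
    scaled = [d // g for d in diffs]
    mean = sum(scaled) / len(scaled)
    sd = math.sqrt(sum((d - mean) ** 2 for d in scaled) / len(scaled))
    if sd < 1:
        return 0
    return round(8 * math.log2(sd))


def modal_fraction(samples):
    """Share of differences equal to the most common one; 1.0 means a constant increment."""
    diffs = isn_differences(samples)
    return Counter(diffs).most_common(1)[0][1] / len(diffs)


def classify(index):
    """Bands chosen for this example; treat anything below 'adequate' as worth fixing."""
    if index < 10:
        return "trivial"
    if index < 100:
        return "weak"
    return "adequate"


# Constructed sample sets (200 ISNs each) standing in for hping captures.
def constant_increment(n=200, base=123456789, step=64000):
    return [(base + step * k) % MOD32 for k in range(n)]


def clocked_with_jitter(n=200, base=987654321, tick=250000, seed=7):
    rng = random.Random(seed)
    return [(base + tick * k + rng.randrange(0, 1000)) % MOD32 for k in range(n)]


def fully_random(n=200, seed=1234):
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


def audit(samples):
    """Return the numbers a practitioner would record for one host."""
    idx = seq_index(samples)
    return {"index": idx, "band": classify(idx), "modal_fraction": round(modal_fraction(samples), 3)}


if __name__ == "__main__":
    for name, gen in (("constant 64000 increment", constant_increment),
                      ("clock plus jitter", clocked_with_jitter),
                      ("32-bit random", fully_random)):
        print(f"{name:26s} {audit(gen())}")
```

Against real hosts the samples come from repeated SYN/SYN-ACK exchanges (hping or nmap will collect them); the point of the modal fraction alongside the index is that a generator can have a large standard deviation yet still be mostly a constant step with occasional jumps, which the index alone hides.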
- FallenZer0
As far as attack away from a LAN goes, it *was* possible.. do some research on the Mitnick Christmas day attacks against Tsutomu Shimomura.. it is the same thing.. however most O/S's today generate significantly decent entropy data for the ISN...
--I've seen it.
You have obviously not played with nmap too much..
--What makes you come to that type of conclusion? If you see other people NOT speaking in your language, would you assume, others don't know it? Rule No 1: Don't Assume Others Are Ignorant.
However, in the real world, complicated hacks almost always fail. There are too many variables...
--This kind of Thinking in People are Exactly what Black Hats are looking for to Compromise systems/Own Systems. There is NO such thing as Too Many Variables or That Can't Be Done.
Cheers,
-There Is A Foolish Corner In The Brain Of The Wisest Man- Aristotle
a) the fact that you 'have just started with computers'
b) sequence number prediction is *old* news
c) your questions deal with elementary networking, this is not hardcore research.
d) if you had experience with the tools, the answers to these questions would have been obvious.
I am willing to spend as much time as you like to debate this, however before I invest my time, I would like you to provide some show of where your authority on the issue comes from. I am merely asking for some credentials / experience / ANYTHING based on which I can target my discussion with you.
It is very easy to say things like
Rule No 1: Don't Assume Others Are Ignorant.
When you don't actually contribute anything to the content of the discussion. I have not seen you answer a technical question nor provide any input to this debate that is anything other than random criticism. While you may argue that this is not a criteria for having a discussion on the subject, I find it strange that you can expect people to take you seriously when you have shown nothing, and proved nothing, to earn any respect.
stating that you are 'dangerous', have an 'open mind', and claiming a keen insight seems IMHO childish.
My apologies if you find my views strong, most people will attest that I will go out of my way to assist / engage in fruitful debate, and I have nothing to prove here. However this just doesn't seem to be going anywhere....
Regards,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com