Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] TCP Hijacking (aka Man-in-the-Middle)

from [reepex] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] TCP Hijacking (aka Man-in-the-Middle)
Date: Thu, 25 Oct 2007 12:23:00 -0500 
Hi I am sorry to hear you just woke from your coma. It is now 2007 not 1995.

On 10/25/07, Oliver <olivereatsolives@gmail.com> wrote:



Hello,

I have been searching all over the place to find an answer to this question,
but Google has made me feel unlucky these last few days. I hope I could find
more expertise here. The burning question I have been pondering over is -
could TCP connections be hijacked both ways? I know there are tools ( e.g.
Hunt) that sniffs traffic and could arbitrarily reset a connection by
spoofing the IP and MAC address. But could there be more than just that? Is
it theoretically possible to not reset the connection with the server or the
client, but play the man-in-the-middle attack?

An example network scenario of this that I could come up with is that the
hacker is within the same network as the victim (client), who is connected
to a server through a persistent TCP connection. Now the hacker could
pretend to be the server and send a TCP message (not reset/fin) to the
client and change the seq/ack numbers on the client side, and the hacker
could pretend to be the client and send a TCP message (not reset/fin) to the
server and change the seq/ack there. Thus, the seq/ack numbers are
completely out of sync for the client and server and thus would not
recognize each others messages. At this point, the hacker could relay ( i.e.
be man-in-the-middle) the messages from the client to the server and vice
versa, using the seq/ack numbers that they would accept. While this seems
pretty pointless so far, the hacker could inject messages at will to either
side of the connection, and still make the server and client believe that
they are in sync with each other ( i.e. this would not work if the hacker
does not relay the messages with the seq/ack numbers the server and client
would accept). That means the hacker goes undetected and could do whatever
he chooses, as he has "hijacked" the connection.

Is this possible? Assuming there is no hardware limitation (e.g.
router/switch blocking MAC/IP addresses from certain port). Would the TCP
protocol definition and implementation in Windows and *nixes these days
would interpret this behaviour correctly (correctly for the hacker,
incorrectly for themselves)? I imagine it would be quite a bit of work
proving this theory and perhaps some of you could enlighten me or dismiss
this concept.

Regards,
Oliver

_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] TCP Hijacking (aka Man-in-the-Middle), Oliver
Next by Date:  Re: [Full-disclosure] TCP Hijacking (aka Man-in-the-Middle), Oliver
Previous by Thread:  [Full-disclosure] TCP Hijacking (aka Man-in-the-Middle), Oliver
Next by Thread:  Re: [Full-disclosure] TCP Hijacking (aka Man-in-the-Middle), Oliver
Indexes:  [Date] [Thread] [Top] [All Lists]