OSI: Securing the Stack, Layer 5 -- session hijacking

To help secure your systems against session hijacking, this tip walks you through the steps hackers use to hijack active sessions and take over your network. You'll also learn how to detect and prevent session hijacking attacks, a major security concern at the session layer -- Layer 5 of the OSI model.

Layer 5 of the OSI model is the session layer. The session layer sets up, manages and terminates exchanges and conversations. Since Layer 5 deals with session and connection coordination, this month's article discusses session hijacking.

Session hijacking occurs when an attacker attempts to take over an established TCP session between two computers. The basic steps of session hijacking include:

  1. Find a target with an active session.
  2. Guessing the sequence numbers.
  3. Taking one of the users offline.
  4. Taking over the session.

Session hijacking is not new. Probably the most famous session hijack was the one performed by Kevin Mitnick on Christmas day 1994. This incident led to an increased awareness of the vulnerabilities that make session hijacking possible. The goal of session hijacking is to steal an authenticated connection to an active system. If the attacker is successful, he will have the ability to execute commands locally. If he hijacks a privileged account, the attacker will have the same level of access as the privileged user.

Securing the stack series
Bookmark this index for our securing the stack series.

What makes session hijacking so dangerous is that there will be little evidence of an attack, because the exploit allows control of an existing account. Two of the tools used for session hijacking are Ettercap and Hunt.

The steps of session hijacking

The first step of this attack requires the attacker to find an active session. This requires that the attacker sniff traffic on the subnet. He will be looking for an established TCP session such as FTP. If the network uses a hub, sniffing it is a trivial event. A switched network will require the attacker to perform Address Resolution Protocol (ARP) poisoning.

Next, the attacker must be able to guess the correct sequence number. Remember that a fundamental design of TCP is that every byte of data transmitted must have a sequence number. The sequence number is used to keep track of the data and to provide reliability. An initial sequence number is generated at the first step of the TCP handshake. This value is used by the destination system to acknowledge the bytes sent. The sequence number field is 32 bits long. This means that there are about 4,294,967,295 possible sequence numbers. Once a sequence number has been agreed to, the count will increment by one for each byte of data. Years ago, sequence number prediction was much easier because operating system vendors didn't use an efficient method for generating random initial sequence numbers. Modern operating systems have improved on this. If you are curious how your systems produce random sequence numbers, tools such as Nmap can help you gauge the difficulty of predicting sequence numbers for any particular operating system.

Once the sequence number has been determined, the attacker is ready to take the legitimate user offline. Techniques for this include denial of service, source routing, or sending a reset to the user. No matter which technique is used, the objective is to get the user out of the communication path and trick the server into believing that the attacker is the legitimate client.

If these steps have been successful, the attacker will now have control of the session. As long as the session is maintained, the attacker has authenticated access. This access can be used to execute commands locally in an attempt to further leverage the hacker's position.

Preventing and detecting session hijacking

There are two main mechanisms for dealing with hijacking problems: prevention and detection. Preventive measures include limiting incoming connections and also configuring your network to reject packets from the Internet that claim to originate from a local address.

Encryption can also help. If you must allow outside connections from trusted hosts, use Kerberos or IPsec. Use more secure protocols; FTP and Telnet are most vulnerable. Secure Shell (SSH) is a good alternative. SSH establishes an encrypted channel between the local and remote host. Detection can be improved by using IDS or IPS systems. The use of switches, protocols such as SSH, and the more random initial sequence numbers have made session hijacking more difficult. Still, network administrators shouldn't be lulled into a sense of security. While session hijacking may not be as easy as in the past, it still represents a potential threat. Network attacks that allow someone to have an authenticated connection to one of your systems need to be dealt with!

About the author:
Michael Gregg has more than 15 years of experience in IT. He is the president of Superior Solutions Inc., a Houston-based training and consulting firm. Michael is an expert on networking, security and Internet technologies. He holds two associate degrees, a bachelor's degree and a master's degree. He presently maintains the following certifications: MCSE, MCT, CTT, A+, N+, CNA, CCNA, CIW Security Analyst and TICSA.

Dig Deeper on Network security

Unified Communications
Mobile Computing
Data Center