66 Chapter 2 • General Security Concepts: Attacks
only have two choices, but some don't have proper error handling routines. This may sound like a really trivial and uncommon attack methodology, because it is easy to catch from the programming standpoint. However, as mentioned earlier, mistakes do happen. For example, consider the lesson learned by an early e-commerce site. Their shopping cart program would allow users to enter negative numbers of items into their cart. A malicious user could order -2 books at $50 each, and would be credited $100 on his or her credit card. This continued for several days before an accountant caught the problem. It is extremely important for a programmer to completely check all input a program receives, and to clean it or sanitize it to avoid introducing vulnerabilities while parsing the input.
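The shopping cart bug above, reproduced beside the input check that closes it. This is an added example, not code from the study book or from the site it describes; the catalogue, prices, the 1..100 quantity limit and the function names are constructed for illustration. The flawed version trusts whatever quantity the user typed; the hardened version accepts only a plain decimal integer in an allowed range and rejects everything else (negative numbers, zero, floats, exponent notation, oversized values) before it ever reaches the arithmetic.

```python
"""Added example (not from the study book): quantity validation for a shopping cart."""
import re
from decimal import Decimal

# Constructed catalogue: item name -> unit price in dollars.
CATALOGUE = {"book": Decimal("50.00"), "pen": Decimal("2.50")}

# Constructed business rule: no single line item may exceed 100 units.
MAX_QTY = 100

# Only 1 to 3 ASCII digits; no sign, no whitespace, no '.', no 'e'.
_QTY_RE = re.compile(r"[0-9]{1,3}")


def total_unchecked(cart):
    """The flawed version: multiplies price by whatever quantity was supplied.

    With cart = {"book": -2} this returns Decimal("-100.00"), i.e. a credit,
    which is exactly the failure described in the text.
    """
    return sum(CATALOGUE[item] * qty for item, qty in cart.items())


def parse_quantity(raw):
    """Validate one user-supplied quantity and return it as an int.

    Raises ValueError for anything that is not a positive integer in
    [1, MAX_QTY], so the caller must handle the rejection explicitly instead
    of silently continuing with a bad value.
    """
    if not isinstance(raw, str) or _QTY_RE.fullmatch(raw) is None:
        raise ValueError(f"quantity must be a positive integer, got {raw!r}")
    qty = int(raw)
    if qty < 1 or qty > MAX_QTY:
        raise ValueError(f"quantity {qty} outside allowed range 1..{MAX_QTY}")
    return qty


def total_checked(raw_cart):
    """The hardened version: every item and quantity is validated first."""
    total = Decimal("0")
    for item, raw_qty in raw_cart.items():
        if item not in CATALOGUE:
            raise ValueError(f"unknown item {item!r}")
        total += CATALOGUE[item] * parse_quantity(raw_qty)
    return total


def rejects(raw_qty):
    """True if the hardened path refuses this quantity string for one book."""
    try:
        total_checked({"book": raw_qty})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unchecked, -2 books:", total_unchecked({"book": -2}))      # -100.00
    print("checked, 2 books + 4 pens:", total_checked({"book": "2", "pen": "4"}))
    for bad in ["-2", "0", "2.5", "1e3", " 2", "999", ""]:
        print(f"checked, {bad!r}: rejected={rejects(bad)}")
```

The validation is deliberately an allow-list (a short run of ASCII digits) rather than a deny-list of known-bad characters; the range check then enforces the business rule separately from the syntax check, so a value such as `999` is refused even though it is a well-formed integer.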
MITM Attacks
As you have probably already begun to realize, the TCP/IP protocols were not designed with security in mind and contain a number of fundamental flaws that simply cannot be fixed due to the nature of the protocols. One issue that has resulted from IPv4's lack of security is the MITM attack. To fully understand how a MITM attack works, let's quickly review how TCP/IP works.

TCP/IP was formally introduced in 1974 by Vinton Cerf. The original purpose of TCP/IP was not to provide security; it was to provide high-speed communication network links.
A TCP/IP connection is formed with a three-way handshake. As seen in Figure 2.3, a host (Host A) that wants to send data to another host (Host B) will initiate communications by sending a SYN packet. The SYN packet contains, among other things, the source and destination IP address as well as the source and destination port numbers. Host B will respond with a SYN/ACK. The SYN/ACK from Host B prompts Host A to send a final ACK, and the connection is established.
If a malicious individual can place himself between Host A and Host B, for example by compromising an upstream router belonging to the ISP of one of the hosts, he can then monitor the packets moving between the two hosts. It is then possible for the malicious individual to analyze and change the packets going to and coming from either host. It is quite easy for a malicious person to perform this type of attack on Telnet sessions, but the attacker must first be able to predict the right TCP sequence number and properly modify the data for this type of attack to actually work—all before the session times out waiting for the response. Obviously, doing this manually is hard to pull off; however, tools designed to watch for and modify specific data have been written and work very well.
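The handshake just described, carried through with both hosts' messages and the sequence-number bookkeeping that follows from it. This is an added example, not code from the study book; the `Endpoint` and `Segment` classes, the addresses, the fixed receive window and the function names are constructed for illustration, and it models only the parts of TCP the text touches (SYN, SYN/ACK, ACK, and the receiver's in-window check on later segments). It shows why the text says an attacker must predict the right sequence number: Host B discards a segment whose sequence number is outside the window it expects, and a randomised initial sequence number is what keeps that number from being guessable. The session uses the Telnet port named in the text.

```python
"""Added example (not from the study book): toy TCP three-way handshake and
receiver-side sequence-number acceptance check."""
import secrets
from dataclasses import dataclass, field

MOD = 2 ** 32        # sequence numbers wrap at 32 bits
WINDOW = 65535       # constructed receive window for the acceptance test


@dataclass
class Segment:
    src: tuple            # (ip, port), as carried in the IP/TCP headers
    dst: tuple
    flags: frozenset      # subset of {"SYN", "ACK"}
    seq: int
    ack: int = 0
    payload: bytes = b""


@dataclass
class Endpoint:
    addr: tuple
    state: str = "CLOSED"
    snd_nxt: int = 0      # next sequence number this host will send
    rcv_nxt: int = 0      # next sequence number expected from the peer
    received: list = field(default_factory=list)

    @staticmethod
    def _isn():
        # Randomised initial sequence number; a predictable ISN is what made
        # sequence guessing practical against older stacks.
        return secrets.randbelow(MOD)

    def connect(self, peer):
        """Host A: send SYN."""
        self.snd_nxt = self._isn()
        self.state = "SYN-SENT"
        return Segment(self.addr, peer, frozenset({"SYN"}), self.snd_nxt)

    def accept(self, syn):
        """Host B: answer a SYN with SYN/ACK."""
        if syn.flags != {"SYN"}:
            raise ValueError("expected a bare SYN")
        self.rcv_nxt = (syn.seq + 1) % MOD       # the SYN consumes one sequence number
        self.snd_nxt = self._isn()
        self.state = "SYN-RECEIVED"
        return Segment(self.addr, syn.src, frozenset({"SYN", "ACK"}), self.snd_nxt, self.rcv_nxt)

    def complete(self, synack):
        """Host A: check the SYN/ACK and send the final ACK."""
        if synack.flags != {"SYN", "ACK"} or synack.ack != (self.snd_nxt + 1) % MOD:
            raise ValueError("SYN/ACK does not acknowledge our SYN")
        self.snd_nxt = (self.snd_nxt + 1) % MOD
        self.rcv_nxt = (synack.seq + 1) % MOD
        self.state = "ESTABLISHED"
        return Segment(self.addr, synack.src, frozenset({"ACK"}), self.snd_nxt, self.rcv_nxt)

    def established(self, ack):
        """Host B: the final ACK completes the handshake."""
        if ack.flags != {"ACK"} or ack.ack != (self.snd_nxt + 1) % MOD:
            raise ValueError("ACK does not acknowledge our SYN/ACK")
        self.snd_nxt = (self.snd_nxt + 1) % MOD
        self.state = "ESTABLISHED"

    def send(self, peer, payload):
        """Emit a data segment and advance SND.NXT by its length."""
        seg = Segment(self.addr, peer, frozenset({"ACK"}), self.snd_nxt, self.rcv_nxt, payload)
        self.snd_nxt = (self.snd_nxt + len(payload)) % MOD
        return seg

    def deliver(self, seg):
        """Receiver acceptance test: 'accepted', 'buffered' or 'dropped'."""
        if self.state != "ESTABLISHED" or (seg.seq - self.rcv_nxt) % MOD >= WINDOW:
            return "dropped"                      # outside [RCV.NXT, RCV.NXT + WINDOW)
        if seg.seq != self.rcv_nxt:
            return "buffered"                     # in window but out of order
        self.received.append(seg.payload)
        self.rcv_nxt = (self.rcv_nxt + len(seg.payload)) % MOD
        return "accepted"


def run_session():
    """Handshake, one in-order data segment, then one with a badly guessed sequence number."""
    a = Endpoint(("10.0.0.1", 40000))             # constructed addresses
    b = Endpoint(("10.0.0.2", 23))                # Telnet port, as in the text
    b.established(a.complete(b.accept(a.connect(b.addr))))
    legit = b.deliver(a.send(b.addr, b"login: "))
    # A segment built without knowledge of the handshake: right addresses and
    # ports, wrong sequence number. Host B has no reason to act on it.
    guessed = Segment(a.addr, b.addr, frozenset({"ACK"}),
                      (b.rcv_nxt + WINDOW + 1) % MOD, b.snd_nxt, b"x")
    stray = b.deliver(guessed)
    return a, b, legit, stray


if __name__ == "__main__":
    a, b, legit, stray = run_session()
    print(a.state, b.state, "in-order segment:", legit, "guessed-seq segment:", stray)
```

Real stacks also check the ACK field and the TCP checksum, and treat an in-window but out-of-order segment by buffering it rather than discarding it; the model keeps only the sequence-number window because that is the hurdle the text singles out. Note that the window check is a correctness mechanism, not a security boundary: it is what makes on-path observation of the handshake necessary, and why encrypting the session (rather than relying on Telnet's cleartext) is the actual defence.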
www.syngress.com