General Security Concepts: Attacks • Chapter 2  67


                 Figure 2.3 A Standard TCP/IP Handshake


                                                       SYN
                                                     SYN/ACK
                                                       ACK
                                     Host A                              Host B



                    There are a few ways in which you can prevent MITM attacks from hap-
                 pening, like using a TCP/IP implementation that generates TCP sequence numbers
                 that are as close to truly random as possible.

                 TCP/IP Hijacking

                 TCP/IP hijacking, or session hijacking, is a problem that has appeared in most
                 TCP/IP-based applications, ranging from simple Telnet sessions to Web-based e-
                 commerce applications. In order to hijack a TCP/IP connection, a malicious user
                 must first have the ability to intercept a legitimate user’s data, and then insert him-
                 self or herself into that session much like a MITM attack.A tool known as Hunt
                 (www.packetstormsecurity.org/sniffers/hunt/) is very commonly used to monitor
                 and hijack sessions. It works especially well on basic Telnet or File Transfer Protocol
                 (FTP) sessions.
                    A more interesting and malicious form of session hijacking involves Web-based
                 applications (especially e-commerce and other applications that rely heavily on
                 cookies to maintain session state).The first scenario involves hijacking a user’s
                 cookie, which is normally used to store login credentials and other sensitive infor-
                 mation, and using that cookie to then access that user’s session.The legitimate user
                 will simply receive a “session expired” or “login failed” message and probably will
                 not even be aware that anything suspicious happened.The other issue with Web
                 server applications that can lead to session hijacking is incorrectly configured ses-
                 sion timeouts.A Web application is typically configured to timeout a user’s session
                 after a set period of inactivity. If this timeout is too large, it leaves a window of
                 opportunity for an attacker to potentially use a hijacked cookie or even predict a
                 session ID number and hijack a user’s session.
                    In order to prevent these types of attacks, as with other TCP/IP-based attacks,
                 the use of encrypted sessions are key; in the case of Web applications, unique and
                 pseudo-random session IDs and cookies should be used along with Secure Sockets
                 Layer (SSL) encryption.This makes it harder for attackers to guess the appropriate



                                                                              www.syngress.com