Hackers Beware

Hunt

Hunt is a program that can be used to listen, intercept, and hijack active sessions on a network. As of the writing of this book, the latest version is version 1.5. Hunt was written by Pavel Krauz, who’s Web page is http://lin.fsid.cvut.cz/~kra/index.html. Hunt came out after Juggernaut was released and built upon some of the same concepts that Juggernaut uses. Also, because it came out later, it has some additional features and enhancements. To get a full listing of the functionality and enhancements, please see the documentation that comes with Hunt. The following are some of the new features, taken from the online documentation, that Hunt offers:

•Connection management:

o Setting what connections you are interested in.

o Detecting an ongoing connection (not only SYN started).

o Normal active hijacking with the detection of the ACK storm.

oARP spoofed/normal hijacking with the detection of successful ARP spoof.

oSynchronization of the true client with the server after hijacking (so that the connection does not have to be reset).

oResetting connection.

oWatching connection.

oDaemons:

Reset daemon for automatic connection resetting.

ARP spoof/relayer daemon for ARP spoofing of hosts with the capability to relay all packets from spoofed hosts.

MAC discovery daemon for collecting MAC addresses.

Sniff daemon for logging TCP traffic with the capability to search for a particular string.

•Host resolving:

oDeferred host resolving through dedicated DNS helper servers.

•Packet engine:

oExtensible packet engine for watching TCP, UDP, ICMP, and

ARP traffic.

oCollecting TCP connections with sequence numbers and the ACK storm detection.

•Miscellaneous:

oDetermining which hosts are up.

•Switched environment:

oHosts on switched ports can be spoofed, sniffed, and hijacked too.

As you can see, Hunt has a lot of powerful features from both a passive and active session hijacking standpoint.

Installing Hunt

Installing Hunt is very straightforward. To install this program, perform the following steps:

1.Download the compressed tar file from packetstorm.securify.com.

2.Uncompress the file by typing gunzip hunt-1.5.tgz.

3.Uncompress the tar file by typing tar –xvf hunt-1.5.tar.

4.Change to the Hunt directory by typing cd hunt1-5.

5.Edit the makefile.

6.Compile the program by typing make. Note: With Linux, it is easier to download the precompiled binary file. To do this, download and uncompress the file hunt-1.5bin.tar.

7.To run Hunt, type./hunt.

In step 6, because you can download the precompiled binary, it is a lot easier to get Hunt up and running on a Linux machine. Also, because you can download the source code, you can still go through the source and figure out what is going on.

Running Hunt

To run Hunt, you type./hunt from a terminal window. After Hunt starts, the following are the main options available to the user:

[root@seclinux1 hunt-1.5]# ./hunt /*

*hunt 1.5

*multipurpose connection intruder / sniffer for Linux

*(c) 1998-2000 by kra

*/

starting hunt

--- Main Menu --- rcvpkt 0, free/alloc 63/64 ------

l/w/r) list/watch/reset connections

u)host up tests

a)arp/simple hijack (avoids ack storm if arp used)

s)simple hijack

d)daemons rst/arp/sniff/mac

o)options

Now, the user selects an option to continue.

l/w/r) list/watch/reset connections

To see a list of all active connections, you type the l command and the following is displayed:

--- Main Menu --- rcvpkt 1947, free/alloc 63/64 ------

l/w/r) list/watch/reset connections

u)host up tests

a)arp/simple hijack (avoids ack storm if arp used)

s)simple hijack

d)daemons rst/arp/sniff/mac

o)options

--- Main Menu --- rcvpkt 2157, free/alloc 63/64 ------

l/w/r) list/watch/reset connections

u)host up tests

a)arp/simple hijack (avoids ack storm if arp used)

s)simple hijack

d)daemons rst/arp/sniff/mac

o)options

x)exit

Notice that after you type the l command, the program lists the active connections and immediately displays the menu option again. This is so the user can take action on one of the connections.

Now, if you type w, you can watch one of the active connections:

l/w/r) list/watch/reset connections

u)host up tests

a)arp/simple hijack (avoids ack storm if arp used)

s)simple hijack

d)daemons rst/arp/sniff/mac

o)options

CTRL-C to break eerriicc

Password: erics-password

Last login: Sun Aug 13 14:18:28 from 207.159.90.18 [eric@seclinux1 eric]$ mmkkddiirr eerriicc

[eric@seclinux1 eric]$ ccdd eerriicc

[eric@seclinux1 eric]$

After an attacker picks a connection, the attacker can see everything that the user types. For example, he can see the user’s password being typed and then go back and log on as that user. Just watching a session can provide a lot of useful information.

As with Juggernaut, an attacker can also reset a connection. Remember, an administrator who finds an unauthorized connection on her network might also want to reset the connection to prevent any damage from being done. The following is what is displayed when a connection is reset:

l/w/r) list/watch/reset connections

u)host up tests

a)arp/simple hijack (avoids ack storm if arp used)

s)simple hijack

d)daemons rst/arp/sniff/mac

o)options

choose conn> 1

reset [s]rc/[d]st/[b]oth [b]> done

This is very easy to perform with Hunt. You just pick a connection and have it reset. As with Juggernaut, the connection is terminated and the user receives a Connect to host lost message similar to what is shown in Figure 5.5.

host up tests

This option goes through a variety of methods to see which hosts are active on a network. This gives the attacker a better idea of which IP addresses or MAC addresses can be spoofed. The following is the output from running the command:

u)host up tests

a)arp/simple hijack (avoids ack storm if arp used)

s)simple hijack

d)daemons rst/arp/sniff/mac

o)options

x) exit *> u

start ip addr [0.0.0.0]> 10.246.68.1 end ip addr [0.0.0.0]> 10.246.68.50 host up test (arp method) y/n [y]> arp...

UP 10.246.68.1

UP 10.246.68.2

UP 10.246.68.3

UP 10.246.68.26

UP 10.246.68.27

UP 10.246.68.28

UP 10.246.68.48

UP 10.246.68.50

host up test (ping method) y/n [y]> mac discovery

ping...

UP 10.246.68.33

UP 10.246.68.46

UP 10.246.68.48

UP 10.246.68.50

net ifc promisc test (arp method) y/n [y]>

choose unused MAC in your network [EA:1A:DE:AD:BE:01]> arp...

net ifc promisc test (ping method) y/n [y]>

choose unused MAC in your network [EA:1A:DE:AD:BE:02]> ping...

Hunt gives you a good idea of what hosts are available on a given segment.

arp/simple hijack

This option offers a simple interface for insertion of data into a selected connection using address resolution protocol (ARP) spoofing. By using ARP spoofing, you can avoid the ACK storm that is present with other hijacking techniques. ARP spoofing is fairly simple. When a host wants to communicate with a given IP address, he has to resolve the IP address to a MAC address, which is the address that is coded into the network interface card. Resolving the IP to MAC address is usually done through ARP, which queries a host and finds out its MAC address. If you can fool a system into thinking that the MAC address for a given IP address is your MAC address and not the real user, the machine sends the data to you thinking it is the real user. This type of attack, which is referred to as ARP

poisoning, is fairly simple but can be extremely effective. The following is the output when using this feature with Hunt:

choose conn>

--- Main Menu --- rcvpkt 163, free/alloc 63/64 ------

l/w/r) list/watch/reset connections

u)host up tests

a)arp/simple hijack (avoids ack storm if arp used)

s)simple hijack

d)daemons rst/arp/sniff/mac

o)options

choose conn> 1

arp spoof src in dst y/n [y]> src MAC [EA:1A:DE:AD:BE:01]> arp spoof dst in src y/n [y]> dst MAC [EA:1A:DE:AD:BE:02]>

input mode [r]aw, [l]ine+echo+\r, line+[e]cho [r]> dump connectin y/n [y]>

dump [s]rc/[d]st/[b]oth [b]>

print src/dst same characters y/n [n]>

By using a program like Hunt, you only need minimal knowledge of how session hijacking works. The tool takes you through all of the necessary steps, and in most cases, if you accept the default values, you will be in good shape.

simple hijack

This option allows you to inject commands into the data stream. This is an easy way to get commands executed on the remote host. The following example creates directories on the remote host, but an attacker can perform more devious actions, like create new accounts or delete information:

--- Main Menu --- rcvpkt 595, free/alloc 63/64 ------

l/w/r) list/watch/reset connections

u)host up tests

a)arp/simple hijack (avoids ack storm if arp used)

s)simple hijack

d)daemons rst/arp/sniff/mac

o)options

[r]eset connection/[s]ynchronize/[n]one [r]> done

Most of the features that Hunt performs are the same as Juggernaut, but in some cases, it is a little easier to use.

daemons rst/arp/sniff/mac

This option lets you control the daemons or threads for the program and how they work. When you select this option, it brings up the following sub-menu:

--- Main Menu --- rcvpkt 0, free/alloc 63/64 ------

l/w/r) list/watch/reset connections

u)host up tests

a)arp/simple hijack (avoids ack storm if arp used)

s)simple hijack

d)daemons rst/arp/sniff/mac

o)options

x) exit *> d

--- daemons --- rcvpkt 18, free/alloc 63/64 ------

r) reset daemon

a) arp spoof + arp relayer daemon s) sniff daemon

m) mac discovery daemon x) return

*dm>

From this menu, you can than control how the various threads work.

Options

This option also brings up the following sub-menu where you can control various parameters of the program:

l/w/r) list/watch/reset connections

u)host up tests

a)arp/simple hijack (avoids ack storm if arp used)

s)simple hijack

d)daemons rst/arp/sniff/mac

o)options

TTY Watcher

TTY Watcher is a freeware program that allows someone to monitor and hijack connections on a single host. Additional information can be found at http://www.cerias.purdue.edu. It is basically a free version of IP Watcher (which is covered in the following section) that only monitors a single machine as opposed to an entire network. TTY Watcher runs on UNIX systems and has the following functionality:

•Monitoring. Anything that either party of the communication types can be monitored and displayed on the screen. This includes information like passwords, sensitive files, and emails. Everything the user sees, you can see. It’s as if you are looking over the user’s shoulder as she types.

•Termination. To hijack a session, one of the two parties that are involved with the session must be terminated. This feature allows you to knock one of the users offline while still keeping the session active so that it can be hijacked.

•Steal. This is where the attacker actually steals or hijacks the session. This is usually done after one of the parties is terminated. You would terminate one side of the communication and take over the portion to hijack the session.

•Return. After a session has been hijacked, it can be returned to the user as if nothing happened. This is useful if you only want to hijack a session for a short amount of time.

•Send. This allows you to send a message to the real person you are communicating with. This message is only displayed to the user and not sent to the underlying process.

•Save and replay. With this feature, you can tape an entire session and play it back at a later time. This is very useful for either understanding what someone is doing on your system or for tracking an attacker so that the information can be used as evidence.

Because this program performs similar features to Hunt and Juggernaut, it will not be discussed in detail. All of these features that are available in TTY Watcher are also in available in IP Watcher, plus IP Watcher has additional features and an easy-to-use interface.

IP Watcher

IP Watcher is a commercial session hijacking tool that allows you to monitor connections and has active countermeasures for taking over a session. It is based on TTY Watcher, but provides additional functionality. IP Watcher can monitor an entire network; TTY Watcher can only monitor a single host. Because IP Watcher is commercial and has additional functionality, the old saying that “you get what you pay for” is really true. It is available from Engarde and additional information can be found at http://www.engarde.com/.

Most people think of session hijacking as a technique or tool used by an attacker to take over an existing session, but there are reasons why administrators might want to monitor and control sessions coming in and leaving their company. For example, if an administrator detects that an intruder is compromising a system, he might want to first monitor the intruder for a while. Then, at some point, the administrator might take the intruder offline if he is going to do too much damage. Also, from a forensics or information gathering perspective, having a full account of what an attacker does on a system can be extremely valuable. It also helps an administrator better understand how his system can be compromised and what an attacker was able to do. This can be extremely valuable in fixing a security hole so that the system cannot be compromised in the same fashion in the future. As with any tool that implements functionality that can be used by an attacker, the possibility for abuse arises. Yes, an administrator can use this tool to protect a system, but what stops an attacker from using these tools to break into your system? The only thing that stops him is well-informed administrators and well-protected sites. Therefore, it is critical that administrators embrace and understand these tools so that they can protect their systems.

IP Watcher is a tool that can monitor all connections on a network and inspect what information is being sent back and forth between hosts that are communicating.

The program can monitor all the connections on a network, allowing an administrator to display an exact copy of a session in real time, just as the user of the session sees the data. To monitor connections, IP Watcher has a screen that displays all active connections on a network so an administrator can choose which session to monitor or hijack.

After the administrator decides on which connection to monitor, he can select that session and see exactly what the user sees.

To use this tool, or any tool that hijacks a session, it is important to remember that the machine that is hijacking the session must be able to see the session. You cannot hijack a session that is occurring on the opposite side of the world. To hijack a session, the traffic must pass through your network so you can see it.

IP Watcher is a very powerful commercial tool that can be used to monitor traffic by hijacking sessions. It has the same features as the freeware tools like Hunt, but the interface is more straightforward and easier to use. Next, we will look at some of the dangers hijacking poses to your network

Dangers Posed by Hijacking

As with any threat, there are dangers posed if an attacker can successfully launch an attack against your network. In this section, we will look at those dangers and what harm they can do to a system. The following are some of the key issues associated with a session hijacking attack:

•Most computers are vulnerable.

•Little can be done to protect against Hijacking.

•Hijacking is simple (with the proper software).

•Hijacking is very dangerous

•Most countermeasures do not work.

Most Computers Are Vulnerable

As with most vulnerabilities, session hijacking only affects a certain operating system. Or if it affects numerous operating systems, there is usually some way to fix it with a vendor patch. Session hijacking is inherent with how TCP/IP works. Users have to be able to make connections and establish sessions with remote computers. By allowing users to do this, they are vulnerable to session hijacking attacks.