Introduction

This paper makes no assumptions of prior knowledge in TCP session hijacking or blind and non-blind IP spoofing. We will cover all the basics and provide both a novice and an advanced introduction to these topics. Although there are countless papers and books on the subject of TCP/IP, I have always believed that a much less intricate definition can be given by someone else. We aim to provide our definition in an effort to clearly articulate this often convoluted labyrinth of networking.

First off, what exactly is TCP hijacking? The meticulous craft of TCP hijacking is simple. The exploit relies on the violation of trust relationships between two communicating hosts. An attacker can grab unencrypted traffic from a victim's network-based TCP application, tamper with the authenticity and integrity of the data, and then forward it on to the unsuspecting target.

The first phase of solving this labyrinth is to understand the TCP/IP protocol suite. When two computers on the Internet wish to establish a session with each other, a much more intricate process takes place than loading Netscape and hitting [go]. Communication over the Internet is conducted through packets, a process involving multiple layers. Packets first traverse down the stack of the sending host, then back up the stack at the remote host. Each layer in the stack wraps the packet on the sending side, and each layer unwraps it in turn on the receiving side. This stack, also known as the TCP/IP Internet model, consists of four layers (not to be confused with the seven layers of the OSI reference model). Each layer of the stack adds its own "tag" (a header) to each segment of the packet. I have documented the communication process between stacks in the diagram below.
1. Application Layer