[b]Analysis of a Telnet Session Hijack via Spoofed MAC Addresses and Session Resynchronization
Introduction
The TCP/IP protocol was design for a trusting environment and therefore has insufficient security
controls. Because of the design, a number of vulnerabilities exist in the telnet, which provides a remote
terminal session, and TCP/IP protocols that allow an attacker to hijack a telnet session, thus appearing to
be the original client to the server. Located on the Internet there are many tools that can automate
attacks on TCP/IP networks. For this analysis one of those tools, "hunt," will be used to hijack a telnet
session via spoofed MAC (Media Access Control) addresses and when the attacker has completed
issuing commands, he or she will restore the original telnet connection, through a resynchronization
process.
TCP, IP and MAC Addresses
Hosts that communicate using the TCP/IP protocol basically have the same network architecture as the
OSI network model, which has 7 layers. As the flow of data moves down the network stack a header is
added to the packet at each layer and then sent down to the next layer. When the packet reaches the
destination host the reverse takes place, the header is removed and the packet is passed up to the next
layer.
The important headers and their addresses for the analysis are TCP, IP, and MAC. At the Transport
layer, the TCP headers will contain the port number (address) of each host. The client will be assigned a
port number above 1023 (in the examples the port assigned is 1103) and the server’s port number will be
a predetermined number (telnet is being used and by convention resides at port number 23). At the
Network layer, each host will provide its 4-octet IP address in the header. In the examples the client is
10.0.0.154 and the server is 10.0.0.146. At the Data Link layer, a 6-octet Ethernet MAC address is added
to the destination and source fields. Every network card has a unique MAC address that is assigned by
the IEEE and manufacturer. In the examples the MAC address for the client is 00-50-04-AD-5E-63
Introduction
The TCP/IP protocol was design for a trusting environment and therefore has insufficient security
controls. Because of the design, a number of vulnerabilities exist in the telnet, which provides a remote
terminal session, and TCP/IP protocols that allow an attacker to hijack a telnet session, thus appearing to
be the original client to the server. Located on the Internet there are many tools that can automate
attacks on TCP/IP networks. For this analysis one of those tools, "hunt," will be used to hijack a telnet
session via spoofed MAC (Media Access Control) addresses and when the attacker has completed
issuing commands, he or she will restore the original telnet connection, through a resynchronization
process.
TCP, IP and MAC Addresses
Hosts that communicate using the TCP/IP protocol basically have the same network architecture as the
OSI network model, which has 7 layers. As the flow of data moves down the network stack a header is
added to the packet at each layer and then sent down to the next layer. When the packet reaches the
destination host the reverse takes place, the header is removed and the packet is passed up to the next
layer.
The important headers and their addresses for the analysis are TCP, IP, and MAC. At the Transport
layer, the TCP headers will contain the port number (address) of each host. The client will be assigned a
port number above 1023 (in the examples the port assigned is 1103) and the server’s port number will be
a predetermined number (telnet is being used and by convention resides at port number 23). At the
Network layer, each host will provide its 4-octet IP address in the header. In the examples the client is
10.0.0.154 and the server is 10.0.0.146. At the Data Link layer, a 6-octet Ethernet MAC address is added
to the destination and source fields. Every network card has a unique MAC address that is assigned by
the IEEE and manufacturer. In the examples the MAC address for the client is 00-50-04-AD-5E-63
No comments:
Post a Comment