
CEH-Bk3_Ch01-Review Question Answers

Testbanks Dec 29, 2025 ★★★★★ (5.0/5)

  • What is the main difference between active hijacking and passive hijacking?
  • The essential difference between an active and passive hijack is that while an active attack takes over an existing session, a passive hijack monitors an ongoing session.

  • In what situations might a hacker decide to use passive hijacking?
  • A passive attack uses sniffers on the network, allowing attackers to obtain information such as user IDs and passwords. The attacker can later use this information to log on as a valid user and take over privileges. Password sniffing is the simplest attack when raw access to a network is obtained. In an active attack, the attacker takes over an existing session by either tearing down the connection on one side of the conversation or by actively participating. On most current networks, sequence number prediction does not work because operating system vendors use random values for the initial sequence number, which makes sequential numbers harder to predict.

  • What are the four layers of a TCP stack? What is each one’s role in hijacking?
  • IE works at the application layer. When it begins a connection between two hosts, it creates a request datagram to be sent across the Internet to the Web server to establish a connection.

  • The transport protocol comes into play at the transport layer, the layer of the TCP stack that allows connections between software services on connected systems. At the transport layer, the appropriate protocol header is added to the datagram. This header ensures the reliability of the data transported, and controls many aspects of the communication between the two hosts. The initial segment is a SYN request and the first phase of what is known as the TCP three-way handshake (SYN, SYN/ACK, and ACK) used to establish a reliable connection-oriented session with the Web server.

  • In the network layer, routers allow the datagram to hop from the source to the destination, one hop at a time. The IP header is added to the packet in the network layer.

  • The final layer is the data link layer. This layer communicates with the physical hardware and is responsible for the delivery of signals from the source to the destination over a physical communication platform, in this case, the Ethernet. At this layer, the frame header is added to the datagram.

  • Why is it so difficult to predict TCP sequence numbers?
  • TCP sequence numbers, unique per byte in a TCP session, provide flow control and data integrity. TCP segments give the initial sequence number (ISN) as a part of each segment header. ISNs do not start at zero for each session; part of the handshake process is for each participant to state the ISN, and the bytes are numbered sequentially from that point. In order to establish a spoofed connection using this session hijacking technique, an attacker must know the sequence numbers being used. IP spoofing forces the attacker to forecast the next sequence number. To send a command, an attacker uses blind hijacking, but the response cannot be viewed. To do this, he would need to know the sequence number in use when he hijacked the session, which could be calculated as a result of knowing the ISN and the number of packets that have been exchanged. Successful session hijacking is difficult without the use of known tools and only possible when a number of factors are under the attacker’s control.

(Ethical Hacking and Countermeasures, Web Applications and Data Servers, 2e EC-Council) 1 / 3
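Added example (not part of the original document) modelling the receive-side check behind the answer above: a receiver that numbers bytes from a random ISN accepts only segments whose sequence number falls inside its current window, so a segment carrying a guessed sequence number is simply dropped. `Receiver` and `in_window` are names chosen for this example.

```python
"""Model of why a hijacker must know the sequence numbers in use: a TCP
receiver only accepts data whose sequence number falls inside its current
window, counted from the peer's ISN. Added example, not the original
document's code; Receiver and in_window are names chosen here."""
import secrets

SEQ_SPACE = 2 ** 32  # sequence numbers are 32-bit and wrap around


def random_isn() -> int:
    """Unpredictable ISN drawn from the OS CSPRNG (modern stacks use a
    keyed hash per RFC 6528; for this model the effect is the same)."""
    return secrets.randbelow(SEQ_SPACE)


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2**32,
    which also handles the wrap from 2**32 - 1 back to 0."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


class Receiver:
    """Receiving side of one connection. The peer's SYN consumes one
    sequence number, so its data starts at ISN + 1."""

    def __init__(self, peer_isn: int, window: int = 65535) -> None:
        self.rcv_nxt = (peer_isn + 1) % SEQ_SPACE
        self.rcv_wnd = window
        self.delivered: list = []

    def segment(self, seq: int, payload: bytes) -> bool:
        """Accept an in-order, in-window segment; drop anything else
        (out-of-order buffering is omitted to keep the model short)."""
        if not in_window(seq, self.rcv_nxt, self.rcv_wnd):
            return False  # sequence number outside the window: dropped
        if seq != self.rcv_nxt:
            return False  # inside the window but not the next byte
        self.delivered.append(payload)
        self.rcv_nxt = (self.rcv_nxt + len(payload)) % SEQ_SPACE
        return True
```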

  • Name two countermeasures to session hijacks. How does each stop the hijack?

A. Limit incoming connections:

  • Establish sessions with limited IP addresses. An example would be the IP address in an intranet where the specifics of the range of IPs are already known.

  • If possible, try to limit unique session tokens to each browser’s instance. For example, generate the token with a hash of the MAC address of the computer and process ID of the browser.

  • Follow the same general set of countermeasures to prevent replay and brute force attacks.

B. Use encryption:

  • Use X.509 certificates (to encrypt via SSL, IPSec, SSH, S/MIME, or PGP) to prevent more traditional types of TCP traffic predictable sequence number hijacking.

  • Force all incoming connections from the outside world to be fully encrypted. Attackers outside the network will have a difficult time if passwords are not sniffable, and so sessions cannot be hijacked.

  • Connections to all mission-critical systems must be encrypted. The telnet package allows such administrative policies to be enforced. Kerberos allows encrypted communication.

  • Communications on the network must be encrypted. Newer systems such as SKIP help a great deal, but they are in their infancy. (Sun Microsystems developed an automated key-management system called “Simple Key Management for Internet Protocols” that was later proposed to the IETF as a standard IPSec key-management scheme.)

  • Encrypted protocols should be used, e.g., those in the OpenSSH suite. The OpenSSH suite includes the ssh program, which replaces login and telnet. SCP replaces RCP, and SFTP replaces FTP. It also includes sshd, which is the server side of the package, and other basic utilities such as ssh-add, ssh-agent, ssh-keygen, and sftp-server.

C. Minimize remote access:

  • Use strong authentication and peer-to-peer VPNs.

D. Use a secure protocol:

  • Configure the appropriate spoof rules on gateways (internal and external).

  • Monitor for ARP cache poisoning, by using IDS products or Arpwatch.

E. Educate users:

  • A user’s identity must be verified at a higher level before conducting a potentially dangerous transaction such as transferring money online or using a credit card for online shopping.

  • Train users about suspicious activity and how to detect a breach in network security.
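Added example (not from the original document, and not Arpwatch's own code) of the ARP cache poisoning check listed under D above: it keeps the IP-to-MAC pairings seen in ARP replies and raises an alert when a known IP answers from a different MAC, and separately lists any MAC that answers for several IPs. The replies, times and addresses are constructed sample data.

```python
"""Arpwatch-style check for ARP cache poisoning. Added example, not the
original document's or Arpwatch's code; the ARP replies below are
constructed sample data using documentation addresses (192.0.2.0/24)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed ARP replies as a LAN sensor would record them:
# (time, sender IP, sender MAC). At 10:00:12 the gateway 192.0.2.1 starts
# answering from a new MAC, which then also claims host 192.0.2.20.
ARP_REPLIES: List[Tuple[str, str, str]] = [
    ("10:00:01", "192.0.2.1", "00:11:22:33:44:55"),
    ("10:00:05", "192.0.2.20", "aa:bb:cc:dd:ee:01"),
    ("10:00:09", "192.0.2.1", "00:11:22:33:44:55"),
    ("10:00:12", "192.0.2.1", "DE:AD:BE:EF:00:01"),
    ("10:00:13", "192.0.2.20", "de:ad:be:ef:00:01"),
    ("10:00:14", "192.0.2.1", "00:11:22:33:44:55"),
]


@dataclass(frozen=True)
class Alert:
    when: str
    ip: str
    old_mac: str
    new_mac: str


def changed_mac_alerts(replies) -> List[Alert]:
    """One alert each time a known IP answers from a different MAC than
    last seen (Arpwatch reports this as a changed ethernet address, and
    repeated changes as a flip flop)."""
    last_seen: Dict[str, str] = {}
    alerts: List[Alert] = []
    for when, ip, mac in replies:
        mac = mac.lower()  # normalise case so DE:AD and de:ad compare equal
        prev = last_seen.get(ip)
        if prev is not None and prev != mac:
            alerts.append(Alert(when, ip, prev, mac))
        last_seen[ip] = mac
    return alerts


def macs_claiming_many_ips(replies) -> Dict[str, Set[str]]:
    """MACs that answered for more than one IP: a single station posing
    as both gateway and host is the man-in-the-middle pattern."""
    claims: Dict[str, Set[str]] = {}
    for _, ip, mac in replies:
        claims.setdefault(mac.lower(), set()).add(ip)
    return {m: ips for m, ips in claims.items() if len(ips) > 1}
```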

  • What are the differences between man-in-the-middle hijacking and blind hijacking?
  • In blind hijacking, a hacker can inject malicious data or commands into intercepted communications in a TCP session, even if source routing is disabled. The hacker can send data or commands, but cannot access the response. In order to get to the response, a man-in-the-middle attack works much better. A man-in-the-middle attack uses a packet sniffer to intercept the communication between the client and the server. The attacker changes the default gateway of the client’s machine and attempts to reroute packets. The technique used is to forge ICMP (Internet Control Message Protocol) packets to redirect traffic between the client and the host through the hijacker’s host. The hacker’s packets send error messages that indicate problems in processing packets through the original connection. This fools the server and the client to route through its path instead.

  • What is spoofing? What role does it play in hijacking?
  • Spoofing merely involves pretending to be another user or machine to gain access to a target machine or server. In ARP spoofing, the IP address is vulnerable, and an attacker can also spoof the MAC address. An attacker sniffing on a network can sniff packets and carry out

