Sniffing and Sidejacking

Sniffing Attacks

Sniffing gives the attacker a way to capture data and intercept passwords. These may be clear-text FTP or Telnet passwords, or even encrypted NTLM passwords. Man-in-the-middle attacks can be used to literally steal someone else's authenticated session: the attacker is then logged in with the same rights and privileges as the user whose session was stolen, and is free to erase, change, or modify information from that point on. Sniffing, session hijacking, and man-in-the-middle attacks all represent powerful tools for hackers.

Session Hijack with Ettercap

Ettercap is an open source tool written by Alberto Ornaghi and Marco Valleri. Available from, ettercap will compile on most major operating systems. Ettercap is not strictly an attack tool; it includes many plugins for attempting to detect other systems engaging in potentially malicious activity on the network.
Connecting to the attacking server via SSH, we start ettercap with the -T and -q options. The -T option forces ettercap to use a text interface, and the -q option suppresses ettercap listing every packet that it sniffs. From within this interface, we can press p to view the list of plugins available in ettercap, some of which are listed below.

1. autoadd 1.2 Automatically add new victims in the target range
2. chk_poison 1.1 Check if the poisoning had success
3. dos_attack 1.0 Run a d.o.s. attack against an IP address
4. find_conn 1.0 Search connections on a switched LAN
5. find_ip 1.0 Search an unused IP address in the subnet
6. gw_discover 1.0 Try to find the LAN gateway
7. isolate 1.0 Isolate an host from the lan
8. link_type 1.0 Check the link type (hub/switch)
9. pptp_chapms1 1.0 PPTP: Forces chapms-v1 from chapms-v2
10. pptp_clear 1.0 PPTP: Tries to force cleartext tunnel
11. pptp_pap 1.0 PPTP: Forces PAP authentication
12. pptp_reneg 1.0 PPTP: Forces tunnel re-negotiation
13. rand_flood 1.0 Flood the LAN with random MAC addresses
14. repoison_arp 1.0 Repoison after broadcast ARP
15. smb_clear 1.0 Tries to force SMB cleartext auth
16. smb_down 1.0 Tries to force SMB to not use NTLM2 key auth
17. stp_mangler 1.0 Become root of a switches spanning tree

Sidejacking with Firesheep

Many social networking domains maintain user access by means of a cookie. Cookies are used to validate users to Facebook, Twitter, and others through an unencrypted channel. Firesheep allows anyone to steal a user's cookie. With this cookie, a malicious person can have full access to the victim's/user's profile.

Is there a way to tell the status of a NIC in Linux? The Linux ifconfig -a command can be used to detect promiscuous mode, as it displays the interface's set flags (e.g. PROMISC).
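A defender-side check for that flag, as an added example that is not part of the original notes: it decodes the PROMISC bit (IFF_PROMISC, 0x100 in <linux/if.h>) from /sys/class/net/<iface>/flags, parses the flag list in `ip link show` output, and tracks the kernel's "entered/left promiscuous mode" log lines; the sample outputs and log lines are constructed.

```python
"""Find interfaces in promiscuous mode on a Linux host (added example)."""
import os
import re

IFF_PROMISC = 0x100  # flag bit from <linux/if.h>

# Constructed sample of `ip link show` output: eth0 has PROMISC set.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
"""

# Constructed sample of kernel log lines (dmesg / journalctl -k).
SAMPLE_KERNEL_LOG = """\
[   12.345678] device eth0 entered promiscuous mode
[   40.000000] device eth0 left promiscuous mode
[   55.000000] device eth1 entered promiscuous mode
"""

IP_LINK_RE = re.compile(r"^\d+:\s+(?P<iface>[^:@]+)[^<]*<(?P<flags>[^>]*)>")
KLOG_RE = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def promisc_from_sysfs_flags(text):
    """Decode the hex flags word read from /sys/class/net/<iface>/flags."""
    return bool(int(text.strip(), 16) & IFF_PROMISC)


def promisc_from_ip_link(output):
    """Map interface name -> True if PROMISC appears in its <...> flag list."""
    found = {}
    for line in output.splitlines():
        m = IP_LINK_RE.match(line)
        if m:
            found[m.group("iface")] = "PROMISC" in m.group("flags").split(",")
    return found


def promisc_from_kernel_log(lines):
    """Replay kernel log lines; the last entered/left event per device wins."""
    state = {}
    for line in lines:
        m = KLOG_RE.search(line)
        if m:
            state[m.group(1)] = m.group(2) == "entered"
    return state


def promisc_interfaces_live(base="/sys/class/net"):
    """Read live sysfs flags; returns names of promiscuous interfaces."""
    found = []
    for iface in (os.listdir(base) if os.path.isdir(base) else []):
        try:
            with open(os.path.join(base, iface, "flags")) as f:
                if promisc_from_sysfs_flags(f.read()):
                    found.append(iface)
        except OSError:
            continue  # interface vanished or not readable
    return found


if __name__ == "__main__":
    print("live promiscuous interfaces:", promisc_interfaces_live())
```

Because a packet socket can put an interface into promiscuous mode without any ifconfig invocation, the kernel log is the most useful of the three sources for after-the-fact review.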

Do IPIDs increment? Multiple packets sent from the same system should not have the same sequence number.

What are some of the things that make session hijacking possible? One is plain-text communication protocols that perform authentication only at the initiation of a session.

Why is SSL vulnerable to MitM attacks? One-way identity verification (i.e. server to client), which is not truly verified when the client's implementation fails to check the certificate correctly.

Sniffing and Hijack Links

Check out these links to learn more:

Types of DNS records
DNS SRV records for SIP and XMPP
Port Forwarding in and linux
OSI model - Wikipedia
What is an APDU?
AT&T Fiber Optic Splitter Used to Spy on Internet
Virtual LAN - Wikipedia
IEEE 802.1Q - Wikipedia
Ethernet - Wikipedia
VLAN Tagging
VLAN Jumping Attack
VoIP Hopper...Jumping from one VLAN to the next!
Making unidirectional VLAN and PVLAN jumping bidirectional
Bypassing and hacking switches using VLAN
IP Spoofing: An Introduction
Windows NT Patch Available to Improve TCP Initial Sequence Number Randomness
Slashdot | TCP/IP Sequence Number Analysis
IPsec - Wikipedia
Cisco Support Lists
Cisco IOS Password Encryption Facts - Cisco Systems
Looking Glass Overview - Web sites that show live routing information
ILAN Looking Glass--useful for trace demo with ASN values
CERN Looking Glass--also shows ASN values on a trace
Big list of looking glass pages sorted by ASN
Hacker writes rootkit for Cisco's routers
Manpage of TCPDUMP