Hijacking a TCP connection requires only a little knowledge about IP spoofing and ACK numbers. IP spoofing is a simple technique in which the attacker/hacker replaces the sender's IP address in the packets he sends, so that the receiver is confused about where the data came from. ACK and SEQ numbers are used by web servers to distinguish between different sessions and to check whether a user's session is still active. In fact, hijacking a TCP connection is not a difficult task; here is a simple description so that you can understand the basic steps.
So a TCP connection (session) can be hijacked in the following simple steps:
Step 1: Learn as much as possible about the victim (Z) and the web server (F) before proceeding to the next step. If you are monitoring the connection on a wireless network you can also use Wireshark or other advanced network traffic monitoring tools. (You can also use the Linux-based operating system BackTrack 4, which is specially designed for hackers and penetration testers because it contains all the required tools by default.)
Step 2: The web server (F) sends an echo back to the victim (Z), and the victim acknowledges the data packet.
Step 3: Now you can send the spoofed packet to the web server (F).
Step 4: The web server (F) responds to you, and you can start verifying the ACK/SEQ numbers; the web server believes that the session is still going on with the victim (Z). Now you have hijacked the victim's session.
Step 5: You can continue to use that session, and the web server will return the requested information after checking the ACK number; the connection continues until the FIN flag is set to terminate it.
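The steps above hinge on the ACK/SEQ numbers, so it helps to see the check a receiving TCP stack actually applies before it trusts a segment. The following is an added illustration, not code from the original post: it implements the RFC 793 segment acceptability test (SEQ must land inside the receive window, ACK must refer to data actually in flight) with proper 32-bit wraparound, which is exactly what a spoofed segment has to satisfy. The TcbState values are constructed examples.

```python
"""Receiver-side TCP SEQ/ACK acceptance check, after RFC 793.

Added illustration; not code from the original post.  Shows the test a TCP
stack applies before it believes a segment came from its peer: the SEQ must
fall inside the receive window and the ACK inside the range of data that is
in flight.  The TcbState values used below are constructed examples.
"""
from dataclasses import dataclass

MOD = 1 << 32  # sequence numbers are 32-bit and wrap around


def seq_lt(a: int, b: int) -> bool:
    """True if sequence number a precedes b under 32-bit wraparound."""
    return (a - b) % MOD >= MOD // 2


def seq_le(a: int, b: int) -> bool:
    return a == b or seq_lt(a, b)


def in_window(x: int, lo: int, wnd: int) -> bool:
    """lo <= x < lo + wnd, computed modulo 2**32."""
    return (x - lo) % MOD < wnd


@dataclass
class TcbState:
    """The few Transmission Control Block fields the acceptance test needs."""
    rcv_nxt: int  # next sequence number expected from the peer
    rcv_wnd: int  # receive window advertised to the peer
    snd_una: int  # oldest sequence number sent but not yet acknowledged
    snd_nxt: int  # next sequence number this side will send


def seq_acceptable(tcb: TcbState, seg_seq: int, seg_len: int) -> bool:
    """RFC 793 section 3.3 segment acceptability test."""
    if seg_len == 0:
        if tcb.rcv_wnd == 0:
            return seg_seq == tcb.rcv_nxt
        return in_window(seg_seq, tcb.rcv_nxt, tcb.rcv_wnd)
    if tcb.rcv_wnd == 0:
        return False  # no room for data at all
    seg_last = (seg_seq + seg_len - 1) % MOD
    # accepted if either the first or the last byte lands in the window
    return (in_window(seg_seq, tcb.rcv_nxt, tcb.rcv_wnd)
            or in_window(seg_last, tcb.rcv_nxt, tcb.rcv_wnd))


def ack_acceptable(tcb: TcbState, seg_ack: int) -> bool:
    """SND.UNA <= SEG.ACK <= SND.NXT: the ACK refers to data actually sent.

    RFC 793 drops a segment whose ACK covers data that was never sent; an
    ACK older than SND.UNA is merely stale and ignored.  For a plausibility
    check we treat only the in-flight range as acceptable.
    """
    return seq_le(tcb.snd_una, seg_ack) and seq_le(seg_ack, tcb.snd_nxt)


def classify_segment(tcb: TcbState, seg_seq: int, seg_ack: int, seg_len: int) -> str:
    """Return 'accept' or a 'drop: ...' reason for an incoming segment."""
    if not seq_acceptable(tcb, seg_seq, seg_len):
        return "drop: SEQ outside receive window"
    if not ack_acceptable(tcb, seg_ack):
        return "drop: ACK outside in-flight range"
    return "accept"


if __name__ == "__main__":
    # constructed connection state: expecting byte 1000, 600 bytes in flight
    state = TcbState(rcv_nxt=1000, rcv_wnd=8192, snd_una=5000, snd_nxt=5600)
    for seq, ack, length in [(1000, 5600, 100), (500, 5600, 100), (1000, 9000, 100)]:
        print(f"SEQ={seq} ACK={ack} LEN={length} -> {classify_segment(state, seq, ack, length)}")
```

The point for a defender is the size of the target: with an 8 KiB receive window, a segment is accepted only if its SEQ falls in one window out of 2^32 positions and its ACK in the few hundred bytes currently in flight, so an attacker who is not on the path and cannot sniff the session (step 1 above) has to guess both. Modern stacks (RFC 5961) tighten these checks further.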
IP fragments are used to keep track of the different parts of a datagram in the TCP/IP suite. When the packets arrive at the destination, this information is used to reassemble the datagram. The Identification field value is the same for all fragments of one datagram, so the Fragment Offset field is used to indicate the actual position of the current fragment within the original datagram.
Hacking/attacking IP fragments
In general IP fragments do not overlap, but a hacker can craft fragmented packets artificially in order to fool firewalls or routers. Suppose the second fragment of a datagram is inserted into the sequence by the hacker, and the offset value of that second fragment is less than the length of the first fragment. This situation may result in some bytes of the first fragment being overwritten during reassembly on the end host. Such malformed IP fragments may be responsible for the improper functioning (or crash) of the operating system. This is known as an IP fragment attack. A simple example of an IP fragmentation attack is the ping of death, which sends IP fragments that reassemble into a packet larger than the maximum length allowed at the end host.
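To make the two fragment concepts above concrete (the Identification/Fragment Offset bookkeeping, and the overlap and oversize conditions a firewall or host stack must refuse), here is an added example, not code from the original post: a small reassembler that rejects any fragment set in which a piece would overwrite bytes of an earlier piece or push the datagram past the IPv4 size limit. The fragments are constructed in memory rather than parsed from real IP headers; the field names mirror the IP header fields named in the text.

```python
"""IP fragment reassembly that refuses overlapping and oversized fragments.

Added illustration, not code from the original post.  Fragment records are
constructed in memory rather than parsed from real IP headers; the fields
mirror the header fields named in the text (Identification, More Fragments
flag, Fragment Offset in 8-byte units).
"""
from dataclasses import dataclass
from typing import List, Optional

IPV4_MAX_TOTAL_LENGTH = 65535  # 16-bit Total Length field, header included
IPV4_HEADER_LENGTH = 20        # minimal header; payload may reach 65515 bytes


@dataclass(frozen=True)
class Fragment:
    ident: int      # Identification field, shared by all pieces of one datagram
    offset: int     # Fragment Offset field, in units of 8 bytes
    more: bool      # More Fragments (MF) flag; clear on the last piece
    payload: bytes


class FragmentError(ValueError):
    """Raised when a fragment set cannot be reassembled safely."""


def reassemble(frags: List[Fragment]) -> bytes:
    """Return the reassembled payload, or raise FragmentError.

    Assumes every fragment of the datagram has already arrived.  Each piece
    must cover bytes [offset*8, offset*8 + len(payload)) exactly once: no
    overlap with an earlier piece (an identical duplicate is rejected too),
    no gap, nothing past the IPv4 size limit, and the highest piece must
    have MF clear.
    """
    if not frags:
        raise FragmentError("no fragments")
    ident = frags[0].ident
    if any(f.ident != ident for f in frags):
        raise FragmentError("fragments carry different Identification values")
    ordered = sorted(frags, key=lambda f: f.offset)
    buf = bytearray()
    expected = 0  # byte position the next fragment must start at
    for f in ordered:
        start = f.offset * 8
        end = start + len(f.payload)
        if IPV4_HEADER_LENGTH + end > IPV4_MAX_TOTAL_LENGTH:
            raise FragmentError(
                f"datagram would be {IPV4_HEADER_LENGTH + end} bytes, over "
                f"the {IPV4_MAX_TOTAL_LENGTH} limit (ping-of-death pattern)")
        if f.more and len(f.payload) % 8:
            raise FragmentError("non-final fragment length is not a multiple of 8")
        if start < expected:
            raise FragmentError(
                f"overlap: fragment at {start} rewrites bytes before {expected}")
        if start > expected:
            raise FragmentError(f"gap: nothing covers bytes {expected}..{start - 1}")
        buf += f.payload
        expected = end
    if ordered[-1].more:
        raise FragmentError("last fragment still has MF set")
    return bytes(buf)


def check_fragments(frags: List[Fragment]) -> Optional[str]:
    """Convenience wrapper: None when reassembly is clean, else the reason."""
    try:
        reassemble(frags)
    except FragmentError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # constructed sample: a clean three-piece datagram and an overlapping one
    clean = [Fragment(7, 0, True, b"A" * 16), Fragment(7, 2, True, b"B" * 8),
             Fragment(7, 3, False, b"C" * 5)]
    overlapping = [Fragment(7, 0, True, b"A" * 16), Fragment(7, 1, True, b"X" * 8),
                   Fragment(7, 3, False, b"C" * 5)]
    print("clean:", check_fragments(clean))
    print("overlapping:", check_fragments(overlapping))
```

Real stacks differ in which byte wins when fragments overlap (some favour the first copy, some the last), which is why intrusion detection systems have to model the target's reassembly policy; refusing the overlap outright, as above, is the safe choice for a firewall or host that does not need to be lenient.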
Sniffing is the simple process in which a network interface card is used to receive and monitor data that is not intended for that machine. The device or software that does the sniffing is known as a sniffer or, more simply, a network analyzer. Sniffing programs are very useful for gathering sensitive information such as telnet usernames and passwords, FTP usernames and passwords, credit card numbers, bank account details and so on. Hence sniffing techniques are widely used by attackers and hackers to monitor the key information they are interested in.
In a network, every NIC (Network Interface Card) has a unique MAC (Media Access Control) address. In general a NIC responds only to frames that carry its own MAC address or the broadcast address in the destination field. Network interface cards also support a mode known as promiscuous mode, in which the card receives all frames that travel across the network. In promiscuous mode the NIC generates a hardware interrupt to the CPU for every frame it encounters (instead of only the frames addressed to its own MAC address or the broadcast address). So a sniffer puts the NIC into promiscuous mode and captures/monitors the packets travelling around the network by passing all of the traffic to the operating system's TCP/IP stack. A sniffer or network analyzer is therefore also helpful in troubleshooting networks and is used by network administrators.
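Because a sniffer has to switch the NIC into promiscuous mode, the mode itself is something an administrator can audit on the hosts they manage. The following is an added example, not code from the original post: on Linux the kernel exposes each interface's flag word as a hex string in sysfs at /sys/class/net/<iface>/flags, and the IFF_PROMISC bit (0x100, from <linux/if.h>) is set while any process holds the card in promiscuous mode. The flag values in the demo are constructed; the sysfs path and flag constants are the real ones.

```python
"""Report Linux network interfaces that are in promiscuous mode.

Added example, not from the original post.  Reads the per-interface flag
word the kernel exposes in sysfs and tests the IFF_PROMISC bit.  The flag
values used in the demo are constructed; the sysfs path and the IFF_*
constants come from the Linux kernel (<linux/if.h>).
"""
from pathlib import Path
from typing import Dict, List

IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_LOOPBACK = 0x8
IFF_RUNNING = 0x40
IFF_PROMISC = 0x100
IFF_MULTICAST = 0x1000

FLAG_NAMES = {
    IFF_UP: "IFF_UP",
    IFF_BROADCAST: "IFF_BROADCAST",
    IFF_LOOPBACK: "IFF_LOOPBACK",
    IFF_RUNNING: "IFF_RUNNING",
    IFF_PROMISC: "IFF_PROMISC",
    IFF_MULTICAST: "IFF_MULTICAST",
}


def parse_flags(text: str) -> int:
    """Parse the content of /sys/class/net/<iface>/flags, e.g. '0x1103\\n'."""
    return int(text.strip(), 16)


def is_promiscuous(flags: int) -> bool:
    """True when the IFF_PROMISC bit is set in the interface flag word."""
    return bool(flags & IFF_PROMISC)


def flag_names(flags: int) -> List[str]:
    """Human-readable names of the known bits set in the flag word."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def scan_interfaces(sysfs_root: str = "/sys/class/net") -> Dict[str, bool]:
    """Map interface name -> promiscuous?  Empty when sysfs is unavailable."""
    root = Path(sysfs_root)
    result: Dict[str, bool] = {}
    if not root.is_dir():
        return result
    for iface in sorted(root.iterdir()):
        try:
            flags = parse_flags((iface / "flags").read_text())
        except (OSError, ValueError):
            continue  # not an interface entry, or not readable
        result[iface.name] = is_promiscuous(flags)
    return result


if __name__ == "__main__":
    # constructed sample flag words: a normal interface and a sniffing one
    for sample in ("0x1003", "0x1103"):
        flags = parse_flags(sample)
        state = "PROMISCUOUS" if is_promiscuous(flags) else "normal"
        print(f"{sample}: {state} {flag_names(flags)}")
    # live scan of this host (prints nothing on non-Linux systems)
    for name, promisc in scan_interfaces().items():
        print(f"{name}: {'PROMISCUOUS' if promisc else 'normal'}")
```

Two caveats for anyone using this as a control: it only sees interfaces on the host it runs on, so a sniffer on another machine of the same segment (the case the text describes) is invisible to the victim and has to be addressed with encryption and switched, segmented networks rather than detection; and a legitimate tool such as Wireshark or tcpdump sets the same bit, so a hit is a prompt to ask who is capturing and why, not proof of an attack.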
Why does sniffing threaten network security?
The sensitive information that can be collected by sniffers includes:
1. Passwords (e.g. FTP, telnet, POP, IMAP login passwords)
2. Bank account numbers
3. Any other private data
4. Low-level protocol information
Some common sniffing software (sniffers)