Juggernaut is a network sniffer that can also be used to hijack TCP
sessions. It runs on Linux operating systems in a terminal window. It was one of the first session hijacking tools and is easy to install and run.
Juggernaut can be set to watch for all network traffic or it can be given a keyword or token to look for. For example, a typical token might be the keyword login. Whenever Juggernaut sees this keyword, it captures the session, which means an attacker can capture a user’s password as he is authenticating to a machine. Or from a defensive standpoint, this tool can be set to look for keywords that can indicate a possible attack. By doing this, it becomes easier for an administrator to spot possible breaches of security and take action.
The main function of this program is to maintain information about the various session connections that are occurring on the network. This means that an administrator can use the tool to determine all connections that are occurring on a network. Also, an administrator can take a snapshot of the current connections and look for any unusual activity. On the other hand, an attacker can see all sessions and pick which ones he wants to hijack. As you will see, after Juggernaut detects an active session, there are lots of things that an attacker can do.
Installing Juggernaut
Installing Juggernaut is very straightforward. To install this program, perform the following steps:
1. Download the compressed tar file from packetstorm.securify.com.
2. Uncompress the file by typing gunzip 1.2.tar.gz.
3. Unpack the tar file by typing tar -xvf 1.2.tar.
Steps 2 and 3 can be combined by using the -z option and issuing the following command: tar -zxvf 1.2.tar.gz.
4. Change to the Juggernaut directory by typing cd 1.2.
5. Edit the makefile. The following are some of the key fields you might want to change:
MULTI_P. If this is defined, the program uses the multi-process model of multi-tasking.
IP_HDRINCL. If this is defined, you need to use the IP_HDRINCL socket option to build IP headers.
NOHUSH. If this is defined, the program notifies the user audibly when a connection is added.
GREED. If this is defined, the program attempts to add any and all TCP-based connections.
FASTCHECK. If this is defined, the program uses the fast x86 assembler implementation of the IP checksum routine.
6. Compile the program by typing make all. Note: On the RedHat Linux 6.2 system that I am using, the program compiles cleanly without making any changes to the makefile. With RedHat Linux 7.0, you might have trouble compiling the program if the FASTCHECK option is defined.
7. To run Juggernaut, type ./juggernaut.
8. To get basic help, type ./juggernaut -h. To get the full help file, type ./juggernaut -H.
Running Juggernaut
To run Juggernaut, you type ./juggernaut to start up the program. The following is the main screen that appears:
Juggernaut
+---+
?) Help
0) Program information
1) Connection database
2) Spy on a connection
3) Reset a connection
4) Automated connection reset daemon
5) Simplex connection hijack
6) Interactive connection hijack
7) Packet assembly module
8) Souper sekret option number eight
9) Step Down
We will briefly go through the important options to see how the program works.
Connection Database
Option 1, connection database, shows you all active connections that the program knows about. For the program to hijack or view a session, the session has to be in the connection database. If there is an active connection that is not in the database, it is probably because the program cannot see it. This might be because the connection is going to a different subnet, the network is switched, or the connection is going to a different machine. The following is the output from choosing this option on a machine with active connections:
Current Connection Database:
---
ref #    source                   target
(1)      10.159.90.18 [1042] --> 10.246.68.39 [23]
(2)      10.159.90.18 [1046] --> 10.246.68.39 [25]
(3)      10.159.90.18 [1047] --> 10.246.68.39 [21]
---
Database is 0.59% to capacity.
In this case, there are three connections to the machine: a telnet connection on port 23, an SMTP or mail connection on port 25, and an FTP connection on port 21. In cases like this, it is important that you either know the port numbers or have RFC 1700 (Assigned Numbers) handy, which shows you which port numbers map to which protocols.
Spy on a Connection
This option lets you watch a connection and see the data that is being passed back and forth between the two ends of the connection. This is passive hijacking, where you can view the session but do not actively do anything. The following is the interaction that occurs when you choose this option:
Current Connection Database:
---
ref #    source                   target
(1)      10.159.90.18 [1042] --> 10.246.68.39 [23]
(2)      10.159.90.18 [1046] --> 10.246.68.39 [25]
(3)      10.159.90.18 [1049] --> 10.246.68.39 [21]
(4)      10.159.90.18 [1051] --> 10.246.68.39 [23]
(5)      10.159.90.18 [1053] --> 10.246.68.48 [23]
---
Choose a connection [q] >5
Do you wish to log to a file as well? [y/N] >y
Spying on connection, hit `ctrl-c` when done.
Spying on connection: 10.159.90.18 [1053] --> 10.246.68.48 [23]
Last login: Sun Aug 13 14:13:48 from 10.159.90.18
[eric@localhost eric]$ mkdir test
[eric@localhost eric]$ cd test
[eric@localhost test]$
When you first pick this option, it gives you a list of the current connections in the database so you can choose which connection you want to view. After you choose a connection (in this case we picked connection 5, which is a telnet session), the program asks if you want the data logged to a file in addition to being printed to the screen. After you pick the options, the data is displayed according to the options you selected. In this case, you can see that the user logged on to the system and issued some commands. All of this monitoring is done without the user knowing it is happening. One important thing to note about Juggernaut: the user's password does not get displayed. As you will see, with Hunt, the password is pulled off the wire.
Reset a Connection
With this option, the attacker starts to become active. Now he can reset, or close, an active connection that is occurring on the network. When this command is issued, the following is displayed on the screen:
Current Connection Database:
---
ref #    source                   target
(1)      10.159.90.18 [1042] --> 10.246.68.39 [23]
(2)      10.159.90.18 [1046] --> 10.246.68.39 [25]
(3)      10.159.90.18 [1049] --> 10.246.68.39 [21]
(4)      10.159.90.18 [1051] --> 10.246.68.39 [23]
(5)      10.159.90.18 [1053] --> 10.246.68.48 [23]
---
Choose a connection [q] >5
Reseting connection: 10.159.90.18 [1053] --> 10.246.68.48 [23]
Connection torn down. [cr]
First, the program gives the attacker a list of which connections are active and allows him to pick which one he wants to reset. In this case, we pick connection 5. The program then shows that it is resetting the connection and that it is torn down. Now, if we display a list of active connections, connection 5 is no longer there, which shows it was successfully reset:
Current Connection Database:
---
ref #    source                   target
(1)      10.159.90.18 [1042] --> 10.246.68.39 [23]
(2)      10.159.90.18 [1046] --> 10.246.68.39 [25]
(3)      10.159.90.18 [1049] --> 10.246.68.39 [21]
(4)      10.159.90.18 [1051] --> 10.246.68.39 [23]
---
Database is 0.78% to capacity.
From the user's perspective, because the connection was reset, his connection will be closed. If a user is working with a Windows telnet client and the connection is reset, he would receive the message that is displayed in Figure 5.5.
Figure 5.5. Telnet, connection closed message.
The user now has to reestablish the connection and log back on to the system. This might be useful to an attacker who has hijacked an established connection; he might want to reset it so he can watch the user log on. This way, he can capture the user ID and password. Next time you're connecting and your connection is reset for no reason, you might want to be a little suspicious.
Automated Connection Reset Daemon
This option automatically resets any connection attempts to a specific IP, before they are established. In essence, anyone who tries to connect from a given host is denied access, because the connection is reset before a connection is established. The following is the output that is displayed when using this option:
Enter source IP [q] >10.246.68.48
Enter target IP (optional) [q] >
Reseting all connection requests from: 10.246.68.48 [cr]
As you can see, an attacker could enter a source address to deny that host access to any location, or he could specify a source and target IP address pair that is not allowed to communicate.
Simplex Connection Hijack
This command allows an attacker to perform basic hijacking, where he can inject a command into a TCP-based telnet stream. If the attacker only wants a specific command executed, like creating a directory or a user account, this works well. The following is the output from running this command:
Current Connection Database:
---
ref #    source                   target
(1)      10.159.90.18 [1062] --> 10.246.68.48 [23]
---
Choose a connection [q] >1
Enter the command string you wish executed [q] >mkdir eric
Spying on connection, hit `ctrl-c` when you want to hijack.
NOTE: This may cause an ACK storm until client is RST.
Spying on connection: 10.159.90.18 [1062] --> 10.246.68.48 [23]
The important thing to point out is that this causes a short ACK storm while the session is being hijacked.
Interactive Connection Hijack
This option is your full session hijack, where an attacker takes over a session from a legitimate client. The following is the output from using this command:
Current Connection Database:
---
ref #    source                   target
(1)      10.159.90.18 [1062] --> 10.246.68.48 [23]
---
Choose a connection [q] >1
Spying on connection, hit `ctrl-c` when you want to hijack.
NOTE: This may cause an ACK storm until client is RST.
Spying on connection: 10.159.90.18 [1062] --> 10.246.68.48 [23]
It is important to note that this option creates a large ACK storm, which could disrupt other connections on the network.
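Both hijack modes warn that they "may cause an ACK storm until client is RST", and that storm is also the clearest thing a defender can look for on the wire. The following added example (mine, not code from the book or from Juggernaut) parses constructed tcpdump-style TCP summaries and flags a connection in which both ends keep exchanging data-less ACKs whose acknowledgement numbers never advance, which is what an injected segment leaves behind once the two real endpoints are out of sync; the addresses mirror the sessions on the page, everything else is invented.

```python
import re
from collections import defaultdict

# Constructed tcpdump 3.x style TCP summaries ("." = a segment carrying only an ACK,
# "P" = data with PSH). Addresses mirror the page's sessions; all else is made up.
NORMAL = [  # interactive telnet: each keystroke is echoed and the ack numbers advance
    "14:13:50.100000 10.159.90.18.1051 > 10.246.68.39.23: P 100:101(1) ack 900 win 32120",
    "14:13:50.100500 10.246.68.39.23 > 10.159.90.18.1051: P 900:901(1) ack 101 win 32120",
    "14:13:50.101000 10.159.90.18.1051 > 10.246.68.39.23: . ack 901 win 32120",
    "14:13:50.300500 10.246.68.39.23 > 10.159.90.18.1051: . ack 101 win 32120",
]
# A third party injects 12 bytes with the client's expected sequence number: the server
# acks data the real client never sent, the client replies with its stale ack, and so on.
STORM = ["14:14:01.000000 10.159.90.18.1062 > 10.246.68.48.23: P 1000:1012(12) ack 5000 win 32120"]
for i in range(1, 9):
    STORM.append(f"14:14:01.{i * 300:06d} " + (
        "10.246.68.48.23 > 10.159.90.18.1062: . ack 1012 win 32120" if i % 2 else
        "10.159.90.18.1062 > 10.246.68.48.23: . ack 5000 win 32120"))

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>\S+) "
    r"(?:\d+:\d+\((?P<len>\d+)\) )?ack (?P<ack>\d+)")

def parse(lines):
    """Parse summary lines into dicts; lines in any other format are skipped."""
    pkts = []
    for m in filter(None, map(LINE_RE.match, lines)):
        h, mi, s = m["ts"].split(":")
        pkts.append({"t": int(h) * 3600 + int(mi) * 60 + float(s),
                     "src": (m["src"], int(m["sport"])), "dst": (m["dst"], int(m["dport"])),
                     "ack": int(m["ack"]), "empty_ack": m["flags"] == "." and m["len"] is None})
    return pkts

def detect_ack_storm(lines, window=1.0, threshold=6):
    """Return the connections (frozenset of both endpoints) showing an ACK storm: at
    least `threshold` empty ACKs within `window` seconds, flowing in both directions,
    with the ack number in each direction never changing (neither side takes new data)."""
    by_conn = defaultdict(list)
    for p in parse(lines):
        if p["empty_ack"]:
            by_conn[frozenset((p["src"], p["dst"]))].append(p)
    storms = []
    for conn, acks in by_conn.items():
        acks.sort(key=lambda p: p["t"])
        for first in acks:
            run = [p for p in acks if 0 <= p["t"] - first["t"] <= window]
            if len(run) < threshold:
                continue
            seen = defaultdict(set)  # sender -> distinct ack numbers it sent in the run
            for p in run:
                seen[p["src"]].add(p["ack"])
            if len(seen) == 2 and all(len(a) == 1 for a in seen.values()):
                storms.append(conn)
                break
    return storms

if __name__ == "__main__":
    print(detect_ack_storm(NORMAL + STORM))  # only the 1062 <-> 23 session is reported
```

Hunt's "detection of the ACK storm" feature works from the same symptom on the attacker's side; on a real capture the threshold should be tuned to the link, since a handful of empty ACKs per second is normal.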
Packet Assembly Module
This option allows the attacker to create his own packets, where he has control of the various header fields for the various protocols. The following are the high-level protocols that the attacker can create packets for:
Packet Assembly Module (beta)
+---+
1. TCP Assembler
2. UDP Assembler
3. ICMP Assembler
4. IP Assembler
5. Return to previous menu
For TCP, the following are the fields that an attacker can control:
TCP Packet Assembly
+---+
1. Source port
2. Destination port
3. Sequence Number
4. Acknowledgement Number
5. Control Bits
6. Window Size
7. Data Payload
8. Return to previous menu
9. Return to main menu
As you can see, this option is very powerful because an attacker can create a packet with whatever options he wants. By using a program like this, it becomes very easy to create and send a spoofed packet. I actually use this program to create custom packets, either for testing a network or for trying out various security vulnerabilities. It provides an easy interface for creating packets that spoof a variety of fields. The following is the output of creating an IP packet where the source and destination IP addresses are the same and where the IP header fields are set to various values:
Juggernaut
+---+
?) Help
0) Program information
1) Connection database
2) Spy on a connection
3) Reset a connection
4) Automated connection reset daemon
5) Simplex connection hijack
6) Interactive connection hijack
7) Packet assembly module
8) Souper sekret option number eight
9) Step Down
>7
Packet Assembly Module (beta)
+---+
1. TCP Assembler
2. UDP Assembler
3. ICMP Assembler
4. IP Assembler
5. Return to previous menu
>4
IP Packet Assembly
+---+
1. TOS
2. Fragment Flags
3. Fragment Offset
4. TTL
5. Source Address
6. Destination Address
7. Number of packets to send
8. Return to previous menu
9. Return to main menu
>1
Minimize Delay? [yNq] >Y
Maximize Throughput? [yNq] >Y
Maximize Reliability? [yNq] >Y
Minimize Monetary Cost? [yNq] >Y
IP Packet Assembly
+---+
TOS: none set
2. Fragment Flags
3. Fragment Offset
4. TTL
5. Source Address
6. Destination Address
7. Number of packets to send
8. Return to previous menu
9. Return to main menu
>2
More Fragments? [yNq] >Y
Don't Fragment? [yNq] >Y
IP Packet Assembly
+---+
TOS: none set
Fragment flags: none set
3. Fragment Offset
4. TTL
5. Source Address
6. Destination Address
7. Number of packets to send
8. Return to previous menu
9. Return to main menu
>3
Fragment Offset [qr] >
IP Packet Assembly
+---+
TOS: none set
Fragment flags: none set
Fragment offset: 0
4. TTL
5. Source Address
6. Destination Address
7. Number of packets to send
8. Return to previous menu
9. Return to main menu
>4
TTL (0 - 255) [qr] >30
IP Packet Assembly
+---+
TOS: none set
Fragment flags: none set
Fragment offset: 0
TTL: 30
5. Source Address
6. Destination Address
7. Number of packets to send
8. Return to previous menu
9. Return to main menu
>5
Source Address [qr] >10.246.68.48
IP Packet Assembly
+---+
TOS: none set
Fragment flags: none set
Fragment offset: 0
TTL: 30
Source Address: 10.246.68.48
6. Destination Address
7. Number of packets to send
8. Return to previous menu
9. Return to main menu
>6
Destination Address [qr] >10.246.68.48
IP Packet Assembly
+---+
TOS: none set
Fragment flags: none set
Fragment offset: 0
TTL: 30
Source Address: 10.246.68.48
Destination Address: 10.246.68.48
7. Number of packets to send
8. Return to previous menu
9. Return to main menu
>7
Amount (1 - 65536) [qr] >5
IP Packet Assembly
+---+
TOS: none set
Fragment flags: none set
Fragment offset: 0
TTL: 30
Source Address: 10.246.68.48
Destination Address: 10.246.68.48
Sending 5 packet(s)
8. Return to previous menu
9. Return to main menu
10. Transmit packet(s)
>10
5 Packet(s) injected.
IP Packet Assembly
+---+
TOS: none set
Fragment flags: none set
Fragment offset: 0
TTL: 30
Source Address: 10.246.68.48
Destination Address: 10.246.68.48
Sending 5 packet(s)
8. Return to previous menu
9. Return to main menu
10. Transmit packet(s)
To confirm that the program works properly, I sniffed the packets off the network while they were being generated by Juggernaut, as follows:
05:34:28.911080 eth0 > arp who-has 10.246.68.48 tell seclinux1 (0:50:8b:9a:51:30)
05:34:28.911178 eth0 < arp reply 10.246.68.48 is-at 0:50:8b:9a:4c:1b (0:50:8b:9a:51:30)
05:34:28.911192 eth0 > 10.246.68.48 > 10.246.68.48: ip-proto-0 532 (frag 38102:532@0+) (DF) [tos 0x1e,ECT]
05:34:28.911196 eth0 > 10.246.68.48 > 10.246.68.48: ip-proto-0 532 (frag 38101:532@0+) (DF) [tos 0x1e,ECT]
05:34:28.911200 eth0 > 10.246.68.48 > 10.246.68.48: ip-proto-0 532 (frag 38100:532@0+) (DF) [tos 0x1e,ECT]
As you can see, the packets were all created correctly, based on the information I specified. When you look at them, these packets don't make a lot of sense, but the bottom line is that an attacker can create whatever packets he wants. One way new exploits are discovered is by an attacker trying something that doesn't make sense; in some cases, depending on how the end machine reacts, he could either gain access or crash the machine and cause a Denial of Service attack.
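Packets that "don't make a lot of sense" are exactly what a defender wants a sniffer or IDS to flag rather than pass silently. The following added example (mine, not from the book or Juggernaut) re-types the three tcpdump lines above and checks each for the properties the author dialed in: a source equal to the destination, protocol number 0, More Fragments (the "+" after the offset in tcpdump's output) together with Don't Fragment, and every TOS bit set at once. The two trailing lines are constructed benign fragments for comparison.

```python
import re

# tcpdump 3.x one-line IP summaries. The first three are the lines shown on the page
# (re-typed); the last two are constructed benign fragments for comparison. In this
# format "frag id:len@offset+" means More Fragments is set and "(DF)" means Don't Fragment.
SAMPLE = """\
05:34:28.911192 eth0 > 10.246.68.48 > 10.246.68.48: ip-proto-0 532 (frag 38102:532@0+) (DF) [tos 0x1e,ECT]
05:34:28.911196 eth0 > 10.246.68.48 > 10.246.68.48: ip-proto-0 532 (frag 38101:532@0+) (DF) [tos 0x1e,ECT]
05:34:28.911200 eth0 > 10.246.68.48 > 10.246.68.48: ip-proto-0 532 (frag 38100:532@0+) (DF) [tos 0x1e,ECT]
05:34:30.000000 eth0 < 10.159.90.18 > 10.246.68.39: udp 1472 (frag 1001:1480@0+)
05:34:30.000100 eth0 < 10.159.90.18 > 10.246.68.39: udp 200 (frag 1001:200@1480)
""".splitlines()

IP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+) [<>] (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"(?P<proto>\S+) (?P<len>\d+)"
    r"(?: \(frag (?P<id>\d+):(?P<flen>\d+)@(?P<off>\d+)(?P<mf>\+?)\))?"
    r"(?P<df> \(DF\))?"
    r"(?: \[tos (?P<tos>0x[0-9a-fA-F]+)(?:,\w+)?\])?")

# RFC 1349 TOS bits; a sender is supposed to set at most one of them.
TOS_BITS = {0x10: "minimize delay", 0x08: "maximize throughput",
            0x04: "maximize reliability", 0x02: "minimize cost"}

def check_packet(line):
    """Return the anomalies found in one summary line ([] if benign or unparsed)."""
    m = IP_RE.match(line)
    if not m:
        return []
    problems = []
    if m["src"] == m["dst"]:
        problems.append("source address equals destination address")
    if m["proto"] == "ip-proto-0":
        problems.append("IP protocol 0 (reserved; no transport uses it)")
    if m["mf"] == "+" and m["df"]:
        problems.append("More Fragments and Don't Fragment both set")
    if m["tos"]:
        names = [n for bit, n in TOS_BITS.items() if int(m["tos"], 16) & bit]
        if len(names) > 1:
            problems.append("several TOS bits set at once: " + ", ".join(names))
    return problems

def scan(lines):
    """Return (line number, anomalies) for every line that has at least one."""
    return [(n, p) for n, line in enumerate(lines, 1) if (p := check_packet(line))]

if __name__ == "__main__":
    for n, problems in scan(SAMPLE):
        print(f"line {n}: " + "; ".join(problems))
```

The same checks map directly onto packet-filter or IDS rules, and a host that receives such packets should at minimum log them, since each one is evidence of a crafted rather than stack-generated datagram.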
Souper Sekret Option Number Eight
This option is so secret that I cannot tell you about it. It is listed as an option for future growth or for the user’s imagination.
Hunt
Hunt is a program that can be used to listen to, intercept, and hijack active sessions on a network. As of the writing of this book, the latest version is version 1.5. Hunt was written by Pavel Krauz, whose Web page is http://lin.fsid.cvut.cz/~kra/index.html. Hunt came out after Juggernaut was released and built upon some of the same concepts that Juggernaut uses. Also, because it came out later, it has some additional features and enhancements. To get a full listing of the functionality and enhancements, please see the documentation that comes with Hunt. The following are some of the new features, taken from the online documentation, that Hunt offers:
• Connection management:
  o Setting what connections you are interested in.
  o Detecting an ongoing connection (not only SYN started).
  o Normal active hijacking with the detection of the ACK storm.
  o ARP spoofed/normal hijacking with the detection of successful ARP spoof.
  o Synchronization of the true client with the server after hijacking (so that the connection does not have to be reset).
  o Resetting connection.
  o Watching connection.
  o Daemons:
    - Reset daemon for automatic connection resetting.
    - ARP spoof/relayer daemon for ARP spoofing of hosts with the capability to relay all packets from spoofed hosts.
    - MAC discovery daemon for collecting MAC addresses.
    - Sniff daemon for logging TCP traffic with the capability to search for a particular string.
• Host resolving:
  o Deferred host resolving through dedicated DNS helper servers.
• Packet engine:
  o Extensible packet engine for watching TCP, UDP, ICMP, and ARP traffic.
  o Collecting TCP connections with sequence numbers and the ACK storm detection.
• Miscellaneous:
  o Determining which hosts are up.
• Switched environment:
  o Hosts on switched ports can be spoofed, sniffed, and hijacked too.
As you can see, Hunt has a lot of powerful features from both a passive and active session hijacking standpoint.
Installing Hunt
Installing Hunt is very straightforward. To install this program, perform the following steps:
1. Download the compressed tar file from packetstorm.securify.com.
2. Uncompress the file by typing gunzip hunt-1.5.tgz.
3. Unpack the tar file by typing tar -xvf hunt-1.5.tar.
4. Change to the Hunt directory by typing cd hunt-1.5.
5. Edit the makefile.
6. Compile the program by typing make. Note: With Linux, it is easier to download the precompiled binary file. To do this, download and uncompress the file hunt-1.5bin.tar.
7. To run Hunt, type ./hunt.
In step 6, because you can download the precompiled binary, it is a lot easier to get Hunt up and running on a Linux machine. Also, because you can download the source code, you can still go through the source and figure out what is going on.
Running Hunt
To run Hunt, you type ./hunt from a terminal window. After Hunt starts, the following are the main options available to the user:
[root@seclinux1 hunt-1.5]# ./hunt
/*
 * hunt 1.5
 * multipurpose connection intruder / sniffer for Linux
 * (c) 1998-2000 by kra
 */
starting hunt
--- Main Menu --- rcvpkt 0, free/alloc 63/64 ---
l/w/r) list/watch/reset connections
u) host up tests
a) arp/simple hijack (avoids ack storm if arp used)
s) simple hijack
d) daemons rst/arp/sniff/mac
o) options
x) exit
*>
To see a list of all active connections, you type the l command and the following is displayed:
--- Main Menu --- rcvpkt 1947, free/alloc 63/64 ---
l/w/r) list/watch/reset connections
u) host up tests
a) arp/simple hijack (avoids ack storm if arp used)
s) simple hijack
d) daemons rst/arp/sniff/mac
o) options
x) exit
*> l
0) 10.159.90.18 [1025] --> 10.246.68.39 [23]
1) 10.159.90.18 [1026] --> 10.246.68.39 [23]
--- Main Menu --- rcvpkt 2157, free/alloc 63/64 ---
l/w/r) list/watch/reset connections
u) host up tests
a) arp/simple hijack (avoids ack storm if arp used)
s) simple hijack
d) daemons rst/arp/sniff/mac
o) options
x) exit
Notice that after you type the l command, the program lists the active connections and immediately displays the menu option again. This is so the user can take action on one of the connections.
Now, if you type w, you can watch one of the active connections:
l/w/r) list/watch/reset connections
u) host up tests
a) arp/simple hijack (avoids ack storm if arp used)
s) simple hijack
d) daemons rst/arp/sniff/mac
o) options
x) exit
*> w
0) 10.159.90.18 [1025] --> 10.246.68.39 [23]
1) 10.159.90.18 [1029] --> 10.246.68.39 [23]
choose conn> 1
dump [s]rc/[d]st/[b]oth [b]>
print src/dst same characters y/n [n]>
CTRL-C to break
eerriicc
Last login: Sun Aug 13 14:18:28 from 207.159.90.18
[eric@seclinux1 eric]$ mmkkddiirr eerriicc
[eric@seclinux1 eric]$ ccdd eerriicc
[eric@seclinux1 eric]$
After an attacker picks a connection, the attacker can see everything that