
UDP Session Hijacking

Network Security
Session Hijacking
The act of taking over a connection of some sort, for example a network
connection, a modem connection or another type of connection.
Compared with sniffing, session hijacking is an active attack, whereas sniffing is
a passive attack.
The point of hijacking a connection is to exploit trust.
For example, imagine we are able to monitor traffic between two
machines, one a server and the other a client. We can catch the root user
logging in via Telnet and successfully steal the password.
Session Hijacking
Session hijacking is when an attacker gets access to the session state of a
particular user. The attacker steals a valid session ID, which is then used to get
into the system and snoop on the data.
WhatsApp Sniffer is a popular session hijacking attack.
Session Hijacking
Session hijacking can be done at two levels: network level and application level.
Network level hijacking involves TCP and UDP sessions, whereas application level session hijacking occurs with HTTP sessions.
• A successful attack on network level sessions will provide the attacker with critical information which will then be used to attack
application level sessions, so most of the time they occur together, depending on the system that is attacked.
• Network level attacks are most attractive to an attacker because they do not have to be customized on a per web application basis;
they simply attack the data flow of the protocol, which is common for all web applications.
Spoofing Vs Session Hijacking
Types of Attacks
Active Attacks
An active attack is when the attacker hijacks a session on the network. The
attacker will silence one of the machines, usually the client computer, and take
over the client's position in the communication exchange between the
workstation and the server.
An active attack also allows the attacker to issue commands on the network,
making it possible to create new user accounts on the network, which can later
be used to gain access to the network without having to perform the session
hijack attack.
Types of Attacks
Passive Attack
Passive session hijack attacks are similar to the active attack, but
rather than removing the user from the communication session, the
attacker monitors the traffic between the workstation and server.
The primary motivation for the passive attack is it provides the
attacker with the ability to monitor network traffic and potentially
discover valuable data or passwords.
Hybrid Attack
• This attack is a combination of the active and passive attacks, which allow the attacker to
listen to network traffic until something of interest is found.
• The attacker can then modify the attack by removing the workstation computer from the
session and assuming its identity.
TCP Session Hijacking
• TCP guarantees delivery of data, and also guarantees that packets will be delivered in the same order in which they were sent. In order
to guarantee that packets are delivered in the right order, TCP uses acknowledgement (ACK) packets and sequence numbers to create a
"full duplex reliable stream connection between two endpoints", with the endpoints referring to the communicating hosts. The
connection between the client and the server begins with a 3-way handshake.
• After the handshake, it is just a matter of sending packets and incrementing the sequence number to verify that the packets are getting
sent and received.
TCP Session Hijacking
• The goal of the TCP session hijacker is to create a state where the client and server are
unable to exchange data; enabling him/her to forge acceptable packets for both ends,
which mimic the real packets. Thus, the attacker is able to gain control of the session.
TCP Session Hijacking Steps
• Step 1: Open the Ubuntu machine and open a connection on any random port.
• Step 2: Open Kali and send a request to set up a connection on that random port.
• Step 3: The machines will exchange messages.
TCP Session Hijacking Steps
• Step 4: In order to hijack the session, you need to install Shijack.
• Step 5: Extract and save the Shijack files.
TCP Session Hijacking Steps
• Step 6: Open Wireshark and monitor TCP traffic. Check the source port number.
• Step 7: Open Shijack to hijack the TCP session between the two machines.
• Step 8: The session has been hijacked and now any message can be sent from the attacker
machine to the victim machine, but no message can be sent from other machines to the
attacker machine.
UDP Session Hijacking
• In UDP session hijacking, an attacker doesn't need TCP features such as sequence
numbers and the ACK mechanism to do session hijacking.
• Terminal Session
• These attacks were taking place in the wild as far back as the beginning of 1995. In this attack, the
attacker targets the connection between terminals.
UDP Session Hijacking
• nc: netcat; -vv: verbose; -u: UDP; -l: listen mode; -p: port; -n: don't perform a DNS
lookup
Lab Work
Lab : To perform UDP session hijacking using Scapy
• https://www.youtube.com/watch?v=q1tyq8IUzpY
Hijacking Application Levels
• At this level a hijacker can not only hijack already existing sessions but can also create
new sessions from the stolen data.
• HTTP Session Hijack
• Hijacking HTTP sessions involves obtaining the session IDs for the sessions, which are the only
unique identifiers of the HTTP session.
• Session IDs can be found in three places:
• In the URL received by the browser for the HTTP GET request.
• In cookies stored on the client's computer.
• Within the form fields.
Obtaining Session ID’s
• One way to obtain the session ID is by sniffing, which is the same as a man-in-the-middle attack.
• Cookies and URLs can be sniffed from the packets and, if unencrypted, can provide critical
user logon information.
• Another way is by brute forcing the session IDs, which involves trying a set of session IDs
based on some pattern. Brute forcing is a time-consuming task, but when guided by some
algorithm it can produce results rather quickly.
What is a cookie?
• A cookie is a small piece of information that is stored in the user's client (browser) when a
user visits a website.
• It is generated by the web server and sent to the browser for authentication purposes.
• Let's say you log in to your Facebook account. When you log in, session data is
created on Facebook's server and it sends a cookie file to your browser. When you do
some activity on Facebook, these two things are compared and matched every time.
• So if we manage to steal this cookie file from someone, we will have access to their account.
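The two slides above (obtaining session IDs by sniffing or by brute forcing a pattern, and the cookie that carries the ID) describe the attacker's view. The following Python is an added defender-side example, not code from the slides: it issues session IDs from the OS CSPRNG so there is no pattern to brute force, stores only a hash of the ID on the server, expires idle sessions so a stolen ID has a bounded useful life, rotates the ID at login (session fixation), and emits the cookie with HttpOnly, Secure and SameSite so it is neither readable by script nor sent over plaintext HTTP. The in-memory store, the 15-minute idle timeout and the cookie name `sid` are assumptions for the example.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

# Constructed in-memory session store, keyed by a hash of the session ID so
# that a dump of the store does not hand out usable IDs. Assumption: a real
# deployment keeps this server-side (database, cache), never in the cookie.
SESSIONS = {}
SESSION_TTL = 15 * 60  # seconds of inactivity after which a session expires


def _key(sid):
    """Index sessions by SHA-256 of the ID, so stored data never contains the raw ID."""
    return hashlib.sha256(sid.encode()).hexdigest()


def new_session_id():
    """16 bytes (128 bits) from the OS CSPRNG, URL-safe base64 encoded.
    Nothing about one ID lets an attacker extrapolate the next, which is the
    property that pattern-based brute forcing of session IDs relies on."""
    return secrets.token_urlsafe(16)


def create_session(user, now=None):
    """Issue a fresh session for an authenticated user; returns the new ID."""
    now = time.time() if now is None else now
    sid = new_session_id()
    SESSIONS[_key(sid)] = {"user": user, "last_seen": now}
    return sid


def lookup_session(sid, now=None):
    """Map a presented ID to its user, or None if unknown or expired.
    Idle expiry bounds how long a sniffed or stolen ID stays useful."""
    now = time.time() if now is None else now
    rec = SESSIONS.get(_key(sid))
    if rec is None:
        return None
    if now - rec["last_seen"] > SESSION_TTL:
        del SESSIONS[_key(sid)]
        return None
    rec["last_seen"] = now
    return rec["user"]


def rotate_session(old_sid, now=None):
    """Replace the ID after login or a privilege change. This defeats session
    fixation, where an attacker plants an ID and waits for the victim to log in."""
    user = lookup_session(old_sid, now)
    if user is None:
        return None
    del SESSIONS[_key(old_sid)]
    return create_session(user, now)


def session_cookie(sid):
    """Set-Cookie value carrying the ID with the attributes that limit theft:
    HttpOnly keeps it away from document.cookie (XSS), Secure keeps it off
    plaintext HTTP where a sniffer could read it, SameSite=Strict stops the
    browser attaching it to cross-site requests."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["httponly"] = True
    c["sid"]["secure"] = True
    c["sid"]["samesite"] = "Strict"
    c["sid"]["path"] = "/"
    return c.output(header="").strip()


def cookie_is_hardened(set_cookie):
    """Check a Set-Cookie header (e.g. taken from a proxy log) for all three attributes."""
    attrs = {a.strip().split("=")[0].lower() for a in set_cookie.split(";")[1:]}
    return {"httponly", "secure", "samesite"} <= attrs


if __name__ == "__main__":
    sid = create_session("alice")
    print(session_cookie(sid))
    print("user:", lookup_session(sid), "hardened:", cookie_is_hardened(session_cookie(sid)))
```

The `cookie_is_hardened` check is the kind of thing to run over captured `Set-Cookie` headers from your own applications: a session cookie missing `Secure` is exactly the one the sniffing slide above collects from the wire.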
Steps of HTTP Session Hijacking
Step 1 - Locating a Target
• First, they look for networks that have a high level of utilization. High-volume networks provide a healthy supply of
users to choose from, which also helps the attack remain anonymous.
• Secondly, users who frequently use insecure network protocols such as Telnet, rlogin (remote login) and FTP (File
Transfer Protocol) are also frequent targets due to their inherently insecure design.
Step 2 - Find an Active Session
• Attackers who are looking for open sessions generally use software tools like Wireshark, or the more sophisticated site
detection software that is included in some of the popular session hijacking software packages like T-Sight or
Juggernaut.
Step 3 - Perform Sequence Number Prediction
• This process entails guessing the next sequence number that the server is expecting from the workstation. Sequence
number prediction is a critical step, because failing to predict the correct sequence number will result in the server
sending reset packets and terminating the connection attempt. Programs such as Juggernaut and Hunt are very
effective tools that can be successfully used by attackers of moderate skill levels.
Step 4 - Take One of the Parties Offline
• Once a session is chosen and the sequence numbers predicted, you need to silence the
workstation computer. This is generally done with a denial of service attack. The attacker must
ensure that the client computer remains offline for the duration of the attack, or the client
computer will begin transmitting data on the network, causing the workstation and the server
to repeatedly attempt to synchronize their connections, resulting in a condition known as an
ACK storm.
Step 5 - Take over the Session and Maintain the Connection
• The final phase of the session hijack attack entails taking over the communication session
between the workstation and server. The attacker will spoof the client's IP address, to avoid
detection, and include the sequence number that was predicted earlier. If the server accepts
this information, the attacker has successfully hijacked the communication session.
HTTP Session Hijacking
• Open Mozilla Firefox and install the Greasemonkey extension in Firefox on Windows.
Greasemonkey allows you to customize the way popular websites look and behave by tweaking
their functionality with a script.
In fact Greasemonkey is not an application in itself. It's a Firefox add-on that prepares your
browser to support Greasemonkey scripts. The add-on puts a small monkey icon in the bottom
right corner, from where you can add new scripts and manage the ones you've already installed.
Other than that, it doesn't include any configuration options.
You need to install Cookie Injector to inject cookies into the web page.
Once Cookie Injector is installed, to activate it press Alt+C.
HTTP Session Hijacking
Advantages of Session Hijacking for the hacker
Ability to gain access to a server without having to authenticate to it. The
attacker enjoys the same server access as the compromised user.
A successful session hijack attack also allows the attacker to issue
commands to servers on the network. This is usually done to create user
accounts that can be used to access resources at a later date.
Session Hijacking is dangerous
It is dangerous because session hijack attacks cannot be eliminated by software patches, complex passwords
or multi-factor authentication. The root cause of the attack lies with design limitations inherent to the
TCP/IP protocol. In addition, all machines, regardless of operating system or hardware architecture, are
vulnerable to the session hijack attack provided they are running TCP/IP.
The attacker has the ability to read and modify data, violating the confidentiality and integrity of the data.
Session Hijacking Tools
Wireshark: sniffing packets
Juggernaut: Linux based, flow across the network
Hunt: Unix based, sequence number prediction
TTY Watcher: Sun, monitor and control users' systems
IP Watcher: commercial software
T-Sight: Windows, commercial software
Paros HTTP Hijacker: spidering, proxy-chaining, filtering, application vulnerability scanning
Hjksuite Tool:
HIJACKING PROTECTION
Encryption
SSH
SSH can replace the functionality of Telnet, ftp, rlogin and rcp.
Tunnel other protocols like HTTP over an SSH connection.
SSL
Available for web servers, where it is most widely deployed.
Storm Watchers
This technique is used to watch for something that doesn't match, such as retransmissions
and duplicate packets. Basically this is the IDS approach.
Lab Work
Lab: To perform HTTP session Hijacking through Cookie Stealing
Routing Table
• Routes are predetermined paths used by routers when sending packets from one subnet to another subnet.
• Each route consists of information (TCP/IP) that is stored in a database. This database
is called a routing table.
• The router uses the packet's destination IP address to find where to route the packet.

Destination LAN IP   Subnet Mask      Gateway        Interface
0.0.0.0              0.0.0.0          10.10.1.0      LAN
10.10.1.10           255.255.255.0    10.10.1.133    WAN
192.168.1.1          255.255.255.0    192.168.1.10   WAN

Destination LAN IP = Net ID; Gateway = next connected router
Distribute List
• A distribute-list is a command configured within a routing process that
controls what routes are accepted or advertised, based on criteria set by a
standard ACL.
• A distribute-list affects all routes being received or advertised by the routing
process, including updates between peers as well as routes derived from
redistribution.
• Distribute-lists are unidirectional; the distribute-list out command filters
outgoing routing updates, while the distribute-list in command controls
routes received in updates.
Routing Table-Commands
• Command used: route print
• For the IPv4 table use: route print -4
• For the IPv6 table use: route print -6
Route Table Modification
• All computers that use TCP/IP keep a route table.
• A route table shows the way to the address sought, or the way to the nearest
source that might know the address.
• The route table has two sections: active routes and active connections.
• If the route table can't locate a perfect match for the IP address, it
searches for the closest possible match in the list of network addresses.
• After the match is found, Computer A sends the packets
to that IP address.
• If the route table cannot find a match, it refers the request to the
network gateway.
• The active connections section shows the network addresses of the
computers that are connected with the host computer.
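The lookup just described (exact match, then closest match, then the gateway) is longest-prefix matching, with the default route 0.0.0.0/0 as the "closest match" of last resort. The Python below is an added example, not from the slides: it loads the routing table shown on the Routing Table slide, performs the lookup, parses the Active Routes section of Windows `route print` output, and compares a baseline table against a later capture to flag a changed next hop, which is how a defender notices the default-gateway modification the next slides describe. The two `route print` excerpts are constructed samples, and the 192.168.1.66 gateway in the second one is a made-up value.

```python
import ipaddress

# Rows exactly as laid out on the slide: (Destination, Subnet Mask, Gateway, Interface).
SLIDE_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "10.10.1.0", "LAN"),
    ("10.10.1.10", "255.255.255.0", "10.10.1.133", "WAN"),
    ("192.168.1.1", "255.255.255.0", "192.168.1.10", "WAN"),
]


def build_table(rows):
    """Turn (dest, mask, gateway, iface) rows into network objects. strict=False
    lets a row such as 10.10.1.10/255.255.255.0 be read as the network
    10.10.1.0/24, as a router would. 'On-link' (Windows route print) means
    directly connected, i.e. no next-hop router."""
    table = []
    for dest, mask, gw, iface in rows:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw.lower() == "on-link" else ipaddress.ip_address(gw)
        table.append((net, gateway, iface))
    return table


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins. The
    default route 0.0.0.0/0 contains everything but has prefix length 0, so it
    is chosen only when nothing closer exists. Returns (network, gateway,
    interface), or None if there is no matching route and no default."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def parse_route_print(text):
    """Extract (dest, mask, gateway, iface) rows from the Active Routes section
    of 'route print' output. Data rows have exactly five fields and begin with
    two IPv4 addresses; headers and separators are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ipaddress.ip_address(parts[0])
            ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        rows.append(tuple(parts[:4]))
    return rows


def changed_next_hops(baseline, current):
    """Report (network, old_gateway, new_gateway) for routes whose next hop
    changed or that vanished (new_gateway None). A default route that now
    points at an unexpected host is the tampering described on the next slides."""
    base = {net: gw for net, gw, _ in baseline}
    cur = {net: gw for net, gw, _ in current}
    changes = []
    for net, gw in base.items():
        if net not in cur:
            changes.append((net, gw, None))
        elif cur[net] != gw:
            changes.append((net, gw, cur[net]))
    return changes


def audit(baseline_text, current_text):
    """Compare two captured 'route print' outputs."""
    return changed_next_hops(build_table(parse_route_print(baseline_text)),
                             build_table(parse_route_print(current_text)))


# Constructed 'route print' excerpts: a known-good baseline, and a later capture
# in which the default gateway has been swapped for another host on the LAN.
BASELINE_TEXT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.10     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.10    281
"""
TAMPERED_TEXT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.66     192.168.1.10     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.10    281
"""

if __name__ == "__main__":
    print(lookup(build_table(SLIDE_ROUTES), "10.10.1.77"))
    print(audit(BASELINE_TEXT, TAMPERED_TEXT))
```

Running `audit` against a saved baseline at boot or on a schedule is a cheap host-level control: the slides' attack works only if the default gateway entry can be changed without anyone noticing.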
Routing Table in action
Route Discovery Methods
• Route Table Modification (continued)
• The hacker changes the route table.
• The host computer assumes that the best possible path for the transfer of data packets is through the
hacker's computer.
• Hackers can modify a route table using two methods:
• Erase all necessary records from the route table
and then provide the hacker's own IP address as the default gateway address.
• Change the corresponding route in the route table of the gateway router.
• Inserting bogus routers
• Changing entries in the routing table
Routing Table Hack
To add/delete the default route in the routing table.
Route added in a routing table
(Figure: new route added; route table updated)
Route deleted and updated in a routing table
(Figure: existing route deleted; route modified; updated routing table)
Lab Work
• Write commands in Kali Linux:
• To view the routing table
• To view network statistics of a network
• To view all routes
• To update/modify/add/delete routes in a routing table
Preventions Techniques - Neighbour Authentication
• Neighbor authentication is a feature available in most routing protocols that ensures a router
only receives reliable routing information, and only from trusted neighbors.
• That is achieved by certifying the authenticity of each neighbor and the integrity of its
routing updates.
• Each router is initially configured with a shared secret key that is used to validate each
routing update. Before sending a routing update, each router is required to sign it with
the predefined secret key and include the resulting signature as part of the update
message. Finally, the update is verified by the receiving neighbor to prove its authenticity
and integrity. Neighbor authentication is supported for BGP, IS-IS, OSPF, RIPv2 and EIGRP.
Preventions Techniques - Neighbour Authentication
• Neighbor authentication helps protect peering sessions from attacks such as session
reset attempts and insertion of unauthorized routing peers.
• Neighbor authentication also helps secure routing data from the injection of false
routes, and the removal or modification of legitimate routing information from
unauthorized routing peers.
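The sign-then-verify exchange in the two neighbor authentication slides, written out in Python as an added example (not code from the slides or from any router vendor). Each protocol defines its own keyed digest (RIPv2, for instance, specifies keyed MD5 in RFC 2082); here HMAC-SHA256 stands in for it, the update body is serialised as canonical JSON so both sides digest identical bytes, and a sequence number is carried inside the signed body so that a captured update cannot be replayed. The shared key and the route lists are constructed values.

```python
import hashlib
import hmac
import json

# Constructed shared secret. Assumption: provisioned out-of-band on both routers,
# as the slides describe; it never travels in the update itself.
SHARED_KEY = b"constructed-demo-key-change-me"


def _canonical(body):
    """Deterministic byte encoding so sender and receiver digest identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_update(routes, seq, key):
    """Sending router: attach a sequence number (replay protection) and a MAC
    over the whole body to an outgoing routing update."""
    body = {"seq": seq, "routes": sorted(routes)}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class Neighbor:
    """Receiving router: accepts an update only if the MAC verifies under the
    shared key and the sequence number moves forward."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1
        self.rib = set()  # routes accepted so far

    def receive(self, msg):
        expected = hmac.new(self.key, _canonical(msg["body"]), hashlib.sha256).hexdigest()
        # Constant-time comparison; a plain == would leak the matching prefix via timing.
        if not hmac.compare_digest(expected, msg["mac"]):
            return "rejected: bad signature (wrong key or modified update)"
        seq = msg["body"]["seq"]
        if seq <= self.last_seq:
            return "rejected: replayed or out-of-order update"
        self.last_seq = seq
        self.rib.update(msg["body"]["routes"])
        return "accepted"


if __name__ == "__main__":
    peer = Neighbor(SHARED_KEY)
    print(peer.receive(sign_update(["10.10.1.0/24", "192.168.1.0/24"], 1, SHARED_KEY)))
    # A router that does not hold the key cannot produce an acceptable update.
    print(peer.receive(sign_update(["0.0.0.0/0"], 2, b"some-other-key")))
```

Three failure cases matter and are the ones to test: an update signed under a different key (an inserted bogus router), an update whose routes were altered after signing (a modified legitimate update), and an old valid update played back (session reset or stale route injection). All three are refused before anything reaches the routing table.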
Preventions Techniques - Routing peer definition
• The same dynamic peer discovery mechanisms that facilitate the deployment and setup
of routers can be used potentially to insert bogus routers into the routing infrastructure.
• This problem may be prevented by disabling such mechanisms and statically configuring a
list of trusted neighbors with known IP addresses. This can be used in conjunction with
other routing security features such as neighbor authentication and route filtering.
• This default behavior can be changed by configuring a static neighbor, after which all
routing messages are sent in unicast packets.
Preventions Techniques- Route Filtering
• Route filtering is another important tool for securing the routing infrastructure.
• Most routing protocols allow the configuration of route filters that prevent specific
routes from being propagated throughout the network.
• In terms of security, these filters are useful because they help ensure that only legitimate
networks are advertised and that networks that are not supposed to be propagated are
never advertised; e.g. networks falling within the private address space (RFC 1918) should
not be advertised out to the Internet.
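The Distribute List slide earlier and the route filtering slide above describe the same mechanism from two sides: an ordered standard ACL, applied to a routing process in one direction, with first-match-wins and an implicit deny at the end. The Python below is an added example, not vendor code or code from the slides. It reproduces standard-ACL matching (the route's network address is compared under a wildcard mask, so prefix length is not part of the match, just as on real equipment), builds an outbound list that drops the RFC 1918 ranges before an Internet-facing peer, and an inbound list that refuses a default route and any route claiming the organisation's own block. The block 203.0.113.0/24 and the route lists are constructed values.

```python
import ipaddress


class StandardAcl:
    """Ordered (action, address, wildcard) entries with standard-ACL semantics:
    a wildcard bit of 1 means 'don't care'. First matching entry decides; a
    route that matches nothing is denied (the implicit deny at the end)."""

    def __init__(self, entries):
        self.entries = [
            (action, int(ipaddress.ip_address(addr)), int(ipaddress.ip_address(wild)))
            for action, addr, wild in entries
        ]

    def permits(self, route):
        # A distribute-list tests the route's network number, not its mask.
        addr = int(ipaddress.ip_network(route).network_address)
        for action, base, wild in self.entries:
            care = 0xFFFFFFFF ^ wild  # bits that must match
            if addr & care == base & care:
                return action == "permit"
        return False


def apply_filter(routes, acl):
    """One direction of a distribute-list: returns (kept, dropped)."""
    kept, dropped = [], []
    for r in routes:
        (kept if acl.permits(r) else dropped).append(r)
    return kept, dropped


# Outbound towards an Internet peer: never leak RFC 1918 space, permit the rest.
EDGE_OUT = StandardAcl([
    ("deny", "10.0.0.0", "0.255.255.255"),
    ("deny", "172.16.0.0", "0.15.255.255"),
    ("deny", "192.168.0.0", "0.0.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),  # 'permit any'
])

# Inbound from that peer: refuse a default route (network number exactly 0.0.0.0)
# and anything inside our own constructed block 203.0.113.0/24, accept the rest.
EDGE_IN = StandardAcl([
    ("deny", "0.0.0.0", "0.0.0.0"),
    ("deny", "203.0.113.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
])


if __name__ == "__main__":
    print(apply_filter(["10.10.1.0/24", "203.0.113.0/24", "192.168.1.0/24"], EDGE_OUT))
    print(apply_filter(["0.0.0.0/0", "203.0.113.128/25", "198.51.100.0/24"], EDGE_IN))
```

The inbound list is the counterpart of the routing-table attack on the earlier slides: a peer that advertises a default route, or a more specific copy of your own prefix, is trying to become the "best possible path" for your traffic, and the filter refuses it before the routing process ever evaluates it.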
Practice Questions
1. How does session hijacking work?
2. What flaw arises from session tokens having poor randomness across a range of
values?
3. How do cookies differ from sessions?
4. What happens if you visit an unsecure website during a man-in-the-middle attack?
5. What is the role of the session ID in session hijacking?
Solutions
Sol1: Session hijacking is an attack where a user session is taken over by an attacker. ... To
perform session hijacking, an attacker needs to know the victim's session ID (session key). This can be
obtained by stealing the session cookie or persuading the user to click a malicious link containing a
prepared session ID.
Sol2: Session hijacking arises from session tokens having poor randomness across a range of values.
Sol3: The main difference between a session and a cookie is that session data is stored on the server,
whereas cookies store data in the visitor's browser. Sessions are more secure than cookies as they are
stored on the server. Cookies can be turned off in the browser.
Sol4: An attacker can fool your browser into believing it's visiting a trusted website when it's not. By
redirecting your browser to an unsecure website, the attacker can monitor your interactions with
that website and possibly steal personal information you're sharing.
Sol5: Session hijacking requires an attacker to determine the session ID. The session ID is vulnerable
in storage and in transit. In storage, the session ID can be stolen from the user's browser cookies,
often via Cross-Site Scripting (XSS). In transit, the session ID can be observed by eavesdropping on
the network traffic.