CEHv10 Session hijacking
Steps involved in the IPsec process
1. A consumer sends a message to a service provider.
2. The consumer's IPsec driver attempts to match the outgoing packet's address or packet type against the IP filter.
3. The IPsec driver notifies ISAKMP (Internet Security Association and Key Management Protocol) to initiate security negotiations with the service provider.
4. The service provider's ISAKMP receives the security negotiation request.
5. Both principals initiate a key exchange, establishing an ISAKMP SA (ISAKMP Security Association) and a shared secret key.
6. Both principals negotiate the security level for the information exchange, establishing the IPsec SAs and keys.
7. The consumer's IPsec driver transfers packets to the appropriate connection type for transmission to the service provider.
8. The provider receives the packets and transfers them to its IPsec driver.
9. The provider's IPsec driver uses the inbound SA and key to check the digital signature and begin decryption.
10. The provider's IPsec driver transfers the decrypted packets to the OSI Transport layer for further processing.
Steps involved in the Forbidden attack
1. The attacker monitors the connection between the victim and the web server and sniffs the nonce from the TLS handshake messages.
2. The attacker generates authentication keys using the nonce and hijacks the connection.
3. All traffic between the victim and the web server now flows through the attacker's machine.
4. The attacker injects JavaScript code or web fields into the transmission towards the victim.
5. The victim reveals sensitive information such as bank account numbers, passwords and social security numbers to the attacker.
Three parties required to communicate
IP address, port numbers, sequence number
Session hijacking Tools:
OWASP ZAP, BetterCAP, netool toolkit, WebSploit Framework, sslstrip, JHijack, Ettercap, Cookie Cadger, CookieCatcher, hamster, Burp Suite
Phases to carry out Session fixation attack:
Session set-up phase: In this phase, the attacker first obtains a legitimate session ID by establishing a connection with the target web server. A few web servers support an idle session time-out feature; in such cases, the attacker needs to send requests repeatedly to keep the established trap session ID alive.
Fixation phase: In this phase, the attacker introduces the session ID to the victim's browser, thus fixing the session.
Entrance phase: In this phase, the attacker waits for the victim to log into the target web server using the trap session ID and then enters the victim's session.
Steps involved in TCP/IP hijacking:
1. The attacker sniffs the victim's connection and uses the victim's IP to send a spoofed packet with the predicted sequence number.
2. The receiver processes the spoofed packet, increments the sequence number, and sends an acknowledgement to the victim's IP.
3. The victim machine is unaware of the spoofed packet, so it ignores the receiver machine's ACK packet and turns its sequence number count off.
4. Therefore, the receiver receives packets with the incorrect sequence number.
5. The attacker forces the victim into a desynchronized state.
6. The attacker tracks sequence numbers and continuously spoofs packets that appear to come from the victim's IP.
7. The attacker continues to communicate with the receiver machine while the victim's connection hangs.
Session Hijacking in OSI Model
- Network Level Hijacking
- Application Level Hijacking
Usually, network-level and application-level session hijacking occur together. This is because a successful network-level session hijacking provides an attacker with ample information to perform application-level session hijacking. Application-level session hijacking relies on HTTP sessions.
What are the two security services used by IPSEC?
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
Approaches to Prevent Session Hijacking
- HTTP Strict Transport Security (HSTS)
- Token Binding
- HTTP Public Key Pinning (HPKP)
Why Session Hijacking is Successful?
- Weak session-ID generation algorithm or small session IDs
- Indefinite session timeout
- Most countermeasures do not work without encryption
- Insecure handling of session IDs
- Computers using TCP/IP are vulnerable
- No account lockout for invalid session IDs
Types of Network-level Hijacking
1. Blind hijacking
2. UDP hijacking
3. TCP/IP hijacking
4. RST hijacking
5. Man-in-the-Middle: Packet Sniffer
6. IP Spoofing: Source Routed Packets
HTTP Strict Transport Security (HSTS)
A web security policy that protects HTTPS websites against man-in-the-middle attacks. An HSTS policy lets a web server force web browsers to interact with it only over the secure HTTPS protocol. With an HSTS policy in place, all insecure HTTP connections are automatically converted into HTTPS connections. This ensures that all communication between the web server and the web browser is encrypted and that all responses delivered and received originate from an authenticated server.
Compromised Session IDs using Sniffing
An application-level technique in which an attacker sniffs a connection to find the session ID and thereby gains access to the victim's resources. The attacker uses tools such as Wireshark or SteelCentral Packet Analyzer to intercept the HTTP traffic between the victim and the web server, then analyzes the data in the captured packets to identify valuable information such as session IDs and passwords. Once the session ID is determined, the attacker masquerades as the victim and sends the session ID to the web server before the victim does. The attacker uses the valid session token to gain unauthorized access to the web server. In this way, an attacker takes control over an existing legitimate session.
What is passive session hijacking?
An attacker hijacks a session but sits back, watches and records all the traffic that is being sent back and forth. Passive hijacking uses sniffers on the network, allowing attackers to obtain information such as user IDs and passwords. The attacker can later use this information to log on as a valid user and enjoy that user's privileges.
What is a Cross-site Request Forgery (CSRF or XSRF) attack?
Application-level technique. Also known as a one-click attack or session riding, it exploits the victim's active session with a trusted site to perform malicious activities such as purchasing an item or modifying or retrieving account information. In this web attack, an attacker forces the victim to submit the attacker's form data to the victim's web server. The attacker creates the hostile form, containing malicious information, and sends it to the authorized user. The user fills in the form and sends it to the server. Because the data is coming from a trusted user, the web server accepts the data.
- Exploits the trust that a website has in a user's browser.
What is a CRIME (Compression Ratio Info-Leak Made Easy) attack?
Application-level technique. This is a client-side attack that exploits vulnerabilities in the data compression feature of protocols such as SSL/TLS, SPDY, and HTTPS. There are fewer mitigation options against HTTPS compression, which makes this vulnerability even more dangerous than other compression vulnerabilities. To perform this attack, an attacker has to use social engineering techniques to trick the victim into clicking a malicious link. When the victim clicks the malicious link, it either injects malicious code into the victim's system or redirects the victim to a malicious website.
Man-in-the-Browser Attack
Application-level technique, used on the client side. This attack requires a Trojan already deployed on the target machine. The Trojan can either change the proxy settings or redirect all traffic through the attacker. It can also intercept the process between the browser and its security mechanism. An attacker uses the previously installed Trojan to act between the browser and its security mechanism; it is capable of modifying web pages, modifying transaction content or inserting additional transactions, all invisibly to both the user and the web application. The main objective of this attack is financial theft by manipulating the transactions of Internet banking systems.
What is Session Fixation?
Application-level technique. The attacker issues a session ID to the user's browser, forcing it to use the chosen session ID. The attack is called session fixation because the attacker fixes the user's session ID in advance, instead of letting it be generated randomly at the time of login. An attacker uses various techniques to perform this attack, such as:
- Session token in the URL argument
- Session token in a hidden form field
- Session ID in a cookie
Session Hijacking Using Proxy Servers
Application-level technique. Attackers lure the victim into clicking a bogus link that looks legitimate but redirects the user to the attacker's server. The attacker then forwards the request to the legitimate server on behalf of the victim.
What is a Cross-Site Scripting (XSS) attack?
Application-level technique. Enables attackers to inject malicious client-side scripts into the web pages viewed by other users. This type of attack occurs when a dynamic web page receives malicious data from the attacker and executes it on the user's system. Web sites that create dynamic pages do not have control over how the clients read their output. Thus, attackers can insert malicious JavaScript, VBScript, ActiveX, HTML, or a Flash applet into a vulnerable dynamic page. That page will then execute the script on the user's machine and collect the user's personal information, steal cookies, redirect users to unexpected web pages, or execute any malicious code on the user's system.
- Exploits the trust a user has for a particular website.
Session Hijacking Using Forbidden Attack
Application-level technique. A type of man-in-the-middle attack that is possible when a cryptographic nonce is reused while establishing an HTTPS session with the server. This attack exploits a vulnerability in a TLS implementation that incorrectly reuses the same nonce when data is encrypted (using AES-GCM) during the TLS handshake. Repeating the same nonce during the TLS handshake allows an attacker to monitor and hijack the connection.
What is a Session Replay Attack?
Application-level technique. The attacker listens to the conversation between the user and the server and captures the user's authentication token. Once the authentication token is captured, the attacker replays the request to the server with the captured authentication token to deceive the server and gain unauthorized access.
- Reuses a valid session ID to spoof a client.
Predicting Session Token
Application-level technique. The process of observing the session IDs currently in use by the client. By observing the common and variable parts of the session key, an attacker can guess the next session key. Usually, attackers can predict session IDs generated by weak algorithms and impersonate a web site user. Attackers analyze the variable section of session IDs to determine whether a pattern exists. They perform this analysis either manually or by using various cryptanalytic tools.
What is a Man-in-the-Middle Attack?
Application-level technique. This attack is used to intrude into an existing connection between systems and to intercept the messages being exchanged. Attackers use different techniques to split the TCP connection into two connections: a client-to-attacker connection and an attacker-to-server connection. After successfully intercepting the TCP connection, an attacker can read, modify, and insert fraudulent data into the intercepted communication. In the case of an HTTP transaction, the TCP connection between the client and the server becomes the target.
How to Predict a Session Token/ Where are Session tokens hidden
- Embedded in the URL, which is received via a GET request by the application when the client clicks a link embedded within a page
- Embedded in a form as a hidden field and submitted via an HTTP POST request
- In cookies on the client's local machine
Components of IPsec
IPsec driver: Software that performs the protocol-level functions required to encrypt and decrypt packets.
Internet Key Exchange (IKE): IPsec protocol that produces security keys for IPsec and other protocols.
Internet Security Association and Key Management Protocol (ISAKMP): Software that allows two computers to communicate by encrypting the data exchanged between them.
Oakley: A protocol that uses the Diffie-Hellman algorithm to create a master key, and a key that is specific to each session in an IPsec data transfer.
IPsec Policy Agent: A Windows 2000 service that collects IPsec policy settings from Active Directory and configures the system at startup.
Modes of IPsec
In transport mode (also ESP [Encapsulating Security Payload]), IPsec encrypts only the payload of the IP packet, leaving the header untouched.
In tunnel mode (also AH [Authentication Header]), IPsec encrypts both the payload and the header.
What is Authentication Header (AH)?
It provides connectionless integrity and data origin authentication for IP datagrams, and anti-replay protection for the data payload and some portions of the IP header of each packet. It does not support data confidentiality (no encryption). A receiver can select the anti-replay service, an optional service, when establishing a Security Association (SA).
Session Hijacking Detection Methods
Manual: normal telnet session, forcing an ARP entry
Automatic
Session Hijacking Countermeasures
Mitigation of session hijacking attacks includes several detection techniques and countermeasures that can be implemented through both manual and automated processes. Deployment of defence-in-depth technology and network monitoring devices such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) is categorized as an automated detection process. Several packet sniffing tools are available that can be used for manual detection.
UDP Hijacking
Network-Level Session Hijacking. A connectionless hijack; it does not require any sequence packet between the requesting client and the host. It is all about sending the response packet before the destination server responds.
Blind Hijacking
Network-Level Session Hijacking. The attacker correctly guesses the next ISN of a computer attempting to establish a connection, but the attacker can never see the response.
MiTM Attack Using Forged ICMP and ARP Spoofing
Network-Level Session Hijacking. Forged ICMP: "destination unreachable" or high-latency messages are sent to fool the victim. The hijacker's packets send error messages indicating problems in processing packets through the original connection, which fools the server and client into routing through the hijacker's path instead. ARP spoofing: the attacker sends forged ARP replies that update the ARP tables of the host that is broadcasting ARP requests. This delivers the traffic to the attacker's host instead of to the legitimate IP.
What is TCP/IP hijacking?
Network-Level Session Hijacking. In this approach, the attacker uses spoofed packets to redirect the TCP traffic to his/her own machine. Once this is successful, the victim's connection hangs and the attacker is able to communicate with the host machine on behalf of the victim. To launch a TCP/IP hijacking attack, both victim and attacker must be on the same network.
IP Spoofing: Source Routed Packets
Network-Level Session Hijacking. This technique is useful in gaining unauthorized access to a computer with the help of a trusted host's IP address. It allows attackers to create their own acceptable packets to insert into the TCP session. The attacker must inject forged packets into the TCP session before the client can respond, so that the server receives a packet with the new ISN (initial sequence number). These packets are source-routed to a patched destination IP specified by the attacker.
RST Hijacking
Network-Level Session Hijacking. The process of sending a Reset (RST) packet to the victim with a spoofed source address. The acknowledgment number used in this Reset packet is also predicted. When the victim receives this packet, it cannot tell whether the packet is spoofed. The victim resets the connection, assuming that the reset request came from the actual source. This attack can be carried out using a packet crafting tool such as Colasoft's Packet Builder and a TCP/IP analysis tool such as tcpdump.
Types of Session Hijacking
Passive Session Hijacking: an attacker hijacks a session but sits back, watches and records all the traffic that is being sent back and forth. A passive attack uses sniffers.
Active Session Hijacking: the attacker takes over an existing session either by tearing down the connection on one side of the conversation or by actively participating.
CxSAST
Session Hijacking Prevention Tool A unique source code analysis solution that provides tools for identifying, tracking, and repairing technical and logical flaws in the source code, such as security vulnerabilities, compliance issues, and business logic problems
Fiddler
Session Hijacking Prevention Tool Used for security testing of web applications such as decrypting HTTPS traffic, and manipulating requests using a man-in-the-middle decryption technique.
Burp Suite
Session Hijacking Tool. An integrated platform for performing security testing of web applications. Its various tools work together to support the entire testing process, from initial mapping and analysis of an application's attack surface to finding and exploiting security vulnerabilities. Key components:
- An intercepting Proxy
- An application-aware Spider
- An advanced web application Scanner
- An Intruder tool
- A Repeater tool
- A Sequencer tool
- The CSRF PoC Generator function
Session Hijacking Process
Session hijacking can be divided into three broad phases:
Tracking the connection: The attacker uses a network sniffer to track a victim and host, or uses a tool like Nmap to scan the network for a target with a TCP sequence that is easy to predict.
Desynchronizing the connection: A desynchronized state occurs when a connection between the target and host is established or stable with no data transmission, or when the server's sequence number is not equal to the client's acknowledgment number, or vice versa.
Injecting the attacker's packet: Once the attacker has interrupted the connection between the server and the target, he or she can either inject data into the network or actively participate as the man-in-the-middle, passing data from the target to the server and vice versa while reading and injecting data at will.
Ways to obtain a valid session IDs
Stealing, guessing, brute forcing
Session Hijacking Penetration testing
Step 1: Locate a session
Step 2: Sniff session traffic between two machines
Step 3: Crack session ID encryption
Step 4: Send a phishing email for session fixation
Step 5: Make a normal connection with one machine
Step 6: Collect several session IDs
Step 7: Predict a new session ID
Step 8: Replay the new session ID
Step 9: Brute force session IDs
Step 10: Document all the findings
Application Level Session Hijacking
The attacker looks for a legitimate session ID from the victim in order to gain access to an authenticated session that lets the attacker use web resources.
- This is about gaining control over the HTTP user session by obtaining the session IDs. An attacker steals or predicts a valid session ID to gain unauthorized access to the web server.
What is Active Session Hijacking?
The attacker takes over an existing session either by tearing down the connection on one side of the conversation or by actively participating. An example is a man-in-the-middle (MITM) attack. For this attack to succeed, the attacker must guess the sequence number before the target responds to the server. On most current networks, sequence number prediction does not work because operating-system vendors use random values for the initial sequence number, which makes it harder to predict subsequent numbers.
Spoofing vs Hijacking
The major difference between spoofing and hijacking is the active session. In a spoofing attack, the attacker pretends to be another user by impersonation in order to gain access. The attacker does not have any active session; it initiates a new session with the target with the help of stolen information. Hijacking is the process of taking control over an existing active session between an authenticated user and a targeted host. Session Hijacking in
Client-side attacks used to compromise Session IDs
These attacks occur when clients establish connections with malicious servers, as the clients then process potentially harmful data from them.
Cross-Site Scripting (XSS): XSS enables attackers to inject malicious client-side scripts into the web pages viewed by other users.
Malicious JavaScript Codes: A malicious script can be embedded in a web page that does not generate any warning but captures session tokens in the background and sends them to the attacker.
Trojans: A Trojan horse can change the proxy settings in the user's browser to send all sessions through the attacker's machine.
CRIME (Compression Ratio Info-Leak Made Easy) attack: Exploits the vulnerabilities present in the data compression feature of protocols such as SSL/TLS, SPDY, and HTTPS.
Cross-Site Request Forgery: An attacker forces the victim to submit the attacker's form data to the victim's web server.
Network Level Hijacking
This hijacking is the interception of packets during transmission between client and server in a TCP/UDP session. A successful attack provides the attacker with crucial information, which is then used to attack application-level sessions. Attackers most often perform this level of hijacking because they do not need to modify the attack on a per-web-application basis; the attack focuses on the data flow of the protocol, which is shared across all web applications. It relies on hijacking the transport and Internet protocols used by web applications in the application layer. By attacking this level, the attacker gathers critical information that is used to attack the application-level sessions.
What is session hijacking?
This attack refers to the exploitation of a session-token generation mechanism or token security controls so that the attacker can establish an unauthorized connection with a target server. The attacker can guess or steal a valid session ID (which identifies authenticated users) and uses it to establish a session with the server. The web server responds to the attacker's requests as though it were communicating with an authenticated user.
HTTP Public Key Pinning (HPKP)
This is a Trust on First Use (TOFU) technique. It is used in an HTTP header that allows a web client to associate a specific public key certificate with a particular server to minimize the risk of man-in-the-middle attacks with fraudulent certificates.
What is Encapsulation Security Payload (ESP)?
This is a protocol in IPsec that offers confidentiality. In transport mode (also ESP [Encapsulating Security Payload]), IPsec encrypts only the payload of the IP packet, leaving the header untouched. In tunnel mode, the system encrypts the entire IP packet (payload and IP header) and encapsulates the encrypted packet into a new IP packet with a new header. ESP does not provide integrity and authentication for the entire IP packet in transport mode. You can apply ESP alone, in conjunction with AH, or in a nested fashion. By default it protects only the IP data payload; in tunnel mode, it protects both the payload and the IP header.
What is IPSEC?
This is a set of protocols that the IETF (Internet Engineering Task Force) developed to support the secure exchange of packets at the IP layer. It ensures interoperable cryptographically based security for IP protocols (IPv4 and IPv6), and supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. It is widely used to implement virtual private networks (VPNs) and for remote user access through dial-up connections to private networks.
Packet Analysis of a Local Session Hijack
To conduct a session hijacking attack, the attacker performs three activities:
- Track a session
- Desynchronize the session
- Inject the attacker's commands in between
Mobile Hijacking Tools
Droidsheep: session hijacking on Android devices connected to a common wireless network.
DroidSniff: an Android app for security analysis in wireless networks and capturing Facebook, Twitter, LinkedIn and other accounts.
FaceNiff: an Android app that allows you to sniff and intercept web session profiles over the WiFi that your mobile is connected to. It is possible to hijack sessions only when the WiFi is not using EAP, but it will work on any private network (Open/WEP/WPA-PSK/WPA2-PSK).
Session Hijacking Detection Tools
Wireshark, LogRhythm
Types of Application level hijacking / Ways session tokens are compromised
o Session sniffing
o Predictable session token
o Man-in-the-middle attack
o Man-in-the-browser attack
o Cross-site scripting (XSS) attack
o Cross-site request forgery attack
o Session replay attack
o Session fixation attack
o CRIME attack
o Forbidden attack
How to determine sequence numbers
o Sniff the traffic: find the ACK packet and then determine the next sequence number based on the ACK packet.
o Transmit the data with guessed sequence numbers (not reliable).