Transcript of Ethical Hacking v10 Module 10 – Session Hijacking
Session Hijacking
Goals
• Understand various session hijacking concepts
• Understand session hijacking at the application level
• Understand session hijacking at the network level
• Learn session hijacking techniques
• Learn session hijacking penetration testing
Module 10.0 Session Hijacking
• 10.1 Session Hijacking Concepts
• 10.2 Browser Session Hijacking
• 10.3 Ways to Compromise a Session Token
• 10.4 Client Side Attacks
• 10.5 Session Hijacking at the Network Level
• 10.6 Session Hijacking Tools
• 10.7 Session Hijacking Countermeasures
• 10.8 Session Hijacking Pen Testing
10.1 Session Hijacking Concepts
Session Hijacking Basics
• The attacker takes over a legitimate TCP communication session between computers
• The attacker gains access to a machine because authentication happens only at the beginning of a TCP session
• The attacker is able to sniff all traffic during the TCP session and perform malicious acts
• The attacker authenticates to the server by stealing a legitimate session ID
Why Session Hijacking is Successful
• Lack of account lockout for invalid session IDs
• Session expiration time is indefinite
• Session IDs are small or the ID generation algorithm is weak
• Vulnerability of most TCP/IP computers
• Session IDs are handled insecurely
• The majority of countermeasures require encryption to work
Process for Session Hijacking
• Stealing: the attacker steals session IDs using various techniques
• Guessing: the attacker looks at the variable parts of session IDs to try to guess what they are
• Brute force: the attacker keeps trying different session IDs until the right one is found
Process for Session Hijacking (cont’d)
• Command injection: the attacker begins to inject packets into the target server
• Session ID prediction: the attacker takes over the session
• Session desynchronization: the attacker breaks the connection with the target machine
• Monitor: the attacker keeps track of the packet flow and predicts sequence numbers
• Sniff: the attacker gets between the victim and the target by sniffing the network
• The attacker can also gain access to a machine that still has an active session:
  • The user has stepped away
  • Access is via a RAT
  • The session has no logout or expiration time
Hijacking vs. Spoofing
• Hijacking
  • The process of taking over an active session
  • Needs the legitimate user to make/authenticate the connection
• Spoofing
  • The process of initiating a new session using stolen credentials
  • The attacker pretends to be a user/machine to gain access
10.2 Browser Session Hijacking
What is Cookie-Based Authentication?
• The traditional, stateful web authentication mechanism
• Lifetime of a cookie:
  1. The user enters their login credentials
  2. The server verifies the credentials are correct and creates a session, which is then stored in a database
  3. A cookie (text file) with the session ID is placed in the user’s browser
  4. On subsequent requests, the session ID is verified against the database and, if valid, the request is processed
  5. Once the user logs out of the app, the session is destroyed both client-side and server-side
What is Token-Based Authentication?
• A token is (usually) a JSON Web Token (JWT)
  • A digitally signed JSON object (key/value pairs)
• Token-based authentication is stateless
  • The server does not keep a record of which users are logged in
  • It does not keep track of which JWTs have been issued
  • Every request to the server is accompanied by the token, which the server uses to verify the authenticity of the request
• Token-based authentication has gained prevalence over the last few years due to the rise of:
  • Single-page applications
  • Web APIs
  • Internet of Things (IoT)
Token Lifetime
1. The user enters their login credentials.
2. The server verifies the credentials are correct and returns a signed token.
3. This token is stored client-side, most commonly in local storage, but it can be stored in session storage or a cookie as well.
4. Subsequent requests to the server include this token as an additional Authorization header or through one of the other methods mentioned above.
5. The server decodes the JWT and, if the token is valid, processes the request.
6. Once the user logs out, the token is destroyed client-side; no interaction with the server is necessary.
What is a Session Token?
• Typically a JWT
• Because HTTP communication uses many different TCP connections, the web server needs a method to recognize every user’s connections
• The most useful method depends on a token that the web server sends to the client browser after a successful client authentication
• The token is used in different ways:
  • In the URL
  • In the header of the HTTP request as a cookie
  • In other parts of the header of the HTTP request
  • In the body of the HTTP request
• A session hijacking attack compromises the session token
  • By stealing or predicting a valid session token
  • This gains unauthorized access to the web server
Common Ways to Compromise a Session Token
• Session prediction
• Session sniffing
• Client-side attacks (XSS, malicious JavaScript code, Trojans, etc.)
• Man-in-the-middle attack
• Man-in-the-browser attack
10.3 Ways to Compromise a Session Token
Session Prediction
• The attacker analyzes the website’s session ID generation process
• The attacker then predicts a valid session ID value and gets access
• Looking at the example, “user02” would be a good prediction
Session Sniffing
• Use a sniffer to capture a valid session token (session ID)
• Reuse the token to gain unauthorized access
• Also known as side-jacking
Cross Site Scripting Attack (XSS)
• Use XSS to steal the token
• Send a crafted link to the victim with malicious JavaScript
• When the victim clicks on the link, the JavaScript runs
• The document.cookie property in the JavaScript code captures the cookie, which is sent to the attacker
  <SCRIPT>alert(document.cookie);</SCRIPT>
Man-in-the-Middle Attack
• The attacker inserts him/herself into an existing session to intercept messages
• Various techniques are used to split the TCP connection into:
  • Victim-to-attacker
  • Attacker-to-server
• Once inserted, the attacker can read/modify/insert fraudulent data into the communication
• You can capture a session cookie by reading the HTTP header
• You can also change the amount of a money transaction inside the application context
Man-in-the-Browser Attack
• The attacker uses a Trojan to intercept calls between the browser and its libraries/security mechanisms
• The primary objective is to manipulate Internet banking transactions
• The customer makes the payment, but the malware changes the destination and amount
What the user sees (ONLINE BANKING):
  Payee Name: Gas Bill
  Payee Account #: 123456
  Amount: $50
What the bank sees (ONLINE BANKING):
  Payee Name: Fraudster
  Payee Account #: 99999
  Amount: $5000
10.4 Client Side Attacks
Cross-Site Scripting (XSS) Attacks
• Cross-site scripting is an attack in which malicious JavaScript is inserted and executes in the client’s browser, for example via:
  • Forums
  • Reviews
  • Social media posts
• Can steal cookies, read sensitive info, inject malware, and more
• While a user views the content of the page, the browser executes the malicious code in the background
• One of the most popular and effective attacks
Cross-Site Scripting (XSS) Attacks (cont’d)
• Three categories:
  • Stored (persistent): injects scripts that remain on the server
  • Reflected: injects scripts that are sent to the server and then bounce back to the user
  • DOM-based: executed entirely on the client side
Cross-Site Scripting (XSS) Attacks (cont’d)
• Use social engineering to craft the injected URL
• A persistent attack requires modifying data stored by the app
  • Try with forms you know store data, like a site feedback page
• Not all injection points are visible
  • May be able to POST data in the HTTP request
  • Depends on the web app technology
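Stored XSS, as described in this section and in the document.cookie example under 10.3, comes down to user-supplied text being written into a page unescaped. The following added example (not code from the course) renders a constructed forum thread two ways: once by concatenating the stored text straight into HTML, and once with html.escape applied to each value for the context it lands in. The post bodies, author names and the helper contains_active_markup are constructed for the demo; the script-tag payload is the one the slides show.

```python
import html
from typing import Dict, List

# Constructed stored-content sample: a forum thread where one post carries the
# same payload the slides use to show cookie access, and one author name tries
# to break out of an attribute value.
POSTS: List[Dict[str, str]] = [
    {"author": "alice", "body": "Great article, thanks!"},
    {"author": "mallory", "body": "<SCRIPT>alert(document.cookie);</SCRIPT>"},
    {"author": 'bob" onmouseover="alert(1)', "body": "Nice."},
]


def render_post_unsafe(post: Dict[str, str]) -> str:
    """Vulnerable rendering: stored user data goes straight into the markup."""
    return f'<div class="post" data-author="{post["author"]}">{post["body"]}</div>'


def render_post_safe(post: Dict[str, str]) -> str:
    """Hardened rendering: every user-controlled value is HTML-escaped.

    html.escape(quote=True) encodes < > & " and ', so text content cannot open
    a tag and an attribute value cannot close the quotes it sits inside.
    """
    author = html.escape(post["author"], quote=True)
    body = html.escape(post["body"], quote=True)
    return f'<div class="post" data-author="{author}">{body}</div>'


def render_thread(posts: List[Dict[str, str]], safe: bool = True) -> str:
    render = render_post_safe if safe else render_post_unsafe
    return "\n".join(render(p) for p in posts)


def contains_active_markup(rendered: str) -> bool:
    """Crude demo check: a live <script> tag or an injected event-handler attribute."""
    lowered = rendered.lower()
    return "<script" in lowered or 'onmouseover="' in lowered
```

The escaped output still shows the reader exactly what was posted (the angle brackets appear as text), but the browser never treats it as code; escaping at output time, per context, is the fix, and it applies to reflected content just as much as stored content.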
Cross-Site Request Forgery (XSRF) Attacks
• Cross-site request forgery is an attack where an established trust between an authorized user and a website is exploited
• Exploits the server’s trust in the user
• Takes advantage of saved authentication to access sensitive data
• Craft a URL and send it to the victim
• The victim clicks the link and is automatically signed in to the site due to a saved cookie
• The requested action executes automatically
• Also known as CSRF
Cross-Site Request Forgery Attacks (cont’d)
• The power of CSRF is that it is difficult to detect
  • The attack is carried out by the browser as if the user requested it
  • The user could enter the same URL manually and get the same result
  • Nearly impossible for the browser to distinguish CSRF from normal activity
• CSRF can be difficult to execute
  • Requires finding a form that can do something malicious
  • Requires knowing the right values that aren’t obscured
  • Sites that check the Referer header will disallow requests from different origins
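The last bullet is the defensive side of CSRF: because the browser sends the request exactly as if the user had, the server has to check something a cross-site page cannot supply. The added example below (not code from the course) combines the two standard checks: an Origin/Referer comparison against the site’s own origin, and a per-session synchronizer token that every form carries in a hidden field. The Request dataclass, the origin https://bank.example and the sample requests are constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"   # constructed origin for the demo
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for the demo)."""
    method: str
    headers: Dict[str, str]
    form: Dict[str, str]


def new_csrf_token() -> str:
    """One unguessable token per session; the server embeds it in every form as a hidden field."""
    return secrets.token_urlsafe(32)


def _origin_of(request: Request) -> Optional[str]:
    # Prefer Origin; fall back to the Referer's scheme+host; None if neither is present.
    origin = request.headers.get("Origin")
    if origin:
        return origin
    referer = request.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(request: Request, session_token: str) -> str:
    """Return "ok" to allow the request, or a "reject: ..." reason."""
    if request.method.upper() not in STATE_CHANGING:
        return "ok"   # safe methods must not change state, so they need no check
    origin = _origin_of(request)
    if origin is None:
        return "reject: no Origin or Referer on state-changing request"
    if origin != SITE_ORIGIN:
        return f"reject: cross-origin request from {origin}"
    # A page on another origin cannot read the token out of our form, so it cannot supply it.
    submitted = request.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session_token):
        return "reject: missing or wrong form token"
    return "ok"
```

A forged request arrives with the victim’s cookie (the browser attaches it automatically) but with a foreign Origin and without the form token, so it fails twice over; the legitimate form submission carries both. Rejecting state-changing requests that have neither Origin nor Referer is a deliberate choice: it trades a little compatibility for not silently accepting a request whose source cannot be established.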
Session Replay Attack
• The attacker listens in on the conversation between the user and the server
• The attacker obtains the user’s authentication token
• The attacker replays the request to the server using the obtained token and gains unauthorized server access
Session Fixation Attack
• The attacker obtains a legitimate web app session ID and tricks the victim’s browser into using it
• Session fixation execution techniques include:
  • Session token in a URL argument
  • Session token in a hidden form field
  • Session ID hidden in a cookie
Session Fixation Attack Example
10.5 Hijacking at the Network Level
Network-Level Session Hijacking
• The hijack depends on abusing networking protocols
• Types of network-level session hijacking:
  • Blind hijacking
  • UDP hijacking
  • TCP hijacking
  • RST hijacking
  • Man-in-the-middle packet sniffer
  • IP spoofing: source routing
TCP Session Hijacking
• TCP session hijacking is taking a user’s or client’s place after it has established a TCP connection with a server
• Enables a connection without providing credentials
• Conditions:
  • A cleartext protocol is used
  • The attacker needs to observe and correctly predict TCP sequence numbers
  • Packets can’t be digitally signed
• Process:
  • Watch the client/server TCP sequence numbers
  • Send spoofed TCP FIN packets to the client
  • Spoof your IP or MAC to the server
  • When the client disconnects, continue communicating with the server via the spoofed address
Source Routed Packets
• Uses a trusted host’s IP address to gain unauthorized access to a computer
• The attacker spoofs the host’s IP address so the server will accept packets from the attacker
• The attacker injects forged packets as soon as the session is established but prior to the host responding to the server
• The server gets the packet from the attacker, and the original packet from the host is lost
• The attacker source-routes packets through the host and specifies the destination IP
RST Hijacking
• The attacker uses a spoofed source address and a predicted acknowledgment number to inject a reset packet that looks authentic
• With an accurate acknowledgment number, the attacker is able to reset the user’s connection
• The user’s host treats the reset packet as genuine and tears down the connection
• This attack can be done with a packet crafting tool
Blind Hijacking
• The attacker injects malicious data/commands into intercepted communications
• Possible even if source routing is disabled
• The attacker can only send data/commands and cannot see the response
• Works for the attacker if they can see the results of a command some other way
Forged ICMP/ARP Spoofing
• A packet sniffer acts as an interface between the client and the server
• ARP spoofing broadcasts ARP requests to fool the host
• ARP spoofing sends forged replies to change the host’s ARP tables
• Two techniques are used to route packets through the hijacker’s host:
  • ICMP
  • ARP spoofing
UDP Hijacking
• The attacker sends a forged server reply to the user’s UDP request before the legitimate server can reply
• The attacker intercepts the server’s reply using a man-in-the-middle attack
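Two of the network-level attacks in this section have well-defined detection or mitigation logic that is worth seeing in code: ARP cache poisoning is caught by watching for an IP-to-MAC binding that changes (the “ARP watch” countermeasure listed later in the module), and RST injection is blunted by the RFC 5961 rule that a reset is only honoured when its sequence number is exactly the next expected one. The following is an added example, not code from the course or from any tool it names; the ARP reply events and TCP window values are constructed, and sequence-number wraparound is deliberately ignored to keep the check short.

```python
from typing import Dict, List, Optional, Tuple


class ArpWatch:
    """Track IP -> MAC bindings seen in ARP replies and flag any that change.

    A host whose IP suddenly answers from a different MAC is the signature of
    ARP spoofing; a real deployment would also whitelist known gateway MACs.
    """

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, ip: str, mac: str) -> Optional[str]:
        mac = mac.lower()                 # normalise so case alone never alerts
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac          # first sighting: learn it
            return None
        if known != mac:
            alert = f"ARP change for {ip}: {known} -> {mac}"
            self.alerts.append(alert)
            return alert
        return None


def arp_alerts_for(events: List[Tuple[str, str]]) -> List[str]:
    """Run a sequence of (ip, mac) ARP-reply observations through ArpWatch."""
    watch = ArpWatch()
    for ip, mac in events:
        watch.observe(ip, mac)
    return watch.alerts


def rst_disposition(rst_seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 section 3.2 handling of an incoming RST segment (no wraparound).

    Only a RST whose sequence number equals RCV.NXT is honoured. A RST that is
    merely inside the receive window gets a challenge ACK, which a blind or
    spoofing sender never sees and so cannot answer. Everything else is dropped.
    """
    if rst_seq == rcv_nxt:
        return "reset"
    if rcv_nxt <= rst_seq < rcv_nxt + rcv_wnd:
        return "challenge-ack"
    return "drop"


# Constructed sample: the gateway 10.0.0.1 answers from its usual MAC twice,
# then a different MAC starts answering for the same IP.
SAMPLE_ARP_EVENTS: List[Tuple[str, str]] = [
    ("10.0.0.1", "aa:bb:cc:00:00:01"),
    ("10.0.0.7", "aa:bb:cc:00:00:07"),
    ("10.0.0.1", "AA:BB:CC:00:00:01"),
    ("10.0.0.1", "de:ad:be:ef:00:01"),
]
```

The RST rule is why predicting an acknowledgment number “close enough” is no longer sufficient against a modern stack: without the exact next sequence number the segment only triggers a challenge ACK to the genuine peer, and the connection survives.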
10.6 Session Hijacking Tools
Session Hijacking Tools
• Zaproxy (OWASP ZAP)
• Burp Suite
• Jhijack
• Surf Jack
• Ettercap
• TamperIE
• PerJack
• WhatsUp Gold Engineer’s Toolkit
• Cookie Cadger
• Firesheep
• CookieCatcher
• T-sight
• sslstrip
Zaproxy Example
Mobile Session Hijacking Tools
• DroidSheep• DroidSniff
Droid Sheep
10.7 Session Hijacking Countermeasures
Methods for Session Hijacking Detection
• Manual method: uses packet-sniffing software
• Automatic method: uses IDS/IPS
Session Hijacking Protection
• Create a secure communication channel with SSH
• Ensure authentication cookies are passed over an HTTPS connection
• Encrypt data in transit / use defense-in-depth mechanisms
• Use timeout() to kill the session when it has expired
• Ensure strong authentication / peer-to-peer VPNs
• Ensure the session ID is generated after login / only accept session IDs generated by the server
• Ensure different accounts have different usernames/passwords
• Ensure employees are educated and remote access is limited
Session Hijacking Protection (cont’d)
• Ensure the session key is a long random number/string
• Avoid transporting the session ID in the query string
• Ensure use of switches instead of hubs / limit incoming connections
• Ensure active, updated client-side/server-side protection software
• Ensure the user can end the session using logout functionality
• Ensure appropriate internal/external spoof rules are configured on gateways
• Ensure use of IDS products / ARP watch to monitor ARP cache poisoning
• Ensure use of OpenSSH suite encrypted protocols
Session Hijacking Prevention for Web Developers
• Ensure session keys are made with long strings of random numbers
• Once login is successful, regenerate the session ID
• Encrypt the session key and all data being transferred
• When the user logs out, ensure the session is expired
• Do not allow eavesdropping on the network
• Minimize session/cookie lifespans
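Most of the developer-side countermeasures above, together with the cookie lifetime from 10.2 and the session fixation defence from 10.4, fit in one small server-side session store. The added example below is not code from the course or from any web framework: session IDs are 256 random bits from secrets.token_urlsafe, login always discards whatever ID the browser presented and issues a fresh one (so a fixed ID never becomes authenticated), both an idle and an absolute lifetime are enforced, logout destroys the server-side record, and the Set-Cookie value carries HttpOnly, Secure and SameSite. The timeouts and timestamps are constructed values; the cookie name “session” is an assumption.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

ABSOLUTE_LIFETIME = 8 * 3600   # hard cap on a session's age, in seconds (constructed value)
IDLE_TIMEOUT = 15 * 60         # expire a session unused for this long (constructed value)


@dataclass
class Session:
    user: Optional[str]   # None until a login succeeds
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table: the "database" in the cookie lifetime."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 32 random bytes = 256 bits: far beyond what guessing or brute force can cover.
        return secrets.token_urlsafe(32)

    def create(self, now: float) -> str:
        """Anonymous (pre-login) session, e.g. for a shopping basket."""
        sid = self._new_id()
        self._sessions[sid] = Session(user=None, created=now, last_seen=now)
        return sid

    def login(self, presented_sid: Optional[str], user: str, now: float) -> str:
        """Regenerate the ID on successful login (session fixation defence).

        Whatever ID the browser presented, including one an attacker planted
        via a URL argument, hidden field or cookie, is discarded; the
        authenticated session gets an ID only the server ever chose.
        """
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        sid = self._new_id()
        self._sessions[sid] = Session(user=user, created=now, last_seen=now)
        return sid

    def validate(self, sid: str, now: float) -> Optional[str]:
        """Return the user of a live session, or None (and drop it) if unknown or expired."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess.created > ABSOLUTE_LIFETIME or now - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        sess.last_seen = now
        return sess.user

    def logout(self, sid: str) -> None:
        """Destroy the server-side record so the cookie value is worthless afterwards."""
        self._sessions.pop(sid, None)

    def count(self) -> int:
        return len(self._sessions)


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value for the session ID.

    HttpOnly keeps document.cookie from reading it (XSS theft), Secure keeps it
    off plaintext HTTP (sniffing/side-jacking), SameSite limits cross-site sends
    (CSRF), and Max-Age mirrors the idle timeout so the browser drops it too.
    """
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age={IDLE_TIMEOUT}"
```

The pre-login ID is valid only as an anonymous session and never becomes authenticated, which is the whole fixation defence; the ID the attacker knew is gone the moment the victim logs in.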
Session Hijacking Prevention for Web Users
• Avoid links that come via IM/email
• Put firewalls in place to stop malicious content from getting onto the network
• Restrict cookies using firewall/browser settings
• Ensure certifying authorities have certified the website
• Ensure history, cookies, and offline content are cleared from the browser after each sensitive transaction
• When transferring sensitive data, use HTTPS instead of HTTP
• Always click the logout button to log out in the browser
IPSec
• A protocol suite created by the IETF to secure IP communications
• Works by authenticating/encrypting every IP packet in a communication session
• Benefits:
  • Data integrity
  • Data origin authentication
  • Network-level peer authentication
  • Data confidentiality
  • Replay protection
IPSec Architecture
• AH protocol
  • Authentication algorithm
  • IPSec DOI
  • Policy
  • Key management
• ESP protocol
  • Encryption algorithm
  • IPSec DOI
  • Policy
  • Key management
IPSec Modes
IPSec Components
• IPSec driver
• Internet Key Exchange (IKE)
• Internet Security Association and Key Management Protocol (ISAKMP)
• Oakley
• IPSec Policy Agent
10.8 Session Hijacking Pen Testing
Session Hijacking Pen Testing
• Find a session
• Check if the session ID is being used in the URL
  • If no, sniff the session traffic
• Check if the session is encrypted
  • If yes, stop or use Trojans
• Check if the session ID is recovered
  • If no, hijack the session with automated tools
• Check if the session ID is encrypted
  • If no, crack the encryption
• Ensure use of phishing emails to accomplish session fixation
Session Hijacking Pen Testing (cont’d)
• Establish a normal connection with the machine
• Gather multiple session IDs
• Predict a new session ID
• Replay the new session ID
• Establish a connection if possible
  • If no, use brute force for session IDs
• Document findings
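The “gather multiple session IDs, predict a new session ID” steps above, and the session prediction slide in 10.3 with its “user02” example, are really an assessment of how much randomness the application puts into its IDs. The following added example (not a tool from the course) takes a sample of IDs issued by one application and reports whether the variable part is a plain counter, what the next value would be if so, and an upper bound on the entropy of the variable part if every position were uniform over the alphabet actually observed. The sample ID sets are constructed, and the 64-bit threshold for calling a scheme weak is an assumption for the demo (OWASP guidance is at least 64 bits of real entropy).

```python
import math
import os
from typing import Dict, List

WEAK_ENTROPY_BITS = 64.0   # assumption for the demo: below this, prediction or brute force is plausible


def assess_session_ids(ids: List[str]) -> Dict[str, object]:
    """Assess a sample of session IDs gathered from one application.

    Returns a report with the shared prefix, whether the variable part is a
    sequential counter (and the predicted next ID if so), an entropy upper
    bound in bits for the variable part, and an overall "weak" verdict.
    """
    if len(ids) < 2:
        raise ValueError("need at least two session IDs to compare")
    prefix = os.path.commonprefix(ids)           # fixed structure shared by every ID
    variable = [s[len(prefix):] for s in ids]   # the part that actually differs
    alphabet = set("".join(variable))
    max_len = max(len(v) for v in variable)
    # Upper bound: if each position were uniformly random over the observed alphabet.
    entropy_bits = max_len * math.log2(len(alphabet)) if len(alphabet) > 1 else 0.0
    report: Dict[str, object] = {
        "prefix": prefix,
        "sequential": False,
        "predicted_next": None,
        "entropy_bits": entropy_bits,
    }
    # Counter detection: all-numeric variable parts increasing by a constant step.
    if all(v.isdigit() for v in variable):
        values = [int(v) for v in variable]
        steps = {b - a for a, b in zip(values, values[1:])}
        if len(steps) == 1:
            step = steps.pop()
            if step != 0:
                report["sequential"] = True
                report["predicted_next"] = prefix + str(values[-1] + step).zfill(max_len)
    report["weak"] = bool(report["sequential"]) or entropy_bits < WEAK_ENTROPY_BITS
    return report


# Constructed samples: a counter-style scheme like the slide's "user02" example,
# and a 128-bit hex scheme of the kind a server-side random generator produces.
WEAK_SAMPLE = ["user01", "user02", "user03"]
STRONG_SAMPLE = [
    "7c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f",
    "a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4",
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
]
```

The entropy figure is an upper bound, not a measurement: an ID built from a timestamp or a hashed username can look alphabet-rich yet be fully predictable, so a “not sequential” result is only the beginning of the review, and the only reliable fix is the one the countermeasures slide gives, long server-generated random values.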
Session Hijacking Review
• In session hijacking, the attacker requires the user to connect and authenticate, then takes over the session
• A spoofing attack requires the attacker to pretend to be a user/machine to gain access
• Types of application-level session hijacking include:
  • Session sniffing
  • Session token prediction
  • Man-in-the-middle attack
  • Man-in-the-browser attack
  • Cross-site scripting attack
  • Cross-site request forgery attack
  • Session replay attack
  • Session fixation attack
Lab 10: Session Hijacking