Ethical Hacking v10 Hijacking Module 10 – Session

Post on 16-May-2022


Ethical Hacking v10 Module 10 – Session Hijacking

Session Hijacking

Goals
• Understand Various Session Hijacking Concepts
• Understand Session Hijacking at App Level
• Understand Session Hijacking at Network Level
• Learn Session Hijacking Techniques
• Learn Session Hijacking Penetration Testing

Module 10.0 Session Hijacking
• 10.1 Session Hijacking Concepts
• 10.2 Browser Session Hijacking
• 10.3 Ways to Compromise a Session Token
• 10.4 Client Side Attacks
• 10.5 Session Hijacking at the Network Level
• 10.6 Session Hijacking Tools
• 10.7 Session Hijacking Countermeasures
• 10.8 Session Hijacking Pen Testing

10.1 Session Hijacking Concepts

Session Hijacking Basics

• Attacker takes over a legitimate TCP communication session between computers
• Attacker gains access to a machine because authentication happens only at the beginning of a TCP session
• Attacker is able to sniff all traffic during the TCP session and perform malicious acts
• Attacker authenticates himself on the server by stealing a legitimate session ID

Why Session Hijacking is Successful

• Lack of account lockout for invalid session IDs
• Session expiration time is indefinite
• Session IDs are small or the ID generation algorithm is weak
• Vulnerability of most TCP/IP computers
• Session IDs handled insecurely
• Majority of countermeasures require encryption to work

Process for Session Hijacking

• Stealing
  • Attacker steals session IDs using various techniques
• Guessing
  • Attacker looks at variable parts of session IDs to try to guess what they are
• Brute Force
  • Attacker keeps trying different session IDs until the right one is found

Process for Session Hijacking (cont’d)
• Command Injection
  • Attacker begins to inject packets into the target server
• Session ID Prediction
  • Attacker takes over the session
• Session Desynchronization
  • Attacker breaks the connection with the target machine
• Monitor
  • Attacker keeps track of the packet flow and predicts the sequence number
• Sniff
  • Attacker gets between victim and target by sniffing the network
• Attacker gains access to a machine that still has an active session
  • User has stepped away
  • Access is via RAT
  • Session has no logout or expiration time

Hijacking vs. Spoofing

• Hijacking
  • Process of taking over an active session
  • Needs a legitimate user to make/authenticate the connection
• Spoofing
  • Process of initiating a new session using stolen credentials
  • Attacker pretends to be a user/machine to gain access

10.2 Browser Session Hijacking

What is Cookie-Based Authentication?

• The traditional, stateful web authentication mechanism
• Lifetime of a cookie:
  1. User enters their login credentials
  2. Server verifies the credentials are correct and creates a session which is then stored in a database
  3. A cookie (text file) with the session ID is placed in the user’s browser
  4. On subsequent requests, the session ID is verified against the database and if valid the request is processed
  5. Once a user logs out of the app, the session is destroyed both client-side and server-side

What is Token-Based Authentication?

• A token is (usually) a JSON Web Token (JWT)
  • Digitally signed JSON object (key/value pairs)
• Token-based authentication is stateless
  • The server does not keep a record of which users are logged in
  • Does not keep track of which JWTs have been issued
  • Every request to the server is accompanied by the token, which the server uses to verify the authenticity of the request
• Token-based authentication has gained prevalence over the last few years due to the rise of:
  • single page applications
  • web APIs
  • Internet of Things (IoT)

Token Lifetime

1. User enters their login credentials.
2. Server verifies the credentials are correct and returns a signed token.
3. This token is stored client-side, most commonly in local storage, but can be stored in session storage or a cookie as well.
4. Subsequent requests to the server include this token as an additional Authorization header or through one of the other methods mentioned above.
5. The server decodes the JWT and if the token is valid processes the request.
6. Once a user logs out, the token is destroyed client-side; no interaction with the server is necessary.
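The token lifetime above can be shown end to end. The following Python code is an added example and is not part of the course material: it issues an HS256-signed JWT (step 2) and verifies it statelessly (step 5), checking the signature and the exp claim with no server-side record. The signing key, the user name and the 600-second lifetime are constructed for the example; a real service loads the key from a secret store.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Signing key constructed for this example; a real service loads it from a secret store.
SECRET = b"example-hs256-key-not-for-production"


def _b64url(data: bytes) -> str:
    # JWT uses base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Step 2 of the token lifetime: credentials already verified, return a signed JWT."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user, "iat": int(now), "exp": int(now) + ttl_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    )
    signature = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Step 5: decode the JWT and check signature and expiry without any server-side lookup.
    Returns the payload if valid, None otherwise (malformed, tampered, wrong alg, expired)."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: the token must not choose how it is verified (e.g. alg "none").
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        signing_input = (header_b64 + "." + payload_b64).encode("ascii")
        expected = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
        # Constant-time comparison so a forged signature cannot be refined byte by byte.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return payload


if __name__ == "__main__":
    tok = issue_token("alice", ttl_seconds=600)
    print(tok)
    print(verify_token(tok))
    print(verify_token(tok[:-2] + "xx"))  # tampered signature -> None
```

Because the signature covers the encoded header and payload, any change to either segment, or to the signature itself, makes verify_token return None; the only state the server needs is the key.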

What is a Session Token?

• Typically a JWT
• Because HTTP communication uses many different TCP connections, the web server needs a method to recognize every user’s connections
• The most useful method depends on a token that the web server sends to the client browser after a successful client authentication
• The token is used in different ways:
  • In the URL
  • In the header of the HTTP request as a cookie
  • In other parts of the header of the HTTP request
  • In the body of the HTTP request
• A Session Hijacking attack compromises the session token
  • By stealing or predicting a valid session token
  • This gains unauthorized access to the Web Server

Common Ways to Compromise a Session Token
• Session prediction
• Session sniffing
• Client-side attacks (XSS, malicious JavaScript code, Trojans, etc.)
• Man-in-the-middle attack
• Man-in-the-browser attack

10.3 Ways to Compromise a Session Token

Session Prediction
• Attacker analyzes the website’s session ID generation process
• Attacker then predicts a valid session ID value and gets access
• Looking at the example, “user02” would be a good prediction
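An added Python example, not from the course slides, of the check a developer would run against their own session ID generator: generate_session_id draws the ID from the OS CSPRNG (the countermeasure), and predict_missing_id detects the prefix-plus-counter pattern the slide warns about and returns the value such a scheme leaks. The WEAK_SAMPLE IDs are constructed to mirror the slide’s “user02” example.

```python
import re
import secrets
from typing import List, Optional

# Constructed sample in the style of the slide: "user02" is missing from the sequence.
WEAK_SAMPLE = ["user00", "user01", "user03", "user04"]


def generate_session_id(nbytes: int = 32) -> str:
    """Countermeasure: 256 bits from the OS CSPRNG, so no ID can be derived from another."""
    return secrets.token_urlsafe(nbytes)


def predict_missing_id(ids: List[str]) -> Optional[str]:
    """Audit helper: if every observed ID is one fixed prefix followed by a counter of
    fixed width, return a value that is probably valid (the first gap in the counter, or
    the next value after the highest one). Returns None if no such pattern is present."""
    pattern = re.compile(r"^(.*?)(\d+)$")
    matches = [pattern.match(i) for i in ids]
    if len(ids) < 2 or not all(matches):
        return None
    prefixes = {m.group(1) for m in matches}
    widths = {len(m.group(2)) for m in matches}
    if len(prefixes) != 1 or len(widths) != 1:
        return None  # no common prefix or inconsistent zero-padding: not a simple counter
    prefix, width = prefixes.pop(), widths.pop()
    numbers = sorted(int(m.group(2)) for m in matches)
    # A counter steps by one; a larger jump means an unseen ID that is likely still valid.
    for a, b in zip(numbers, numbers[1:]):
        if b - a > 1:
            return f"{prefix}{a + 1:0{width}d}"
    return f"{prefix}{numbers[-1] + 1:0{width}d}"


def looks_predictable(ids: List[str]) -> bool:
    """True when the sample of IDs follows a guessable counter pattern."""
    return predict_missing_id(ids) is not None


if __name__ == "__main__":
    print("weak sample ->", predict_missing_id(WEAK_SAMPLE))
    print("random IDs predictable?", looks_predictable([generate_session_id() for _ in range(5)]))
```

Run it against a handful of IDs issued to test accounts; a result other than None means the generator needs replacing, not that the analysis is clever.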

Session Sniffing

• Use a sniffer to capture a valid session token (Session ID)
• Reuse the token to gain unauthorized access
• Aka side-jacking

Cross Site Scripting Attack (XSS)

• Use XSS to steal the token
• Send a crafted link to the victim with malicious JavaScript
• When the victim clicks on the link, the JavaScript runs
• The JavaScript code’s document.cookie property captures the cookie, sending it to the attacker

<SCRIPT>alert(document.cookie);</SCRIPT>
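The payload above only works when the session cookie is readable from script. As an added example that is not part of the original module, the following Python audit parses Set-Cookie headers and reports a session cookie that lacks the HttpOnly, Secure or SameSite attributes; the two headers and the cookie name sessionid are constructed for the example.

```python
from typing import Dict, List

# Constructed Set-Cookie headers: the first is readable by document.cookie and travels
# over plain HTTP; the second carries the three attributes that close those paths.
UNSAFE_HEADER = "sessionid=9f3a2c; Path=/"
SAFE_HEADER = "sessionid=9f3a2c; Path=/; Secure; HttpOnly; SameSite=Strict"


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Minimal Set-Cookie parser. Returns 'name' and 'value' plus every attribute keyed
    by its lower-cased name; flag attributes without a value (Secure, HttpOnly) map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def audit_session_cookie(header: str) -> List[str]:
    """Return the missing protections for a session cookie; an empty list means it passes."""
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    if "httponly" not in cookie:
        findings.append("HttpOnly missing: document.cookie can read the session ID")
    if "secure" not in cookie:
        findings.append("Secure missing: cookie is also sent over plain HTTP and can be sniffed")
    if cookie.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite=Lax/Strict missing: cookie rides along on cross-site requests")
    return findings


if __name__ == "__main__":
    for hdr in (UNSAFE_HEADER, SAFE_HEADER):
        print(hdr, "->", audit_session_cookie(hdr) or "OK")
```

HttpOnly stops the document.cookie read shown above; it does not stop script from sending requests with the cookie attached, which is why the Secure and SameSite findings are reported alongside it.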

Man-in-the-Middle Attack

• Attacker inserts him/herself into an existing session to intercept messages
• Use of various techniques to split the TCP connection into:
  • Victim-to-attacker
  • Attacker-to-server
• Once inserted, the attacker can read/modify/insert fraudulent data into the communication
• You can capture a session cookie by reading the HTTP header
• You can also change the amount of a money transaction inside the application context

Man-in-the-Browser Attack
• Attacker uses a Trojan to intercept calls between the browser and its libraries/security mechanisms
• Primary objective is to manipulate Internet banking transactions
• Customer makes the payment, but malware changes the destination and amount

What the user sees (ONLINE BANKING):
  Payee Name: Gas Bill
  Payee Account #: 123456
  Amount: $50

What the bank sees (ONLINE BANKING):
  Payee Name: Fraudster
  Payee Account #: 99999
  Amount: $5000

10.4 Client Side Attacks

Cross-Site Scripting (XSS) Attacks
• Cross-Site Scripting is an attack in which malicious JavaScript is inserted and executes on the client's browser
  • Forums
  • Reviews
  • Social media posts
• Can steal cookies, read sensitive info, inject malware, and more
• While a user views the content of the page, the browser executes the malicious code in the background
• One of the most popular and effective attacks

Cross-Site Scripting (XSS) Attacks (cont’d)
• Three categories:
  • Stored (persistent) injects scripts that remain on the server
  • Reflected injects scripts that are sent to the server and then bounce back to the user
  • DOM-based is executed entirely on the client side

Cross-Site Scripting (XSS) Attacks (cont’d)
• Use social engineering to craft the injected URL
• Persistent attack requires modifying data stored by the app
• Try with forms you know store data, like a site feedback page
• Not all injection points are visible
• May be able to POST data in the HTTP request
• Depends on web app technology

Cross-Site Request Forgery (XSRF) Attacks

• Cross-Site Request Forgery is an attack where an established trust between an authorized user and a website is exploited
• Exploits the server’s trust in the user
• Takes advantage of saved authentication to access sensitive data
• Craft URL and send to victim
• Victim clicks link and automatically signs in to the site due to a saved cookie
• Requested action executes automatically

Also known as CSRF

Cross-Site Request Forgery Attacks (cont’d)

• Power of CSRF is that it's difficult to detect
  • Attack is carried out by the browser as if the user requested it
  • User could enter the same URL manually and get the same result
  • Nearly impossible for the browser to distinguish CSRF from normal activity
• CSRF can be difficult to execute
  • Requires finding a form that can do something malicious
  • Requires knowing the right values that aren't obscured
  • Sites that check the referrer header will disallow requests from different origins
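An added Python example, not from the course, of the two server-side checks that make CSRF fail: the origin/referrer check the slide mentions, and a per-session synchronizer token that a cross-site page cannot read and that is compared in constant time. SITE_ORIGIN, the csrf_token field name and the request dictionaries are assumptions for the example.

```python
import secrets
from typing import Dict

SITE_ORIGIN = "https://bank.example"  # constructed origin of the protected application


def new_csrf_token() -> str:
    """Synchronizer token: generated once per session, embedded in every state-changing form.
    Same-origin policy keeps a page on another site from reading it."""
    return secrets.token_urlsafe(32)


def origin_is_ours(headers: Dict[str, str]) -> bool:
    """Browsers set Origin (or Referer) on form posts and scripts cannot forge them;
    a missing header is treated as foreign, since state changes should always carry one."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin") or h.get("referer", "")
    return origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")


def is_state_change_allowed(headers: Dict[str, str], form: Dict[str, str], session: Dict[str, str]) -> bool:
    """Decision for a POST that changes state: both checks must pass."""
    if not origin_is_ours(headers):
        return False
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; an empty expected value means the session never got a token.
    return bool(expected) and secrets.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    session = {"csrf_token": new_csrf_token()}
    legit = ({"Origin": SITE_ORIGIN}, {"csrf_token": session["csrf_token"], "amount": "50"})
    forged = ({"Origin": "https://evil.example"}, {"amount": "5000"})
    print("legitimate:", is_state_change_allowed(*legit, session))
    print("cross-site:", is_state_change_allowed(*forged, session))
```

The token check is what defeats the “user could enter the same URL manually” property: the forged request reproduces the URL and the saved cookie, but not a value that only the legitimate page was served.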

Session Replay Attack

• Attacker listens in on the conversation between user and server
• Attacker obtains the user’s authentication token
• Attacker replays the request to the server using the obtained token and gains unauthorized server access

Session Fixation Attack

• Attacker obtains a legitimate web app session ID and tricks the victim’s browser into using it
• Session fixation execution techniques include:
  • Session token in URL argument
  • Session token in hidden form field
  • Session ID hidden in cookie

Session Fixation Attack Example

10.5 Hijacking at the Network Level

Network-Level Session Hijacking

• Hijack depends on abusing networking protocols
• Types of network-level session hijacking:
  • Blind Hijacking
  • UDP Hijacking
  • TCP Hijacking
  • RST Hijacking
  • Man-in-the-Middle Packet Sniffer
  • IP Spoofing: Source Routing

TCP Session Hijacking
• TCP Session Hijacking is taking a user's or client's place after it has established a TCP connection with a server
• Enables connection without providing credentials
• Conditions:
  • Cleartext protocol used
  • Attacker needs to observe and correctly predict TCP sequence numbers
  • Packets can’t be digitally signed
• Process:
  • Watch the client/server TCP sequence numbers
  • Send spoofed TCP FIN packets to the client
  • Spoof your IP or MAC to the server
  • When the client disconnects, continue communicating with the server via the spoofed address

Source Routed Packets

• Uses a trusted host IP address to gain unauthorized access to a computer
• Attacker spoofs the host IP address so the server will accept the packet from the attacker
• Attacker injects forged packets as soon as the session is established but prior to the host responding to the server
• Server gets the packet from the attacker and the original packet from the host is lost
• Attacker source-routes packets through the host and specifies the destination IP

RST Hijacking

• Attacker uses a spoofed source address/predicted acknowledgment number to inject a reset packet that looks authentic
• With an accurate acknowledgment number, the attacker is able to reset the user’s connection
• User thinks the reset packet was sent legitimately and resets the connection
• This attack can be done with a packet crafting tool

Blind Hijacking

• Attacker injects malicious data/commands into intercepted communications
• Possible even if source-routing is disabled
• Attacker can only send data/commands – cannot see the response
• OK if they can see the results of a command

Forged ICMP/ARP Spoofing

• Packet sniffer acts as an interface between client and server
• ARP spoofing broadcasts ARP requests to fool the host and change host ARP tables
• ARP spoofing sends forged replies to change host ARP tables
• Two techniques used to route packets through the hijacker’s host:
  • ICMP
  • ARP Spoofing
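The countermeasures in 10.7 list “ARP watch” against exactly this attack. An added Python example, not from the course, shows the detection logic such a tool applies: learn IP-to-MAC bindings from ARP replies, alert when an existing binding changes, and alert when one MAC starts answering for several IPs (both sides of the connection being poisoned). The SAMPLE_ARP_REPLIES records are constructed; the last two show one new MAC claiming first the gateway and then the workstation address.

```python
from typing import Dict, List, Set, Tuple

# Constructed ARP reply log as (timestamp, sender IP, sender MAC).
# Records 1-3 are normal; records 4-5 show one MAC claiming both ends of a conversation.
SAMPLE_ARP_REPLIES = [
    (1.0, "10.0.0.1", "00:11:22:33:44:01"),    # gateway
    (2.0, "10.0.0.20", "00:11:22:33:44:20"),   # workstation
    (3.0, "10.0.0.1", "00:11:22:33:44:01"),    # routine refresh, binding unchanged
    (4.0, "10.0.0.1", "DE:AD:BE:EF:00:99"),    # gateway IP now claimed by a new MAC
    (5.0, "10.0.0.20", "DE:AD:BE:EF:00:99"),   # same MAC also claims the workstation
]


def arp_watch(replies: List[Tuple[float, str, str]]) -> Tuple[Dict[str, str], List[str]]:
    """Replay ARP replies through a passive watcher.
    Returns the final IP->MAC table and the alerts raised, in order."""
    table: Dict[str, str] = {}
    ips_by_mac: Dict[str, Set[str]] = {}
    alerts: List[str] = []
    for ts, ip, mac in replies:
        mac = mac.lower()  # normalise so case differences do not look like changes
        known = table.get(ip)
        if known is not None and known != mac:
            alerts.append(f"t={ts}: {ip} changed from {known} to {mac} (possible ARP spoofing)")
        table[ip] = mac
        claimed = ips_by_mac.setdefault(mac, set())
        claimed.add(ip)
        if len(claimed) > 1:
            alerts.append(f"t={ts}: {mac} answers for {sorted(claimed)} (one MAC, several IPs)")
    return table, alerts


if __name__ == "__main__":
    final_table, raised = arp_watch(SAMPLE_ARP_REPLIES)
    for line in raised:
        print(line)
```

A binding that flips back and forth between two MACs is the usual sign of a poisoning tool re-sending replies; the watcher above reports every flip, so the alert count itself is a useful signal.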

UDP Hijacking

• Attacker sends a forged server reply to the user’s UDP request before the legitimate server can reply
• Attacker intercepts the server’s reply using a man-in-the-middle attack

10.6 Session Hijacking Tools

Session Hijacking Tools

• Zaproxy (OWASP ZAP)
• Burp Suite
• Jhijack
• Surf Jack
• Ettercap
• TamperIE
• PerJack
• WhatsUp Gold Engineer’s Toolkit
• Cookie Cadger
• Firesheep
• CookieCatcher
• T-sight
• sslstrip

Zaproxy Example

Mobile Session Hijacking Tools

• DroidSheep
• DroidSniff

Droid Sheep

10.7 Session Hijacking Countermeasures

Methods for Session Hijacking Detection

• Manual Method
  • Uses packet-sniffing software
• Automatic Method
  • Uses IDS/IPS

Session Hijacking Protection

• Create a secure communication channel with SSH
• Ensure authentication cookies are passed via an HTTPS connection
• Encrypt data in transit/use defense-in-depth mechanisms
• Use timeout() to kill the session when it has expired
• Ensure strong authentication/peer-to-peer VPNs
• Ensure the session ID is generated after login/only accept session IDs generated by the server
• Ensure different accounts have different usernames/passwords
• Ensure employees are educated and remote access is limited

Session Hijacking Protection (cont’d)

• Ensure session keys are long random numbers/strings
• Avoid transporting the session ID in the query string
• Ensure use of switches instead of hubs/limit incoming connections
• Ensure active/updated client-side/server-side protection software
• Ensure users can end the session using logout functionality
• Ensure appropriate internal/external spoof rules are configured on gateways
• Ensure use of IDS products/ARP watch to monitor ARP cache poisoning
• Ensure use of OpenSSH suite encrypted protocols

Session Hijacking Prevention for Web Developers
• Ensure session keys are made with long strings of random numbers
• Once login is successful, regenerate the session ID
• Encrypt the session key and all data being transferred
• When the user logs out, ensure the session is expired
• Do not allow eavesdropping on the network
• Minimize session/cookie lifespans
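An added Python example, not part of the module, that ties together the cookie lifetime from 10.2, the session fixation attack from 10.4 and the developer countermeasures listed above: a server-side session store that issues long random IDs, discards whatever ID existed before login (so a planted ID never becomes an authenticated one), expires idle sessions and destroys the session on logout. The 15-minute idle timeout and the user names are constructed values; the store is in memory where a real app would use its database.

```python
import secrets
import time
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60  # constructed policy: a session dies after 15 minutes without a request


class SessionStore:
    """Server-side session table: the 'database' from the cookie-lifetime slide."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    @staticmethod
    def _new_id() -> str:
        # Long random string: 256 bits from the OS CSPRNG, so IDs cannot be predicted.
        return secrets.token_urlsafe(32)

    def start_anonymous(self, now: Optional[float] = None) -> str:
        """Pre-login session (a shopping cart, say). An attacker may have planted this ID."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": time.time() if now is None else now}
        return sid

    def login(self, presented_sid: Optional[str], user: str, now: Optional[float] = None) -> str:
        """Fixation countermeasure: the ID presented before authentication is discarded and a
        fresh one is issued, so only an ID generated by the server after login is ever trusted."""
        if presented_sid in self._sessions:
            del self._sessions[presented_sid]
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": time.time() if now is None else now}
        return sid

    def resolve(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Map a session ID to its user, or None. Idle sessions are destroyed on sight."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid: str) -> None:
        """Server-side destruction: a captured ID is worthless once the user logs out."""
        self._sessions.pop(sid, None)

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    planted = store.start_anonymous()
    sid = store.login(planted, "alice")
    print("planted ID still valid after login?", store.resolve(planted) is not None)
    print("fresh ID resolves to", store.resolve(sid))
    store.logout(sid)
    print("after logout:", store.resolve(sid))
```

Issuing the new ID inside login, rather than reusing the one the browser presented, is the single change that defeats all three fixation techniques listed in 10.4, whichever channel delivered the planted value.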

Session Hijacking Prevention for Web Users

• Avoid links that come via IM/email
• Put firewalls in place to stop malicious content from getting on the network
• Restrict cookies using firewall/browser settings
• Ensure certifying authorities have certified the website
• Ensure history, cookies, and offline content are cleared from the browser after each sensitive transaction
• When transferring sensitive data, use HTTPS instead of HTTP
• Always click the logout button to log out of the browser

IPSec

• Protocol suite created by the IETF to secure IP communications
• Works by authenticating/encrypting every IP packet in a communication session
• Benefits:
  • Data integrity
  • Data origin authentication
  • Network-level peer authentication
  • Data confidentiality
  • Replay protection

IPSec Architecture

• AH Protocol
  • Authentication algorithm
  • IPSec DOI
  • Policy
  • Key management
• ESP Protocol
  • Encryption algorithm
  • IPSec DOI
  • Policy
  • Key management

IPSec Modes

IPSec Components

• IPSec Driver
• Internet Key Exchange (IKE)
• Internet Security Association and Key Management Protocol (ISAKMP)
• Oakley
• IPSec Policy Agent

10.8 Session Hijacking Pen Testing

Session Hijacking Pen Testing

• Find a session
  • Check if the session ID is being used in the URL
  • If no, sniff session traffic
• Check if the session is encrypted
  • If yes, stop or use Trojans
• Check if the session ID is recovered
  • If no, hijack the session with automated tools
• Check if the session ID is encrypted
  • If no, crack the encryption
• Ensure use of phishing emails to accomplish session fixation

Session Hijacking Pen Testing (cont’d)

• Establish a normal connection with the machine
• Gather multiple session IDs
• Predict a new session ID
• Replay the new session ID
• Establish a connection if possible
  • If no, use brute force for session IDs
• Document findings

Session Hijacking Review

• In session hijacking, an attacker requires the user to connect and authenticate, then takes over the session
• A spoofing attack requires an attacker to pretend to be a user/machine to gain access
• Types of application-level session hijacking include:
  • Session Sniffing
  • Predict Session Token
  • Man-in-the-Middle Attack
  • Man-in-the-Browser Attack
  • Cross-site Script Attack
  • Cross-site Request Forgery Attack
  • Session Replay Attack
  • Session Fixation Attack

Lab 10: Session Hijacking