Module 11: Session Hijacking

Concept

  • An attack in which an attacker seizes control of a valid TCP communication session between two computers
  • As most authentication occurs only at the start of a TCP session, allowing the attacker…
  • Attackers can sniff all the traffic from the established TCP sessions and perform identity theft, information theft, fraud, etc.
  • Steal a valid session ID and use it to authenticate himself

Why is Session Hijacking Successful

  • Absence of account lockout for invalid session IDs
  • Weak session-ID generation algorithm or small session IDs
  • Insecure handling of session IDs
  • Indefinite session timeout
  • Most computers using TCP/IP are vulnerable
  • Most countermeasures do not work without encryption

Process

  • Sniff
  • Monitor
  • Session Desynchronization
  • Session ID prediction
  • Command Injection

Types of Session Hijacking

  • Passive: The attacker hijacks a session but sits back, watches, and records all the traffic.
  • Active: The attacker finds an active session and seizes control of it.

Session Hijacking in OSI Model

  • Network Level Hijacking: Can be defined as the interception of packets during the transmission between a client and the server in a TCP or UDP session
  • Application Level Hijacking: Gain control over a user's HTTP session by obtaining the session ID

Application Level Session Hijacking

  • A session is stolen or a valid session token is predicted to gain unauthorized access to the web server
  • A session token can be compromised in various ways
    • Session sniffing: Use a sniffer to capture a valid session token or session ID
    • Predictable session token: Predict session IDs generated by weak algorithms and impersonate a website user.
    • MITM attack
    • Man-in-the-browser attack: Use a trojan horse to intercept the calls between the browser and its security mechanisms or libraries
    • XSS: Inject malicious client-side scripts into the web pages…
    • CSRF: Exploit the victim's active session with a trusted site to perform malicious activities
    • Session replay attack: Use the authentication token to replay the request
    • Session fixation attack: Attackers provide a valid SID to a victim and lure him to authenticate using that SID.
    • CRIME (Compression Ratio Info-Leak Made Easy) attack: A client-side attack that exploits vulnerabilities in the data compression feature of protocols such as SSL/TLS, SPDY, and HTTPS.
    • Forbidden attack: A type of MITM. Exploit the reuse of cryptographic nonce during the TLS handshake
    • Session donation attack: An attacker donates his own SID to the target user.
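The two root causes from the list above that a developer controls directly are weak or short session IDs and indefinite timeouts, and the session fixation item in this list is defeated by rotating the ID at login. The following is an added example, not code from the original notes: a hypothetical server-side session store (names `SessionStore`, `session_id_entropy_bits` are assumptions) that generates IDs from the OS CSPRNG, enforces idle and absolute timeouts, and issues a fresh ID when the user authenticates.

```python
import math
import secrets
import time
from typing import Dict, Optional


def session_id_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a session ID drawn uniformly from `alphabet_size` symbols.

    A 6-digit numeric ID is about 20 bits and can be enumerated; OWASP's
    guidance is at least 64 bits, and 32 CSPRNG bytes give 256.
    """
    return length * math.log2(alphabet_size)


class SessionStore:
    """Hypothetical server-side session table keyed by an unpredictable ID."""

    def __init__(self, idle_timeout: float = 15 * 60, max_lifetime: float = 8 * 3600):
        self.idle_timeout = idle_timeout  # seconds allowed since the last request
        self.max_lifetime = max_lifetime  # seconds allowed since creation
        self._sessions: Dict[str, dict] = {}

    @staticmethod
    def _new_id() -> str:
        # 32 bytes from the OS CSPRNG, base64url-encoded: not time-based,
        # not sequential, so it cannot be predicted from earlier IDs.
        return secrets.token_urlsafe(32)

    def create(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def validate(self, sid: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the session if `sid` is live; expire it and return None otherwise."""
        now = time.time() if now is None else now
        data = self._sessions.get(sid)
        if data is None:
            return None
        if (now - data["last_seen"] > self.idle_timeout
                or now - data["created"] > self.max_lifetime):
            del self._sessions[sid]  # no indefinite sessions
            return None
        data["last_seen"] = now
        return data

    def login(self, sid: str, user: str, now: Optional[float] = None) -> str:
        """Authenticate and bind `user` to a brand-new session ID.

        Rotating the ID at login is the standard fixation defence: any ID the
        client held before authenticating (including one planted by a third
        party) is retired and never carries the authenticated state.
        """
        now = time.time() if now is None else now
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "created": now, "last_seen": now}
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore(idle_timeout=60)
    anon = store.create(now=0)
    authed = store.login(anon, "alice", now=1)
    print("old ID valid after login:", store.validate(anon, now=2) is not None)
    print("new ID owner:", store.validate(authed, now=2)["user"])
    print("new ID after 5 min idle:", store.validate(authed, now=400))
    print("6-digit ID bits:", round(session_id_entropy_bits(10, 6), 1))
    print("32 random bytes bits:", session_id_entropy_bits(256, 32))
```

The `now` parameter exists only so the timeouts can be exercised deterministically; in a real service the store would also be the place to invalidate every session of a user on password change.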

Network Level Session Hijacking

  • Rely on hijacking transport and Internet Protocols used by web applications in the application layer
  • Blind hijacking: Inject malicious data or commands into the intercepted communications in the TCP session even if source routing is disabled, but the attacker cannot see the response
  • UDP hijacking: Attackers send a forged server reply to a victim's UDP request before the intended server replies to it.
  • TCP/IP hijacking: Use spoofed packets to seize control of a connection. The attacker must be on the same network as the victim.
  • RST hijacking: Inject an authentic-looking RST packet using a spoofed source address and predict the ack number. An attacker can reset a victim's connection if it uses an accurate ack number
  • MITM: Packet sniffer: Change the client's default gateway and attempt to reroute packets. The packets between the client and server are routed through the hijacker's host using forged ICMP and ARP spoofing.
  • IP spoofing: Source routed packets: Spoof the host's IP so that the server managing a session with the host accepts the packets from the attacker.

Session Hijacking Tools:

  • Burpsuite
  • OWASP ZAP
  • bettercap
  • sslstrip

Countermeasures

  • Detection Method
    • Manual Method
      • Using packet sniffing software
    • Automatic Method
      • IDS
      • IPS
  • Protect against Session Hijacking
  • Web Dev Guidelines to Prevent Session Hijacking
  • Web User Guidelines to Prevent Session Hijacking
  • Detection Tools
    • AlienVault USM
    • Wireshark
  • Approaches Causing Vulnerability to Session Hijacking and Their Preventative Solutions
    • Telnet, rlogin -> OpenSSH or ssh
    • FTP -> SFTP, AS2, MFT, FTPS
    • HTTP -> SSL or TLS
    • IP -> IPsec
    • Any remote connection -> VPN
    • SMB -> SMB signing
    • Hub Network -> Switch Network
  • Approaches to Prevent Session Hijacking
    • HSTS (HTTP Strict Transport Security): A web security policy that protects HTTPS against MITM. Allows a web server to require that web browsers interact with it only over HTTPS
    • Token Binding: When a user logs on to a web app, it generates a cookie with an SID, called a token.
    • HPKP (HTTP Public Key Pinning): A TOFU (Trust on First Use) technique used in an HTTP header. Allow a web client to associate a specific public key certificate with a particular server to minimize the risk of MITM
  • Approaches to Prevent MITM Attacks
    • WEP/WPA Encryption
    • VPN
    • TFA
  • IPSec
    • A protocol suite developed by the IETF for securing IP communication by authenticating and encrypting each IP packet of a session.
    • Deployed widely to implement VPNs and for remote user access through dial-up connection to private networks
    • Components:
      • IPsec Driver: Software that performs protocol-level functions required to encrypt and decrypt packets
      • IKE (Internet Key Exchange): A protocol that produces security keys for IPsec and other protocols
      • ISAKMP (Internet Security Association and Key Management Protocol): Software that allows two computers to communicate by encrypting the data exchanged between them
      • Oakley: A protocol that uses the Diffie-Hellman algorithm to create a master key and a key that is specific to each session in IPsec data transfer
      • IPsec Policy Agent: A service included in Windows OS that enforces IPsec policies for all the network communications initiated from that system
    • Benefits
      • Network-level peer authentication
      • Data origin authentication
      • Data integrity
      • Data confidentiality
      • Replay protection
    • Modes of IPsec
      • Transport Mode: Also ESP, encrypts only the payload of the IP packet, leaving the header untouched.
      • Tunnel Mode: Also AH, encrypts both the payload and the header. More secure than transport mode.
    • IPsec Architecture:
      • AH (Authentication Header): Offer integrity and data origin authentication, with optional anti-replay features.
      • ESP (Encapsulating Security Payload): Offer all the services offered by AH as well as confidentiality
      • DOI (IPsec Domain of Interpretation): Defines the payload formats, types of exchange, and naming conventions for security info such as cryptographic algorithms or security policies
      • ISAKMP (Internet Security Association and Key Management Protocol): A key protocol in the IPsec architecture that establishes the required security for various communications over the Internet, such as gov, private, and com communications.
      • Policy: Defines when and how to secure data, as well as the security methods to use at different levels in the network.
  • Session Hijacking Prevention Tools:
    • CxSAST
    • Fiddler
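The detection methods listed under Countermeasures (packet sniffing, IDS/IPS) come down to spotting one session token being presented by more than one client. The following is an added example, not code from the original notes: a small detector run over constructed access-log lines in a hypothetical layout (`parse_log`, `detect_hijacks` and the log format are assumptions). It baselines the first client IP and User-Agent seen for each session ID and alerts when a later request for the same ID comes from a different one.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines in a hypothetical access-log layout:
# <time> <client-ip> sid=<session-id> "<user-agent>" <method> <path>
SAMPLE_LOG = """\
10:00:01 198.51.100.7 sid=a1b2c3 "Mozilla/5.0 (Windows NT 10.0)" GET /account
10:00:05 198.51.100.7 sid=a1b2c3 "Mozilla/5.0 (Windows NT 10.0)" GET /orders
10:00:09 203.0.113.42 sid=a1b2c3 "curl/8.0" GET /account/export
10:01:00 198.51.100.9 sid=d4e5f6 "Mozilla/5.0 (X11; Linux x86_64)" GET /account
"""

LINE_RE = re.compile(r'^(\S+) (\S+) sid=(\S+) "([^"]*)" (\S+) (\S+)$')


def parse_log(text: str) -> List[dict]:
    """Parse lines in the constructed layout above; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, ip, sid, ua, method, path = m.groups()
        events.append({"time": t, "ip": ip, "sid": sid, "ua": ua,
                       "method": method, "path": path})
    return events


def detect_hijacks(events: List[dict]) -> Dict[str, List[str]]:
    """Flag session IDs that are presented from more than one client.

    The first IP and User-Agent seen for a session ID become its baseline;
    any later request for the same ID from a different IP or User-Agent
    produces an alert. A legitimate client rarely changes both mid-session,
    while a copied token used from a second host usually does.
    """
    baseline: Dict[str, Dict[str, str]] = {}
    alerts: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        base = baseline.setdefault(e["sid"], {"ip": e["ip"], "ua": e["ua"]})
        for field in ("ip", "ua"):
            if e[field] != base[field]:
                alerts[e["sid"]].append(
                    f'{e["time"]} {field} changed {base[field]!r} -> {e[field]!r} on {e["path"]}')
    return dict(alerts)


if __name__ == "__main__":
    for sid, msgs in detect_hijacks(parse_log(SAMPLE_LOG)).items():
        print(f"session {sid}:")
        for msg in msgs:
            print("  ALERT", msg)
```

An IP change alone is a weak signal (mobile clients and NAT pools move between addresses), so in production the IP and User-Agent changes would be scored together with the sensitivity of the requested path rather than each raising an alert on its own.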
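The HSTS item and the "HTTP -> SSL or TLS" row above are enforced through response headers, and the same headers decide whether a session cookie can be sniffed over plaintext, read by injected script, or sent on a cross-site request. The following is an added example, not code from the original notes: an audit function (`audit_headers`, `hardened_session_cookie` and the cookie name `SESSIONID` are assumptions) that checks a response's `Strict-Transport-Security` and `Set-Cookie` headers, shown against a constructed weak response and its corrected form.

```python
import re
from typing import Dict, List, Tuple

HSTS_MIN_MAX_AGE = 31536000  # one year in seconds


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into the cookie name and lower-cased attributes."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Return a list of findings for missing transport and cookie protections."""
    findings = []
    hsts = next((v for k, v in headers if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        findings.append("no Strict-Transport-Security header: browser can be downgraded to HTTP")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < HSTS_MIN_MAX_AGE:
            findings.append("HSTS max-age is shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains: cookies can leak via a plaintext subdomain")
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if "secure" not in attrs:
            findings.append(f"cookie {name}: no Secure flag, sent over plaintext HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: no HttpOnly flag, readable by injected script")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"cookie {name}: SameSite not Lax/Strict, sent on cross-site requests")
    return findings


def hardened_session_cookie(name: str, sid: str) -> str:
    """Build a Set-Cookie value carrying the session ID with the usual protections."""
    return f"{name}={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


# Constructed responses: a weak one and the corrected one.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", hardened_session_cookie("SESSIONID", "abc123")),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp) or ["no findings"])
```

The three cookie attributes map onto three of the token-compromise routes listed earlier: `Secure` against session sniffing on plaintext HTTP, `HttpOnly` against script access after XSS, and `SameSite` against CSRF.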