Thursday, November 15, 2018

Session Hijacking And its Types


Session Hijacking and its Types

Introduction

Session hijacking is defined as taking over an active TCP/IP communication session without the user’s permission. When implemented successfully, attackers assume the identity of the compromised user, enjoying the same access to resources as the compromised user. Identity theft, Information theft, stealing sensitive data are some of the common impacts of session hijacking.

Types of session hijacking attacks:

There are two types of session hijacking depending on how they are done. If the attacker directly gets involved with the target, it is called active hijacking, and if an attacker just passively monitors the traffic, it is passive hijacking.

Active:

The attacker will silence one of the machines, usually the client computer, and take over the clients’ position in the communication exchange between the workstation and the server. The active attack also allows the attacker to issue commands on the network making it possible to create new user accounts on the network, which can later be used to gain access to the network without having to perform the session hijack attack.

Passive:

In Passive session hijacking attack, the attacker monitors the traffic between the workstation and server. The primary motivation for the passive attack is to monitor network traffic and potentially discover valuable data or passwords.

Session Hijacking Process

The first step in the session hijack attack is locating a target user. Attackers look for two things prior to their attack- first, they look for networks that have a high level of utilization; high volume networks help attackers to remain anonymous and they also provide a healthy supply of users to choose from, which also helps the attack. Secondly, users who use insecure network protocols such as Telnet, rlogin (remote login), and FTP (file transfer protocol) are easy targets due to their inherently insecure design. Packet sniffing software can be used to sniff network traffic for the purpose of locating vulnerable protocols like FTP, Telnet, and rlogin. Port scanning software can also be used to identify servers that have FTP, Telnet, or rlogin ports open. 

1. Sniffing into Active Session:

The attacker then finds an active session between the target and another machine and places himself between them. Using a sniffer like Wireshark, he captures the traffic and tries to gather information about the session.

2. Monitor:

He then monitors the traffic for vulnerable protocols like HTTP, telnet, rlogin, etc., and tries to find any valid authentication packets passing through. 

3. Session Id Retrieval:

The attacker tries to predict the session id using available information. Now that a target has been chosen, the next step in the session hijacking process is sequence number prediction. Sequence number prediction is a critical step because failing to predict the correct sequence number will result in the server sending reset packets and terminating the connection attempt. If the attacker guesses the sequence numbers wrong repeatedly, the likelihood of detecting the attack increases. 

4. Stealing: 

In application-level hijacking, active attacks are pursued to steal the session Id. Man in the middle attack, cross-site scripting, sniffing are used to steal the session id.
Brute Forcing: This is a time-consuming process.
While sequencing number guessing can be done manually by skilled attackers, software tools are available to automate the process. 

5. Take One of the Parties Offline:

Once a session is chosen and sequence numbers predicted, one of the targets has to be silenced. This is generally done with a denial of service attack. The attacker must ensure that the client computer remains offline for the duration of the attack, or the client computer will begin transmitting data on the network causing the workstation and the server to repeatedly attempt to synchronize their connections; resulting in a condition known as an ACK storm. 

6. Take over the Session and Maintain the Connection: 

The final phase of the session hijack attack entails taking over the communication session between the workstation and server. The attacker will spoof their client IP address, to avoid detection, and include a sequence number that was predicted earlier. If the server accepts this information, the attacker has successfully attacked the communication session.

Session Hijacking Levels

Session Hijacking can be done at two levels: 

1.      Network Level 
2.      Application Level
Network Level hijacking includes TCP and UDP sessions.
Application Level hijacking occurs with HTTP Sessions.

Application Level Hijacking:

Here the valid session token is stolen or predicted to take over the session. Various attacks involved here are-

Man in the middle attack: 

By using automated tools/spoofing methods the attacker splits the connection between the targets into two. One connection between the client and attacker and another one between attacker and server. Since the attacker becomes the man in the middle, all the traffic goes through him, hence he can capture the session Id.

Cross-site scripting:

Client-side vulnerabilities like XSS attacks allow an attacker to craft a malicious script to get the session Id from the application.

Using Proxy:

By setting up a proxy and causing the traffic to flow through the proxy, one can capture the session Id details.

Man-in the–Browser:

By installing a Trojan in the victim’s browser will notify the attacker the session Id.

Session Replay: 

Capturing the authentication packets by sniffing the traffic; replaying those packets after a time interval may cause the attacker to successfully login to the session of the authorized user.

Network or TCP Session Hijacking

TCP guarantees delivery of data, and also guarantees that packets will be delivered in the same order in which they were sent. In order to guarantee that packets are delivered in the right order, TCP uses acknowledgement (ACK) packets and sequence numbers to create a "full duplex reliable stream connection between two endpoints", with the endpoints referring to the communicating hosts. The connection between the client and the server begins with a 3-way handshake.
After the handshake, it is just a matter of sending packets and incrementing the sequence number to verify that the packets are getting sent and received.
The goal of the TCP session hijacker is to create a state where the client and server are unable to exchange data; enabling him/her to forge acceptable packets for both ends, which mimic the real packets. Thus, the attacker is able to gain control of the session.
IP Spoofing: IP spoofing is a technique which is used to gain unauthorized access to computers where the intruder sends a message to a computer with an Ip address indicating that the message is coming from a trusted host. 
Man in the middle Attack: Attacker tries to get the session Id by doing ARP spoofing and man in the middle attack.
Blind Hijacking: In cases where source routing is disabled, the session hijacker can also use blind hijacking where he injects his malicious data into intercepted communications in the TCP session. It is called blind because he cannot see the response; though the hijacker can send the data or commands, he is basically guessing the responses of the client and server.
UDP session Hijacking: UDP is a connectionless protocol. UDP/IP provides very few error recovery services offering. There is no direct way to send and receive datagrams over an IP network. Therefore, the delivery integrity, non-duplication and orders are not guaranteed. UDP doesn't use sequence numbers like TCP, it is mainly used for broadcasting messages across the network or for doing DNS queries.

Counter Measures:

·         Using secure protocols instead of clear text protocols like HTTP, FTP.Telnet, Rlogin, etc.
·         Encrypting session id will increase the complexity of the session id prediction.
·         Sending session id over SSL.
·         Use long random numbers for session id.
·         Implement timeout for the session when the session is logged out, or session id expires.
·         Having different session id for each page.
·         Use switches rather than hubs.
·         Ensure server side and client side protection software.
·         Use IDS for detecting ARP spoofing/Poisoning.
·         Do not click on suspicious links.
·         Check the web application for all errors.
·         Using IPSec is a valid defence mechanism.


Basics of vulnerability assessment and penetration testing

In these days of widespread Internet usage, security is of prime importance. The almost universal use of mobile and Web applications mak...