CEH Certified Ethical Hacker
Module 11: Session Hijacking

Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Session Hijacking

Module Objectives

* Understanding Session Hijacking Concepts
* Understanding Application Level Session Hijacking
* Understanding Network Level Session Hijacking
* Overview of Session Hijacking Tools
* Understanding Different Session Hijacking Countermeasures

Session hijacking allows attackers to take over an active session by bypassing the authentication process. Thereafter, they can perform any action on the hijacked system.

This module aims to provide comprehensive information on session hijacking. It starts with an introduction to session hijacking concepts and provides insight into session hijacking at the application and network levels. Later, the module discusses tools used to hijack a session between a client and server. It also discusses various countermeasures to defend against session hijacking attacks.

At the end of this module, you will be able to do the following:

* Describe session hijacking concepts
* Perform application level session hijacking
* Perform network level session hijacking
* Use different session hijacking tools
* Apply session hijacking countermeasures

Module 11 Page 1372 Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Module Flow

01 Session Hijacking Concepts
02 Application Level Session Hijacking
03 Network Level Session Hijacking
04 Session Hijacking Tools
05 Countermeasures

Session Hijacking Concepts

Familiarization with basic concepts related to session hijacking is important to attain a comprehensive understanding. This section explains what session hijacking is as well as the reasons why session hijacking succeeds. It also discusses the session hijacking process, packet analysis of a local session hijack, types of session hijacking, session hijacking in an Open Systems Interconnection (OSI) model, and differences between spoofing and hijacking.

What is Session Hijacking?

* Session hijacking refers to an attack in which an attacker seizes control of a valid TCP communication session between two computers
* As most authentications only occur at the start of a TCP session, this allows the attacker to gain access to a machine
* Attackers can sniff all the traffic from the established TCP sessions and perform identity theft, information theft, fraud, etc.
* The attacker steals a valid session ID and uses it to authenticate himself with the server

A web server sends a session identification token or key to a web client after successful authentication. These session tokens differentiate multiple sessions that the server establishes with clients. Web servers use various mechanisms to generate random tokens and controls to secure the tokens during transmission.

Session hijacking is an attack in which an attacker takes over a valid Transmission Control Protocol (TCP) communication session between two computers. Because most types of authentication are performed only at the start of a TCP session, an attacker can gain access to a machine while a session is in progress. Attackers can sniff all the traffic from established TCP sessions and perform identity theft, information theft, fraud, etc.

A session hijacking attack exploits a session-token generation mechanism or token security controls so that the attacker can establish an unauthorized connection with a target server. The attacker can guess or steal a valid session ID, which identifies authenticated users, and use it to establish a session with the server. The web server responds to the attacker's requests under the impression that it is communicating with an authenticated user.

Attackers can use session hijacking to launch various kinds of attacks, such as man-in-the-middle (MITM) and denial-of-service (DoS) attacks. In an MITM attack, an attacker places themselves between an authorized client and a server by performing session hijacking to ensure that information flowing in either direction passes through them. However, the client and server believe they are directly communicating with each other. Attackers can also sniff sensitive information and disrupt sessions to launch a DoS attack.

Figure 11.1: Example of session hijacking (diagram labels: Credential Transmission, Credential Confirmation, Session Setup, Data Request, Data Transmission, Attacker)

Why is Session Hijacking Successful?

Session hijacking succeeds because of the following factors.

* Absence of account lockout for invalid session IDs: If a website does not implement account lockout, an attacker can make several attempts to connect with varying session IDs embedded in a genuine URL. The attacker can continue making attempts until the actual session ID is determined. This attack is also known as a brute-force attack. During a brute-force attack, the web server does not display a warning message or complaint, allowing the attacker to determine the valid session ID.

* Weak session-ID generation algorithm or small session IDs: Most websites use linear algorithms based on predictable variables such as time or IP address to generate session IDs. By studying the sequential pattern and generating multiple requests, an attacker can easily narrow the search space necessary to forge a valid session ID. Even if a strong session-ID generation algorithm is used, an active session ID can be easily determined if the string is short.

* Insecure handling of session IDs: An attacker can retrieve stored session-ID information by misleading the user's browser into visiting another site. Before the session expires, the attacker can exploit the information in many ways, such as Domain Name System (DNS) poisoning, cross-site scripting exploitation, and the exploitation of a bug in the browser.

* Indefinite session timeout: Session IDs with an indefinite expiration time provide an attacker with unlimited time to guess a valid session ID. An example of this is the "remember me" option in many websites. The attacker can use static session IDs to access the user's web account after capturing the user's cookie file. The attacker can also perform session hijacking if they can break into a proxy server, which potentially logs or caches session IDs.

* Most computers using TCP/Internet Protocol (IP) are vulnerable: All machines running TCP/IP are vulnerable to session hijacking because of the design flaws inherent in TCP/IP.

* Most countermeasures do not work without encryption: It is easy to sniff session IDs in a flat network if transport security is not set up properly during the transmission of session ID cookies, even if a web application uses Secure Sockets Layer (SSL) encryption. An attacker's task becomes even easier if they capture session IDs containing actual login information.
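The application-level factors above (no lockout for invalid IDs, predictable or short IDs, indefinite timeout, cookies sent without transport protection) all map onto server-side session management. The following Python example is added here and is not part of the module; it contrasts a constructed predictable ID scheme with a CSPRNG-based one, and shows an in-memory session store with an absolute timeout, an invalid-ID lockout, and a Set-Cookie header carrying the Secure and HttpOnly flags. The thresholds, function names and sample addresses are illustrative assumptions.

```python
import hashlib
import secrets
import time

SESSION_ID_BYTES = 32        # 256 bits from a CSPRNG: neither predictable nor brute-forceable
SESSION_MAX_AGE = 15 * 60    # absolute lifetime in seconds; no indefinite "remember me" sessions
INVALID_ID_LOCKOUT = 10      # illustrative threshold: unknown-ID lookups tolerated per client


def weak_session_id(client_ip, timestamp):
    """Constructed example of a weak scheme: short digest of predictable inputs (IP + time).
    Anyone who knows the inputs can recompute it, and 32 bits are cheap to enumerate."""
    return hashlib.sha256(f"{client_ip}:{int(timestamp)}".encode()).hexdigest()[:8]


def strong_session_id():
    """Unpredictable ID from the OS CSPRNG; unrelated to time, IP or previous IDs."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


class SessionStore:
    """In-memory session table with the controls the module lists as missing."""

    def __init__(self, now=time.time):
        self._now = now           # injectable clock so expiry can be tested deterministically
        self._sessions = {}       # session_id -> {"user": str, "created": float}
        self._bad_lookups = {}    # client_ip -> count of lookups that presented unknown IDs

    def create(self, user):
        sid = strong_session_id()
        self._sessions[sid] = {"user": user, "created": self._now()}
        return sid

    def lookup(self, sid, client_ip):
        """Return the user for sid, or None if unknown, expired, or the client is locked out."""
        if self._bad_lookups.get(client_ip, 0) >= INVALID_ID_LOCKOUT:
            return None                               # lockout: stop session-ID guessing
        record = self._sessions.get(sid)
        if record is None:
            self._bad_lookups[client_ip] = self._bad_lookups.get(client_ip, 0) + 1
            return None
        if self._now() - record["created"] > SESSION_MAX_AGE:
            del self._sessions[sid]                   # absolute timeout enforced server-side
            return None
        return record["user"]


def session_cookie_header(sid):
    """Secure: never sent over plain HTTP; HttpOnly: unreadable by page scripts (XSS)."""
    return (f"Set-Cookie: SESSIONID={sid}; Secure; HttpOnly; SameSite=Lax; "
            f"Max-Age={SESSION_MAX_AGE}; Path=/")
```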