NETLAB+ Lab Information

The information provided below will be used to login to the Virtual Machines in
the NETLAB+ system.

Virtual Machine Username Password IP Address

Administrator P@ssw0rd 192.168.0.2

Windows Server
2016 + Clone (Clone)
Test Test123
192.168.0.3

Kali Linux kali kali 192.168.0.4

Module 11: Session Hijacking

A session hijacking attack refers to the exploitation of a session-token generation mechanism or token security
controls so that the attacker can establish an unauthorized connection with a target server. The attacker can
guess or steal a valid session ID (which identifies authenticated users) and uses it to establish a session with
the server. As a system administrator, you should understand different session hijacking concepts, how
attackers perform application and network level session hijacking, and different tools used to perform the
attack. You should also be able to implement security measures at the application and network levels to protect
your network from session hijacking. Network-level hijacking are prevented by packet encryption, which can
be implemented with protocols such as IPsec, SSL, and SSH.

Objective
The objective of this lab is to help students learn session hijacking and take over a user account.

In this lab, you will:

• Intercept the Traffic between server and client

Scenario
A session hijacking attack refers to the exploitation of a session-token generation mechanism or token security
controls so that the attacker can establish an unauthorized connection with a target server. The attacker can
guess or steal a valid session ID (which identifies authenticated users) and uses it to establish a session with
the server.

As a system administrator, you should understand different session hijacking concepts, how attackers perform
application and network level session hijacking, and different tools used to perform the attack. You should also
be able to implement security measures at the application and network levels to protect your network from
session hijacking. Network-level hijacking is prevented by packet encryption, which can be implemented with
protocols such as IPsec, SSL, and SSH.
Exercise 1: Session Hijacking Using the Zed Attack Proxy (ZAP)

OWASP Zed Attack Proxy (ZAP) is an integrated penetration testing tool for finding vulnerabilities in web
applications. It offers automated scanners as well as a set of tools that allow you to find security vulnerabilities
manually.
It is designed to be used by people with a wide range of security experience, and as such is ideal for developers
and functional testers who are new to penetration testing.

Lab Scenario

ZAP is an Intercepting Proxy. It allows you to see all of the requests you make to a web app and all of the
responses you receive from it. Amongst other things, this allows you to see AJAX calls that may not otherwise
be obvious. You can also set break points, which allow you to change the requests and responses on the fly.

Lab Objectives

The objective of this lab is to learn how to:

• Intercept the Traffic between server and client

Lab Duration: 15 Minutes

1. We are going to be using both Windows Server 2016 VM and Windows Server 2016 Clone VM.
Make sure both VMs have the same Network Adapter setting (NAT or Custom->VMNet1), as
well as their firewalls turned off for both public and private.
2. Login to the Windows Server 2016 Clone VM Administrator account.
3. In the Password field enter P@ssw0rd and press Enter to login.
4. Double-click Google Chrome short-cut icon on the Desktop to launch.
5. Once Chrome browser is launched go to the address bar and type chrome://settings/system

6. In the System section, click Open your computer’s proxy settings

7. Under Automatic Proxy Setup turn off Automatically detect settings. Under Manual proxy steup
turn Use a proxy server on, set the Address to the IP of the Windows Server 2016 VM and the
Port to 8080
8. Click Save at the bottom and close all windows.
9. Now, Login to the Windows Server 2016 VM Administrator account.
10. In the Password field enter P@ssw0rd and press Enter to login.
11. Press the Windows Key or click the windows icon on the taskbar, scroll through the programs
until you reach the letter X, launch XAMPP Control Panel
12. Click Start for the Apache and MySQL Modules

If the modules do not start, launch the command prompt and enter net stop HTTP
Type Y then press enter to continue this operation
 Once all of the services stop, once again try to start the Apache Module, it should now be able to
start without error
13. Minimize XAMPP Control Panel and go the CEH folder on the desktop and navigate to
C:\Users\Administrator\Desktop\CEH\Other Tools
14. Double-click ZAP_2_11_1_widnows.exe to begin the installation process for OWASP ZAP
15. Press Next on the first setup window

16. Accept the agreement and press Next

17. Ensure Standard Installation is selected and press Next

18. Click Install, then click Finish

19. Double Click OWASP ZAP 2.11.1 shortcut on the Desktop
20. A prompt that reads Do you want to persist the ZAP Session? is displayed. Select No, I do not
want to persist this session at this moment in time, and click Start.

21. The OWASP ZAP main window appears; click on the “+” icon in the right pane, as shown in the
screenshot to add the Break tab.
The Break tab allows you to modify a response or request when it has been caught by the ZAP.
It also allows you to modify some elements that you cannot modify through your browser; these
include:

The header
Hidden fields
Disabled fields
Fields that use JavaScript to filter out illegal characters
22. Once the Break tab is added in your OWASP ZAP window, configure the ZAP to work as a
proxy. To configure ZAP as a proxy, navigate to Tools and click Options from the tool bar as
shown in the screenshot.
23. The Options window appears; select Local Proxies from the left pane; and in the Address field,
type the Windows Server 2016 machine IP address, set the Port to default, and then click OK.

24. Click Set break on all requests and responses from the tool bar of ZAP. It should change from
Green to Red
This button sets and unsets a global break point that will trap and display from the victims
machine the next response or request in Break tab.
You can modify any part of the request or response that you want and send it to the victim’s
application by clicking either Step or Continue.
25. Now, go back to Windows Server 2016 Clone, and launch the same browser in which you have
configured the proxy settings. In this lab, we have configured for Google Chrome browser. Type
[IP Address of the Windows Server 2016]/sqli in the address bar, and press Enter as shown in the
screenshot.
26. Click Advanced then Proceed to [IP Address of Windows Server 2016] (unsafe)

27. The page should freeze, switch back to the Windows Server 2016 VM and you should see a GET
request in your break tab
28. Press the Submit and step to next request or response button until the Break tab is empty

29. Go back to the Windows Server 2016 Clone VM and you should now be on SQL Injection form
website
30. Enter the User Id: joe123 and the Password: Joe and press Submit

31. Switch back to the Windows Server 2016 and you should see a POST request in the Break tab
32. Change POST to GET and change the IP Address listed to
http://[IP Address of the Windows Server 2016]/wordpress
and press the Submit and step to next request or response button until the Break tab is empty
33. Switch back to the Windows Server 2016 Clone VM and notice you are on a different website
now

34. This lab is now complete, we have intercepted the traffic between the Victim (Windows Server
2016 Clone) and its target (Windows Server 2016), and modified it to point the user to a different
website.
35. On the Windows Server 2016 Clone VM, repeat steps 4-6 to turn off the Manual Proxy Setup for
the system in preparation for future labs. On Window Server 2016 VM close OWASP Zap and
 Stop the Apache and MySQL modules in XAMPP, then close XAMPP.

In this lab you have learned how to Intercept the Traffic between server and client.