Module 11 - Session Hijacking
Hijacking Sessions
Session hijacking refers to the exploitation of a valid computer session, wherein an
attacker takes over a session between two computers.
Lab Scenario
Source: http://krebsonsecurity.com/2012/11/yahoo-email-stealing-exploit-fetches-700
According to KrebsOnSecurity news and investigation, a zero-day vulnerability in
yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to
malicious websites offers a fascinating glimpse into the underground market for
large-scale exploits.
The exploit, being sold for $700 by an Egyptian hacker on an exclusive
cybercrime forum, targets a cross-site scripting (XSS) weakness in yahoo.com
that lets attackers steal cookies from Yahoo! webmail users. Such a flaw would
let attackers send or read email from the victim's account. In a typical XSS
attack, an attacker sends a malicious link to an unsuspecting user; if the user
clicks the link, the script is executed, and can access cookies, session tokens, or
other sensitive information retained by the browser and used with that site.
These scripts can even rewrite the content of the HTML page.
KrebsOnSecurity.com alerted Yahoo! to the vulnerability, and the company
says it is responding to the issue. Ramses Martinez, director of security at
Yahoo!, said the challenge now is working out the exact yahoo.com URL that
triggers the exploit, which is difficult to discern from watching the video.
These types of vulnerabilities are a good reminder to be especially cautious
about clicking links in emails from strangers or in messages that you were not
expecting.
As an administrator you should implement security measures at the application
level and the network level to protect your network from session hijacking.
Network-level hijacking is prevented by encrypting packets, which can be obtained
by using protocols such as IPsec, SSL/TLS, and SSH. IPsec encrypts packets with a
shared key between the two systems involved in the communication, so a sniffer on
the path sees neither the payload nor the TCP header fields it would need to inject
its own segments. Application-level security is obtained by using strong session
IDs: long, generated from a cryptographic random source, and sent only over an
encrypted channel. SSL/TLS protects the session cookie in transit using the server's
certificate, and SSH likewise encrypts its sessions with its own host keys; either
way the session ID cannot be read off the wire.
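To check these application-level controls on a real response, here is an added example in Python; it is not part of the lab manual and not ZAP's code. It parses Set-Cookie headers, flags session cookies that lack the Secure, HttpOnly or SameSite attributes, and gives an upper bound on the session ID's entropy from its length and apparent alphabet. The three headers are constructed for illustration, and the finding codes and the 128-bit threshold are this example's own choices, not a CEH or OWASP requirement.

```python
import math
import secrets
import string

# Constructed Set-Cookie headers for illustration; not captured from any real site.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=ab12cd34ef56gh78ij90kl12; path=/",
    "sid=7f3e9c2a1b8d4e6f0a5c3b9d8e7f6a1b; Path=/; Secure; HttpOnly; SameSite=Lax",
    "session=1001; Path=/; HttpOnly",
]

# Finding codes used by audit_set_cookie (this example's own vocabulary).
FINDINGS = {
    "no-secure": "no Secure flag: the cookie is sent over plain HTTP and can be sniffed",
    "no-httponly": "no HttpOnly flag: page scripts (XSS) can read it via document.cookie",
    "weak-samesite": "SameSite not Lax/Strict: the cookie rides along on cross-site requests",
    "short-id": "fewer than 128 bits even at best-case entropy: guessing becomes feasible",
    "numeric-id": "purely numeric value: typical of sequential, guessable IDs",
}


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def max_entropy_bits(value):
    """Upper bound on the ID's entropy from its length and apparent alphabet.
    The real entropy can be far lower (a counter is 0 bits however long it is)."""
    if value.isdigit():
        alphabet = 10
    elif all(c in string.hexdigits for c in value):
        alphabet = 16
    elif all(c in string.ascii_letters + string.digits for c in value):
        alphabet = 62
    else:
        alphabet = 64
    return len(value) * math.log2(alphabet)


def audit_set_cookie(header, min_bits=128):
    """Return the cookie name and the list of finding codes (see FINDINGS) for one header."""
    name, value, attrs = parse_set_cookie(header)
    codes = []
    if "secure" not in attrs:
        codes.append("no-secure")
    if "httponly" not in attrs:
        codes.append("no-httponly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        codes.append("weak-samesite")
    if max_entropy_bits(value) < min_bits:
        codes.append("short-id")
    if value.isdigit():
        codes.append("numeric-id")
    return name, codes


def new_session_id(nbytes=32):
    """A replacement ID the way a framework should mint one: CSPRNG output, 256 bits here."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        cookie_name, codes = audit_set_cookie(header)
        print(f"{cookie_name}: {'ok' if not codes else ''}")
        for code in codes:
            print(f"  - {FINDINGS[code]}")
    print("example of a strong ID:", new_session_id())
```

Run it against the Set-Cookie lines you see in ZAP's response view. Note that the entropy figure is only an upper bound: a 32-character hex ID scores 128 bits here even if the server derives it from a timestamp, so the length check screens out obviously weak IDs but does not certify the rest.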
Lab Objectives
The objective of this lab is to help students learn session hijacking and take
necessary actions to defend against session hijacking.
In this lab, you will:
Intercept and modify web traffic
Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
CEH Lab Manual Page 716
Simulate a T roj an, whi ch modi fi es a workstati on's proxy server settings
Lab Environment
To carry out this lab, you need:
A computer running Windows Server 2012 as host machine
This lab will run on a Windows 8 virtual machine
Web browser with Internet access
Administrative privileges to configure settings and run tools
Lab Duration
Time: 20 Minutes
Overview of Session Hijacking
Session hijacking refers to the exploitation of a valid computer session where an
attacker takes over a session between two computers. The attacker steals a valid
session ID and uses it to act as the authenticated user and read the data exchanged
in that session.
In TCP session hijacking, an attacker takes over a TCP session between two
machines. Since most authentication occurs only at the start of a TCP session, an
attacker who can observe or predict the sequence numbers and inject packets after
that point gains access to a machine without ever authenticating.
Lab Tasks
Pick an organization that you feel is worthy of your attention. This could be an
educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in session hijacking:
Session hijacking using ZAP
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on
your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS
RELATED TO THIS LAB.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 11 Session Hijacking
TASK 1: Overview
Lab
Session Hijacking Using Zed Attack Proxy (ZAP)
The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration
testing tool for finding vulnerabilities in web applications.
Lab Scenario
Attackers are continuously watching for websites to hack, and developers must
be prepared to counter malicious hackers by writing strong, secure code.
A common form of attack is session hijacking, i.e., accessing a website using
someone else's session ID. The session that ID unlocks may hold credit card details,
passwords, and other sensitive information that can be misused by a hacker.
Session hijacking attacks are performed either by session ID guessing or with
stolen session ID cookies. Session ID guessing involves gathering a sample of
session IDs and guessing a valid session ID assigned to someone else. It is
always recommended not to replace the ASP.NET-generated session IDs with IDs of your
own: the framework's random IDs are what make guessing impractical. Hijacking with
stolen session ID cookies can be prevented on the wire by using SSL; however, using
cross-site scripting attacks and other methods, attackers can still steal the session
ID cookies. If an attacker gets hold of a valid session ID, then ASP.NET connects to
the corresponding session with no further authentication.
There are many tools easily available now that attackers use to hack into
websites or user details. One of the tools is Firesheep, which is an add-on for
Firefox. While you are connected to an unsecured wireless network, this Firefox
add-on can sniff the network traffic, capture the session cookies that sites send
over plain HTTP, and hand them to the attacker on the same network. The attacker can
now use this information and log in as you.
As an ethical hacker, penetration tester, or security administrator, you
should be familiar with network and web authentication mechanisms. In your
role of web security administrator, you need to test web server traffic for weak
session IDs, insecure handling, identity theft, and information loss. Always
ensure that you have an encrypted connection using https, which will make the
sniffing of network packets difficult for an attacker. Alternatively, VPN
connections too can be used to stay safe, and advise users to log off once they
are done with their work. In this lab you will learn to use the ZAP proxy to
intercept requests, run scans, etc.
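The two attack routes above, guessing an ID and stealing one, can both be assessed from a sample of IDs. The following added example (Python; not from the lab manual and not ZAP's code) does the kind of analysis that a proxy's session-token analyser automates: it detects a counter-like ID and predicts the next value, and it sums per-position entropy across the sample to contrast a counter with IDs from a CSPRNG. The sequential sample is constructed; the random sample is minted with `secrets` at import time, and the 1000-step cutoff is an arbitrary choice of this example.

```python
import math
import secrets
from collections import Counter

# Constructed samples (not from any real application): a hex counter an application
# might hand out, next to IDs from a CSPRNG.
SEQUENTIAL_IDS = ["0003e8", "0003e9", "0003ea", "0003eb", "0003ec", "0003ed"]
RANDOM_IDS = [secrets.token_hex(16) for _ in range(6)]


def to_int(sid):
    """Read an ID as decimal if it is all digits, else as hex; None if it is neither.
    Heuristic: an all-digit hex ID is read as decimal, which still detects a counter."""
    for base in (10, 16):
        try:
            return int(sid, base)
        except ValueError:
            continue
    return None


def sequential_step(ids, max_step=1000):
    """If every successive pair of IDs grows by a small positive amount, return the
    largest step seen; otherwise None. Small steps mean the next ID is within a few
    guesses of the last one observed."""
    nums = [to_int(s) for s in ids]
    if len(nums) < 3 or None in nums:
        return None
    diffs = [b - a for a, b in zip(nums, nums[1:])]
    if all(0 < d <= max_step for d in diffs):
        return max(diffs)
    return None


def guess_next(ids):
    """Predict the next ID in the same width and base as the sample, or None if the
    sample does not look sequential."""
    step = sequential_step(ids)
    if step is None:
        return None
    last = ids[-1]
    fmt = "d" if last.isdigit() else "x"
    return format(to_int(last) + step, fmt).rjust(len(last), "0")


def positional_entropy_bits(ids):
    """Sum of per-position Shannon entropy over the sample. This is a rough lower
    bound: n IDs can show at most log2(n) bits per position, which is why real tools
    collect thousands of IDs before drawing conclusions."""
    n = len(ids)
    width = min(len(s) for s in ids)
    total = 0.0
    for i in range(width):
        counts = Counter(s[i] for s in ids)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


if __name__ == "__main__":
    for label, sample in (("counter", SEQUENTIAL_IDS), ("csprng", RANDOM_IDS)):
        print(f"{label}: next guess = {guess_next(sample)}, "
              f"entropy seen = {positional_entropy_bits(sample):.1f} bits")
```

Feed it the session IDs you collect by logging in repeatedly through ZAP. A non-None guess means the application is vulnerable to the guessing attack described above regardless of how the cookie is protected in transit; a low entropy figure on a large sample points the same way even when no simple step is found.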
Lab Objectives
The objective of this lab is to help students learn session hijacking and how to
take necessary actions to defend against session hijacking.
In this lab, you will:
Intercept and modify web traffic
Simulate a Trojan that modifies a workstation's proxy server settings
Lab Environment
To carry out the lab, you need:
ZAP located at D:\CEH-Tools\CEHv8 Module 11 Session Hijacking\Session Hijacking Tools\Zaproxy
You can also download the latest version of ZAP from the link
http://code.google.com/p/zaproxy/downloads/list
If you decide to download the latest version, then screenshots shown
in the lab might differ
A system running Windows Server 2012 as host machine
Run this tool in the Windows 8 Virtual Machine
A web browser with Internet access
Administrative privileges to configure settings and run tools
Ensure that Java Runtime Environment (JRE) 7 (or above) is installed. If
not, go to http://java.sun.com/j2se to download and install it.
Lab Duration
Time: 20 Minutes
Overview of Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP) is designed to be used by people with a wide range of
security experience and as such is ideal for developers and functional testers who are
new to penetration testing, as well as being a useful addition to an experienced pen
tester's toolbox. Its features include an intercepting proxy, automated scanner, passive
scanner, and spider.
Lab Tasks
1. Log in to your Windows 8 Virtual Machine.
TASK 1: Setting up ZAP
2. In the Windows 8 Virtual Machine, follow the wizard-driven installation
steps to install ZAP.
FIGURE 2.1: ZAP main window
At its heart ZAP is an intercepting proxy. You need to configure your browser to
connect to the web application you wish to test through ZAP. If required you can
also configure ZAP to connect through another proxy; this is often necessary in a
corporate environment.
3. To launch ZAP after installation, move your mouse cursor to the lower-
left corner of your desktop and click Start.
4. Click ZAP 1.4.1 in the Start menu apps.
You can also download ZAP from http://code.google.com/p/zaproxy/downloads/list
FIGURE 2.2: Windows 8 Start screen showing the ZAP 1.4.1 tile
5. The main interface of ZAP appears, as shown in the following
screenshot.
6. It will prompt you with SSL Root CA certificate. Click Generate to
continue. This certificate is what lets ZAP decrypt and re-encrypt HTTPS traffic
between your browser and the application, so the browser must trust it.
If you know how to set up proxies in your web browser then go ahead and give it a
go! If you are unsure then have a look at the Configuring proxies section.
Once you have configured ZAP as your browser's proxy, try to connect to the web
application you will be testing. If you cannot connect to it, then check your proxy
settings again. You will need to check your browser's proxy settings, and also ZAP's
proxy settings: the local address and port that ZAP listens on must match what the
browser is pointed at.
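What the intercepting proxy actually does between browser and application, as an added example that is not ZAP's code and not part of the lab: a minimal plain-HTTP forward proxy written with Python's standard library. It strips hop-by-hop headers and rewrites the Cookie header so that every forwarded request carries a previously captured session ID, which is the replay at the core of a cookie-based session hijack. `CAPTURED` is a constructed placeholder, the port 8081 is an arbitrary choice, and only GET is handled. HTTPS is not intercepted here, since that needs the root CA that ZAP generates in step 6 and a browser that trusts it.

```python
import http.server
import urllib.error
import urllib.request

# Constructed placeholder for a session ID captured earlier (for instance from an
# intercepted Set-Cookie response); not a real token.
CAPTURED = {"sid": "7f3e9c2a1b8d4e6f0a5c3b9d8e7f6a1b"}

# Headers that belong to a single hop and must not be forwarded (RFC 7230, 6.1).
HOP_BY_HOP = {"connection", "proxy-connection", "keep-alive", "transfer-encoding",
              "te", "trailer", "upgrade", "proxy-authorization", "proxy-authenticate"}


def rewrite_cookie_header(cookie_header, replacements):
    """Swap the values of the named cookies in a Cookie request header. Other cookies
    are kept in place; named cookies that were absent are appended."""
    seen = set()
    out = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip()
        if name in replacements:
            value = replacements[name]
            seen.add(name)
        out.append(f"{name}={value}")
    for name, value in replacements.items():
        if name not in seen:
            out.append(f"{name}={value}")
    return "; ".join(out)


def upstream_headers(headers, replacements):
    """Build the header set for the upstream request from (name, value) pairs received
    from the browser: drop hop-by-hop headers, then apply the cookie rewrite."""
    out = {k: v for k, v in headers if k.lower() not in HOP_BY_HOP}
    cookie_key = next((k for k in out if k.lower() == "cookie"), "Cookie")
    rewritten = rewrite_cookie_header(out.get(cookie_key, ""), replacements)
    if rewritten:
        out[cookie_key] = rewritten
    return out


# An opener with no proxies, so the proxy never forwards a request back to itself.
_upstream = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class Interceptor(http.server.BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        # A browser configured to use a proxy puts the absolute URL in the request line.
        if not self.path.startswith("http://"):
            self.send_error(400, "absolute http:// URL expected; HTTPS is not intercepted here")
            return
        headers = upstream_headers(self.headers.items(), CAPTURED)
        req = urllib.request.Request(self.path, headers=headers, method="GET")
        try:
            resp = _upstream.open(req, timeout=10)
        except urllib.error.HTTPError as err:
            resp = err  # a 4xx/5xx reply still carries status, headers and body
        except urllib.error.URLError as err:
            self.send_error(502, str(err.reason))
            return
        body = resp.read()
        self.send_response(resp.code)
        for name, value in resp.headers.items():
            if name.lower() not in HOP_BY_HOP and name.lower() != "content-length":
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
        self.log_message("%s -> %s", self.path, resp.code)


def serve(port=8081):
    """Listen on 127.0.0.1:<port>; point the browser's HTTP proxy setting at it."""
    http.server.ThreadingHTTPServer(("127.0.0.1", port), Interceptor).serve_forever()


if __name__ == "__main__":
    serve()
```

Point the browser's HTTP proxy setting at 127.0.0.1:8081, exactly as you point it at ZAP, and browse to a plain-HTTP application: the console shows each forwarded request, and the application sees the captured session ID instead of the browser's own. ZAP's breakpoints do the same rewrite interactively and for HTTPS as well, which is why the Root CA step matters.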