CEHv8 Module 11: Session Hijacking

Pages: 97
Size: 4.29 MB

Contents

Session Hijacking

VILE and abusive comments continue to flood Prime Minister Julia Gillard's Facebook page almost 24 hours after her online question and answer session was hijacked by trolls.

Ms Gillard's media adviser John McTernan yesterday said the PM's Facebook page was moderated by staff, and offensive posts were removed.

However, a comment comparing the PM to a dog has been visible on the page since Sunday, while another abusing her for being "unmarried and childless and husbandless" has been allowed to remain on the page all morning. Several comments calling Ms Gillard a "liar" dating back to Friday night also remain on the page, while another comment left last night calls Ms Gillard "scum" and "a disgrace to the country".

Other comments attacking her character are also still there. The torrent of abuse follows the hijacking of Ms Gillard's live online education question and answer session yesterday, when foul-mouthed critics posted abusive rants and offensive...

Man-in-the-Middle Attack

Network Level Session

FIGURE 11.1: Illustrating the process of session hijacking

Session Hijacking

- Hijacking is simple to launch
- Threat of identity theft, information loss, fraud, etc.
- You can do little to protect against it unless you switch...
- Clear text transmission
- No account lockout for invalid session IDs
- Insecure handling
- Small session IDs

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.


Brute Forcing

A brute force attack is mostly used by attackers to guess the target's session ID to launch the attack. In this technique, an attacker tries multiple possibilities of patterns until a session ID works and succeeds. This technique is used when the algorithm that produces session IDs is not random. For example, in the URLs, an attacker is trying to guess the session ID:

...the session ID of the user by sending... when the browser sends the referrer URL that contains the session ID of the user to the attacker's site (www.mysite.com).

Some of the techniques used to steal session IDs are:
- Using the HTTP referrer header
- Sniffing the network traffic
- Using cross-site scripting attacks
- Sending Trojans on client PCs

Using a "referrer attack," an attacker tries to lure a user to click on a link to a malicious site (say www.hacksite.com).

For example:

GET /index.html HTTP/1.0
Host: www.hacksite.com
Referer: www.webmail.com/viewmsg.asp?msgid=689645&SID=2556X54VA75

(Note that the HTTP header name is spelled "Referer", although the technique is called a referrer attack.)

The browser directs the referrer URL that contains the user's session ID to the attacker's site (www.hacksite.com), and now the attacker possesses the user's session ID.

Using brute force attacks, an attacker tries to guess a session ID until he finds the correct session ID:

http://www.hacksite.com/view/VW48266762824302
http://www.hacksite.com/view/VW48266762826502
http://www.hacksite.com/view/VW48266762828902

1. Using the HTTP referrer header
2. Sniffing the network traffic
3. Using cross-site scripting attacks
4. Sending Trojans on client PCs

Note: A session ID brute forcing attack is known as a session prediction attack if the predicted range of values for a session ID is very small.

Brute Forcing Attack

The attacker can obtain a session ID using the brute force method to access the legitimate target's session when the session is active. In a "referrer" attack, the attacker invites a user to click on a link to another site. In brute force attacks, the attacker can try many IDs. For example, take a look at the following figure with a list of URLs, in which an attacker is trying to guess the session ID:

http://www.mysite.com/view/VW30422101518909
http://www.mysite.com/view/VW30422101520803
http://www.mysite.com/view/VW30422101522507

FIGURE 11.2: Attacker performing brute force attack (labels: Server, Attacker)

Note: A session ID brute forcing attack is known as a session prediction attack if the predicted range of values for a session ID is very small.

HTTP Referrer Attack

Tracking HTTP referrers can be effective for generating attacks if the parameters are being passed through a GET request. When making any HTTP request, most web browsers are configured to send the original URL in the HTTP header called a referrer.

In a referrer attack, the attacker lures the victim to click on a link to the site that is under an attacker's control. Let us consider the attacker's site as a mysite link, for example,

...determine the session ID from the referrer URL. Once the attacker determines the session ID, he or she can easily take over the session and steal the sensitive data of the victim.

Some of the techniques used to steal session IDs:
- Using the HTTP referrer header
- Sniffing the network traffic
- Using cross-site scripting attacks
- Sending Trojans on client PCs
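The leak described above can be checked for mechanically. The following is an added example, not code from the CEH material: it parses a raw HTTP request, pulls any session-looking parameter out of the Referer URL, and lists the response headers a site would use to stop its own tokens travelling this way. The two sample requests are constructed to match the module's GET example; the set of parameter names treated as session tokens is an assumption to be extended for the application under test.

```python
from urllib.parse import urlparse, parse_qsl

# Query parameter names commonly used to carry a session token (assumption:
# extend this set for the application under test).
SESSION_PARAMS = {"sid", "sessionid", "session_id", "phpsessid", "jsessionid"}

# Constructed request: what a victim's browser sends to the attacker-controlled
# host after clicking a link from a webmail page whose URL carries the session ID.
LEAKY_REQUEST = (
    "GET /index.html HTTP/1.0\r\n"
    "Host: www.hacksite.com\r\n"
    "Referer: http://www.webmail.com/viewmsg.asp?msgid=689645&SID=2556X54VA75\r\n"
    "\r\n"
)

# Constructed request from a site that keeps the token in a cookie: the Referer
# still names the page, but discloses nothing secret.
SAFE_REQUEST = (
    "GET /index.html HTTP/1.0\r\n"
    "Host: www.hacksite.com\r\n"
    "Referer: http://www.webmail.com/viewmsg.asp?msgid=689645\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP request into (method, target, {lower-case header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def session_ids_in_url(url):
    """Return [(param, value)] for query parameters that look like session tokens."""
    query = urlparse(url).query
    return [(k, v) for k, v in parse_qsl(query) if k.lower() in SESSION_PARAMS]


def audit_referer(raw):
    """Report session tokens disclosed by the client's own Referer header.

    Run over a site's access logs, the same check tells a defender whether the
    site's URLs carry tokens that any outbound link will hand to a third party.
    """
    _method, _target, headers = parse_request(raw)
    return session_ids_in_url(headers.get("referer", ""))


# Response headers that close the hole on the session-issuing site: keep the
# token in a cookie instead of the URL, and tell browsers to send no Referer.
HARDENED_HEADERS = {
    "Set-Cookie": "SID=<value>; HttpOnly; Secure; SameSite=Lax; Path=/",
    "Referrer-Policy": "no-referrer",
}

if __name__ == "__main__":
    print(audit_referer(LEAKY_REQUEST))  # [('SID', '2556X54VA75')]
    print(audit_referer(SAFE_REQUEST))   # []
```

Moving the token out of the URL is the fix that matters; `Referrer-Policy` is defence in depth for any remaining URL parameters the site would rather not share.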

Spoofing vs. Hijacking

Hijacking:
- Session hijacking is the process of taking over an existing active session
- Attacker relies on the legitimate user to make a connection and authenticate
(Diagram: John logs on to the server with his credentials)

Spoofing:
- Attacker pretends to be another user or machine (victim) to gain access
- Attacker does not take over an existing active session. Instead he initiates a new session using the victim's stolen...

The earliest record of a session hijacking attack is perhaps the Morris Worm episode that affected nearly 6,000 computers on the ARPANET in 1988. This was ARPANET's first automated network security mishap. Robert T. Morris wrote a program that could spread through a number of computers and continue its action in an infinite loop, every time copying itself into a new computer on the ARPANET. The basic working of the Morris Worm was based on the discovery that the security of a TCP/IP connection rested in the sequence numbers, and that it was possible to predict them.

Blind hijacking involves predicting the sequence numbers that the targeted host sends in order to create a connection that appears to originate from the host. Before exploring blind spoofing further, take a look at sequence number prediction. TCP sequence numbers, which are unique for each byte in a TCP session, provide flow control and data integrity for the same. In addition, the TCP segment gives the Initial Sequence Number (ISN) as a part of the segment header. The initial sequence number does not start at zero for each session. The participants state ISNs as a part of the handshake process in different directions, and the bytes are numbered sequentially. Blind IP hijacking relies on the attacker's ability to predict sequence numbers, as he or she is unable to sniff the communication between the two hosts by virtue of not being on the same network segment. An attacker cannot spoof a trusted host on a different network and see the reply packets because the packets are not routed back to him or her. Neither can the attacker resort to ARP cache poisoning because routers do not route ARP broadcasts across the Internet. As the attacker is unable to see the replies, he or she is forced to anticipate the responses from the target and prevent the host from sending an RST to the target. The attacker then injects himself/herself into the communication by predicting what sequence numbers the remote host is expecting from the target. This is used extensively to exploit the trust relationships between users and remote machines. These services include NFS, telnet, and IRC.

IP spoofing is easy to achieve. To create new raw packets, the only condition is that the attacker must have root access on the machine. In order to establish a spoofed connection, the attacker must know what sequence numbers are being used. Therefore, IP spoofing forces the attacker to forecast the next sequence number. To send a command, an attacker uses blind hijacking, but the response cannot be viewed.

- In the case of IP spoofing, guessing the sequence number is not required since there is no session currently open with that IP address. In a blind hijack, the traffic would get back to the attacker by using only source routing. This is where the attacker tells the network how to route the output and input from a session, and he or she promiscuously sniffs it from the network as it passes by the attacker. Captured authentication credentials are used to establish a session in session spoofing. Here, active hijacking eclipses a pre-existing session. Due to this attack, the legitimate user may lose access or may be deprived of the normal functionality of his or her established telnet session that has been hijacked by the attacker, who now acts with the user's privileges. Since most authentications only happen at the initiation of a session, this allows the attacker to gain access to a target machine. Another method is to use source-routed IP packets. This allows an attacker to become a part of the target-host conversation by deceptively guiding the IP packets to pass through his or her system.

- Session hijacking is more difficult than IP address spoofing. In session hijacking, John (an intruder) would seek to insert himself into a session that Jane (a legitimate user) already had set up with \\Mail. John would wait until she establishes a session, then knock her off the air by some means and pick up the session as though he were she. Then John would send a scripted set of packets to \\Mail and would be able to see the responses. To do this, he would need to know the sequence number in use when he hijacked the session, which could be calculated as a result of knowing the ISN and the number of packets that have been exchanged.

- Successful session hijacking is difficult without the use of known tools and only possible when a number of factors are under the attacker's control. Knowledge of the ISN would be the least of John's challenges. For instance, he would need a way to knock Jane off the air when he wanted to, and also need a way to know the exact status of Jane's session at the moment he mounted his attack. Both of these require that John have far more knowledge and control over the session than would normally be possible.

- Session hijacking is not possible if the session uses encryption such as SSL or PPTP. Consequently, the attacker cannot participate in the key exchange.

- In summary, the hijacking of non-encrypted TCP communications requires the presence of non-encrypted session-oriented traffic, the ability to recognize TCP sequence numbers that predict the Next Sequence Number (NSN), and the ability to spoof a host's MAC or IP address in order to receive communications that are not destined for the attacker's host. If the attacker is on the local segment, he or she can sniff and predict the ISN+1 number and route the traffic back to him by poisoning the ARP caches on the two legitimate hosts participating in a session.

FIGURE 11.3: Attacker performing spoofing attack and session hijacking on victim's system (labels: Victim, Attacker)

...genuine user has access and has been authenticated. Once the session has been hijacked, the attacker can stay connected for hours. This leaves ample time for the attacker to plant backdoors or even gain additional access to a system. One of the main reasons that session hijacking is complicated to identify is that an attacker impersonates a genuine user. Therefore, all routed traffic going to the user's IP address comes to the attacker's system.

How does an attacker go about hijacking a session? The hijack can be broken down into three broad phases:

- Tracking the connection: The attacker waits to find a suitable target and host by using a network sniffer to track the target and host, or to identify a suitable user by scanning with a tool like Nmap to find a target with an easy TCP sequence prediction. This is to ensure that correct sequence and acknowledgement numbers are captured, since packets are checked by TCP through sequence and/or acknowledgement numbers. The...

...transmission; or the server's sequence number is not equal to the client's acknowledgement number; or the client's sequence number is not equal to the server's acknowledgement number.

To desynchronize the connection between the target and host, the sequence number or the acknowledgement number (SEQ/ACK) of the server must be changed. This is done by sending null data to the server so that the server's SEQ/ACK numbers can advance while the target machine cannot register such an increment. For example, before desynchronization, the attacker monitors the session without any kind of interference. The attacker then sends a large amount of "null data" to the server. This data serves only to change the ACK number on the server and does not affect anything else. Now, both the server and target are desynchronized.

Another approach is to send a reset flag to the server in order to bring down the connection on the server side. Ideally, this occurs in the early setup stage of the connection. The attacker's goal is to break the connection on the server side and create a new one with a different sequence number.

The attacker listens for a SYN/ACK packet from the server to the host. On detecting the packet, the attacker immediately sends an RST packet to the server and a SYN packet with exactly the same parameters, such as a port number, but with a different sequence number. The server, on receiving the RST packet, closes the connection with the target and initiates another one based on the SYN packet, but with a different sequence...

This can also be done using a FIN flag, but this can cause the server to respond with an ACK and give away the attack through an ACK storm. This occurs because of a flaw in this method of hijacking a TCP connection. While receiving an unacceptable packet, the host acknowledges it by sending the expected sequence number. This unacceptable packet generates an acknowledgement packet, thereby creating an endless loop for every data packet. The mismatch in SEQ/ACK numbers results in excess network traffic with both the server and target trying to verify the right sequence. Since these packets do not carry data, they are not retransmitted if the packet is lost. However, since TCP uses IP, the loss of a single packet puts an end to the unwanted conversation between the server and the target.

The desynchronizing stage is added in the hijack sequence so that the target host is ignorant about the attack. Without desynchronizing, the attacker is able to inject data to the server and even keep his/her identity by spoofing an IP address. However, he/she has to put up with the server's response being relayed to the target host as well.

- Injecting the attacker's packet: Now that the attacker has interrupted the connection between the server and target, he or she can choose either to inject data into the network or actively participate as the man-in-the-middle, passing data from the target to the server, and vice versa, reading and injecting data as per wish.

FIGURE 11.4: Depicting session hijacking process

SYN <Clt ISN 1200><WIN 512>
SYN <Svr ISN 1500><WIN 1024> /ACK 1201

...protocol for transmitting data. For connection establishment between two systems and for successful transmission of data, the two systems should establish a three-way handshake. Session hijacking involves exploiting this three-way handshake method to take control over the session.

To conduct a session hijack attack, the attacker performs three activities:

...determine sequence numbers. One way is to sniff the traffic, finding the ACK packet and then determining the next sequence number based on the ACK packet. And the other way is to transmit the data with guessed sequence numbers. The second way is not very reliable. If you can access the network and can sniff the TCP session, then you can determine the sequence number easily. This kind of session hijacking is called "local session hijacking." The following is the packet analysis of a normal TCP three-way handshake:

FIGURE 11.5: Packet analysis of a normal TCP three-way handshake

Based on the diagram, the next expected sequence number would be 1420. If you can transmit that packet sequence number before the user, you can desynchronize the connection between the user and the server. The diagram that follows shows the packet analysis of a local session hijack:

SYN <Clt ISN 1200><WIN 512>

FIGURE 11.6: Packet analysis of a local session hijack (labels: User, Attacker)

The attacker sends the data with the expected sequence number before the user sends it. Now, the server will be in synchronization with the attacker. This leads to establishment of a connection between the attacker and the server. Once the connection is established between the attacker and the server, though the user sends the data with the correct sequence number, the server drops the data, considering it a resent packet. The user is unaware of the attacker's action and may resend the data packet as he or she is not receiving an ACK for his or her TCP packet. However, the server drops the packet again. Thus, an attacker performs a local session hijacking attack.
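The race just described comes down to one rule on the server's receive side: a segment is accepted only if it starts at the byte the server expects next, and anything older is discarded as a retransmission. The following is an added example, not code from the CEH material, that models that rule. The ISNs 1200 and 1500 follow the figure; the 219 bytes of earlier data that bring the expected sequence number to 1420, the segment labels and the payloads are assumptions chosen to match it.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str        # who sent it (constructed labels: "user" or "attacker")
    seq: int        # sequence number of the first payload byte
    payload: bytes


@dataclass
class ServerReceiver:
    """Minimal model of a server's receive side once the handshake is complete."""
    rcv_nxt: int                                  # next byte the server expects
    accepted: list = field(default_factory=list)  # (src, seq) of segments taken
    dropped: list = field(default_factory=list)   # (src, seq) of segments ignored

    def receive(self, seg):
        """Accept a segment only if it starts exactly at rcv_nxt; anything older is
        treated as a retransmission and dropped. A real stack still answers such a
        segment with an ACK for rcv_nxt, which is what feeds the ACK storm the text
        describes; the model just records the verdict."""
        if seg.seq == self.rcv_nxt:
            self.accepted.append((seg.src, seg.seq))
            self.rcv_nxt += len(seg.payload)
            return "accept", self.rcv_nxt
        self.dropped.append((seg.src, seg.seq))
        return "drop", self.rcv_nxt


def handshake(client_isn, server_isn):
    """Three-way handshake bookkeeping: the SYN on each side consumes one sequence
    number, so the server's SYN/ACK acknowledges client_isn + 1 (1201 in the figure).
    Returns (client_snd_nxt, server_rcv_nxt, server_snd_nxt)."""
    return client_isn + 1, client_isn + 1, server_isn + 1


def race_demo(client_isn=1200, server_isn=1500, exchanged=219, inject=b"injected"):
    """Play out the local hijack: after `exchanged` bytes of legitimate data the
    server expects client_isn + 1 + exchanged (1420 with the assumed values).
    Whoever sends a segment with that number first is accepted; the user's own
    segment, and the user's retransmission of it, are then discarded as old data."""
    client_snd_nxt, server_rcv_nxt, _ = handshake(client_isn, server_isn)
    server = ServerReceiver(rcv_nxt=server_rcv_nxt)
    # Legitimate traffic up to the point the attacker has been sniffing.
    server.receive(Segment("user", client_snd_nxt, b"x" * exchanged))
    expected = server.rcv_nxt
    # Attacker, having read the last ACK, sends the expected sequence number first.
    attacker_verdict, _ = server.receive(Segment("attacker", expected, inject))
    # The user sends genuine data with the same, now stale, sequence number ...
    user_verdict, _ = server.receive(Segment("user", expected, b"genuine"))
    # ... sees no ACK for that data, and retransmits it, with the same result.
    retry_verdict, _ = server.receive(Segment("user", expected, b"genuine"))
    return {
        "expected_seq": expected,
        "attacker": attacker_verdict,
        "user": user_verdict,
        "user_retry": retry_verdict,
        "server_now_expects": server.rcv_nxt,
    }


if __name__ == "__main__":
    print(race_demo())
```

The model also shows why the page's later remark about randomized ISNs matters: an attacker who cannot sniff the ACK has to guess `expected`, and with a random ISN there is nothing to extrapolate from. On the wire, the repeated drops and mismatched ACKs in the second half of the run are the traffic pattern an IDS would flag.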

With a passive attack, an attacker hijacks a session but sits back and watches and records all the traffic that is being sent forth.

Types of Session Hijacking

Session hijacking can be either active or passive in nature, depending on the degree of involvement of the attacker. The essential difference between an active and passive hijack is that while an active hijack takes over an existing session, a passive hijack monitors an ongoing session.

A passive attack uses sniffers on the network, allowing attackers to obtain information such as user IDs and passwords. The attacker can later use this information to log on as a valid user and take over privileges. Password sniffing is the simplest attack that can be performed when raw access to a network is obtained. Countering this attack are methods that range from identification schemes (such as a one-time password like S/Key) to ticketing identification (such as Kerberos). These techniques protect the data from being sniffed, but they cannot protect it from active attacks unless it is encrypted or carries a digital signature.

In an active attack, the attacker takes over an existing session by either tearing down the connection on one side of the conversation, or by actively participating as the man-in-the-middle. An example of an active attack is the MITM attack. For this type of attack to succeed, the sequence number must be guessed before the target responds to the server. Presently, the prediction of sequence numbers is no longer valid to carry out a successful attack because operating system vendors use random values for the initial sequence number.

...and application level. Network-level hijacking can be defined as the act of compromising the TCP and UDP sessions between the client and the server and then intercepting the packets during data transmission. In network-level hijacking, the attacker gathers crucial information that can be used to launch an attack at the application level. In application-level hijacking, the...

Module Flow

Network Level Session Hijacking

Session Hijacking Tools

Man-in-the-browser attack
Client-side attacks
Session Sniffing

Application-level Session Hijacking

In a session hijacking attack, a session token is compromised by forecasting or stealing a valid session token to gain unauthorized privileges to the web server. As mentioned previously, network-level hijacking provides useful information that can be used to perform application-level hijacking. Hence, network-level and application-level hijacking occur together in most cases. Application-level hijacking involves either gaining control of an existing session or creating a new session based on stolen data. Application-level hijacking occurs with HTTP sessions. HTTP sessions can be hijacked by obtaining the respective session IDs, the unique identifiers of the HTTP sessions. Various ways in which application-level session hijacking can be accomplished by compromising the session token are mentioned as follows:

Session Sniffing

- Attacker uses a sniffer to capture a valid session token called "Session ID"
- Attacker then uses the valid token session to gain unauthorized access to the...

FIGURE 11.7: Diagrammatical representation of attacker sniffing a session

Initially the attacker sniffs the HTTP traffic between the victim and the web server and analyzes the captured data and determines the session ID. Then, the attacker spoofs himself or herself as the victim and sends the session ID to the web server before the victim can. Thus, an attacker takes control over an existing session.

Predictable Session Tokens

Predicting session tokens (session IDs) is a method of hijacking or impersonating a website user. This is also known as session hijacking or the session/credential prediction method. This can be achieved by guessing or constructing the unique value, i.e., the session ID used for the identification of a user or a particular session. Using the session hijacking technique, an attacker has the ability to ping website requests with compromised user privileges.

- Predicting a session ID is also known as session hijacking
- Guessing the unique session value or deducing the session ID accomplishes the attack
- It is a method used for predicting a session ID or to impersonate a website user
- Using the session hijacking technique, an attacker gets the ability to ping website requests with a compromised user's privileges

When a user sends a request to a website for communication, the website first tries to authenticate and track the user identity. Unless the user proves his or her identity, the website will not provide the requested information to the user. Websites usually authenticate a user based on a combination of user name and password (credentials). When the user submits his or her user name and password, the website generates a unique "session ID." This session ID indicates the user session as authenticated. The session ID is tagged to the subsequent communication between the user and the website as a proof of authenticated session. If the attacker is able to determine this session ID either by predicting or guessing, then he or she can compromise the user's session.

...cookie. In such cases, an attacker can easily determine the session ID, if he or she manages to determine the algorithm used for generating the session ID. The possible ways in which an attacker can launch the attack include:

- Connecting to the web application, obtaining the session ID
- Brute forcing or calculating the next session ID
- Switching the current value in the URL/hidden form-field/cookie, thereby assuming the next user identity

The attacker captures several session IDs and analyzes the pattern:
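The same pattern analysis is what a penetration tester or developer runs against an application's own tokens to decide whether they are predictable, and the remedy is a generator with no pattern to find. The following is an added example, not code from the CEH material. The five sample IDs are constructed to resemble the sequential "VW..." values in the module's brute-force figure; the 64-bit entropy threshold is this example's assumption, in line with commonly cited session-management guidance, and the 10,000-step bound for "predictable" is likewise an illustrative choice.

```python
import math
import re
import secrets
from collections import Counter

# Constructed sample: five IDs a hypothetical application issued to successive
# logins, shaped like the "VW..." values in the module's brute-force figure.
WEAK_IDS = [
    "VW30422101518909",
    "VW30422101520803",
    "VW30422101522507",
    "VW30422101524311",
    "VW30422101526105",
]

# Threshold assumed for this example (commonly cited guidance is at least 64 bits
# of unpredictable content in a session identifier).
MIN_ENTROPY_BITS = 64


def shannon_entropy_bits(token):
    """Empirical entropy of one token (bits per symbol times length). This only
    measures how varied the symbols are, so it is an upper bound on the real
    randomness: a token can pass this test and still be a counter."""
    n = len(token)
    counts = Counter(token)
    per_symbol = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_symbol * n


def numeric_tail(token):
    """Trailing run of digits, where counters and timestamps tend to live."""
    m = re.search(r"(\d+)$", token)
    return int(m.group(1)) if m else None


def assess(ids):
    """Pattern and entropy findings a tester or developer would act on."""
    findings = {"min_entropy_bits": min(shannon_entropy_bits(t) for t in ids)}
    findings["entropy_ok"] = findings["min_entropy_bits"] >= MIN_ENTROPY_BITS
    tails = [numeric_tail(t) for t in ids]
    if len(ids) > 1 and all(t is not None for t in tails):
        deltas = [b - a for a, b in zip(tails, tails[1:])]
        findings["monotonic"] = all(d > 0 for d in deltas)
        findings["max_step"] = max(deltas)
        # Monotonic with a small bounded step: the next ID lies in a tiny range,
        # which is the "session prediction" case the module describes.
        findings["predictable"] = findings["monotonic"] and findings["max_step"] < 10_000
    else:
        findings["predictable"] = False
    return findings


def new_session_id(nbytes=32):
    """What a sound generator looks like: 32 bytes from the OS CSPRNG, encoded as
    URL-safe base64 (43 characters), with nothing for an attacker to extrapolate."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print(assess(WEAK_IDS))
    print(assess([new_session_id() for _ in range(5)]))
```

On the constructed IDs the numeric tails advance by fewer than 2,000 between logins, so the next value lies in a range small enough to enumerate; the CSPRNG tokens have no numeric tail to extrapolate from and clear the entropy bar by a wide margin. A per-token entropy estimate is only a screening test; the pattern check is what actually catches counters and timestamps.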

M a n - i n ־ t h e - M i d d l e A t t a c k C E H

C«rt1fW4 I til 1(41 N m I m

J The man-in-the-middle attack is used to intrude into an existing connection betw een systems

and to intercept messages being exchanged

Attackers use different techniques and split the TCP connection into two connections

1 Client-to-attacker connection

2 Attacker-to־server connection

After the successful interception of TCP connection, an attacker can read, modify, and insert fraudulent data into the intercepted communication

In the case of an http transaction, the TCP connection between the client and the server becomes the target


Man-in-the-Middle Attacks

A man-in-the-middle attack is a type of attack in which attackers intrude into an existing connection between two systems to intercept the messages being exchanged and to inject fraudulent information. Here the victim thinks that he or she is directly talking with someone else, but in actuality the entire conversation is controlled by the attacker. The various functions of this attack involve snooping on a connection, intruding into a connection, intercepting messages, and modifying the data.

Let us consider an example of an HTTP transaction. In this case, the target is the TCP connection between the client and server. The attacker splits the legitimate TCP connection between the client and the server into two distinct connections by using various techniques. The two distinct connections are:

- Client-and-attacker connection
- Attacker-and-server connection

After the successful interception of the TCP connection, an attacker can read, modify, and insert false data into the intercepted communication.

Because of the nature of the HTTP protocol and data transfer, which are all ASCII based, the man-in-the-middle attack is effective. In this way, it is possible to view the data transferred


Man-in-the-Browser Attack

A man-in-the-browser attack uses a Trojan horse to intercept the calls between the browser and its security mechanisms or libraries.

It works with an already installed Trojan horse and acts between the browser and its security mechanisms.

Its main objective is to cause financial deceptions by manipulating transactions of Internet banking systems.


Man-in-the-Browser Attacks

A man-in-the-browser attack is similar to a man-in-the-middle attack. The difference between the two techniques is that the man-in-the-browser attack uses a Trojan horse to intercept and manipulate the calls between the browser and its security mechanisms or libraries. This attack uses an already installed Trojan on the system to act between the browser and its security mechanisms. This attack is capable of modifying and sniffing the transactions.

The main objective of this attack is financial theft by manipulating the transactions of Internet banking systems. With this technique, the attackers will be able to steal sensitive information or money without leaving any kind of proof or being noticed, even though the browser's security level is set to high. No signal of this kind of attack will be displayed, even when the net banking transactions are carried over the SSL channel. All the security mechanisms displayed work normally. Therefore, a user must be smart and alert when using Internet banking systems.


[Slide diagram: Steps to Perform Man-in-the-Browser Attack. Callouts: The Trojan first infects the computer's software (OS or application); After the user restarts the browser, the malicious code in the form of extension files is loaded; When the page is loaded, the extension uses the URL and matches it with a list of known sites targeted for attack; It registers a button event handler when a specific page load is detected for a specific pattern and compares it with its targeted list; The extension files register a handler for every visit to the webpage; The user logs in securely to the website; The browser sends the form and modified values to the server.]

carry out the following steps:

Step 1: The Trojan first infects the computer's software (OS or application).

Step 2: After the user restarts the browser, the malicious code in the form of extension files is loaded.

Step 3: When the page is loaded, the extension uses the URL and matches it with a list of known sites targeted for attack.

Step 4: It registers a button event handler when a specific page load is detected for a specific pattern and compares it with its targeted list.

Step 5: The Trojan installs malicious code (extension files) and saves it into the browser configuration.

Step 6: The extension files register a handler for every visit to the webpage.

Step 7: The user logs in securely to the website.


[Slide diagram: Steps to Perform Man-in-the-Browser Attack (Cont'd). Callouts: The server receives the modified values but cannot distinguish between the original and the modified values; Now, the browser receives the receipt for the modified transaction.]

Step 9: When the user clicks on the button, the extension uses the DOM interface and extracts all the data from all form fields and modifies the values.

Step 10: After the server performs the transaction, a receipt is generated.

Step 11: The browser displays the receipt with the original details.

Step 12: The server receives the modified values but cannot distinguish between the original and the modified values.

Step 13: Now, the browser receives the receipt for the modified transaction.

Step 14: The user thinks that the original transaction was received by the server without any interceptions.

[Figure 11.9 diagram: User, Internet, Attacker]

FIGURE 11.9: Attacker performing Man-in-the-Browser Attacks

Posted: 14/12/2021, 21:26