Session Hijacking
Module 11

Ethical Hacking and Countermeasures v8
Module 11: Session Hijacking
Exam 312-50 Certified Ethical Hacker

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Module 11 Page 1504

Security News

Julia Gillard the Target of Abuse on Facebook after Trolls Hijack Live Chat

Source: http://www.theaustralian.com.au

Vile and abusive comments continue to flood Prime Minister Julia Gillard's Facebook page almost 24 hours after her online question and answer session was hijacked by trolls.

Ms Gillard's media adviser John McTernan yesterday said the PM's Facebook page was moderated by staff, and offensive posts were removed.

However, a comment comparing the PM to a dog has been visible on the page since Sunday, while another abusing her for being "unmarried and childless and husbandless" has been allowed to remain on the page all morning.

Several comments calling Ms Gillard a "liar" dating back to Friday night also remain on the page, while another comment left last night calls Ms Gillard "scum" and "a disgrace to the country". Other comments attacking her character are also still there.

The torrent of abuse follows the hijacking of Ms Gillard's live online education question and answer session yesterday, when foul-mouthed critics posted abusive rants and offensive messages.

Most of the offensive comments were too foul to be reported. One commenter, registered as "Matthew Van Den Bos" of Perth, even made reference to Ms Gillard's recently deceased father John Gillard, writing: "How's your dad?"

Many of those messages were incredibly still visible on the page up to four hours later, as were other offensive comments posted as far back as Friday.

Mr. McTernan would not say how many people moderated the PM's Facebook page, which has more than 135,000 fans, or if there were any official guidelines for the maximum amount of time offensive posts should remain visible.

"The Prime Minister's Facebook site is moderated, but when comments are posted you have to do it after the fact, and when there's a lot of comments it takes time to moderate them out," he said yesterday.

"We do take things off which are offensive. Anything that's offensive that's been posted on there will be moderated out, but we don't have the capacity - with Facebook you can't filter comments before they're posted, that's all."

Other commenters called Ms Gillard "the worst Prime Minister ever," and made other vile remarks.

Ms Gillard drew even more abuse after the Q&A session when she posted a thank you note to those who had participated.

A Friday post by Ms Gillard's Facebook page asking for fans' memories of their favourite school teacher was also bombarded by trolls abusing the Prime Minister.

Some of the offensive comments appeared to have been removed from the page after inquiries by News Ltd.

Copyright 2013 News Limited
By Petra Starke
http://www.news.com.au/national/live-online-chat-with-julia-gillard-turns-nasty/story-fndo4eg9-1226490891092

Module Objectives

- What Is Session Hijacking?
- Why Session Hijacking Is Successful?
- Key Session Hijacking Techniques
- Brute Forcing Attack
- Session Hijacking Process
- Types of Session Hijacking
- Application Level Session Hijacking
- Session Sniffing
- Man-in-the-Middle Attack
- Cross-site Script Attack
- Network Level Session Hijacking
- TCP/IP Hijacking
- Session Hijacking Tools
- Protecting against Session Hijacking
- IPsec Architecture
- Session Hijacking Pen Testing
Module Objectives

This module covers the various hacking technologies used for session hijacking. It deals with spoofing methods, the three-way TCP handshake, and how attackers use these methods for man-in-the-middle attacks. Various tools that can be used for this purpose have been highlighted to provide you an insight into the workings of session hijacking. Finally, countermeasures to prevent session hijacking are discussed.

This module will familiarize you with:

- What Is Session Hijacking?
- Why Session Hijacking Is Successful
- Key Session Hijacking Techniques
- Brute Forcing Attack
- Session Hijacking Process
- Types of Session Hijacking
- Application-level Session Hijacking
- Session Sniffing
- Man-in-the-Middle Attacks
- Cross-site Script Attacks
- Network-level Session Hijacking
- TCP/IP Hijacking
- Session Hijacking Tools
- Protecting against Session Hijacking

Module Flow

In order to understand session hijacking and how attackers use this method for hacking, you should be familiar with the basic concepts of session hijacking.

- Session Hijacking Concepts
- Application Level Session Hijacking
- Network Level Session Hijacking
- Session Hijacking Tools
- Counter-measures
- Penetration Testing

This section highlights session hijacking and the dangers posed by it, techniques used for session hijacking, spoofing vs. hijacking, the session hijacking process, types of session hijacking, and session hijacking in the OSI model.

What Is Session Hijacking?

- Session hijacking refers to the exploitation of a valid computer session where an attacker takes over a session between two computers.
- The attacker steals a valid session ID which is used to get into the system and snoop the data.
- Since most authentication only occurs at the start of a TCP session, this allows the attacker to gain access to a machine.
- In TCP session hijacking, an attacker takes over a TCP session between two machines.

Session hijacking refers to the exploitation of a valid computer session where an attacker takes over a session between two computers.
The attacker steals a valid session ID that is used to get into the system and extract the data. TCP session hijacking means taking control over a TCP session exchanged between two computers. It is carried out through source-routed IP packets. An attacker who is logged on to a system can participate in the conversation of other users on other systems by diverting packets to his or her system. Blind hijacking is another method through which responses on a system can be assumed. The man-in-the-middle (MITM) attack is another method in which a sniffer is used to track down a conversation between two users. Denial-of-service (DoS) is executed so that a system crashes, which leads to a greater loss of packets.

Steps in session hijacking:

- Tracking the connection
- Desynchronizing the connection
- Injecting the attacker's packet

[FIGURE 11.1: Illustrating the process of session hijacking (diagram labels: Victim)]
Dangers Posed by Hijacking

- Hijacking is simple to launch
- Threat of identity theft, information loss, fraud, etc.
- You can do little to protect against it unless you switch to another secure protocol
- Most countermeasures do not work unless you use encryption
- Most computers using TCP/IP are vulnerable

Hijacking is simple to launch. Most computers using TCP/IP are vulnerable to session hijacking. You can do little to protect against it unless you switch to another secure protocol. Most countermeasures do not work unless you use encryption. Identity theft, information loss, fraud, etc. are the major dangers posed by hijacking. The following are the elements susceptible to hijacking:

One-time Passwords (smartcards, S/Key, challenge response)

All one-time password schemes are vulnerable to connection hijacking. Once the user/service has authenticated itself, his or her connection can be taken over. According to www.webopedia.com, "S/Key is a one-time, challenge-response password scheme used to authenticate access to data. The purpose of S/Key is to eliminate the need for the same password to be conveyed over a network each time a password is needed for access."

Kerberos

Encryption is not enabled by default; due to this, security is of major concern, as it is equivalent to the one-time password scheme, which is susceptible to hijacking with ease.

Source Address Filtering Router

A network is susceptible to network address spoof attacks if its security depends on filtering the packets from unknown sources. An unknown host could insert itself, midstream, into a pre-existing connection.

Source Address Controlled Proxies

- Many proxies control access to certain commands based on the source address of the requestor. The source address is easily vulnerable to passive or active sniffers.
- No easy steps have yet been found that can secure a network from passive or active sniffing. By becoming aware of the existence of this threat, you will be better prepared to make intelligent security decisions for your network.

[...]
Module Flow

So far, we have discussed various concepts of session hijacking, types of session hijacking, and session hijacking in the OSI model. Now we will discuss application-level session hijacking, a level of hijacking in the OSI model.

[...]

Session Hijacking Concepts / Applicatio[...]

[...] Hijacking

It is a method used for predicting a session ID or to impersonate a website user. Predicting a session ID is also known as Session Hijacking. Using session hijacking technique, an attacker gets the ability to ping website requests with compromised user's privileges. Guessing the unique session value or deducing the session ID accomplishes the attack.

[...]

Application Level Session Hijacking

In a Session Hijacking attack, a session token is stolen or a valid session token is predicted to gain unauthorized access to the web server. A session token can be compromised in various ways:

- Predictable session token
- Man-in-the-middle attack
- Client-side attacks
- Man-in-the-browser attack
- Session Sniffing

[...]

[...] three-way handshake. Session hijacking involves exploiting this three-way handshake method to take control over the session. To conduct a session hijack attack, the attacker performs three activities:

- Tracks a session
- Desynchronizes the session
- Injects attacker's commands in between

A session can be monit[...]

[...] Hijacking

[...] you can access the network and can sniff the TCP session, then you can determine the sequence number easily. This kind of session hijacking is called "local session hijacking." The following is the packet analysis of a normal TCP three-way handshake:

[FIGURE 11.5: Packet analysis of a normal TCP three-way handshake]

Based on the diag[...]r system.

- Session hijacking is more difficult than IP address spoofing. In session hijacking, John (an intruder) would seek to insert himself into a session that Jane (a legitimate user) already had set up with \\Mail. John would wait until she establishes a session, then knock her off the air by some means and pick up the session as th[...]

[...]bsite generates a unique "session ID." This session ID indicates the user session as authenticated. The session ID is tagged to the subsequent communication between the user and the website as a proof of authenticated session. If the attacker is able to determine this session ID either by predictin[...]

[...]vel hijacking, the attacker gathers crucial information that can be used to launch an attack at the application level. In application-level hijacking, the attacker intercepts transmission in the web application. Application-level hijacking is about gaining control on the user's HTTP session by obtaining the session [...]

[...] IDs: The browser directs the referrer URL that contains the user's session ID to the attacker's site (www.hacksite.com), and now the attacker possesses the user's session ID.

4. Sending Trojans on client PCs

Note: Session ID brute forcing attack is known as session prediction attack if the predicted range of values for a session ID is very small.

[...]

[...] easier to sneak in as a genuine user rather than to enter the system directly. Session hijacking works by finding an established session and taking over that session after a genuine user has access and has been authenticated. Once the session has been hijacked, the attacker can stay connected for hours. This leaves a m[...]
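The "predictable session token" item and the session prediction note above describe a weak token as one whose range of values is small enough to guess. The following is an added example, not code from the CEH module or any product: a Python check with constructed names (WeakSessionIds, strong_session_id, assess) that contrasts a counter-based session ID with one drawn from the OS CSPRNG and flags a sampled set of issued IDs as predictable when they are numeric and monotonic, or when their alphabet is so narrow that per-character entropy is low.

```python
import math
import secrets
from collections import Counter
from typing import Iterable, List


class WeakSessionIds:
    """Constructed example of a predictable token: a zero-padded counter.
    Anyone holding one ID can enumerate its neighbours, which is the small
    range of values the module's session-prediction note warns about."""

    def __init__(self, start: int = 1000) -> None:
        self._counter = start

    def new_id(self) -> str:
        self._counter += 1
        return f"{self._counter:08d}"


def strong_session_id() -> str:
    """Hardened form: 32 bytes from the OS CSPRNG, URL-safe encoded.
    About 256 bits of entropy, far outside any enumerable range."""
    return secrets.token_urlsafe(32)


def shannon_entropy_bits(ids: Iterable[str]) -> float:
    """Empirical per-character entropy over all characters in the sample."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def is_monotonic_numeric(ids: List[str]) -> bool:
    """True when every ID is an integer and each one exceeds the previous,
    the signature of a counter- or clock-driven generator."""
    try:
        values = [int(i) for i in ids]
    except ValueError:
        return False
    return len(values) > 1 and all(b > a for a, b in zip(values, values[1:]))


def assess(ids: List[str], min_bits_per_char: float = 3.0) -> dict:
    """Assessment a tester would run over a sample of issued session IDs.
    Flags the sample as predictable when it is numeric and monotonic, or
    when the alphabet is so narrow that per-character entropy is low."""
    entropy = shannon_entropy_bits(ids)
    monotonic = is_monotonic_numeric(ids)
    return {
        "entropy_bits_per_char": round(entropy, 2),
        "monotonic": monotonic,
        "unique": len(set(ids)) == len(ids),
        "predictable": monotonic or entropy < min_bits_per_char,
    }


if __name__ == "__main__":
    weak = WeakSessionIds()
    weak_sample = [weak.new_id() for _ in range(20)]      # constructed sample
    strong_sample = [strong_session_id() for _ in range(20)]
    print("weak  :", assess(weak_sample))
    print("strong:", assess(strong_sample))
```

The thresholds are heuristics for a quick triage of a sample; a real assessment also compares IDs issued across several accounts and over time to catch clock-seeded generators.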