Session Hijacking
Module 11

Hijacking Sessions
Session hijacking refers to the exploitation of a valid computer session, wherein an attacker takes over a session between two computers.
Lab Scenario
Source: http://krebsonsecurity.com/2012/11/yahoo-email-stealing-exploit-fetches-700
According to KrebsonSecurity news and investigation, a zero-day vulnerability in yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to malicious websites offers a fascinating glimpse into the underground market for large-scale exploits.

The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a "cross-site scripting" (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! webmail users. Such a flaw would let attackers send or read email from the victim's account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

KrebsOnSecurity.com alerted Yahoo! to the vulnerability, and the company says it is responding to the issue. Ramses Martinez, director of security at Yahoo!, said the challenge now is working out the exact yahoo.com URL that triggers the exploit, which is difficult to discern from watching the video.

These types of vulnerabilities are a good reminder to be especially cautious about clicking links in emails from strangers or in messages that you were not expecting.
Being an administrator, you should implement security measures at the application level and the network level to protect your network from session hijacking. Network-level hijacks are prevented by packet encryption, which can be obtained by using protocols such as IPsec, SSL, SSH, etc. IPsec allows encryption of packets on a shared key between the two systems involved in communication. Application-level security is obtained by using strong session IDs. SSL and SSH also provide strong encryption using SSL certificates to prevent session hijacking.
Lab Objectives
The objective of this lab is to help students learn session hijacking and take necessary actions to defend against session hijacking.
In this lab, you will:
■ Simulate a Trojan, which modifies a workstation's proxy server settings

Ethical Hacking and Countermeasures Copyright © by EC-Council
CEH Lab Manual Page 716
Lab Environment
To carry out this, you need:
Lab Duration
Time: 20 Minutes
Overview of Session Hijacking
In TCP session hijacking, an attacker takes over a TCP session between two
Lab Tasks
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in session hijacking:
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 11 Session Hijacking
TASK 1: Overview
Session Hijacking Using Zed Attack Proxy (ZAP)
The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.
Lab Scenario
Attackers are continuously watching for websites to hack, and developers must be prepared to counter-attack malicious hackers by writing strong, secure code. A common form of attack is session hijacking, i.e., accessing a website using someone else's session ID. A session ID might contain credit card details, passwords, and other sensitive information that can be misused by a hacker. Session hijacking attacks are performed either by session ID guessing or by stolen session ID cookies. Session ID guessing involves gathering a sample of session IDs and "guessing" a valid session ID assigned to someone else. It is always recommended not to replace ASP.NET session IDs with IDs of your own, as this will prevent session ID guessing. Session hijacking attacks using stolen session ID cookies can be prevented by using SSL; however, using cross-site scripting attacks and other methods, attackers can steal the session ID cookies. If an attacker gets a hold of a valid session ID, then ASP.NET connects to the corresponding session with no further authentication.

There are many tools easily available now that attackers use to hack into websites or user details. One of the tools is Firesheep, which is an add-on for Firefox. While you are connected to an unsecure wireless network, this Firefox add-on can sniff the network traffic and capture all your information and provide it to the hacker in the same network. The attacker can now use this information and log in as you.

should be familiar with network and web authentication mechanisms in your session IDs, insecure handling, identity theft, and information loss. Always ensure that you have an encrypted connection using https, which will make the sniffing of network packets difficult for an attacker. Alternatively, VPN
connections too can be used to stay safe, and advise users to log off once they are done with their work. In this lab you will learn to use ZAP proxy to intercept proxies, scanning, etc.
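Both lab scenarios above prescribe the same application-level defences: session IDs strong enough that a sample cannot be used for "guessing", cookies that survive sniffing on an unsecured network and XSS-based theft, and sessions that end when the user logs off or goes idle. The Python below is an added example written for this page; it is not code from the CEH manual, from ZAP or from ASP.NET, uses only the standard library, and the session store, the finding labels and the sample IDs are constructed for illustration. It also rotates the session ID at login, a standard complement to the manual's advice that the manual itself does not describe.

```python
"""Session-ID hygiene: strong IDs, hardened Set-Cookie, rotation at login,
idle expiry, and an audit that flags guessable ID samples.
Added example for this page; standard library only."""
import math
import secrets
import time
from collections import Counter


def new_session_id(nbytes=32):
    """256 bits from the OS CSPRNG, URL-safe base64 (43 characters)."""
    return secrets.token_urlsafe(nbytes)


def session_cookie_header(name, value, max_age=1800):
    """Set-Cookie value with the attributes that blunt the two theft paths in
    the scenario: Secure (never sent in clear, so open-Wi-Fi sniffing sees
    nothing) and HttpOnly (script cannot read it after an XSS)."""
    return (f"{name}={value}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Strict")


def _pooled_entropy_bits(ids):
    """Shannon entropy per character over the whole sample."""
    counts = Counter("".join(ids))
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def audit_session_ids(sample):
    """Flag properties that make session-ID guessing feasible on a sample of
    IDs issued by an application. Returns finding labels in a fixed order:
    'short', 'sequential', 'low-entropy' (an empty list means no finding)."""
    findings = []
    if min(len(s) for s in sample) < 16:
        findings.append("short")
    try:
        # IDs that decode as hex and step by a small constant are counters.
        ints = sorted(int(s, 16) for s in sample)
        diffs = [b - a for a, b in zip(ints, ints[1:])]
        if diffs and all(0 < d <= 1000 for d in diffs):
            findings.append("sequential")
    except ValueError:
        pass  # not hex at all, so not a plain counter
    if _pooled_entropy_bits(sample) < 3.0:
        findings.append("low-entropy")
    return findings


class SessionStore:
    """Hypothetical server-side session store with idle expiry and ID rotation,
    so a captured ID stops working once the user logs in again or goes idle.
    The clock is injectable so expiry can be exercised without waiting."""

    def __init__(self, idle_seconds=1800, clock=time.monotonic):
        self._idle = idle_seconds
        self._clock = clock
        self._sessions = {}

    def create(self, user=None):
        sid = new_session_id()
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def rotate(self, sid):
        """Issue a fresh ID for an existing session and retire the old one;
        call at login or any privilege change (session-fixation defence)."""
        data = self._sessions.pop(sid, None)
        if data is None:
            raise KeyError("unknown or expired session")
        new_sid = new_session_id()
        data["last_seen"] = self._clock()
        self._sessions[new_sid] = data
        return new_sid

    def get(self, sid):
        """Return session data, or None if the ID is unknown or idle too long."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        now = self._clock()
        if now - data["last_seen"] > self._idle:
            del self._sessions[sid]
            return None
        data["last_seen"] = now
        return data


if __name__ == "__main__":
    # Constructed samples: a counter-style ID set versus freshly generated IDs.
    weak = ["00001001", "00001002", "00001003"]
    print("weak sample:", audit_session_ids(weak))   # ['short', 'sequential', 'low-entropy']
    print("strong sample:", audit_session_ids([new_session_id() for _ in range(5)]))
    print(session_cookie_header("sid", new_session_id()))
```

Run the audit against IDs collected from your own application's login flow (ZAP's history tab is one place to copy them from) and treat any finding as a reason to let the framework generate the ID rather than your own code, exactly as the scenario advises for ASP.NET.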
Lab Objectives
The objective of this lab is to help students learn session hijacking and how to take necessary actions to defend against session hijacking.
In this lab, you will:
Lab Environment
To carry out the lab, you need:
■ Paros Proxy located at D:\CEH-Tools\CEHv8 Module 11 Session Hijacking\Session Hijacking Tools\Zaproxy
■ http://code.google.com/p/zaproxy/downloads/list
in the lab might differ
not, go to http://java.sun.com/j2se to download and install it
Lab Duration
Time: 20 Minutes
Overview of Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP) is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox. Its features include intercepting proxy, automated scanner, passive scanner, and spider.
Lab Tasks
TASK 1: Setting up ZAP
At its heart ZAP is an intercepting proxy. You need to configure your browser to connect to the web application you wish to test through ZAP. If required you can also configure ZAP to connect through another proxy - this is often necessary in a corporate environment.
FIGURE 2.1: Paros proxy main window
In Windows 8 Virtual Machine, follow the wizard-driven installation.
You can also download ZAP at http://code.google.com/p/zaproxy/downloads/list
FIGURE 2.2: Paros proxy main window
If you know how to set up proxies in your web browser then go ahead and give it a go! If you are unsure then have a look at the Configuring proxies section.
Once you have configured ZAP as your browser's proxy then try to connect to the web application you will be testing. If you cannot connect to it then check your proxy settings again. You will need to check your browser's proxy settings, and also ZAP's proxy settings.
Options window, select Dynamic SSL certificates, then click Generate to generate a certificate. Then click Save.
8. Save the certificate in the default location of ZAP. If the certificate already exists, replace it with the new one.
attempts to find potential known attacks against the selected targets. Active scanning is an attack on those targets. You should NOT use it on web applications that you do not own. It should be noted that active scanning can only find certain types of vulnerabilities. Logical vulnerabilities, such as broken access control, will not be found by any active or automated vulnerability scanning. Manual penetration testing should always be performed in addition to active scanning to find all types of vulnerabilities.
FIGURE 2.4: Paros proxy main window
An alert is a potential vulnerability and is associated with a specific request. A request can have more than one alert.
Anti CSRF tokens are (pseudo) random parameters used to protect against Cross Site Request Forgery (CSRF) attacks. However they also make a penetration tester's job harder, especially if the tokens are regenerated every time a form is requested.
10. Your Paros proxy server is now ready to intercept requests.
FIGURE 2.5: Paros proxy main window
FIGURE 2.7: Paros proxy main window
installed
Customize and control Google Chrome button, and then click Settings
ZAP detects anti CSRF tokens purely by attribute names - the list of attribute names considered to be anti CSRF tokens is configured using the Options Anti CSRF screen. When ZAP detects these tokens it records the token value and which URL generated the token.
FIGURE 2.8: IE Internet Options window
settings link at the bottom of the page, and then click the Change proxy settings button
ZAP provides an Application Programming Interface (API) which allows you to interact with ZAP programmatically. The API is available in JSON, HTML and XML formats. The API documentation is available via the URL http://zap/ when you are proxying via ZAP.
FIGURE 2.9: Paros proxy main window
FIGURE 2.10: IE Internet Options window with Connections tab
Click OK several times until all configuration dialog boxes are closed.