Session Hijacking
Session Hijacking Overview
- Module Objectives and Overview
- Module Objectives: The module on session hijacking focuses on understanding and defending against attacks where malicious actors take over active sessions, bypassing authentication to gain access to the system. The module covers:
- Basic concepts of session hijacking.
- Application-level and network-level session hijacking techniques.
- Tools used for hijacking sessions.
- Countermeasures against session hijacking attacks.
- Learning Outcomes: At the end of this module, you should be able to:
- Describe session hijacking concepts.
- Conduct application-level and network-level session hijacking.
- Use various session hijacking tools.
- Implement countermeasures to prevent session hijacking.
- Module Flow:
- Session Hijacking Concepts – Introduction to session hijacking, its success factors, and different attack methodologies.
- Network-Level Hijacking – Specifics of network-level attacks, including sniffing and injecting into network streams.
- Session Hijacking Tools – Tools used for both tracking sessions and performing hijacking attacks.
- Countermeasures – Defensive strategies to secure sessions and mitigate risks of hijacking.
Session Hijacking Concepts
- Overview: Session hijacking involves taking over a legitimate TCP session, exploiting the fact that most protocols authenticate only when the session is set up and not on each subsequent packet or request. Attackers can use this technique to intercept or manipulate data, steal information, and even impersonate the original user. Sessions are typically identified by a unique session token or ID generated after successful authentication. If an attacker gains access to this token, they can interact with the server as if they were the authenticated user.
- Why Session Hijacking is Successful: Several vulnerabilities contribute to session hijacking:
- Weak Session-ID Generation: Predictable algorithms or short session IDs (a small keyspace) make it easier for attackers to guess a valid session ID.
- Lack of Account Lockout: Websites without account lockout mechanisms allow repeated attempts to guess session IDs.
- Insecure Handling of Session IDs: Issues such as sending tokens without adequate encryption or otherwise mishandling them can expose session data.
- No Session Timeout: Indefinite session tokens give attackers prolonged opportunities to hijack sessions.
- TCP/IP Vulnerabilities: TCP/IP itself authenticates neither packets nor their senders, which makes machines on the network path susceptible to session hijacking.
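An added illustration, not from the original notes, of the first and fourth success factors above: a predictable 16-bit ID scheme (constructed here only to show how small its keyspace is) next to a CSPRNG-backed generator, and a session store that enforces idle and absolute timeouts and rotates IDs. The SessionStore class, its timeout defaults and the helper names are this example's own assumptions.

```python
import math
import secrets
from typing import Dict, Optional

def guess_effort_bits(id_length: int, alphabet_size: int) -> float:
    """Upper bound on an ID's entropy: the bits an attacker must guess.
    (Only an upper bound: a poor generator yields far less than the length suggests.)"""
    return id_length * math.log2(alphabet_size)

def weak_session_id(counter: int) -> str:
    """A predictable scheme, constructed to illustrate 'weak session-ID generation':
    a 16-bit value derived from a request counter. Only 65,536 IDs are possible."""
    return f"{(counter * 40503) & 0xFFFF:04x}"

def strong_session_id() -> str:
    """256 bits from the OS CSPRNG, URL-safe base64 encoded (43 characters)."""
    return secrets.token_urlsafe(32)

class SessionStore:
    """In-memory session table that enforces idle and absolute timeouts (assumed design)."""
    def __init__(self, idle_timeout: float = 900, absolute_timeout: float = 8 * 3600):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str, now: float) -> str:
        sid = strong_session_id()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid: str, now: float) -> Optional[str]:
        """Return the session's user, or None (and drop the session) if it is unknown
        or has exceeded either timeout, so a stolen token stops working on its own."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["created"] > self.absolute_timeout or now - s["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def rotate(self, sid: str, now: float) -> Optional[str]:
        """Issue a fresh ID (e.g. right after login) so an ID observed earlier is useless."""
        user = self.validate(sid, now)
        if user is None:
            return None
        del self._sessions[sid]
        return self.create(user, now)
```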
- Session Hijacking Process:
- Tracking the Connection: Using network sniffers, attackers monitor TCP sessions, tracking sequence and acknowledgment numbers.
- Desynchronizing the Connection: Attackers disrupt the connection by sending packets with manipulated sequence numbers.
- Injecting Malicious Data: Once the connection is hijacked, attackers can inject data, intercept data flow, or assume control of the session.
- Packet Analysis of a Local Session Hijack: In a typical session hijacking scenario, an attacker:
- Monitors/Tracks a Session by sniffing the network.
- Desynchronizes the Session by altering sequence numbers to disrupt the established connection.
- Injects Commands into the session to take control or manipulate data flow.
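The three process steps above (track, desynchronize, inject) as an added defender-side example that is not part of the original notes: a tracker replays the per-direction sequence numbers of one TCP session the way a sniffer in step 1 would, and flags the symptoms steps 2 and 3 leave behind (a segment whose sequence number breaks the expected stream, and the ACK storm in which both endpoints trade empty ACKs). The Segment records and the two addresses are constructed sample data, not a real capture.

```python
from dataclasses import dataclass
from typing import Dict, List
@dataclass
class Segment:
    """TCP header fields a sniffer tracks (constructed sample data, not a capture)."""
    src: str
    seq: int
    ack: int
    payload_len: int
    flags: str = "A"  # "S" SYN, "A" ACK, "F" FIN

def expected_next(seq: int, payload_len: int, flags: str) -> int:
    """Next seq the endpoint will use; SYN and FIN each consume one number."""
    return (seq + payload_len + ("S" in flags) + ("F" in flags)) & 0xFFFFFFFF

def audit_session(segs: List[Segment], storm_threshold: int = 4) -> List[str]:
    """Replay one session and flag a seq that breaks the expected stream
    (desync/injection) and an ACK storm (both sides sending empty ACKs)."""
    next_seq: Dict[str, int] = {}    # per endpoint: seq we expect it to send next
    empty_acks: Dict[str, int] = {}  # per endpoint: consecutive zero-payload segments
    alerts: List[str] = []
    for i, s in enumerate(segs):
        if "S" in s.flags:  # handshake: the ISN is the baseline for this direction
            next_seq[s.src], empty_acks[s.src] = expected_next(s.seq, 0, s.flags), 0
            continue
        if s.src not in next_seq:
            alerts.append(f"#{i}: {s.src} sends without a handshake")
            continue
        empty_acks[s.src] = empty_acks[s.src] + 1 if s.payload_len == 0 else 0
        if all(n >= storm_threshold for n in empty_acks.values()):
            alerts.append(f"#{i}: ACK storm between {' and '.join(empty_acks)}")
            empty_acks = dict.fromkeys(empty_acks, 0)  # report once per burst
        if s.seq != next_seq[s.src]:
            alerts.append(f"#{i}: {s.src} seq {s.seq} != expected {next_seq[s.src]}")
            continue  # a rogue seq must not become the new baseline
        next_seq[s.src] = expected_next(s.seq, s.payload_len, s.flags)
    return alerts

C, S = "10.0.0.5", "10.0.0.9"  # constructed client and server addresses
CONSTRUCTED_SESSION = [
    Segment(C, 1000, 0, 0, "S"), Segment(S, 5000, 1001, 0, "SA"), Segment(C, 1001, 5001, 0),
    Segment(C, 1001, 5001, 10),   # client request, 10 bytes -> client next seq 1011
    Segment(S, 5001, 1011, 20),   # server reply, 20 bytes -> server next seq 5021
    Segment(C, 1011, 5021, 5),    # injected segment with a correctly predicted seq
    Segment(C, 1011, 5021, 3),    # the real client's next segment now looks stale
] + [Segment(S, 5021, 1016, 0), Segment(C, 1011, 5021, 0)] * 4  # ACK storm

if __name__ == "__main__":
    for line in audit_session(CONSTRUCTED_SESSION):
        print(line)
```

Note that the injected segment itself passes the check because its sequence number was predicted correctly; it is the legitimate client's following segment that no longer fits, so the alert tells you the stream is out of step, not which endpoint is the impostor.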
Types of Session Hijacking, OSI Model, Spoofing vs Hijacking
Types of Session Hijacking
- Definition: Session hijacking occurs when an attacker gains unauthorized access to an active session between a client and server. This attack can be classified into two main types: passive and active session hijacking.
- Passive Session Hijacking
- Definition: In a passive session hijack, the attacker monitors the session without taking control. They observe and record traffic between the user and server, aiming to collect sensitive data like user IDs, passwords, and session tokens.
- Method: The attacker uses network sniffers to intercept data. Password sniffing is one common method in passive hijacking.
- Countermeasures:
- One-Time Password Systems (e.g., S/KEY).
- Ticketing Identification Systems (e.g., Kerberos).
- Encryption: Ensuring data is encrypted can make it more challenging for attackers to read the intercepted data.
- Active Session Hijacking
- Definition: In active hijacking, the attacker takes over the session by breaking the connection or inserting themselves into the ongoing communication. Active attacks allow the attacker to impersonate the user and interact with the server.
- Example: Man-in-the-Middle (MITM) Attack where the attacker intercepts and relays messages between the two parties, manipulating the conversation.
- Challenge: Predicting the sequence numbers is complex due to randomized initial sequence numbers in TCP sessions.
- Countermeasures:
- Randomized TCP Sequence Numbers to prevent sequence-number prediction.
- Encryption Protocols like Secure Sockets Layer (SSL) or Point-to-Point Tunneling Protocol (PPTP) that prevent attackers from participating in key exchanges.
Session Hijacking in the OSI Model
- Network-Level Hijacking
- Description: Involves intercepting packets during a TCP or UDP session between the client and server.
- Target: Typically focuses on the network layer, allowing attackers to gain control over data flow at the protocol level.
- Benefits for Attackers: Often used to collect session information that can be leveraged to escalate to application-level attacks.
- Application-Level Hijacking
- Description: Gaining control over an HTTP session by stealing session IDs. Attackers can take over a user’s active session or create new unauthorized sessions.
- Example: Attacking web applications where the attacker hijacks the HTTP session, allowing access to sensitive user data and privileges.
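An added example, not from the original notes, of how an application-level hijack surfaces in web server logs: a detector groups requests by session ID and flags an ID that is used by two different clients within a short window, while tolerating a single address change with the same browser (roaming, new DHCP lease). The log format, field names, session IDs and addresses are all constructed for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple
# Constructed access-log lines (not from any real server), one request per line:
#   <epoch> <client ip> "<request>" <status> sid=<session id> "<user agent>"
LOG_LINES = [
    '1700000000 203.0.113.10 "GET /account" 200 sid=a1b2c3 "Mozilla/5.0 (X11; Linux)"',
    '1700000030 203.0.113.10 "GET /orders" 200 sid=a1b2c3 "Mozilla/5.0 (X11; Linux)"',
    '1700000045 198.51.100.7 "GET /account" 200 sid=a1b2c3 "curl/8.4.0"',
    '1700000050 203.0.113.10 "POST /orders" 200 sid=a1b2c3 "Mozilla/5.0 (X11; Linux)"',
    '1700000060 198.51.100.7 "POST /settings/email" 200 sid=a1b2c3 "curl/8.4.0"',
    '1700000100 203.0.113.22 "GET /account" 200 sid=d4e5f6 "Mozilla/5.0 (Android 14)"',
    '1700000800 203.0.113.23 "GET /orders" 200 sid=d4e5f6 "Mozilla/5.0 (Android 14)"',
]
LINE_RE = re.compile(r'^(\d+) (\S+) "[^"]*" \d{3} sid=(\w+) "([^"]*)"$')
Client = Tuple[str, str]  # (ip, user agent)

def parse_line(line: str):
    """Return (timestamp, sid, client) or None for lines that don't match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, sid, ua = m.groups()
    return int(ts), sid, (ip, ua)

def find_shared_sessions(lines: List[str], window: int = 600) -> Dict[str, List[str]]:
    """Flag session IDs used by more than one client within `window` seconds.
    A user-agent change, or the ID flipping back and forth between clients, counts
    as a hijack indicator; one IP change with the same user agent is tolerated."""
    by_sid: Dict[str, List[Tuple[int, Client]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_sid[rec[1]].append((rec[0], rec[2]))
    alerts: Dict[str, List[str]] = {}
    for sid, reqs in by_sid.items():
        reqs.sort()
        switches = 0
        for (t_prev, c_prev), (t_cur, c_cur) in zip(reqs, reqs[1:]):
            if c_cur == c_prev:
                continue
            ua_changed = c_cur[1] != c_prev[1]
            switches += 1
            if t_cur - t_prev <= window and (ua_changed or switches > 1):
                alerts.setdefault(sid, []).append(
                    f"t={t_cur}: sid {sid} moved from {c_prev} to {c_cur}")
    return alerts
```

The sensible response to an alert is server-side: invalidate the session so both holders must re-authenticate, rather than trying to decide from the log alone which client is the legitimate one.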
Spoofing vs. Hijacking
- Spoofing: The attacker impersonates another user or machine to gain access. Unlike hijacking, spoofing involves initiating a new session with the victim’s stolen credentials without taking over an active session.
- Hijacking: The attacker takes control of an existing active session, often forcing the legitimate user out of the session.