In this chapter, you will learn about session hijacking, including the steps involved, the different types, and the countermeasures that can be used to protect against this type of attack.
- 1.
Identify the proper order of steps used to conduct a session hijacking attack.
- 2.
Recognize different types of session hijacking.
- 3.
Identify TCP/IP hijacking.
- 4.
Describe countermeasures to protect against session hijacking.
Session Hijacking
Session hijacking happens when a user’s valid computer session between two computers is taken over by an attacker. In this lesson, you will learn how an attacker can steal a valid session ID and use it to get into the system and extract data. To begin, it is important to first review the transmission control protocol (TCP) stack to establish a solid base of understanding before taking a closer look at the details of session hijacking.
The TCP Stack
Three-Way Handshake
To establish a connection between two parties using TCP, a three-way handshake is used. The attacker tries to disrupt the three-way handshake. An attacker can send packets, which are manipulated if the TCP sequence is easy to predict. Attackers can also gain access to unauthorized information. Sequence numbers are random, but over time, random numbers will repeat because the randomness is based on an internal algorithm within the operating system.
Steps in Session Hijacking
- 1.
Track the connection: The attacker uses a network sniffer to target a victim with a TCP sequence that is easy to predict. Sequence and acknowledgement numbers are captured by the attacker and these numbers are used to build packets.
- 2.
Desynchronize the connection: The attacker alters the server’s sequence number to desynchronize the connection between the host and the target. To accomplish this, the attacker sends null data to the server in order to advance the server’s SEQ/ACK number (the target machines do not have the same increment) which desynchronizes the server and target. The target is unaware of the attack.
- 3.
Inject the attacker’s packet: Once the connection between the server and the target has been interrupted, the attacker is able to inject data into the network or engage in a man-in-the-middle attack.
Types of Session Hijacking
For an active attack to succeed, the attacker must guess the sequence number before the target responds to the server. Operating system vendors use random values for the initial sequence number, making the sequence numbers harder to predict. Active attacks take over existing sessions, break down the connection, and actively participate. Passive attacks monitor an ongoing session and use sniffers.
Network-Layer Hijacking
Network-layer hijacking includes intercepting packets while transmission takes place in a TCP/UDP session between the client and the server. In order to attack application layer sessions, the attacker has the essential information required.
TCP/IP hijacking uses spoofed packets to take over a connection. The attacker must be on the same network as the victim.
Man-in-the-middle uses packet sniffers to intercept communication between the client and server. It also redirects traffic between the client and host through the attacker.
IP spoofing attackers create packets to insert into the TCP session, which are used to gain unauthorized access by using a trusted host’s IP address.
Blind hijacking occurs when the attacker predicts the sequence numbers that a victim sends and the connection appears to originate from the host.
RST hijacking occurs when the attacker resets the target computer and a newly established session is rerouted through the attacker.
UDP hijacking does not use packet sequencing. The attacker sends a forged server reply to the client before the server responds.
Application-Layer Hijacking
An attacker takes control of an existing session by accessing the session IDs. You can find session IDs embedded in the URL.
In an HTML injection, an attacker injects malicious HTML code which is executed by the client. Session data is returned to the hijacker. Cross-site scripting authenticates user inputs by exploiting the web application.
Sniffing is attacking by redirecting traffic through hosts when the HTTP traffic is unencrypted. Unencrypted data carries session IDs, usernames, and passwords.
Brute force attacking is simply trying multiple possibilities until a session ID works.
Misdirected trust uses HTML interjection and cross-site scripting.
Additional attacks include embedding code in the URL, a form, or in cookies.
Countermeasures
The specification of the TCP protocol has been changed to make prediction of sequence numbers much difficult. There are 4.3 billion potential values possible for an ISN with a 32-bit field. A network administrator may use different best practices to defend against the session hijacking. They can limit incoming connections, use encryption, minimize remote access, use a secure protocol, educate users, and use circuit-level gateway firewalls as part of the Internet Protocol security (IPSec).
Browser Exploit
For different browsers on the marketplace, including Internet Explorer, Mozilla Firefox, Google Chrome, and Safari, Metasploit has exploits. Brower exploits, however, only work when a particular version of the operating system is used.
Configured Settings
Spear Phish Attack
Exploiting the Victim Machine
Summary
In this chapter, you learned about key factors involving session hijacking and how to recognize the steps used to conduct an attack. You reviewed several countermeasures that can help to protect against this type of an attack.