Session hijacking using Tamper Data

Session hijacking is a technique that's used to gain unauthorized access to information or an account by exploiting a valid computer session. Sometimes, it is also referred to as cookie hijacking as cookies are often used to track the user session. By stealing a cookie from the client session, an attacker can spoof the client and perform activities on behalf of the legitimate client.

When a user attempts to access a domain, they are prompted to authenticate to a protected resource. After a successful login with a valid username and password, the web server assigns a unique value to the client to track the user. This unique value is sometimes called a session cookie. It is created by the web server and placed on the client, and it continues to be used for as long as the client communicates with the web server during the session. An attacker positioned between the client and the web server, for example on the interface of our access point, can sniff the traffic and extract the session cookies. This could allow the attacker to impersonate the client and interact with the web application without any direct knowledge of the username and password.
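Whether a session cookie can be read off the wire depends on how the server issues it. The following check is an added example, not part of the original text: it audits the Set-Cookie headers of an HTTP response for the attributes that limit cookie theft. The response text, cookie names and function names are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for attributes that limit cookie theft.
# SAMPLE_RESPONSE is constructed sample data, not a capture from a real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session_id=c2FtcGxlLXRva2Vu; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html>...</html>"
)

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attributes with lowercased keys)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_response(raw_response, scheme):
    """Return {cookie_name: [findings]} for each Set-Cookie header.

    scheme is "http" or "https": how the response was delivered.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    findings = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie" or not value.strip():
            continue
        name, attrs = parse_set_cookie(value)
        issues = []
        if scheme == "http":
            issues.append("set over plaintext HTTP: visible to anyone on the path")
        if "secure" not in attrs:
            issues.append("no Secure: browser will also send it over http://")
        if "httponly" not in attrs:
            issues.append("no HttpOnly: readable from page scripts")
        if "samesite" not in attrs:
            issues.append("no SameSite: cross-site sending left to browser default")
        findings[name] = issues
    return findings

if __name__ == "__main__":
    for cookie, issues in audit_response(SAMPLE_RESPONSE, "http").items():
        print(cookie, issues or "ok")
```

A cookie that is delivered only over HTTPS and carries the Secure attribute never appears in a plaintext stream of the kind followed in Wireshark in this section.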

An example of session hijacking

To demonstrate how session hijacking occurs, let's suppose that the victim is accessing http://infosecawareness.in, where he will be logging in with his credentials in order to gain access to the website. On successful login, a cookie is created for the session and is used to track the user. If the attacker can extract the cookie from the HTTP session, it can be used to hijack the session and perform activities on the target website without the knowledge of the user. While this session is being established, all of the session data passes through the attacker's machine and can be seen in Wireshark by the attacker. The attacker can now extract the cookies sent by the victim's browser in plain text and can take over the session between the browser and the web server.

Once the user session is hijacked, the attacker can potentially change the user's password, post comments on behalf of the user, or update the user profile. If the website that the user is visiting is the administrative console of an infrastructure device, the attacker can also download or change the configuration, which can lead to further compromise of the network.

Performing session hijacking using Tamper Data

In this section, we will perform session hijacking on clients connected to our evil twin access point. Once a user session is compromised, we will extract useful information which will help us further penetrate the network. The prerequisite for this attack is that we are once again in the path of the client traffic. There are several ways to accomplish this, as discussed previously in this chapter, including using either Hostapd or airbase-ng.

In this example, we will sniff the data traffic using Wireshark and extract cookies to access the user session from the attacker machine. We will also use Tamper Data, an add-in to Firefox, which can be used to capture, alter, and replay HTTP requests. Follow these steps:

  1. Run Wireshark with the following command:
    #wireshark
    

    You should be able to see the following screenshot:

  2. Specify the interface to sniff in Wireshark. Go to Capture | Interfaces and select the at0 interface, as shown here:
  3. In Wireshark, right-click on any HTTP data packet related to http://infosecawareness.in and select Follow TCP Stream; in the Stream Content you can see the cookie value in plain text.
  4. Copy this cookie value, as shown here:
  5. After copying the cookie value, open the Firefox or Iceweasel web browser and look in Add-Ons for Tamper Data. If the add-on is not installed, you can add it to the browser using Add-On Manager and searching for Tamper Data. After the add-on is installed and the browser has been restarted to enable it, go to Tools | Tamper Data.
  6. Click on Start Tamper in the Tamper Data add-on. Type infosecawareness.in/@@personal-preferences in the address bar of the web browser. You will be prompted by Tamper Data to modify the request content; when prompted, click on the Tamper button.
  7. You can now paste the cookie value that we copied earlier from the Wireshark capture into the cookie field. Once you send the request with the captured user session cookie, you will get the user session in your web browser and can interact with the web application as if you were the legitimately authenticated user.

    We have also seen how this type of attack can potentially be utilized on certain administrative interfaces to bypass user authentication.

    The following screenshot is the hijacked session displayed in the attacker's machine:

The attacker has successfully logged in to the website by just hijacking the user session. Now he has the ability to change the password or perform malicious activities on the logged-in account.
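Seen from the web server, the replay described above is one session identifier presented by two different browsers, often from the same source address because the evil twin sits in the client's path. The following detection sketch is an added example, not part of the original text; the log format, field layout and function name are assumptions, and the log lines are constructed.

```python
import re

# Constructed sample access log (assumed format: time, client IP, hashed
# session id, quoted User-Agent, method, path). Not taken from a real server.
SAMPLE_LOG = """\
2024-05-01T10:00:02Z 192.0.2.10 sid=7f3a "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0" GET /login
2024-05-01T10:00:09Z 192.0.2.10 sid=7f3a "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0" GET /news
2024-05-01T10:01:30Z 198.51.100.7 sid=c41e "Mozilla/5.0 (Macintosh) Safari/605.1" GET /news
2024-05-01T10:02:11Z 192.0.2.10 sid=7f3a "Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0" GET /@@personal-preferences
2024-05-01T10:03:40Z 203.0.113.5 sid=c41e "Mozilla/5.0 (Macintosh) Safari/605.1" GET /news
"""

LINE_RE = re.compile(r'^(\S+) (\S+) sid=(\S+) "([^"]*)" (\S+) (\S+)$')

def find_session_reuse(log_text):
    """Flag sessions presented by a client that differs from the one that started them.

    A changed User-Agent is rated "high" even when the IP is unchanged, because an
    on-path attacker usually shares the victim's source address. An IP change with
    the same User-Agent is rated "low" (roaming clients do this legitimately).
    """
    first_seen = {}   # sid -> (ip, user_agent) of the first request
    reported = set()  # (sid, ip, user_agent) combinations already alerted on
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts, ip, sid, ua, _method, path = m.groups()
        if sid not in first_seen:
            first_seen[sid] = (ip, ua)
            continue
        orig_ip, orig_ua = first_seen[sid]
        changed = [name for name, new, old in
                   (("user-agent", ua, orig_ua), ("ip", ip, orig_ip)) if new != old]
        if not changed or (sid, ip, ua) in reported:
            continue
        reported.add((sid, ip, ua))
        alerts.append({"time": ts, "sid": sid, "changed": changed, "path": path,
                       "severity": "high" if "user-agent" in changed else "low"})
    return alerts

if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_LOG):
        print(alert)
```

A mismatch is a signal to re-authenticate or invalidate the session rather than proof of compromise, since browser updates and network changes also alter these fields.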
