- Session hijacking can be done at two levels:
- Network-level hijacking involves TCP and UDP sessions.
- Application-level hijacking involves HTTP sessions.
- A successful attack on a network-level session gives the attacker critical information that can then be used to attack the application-level session, so the two usually occur together, depending on the system being attacked.
- Network-level attacks are the most attractive to an attacker because they do not have to be customized per web application; they attack the data flow of the protocol itself, which is common to all web applications.
1. TCP Session Hijacking
- TCP hijacking intercepts an already established TCP session between two communicating parties, pretends to be one of them, and finally redirects the TCP traffic to the attacker by injecting spoofed IP packets, so that the attacker's commands are processed on behalf of the authenticated host of the session.
- It desynchronizes the session between the actual communicating parties by intruding itself between them.
- As authentication is only required at the time the connection is established, an already established connection can be stolen without going through any authentication or related security measures.
- TCP session hijacking can be implemented in two different ways:
- Man-in-the-Middle attack
- Blind attack
- IP Spoofing
- Spoofing is pretending to be someone else.
- It is a technique used to gain unauthorized access to a computer by using the IP address of a trusted host.
- In session hijacking, the trusted host is the client whose IP address the hijacker copies into forged packets, so that those packets are accepted by the server maintaining the session with that client.
- To apply this technique the hijacker has to obtain the IP address of the client and inject packets spoofed with that address into the TCP session, fooling the server into believing it is still communicating with the victim, i.e. the original host.
- What remains is to set the sequence and acknowledgement numbers of the spoofed packets to the values the server expects from the client.
- Once they are set, the hijacker injects the forged packet into the established session before the client can respond, desynchronizing the original session: the server now expects a different sequence number, so the client's genuine packet is discarded.
- Based on how the sequence numbers are anticipated, there are two types of TCP hijacking: Man-in-the-Middle and blind hijacking.
Man in the Middle attack
- This technique uses a packet sniffer to intercept the communication between the client and the server.
- Packet sniffers come in two categories: active and passive.
- Passive sniffers monitor and capture packets on a network sharing the same collision domain, i.e. a network with a hub, because a hub repeats every packet on each of its ports.
- Active sniffers work on a switched LAN by ARP spoofing.
- Once the hijacker reads the TCP header, he knows the sequence number expected by the server, the acknowledgement number, the ports and the protocol numbers, so he can forge the packet and send it to the server before the client does.
- Another way of achieving this is to change the default gateway of the client's machine so that it routes its packets via the hijacker's machine.
- This can be done by ARP spoofing, i.e. by sending malicious ARP packets that map the hijacker's MAC address to the default gateway's IP address, so that the client's ARP cache is updated and its traffic is redirected to the hijacker.
- If the packets cannot be sniffed and the correct sequence number expected by the server cannot be learned, the attacker has to fall back on "blind session hijacking".
- That means brute-forcing 4 billion possible sequence numbers, which is an unreliable task.
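The ARP-cache poisoning described above leaves a visible trace on the segment: the gateway's IP address suddenly being announced with a different MAC, and one MAC answering for both the gateway and a client. The following detection routine is an added example (not part of the original notes) that runs that check over a constructed list of ARP replies; the gateway address, the sample MACs and the record format are assumptions made for the example.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"   # assumed address of the LAN's default gateway

# Constructed sample of ARP replies as a passive monitor on the segment would
# record them: (time, sender IP, sender MAC). Not real traffic.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # gateway, legitimate
    ("10:00:02", "192.168.1.20", "aa:aa:aa:aa:aa:20"),  # client, legitimate
    ("10:00:03", "192.168.1.1",  "aa:aa:aa:aa:aa:01"),
    ("10:00:09", "192.168.1.1",  "aa:aa:aa:aa:aa:99"),  # gateway IP now claimed by a third MAC
    ("10:00:10", "192.168.1.20", "aa:aa:aa:aa:aa:99"),  # same MAC also claims the client
]


def detect_arp_spoofing(replies, gateway_ip=GATEWAY_IP):
    """Return alert strings for two signs of ARP cache poisoning:
    1. an IP address announced with a MAC different from the one first seen,
    2. one MAC answering for several IPs, one of them the gateway, which is
       what a host placing itself between client and gateway looks like."""
    first_mac = {}                   # ip -> MAC address seen first for that IP
    ips_per_mac = defaultdict(set)   # mac -> set of IPs it has claimed so far
    flagged_macs = set()             # MACs already reported for signal 2
    alerts = []
    for ts, ip, mac in replies:
        if ip not in first_mac:
            first_mac[ip] = mac
        elif first_mac[ip] != mac:
            tag = " (gateway)" if ip == gateway_ip else ""
            alerts.append(f"{ts} {ip}{tag} changed from {first_mac[ip]} to {mac}")
        ips_per_mac[mac].add(ip)
        if (gateway_ip in ips_per_mac[mac] and len(ips_per_mac[mac]) > 1
                and mac not in flagged_macs):
            flagged_macs.add(mac)
            alerts.append(
                f"{ts} {mac} answers for {sorted(ips_per_mac[mac])}, including the gateway")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(line)
```

On the sample the first three replies produce no alert; the fourth raises the gateway-MAC change and the fifth raises both the client-MAC change and the "one MAC for gateway and client" signal. A real monitor would feed it ARP frames from a capture instead of the constructed list, and pin the gateway's MAC statically rather than trusting the first reply seen.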
2. UDP Session Hijacking
- Since UDP does not use packet sequencing or synchronization, a UDP session is easier to hijack than a TCP session.
- The hijacker simply has to forge a server reply to a client UDP request before the real server can respond.
- If sniffing is used, it is easier still to control the traffic coming from the server's side and so block the server's reply to the client in the first place.
Hijacking at the Application Level
- At this level a hijacker can not only hijack already existing sessions but can also create new sessions from the stolen data.
HTTP Session Hijacking
Hijacking an HTTP session involves obtaining its session ID, which is the only unique identifier of the HTTP session. Session IDs can be found in three places:
- In the URL sent by the browser in the HTTP GET request.
- In cookies stored on the client's computer.
- In form fields.
Obtaining Session ID’s
- One way to obtain the session ID is by sniffing, which is the same as the Man-in-the-Middle attack: cookies and URLs can be read from the packets and, if unencrypted, reveal critical user logon information.
- Another way is by brute forcing the session ID, which involves trying a set of IDs based on some pattern. Brute forcing is a time-consuming task, but when it exploits a pattern in the ID-generation algorithm it can produce results rather quickly.
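Both ways of obtaining a session ID hinge on how the server issues and transports it: an ID built from a counter has the "pattern" the brute-force bullet relies on, and an ID carried in a URL or a clear-text cookie is exactly what the sniffing bullet picks up. The following is an added example (not code from the original notes) contrasting a counter-based session store with one that draws IDs from the OS random source, an audit check that flags the counter pattern, and the Set-Cookie attributes that keep the ID off the wire in clear text and out of script reach. The cookie name, the store classes and the audit function are assumptions made for the example.

```python
import itertools
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"   # assumed cookie name for the example


class WeakSessionStore:
    """Constructed example of the weakness the notes describe: IDs come from a
    counter, so consecutive IDs follow a fixed pattern and can be enumerated."""
    def __init__(self, start=1000):
        self._counter = itertools.count(start)
        self.sessions = {}

    def new_session(self, user):
        sid = f"sess-{next(self._counter):08d}"
        self.sessions[sid] = user
        return sid


class StrongSessionStore:
    """IDs are 32 bytes from the OS CSPRNG (about 256 bits of entropy), so there
    is no pattern to extrapolate and the search space is beyond brute force."""
    def __init__(self):
        self.sessions = {}

    def new_session(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def lookup(self, sid):
        # constant-time comparison so a guess does not learn how much of it matched
        for known, user in self.sessions.items():
            if secrets.compare_digest(known, sid):
                return user
        return None


def looks_sequential(ids):
    """Audit check: True when the digits of consecutive IDs differ by a constant
    non-zero step, i.e. the generator is a counter in disguise."""
    nums = []
    for s in ids:
        digits = "".join(ch for ch in s if ch.isdigit())
        if not digits:
            return False
        nums.append(int(digits))
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(steps) == 1 and steps != {0}


def session_cookie_header(sid, max_age=3600):
    """Build the Set-Cookie value for a session ID: Secure (only sent over HTTPS,
    so it cannot be sniffed in clear text), HttpOnly (not readable by page
    scripts), SameSite (not attached to cross-site requests), bounded lifetime."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = sid
    c[SESSION_COOKIE]["secure"] = True
    c[SESSION_COOKIE]["httponly"] = True
    c[SESSION_COOKIE]["samesite"] = "Lax"
    c[SESSION_COOKIE]["max-age"] = max_age
    c[SESSION_COOKIE]["path"] = "/"
    return c.output(header="").strip()


if __name__ == "__main__":
    weak, strong = WeakSessionStore(), StrongSessionStore()
    weak_ids = [weak.new_session("alice") for _ in range(5)]
    strong_ids = [strong.new_session("alice") for _ in range(5)]
    print("weak IDs sequential:  ", looks_sequential(weak_ids), weak_ids[:2])
    print("strong IDs sequential:", looks_sequential(strong_ids))
    print("Set-Cookie:", session_cookie_header(strong_ids[0]))
```

The audit function is the kind of check run against one's own application: issue a handful of sessions and see whether their IDs step by a constant. Keeping the ID in a cookie with these attributes rather than in the URL also removes the third place the notes list, since URLs end up in browser history, proxy logs and Referer headers.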