Road to CEH Masters Week 11: Session Hijacking

Understanding Session Hijacking: A Comprehensive Overview

Session Hijacking Concepts

Session hijacking is a malicious technique where an attacker takes over a valid TCP communication session between two computers. After a successful authentication process, a web server sends a session identification token to the client. Attackers exploit these session tokens to gain unauthorized access to the server by sniffing, predicting, or stealing them. This can lead to identity theft, fraud, and other malicious activities.

Why is Session Hijacking Successful?

Several factors contribute to the success of session hijacking:

  1. Absence of Account Lockout for Invalid Session IDs: Attackers can make multiple attempts to connect with varying session IDs without the account being locked.
  2. Weak Session-ID Generation Algorithms: Linear algorithms and short session IDs make it easier for attackers to predict valid session IDs.
  3. Insecure Handling of Session IDs: Session IDs can be intercepted through DNS poisoning, cross-site scripting, and other methods.
  4. Indefinite Session Timeout: Session IDs that never expire give attackers unlimited time to guess a valid session ID.
  5. Lack of Encryption: Without proper encryption, session IDs can be easily sniffed in a network.
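The five factors above each have a direct server-side fix. As an added example (not code from the original post), here is a minimal session store in Python that closes them: random 256-bit IDs from the OS CSPRNG (factor 2), per-source throttling of invalid session IDs (factor 1), idle and absolute timeouts (factor 4), ID rotation at login so a token captured before authentication stops working, and a cookie header carrying the Secure, HttpOnly and SameSite attributes (factor 5; the transport itself must be TLS). All timeouts, limits and the `clock` hook for testing are illustrative choices, not values from the post.

```python
"""Added example: a small server-side session store that addresses the
weaknesses listed above. Names, limits and timeouts are illustrative."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session is dropped
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on a session's lifetime, idle or not
MAX_INVALID_PER_IP = 20       # factor 1: stop a source that keeps sending bad IDs


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)
    invalid_attempts: Dict[str, int] = field(default_factory=dict)
    clock: Callable[[], float] = time.time  # injectable for tests

    def create(self, user: str) -> str:
        # Factor 2: 32 random bytes (256 bits) from the OS CSPRNG, not a
        # counter, timestamp or hash of the username.
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[sid] = Session(user, now, now)
        return sid

    def lookup(self, sid: str, client_ip: str) -> Optional[str]:
        """Return the user bound to sid, or None if it is unknown, expired,
        or the client has exhausted its invalid-ID budget."""
        now = self.clock()
        if self.invalid_attempts.get(client_ip, 0) >= MAX_INVALID_PER_IP:
            return None  # factor 1: source is locked out
        # Constant-time comparison against each stored ID avoids leaking how
        # many leading characters matched; a large store would index by an
        # HMAC of the ID instead of scanning.
        match = next((k for k in self.sessions if hmac.compare_digest(k, sid)), None)
        if match is None:
            self.invalid_attempts[client_ip] = self.invalid_attempts.get(client_ip, 0) + 1
            return None
        s = self.sessions[match]
        # Factor 4: a session dies when idle too long or simply too old.
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self.sessions[match]
            return None
        s.last_seen = now
        return s.user

    def rotate(self, old_sid: str, client_ip: str) -> Optional[str]:
        """Issue a fresh ID after a privilege change such as login, so an ID
        observed before authentication is worthless afterwards."""
        user = self.lookup(old_sid, client_ip)
        if user is None:
            return None
        del self.sessions[old_sid]  # lookup succeeded, so old_sid is an exact key
        return self.create(user)


def session_cookie(sid: str) -> str:
    # Factor 5: Secure keeps the cookie off plaintext HTTP, HttpOnly keeps it
    # away from page scripts (XSS), SameSite limits cross-site sending.
    return (f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax; "
            f"Max-Age={IDLE_TIMEOUT}")


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print("Set-Cookie:", session_cookie(sid))
    print("lookup ->", store.lookup(sid, "198.51.100.7"))
```

The `clock` field exists only so expiry can be exercised deterministically; in production leave it at `time.time`. Lockout is keyed on the client address here for brevity; behind a shared proxy a real deployment would key on the forwarded client identity instead.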

Session Hijacking Process

Session hijacking typically involves three main phases:

  1. Tracking the Connection: Using network sniffers or tools like Nmap to capture TCP sequence and acknowledgment numbers.
  2. Desynchronizing the Connection: Creating a state where the server and target are out of sync by manipulating SEQ/ACK numbers or sending reset packets.
  3. Injecting the Attacker’s Packet: Injecting data into the network and acting as a man-in-the-middle to control the communication.

Types of Session Hijacking

  1. Passive Session Hijacking: The attacker observes and records traffic without altering it. This is often done using network sniffers to obtain user IDs and passwords.
  2. Active Session Hijacking: The attacker takes over an existing session by breaking the connection on one side or actively participating in the session, such as in a man-in-the-middle attack.

Session Hijacking in OSI Model

  • Network-Level Hijacking: Interception of packets during transmission in a TCP/UDP session, providing attackers with crucial information.
  • Application-Level Hijacking: Gaining control over HTTP user sessions by obtaining session IDs, allowing attackers to create unauthorized sessions.

Spoofing vs. Hijacking

  • Session Hijacking: Involves taking over an active session by predicting sequence numbers and displacing the legitimate user.
  • IP Spoofing: Involves initiating a new session using stolen credentials, without the need for ongoing session details.

Application-Level Session Hijacking

Application-level session hijacking involves compromising session tokens to gain unauthorized access to a web server. Key methods include:

  1. Session Sniffing: Intercepting HTTP traffic to extract session IDs using tools like Wireshark.
  2. Stealing: Gaining physical access to session ID information stored on a user’s system or server.
  3. Guessing: Predicting session IDs based on observed patterns.
  4. Brute Forcing: Generating and testing multiple session ID values to find a valid one.

Compromising Session IDs

  1. Using Sniffing: Intercepting HTTP traffic to identify session IDs and masquerading as the victim.
  2. Predicting Session Tokens: Analyzing patterns in session ID generation to guess or predict valid IDs.
  3. MITM Attacks: Intercepting and manipulating messages in an existing connection.
  4. Man-in-the-Browser Attacks: Using a Trojan horse to intercept and manipulate browser communications.
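Whatever method was used to obtain the ID, the server-side symptom is the same: one session ID starts arriving from a client that does not match the one it was issued to. As an added example (not from the original post), the detector below runs over constructed access-log lines and flags sessions whose User-Agent changes mid-session, or whose client IP changes faster than a legitimate network move would allow. The log format, the hashed `sid` prefixes, the addresses and the 300-second window are all constructed for this example.

```python
"""Added example: detect the server-side symptom of a hijacked session, one
session ID used by two different clients. Log format and entries are
constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterator, List, Tuple

# Constructed log lines. Only a hash prefix of the session ID is logged, so
# the log file does not become one more place to steal live tokens from.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sid=7f3a9c ip=198.51.100.7 ua="Mozilla/5.0 (Windows NT 10.0) Firefox/125" path=/account
2024-05-01T10:00:40Z sid=7f3a9c ip=198.51.100.7 ua="Mozilla/5.0 (Windows NT 10.0) Firefox/125" path=/orders
2024-05-01T10:01:05Z sid=7f3a9c ip=203.0.113.42 ua="curl/8.5.0" path=/account/export
2024-05-01T10:02:00Z sid=c01d2e ip=192.0.2.15 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 17_4) Safari/604.1" path=/
2024-05-01T10:30:00Z sid=c01d2e ip=192.0.2.77 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 17_4) Safari/604.1" path=/orders
2024-05-01T10:05:00Z sid=e5f6a7 ip=198.51.100.23 ua="Mozilla/5.0 (X11; Linux x86_64) Chrome/124" path=/
2024-05-01T10:06:30Z sid=e5f6a7 ip=198.51.100.23 ua="Mozilla/5.0 (X11; Linux x86_64) Chrome/124" path=/account
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" path=(?P<path>\S+)$'
)


def parse_log(text: str) -> Iterator[dict]:
    """Yield one event dict per well-formed line; malformed lines are skipped
    rather than aborting the whole run."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        yield ev


def detect_shared_sessions(log_text: str, ip_window: int = 300) -> Dict[str, List[Tuple[str, str]]]:
    """Return {sid: [(severity, message), ...]} for sessions whose client
    fingerprint changes between consecutive requests.

    A User-Agent change is high severity (browsers do not change mid-session).
    An IP change is high only when it happens within ip_window seconds; a
    slower change is reported as low, since phones roam between networks."""
    by_sid: Dict[str, List[dict]] = defaultdict(list)
    for ev in parse_log(log_text):
        by_sid[ev["sid"]].append(ev)

    findings: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for sid, events in by_sid.items():
        events.sort(key=lambda e: e["ts"])
        for prev, cur in zip(events, events[1:]):
            if cur["ua"] != prev["ua"]:
                findings[sid].append(
                    ("high", f'user-agent changed: {prev["ua"]!r} -> {cur["ua"]!r}'))
            if cur["ip"] != prev["ip"]:
                gap = (cur["ts"] - prev["ts"]).total_seconds()
                sev = "high" if gap <= ip_window else "low"
                findings[sid].append(
                    (sev, f'ip changed {prev["ip"]} -> {cur["ip"]} after {gap:.0f}s'))
    return dict(findings)


if __name__ == "__main__":
    for sid, reasons in detect_shared_sessions(SAMPLE_LOG).items():
        for sev, msg in reasons:
            print(f"[{sev}] {sid}: {msg}")
```

In this sample, `7f3a9c` is the textbook case (a browser session suddenly continued by `curl` from a new address 25 seconds later), `c01d2e` is a plausible mobile network change, and `e5f6a7` is clean. The natural response to a high finding is to invalidate the session server-side and force re-authentication rather than only alerting.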

Conclusion

Session hijacking is a significant threat to online security, allowing attackers to gain unauthorized access to systems and sensitive information. Understanding the methods and processes involved in session hijacking is crucial for implementing effective countermeasures, such as strong session-ID generation algorithms, proper encryption, and vigilant monitoring of network traffic.


With my study notes I have created a set of 8 flashcards that can be accessed here: Module 11 – Flash Cards

I have also created this visual Mind map: Module 11 – Mindmap

If you have any questions or any feedback, feel free to comment or leave a message on the homepage, as that will be sent directly to me!


Thanks for reading!

About the Author

Thomas Charlesworth

Ethical Hacker & AI Engineer

I blend offensive security with custom LLM tooling to empower teams with private, lightning-fast insights. Certified in A+, Network+, Security+, PenTest+—next up, CEH.
