
SESSION HIJACKING

By Rupal Shekokare. Rohini Vaidya.

Objectives

Basics of TCP/IP
How communication takes place on a network
How does three-way handshaking work?
What is a session?
What is session hijacking?
Different types of session hijack attacks
Methods of conducting session hijacking attacks
Steps in session hijacking
Session hijack tools
Detecting session hijack attacks
What makes the attack so dangerous?

Basics of TCP/IP

TCP, an abbreviation for Transmission Control Protocol, is one of the main connection-oriented protocols in a TCP/IP network. TCP provides reliable end-to-end communication over an unreliable network. To establish a session or connection with a TCP server, a client must follow a structured system for session management known as the three-way handshake. For two machines to communicate via TCP they must synchronize their session through Synchronize (SYN) and Acknowledgement (ACK) packets. Every packet is given a sequence number, which helps the receiving host synchronize and reassemble the stream of packets back into their original, intended order. TCP session establishment is shown in the figure below.

How communication takes place on a network?

Three-way Handshaking (client on the left, server on the right)

Client  --- SYN (seq# = x) ---------------------------->  Server
Client  <-- SYN/ACK (seq# = y ; ack# = x+1) -----------  Server
Client  --- ACK (seq# = x ; ack# = y+1) --------------->  Server

How does Three-way Handshaking work?

1. The client sends a SYN request to the server with initial sequence number x.
2. The server sends the SYN/ACK packet, publishing its own sequence number (SEQ y) and an acknowledgement number (ACK) for the client's original SYN packet. The ACK indicates the next SEQ number the server expects from the client.
3. The client acknowledges receipt of the SYN/ACK packet from the server by sending the ACK number, which is the next sequence number expected from the server, y+1 in this case.
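The handshake arithmetic and the rule that decides whether a later segment is accepted, as an added example (not part of the original slides): a minimal model of one TCP endpoint's receive state. The `Segment`, `ServerSide` and `desync_demo` names are this example's own, and the model is simplified (no reordering buffer), so any segment that does not start exactly at the next expected byte is dropped and re-acknowledged, which is the mechanism behind the ACK storm mentioned later in the deck.

```python
from dataclasses import dataclass
from typing import Optional

MOD = 2 ** 32  # TCP sequence numbers are 32-bit counters that wrap around


@dataclass
class Segment:
    flags: str
    seq: int
    ack: Optional[int] = None


def three_way_handshake(x: int, y: int) -> list:
    """The three handshake segments for client ISN x and server ISN y."""
    return [
        Segment("SYN", seq=x),                                 # 1. client -> server
        Segment("SYN/ACK", seq=y, ack=(x + 1) % MOD),          # 2. server -> client
        Segment("ACK", seq=(x + 1) % MOD, ack=(y + 1) % MOD),  # 3. client -> server
    ]


class ServerSide:
    """Receive-side state of one established connection (simplified model)."""

    def __init__(self, client_isn: int, server_isn: int) -> None:
        self.rcv_nxt = (client_isn + 1) % MOD  # next byte expected from the client
        self.snd_nxt = (server_isn + 1) % MOD  # next byte the server will send

    def receive(self, seq: int, payload_len: int) -> str:
        if seq == self.rcv_nxt:
            self.rcv_nxt = (self.rcv_nxt + payload_len) % MOD
            return "accepted"
        # A real stack drops the segment and re-sends an ACK carrying rcv_nxt;
        # two peers that disagree about rcv_nxt bounce such ACKs back and
        # forth endlessly, which is the ACK storm the attack leaves behind.
        return "dropped, ACK re-sent"


def desync_demo() -> list:
    """Constructed walk-through: only a segment with the exact expected
    sequence number is accepted, and after a foreign segment is accepted
    the legitimate client is out of sync and gets dropped too."""
    x, y = 1000, 5000
    server = ServerSide(x, y)
    return [
        server.receive(seq=x + 1, payload_len=10),    # real client: accepted
        server.receive(seq=x + 999, payload_len=5),   # wrong sequence number: dropped
        server.receive(seq=x + 11, payload_len=5),    # exact expected number: accepted
        server.receive(seq=x + 11, payload_len=8),    # real client now desynchronized
    ]
```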

What is a Session?

A session refers to all the requests that a single client makes to a server. A session is specific to the user, and for each user a new session is created to track all the requests from that user. Every user has a separate session, and separate session variables are associated with that session.

What is Session Hijacking?

Session hijack attacks are defined as taking over an active TCP/IP communication session without the permission or knowledge of its participants. When implemented successfully, attackers assume the identity of the compromised user, enjoying the same access to resources as the compromised user.

Hijacking HTTP sessions involves obtaining the session ID, which is the only unique identifier of the HTTP session. Session IDs can be found in three places:
1. In the URL received by the browser for the HTTP GET request.
2. In cookies stored on the client's computer.
3. Within form fields.
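A defender's check for the three session-ID locations just listed, as an added example that is not part of the original slides: it flags session IDs carried in a URL, audits a `Set-Cookie` header for the attributes that keep a session cookie away from sniffers and injected script, and finds session IDs placed in hidden form fields. The `SESSION_NAMES` list of common session-ID names and all function names are this example's own assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Common names for session IDs (constructed list; extend for your application)
SESSION_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "session_id", "sid"}


def session_ids_in_url(url: str) -> list:
    """Location 1: session ID in the URL, which leaks via logs, Referer and history."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(p for p in params if p.lower() in SESSION_NAMES)


def audit_set_cookie(header: str) -> tuple:
    """Location 2: session cookie. Returns (cookie name, list of missing protections)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value.lower()
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure: sent in clear over HTTP, readable by a packet sniffer")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: readable by injected script (XSS)")
    if attrs.get("samesite", "none") == "none":
        findings.append("SameSite missing or None: sent along with cross-site requests")
    return name, findings


INPUT_TAG = re.compile(r"<input\b[^>]*>", re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")


def session_ids_in_form(html: str) -> list:
    """Location 3: session ID in a hidden form field, exposed to page scripts and caches."""
    found = []
    for tag in INPUT_TAG.findall(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        if attrs.get("type", "").lower() == "hidden" and attrs.get("name", "").lower() in SESSION_NAMES:
            found.append(attrs["name"])
    return sorted(found)
```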

Different types of session hijack attacks:

1. Active
2. Passive
3. Hybrid

Active Attack
An active attack is when the attacker hijacks a session on the network. The attacker silences one of the machines, usually the client computer, and takes over the client's position in the communication exchange between the workstation and the server. The active attack also allows the attacker to issue commands on the network, making it possible to create new user accounts on the network, which can later be used to gain access to the network without having to perform the session hijack attack again.

Figure 1- Active Session Hijack Attack

Passive Attack
In a passive attack the attacker monitors the traffic between the workstation and the server. The primary motivation for the passive attack is that it provides the attacker with the ability to monitor network traffic and potentially discover valuable data or passwords. That is, the attacker hijacks a session but sits back and watches and records all the traffic that is being sent back and forth.

Figure 2- Passive Session Hijack Attack

Hybrid Attack
The final type of session hijack attack is referred to as the hybrid attack. This attack is a combination of the active and passive attacks. It allows the attacker to listen to network traffic until something of interest is found. The attacker can then modify the attack by removing the workstation computer from the session and assuming its identity.

Methods of conducting Session Hijacking Attacks

1. Session Fixation: the attacker sets a user's session ID to one known to him, for example by sending the user an email with a link that contains or uses a particular session ID.
2. Session Sidejacking: the attacker uses packet sniffing to read network traffic between two parties to steal the session, i.e. a man-in-the-middle.
3. XSS: the attacker tricks the user's computer into running code which is treated as trustworthy because it appears to belong to the server.
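The server-side countermeasure to session fixation, as an added example that is not part of the original slides: a session store that never adopts a session ID it did not issue itself and rotates the ID at login, so an ID planted through an emailed link can never become an authenticated session. The `SessionStore` class and `fixation_scenario` walk-through are this example's own names.

```python
import secrets


class SessionStore:
    """Server-side session table that never adopts a client-chosen ID."""

    def __init__(self) -> None:
        self._sessions = {}  # session ID -> session data

    def _issue(self, data: dict) -> str:
        sid = secrets.token_urlsafe(32)  # 256 random bits: not guessable, not predictable
        self._sessions[sid] = data
        return sid

    def resume(self, presented_id) -> str:
        """Called on every request with the ID from the cookie (or None).
        An ID this server did not issue is ignored and replaced, so a fixed
        ID (e.g. one embedded in an emailed link) never becomes a live session."""
        if presented_id in self._sessions:
            return presented_id
        return self._issue({})

    def login(self, sid: str, username: str) -> str:
        """Rotate the ID at authentication: whoever knew the pre-login ID,
        including someone who fixed it, cannot use it afterwards."""
        data = self._sessions.pop(sid, {})
        data["user"] = username
        return self._issue(data)

    def user_of(self, sid):
        return self._sessions.get(sid, {}).get("user")


def fixation_scenario() -> dict:
    """Constructed walk-through: a planted ID is presented, then the user logs in."""
    store = SessionStore()
    planted = "id-chosen-by-someone-else"
    pre = store.resume(planted)       # server ignores the planted ID and issues its own
    post = store.login(pre, "alice")  # ID rotates at login
    return {
        "adopted_planted": pre == planted,
        "rotated_at_login": post != pre,
        "old_id_user": store.user_of(pre),
        "new_id_user": store.user_of(post),
    }
```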

Session Hijacking: How Does it Work?

Attackers exploit sequence numbers to hijack sessions.

Sequence numbers are 32-bit counters used to:
1. Tell receiving machines the correct order of packets
2. Tell the sender which packets were received and which were lost

Receiver and sender each have their own sequence numbers. When two parties communicate, the following are needed:
I. IP addresses
II. Port numbers
III. Sequence numbers
IP addresses and port numbers are easily available, so once the attacker gets the server to accept his guessed sequence number he can hijack the session.

Steps in Session Hijacking

Step 1 - Locating a Target
Step 2 - Find an Active Session
Step 3 - Perform Sequence Number Prediction
Step 4 - Take One of the Parties Offline
Step 5 - Take over the Session and Maintain the Connection

Step 1 - Locating a Target

The first step in the session hijack attack is locating a target user. Attackers look for two things prior to their attack:
1. First, they look for networks that have a high level of utilization. High-volume networks provide a healthy supply of users to choose from, which also helps the attack remain anonymous.
2. Secondly, users who frequently use insecure network protocols such as Telnet, rlogin (remote login), and FTP (File Transfer Protocol) are also frequent targets due to their inherently insecure design.
3. Packet sniffing software can be used to sniff network traffic for the purpose of locating vulnerable protocols like FTP, Telnet, and rlogin. Port scanning software can also be used to identify servers that have FTP, Telnet, or rlogin ports open.

Step 2 - Find an Active Session

1. Session hijack attacks are usually waged against servers with large amounts of activity. The reason is twofold: high network utilization provides an environment containing adequate sessions that can be exploited.
2. Secondly, the high usage on the server helps hide the disruption caused by the attack.
3. Attackers generally target session-oriented protocols like FTP, Telnet, and rlogin, which provide prolonged connections to other computers.
4. Attackers who are looking for open sessions generally use software tools like Wireshark, or the more sophisticated session detection software that is included in some of the popular session hijacking software packages like T-Sight or Juggernaut.

Step 3 - Perform Sequence Number Prediction

Now that a target has been chosen, the next step in the session hijack process is sequence number prediction. This process entails guessing the next sequence number that the server is expecting from the workstation. Sequence number prediction is a critical step, because failing to predict the correct sequence number will result in the server sending reset packets and terminating the connection attempt. If the attacker guesses the sequence numbers wrong repeatedly, the likelihood of the attack being detected increases. Various software tools, such as Juggernaut and T-Sight, are used by attackers for this step.

Step 4 - Take One of the Parties Offline

Once a session is chosen and the sequence numbers are predicted, the attacker needs to silence the workstation computer. This is generally done with a denial of service attack; however, any attack that renders the computer unable to communicate on the network would work just as well.
The attacker must ensure that the client computer remains offline for the duration of the attack, or the client computer will begin transmitting data on the network, causing the workstation and the server to repeatedly attempt to synchronize their connections, resulting in a condition known as an ACK storm.

Taking the client computer offline is only done in an aggressive (active) session hijack attack.

Step 5 - Take over the Session and Maintain the Connection

The final phase of the session hijack attack entails taking over the communication session between the workstation and the server.
The attacker spoofs the client's IP address, to avoid detection, and includes the sequence number that was predicted earlier. If the server accepts this information, the attacker has successfully taken over the communication session. Because the attacker's source address has been spoofed, the attacker will not receive any feedback regarding the status of the attack.

Session Hijack Tools

The session hijacking tools available today provide precision, timing, and session prediction capabilities.

1. Juggernaut:
It is one of the most popular software packages for session hijacking and it runs only on the Linux operating system. Juggernaut contains a built-in network sniffer which aids in the hijacking process and allows the attacker to watch for keywords as they flow across the network. Juggernaut is frequently used when attackers want to capture passwords.

2. T-Sight:
It is written for the Windows operating system and is a commercially available product that provides most of the functionality of the UNIX software variants. T-Sight automates the selection of open sessions, provides accurate sequence number prediction, and is capable of silencing target workstations.

What Makes the Attack so Dangerous?

The attack exploits all three sides of the CIA triad:
1. CONFIDENTIALITY
2. INTEGRITY
3. AVAILABILITY

The session hijack attack compromises all three sides of the CIA triad. When a successful attack is achieved, the attacker has the ability to read and modify data, violating the confidentiality and integrity portions of the model. Availability is also affected by the session hijack attack, due to ARP storms and denial of service conditions that are a byproduct of the attack.

Detecting Session Hijack Attacks

There are two primary technologies that assist in session hijack detection.
1. Packet sniffing: essentially, a packet sniffer is a program that can see all of the information passing over the network it is connected to. As data streams back and forth on the network, the program looks at, or "sniffs," each packet. Network administrators have used packet sniffers for years to monitor their networks, perform diagnostic tests and troubleshoot problems.
2. Intrusion detection systems (IDS) and intrusion prevention systems: software that monitors network and/or system activities for malicious activity or policy violations and produces reports to a management station. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting such attempts.
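One detection rule a sniffer or IDS can apply to the ACK storm that a desynchronized session produces (described under Step 4 above), as an added example that is not part of the original slides: it counts payload-less ACKs per connection in a sliding time window and alerts when the count is far above what normal data exchange generates. The packet records are constructed for this example, and the `detect_ack_storm` and `sample_capture` names, the window of 1 s and the threshold of 50 are this example's own assumptions.

```python
from collections import defaultdict


def sample_capture() -> list:
    """Constructed packet records: (time_s, src, dst, flags, payload_len)."""
    packets = []
    # Normal Telnet traffic: a data segment each way, one ACK per data segment.
    for i in range(20):
        packets.append((i * 0.1, "10.0.0.9:4021", "10.0.0.5:23", "PSH/ACK", 12))
        packets.append((i * 0.1 + 0.01, "10.0.0.5:23", "10.0.0.9:4021", "ACK", 0))
    # Desynchronized connection: both peers re-ACK each other with no data at all.
    for i in range(120):
        src, dst = ("10.0.0.9:4021", "10.0.0.5:23") if i % 2 else ("10.0.0.5:23", "10.0.0.9:4021")
        packets.append((5.0 + i * 0.002, src, dst, "ACK", 0))
    return packets


def detect_ack_storm(packets, window_s: float = 1.0, threshold: int = 50) -> list:
    """Alert on any connection with more than `threshold` empty ACKs inside a
    `window_s` sliding window. Normal traffic carries data between ACKs; a
    desynchronized connection carries nothing but ACKs in both directions.
    Returns (flow, time of alert, empty ACKs seen in the window) per flow."""
    empty_acks = defaultdict(list)
    for ts, src, dst, flags, plen in packets:
        if flags == "ACK" and plen == 0:
            empty_acks[tuple(sorted((src, dst)))].append(ts)  # direction-agnostic flow key
    alerts = []
    for flow, times in empty_acks.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:
                start += 1
            if end - start + 1 > threshold:
                alerts.append((flow, round(t, 3), end - start + 1))
                break  # one alert per flow is enough
    return alerts
```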

Questions
