Ethical Hacking: Session Hijacking — Notes

This article is a collection of my personal notes taken while attending the LinkedIn course entitled Ethical Hacking: Session Hijacking. The course is the 11th course in the LinkedIn learning path. The course is divided into 5 sections, named respectively:

  • Network Session Hijacking
  • Web Session Hijacking
  • Additional Tools
  • Service Hijacking
  • Hijacking the Physical World

Network Session Hijacking

Session hijacking means the ability of the attacker to:

  • Take control over communications.
  • Gain access to services without authenticating.
  • Exploit protocol weaknesses.
  • Exploit weak wireless configuration.
  • Exploit web services.

Both sides of a TCP session maintain a 32-bit sequence number used throughout the session. The session starts with a 3-way handshake that sets the initial sequence number on each side; the numbers are then incremented as data is exchanged.
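The handshake and the sequence-number bookkeeping described above, as an added example (not code from the course or the original notes). It models both endpoints, runs the three-way handshake, sends one data segment and then shows the check a receiver applies to every incoming segment; the `random_isn` chooser and the exact-match `in_sequence` test are simplifications assumed by this example, not a real stack's behaviour.

```python
import secrets

MOD = 1 << 32  # sequence numbers are 32-bit and wrap around


def random_isn():
    """Unpredictable initial sequence number. Assumption of this example: a plain
    random 32-bit value standing in for a real stack's ISN chooser."""
    return secrets.randbelow(MOD)


class Endpoint:
    def __init__(self, name, isn):
        self.name = name
        self.snd_nxt = isn   # next sequence number this side will send
        self.rcv_nxt = None  # next sequence number it expects from the peer


def handshake(client, server):
    """Run the three-way handshake; returns the segments as (sender, flags, seq, ack)."""
    segs = []
    # 1. SYN: announces the client ISN and consumes one sequence number
    segs.append((client.name, "SYN", client.snd_nxt, None))
    server.rcv_nxt = (client.snd_nxt + 1) % MOD
    client.snd_nxt = (client.snd_nxt + 1) % MOD
    # 2. SYN-ACK: announces the server ISN and acknowledges the SYN
    segs.append((server.name, "SYN-ACK", server.snd_nxt, server.rcv_nxt))
    client.rcv_nxt = (server.snd_nxt + 1) % MOD
    server.snd_nxt = (server.snd_nxt + 1) % MOD
    # 3. ACK: acknowledges the SYN-ACK; carries no new data
    segs.append((client.name, "ACK", client.snd_nxt, client.rcv_nxt))
    return segs


def send_data(sender, receiver, payload):
    """Data segment: seq advances by the payload length in both sides' bookkeeping."""
    seq, ack = sender.snd_nxt, sender.rcv_nxt
    sender.snd_nxt = (seq + len(payload)) % MOD
    receiver.rcv_nxt = sender.snd_nxt
    return seq, ack


def in_sequence(receiver, seq):
    """Simplified acceptance test: only the exact next expected seq is accepted
    (a real stack accepts anything inside its receive window)."""
    return seq == receiver.rcv_nxt


if __name__ == "__main__":
    c, s = Endpoint("client", random_isn()), Endpoint("server", random_isn())
    for seg in handshake(c, s):
        print(seg)
    print("data seq/ack:", send_data(c, s, b"GET / HTTP/1.0\r\n"))
    # A segment injected by someone who never saw the handshake must guess rcv_nxt;
    # with random ISNs that guess is one value out of 2^32.
    print("random guess accepted:", in_sequence(s, secrets.randbelow(MOD)))
```

The point for defenders is the last line: injected segments are only accepted when they carry the sequence number the receiver expects, which is why predictable initial sequence numbers (and any path that lets a third party observe the session) are what turn this bookkeeping into a hijacking risk.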

Shijack is a TCP connection hijacking tool for Linux, FreeBSD and Solaris.

Web Session Hijacking

HTTP is a stateless protocol, so it doesn’t retain any information between web pages. Whenever there is a need to track this information, state is provided through session IDs (authentication). Session IDs can be passed either embedded in the URL or via cookies.

WebSockets provide the ability to set up a full-duplex communication channel between the client and the server. This requires a handshake over HTTP or HTTPS to upgrade the protocol to WS or WSS, and a WebSocket server to manage the protocol.
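The upgrade handshake mentioned above, shown from both sides as an added example (not code from the course or these notes). The client builds the upgrade request, the server validates it and answers with the `Sec-WebSocket-Accept` value derived from the client's key; the `allowed_origins` check is this example's assumption about what a server should verify before upgrading, and `chat.example` is a constructed host name.

```python
import base64
import hashlib
import secrets

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455


def client_key():
    """Sec-WebSocket-Key: 16 random bytes, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def accept_value(key):
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)); proves the server speaks WebSocket."""
    digest = hashlib.sha1((key + WS_GUID).encode()).digest()
    return base64.b64encode(digest).decode()


def upgrade_request(host, path, key, origin):
    """Client side of the handshake: an HTTP/1.1 request asking to switch to WebSocket."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUpgrade: websocket\r\n"
            f"Connection: Upgrade\r\nSec-WebSocket-Key: {key}\r\n"
            f"Sec-WebSocket-Version: 13\r\nOrigin: {origin}\r\n\r\n")


def parse_request(raw):
    """Split a raw request into its request line and a lower-cased header dict."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def server_handshake(raw, allowed_origins):
    """Server side: validate the upgrade and return (status line, response headers).
    allowed_origins is this example's assumption for the origin check a server should make."""
    _, h = parse_request(raw)
    if h.get("upgrade", "").lower() != "websocket" or "upgrade" not in h.get("connection", "").lower():
        return "HTTP/1.1 400 Bad Request", {}
    if h.get("sec-websocket-version") != "13" or "sec-websocket-key" not in h:
        return "HTTP/1.1 426 Upgrade Required", {"Sec-WebSocket-Version": "13"}
    if h.get("origin") not in allowed_origins:
        # Browsers attach the page's Origin; refusing unknown origins keeps other
        # sites' scripts from opening a socket that rides on the user's cookies.
        return "HTTP/1.1 403 Forbidden", {}
    return "HTTP/1.1 101 Switching Protocols", {
        "Upgrade": "websocket",
        "Connection": "Upgrade",
        "Sec-WebSocket-Accept": accept_value(h["sec-websocket-key"]),
    }


if __name__ == "__main__":
    key = client_key()
    req = upgrade_request("chat.example", "/ws", key, "https://chat.example")
    print(req)
    print(server_handshake(req, {"https://chat.example"}))
```

The key/accept pair does not authenticate anyone; it only proves that the peer understood the WebSocket handshake rather than a caching proxy replaying HTTP. Session authentication still rides on whatever cookie or token the browser attached to the upgrade request, which is why the origin check matters.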

Man In The Browser (MITB) is a form of attack which inserts code inside the user’s browser. It is a difficult attack to detect, as the malware sniffs and modifies the transaction before transmission. MITB can also alter parts of the HTML sent from the server to capture sensitive information, without even anti-virus software noticing.

To create a MITB, the attacker can use:

  • Browser helper object.
  • Browser extension.
  • API hooking.
  • JavaScript.

A MIM (man-in-the-middle) attack can be used to hijack a web session, and it often goes unnoticed until it’s too late. The attacker intercepts the messages coming from both ends (client & server) and replies to each of them, without either side realizing there is a “proxy” between them.

MIM can be established in many ways:

  • Web proxy in the web browser (it can be deliberate — to do testing).
  • ARP poisoning.
  • Malicious WiFi hotspot.

SSL stripping is an attack on the key exchange step: it downgrades the security of the connection without interfering with the certificate. It is also known as an HTTP downgrade attack. The communication between the server and the attacker happens through HTTPS, but the one between the client and the attacker is through HTTP, therefore the attacker can see the messages coming from the client in the clear, while the certificate on the server side validates with no issues.

Session hijacking can also happen through intercepting and re-using cookies.
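An added example (not code from the course or these notes) covering the defensive side of the three points above: session IDs carried in cookies, HTTP downgrade, and cookie re-use. It generates an unpredictable session ID, emits a `Set-Cookie` line whose attributes keep the ID off plain HTTP and away from page scripts, emits the HSTS header that blocks the downgrade on return visits, and audits a server's response headers for the same properties. The cookie name `sid` and the header lines fed to the audit are constructed sample values.

```python
import secrets
from http.cookies import SimpleCookie

REQUIRED_FLAGS = ("Secure", "HttpOnly", "SameSite")


def new_session_id(nbytes=32):
    """Unpredictable session ID (256 bits of randomness); never derive it from user data."""
    return secrets.token_urlsafe(nbytes)


def session_cookie_header(session_id, name="sid", max_age=3600):
    """Set-Cookie line whose attributes limit where the session ID can leak."""
    c = SimpleCookie()
    c[name] = session_id
    c[name]["secure"] = True      # never sent over http://, so a stripped connection cannot carry it
    c[name]["httponly"] = True    # not readable by JavaScript injected into the page
    c[name]["samesite"] = "Lax"   # not attached to most cross-site requests
    c[name]["max-age"] = max_age  # bounded lifetime limits how long a captured cookie is useful
    c[name]["path"] = "/"
    return c.output(header="Set-Cookie:")


def hsts_header(max_age=31536000):
    """Tells returning browsers to refuse plain HTTP for this host (HTTP downgrade mitigation)."""
    return f"Strict-Transport-Security: max-age={max_age}; includeSubDomains"


def audit_set_cookie(line):
    """Return the hardening attributes missing from one Set-Cookie line."""
    body = line.split(":", 1)[1] if line.lower().startswith("set-cookie:") else line
    attrs = {part.strip().split("=", 1)[0].lower() for part in body.split(";")[1:]}
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


def audit_response(headers):
    """headers: list of (name, value) pairs as a server sent them. Returns a list of findings."""
    findings = []
    names = {name.lower() for name, _ in headers}
    if "strict-transport-security" not in names:
        findings.append("missing Strict-Transport-Security: first visit over http:// can be downgraded")
    for name, value in headers:
        if name.lower() == "set-cookie":
            missing = audit_set_cookie(value)
            if missing:
                cookie_name = value.split("=", 1)[0].strip()
                findings.append(f"cookie {cookie_name} missing {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    print(session_cookie_header(new_session_id()))
    print(hsts_header())
    # Constructed sample of a weak response: no HSTS, cookie with no protective attributes.
    weak = [("Content-Type", "text/html"), ("Set-Cookie", "sid=abc123; Path=/")]
    for finding in audit_response(weak):
        print("finding:", finding)
```

`SameSite=Lax` is the usual default for a login session; `Strict` is safer but breaks arriving at the site from an external link while logged in. The audit only checks attribute presence, so a cookie that carries a weak or predictable value still passes it; that is what `new_session_id` is for.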

Subterfuge is a framework used to hijack sessions. It can be used to hijack the session through ARP poisoning. ARP poisoning happens when an attacker sends a forged ARP message associating the IP address of a machine on the network with the attacker’s MAC address.
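The detection side of ARP poisoning, as an added example (not code from the course or from Subterfuge). It parses a constructed log of observed ARP replies in a simple `time ip mac` format and flags the two symptoms the paragraph above implies: an IP address whose MAC changes mid-session, and one MAC answering for several IP addresses. The log format, the addresses and the optional `trusted` map are all assumptions of this example.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a small monitor might log them: "time ip mac".
# The last two lines show one station answering for the gateway and another host.
SAMPLE_ARP_LOG = """\
10:00:01 192.168.1.1 aa:bb:cc:00:00:01
10:00:02 192.168.1.10 aa:bb:cc:00:00:10
10:00:03 192.168.1.11 aa:bb:cc:00:00:11
10:00:09 192.168.1.1 aa:bb:cc:00:00:11
10:00:10 192.168.1.10 aa:bb:cc:00:00:11
"""


def parse_arp_log(text):
    """Return (time, ip, mac) records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, mac = parts
        records.append((ts, ip, mac.lower()))
    return records


def detect_arp_spoofing(records, trusted=None):
    """Flag IP->MAC changes and MACs claiming several IPs.

    trusted: optional dict ip -> expected MAC (e.g. the gateway's known address),
    an assumption of this example for sites that keep such an inventory.
    Returns a list of human-readable findings."""
    trusted = trusted or {}
    findings = []
    macs_for_ip = defaultdict(set)
    ips_for_mac = defaultdict(set)
    for ts, ip, mac in records:
        if ip in trusted and trusted[ip] != mac:
            findings.append(f"{ts} {ip} answered by {mac}, expected {trusted[ip]}")
        if macs_for_ip[ip] and mac not in macs_for_ip[ip]:
            findings.append(f"{ts} {ip} changed from {sorted(macs_for_ip[ip])} to {mac}")
        macs_for_ip[ip].add(mac)
        ips_for_mac[mac].add(ip)
    for mac, ips in ips_for_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    records = parse_arp_log(SAMPLE_ARP_LOG)
    for finding in detect_arp_spoofing(records, trusted={"192.168.1.1": "aa:bb:cc:00:00:01"}):
        print("finding:", finding)
```

A MAC change for one IP is not always an attack (a DHCP reassignment or a replaced NIC produces the same symptom), so the `trusted` map for the gateway is the signal worth alerting on; the other two findings are better treated as triage leads. Static ARP entries for the gateway on critical hosts, or dynamic ARP inspection on the switch, remove the condition this monitor is looking for.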

Additional Tools

Zed Attack Proxy is a web proxy tool that comes with Kali. ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

Cain & Abel is used to collect credentials and crack passwords. It includes session hijacking and MIM through poisoning. It is available for Windows.

Service Hijacking

Secure Shell (SSH) is a common protocol used by system administrators to remotely manage enterprise servers, and is preferred over telnet, as it establishes a secure connection.

Insomnia, a company from New Zealand, invented a tool called PuTTY Hijack (works only on version 0.6) that hijacks PuTTY sessions and puts system administrators at risk. This tool inspired another one called PuTTY Rider, which works on all PuTTY releases. PuTTY Rider can even monitor the session in real time.

A DNS hijack can happen through altering the hosts file on your system. This file exists on both Linux and Windows and provides hard-coded name translation; it is consulted before the DNS server is queried.
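A check a practitioner would want for the hosts-file point above, as an added example (not code from the course or these notes): it parses hosts-file syntax and reports every name that has been pinned to something other than this machine or a `0.0.0.0` sinkhole, since those are the entries that silently bypass DNS. The sample file content and the `expected` allow-list are constructed for this example.

```python
import ipaddress

# Constructed sample hosts file: two normal loopback lines, one intranet pin,
# one entry that redirects a bank's hostnames, and one ad-blocking sinkhole.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1     localhost
::1           localhost ip6-localhost
192.168.1.50  intranet.example.local
203.0.113.7   www.bank.example   bank.example   # added by someone
0.0.0.0       ads.example.net
"""


def parse_hosts(text):
    """Return (address, [names]) per entry; comments and blank lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append((parts[0], parts[1:]))
    return entries


def suspicious_hosts_entries(entries, expected=None):
    """Names redirected somewhere other than this host or a sinkhole.

    expected: optional dict name -> address for pins the site made on purpose
    (an assumption of this example). Returns a list of (address, name, note)."""
    expected = expected or {}
    findings = []
    for addr, names in entries:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, " ".join(names), "unparseable address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue  # localhost aliases and 0.0.0.0 sinkholes are normal hosts-file content
        for name in names:
            if expected.get(name) == addr:
                continue
            note = "private address" if ip.is_private else "global address"
            findings.append((addr, name, note))
    return findings


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    for addr, name, note in suspicious_hosts_entries(entries, expected={"intranet.example.local": "192.168.1.50"}):
        print(f"{name} -> {addr} ({note})")
```

On Linux the file to feed in is `/etc/hosts`; on Windows it is `%SystemRoot%\System32\drivers\etc\hosts`. Because resolvers consult this file before DNS, nothing in DNS logs will show the redirect, so the file itself (and its modification time) is the place to look.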

The cloud is also not immune to hijacking. It could be account hijacking, cloud service traffic hijacking, theft of pay-per-use API keys … The attack can happen through brute-force guessing of passwords, or because the credentials have been compromised through another service.

Hijacking the Physical World

Cars and drones now have multiple networks and dozens of sensors and electronic computer units (ECUs), replacing the early point-to-point wiring with addressable network devices.

This gives attackers the opportunity to remotely access and control these systems — via Bluetooth or the internet. The control can vary from operating the air conditioning system to disabling brakes or accelerators.

A Lifelong Learner