Session Hijacking

  • The attacker waits for a session to begin and, once authentication is complete, jumps in and takes over the established session

  • Can be done via

    • brute force

    • calculation

    • stealing

    • session fixation - send a preconfigured session ID to the target; when the target opens it, wait for authentication to complete and jump in

How it Works

  1. Hacker tracks the session, watching the sequence numbers and the flow of packet headers

  2. Hacker "desynchronizes" the connection by sending a TCP RST or FIN to the client, making it close its side of the session

  3. Hacker then starts sending packets with the guessed session ID, generated by an algorithm

Steps

  1. Sniff the traffic between the client and the server

  2. Monitor the traffic and predict the sequence numbering

  3. Desynchronize the session with the client

  4. Predict the session token and take over the session

  5. Inject packets to the target server

  • NOTE - Sequence numbers advance as data segments are sent and acknowledged

  • Any sequence number from the last ACK number up to ACK number + window size falls inside the receiver's window and is accepted

Tools

  • Ettercap

  • Hunt

  • T-sight

  • Zaproxy

  • Paros

  • Burp Suite

  • Juggernaut

  • Hamster

  • Ferret

Countermeasures

  • Using unpredictable session IDs

  • Limit incoming connections

  • Minimize remote access

  • Regenerate the session key after authentication is complete

  • Use encryption to protect the channel

  • IPSec
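The two application-layer countermeasures above (unpredictable session IDs and regenerating the session key after authentication) also defeat the preconfigured-session-ID attack described earlier. The following is an added example, not code from the original notes: a minimal in-memory session store (constructed here, with assumed names such as `SessionStore`, `begin` and `login`) that ignores IDs the server never issued, generates IDs from the OS CSPRNG, and rotates the ID on login.

```python
"""Session hijacking countermeasures: unpredictable IDs, no fixation, rotation on login."""
import secrets
import time


class SessionStore:
    """Minimal in-memory session store (constructed for this example)."""

    def __init__(self):
        self._sessions = {}  # session_id -> session data

    @staticmethod
    def weak_session_id(counter):
        # Anti-pattern: timestamp + counter IDs can be guessed by "calculation"
        return f"{int(time.time())}-{counter}"

    @staticmethod
    def new_session_id():
        # 32 bytes from the OS CSPRNG: neither predictable nor brute-forceable
        return secrets.token_urlsafe(32)

    def begin(self, presented_id=None):
        """Start or resume a session. An ID the client presents that this
        server never issued (e.g. one planted via a crafted link) is ignored,
        so a preconfigured ID never becomes a live session."""
        if presented_id in self._sessions:
            return presented_id
        sid = self.new_session_id()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Authenticate and regenerate the session ID. The pre-auth ID is
        invalidated, so anyone holding it gains nothing after login."""
        if sid not in self._sessions:
            raise ValueError("unknown session")  # never upgrade an unissued ID
        data = self._sessions.pop(sid)
        data["user"] = user
        new_sid = self.new_session_id()
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        """Return the authenticated user for sid, or None if absent/anonymous."""
        return self._sessions.get(sid, {}).get("user")
```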
