Module: Session hijacking

Session hijacking is synonymous with a stolen session, in which an attacker intercepts and takes over a legitimately established session between a user and a host. The user–host relationship can apply to access of any authenticated resource, such as a web server, Telnet session, or other TCP-based connection. Attackers place themselves between the user and host, thereby letting them monitor user traffic and launch specific attacks. Once a successful session hijack has occurred, the attacker can either assume the role of the legitimate user or simply monitor the traffic for opportune times to inject or collect specific packets to create the desired effect.

In its most basic sense, a session is an agreed-upon period of time under which the connected state of the client and server is vetted and authenticated. This simply means that both the server and the client know (or think they know) who each other are, and based on this knowledge, they can trust that data sent either way will end up in the hands of the appropriate party.

If a session hijack is carried out successfully, what is the danger? Several events can take place at this point, including identity theft and data corruption.

How attackers steal the session ID

An attacker carrying out a session hijack is seeking to take over a session for their own needs. Once they have taken over a session, they can then go about stealing data, issuing commands, or even committing transactions that they wouldn’t be able to otherwise.

Session hijacks are easy to launch. TCP/IP is vulnerable, and most countermeasures, except for encryption, do not work. The following also contribute to the success of session hijacking:

  • No account lockout for invalid session IDs
  • Insecure handling
  • Weak session ID generation algorithm
  • Indefinite session expiration time
  • Cleartext transmission
  • Small session IDs
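
Each weakness in the list above has a matching server-side control. The following is an added example, not part of the original notes: a minimal in-memory session store in Python. The class name, timeout values and lockout threshold are assumptions chosen for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed policy: 15 minutes of inactivity
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed policy: 8 hours maximum lifetime
MAX_INVALID = 5               # assumed policy: unknown IDs tolerated per client


class SessionStore:
    """Hypothetical in-memory store; not taken from any real framework."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}   # session id -> {"user", "created", "seen"}
        self.invalid = {}    # client address -> count of unknown IDs presented

    def create(self, user):
        # 32 bytes from the OS CSPRNG: long and unpredictable,
        # unlike a counter, timestamp or short random number.
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[sid] = {"user": user, "created": now, "seen": now}
        return sid

    def cookie_header(self, sid):
        # Secure: never sent over cleartext HTTP. HttpOnly: hidden from page scripts.
        return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"

    def validate(self, sid, client):
        """Return the user for a live session, else None."""
        if self.invalid.get(client, 0) >= MAX_INVALID:
            return None                    # client locked out after repeated bad IDs
        now = self.clock()
        s = self.sessions.get(sid)
        if s is None:
            self.invalid[client] = self.invalid.get(client, 0) + 1
            return None
        if now - s["seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self.sessions[sid]         # expired sessions are destroyed server-side
            return None
        s["seen"] = now
        return s["user"]

    def logout(self, sid):
        self.sessions.pop(sid, None)       # invalidate on the server, not just the cookie
```

A production lockout would normally expire after a time window and be combined with alerting; the counter here is kept permanent only to keep the example short.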

Spoofing vs. Hijacking

Before we go too far, you should know that spoofing and hijacking are two distinctly different acts.

Spoofing occurs when an attacking party pretends to be something or someone else, such as a user or computer. The attacker does not take over any session.

In hijacking, the attacker takes over an existing active session. In this process, the attacker waits for an authorized party to establish a connection to a resource or service and then takes over the session.

The process of session hijacking looks like this:

Step 1: Sniffing. You must be able to sniff the traffic on the network between the two points that have the session you wish to take over.

Step 2: Monitoring. At this point your goal is to observe the flow of traffic between the two points with an eye toward predicting the sequence numbers of the packets.

Step 3: Session Desynchronization. This step involves breaking the session between the two parties.

Step 4: Session ID Prediction. At this point, you predict the session ID itself (more on that later) to take over the session.

Step 5: Command Injection. At this final stage, as the attacker you are free to start injecting commands into the session targeting the remaining party (most likely a server or other valuable resource).

Practical:

For stealing cookies, there's a plugin for the Chrome browser: EditThisCookie.

EditThisCookie is used to steal cookies from the victim's browser and use those cookies for the attacker's own purposes.

c_user – the victim's user ID on the social media site (e.g., Facebook). The c_user ID of any victim can be found in the view-source section of the victim's page.

xs – the session ID; this is the important thing to get.

Tools to get session IDs

Wireshark

Burp suite

Cookies folder location in Windows 10/8/7

To see where Internet Explorer stores its Cookies in Windows 10/8.1/8/7/Vista, open Explorer > Organize > Folder Options > Views > Check ‘Do not show hidden files and folders’ and Uncheck ‘Hide protected OS files‘ > Apply > OK.

Now you will be able to see the two real locations of Windows Cookies folders at the following address in Windows 7:

  • C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies
  • C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low

In Windows 8 and Windows 8.1, the Cookies are stored in this folder:

  • C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies

In Windows 10 you may open Run box, type shell:cookies and hit Enter to open the Cookies folder. It is located here:

  • C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies
