SESSION HIJACKING
PRESENTED BY: MISS. GAYATRI V. KAPSE
Contents:
• Introduction to session hijacking
• TCP session hijacking
• TCP session hijacking with packet blocking
• Session hijacking tools
• UDP hijacking
• Prevention
What is a session?
• A lasting connection between a user and a server, usually involving the exchange of many requests.
Session flow (figure: CLIENT, SERVER, SESSION DATA)
1. Request connection
2. Create session
3. Session id
4. Session id passed
5. Validate session
6. Retrieve session id
7. Successful response
Session Hijacking
Session hijacking is the act of taking control of a user session after successfully obtaining an authenticated session ID.
Session hijacking involves an attack that uses a captured session ID to grab control of a legitimate user's web application session while that session is still in progress.
Session hijacking takes place at the transport layer or the network layer of the OSI model.
TCP SESSION HIJACKING
The hacker takes control of a TCP session between two hosts. The session can be hijacked after the hosts have authenticated successfully. The authentication process followed by TCP is defined as the three-way handshake.
Three way handshake
Categories of TCP Session Hijacking
Based on the anticipation of sequence numbers, there are two types of TCP hijacking:
◦ Blind hijacking
◦ Man-in-the-middle (MITM) attack
Man-in-the-middle (MITM)
A hacker can also be "inline" between B and C, using a sniffing program to watch the sequence numbers and acknowledgement numbers in the IP packets transmitted between B and C, and then hijack the connection. This is known as a "man-in-the-middle attack".
Continuous ACK transfer
• Losing the ACK packet
• Ending the connection
• Resynchronizing client and server
ACK attack
ACK attack without DoS
ACK loop
TCP session hijacking with packet blocking
Methods of TCP session hijacking with packet blocking
Route Table Modification
The route table can be seen with the netstat -nra command at the console prompt on Windows or Linux/Unix.
There are two entries in the Linux route table:
1. The way to all the nodes within the LAN
2. The way to all the addresses not on the LAN
Linux route table
Sections of the route table
• The active route
• The active connection
Route table in action
Active connection section
The network addresses of computers that are connected to the host computer can be seen with netstat -F (or netstat -n) on a Linux box, and in the active connection section on a Windows box.
Route table modification attack
ARP (Address Resolution Protocol) attack
The ARP table on a computer stores IP addresses and the corresponding MAC addresses.
The ARP table can be seen with the arp -a command at the console prompt.
ARP request (figure: 192.168.0.102 asks "Who has 192.16.0.78"; two replies are seen, "01:23:a1:b2:ff:09 has 192.168.0.78" and "01:b5:44:8e:01:d7 has 192.168.0.78"; one host is labelled HACK)
Capturing the ARP broadcast response
Session hijacking tools
Hunt
• It performs sniffing and session hijacking
• The Hunt tool provides the following menu options: 1. Listing 2. Watching 3. Resetting connections
• It hijacks a session through an ARP attack
• Allows the hacker to synchronize the connection between host and server during session hijacking.
UDP Hijacking
• It does not have error recovery features
• More vulnerable to hijacking
• The victim is the local computer, not the server
Prevention
• Encryption
• Storm watching
Encryption: the encryption methods used in SSH and TLS
Storm watching
Refers to watching for abnormal increases in network traffic and alerting the security officer when they occur.
Two packets with the same header information but different sizes could be evidence of hijacking.
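As an added example that is not part of the original slides, the Python below applies the two storm-watching heuristics above to a small constructed capture: it flags a TCP header that is seen with two different segment sizes, and a flow that carries an abnormal burst of bare ACKs (an ACK loop). The packet field names, addresses and threshold are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample capture (assumed field names, not real traffic):
# a telnet flow where one header repeats with a different size.
PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "sport": 51000, "dport": 23,
     "seq": 1000, "ack": 5000, "flags": "PA", "length": 60},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "sport": 23, "dport": 51000,
     "seq": 5000, "ack": 1020, "flags": "PA", "length": 72},
    # Same header fields as the first packet but a different size: suspicious.
    {"src": "10.0.0.5", "dst": "10.0.0.9", "sport": 51000, "dport": 23,
     "seq": 1000, "ack": 5000, "flags": "PA", "length": 96},
]
# Add a burst of zero-payload ACKs bouncing between the two hosts (ACK loop).
for i in range(40):
    c2s = i % 2 == 0
    PACKETS.append({"src": "10.0.0.5" if c2s else "10.0.0.9",
                    "dst": "10.0.0.9" if c2s else "10.0.0.5",
                    "sport": 51000 if c2s else 23, "dport": 23 if c2s else 51000,
                    "seq": 1020 if c2s else 5072, "ack": 5072 if c2s else 1020,
                    "flags": "A", "length": 0})


def header_key(p):
    """All header fields the slide's heuristic compares."""
    return (p["src"], p["sport"], p["dst"], p["dport"],
            p["seq"], p["ack"], p["flags"])


def flow_key(p):
    """Direction-independent key so both halves of a connection count as one flow."""
    return tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))


def find_size_mismatches(packets):
    """Headers seen with more than one segment size -> {header: sorted sizes}."""
    sizes = defaultdict(set)
    for p in packets:
        sizes[header_key(p)].add(p["length"])
    return {k: sorted(v) for k, v in sizes.items() if len(v) > 1}


def find_ack_storms(packets, threshold=20):
    """Flows whose number of bare (zero-payload) ACKs exceeds the threshold."""
    counts = defaultdict(int)
    for p in packets:
        if p["flags"] == "A" and p["length"] == 0:
            counts[flow_key(p)] += 1
    return {k: n for k, n in counts.items() if n > threshold}


if __name__ == "__main__":
    print("size mismatches:", find_size_mismatches(PACKETS))
    print("ACK storms:", find_ack_storms(PACKETS))
```

In a real deployment the threshold would be a rate per time window rather than a raw count, and an alert would go to the security officer as the slide describes.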
SUMMARY
Hijacking is the process of taking the authority of an authorized person and injecting oneself into the network as a legitimate user.
Hijacking can be done as TCP session hijacking, packet blocking, or UDP hijacking.
Hunt is a session hijacking tool. For prevention from hijacking, the SSH and TLS protocols are used.
QUESTIONS
• Explain how session hijacking is achieved.
• Explain TCP session hijacking with packet blocking.
• Explain the following terms: i) Hunt ii) Storm watching
THANK YOU!!!