Wednesday, 22 January 2014

Session Hijacking: how it happens, tips, and how to avoid it

Session hijacking is sometimes called cookie hijacking.

If a hacker compromises your computer, he or she can easily read the cookies stored on it; those cookies hold your username and password, and the hacker can easily decode them.

How is TCP session hijacking done?
First, learn how TCP works, as explained below, in order to understand what a session is.
TCP three-way handshake connection.
1. Step 1 - SYN
When a workstation wants to communicate with a server, it builds a packet with the SYN (synchronize) bit set and sends it to the server. Included in this SYN packet is an initial sequence number (X). The client computer generates this sequence number with a random number generator; random number generators are used to help prevent communication sessions from being compromised (more on this in the next section). Sequence numbers are critical to network communications because they are used to guarantee packet delivery: computers use them to track incoming packets and reassemble them as they arrive at their destination. From the attacker's perspective, however, the ability to predict sequence numbers provides the mechanism needed to successfully hijack a communication session.

2. Step 2 - SYN/ACK
When the server receives the client's SYN (synchronize) packet, it responds to the workstation with a packet that has both the SYN and ACK (synchronize and acknowledge) bits set. The packet includes the server's own randomly generated sequence number (represented in the drawing by the letter P). The server also acknowledges the client's sequence number by adding 1 to the sequence number sent by the client computer (X + 1).
3. Step 3 - ACK
The final phase of the three-way handshake is the client sending an ACK packet to the server, confirming its desire to communicate. The workstation prepares a packet with the ACK (acknowledge) bit set, carrying its own next sequence number (X + 1) and an acknowledgement of the server's sequence number. When the packet arrives at the server, the communication session is established and communication can begin. An active session is maintained until one of the machines sends a RST (reset) or FIN (finish) packet to the other.
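The three steps above, worked through in code. This is an added example, not part of the original post: a small teaching model of the handshake in which each endpoint tracks the sequence number it will send next and the one it expects to receive. The class and segment layout are assumptions for illustration, not a real TCP stack. The fixed numbers 1000 and 5000 stand in for X and P so the trace is readable; left unset, each side draws its initial sequence number at random, which is exactly what makes the numbers hard to predict, and the `accepts` check shows why: a segment whose sequence number does not fall inside the receive window is silently dropped.

```python
"""Simulated TCP three-way handshake with sequence-number tracking.

Added example, not from the original post. The Endpoint class and the
segment dicts are a teaching model of the handshake described above,
not a real TCP implementation.
"""
import secrets

SEQ_MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


class Endpoint:
    """One side of a TCP connection, tracking its own sequence numbers."""

    def __init__(self, name, isn=None):
        self.name = name
        # Initial sequence number (X or P): random unless fixed for the demo
        self.snd_nxt = secrets.randbelow(SEQ_MOD) if isn is None else isn
        self.rcv_nxt = None  # next sequence number we expect from the peer
        self.state = "CLOSED"

    def send_syn(self):
        """Step 1: client sends SYN carrying its initial sequence number X."""
        seg = {"flags": "SYN", "seq": self.snd_nxt, "ack": None}
        self.snd_nxt = (self.snd_nxt + 1) % SEQ_MOD  # the SYN consumes one number
        self.state = "SYN_SENT"
        return seg

    def recv_syn(self, seg):
        """Step 2: server answers with SYN/ACK: its own number P, acknowledging X + 1."""
        assert seg["flags"] == "SYN"
        self.rcv_nxt = (seg["seq"] + 1) % SEQ_MOD
        reply = {"flags": "SYN/ACK", "seq": self.snd_nxt, "ack": self.rcv_nxt}
        self.snd_nxt = (self.snd_nxt + 1) % SEQ_MOD
        self.state = "SYN_RECEIVED"
        return reply

    def recv_synack(self, seg):
        """Step 3: client verifies the acknowledgement and sends ACK with seq X + 1, ack P + 1."""
        assert seg["flags"] == "SYN/ACK"
        if seg["ack"] != self.snd_nxt:
            raise ValueError(f"{self.name}: SYN/ACK acknowledges the wrong number")
        self.rcv_nxt = (seg["seq"] + 1) % SEQ_MOD
        self.state = "ESTABLISHED"
        return {"flags": "ACK", "seq": self.snd_nxt, "ack": self.rcv_nxt}

    def recv_ack(self, seg):
        """Server side of step 3: the session is now established."""
        assert seg["flags"] == "ACK"
        if seg["ack"] != self.snd_nxt:
            raise ValueError(f"{self.name}: ACK acknowledges the wrong number")
        self.state = "ESTABLISHED"

    def accepts(self, seq, window=65535):
        """True if a data segment with this sequence number lands inside the
        receive window; anything else is discarded. With a random initial
        sequence number an outsider has no way to pick a value that passes."""
        offset = (seq - self.rcv_nxt) % SEQ_MOD
        return offset < window


def three_way_handshake(client_isn=None, server_isn=None):
    """Run the handshake and return both endpoints plus the segment trace."""
    client = Endpoint("client", client_isn)
    server = Endpoint("server", server_isn)
    trace = []
    syn = client.send_syn()
    trace.append(syn)
    synack = server.recv_syn(syn)
    trace.append(synack)
    ack = client.recv_synack(synack)
    trace.append(ack)
    server.recv_ack(ack)
    return client, server, trace


if __name__ == "__main__":
    c, s, trace = three_way_handshake(client_isn=1000, server_isn=5000)
    for seg in trace:
        print(seg)
    print(c.state, s.state)
    print("server accepts seq 1001:", s.accepts(1001))
    print("server accepts seq 900 :", s.accepts(900))
```

Running it prints the SYN with seq 1000, the SYN/ACK with seq 5000 and ack 1001, and the ACK with seq 1001 and ack 5001, then shows the server accepting a segment numbered 1001 and dropping one numbered 900.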

A popular method uses source-routed IP packets. This allows a hacker at point A on the network to participate in a conversation between B and C by encouraging the IP packets to pass through A's machine.
If source routing is turned off, the hacker can use "blind" hijacking, whereby he or she guesses the responses of the two machines. The hacker can send a command but can never see the response. However, a common command would be to set a password allowing access from somewhere else on the net.
A hacker can also sit "inline" between B and C, using a sniffing program to watch the conversation. This is known as a "man-in-the-middle" attack.

A common component of such an attack is a denial-of-service (DoS) attack against one endpoint to stop it from responding. This can be aimed at the machine, to force it to crash, or at the network connection, to force heavy packet loss.
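Because the source-routing technique above only works where hosts accept source-routed packets, the first thing to check on a Linux host is the kernel setting that governs this. The following is an added example, not from the original post: it parses text in the format printed by `sysctl -a` and reports where source-routed packets are still accepted. The key names `net.ipv4.conf.<scope>.accept_source_route` are the real Linux sysctls (on Linux the `all` entry gates every interface, so an interface accepts source-routed packets only when both `all` and its own entry are non-zero); the sample values are constructed for the demonstration.

```python
"""Audit Linux sysctl output for acceptance of source-routed packets.

Added example, not from the original post. Input is constructed text in
the `key = value` format printed by `sysctl -a`; the kernel key names are
real, the values below are made up for the demonstration.
"""

# Constructed sample of `sysctl -a | grep accept_source_route` output.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.eth0.accept_source_route = 1
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.ip_forward = 0
"""

KEY_PREFIX = "net.ipv4.conf."
KEY_SUFFIX = ".accept_source_route"


def parse_sysctl(text):
    """Parse `key = value` lines into a dict; blank and comment lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def _scope(key):
    """'net.ipv4.conf.eth0.accept_source_route' -> 'eth0'."""
    return key[len(KEY_PREFIX):-len(KEY_SUFFIX)]


def audit_source_routing(settings):
    """Scopes (all/default/interface) whose own setting is still non-zero.

    Even when `all` is 0 today, a non-zero per-interface value is a latent
    weakness: flipping `all` later would re-enable source routing there."""
    return sorted(
        _scope(key)
        for key, value in settings.items()
        if key.startswith(KEY_PREFIX) and key.endswith(KEY_SUFFIX) and value != "0"
    )


def effective_source_routing(settings):
    """Per-interface effective state: on Linux an interface accepts
    source-routed packets only when both conf/all and conf/<if> are non-zero."""
    all_on = settings.get(KEY_PREFIX + "all" + KEY_SUFFIX, "0") != "0"
    result = {}
    for key, value in settings.items():
        if key.startswith(KEY_PREFIX) and key.endswith(KEY_SUFFIX):
            scope = _scope(key)
            if scope != "all":
                result[scope] = all_on and value != "0"
    return result


def hardening_lines(findings):
    """Sysctl lines that turn source routing off for each flagged scope,
    always including `all`, which gates every interface."""
    scopes = sorted(set(findings) | {"all"})
    return [f"{KEY_PREFIX}{s}{KEY_SUFFIX} = 0" for s in scopes]


if __name__ == "__main__":
    settings = parse_sysctl(SAMPLE_SYSCTL)
    weak = audit_source_routing(settings)
    print("non-zero accept_source_route:", weak)
    print("effective per interface:", effective_source_routing(settings))
    print("suggested /etc/sysctl.d entries:")
    for line in hardening_lines(weak):
        print("  ", line)
```

On the sample input the audit flags `default` and `eth0`, the effective state is still off everywhere because `all` is 0, and the suggested configuration pins `all`, `default` and `eth0` to 0 so the host stays that way.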

What Makes the Attack So Dangerous?
Why is the session hijack attack so dangerous, and should security professionals really be concerned? The risks resulting from session hijack attacks cannot be eliminated by software patches, complex passwords, or multi-factor authentication. The root cause of the attack lies in design limitations inherent to the TCP/IP protocol. In addition, all machines, regardless of operating system or hardware architecture, are vulnerable to the session hijack attack provided they are running TCP/IP.
The attacker has the ability to read and modify data, violating the confidentiality and integrity portions of the confidentiality, integrity and availability model. Availability is also affected by the session hijack attack, because ARP storms and denial-of-service conditions are a byproduct of the attack.

Detecting Session Hijack Attacks
Two primary technologies assist in session hijack detection. The more manual of the two is packet sniffing software, which can be used to scan for the signatures of an attack. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) provide a more automated method of detection, but they can also create more analysis work for the security administrator. Session hijack attacks are very difficult to detect on busy networks. There are tell-tale signs, such as computers being disconnected from the network or periodic network congestion, but users usually dismiss these signs as "typical network problems". There are several steps a network administrator can take to preemptively protect the network. Remember, defense in depth is critical to an effective security plan, and where possible multiple layers of protection should be implemented.
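The "scan for signatures" approach above, applied to the ARP storms the previous section names as a byproduct of the attack. This is an added example, not from the original post: it reads ARP summary lines in the style tcpdump prints them and raises two kinds of finding, an IP address announced by more than one MAC address (the classic sign that a station is being impersonated on the LAN) and a burst of ARP replies within a single second (the storm that users experience as "periodic network congestion"). The capture lines, addresses and timings are constructed, and the burst threshold of 50 replies per second is an assumption to be tuned for a real network.

```python
"""Flag ARP anomalies that accompany session hijacking on a LAN.

Added example, not from the original post. The capture lines below are
constructed in the style of tcpdump's ARP summaries; addresses and
timings are made up. The burst threshold is an assumption, not a tuned value.
"""
import math
import re
from collections import defaultdict

# Matches lines such as
#   12:00:00.101 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
#   12:00:00.100 ARP, Request who-has 10.0.0.1 tell 10.0.0.25, length 28
ARP_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d(?:\.\d+)?) ARP, "
    r"(?:Reply (?P<rip>\S+) is-at (?P<mac>[0-9a-f:]{17})"
    r"|Request who-has (?P<qip>\S+) tell (?P<src>\S+)), length \d+$"
)

# Constructed sample: a normal request/reply exchange for the gateway,
# then 60 replies in one second in which a second MAC claims the same IP.
SAMPLE_CAPTURE = [
    "12:00:00.100 ARP, Request who-has 10.0.0.1 tell 10.0.0.25, length 28",
    "12:00:00.101 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28",
    "12:00:00.150 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28",
] + [
    f"12:00:05.{i:03d} ARP, Reply 10.0.0.1 is-at aa:bb:cc:dd:ee:ff, length 28"
    for i in range(60)
]


def parse_arp_line(line):
    """Return {'t', 'kind', 'ip', 'mac'} for an ARP line, or None for anything else."""
    m = ARP_RE.match(line)
    if not m:
        return None
    t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])  # seconds since midnight
    if m["rip"]:
        return {"t": t, "kind": "reply", "ip": m["rip"], "mac": m["mac"]}
    return {"t": t, "kind": "request", "ip": m["qip"], "mac": None}


def find_conflicts(records):
    """IPs announced by more than one MAC address: a station being impersonated."""
    claims = defaultdict(set)
    for r in records:
        if r["kind"] == "reply":
            claims[r["ip"]].add(r["mac"])
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


def find_reply_bursts(records, threshold=50):
    """(second, count) pairs for every second with more than `threshold` replies."""
    per_second = defaultdict(int)
    for r in records:
        if r["kind"] == "reply":
            per_second[math.floor(r["t"])] += 1
    return sorted((sec, n) for sec, n in per_second.items() if n > threshold)


def analyse(lines, threshold=50):
    """Parse the capture and return (conflicts, bursts)."""
    records = [r for r in map(parse_arp_line, lines) if r]
    return find_conflicts(records), find_reply_bursts(records, threshold)


if __name__ == "__main__":
    conflicts, bursts = analyse(SAMPLE_CAPTURE)
    for ip, macs in conflicts.items():
        print(f"CONFLICT {ip} claimed by {sorted(macs)}")
    for sec, n in bursts:
        print(f"STORM    {n} ARP replies in second {sec}")
```

On the sample capture this reports 10.0.0.1 being claimed by two different MAC addresses and a burst of 60 replies in one second. In practice the conflict check is the more reliable of the two: a burst alone can be a misbehaving switch, but one IP answered by two MACs always deserves a look at the switch port each MAC sits behind.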
