MOD 11 - Session Hijacking Flashcards
Session Hijacking
Discuss the various techniques for performing a session hijack. document.cookie holds the session ID (cookie) for the current user on a website. Steal that and you can impersonate the user and perform a session hijack.
Session Fixation vs Session Donation
In a session fixation attack, you take advantage of a vulnerability on a web server to hijack a victim’s established session. First, create a session ID (let’s say 1234), then trick the victim into logging in to a website using that session ID (that’s where the vuln comes in: the server should generate the ID, not accept a pre-generated one! Unfortunately some do, which is why it’s a vulnerability). Now the attacker can hijack the victim’s session since he already knows the ID.
Session Hijacking causes & cures
Use random, non-predictable session cookies, and only allow server-generated cookies (never user-supplied cookies)
FTP is unencrypted. FTPS (FTP Secure) transfers data using encryption and digital signatures, which reduces the chances of an attacker stealing credentials and performing a session hijack. (SFTP, Secure FTP, is another protocol that does the same.)
Use HTTPS instead of HTTP. Also, use the latest & greatest protocol for this: TLS v1.2 (or 1.3). Do NOT use SSL as it has serious vulns.
To encrypt e-mail messages between mail servers using TLS, use the command STARTTLS.
Use SSH (Secure Shell) instead of Telnet. SSH can be used to encrypt other types of traffic too.
Modern OS implementations use non-predictable TCP sequence numbers so someone can’t do a TCP-style session hijack.
- Burp Suite
Suite of tools for penetration testing web applications. Allows you to do session hijacking via a proxy that can intercept, inspect, and modify traffic on the way to the server.
* IPSEC - IP Security (Layer-3 security protocol)
Used to create VPN tunnels. It can authenticate the sender, hash the data (as an integrity check), and encrypt the payload and/or headers for confidentiality.
- AH vs ESP
AH (Authentication Header) ONLY does Authentication and Integrity (hashing). ESP (Encapsulating Security Payload) does all that PLUS encryption. If you need Confidentiality, you must choose ESP over AH.
- Transport vs Tunnel
Use IPSEC Transport Mode for your LAN, and Tunnel Mode for going across the internet.
- Authentication factors:
Something you know, have, are, etc.
Biometrics - something you are
Retina, iris, and fingerprint scanners, voice recognition, etc. Very processor-intensive; needs a good CPU and a lot of RAM to analyze your scanned data, compare it to the database, and accept or reject you.
*Behavioral biometrics
Measures something you “do”. Ex: the way you type, walk, sign your name, etc.
- Counter-based authentication
Authentication system that creates one-time passwords that are encrypted with secret keys.
*Bettercap
Tool for wireless ARP poisoning and sniffing.