For two systems to communicate with each other, a TCP connection must already be established. Session hijacking occurs when an attacker takes over that TCP communication. The attack is feasible because authentication happens only at the beginning of the session: once an attacker steals a legitimate session ID and presents it to the server as their own, the server treats them as the victim, and they can gather personal information, which can pose a serious problem for the victim.
Attackers usually gain access by sniffing traffic, which enables them to carry out crimes such as identity theft, information theft or fraud. Spoofing and hijacking are sometimes confused, since both are ways of obtaining information through a victim's machine, but they are different techniques.
Session hijacking is usually successful because of weak security measures around the communication between the target systems. For instance, sessions often have no time limit and can stay open indefinitely, which gives attackers ample time to hijack the session and perform nefarious activities. Other vulnerabilities that give attackers the opportunity to hijack sessions are -
Here, the attacker takes over the communication session, acts as the second party in the conversation, and extracts information by impersonating that party.
The attacker intercepts the communication between the two systems but does not take part in their interaction; instead, the attacker records all the information carried in the traffic between the two systems. Network level hijacking: in this method the attacker intercepts packets during the TCP session while the client and server are exchanging data.
Here, the attacker focuses on taking over the user's HTTP session by obtaining session IDs.
Attackers use various means to retrieve session IDs from the traffic between two communicating parties. Some of these methods are:
One method of stealing a session ID uses the HTTP Referer header. The attacker lures the victim to the attacker's website; the victim's browser then sends the URL of the page it came from in the Referer header, and that URL often contains the victim's session ID. The process depends on a malicious link which, when clicked by the victim, starts the session ID theft. Other stealing techniques include:
* Traffic sniffing
* Deploying Trojans to target systems
* Cross-site-scripting attacks
Here, the attacker observes the variable parts of the captured session IDs and tries to figure out which session ID belongs to the intended victim.
This technique is also known as session prediction. The attack works when the range of possible values for a targeted session ID is small: the attacker collects a number of session IDs and uses them to guess the correct ID for the target.
The attacker sits between the two communicating systems, examines the flow of packets between them, and tries to guess the TCP sequence number. Once the sequence number has been guessed, the attacker sends data to the server ahead of the victim machine's next packet.
Here, the attacker tries to break the communication between the victim machine and the system it is talking to.
The attacker injects crafted packets into the connection with the target server.
Instructions for web developers:
* Generate session IDs with strong algorithms so that they are long and difficult to guess or compromise.
* Change the session ID after a successful login to limit session fixation.
* Ensure that user data and session keys transmitted through servers are encrypted.
* Prevent network level eavesdropping.
* Shorten the lifetime of a session or cookie, and make sure the session expires when the user logs out.
Instructions for web users:
* Protect systems from malicious links by using firewalls.
* Do not click on links or open websites that are not trusted.
* Restrict cookies with firewall and browser settings.
* Clear cookies, history and other sensitive information from web browsers after important transactions.
* If a website requires login details, log out after every session.
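The developer-side measures above (long random IDs, a fresh ID after login, expiry on logout or after inactivity, and cookie attributes that limit exposure) shown in a small server-side session store. This is an added example, not code from the original article; the class, timeout value and cookie attributes are assumptions chosen for illustration.

```python
import secrets
import time

# Constructed demo of the developer countermeasures listed above:
# unpredictable session IDs, ID rotation at login (against fixation),
# idle expiry, and server-side invalidation at logout.
IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dropped (assumed)

class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock  # injectable clock so expiry can be tested
        self._sessions = {}  # session_id -> {"user": str|None, "last_seen": float}

    def _new_id(self):
        # 32 bytes from the OS CSPRNG: cannot be predicted from earlier IDs
        return secrets.token_urlsafe(32)

    def start(self):
        """Create an anonymous (pre-login) session and return its ID."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, sid, user):
        """Authenticate and rotate the ID so a pre-login ID cannot be reused."""
        self._sessions.pop(sid, None)  # the old ID stops working immediately
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def lookup(self, sid):
        """Return the session record if it is live, else None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # expire idle sessions on the server side
            return None
        s["last_seen"] = self._clock()
        return dict(s)

    def logout(self, sid):
        """Invalidate server-side so a captured cookie is useless afterwards."""
        self._sessions.pop(sid, None)

def cookie_header(sid):
    """Set-Cookie value that keeps the ID off plaintext links and away from scripts."""
    return f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
```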
IPSec is a security measure designed to protect against session hijacking by encrypting and authenticating the data in each IP packet transmitted during communication. It is designed mostly for remote user access, to implement virtual private networks.
IPSec is made up of several software components that together provide data integrity, confidentiality, replay protection, data origin authentication and network level authentication.
IPSec drivers: these use Internet-layer protocols to encrypt and decrypt data packets.
Internet Key Exchange: this generates the security keys used by IPSec and other protocols.
Internet Security Association and Key Management Protocol: this mechanism allows two systems to communicate easily and securely by encrypting the data transmitted between them.
Oakley: this protocol uses the Diffie-Hellman algorithm to generate two keys: a master key, and a regenerated key that is used to start data transfer for each IPSec session.
IPSec policy agent: this retrieves the IPSec policy settings from Active Directory and sends the configuration to the system at startup.
Published with the express permission of the author.