Apart from the active and passive hijacking classifications, which, true to their names, describe the attacker's level of involvement in the system, there are level-based hijackings that are specific to the network and the applications of the target system.
This type of hijacking allows the attacker to gain access to session IDs through theft or guessing, for the sole purpose of getting through the web server without authorization. There are different techniques for gaining session IDs or tokens:
* Cross-site scripting attacks
* Session fixation
* Session relay
* Cross-site request forgery attack
* Man-in-the-middle attack
* Prediction
* Man-in-the-browser attack
* Session sniffing
This technique involves the attacker guessing the right token for the target system, with a varying number of tokens available to make the prediction from. Attackers could choose to carry out the prediction by hand, or through different cryptanalytic devices. Attackers do this by recognizing a pattern in the generation of tokens and capitalizing on this analysis. The prediction method works mainly against weak algorithms.
Since the algorithms used for generating session IDs are custom fitted to the systems, there is a pattern to this development. Hence, once the attacker can guess the session value or the session IDs, it is easier to carry out a session hijacking. The attacker obtains session IDs for analysis by capturing various session IDs.
This is an active type of hijacking, meaning the communication between two systems is ongoing, and the attacker intercepts this connection to gain access to messages. Once the TCP communication is intercepted, the attacker is able to access and change information passing to the server and client.
This successful interception is divided into two connections:
This uses Trojans to intercept calls between the browser and the security walls put in place to prevent attacks. The Trojans must be installed on the system before attackers are able to interrupt and manipulate financial transactions in internet banking systems.
This exploits the trust connection between users, by using a trusted site to carry out attacks.
Session fixation
This works by hijacking a valid session: the user is tricked into using an authenticated session ID, after which the attacker hijacks the session without the knowledge of the user. There are some ways to lure users into using a pre-prepared token:
* By putting the token in a cookie
* By putting the token in a hidden form field
* By putting the token in a URL argument
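
The usual defence against session fixation is to issue a fresh session ID at login and to ignore IDs the server did not create itself. The following is an added example, not part of the original article; `SessionStore` and its method names are hypothetical, and it models a login that keeps the pre-login ID beside one that regenerates it.

```python
import secrets

class SessionStore:
    """In-memory session table: session ID -> authenticated user (None = anonymous)."""

    def __init__(self):
        self._sessions = {}

    def start(self, client_supplied_id=None, accept_client_ids=False):
        # A permissive server adopts whatever ID arrives in a cookie, hidden
        # form field or URL argument; a strict one only honours IDs it issued.
        if client_supplied_id in self._sessions:
            return client_supplied_id
        if accept_client_ids and client_supplied_id:
            sid = client_supplied_id
        else:
            sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = None
        return sid

    def login_vulnerable(self, sid, user):
        # Weak: the pre-login ID stays valid after authentication, so anyone
        # who planted or knows it now holds an authenticated session.
        self._sessions[sid] = user
        return sid

    def login_hardened(self, sid, user):
        # Fix: retire the pre-login ID and bind the user to a fresh one.
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = user
        return new_sid

    def user_for(self, sid):
        return self._sessions.get(sid)


def fixation_outcome(hardened):
    """Return the user the pre-login (planted) ID maps to after the victim logs in."""
    store = SessionStore()
    planted = store.start()            # ID known to a third party before login
    victim_sid = store.start(planted)  # victim's browser presents the same ID
    if hardened:
        victim_sid = store.login_hardened(victim_sid, "alice")  # constructed user
    else:
        victim_sid = store.login_vulnerable(victim_sid, "alice")
    assert store.user_for(victim_sid) == "alice"
    return store.user_for(planted)
```

Generating the replacement ID with `secrets` also addresses the prediction weakness described earlier, since the value carries no pattern to analyse.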
This allows the attacker to gain important information that can be used to attack the application levels. This is done through hijacking transport and internet protocols used by web applications in the application layer.
Some of the techniques for network level hijacking are:
* Blind hijacking
* UDP hijacking
* TCP/IP hijacking
* RST hijacking
* IP spoofing: source routed packets
This method uses spoofed packets to intercept the connection between the victim and its target machine. If this method is successful, the victim's connection hangs, and the attacker is able to connect with the target machine in place of the victim. This can only be successful when the attacker is on the same network as the victim, but the victim and the attacker's machines can be located anywhere.
The attacker uses a trusted IP address to gain unauthorized access to the computer and spoofs the host computer, so the victim keeps receiving packets from the attacker to establish a connection. Once this is done, the attacker injects forged packets before the host can reply to the server, which causes the original packets to be lost, because the server gets a sequence number used by the attacker. The attacker is able to re-route the packets to its specified IP address.
Here the attacker can send comments but cannot see any response, after it has intercepted the communications between two systems, even when the source routing is disabled.
Zaproxy: this is used to find weaknesses in web applications. It consists of a passive scanner, brute force scanner, spider and fuzzer, port scanner, and dynamic SSL certificates, among others.
Burp Suite: this allows for modification and inspection of traffic between the browser and target application.
JHijack: a web application security session assessment tool, used for numeric session hijacking and parameter enumeration.
DroidSheep: this tool is used for Android hijacking, and works by extracting session IDs from HTTP packets sent via wireless connections.
DroidSniff: checks for weaknesses in wireless connections, and captures data from social media platforms.
Published with the express permission of the author.