Ethical Hacking: What is Session Hijacking?
Transcription
The first thing to do is define session hijacking. Session hijacking takes two significant forms. First of all, it’s finding and taking over an existing network session. This could be something like two or more clients talking to each other. As an attacker, you find that and then get involved and take it over in some way. Or, another possibility is finding a session that maybe isn’t active. Maybe it’s a saved session. Maybe it’s a timed-out session. Maybe it’s a session that has some remnants that we could possibly use, and then using that information, those compromises, to re-enable or reestablish that session in a different context. This would be reestablished in the context of the session that was previously going on.
What you are doing is kind of stumbling across something and potentially reinvigorating that in that context, but with us controlling it instead of whoever might have been controlling it in the past. This is really interesting.
Imagine, for example, if you closed a web browser and walked away and someone was able to walk up to your web browser, connect back up to the session you had with the bank, and not have to type in a username or a password. They just become you.
Big Money Bank Scenario
Well then, take that to the next step. What if that person shouldn’t be on your computer in the first place, but can still do that kind of thing? It gets much, much worse.
A great way to think about this is within the context of a session hijacking at our scenario company, Big Money Bank. We have two folks here, Alice and Bob. Alice being the employee or legitimate user of Big Money Bank, and Bob is an ethical hacker who wants access to Alice’s account. In this context, it’s pretty straightforward.
Setting the tools aside for a moment, essentially what happens is Alice connects up to this web client using her browser and authenticates. She provides a login name, password and whatever else she’s going to provide, possibly a smart card credential, possibly a SecurID or a one-time pad token.
She goes through all this rigmarole and actually hooks up with account.bmb.com and convinces it that she is Alice, which is fine. But then, if Bob can swoop in and become Alice, either for just a moment or for an extended period, Bob can do whatever he wants without having to re-authenticate.
The Goal of Session Hijacking
Bob becomes Alice long enough to do some naughty things. That’s the key of session hijacking. That’s the goal of session hijacking. Doing that is not simple. It’s not as straightforward as just throwing a switch, or just asking someone for a password, but it certainly has a profound impact, especially if you can make this attack last any length of time.
Length of Attack
If Bob can become Alice indefinitely, or for an entire day, he’s obviously got a heck of a compromise on his hands, compared to if he can become Alice for one minute or two minutes. Certainly, just becoming Alice for two minutes is a significant gain, and it is part of an ethical hack to prove that this thing is possible. The longer it lasts, and the more profound it is, the better for Bob.
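Added example, not code from the video or from Big Money Bank: a minimal server-side session store for the account.bmb.com scenario, showing the controls that decide how long a leftover (saved or timed-out) session, or one Bob has taken over, remains usable. The timeouts, the client fingerprint, and all names are assumptions made for illustration.

```python
import hashlib
import secrets

IDLE_TIMEOUT = 15 * 60          # seconds without a request before expiry
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap on total session lifetime

def _key(token):
    # Store only a hash: a leaked copy of the store cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()

class SessionStore:
    def __init__(self):
        self._sessions = {}

    def login(self, user, client_fp, now):
        token = secrets.token_urlsafe(32)  # unguessable, unrelated to the user
        self._sessions[_key(token)] = {"user": user, "client_fp": client_fp,
                                       "created": now, "last_seen": now}
        return token

    def validate(self, token, client_fp, now):
        # Returns the session's user, or None if the request must be rejected.
        sess = self._sessions.get(_key(token))
        if sess is None:
            return None
        if (now - sess["last_seen"] > IDLE_TIMEOUT
                or now - sess["created"] > ABSOLUTE_TIMEOUT):
            self.logout(token)  # purge the remnant rather than leave it around
            return None
        # Binding to the originating client is a partial control: it blocks
        # replay from another machine, not a peer presenting the same values.
        if sess["client_fp"] != client_fp:
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, token):
        # Logout must invalidate server-side; deleting the cookie is not enough.
        self._sessions.pop(_key(token), None)

def demo(t0=1_700_000_000):
    store = SessionStore()
    tok = store.login("alice", "alice-laptop", t0)
    out = {"alice_ok": store.validate(tok, "alice-laptop", t0 + 60),
           "bob_other_client": store.validate(tok, "bob-laptop", t0 + 120),
           "after_idle": store.validate(tok, "alice-laptop", t0 + 60 + IDLE_TIMEOUT + 1)}
    tok2 = store.login("alice", "alice-laptop", t0)
    store.logout(tok2)
    out["after_logout"] = store.validate(tok2, "alice-laptop", t0 + 1)
    return out
```

In `demo()`, Alice's last request is at `t0 + 60` and she closes her browser without logging out; the token is still accepted from her own client, rejected from a different client, and rejected outright once the idle timeout passes or she logs out.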