CEH Lab Manual
Session Hijacking
Module 11
Module 11 - Session Hijacking
Hijacking Sessions
Session hijacking refers to the exploitation of a valid computer session, wherein an attacker takes over a session between two computers.
Lab Scenario
Source: http://krebsonsecurity.com/2012/11/yahoo-email-stealing-exploit-fetches-700
According to KrebsOnSecurity news and investigation, a zero-day vulnerability in yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to malicious websites offers a fascinating glimpse into the underground market for large-scale exploits. The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a "cross-site scripting" (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! webmail users. Such a flaw would let attackers send or read email from the victim's account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed and can access cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
KrebsOnSecurity.com alerted Yahoo! to the vulnerability, and the company says it is responding to the issue. Ramses Martinez, director of security at Yahoo!, said the challenge now is working out the exact yahoo.com URL that triggers the exploit, which is difficult to discern from watching the video.
These types of vulnerabilities are a good reminder to be especially cautious about clicking links in emails from strangers or in messages that you were not expecting.
Being an administrator, you should implement security measures at the application level and the network level to protect your network from session hijacking. Network-level hijacks are prevented by packet encryption, which can be obtained by using protocols such as IPSEC, SSL, SSH, etc. IPSEC allows encryption of packets on a shared key between the two systems involved in communication. Application-level security is obtained by using strong session IDs. SSL and SSH also provide strong encryption using SSL certificates to prevent session hijacking.
Lab Objectives
The objective of this lab is to help students learn session hijacking and take necessary actions to defend against session hijacking.
In this lab, you will:
■ Intercept and modify web traffic
■ Simulate a Trojan, which modifies a workstation's proxy server settings
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 11 Session Hijacking
CEH Lab Manual Page 716
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Lab Environment
To carry out this lab, you need:
■ A computer running Windows Server 2012 as host machine
■ This lab will run on a Windows 8 virtual machine
■ Web browser with Internet access
■ Administrative privileges to configure settings and run tools
Lab Duration
Time: 20 Minutes
Overview of Session Hijacking
TASK 1: Overview
Session hijacking refers to the exploitation of a valid computer session where an attacker takes over a session between two computers. The attacker steals a valid session ID, which is used to get into the system and sniff the data.
In TCP session hijacking, an attacker takes over a TCP session between two machines. Since most authentications occur only at the start of a TCP session, this allows the attacker to gain access to a machine.
Lab Tasks
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in session hijacking:
■ Session hijacking using ZAP
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Lab
Session Hijacking Using Zed Attack Proxy (ZAP)
The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.
Lab Scenario
Attackers are continuously watching for websites to hack, and developers must be prepared to counter malicious hackers by writing strong, secure code. A common form of attack is session hijacking, i.e., accessing a website using someone else's session ID. A session ID might contain credit card details, passwords, and other sensitive information that can be misused by a hacker. Session hijacking attacks are performed either by session ID guessing or by stolen session ID cookies. Session ID guessing involves gathering a sample of session IDs and "guessing" a valid session ID assigned to someone else. It is always recommended not to replace ASP.NET session IDs with IDs of your own, as this will prevent session ID guessing. Session hijacking by stolen session ID cookies can be prevented by using SSL; however, using cross-site scripting attacks and other methods, attackers can steal the session ID cookies. If an attacker gets hold of a valid session ID, then ASP.NET connects to the corresponding session with no further authentication.
There are many tools easily available now that attackers use to hack into websites or user details. One of the tools is Firesheep, which is an add-on for Firefox. While you are connected to an unsecure wireless network, this Firefox add-on can sniff the network traffic, capture all your information, and provide it to the hacker on the same network. The attacker can now use this information and log in as you.
As an ethical hacker, penetration tester, or security administrator, you should be familiar with network and web authentication mechanisms. In your role of web security administrator, you need to test web server traffic for weak session IDs, insecure handling, identity theft, and information loss. Always ensure that you have an encrypted connection using https, which will make the sniffing of network packets difficult for an attacker. Alternatively, VPN connections too can be used to stay safe, and advise users to log off once they are done with their work. In this lab you will learn to use ZAP proxy to intercept proxies, scanning, etc.
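The scenario above rests on two ways of hijacking a session: guessing a session ID from a gathered sample, or stealing the cookie that carries one, and the earlier scenario names strong session IDs and encryption as the application-level and network-level defences. The following added example (not from the CEH manual or from ZAP; the function names, the SESSIONID cookie name and the 4-bit threshold are assumptions) shows how a server can generate IDs that defeat guessing, emit them with the cookie attributes that blunt theft over plain HTTP or via script, and run a crude predictability check over a sample of IDs of the kind an attacker would collect.

```python
import math
import secrets
from collections import Counter

# Added example, not code from the CEH manual or from ZAP.
# SESSION_ID_BYTES, the SESSIONID cookie name and the 4-bit threshold are assumptions.

SESSION_ID_BYTES = 32  # 256 bits from the OS CSPRNG


def new_session_id(nbytes: int = SESSION_ID_BYTES) -> str:
    """Return an unguessable session ID (URL-safe base64 without padding)."""
    return secrets.token_urlsafe(nbytes)


def session_cookie_header(session_id: str, name: str = "SESSIONID",
                          max_age: int = 1800) -> str:
    """Build the Set-Cookie header for the session ID.

    Secure   - only sent over HTTPS, so a sniffer on open Wi-Fi never sees it
    HttpOnly - not readable by page script, so an XSS payload cannot lift it
    SameSite - not attached to cross-site requests, which also limits CSRF
    Max-Age  - a short lifetime bounds how long a stolen ID stays useful
    """
    return (f"Set-Cookie: {name}={session_id}; Path=/; Max-Age={max_age}; "
            f"Secure; HttpOnly; SameSite=Lax")


def missing_cookie_flags(set_cookie_line: str) -> list:
    """Return the hardening attributes absent from a Set-Cookie header."""
    value = set_cookie_line
    if value.lower().startswith("set-cookie:"):
        value = value.split(":", 1)[1]
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in value.split(";")[1:]}
    return [flag for flag in ("Secure", "HttpOnly", "SameSite")
            if flag.lower() not in attrs]


def bits_per_char(ids) -> float:
    """Shannon entropy estimate per character over the sampled IDs."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def assess_session_ids(ids) -> dict:
    """Flag a sample of session IDs as guessable.

    sequential:  every ID is a decimal number and the whole sample fits in a
                 window only a few times wider than the sample itself, i.e. a
                 counter an attacker can simply step through
    low_entropy: fewer than 4 estimated bits of entropy per character
    """
    ids = list(ids)
    sequential = False
    if ids and all(i.isdigit() for i in ids):
        values = sorted(int(i) for i in ids)
        sequential = (values[-1] - values[0]) < 10 * len(values)
    entropy = bits_per_char(ids)
    return {"sequential": sequential,
            "bits_per_char": entropy,
            "low_entropy": entropy < 4.0,
            "guessable": sequential or entropy < 4.0}


if __name__ == "__main__":
    # Constructed samples: a counter-style ID scheme versus CSPRNG tokens.
    weak_sample = [str(1000 + i) for i in range(10)]
    strong_sample = [new_session_id() for _ in range(10)]
    print(assess_session_ids(weak_sample))
    print(assess_session_ids(strong_sample))
    print(session_cookie_header(new_session_id()))
    print("missing:", missing_cookie_flags("Set-Cookie: SESSIONID=abc; Path=/"))
```

The entropy estimate is only a screening heuristic over a small sample; it catches counters and short or narrow alphabets, not a weak generator that happens to produce long strings, which is why the IDs themselves come from `secrets` rather than from anything the application invents.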
Lab Objectives
The objective of this lab is to help students learn session hijacking and how to take necessary actions to defend against session hijacking.
In this lab, you will:
■ Intercept and modify web traffic
■ Simulate a Trojan, which modifies a workstation's proxy server settings
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 11 Session Hijacking
Lab Environment
To carry out the lab, you need:
■ Paros Proxy located at D:\CEH-Tools\CEHv8 Module 11 Session Hijacking\Session Hijacking Tools\Zaproxy
■ You can also download the latest version of ZAP from the link http://code.google.com/p/zaproxy/downloads/list
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A system running Windows Server 2012 as host machine
■ Run this tool in the Windows 8 Virtual Machine
■ A web browser with Internet access
■ Administrative privileges to configure settings and run tools
Ensure that Java Run Time Environment (JRE) 7 (or above) is installed. If not, go to http://java.sun.com/j2se to download and install it.
Lab Duration
Time: 20 Minutes
Overview of Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP) is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox. Its features include intercepting proxy, automated scanner, passive scanner, and spider.
Lab Tasks
TASK 1: Setting up ZAP
1. Log in to your Windows 8 Virtual Machine.
2. In the Windows 8 Virtual Machine, follow the wizard-driven installation steps to install ZAP.
3. To launch ZAP after installation, move your mouse cursor to the lower left corner of your desktop and click Start.
You can also download ZAP from http://code.google.com/p/zaproxy/downloads/list
FIGURE 2.1: Paros proxy main window
4. Click ZAP 1.4.1 in the Start menu apps.
At its heart ZAP is an intercepting proxy. You need to configure your browser to connect to the web application you wish to test through ZAP. If required you can also configure ZAP to connect through another proxy; this is often necessary in a corporate environment.
If you know how to set up proxies in your web browser then go ahead and give it a go! If you are unsure then have a look at the Configuring proxies section.
FIGURE 2.2: Paros proxy main window
5. The main interface of ZAP appears, as shown in the following screenshot.
6. It will prompt you with an SSL Root CA certificate. Click Generate to continue.
Once you have configured ZAP as your browser's proxy then try to connect to the web application you will be testing. If you cannot connect to it then check your proxy settings again. You will need to check your browser's proxy settings, and also ZAP's proxy settings.
FIGURE 2.3: Paros proxy main window
Active scanning attempts to find potential vulnerabilities by using known attacks against the selected targets.
7. In the Options window, select Dynamic SSL certificates, then click Generate to generate a certificate. Then click Save.
Active scanning is an attack on those targets. You should NOT use it on web applications that you do not own.
It should be noted that active scanning can only find certain types of vulnerabilities. Logical vulnerabilities, such as broken access control, will not be found by any active or automated vulnerability scanning. Manual penetration testing should always be performed in addition to active scanning to find all types of vulnerabilities.
FIGURE 2.4: Paros proxy main window
8. Save the certificate in the default location of ZAP. If the certificate already exists, replace it with the new one.
An alert is a potential vulnerability and is associated with a specific request. A request can have more than one alert.
FIGURE 2.5: Paros proxy main window
9. Click OK in the Options window.
Anti CSRF tokens are (pseudo) random parameters used to protect against Cross Site Request Forgery (CSRF) attacks. However they also make a penetration tester's job harder, especially if the tokens are regenerated every time a form is requested.
10. Your Paros proxy server is now ready to intercept requests.
ZAP detects anti CSRF tokens purely by attribute names; the list of attribute names considered to be anti CSRF tokens is configured using the Options Anti CSRF screen. When ZAP detects these tokens it records the token value and which URL generated the token.
FIGURE 2.7: Paros proxy main window
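The two anti-CSRF notes above describe the tokens only as pseudo-random form parameters that ZAP recognises by attribute name. The following added example (not from the CEH manual or from ZAP; the function names, the csrf_token field name and the SERVER_SECRET constant are assumptions) shows one way a server can issue such a token bound to the visitor's session and verify it on form submission, so that a token recorded from one session, as ZAP does in its Anti CSRF tracking, does not verify in another.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the CEH manual or from ZAP.
# SERVER_SECRET is constructed here; a real deployment loads it from configuration.
SERVER_SECRET = secrets.token_bytes(32)
HEX_DIGITS = set("0123456789abcdef")


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Return a fresh token: random nonce + HMAC over (session_id, nonce).

    A new nonce is generated on every form render, matching the note's remark
    that tokens may be regenerated each time a form is requested. Binding the
    MAC to the session ID means a token observed in one session does not
    verify in another, and the server keeps no per-token state.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(token: str, session_id: str,
                      secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac or not set(nonce) <= HEX_DIGITS:
        return False  # malformed token, including a nonce that could smuggle a ':'
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_form_post(form: dict, session_id: str) -> int:
    """Server-side handler for a state-changing POST: 403 unless the token checks out."""
    if not verify_csrf_token(form.get("csrf_token", ""), session_id):
        return 403
    return 200


if __name__ == "__main__":
    alice = "session-of-alice"      # constructed session IDs
    mallory = "session-of-mallory"
    token = issue_csrf_token(alice)
    print(handle_form_post({"csrf_token": token, "email": "a@example.com"}, alice))    # 200
    print(handle_form_post({"csrf_token": token, "email": "a@example.com"}, mallory))  # 403
    print(handle_form_post({"email": "a@example.com"}, alice))                         # 403
```

Because the token is derived from the session ID, it is only as good as that ID: if the session cookie itself is stolen, the attacker can request a valid token just as the user would, which is why the cookie hardening from the earlier scenario and this check are complementary rather than interchangeable.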
11. Launch any web browser. In this lab we are using the Chrome browser.
12. Your VM workstation should have Chrome version 22.0 or later installed.
13. Change the Proxy Server settings in Chrome by clicking the Customize and control Google Chrome button, and then click Settings.
FIGURE 2.8: IE Internet Options window
14. On the Google Chrome Settings page, click the Show advanced settings... link at the bottom of the page, and then click the Change proxy settings... button.
ZAP provides an Application Programming Interface (API) which allows you to interact with ZAP programmatically. The API is available in JSON, HTML and XML formats. The API documentation is available via the URL http://zap/ when you are proxying via ZAP.
FIGURE 2.9: Paros proxy main window
15. In the Internet Properties wizard, click Connections and click LAN Settings.
FIGURE 2.10: IE Internet Options window with Connections tab
16. Check Use a proxy server for your LAN, type 127.0.0.1 in the Address field, enter 8080 in the Port field, and click OK.
Click OK several times until all configuration dialog boxes are closed.
It should be noted that there is minimal security built in to the API, which is why it is disabled by default. If enabled then the API is available to all machines that are able to use ZAP as a proxy. By default ZAP listens only on 'localhost' and so can only be used from the host machine.
The API provides access to the core ZAP features such as the active scanner and spider. Future versions of ZAP will increase the functionality available via the API.
FIGURE 2.11: IE Internet Options window with Proxy Settings window
TASK 2: Hijacking Victim's Session
17. Click Set break on all requests and Set break on all responses to trap all the requests and responses from the browser.
ZAP allows you to try to brute force directories and files.
A set of files are provided which contain a large number of file and directory names.
A break point allows you to intercept a request from your browser and to change it before it is submitted to the web application you are testing. You can also change the responses received from the application. The request or response will be displayed in the Break tab, which allows you to change disabled or hidden fields, and will allow you to bypass client side validation (often enforced using javascript). It is an essential penetration testing technique.
FIGURE 2.12: Paros proxy main window
18. Now navigate to the Chrome browser, and open www.bing.com.
19. Start a search for "Cars."
20. Open ZAP, which shows the first trapped incoming web traffic.
21. Observe the first few lines of the trapped traffic in the trap window, and keep clicking Submit and step to next request or response until you see cars in the GET request in the Break tab, as shown in the following screenshot.
Filters add extra features that can be applied to every request and response. By default no filters are initially enabled. Enabling all of the filters may slow down the proxy. Future versions of the ZAP User Guide will document the default filters in detail.
FIGURE 2.6: Paros Proxy with Trap option content (the Break tab shows the trapped GET request to www.bing.com/search with q=Cars)
22. Now change the query text from Cars to Cakes in the GET request.
Fuzzing is configured using the Options Fuzzing screen. Additional fuzzing files can be added via this screen or can be put manually into the "fuzzers" directory where ZAP was installed; they will then become available after restarting ZAP.
23. Click Submit and step to next request or response.
24. Search for a title in the Response pane and replace Cakes with Cars as shown in the following figure.
FIGURE 2.7: Paros Proxy search string content
25. In the same Response pane, replace Cakes with Cars as shown in the following figure at the value shown.
Tliis functionality is
b ased o n code fro m th e
O W A S P JB ro F u zz p ro ject
and includes files fro m th e
fu zzd b project. N o te th a t
so m e fuzzdb files have
b een left o u t as th ey cause
c o m m o n anti virus
scanners to flag th em as
containing viruses. Y o u can
replace th e m (and upgrade
fuzzdb) by dow nloading
th e latest v ersion o f fuzzdb
and expanding it in th e
,fuzzers' library.
CEH Lab Manual Page 727
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Note: The HTTP Sessions tool keeps track of the existing HTTP sessions on a particular site and allows the Zaproxy user to force all requests to be on a particular session. Basically, it allows the user to easily switch between user sessions on a site and to create a new session without "destroying" the existing ones.
[Figure: OWASP ZAP Response pane with the trapped Bing response after the edit. Header lines visible: HTTP/1.1 200 OK; Cache-Control: private, max-age=0; Content-Type: text/html; charset=utf-8; Expires: Mon, 15 Oct 2012 12:30:19 GMT. The body shows the search box input (id="sb_form_q", name="q") whose value has been changed to Cars.]
FIGURE 2.8: Paros with modified trap option content

Note: Here we are changing the text Cakes to Cars; the Bing search box shows Cars, whereas the results displayed are for Cakes.

26. Observe the Bing search web page displayed in the browser: the address bar and search box show "Cars", but the results returned are those for the search query "Cakes".
[Figure: browser address bar showing www.bing.com/search?q=cars&go=&qs=n&form=QBLH&filt=all&pq=cars&sc=0, with the Bing WEB tab selected]
Note: It is based on the concept of session tokens, which are HTTP message parameters (for now only cookies) that allow an HTTP server to connect a request message with any previous requests or stored data. In the case of Zaproxy, conceptually, session tokens have been classified into two categories: default session tokens and site session tokens. The default session tokens are the ones that the user can set in the Options screen and are tokens that are, by default, automatically considered session tokens for any site (e.g., phpsessid, jsessionid, etc.). The site session tokens are a set of tokens for a particular site and are usually set up using the popup menus available in the Params tab.
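The two notes above (the HTTP Sessions tool and the default/site classification of session tokens), as an added example that is not ZAP's own code: a small tracker that treats a cookie as a session token if its name is on a default list that applies to every site or on a list added for one site, records each distinct set of token values it sees in Set-Cookie and Cookie headers as a session, and rewrites a request's Cookie header to force the request onto a chosen session. The site name and cookie values are constructed for the example, and the default list holds only the two names the note mentions; ZAP's real default list is longer and is maintained in its Options screen.

```python
"""Session-token tracking and session forcing, modelled on the ZAP notes.
Added example; not ZAP's code. All sample data below is constructed."""

# Default session tokens: treated as session tokens on every site.
# Only the two names from the lab note; ZAP's real default list is longer.
DEFAULT_SESSION_TOKENS = {"phpsessid", "jsessionid"}


def parse_cookie_header(value: str) -> dict:
    """Parse a request Cookie header ('a=1; b=2') into an ordered dict."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = val.strip()
    return cookies


def parse_set_cookie(value: str) -> tuple:
    """Return (name, value) from a Set-Cookie header, ignoring attributes
    such as Path, HttpOnly or Expires."""
    first = value.split(";", 1)[0]
    name, _, val = first.partition("=")
    return name.strip(), val.strip()


class SessionTracker:
    def __init__(self, default_tokens=DEFAULT_SESSION_TOKENS):
        self.default_tokens = {t.lower() for t in default_tokens}
        self.site_tokens = {}   # site -> set of extra token names (lower-case)
        self.sessions = {}      # site -> list of {token name: value}

    def add_site_token(self, site: str, name: str) -> None:
        """Site session token: only counts as a session token on this site
        (what the Params tab popup menu does in ZAP)."""
        self.site_tokens.setdefault(site, set()).add(name.lower())

    def is_session_token(self, site: str, name: str) -> bool:
        lname = name.lower()
        return lname in self.default_tokens or lname in self.site_tokens.get(site, set())

    def _record(self, site: str, tokens: dict):
        """Store a session (one set of token values) unless already known;
        return its index, or None when the message carried no session token."""
        if not tokens:
            return None
        known = self.sessions.setdefault(site, [])
        for index, existing in enumerate(known):
            if existing == tokens:
                return index
        known.append(dict(tokens))
        return len(known) - 1

    def observe_response(self, site: str, set_cookie_headers: list):
        """Learn a session from the Set-Cookie headers of a response."""
        tokens = {}
        for header in set_cookie_headers:
            name, val = parse_set_cookie(header)
            if self.is_session_token(site, name):
                tokens[name] = val
        return self._record(site, tokens)

    def observe_request(self, site: str, cookie_header: str):
        """Learn (or recognise) a session from the Cookie header of a request."""
        cookies = parse_cookie_header(cookie_header)
        tokens = {n: v for n, v in cookies.items() if self.is_session_token(site, n)}
        return self._record(site, tokens)

    def force_session(self, site: str, index: int, cookie_header: str) -> str:
        """Rewrite a request's Cookie header so it rides on session `index`:
        non-session cookies are kept, session tokens are swapped for the
        chosen session's values."""
        cookies = parse_cookie_header(cookie_header)
        for name in list(cookies):
            if self.is_session_token(site, name):
                del cookies[name]
        cookies.update(self.sessions[site][index])
        return "; ".join(f"{n}={v}" for n, v in cookies.items())


# Constructed sample traffic for a hypothetical site.
SITE = "shop.example"
FIRST_LOGIN_SET_COOKIES = ["PHPSESSID=a1b2c3; Path=/; HttpOnly", "theme=dark; Path=/"]
SECOND_LOGIN_SET_COOKIES = ["PHPSESSID=z9y8x7; Path=/; HttpOnly"]
REQUEST_COOKIE = "theme=dark; PHPSESSID=a1b2c3"

if __name__ == "__main__":
    tracker = SessionTracker()
    tracker.observe_response(SITE, FIRST_LOGIN_SET_COOKIES)   # session 0
    tracker.observe_response(SITE, SECOND_LOGIN_SET_COOKIES)  # session 1
    print(tracker.force_session(SITE, 1, REQUEST_COOKIE))     # request now on session 1
```

Two sessions are distinguished purely by their token values, which is also why a site-specific token matters: if the site authenticates with a cookie not on the default list, requests carrying different values of it are lumped into one session until that name is added with add_site_token.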
[Figure: Bing results page with tabs WEB, IMAGES, VIDEOS, NEWS, MORE and a 357,000,000 RESULTS count. Top hits: "Images of cakes" (bing.com/images) and "Cake - Wikipedia, the free encyclopedia" (en.wikipedia.org/wiki/Cake; Varieties, Special-purpose cakes, Shapes, Cake flour, Cake decorating) with the snippet "Cake is a form of bread or bread-like food. In its modern forms, it is typically a sweet baked dessert. In its oldest forms, cakes were normally fried breads or ..."]
FIGURE 2.9: Search results window after modifying the content

27. That's it. By editing the response in transit you changed what an unsuspecting web browser displayed; a proxy in this position can just as easily rewrite a redirect or a link and send the browser to any page of your choosing.
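The trap-and-edit steps of this lab (a request parameter rewritten on the way to Bing, a response body rewritten on the way back to the browser), as an added example in Python; this is not code from the lab manual or from ZAP/Paros. The sample request and response are constructed stand-ins: the path and query parameters follow the Bing address bar shown in the lab, but the HTML body is a one-line fragment around the search box input rather than the real page.

```python
"""What an intercepting proxy does to a trapped request and a trapped response.
Added example; not the lab's or ZAP's code. Sample messages are constructed."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CRLF = b"\r\n"


def split_message(raw: bytes):
    """Split a raw HTTP/1.1 message into (start_line, [(name, value)], body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    start_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip(), value.strip()))
    return start_line, headers, body


def join_message(start_line: str, headers, body: bytes) -> bytes:
    """Reassemble what split_message() took apart."""
    head = [start_line] + [f"{name}: {value}" for name, value in headers]
    return CRLF.join(h.encode("latin-1") for h in head) + CRLF + CRLF + body


def trap_request(raw: bytes, param: str, new_value: str) -> bytes:
    """Trap Request: change one query-string parameter before the request
    leaves the proxy, so the server answers a different search than the
    user typed (the address bar still shows what the user typed)."""
    start_line, headers, body = split_message(raw)
    method, target, version = start_line.split(" ", 2)
    parts = urlsplit(target)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = new_value
    new_target = urlunsplit(parts._replace(query=urlencode(query)))
    return join_message(f"{method} {new_target} {version}", headers, body)


def trap_response(raw: bytes, old: bytes, new: bytes) -> bytes:
    """Trap Response: edit the body before the browser renders it.
    Content-Length is recomputed; if it is left stale the browser will
    truncate the page or wait for bytes that never arrive."""
    start_line, headers, body = split_message(raw)
    body = body.replace(old, new)
    headers = [
        (name, str(len(body)) if name.lower() == "content-length" else value)
        for name, value in headers
    ]
    return join_message(start_line, headers, body)


def content_length_matches(raw: bytes) -> bool:
    """Check a message is internally consistent after editing."""
    _, headers, body = split_message(raw)
    declared = dict((n.lower(), v) for n, v in headers).get("content-length")
    return declared is None or int(declared) == len(body)


# Constructed sample traffic (cookie value is a placeholder, not a real token).
SAMPLE_REQUEST = (
    b"GET /search?q=cars&go=&qs=n&form=QBLH HTTP/1.1\r\n"
    b"Host: www.bing.com\r\n"
    b"Cookie: SRCHUID=constructed\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE_BODY = b'<html><input id="sb_form_q" name="q" value="Cakes"></html>'
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Cache-Control: private, max-age=0\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: " + str(len(SAMPLE_RESPONSE_BODY)).encode("ascii") + b"\r\n"
    + b"\r\n"
    + SAMPLE_RESPONSE_BODY
)

if __name__ == "__main__":
    # Step sequence of the lab: server is asked for cakes, browser is shown cars.
    print(trap_request(SAMPLE_REQUEST, "q", "cakes").decode("latin-1"))
    print(trap_response(SAMPLE_RESPONSE, b'value="Cakes"', b'value="Cars"').decode("latin-1"))
```

Everything is kept as bytes and the headers are decoded as latin-1 so that an edit never corrupts a body whose charset differs from the header encoding; a real proxy also has to deal with chunked and compressed bodies, which the lab's GUI handles for you and this example does not.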
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

Tool/Utility        Information Collected/Objectives Achieved
Zed Attack Proxy    - SSL certificate to hack into a website
                    - Redirecting the request made in Bing
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate each of the following Paros proxy options:
   a. Trap Request
   b. Trap Response
   c. Continue Button
   d. Drop Button
Internet Connection Required
☑ Yes    ☐ No

Platform Supported
☑ Classroom    ☐ iLabs