SESSION HIJACKING

It is a method of taking over a secure/unsecure Web user session by secretly obtaining the session ID and masquerading as an authorized user.

METHODS TO COMMIT A SESSION HIJACK

– IP SPOOFING: A method attackers use when they wish to send packets with malicious content to a target machine without being identified.
– SESSION SIDEJACKING: The attacker uses packet sniffing to read network traffic between two parties and steal the session cookies.
– SESSION FIXATION: The attacker fixes the user’s session ID before the user even logs into the target Web server, thereby eliminating the need to obtain the user’s session ID afterwards.
– CROSS-SITE SCRIPTING: Through a hyperlink, a hacker collects data from a user. The hyperlink holds malicious content and is located in a web site. When a user visits the Web site and clicks on the link, the malicious data is sent straight to the web application. After the user clicks on the link, another page is created and the malicious content is generated within that page. The user remains absolutely unaware of the forged content and assumes it to be valid data generated by the host Web site.
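Session fixation as described above only works if the ID set before login is still the one that identifies the session after login. This added Python example, which is not part of the original slides, uses a hypothetical in-memory `SessionStore` to compare a server that keeps the pre-login ID with one that issues a new ID at login.

```python
import secrets

class SessionStore:
    """Minimal server-side session table (hypothetical, for illustration)."""
    def __init__(self, rotate_on_login=True):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}                      # session ID -> logged-in user or None

    def _issue(self, user=None):
        sid = secrets.token_urlsafe(32)         # unpredictable, server-generated ID
        self.sessions[sid] = user
        return sid

    def visit(self, presented_id=None):
        """Pre-login request: reuse only IDs this server issued, never adopt a client-supplied value."""
        return presented_id if presented_id in self.sessions else self._issue()

    def login(self, presented_id, user):
        """On authentication, drop the pre-login ID and issue a fresh one (unless rotation is off)."""
        if self.rotate_on_login or presented_id not in self.sessions:
            self.sessions.pop(presented_id, None)
            return self._issue(user)
        self.sessions[presented_id] = user      # weak setting: the pre-login ID becomes authenticated
        return presented_id

    def user_for(self, sid):
        return self.sessions.get(sid)

def fixation_outcome(rotate_on_login):
    """Return who the ID known before login maps to after the victim logs in."""
    store = SessionStore(rotate_on_login)
    known_id = store.visit()                    # ID obtained before login and planted on the victim
    store.login(known_id, "alice")              # victim authenticates while holding that ID
    return store.user_for(known_id)
```

With rotation on, the ID known before login maps to no user afterwards; with rotation off, it maps to the logged-in user.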

IP SPOOFING

It is a technique used to gain unauthorized access to computers, whereby the attacker sends messages to a computer with a forged IP address, indicating that the message is coming from a trusted host. In brief, the attacker is fooling (spoofing) the distant computer into believing that the messages come from a legitimate host of the network.

TYPES OF IP SPOOFING

– NON-BLIND SPOOFING: The attacker is on the same subnet as the victim. The sequence and acknowledgment numbers can be sniffed, which eliminates the difficulty of calculating them accurately.
– BLIND SPOOFING: This is a more sophisticated attack, because the sequence and acknowledgment numbers are unreachable. To get around this, several packets are sent to the target machine in order to sample sequence numbers. Most operating systems now implement random sequence number generation, which makes the numbers difficult to predict accurately. Machines in the past used basic techniques for generating sequence numbers, and it was relatively easy to discover the exact formula by studying packets and TCP sessions. If the sequence number was compromised, data could be sent to the target.

SNIFFING

Sniffing, or eavesdropping, is the act of monitoring traffic on the network for data such as plaintext passwords or configuration information. With a simple packet sniffer, an attacker can easily read all the plaintext traffic.

ARP SPOOFING

INTRODUCTION

A computer connected to an IP/Ethernet network has two addresses:
– Address of the network card (MAC address): a globally unique and unchangeable address stored on the network card. The Ethernet header contains the MAC addresses of the source and destination computers.
– IP address: each computer on a network must have a unique IP address to communicate. It is virtual and assigned by software.

IP communicates by constructing packets. Packets are delivered by Ethernet as follows:
1. An Ethernet header is added for delivery.
2. The packets are split into frames.
3. The frames are sent down the cable to the switch.
4. The switch then decides which port to send the frame to by comparing the destination address of the frame to an internal table that maps port numbers to MAC addresses.

When an Ethernet frame is constructed from an IP packet, the sender has no idea what the MAC address of the destination machine is. The only information available is the destination IP address. There must be a way for the Ethernet protocol to find the MAC address of the destination machine, given a destination IP. This is where ARP, the Address Resolution Protocol, comes in.

ADDRESS RESOLUTION AND REVERSE ADDRESS RESOLUTION

HOW ARP FUNCTIONS

1. Get the IP address of the target.
2. Create an ARP request message:
   – Fill in the sender physical address.
   – Fill in the sender IP address.
   – Fill in the target IP address.
   – The target physical address is filled with 0.
3. The message is passed to the data link layer, where it is encapsulated in a frame:
   – Source address: physical address of the sender.
   – Destination address: broadcast address.
4. Every host or router on the LAN receives the frame.
   – All stations pass it to ARP.
   – All machines except the one targeted drop the packet.
5. The target machine replies with an ARP message that contains its physical address.
   – A unicast message.
6. The sender receives the reply message and knows the physical address of the target machine.

– To avoid having to send an ARP request packet each time, a host can cache IP addresses and the corresponding hardware addresses in its ARP table (ARP cache).
– Each entry in the ARP table is usually “aged” so that the contents are erased if no activity occurs within a certain period.
– When a computer receives an ARP reply, it will update its ARP cache.
– ARP is a stateless protocol: most operating systems will update their cache if a reply is received, regardless of whether they have sent out an actual request.

ARP SPOOFING

The attacker constructs spoofed ARP replies. A target computer can be convinced to send frames destined for computer A to computer B instead. Computer A will have no idea that this redirection took place. This process of updating a target computer’s ARP cache is referred to as “ARP poisoning”.
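The request and reply fields listed under HOW ARP FUNCTIONS, together with the stateless cache update, give a monitor two things to check: a reply that answers no observed request, and an IP address whose claimed MAC address changes. The Python below is an added example, not part of the original slides; the function and class names and the sample frames are constructed for illustration, and it assumes the monitor sees all ARP traffic on the segment (for example from a mirror port).

```python
ARP_HDR = bytes.fromhex("0806" "0001" "0800" "06" "04")  # EtherType ARP; Ethernet, IPv4, hlen 6, plen 4

def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def fmt_ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:20] != ARP_HDR:
        return None
    return {"op": int.from_bytes(frame[20:22], "big"),                 # 1 = request, 2 = reply
            "sha": fmt_mac(frame[22:28]), "spa": fmt_ip(frame[28:32]),   # sender physical / IP address
            "tha": fmt_mac(frame[32:38]), "tpa": fmt_ip(frame[38:42])}   # target physical / IP address

class ArpMonitor:
    """Tracks observed requests and IP-to-MAC bindings; observe() returns alerts for one frame."""
    def __init__(self):
        self.bindings = {}    # IP -> MAC most recently claimed for it
        self.pending = set()  # (requester IP, requested IP) still awaiting a reply

    def observe(self, frame):
        p, alerts = parse_arp(frame), []
        if p is None:
            return alerts
        if p["op"] == 1:
            self.pending.add((p["spa"], p["tpa"]))
        elif p["op"] == 2:
            if (p["tpa"], p["spa"]) in self.pending:
                self.pending.discard((p["tpa"], p["spa"]))
            else:
                alerts.append("unsolicited-reply")          # nobody asked for this binding
        known = self.bindings.get(p["spa"])
        if known is not None and known != p["sha"]:
            alerts.append(f"binding-changed {p['spa']}: {known} -> {p['sha']}")
        self.bindings[p["spa"]] = p["sha"]
        return alerts

def build_frame(op, sha, spa, tha, tpa, dst):  # constructed sample input, raw address bytes
    return dst + sha + ARP_HDR + op.to_bytes(2, "big") + sha + spa + tha + tpa

HOST, GW, OTHER = (bytes.fromhex("0200000000" + n) for n in ("05", "01", "66"))
HOST_IP, GW_IP = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])
SAMPLE = [  # constructed traffic: broadcast request, genuine reply, then a reply nobody asked for
    build_frame(1, HOST, HOST_IP, bytes(6), GW_IP, b"\xff" * 6),
    build_frame(2, GW, GW_IP, HOST, HOST_IP, HOST),
    build_frame(2, OTHER, GW_IP, HOST, HOST_IP, HOST),
]

def run_sample():
    monitor = ArpMonitor()
    return [monitor.observe(f) for f in SAMPLE]
```

Gratuitous ARP announcements and DHCP address reassignments also trigger these alerts, so each one is a lead to verify against known address assignments.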

THANK YOU