Demonstrating HTTP Session Hijacking through ARP Cache Poisoning and Man-in-the-Middle Attack and exploring HTTPS and VOIP session vulnerabilities Mainuddin.


Demonstrating HTTP Session Hijacking through ARP Cache Poisoning and Man-in-the-Middle Attack and exploring HTTPS and VOIP session vulnerabilities

Mainuddin Ahmad Jonas and Risul Islam and Department of Computer Science and Engineering (CSE), BUET

What is Session Hijacking?
• A session is a lasting connection between a user (a browser) and a server involving the exchange of many requests.
• The Session ID is a unique identifier used by the client to gain access to session data stored on the server.
• Session Hijacking is the exploitation of a valid computer session where an attacker takes over a session between two computers.
• It is done by stealing the Session ID.

How an HTTP session can be Hijacked
• Any unencrypted HTTP session can be hijacked by launching a Man-in-the-Middle attack.
• Three steps are involved:
  • Poisoning the ARP cache
  • Sniffing the Session ID
  • Hijacking the Session using the stolen Session ID

Poisoning the ARP Cache
• Ettercap is used to poison the ARP Cache.
• Client IP Address , the default gateway and the attacker machine
• After the attack, all traffic between the client and the default gateway passes through the attacker's machine.

Fig. 1: Poisoning the ARP cache using Ettercap

Sniffing the Session ID
• After establishing the MITM attack, the Session ID can be stolen using any packet sniffer.
• In Fig. 2, we have shown the use of Wireshark filters to capture the relevant HTTP traffic from our victim machine.
• In Fig. 3, the captured traffic is inspected to find out the secret Session ID of the current session.

Fig. 2: Using Wireshark filters to capture HTTP cookies sent from our victim machine

Fig. 3: Inspecting the Session ID from the captured packets. Here we can see the Session ID is 17F0B4417EB65A8066A3ECF tomcat3

Hijacking the Session with the stolen Session ID
• Using the stolen Session ID, it is easy to gain access to a valid logged-in session.
• The figure shows a Firefox add-on (Cookies Manager+) being used to hijack the session.
• We are building an automated tool to carry out all 3 steps.

Fig. 4: Using Cookies Manager+ to hijack the session. Here we insert the Session ID we sniffed in the previous step

HTTPS Protocol and its Vulnerabilities
• Due to the inherent vulnerabilities of the HTTP protocol demonstrated above, an HTTPS connection is recommended.
• However, even HTTPS is not secure from all MITM attacks.
• Vulnerability in SSL Handshaking and oversight by end users can be exploited.
• The SSL handshaking protocol is done over plaintext, allowing spoofing of certificates through MITM attacks. Attacks of these kinds are known as SSL Sniffing attacks.
• In SSL Stripping, the man-in-the-middle attacker strips off the SSL protocol from the server's response and sends the client a normal HTTP response, while at the same time maintaining an SSL connection with the server.
• HProxy, HSTS, SSLock, HTTPSLock, ISAN Enforcer are proposed solutions to SSL Stripping.
• We are currently in the process of developing a better method of preventing SSL Stripping attacks.

VoIP (Voice over Internet Protocol)
• A protocol which is now widely used in the telephony system.
• The number of residential VoIP subscribers in the US is 44 million (IDC report 2010).
• Most people consider VoIP safe, but increasingly it is becoming more vulnerable.
• The figure shows the communication process.

Fig. 5. Communication in VoIP

Attacks on VoIP and Prevention
• Man In The Middle (MITM) attack: a Remote Attacker (RA) acts as SIP Proxy Server (PS) to a SIP Phone and vice versa.
• DOS attack: DOS is nothing but making the VoIP service stop or be hampered. 2 types:
  • SIP Parser attack: occurs by malforming the INVITE message
  • Flooding attack: means overflowing the PS with INVITE messages
• SQL injection: injecting an SQL statement in the INVITE message header.

Prevention of VoIP attacks:

| Serial No | Attack Name | Defense Mechanism | Properties | Further attacks | |
|---|---|---|---|---|---|
| 1 | MITM | Using dynamic ID value and a wide ranged port number in DNS query. | No brute force search by RA. | Possible by brute force search and sniffing | Burdensome, takes time. |
| 2 A | SIP Parser (DOS) | Message header checking strongly. | No harmful header | Not possible. | No multiple connection |
| 2 B | Flooding (DOS) | Allowing the PS a max number of hits per second from a SIP Phone | Flooding limited from single phone | Still possible by DDOS. | Poor service |
| 3 | SQL Injection | Message header checking strongly | No harmful header | Still possible but limited. | Computational burden |
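
The ARP cache poisoning step described in the transcript leaves a visible trace on the wire: one MAC address starts answering for both the client's and the gateway's IP. The following detector is an added example, not part of the original presentation; the function names, the 192.0.2.0/24 addresses and the MAC addresses are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return frame[6:12].hex(":"), frame[22:28].hex(":"), ".".join(map(str, frame[28:32]))

def detect_poisoning(frames):
    """Return (frame_index, reason, ip, mac) alerts for conflicting ARP claims.
    first_seen maps ip -> first MAC observed; claimed maps mac -> IPs it has claimed."""
    first_seen, claimed, alerts = {}, defaultdict(set), []
    for n, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        eth_src, smac, sip = parsed
        if eth_src != smac:          # ARP payload disagrees with the frame header
            alerts.append((n, "eth-src-mismatch", sip, smac))
        if first_seen.setdefault(sip, smac) != smac:
            alerts.append((n, "binding-changed", sip, smac))
        claimed[smac].add(sip)
        if len(claimed[smac]) > 1:   # one NIC answering for several IPs
            alerts.append((n, "mac-claims-multiple-ips", sip, smac))
    return alerts

def build_arp(smac, sip, tmac, tip, op=2):
    """Build a constructed ARP frame (opcode 2 = reply) for the sample below."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    a = lambda i: bytes(int(x) for x in i.split("."))
    return (h(tmac) + h(smac) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + h(smac) + a(sip) + h(tmac) + a(tip))

# Constructed sample: documentation addresses, locally administered MACs.
GW, CLIENT, ATTACKER = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:66"
SAMPLE = [
    build_arp(GW, "192.0.2.1", CLIENT, "192.0.2.10"),        # legitimate gateway reply
    build_arp(CLIENT, "192.0.2.10", GW, "192.0.2.1"),        # legitimate client reply
    build_arp(ATTACKER, "192.0.2.66", GW, "192.0.2.1"),      # third host's own address
    build_arp(ATTACKER, "192.0.2.1", CLIENT, "192.0.2.10"),  # forged: gateway IP claimed
    build_arp(ATTACKER, "192.0.2.10", GW, "192.0.2.1"),      # forged: client IP claimed
]

if __name__ == "__main__":
    print(*detect_poisoning(SAMPLE), sep="\n")
```

Gratuitous ARP after a DHCP change, proxy ARP and failover pairs raise the same alerts, so each one is a lead to verify against the switch's port-to-MAC table rather than proof of an attack.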
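
On the server side, the sniffing and SSL Stripping steps are countered by marking the session cookie Secure and by sending HSTS, one of the solutions the transcript lists. The following response-header audit is an added example, not code from the presentation; the function names, the sample header values and the 180-day `min_max_age` floor are assumptions, and `JSESSIONID` is used because it is Tomcat's default session cookie name.

```python
def directives(value):
    """Parse 'a=b; Flag; c=d' into an ordered list of (name, value) pairs."""
    out = []
    for part in value.split(";"):
        if part.strip():
            key, _, val = part.partition("=")
            out.append((key.strip(), val.strip().strip('"')))
    return out

def audit_https_response(headers, session_cookies=("JSESSIONID",), min_max_age=15552000):
    """headers: (name, value) pairs from one response received over HTTPS.
    min_max_age is an assumed policy floor (180 days in seconds)."""
    findings, hsts = [], None
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            hsts = value
        elif lname == "set-cookie":
            pairs = directives(value)
            attrs = {k.lower() for k, _ in pairs[1:]}
            # Without Secure the browser also sends the cookie over plain http://
            if pairs and pairs[0][0] in session_cookies and "secure" not in attrs:
                findings.append(("cookie-not-secure", pairs[0][0]))
    if hsts is None:
        # Without HSTS a stripped http:// page is accepted silently by the browser
        findings.append(("hsts-missing", ""))
    else:
        d = {k.lower(): v for k, v in directives(hsts)}
        age = d.get("max-age", "")
        if not age.isdigit() or int(age) < min_max_age:
            findings.append(("hsts-max-age-low", age))
        if "includesubdomains" not in d:
            findings.append(("hsts-no-includesubdomains", ""))
    return findings

# Constructed sample responses (cookie values are placeholders).
WEAK = [("Content-Type", "text/html"),
        ("Set-Cookie", "JSESSIONID=CONSTRUCTED0123; Path=/app; HttpOnly")]
SHORT = [("Strict-Transport-Security", "max-age=300"),
         ("Set-Cookie", "JSESSIONID=CONSTRUCTED0123; Path=/app; Secure; HttpOnly")]
HARDENED = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
            ("Set-Cookie", "JSESSIONID=CONSTRUCTED0123; Path=/app; Secure; HttpOnly")]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("short", SHORT), ("hardened", HARDENED)):
        print(label, audit_https_response(resp))
```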