{"id":405,"date":"2010-03-10T20:49:00","date_gmt":"2010-03-10T12:49:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=405"},"modified":"2024-02-17T20:33:10","modified_gmt":"2024-02-17T12:33:10","slug":"session-hijacking","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/405","title":{"rendered":"session hijacking"},"content":{"rendered":"\n

session hijacking<\/strong>
\u63a5\u7ba1\u73fe\u5b58\u52d5\u614b\u6703\u8a71\u7684\u904e\u7a0b
refer to the exploitation of a valid computer session where an attack takes over a session between two computer
\u7528\u9014:The connection can be taken over after authentication
\u5f71\u97ff\u7bc4\u570d: \u5927\u90e8\u4efd\u96fb\u8166\u90fd\u5b58\u5728\u6b64\u5f31\u9ede,\u56e0\u70ba\u4f7f\u7528tcp\/ip
\u5f88\u591a\u61c9\u7528\u7cfb\u7d71\u63a1\u7528\u547d\u4ee4\u884c\u767b\u9304\u662f\u4e0d\u5b89\u5168\u7684\uff0c\u5c24\u5176\u662ftelnet\u3001 rsh\u3001rlogin\u53caFTP\u7a0b\u5f0f\uff0c\u5b83\u5011\u5168\u662f\u9ed1\u5ba2\u653b\u64ca\u5c0d\u8c61\u3002
\u4efb\u4f55\u4e00\u500b\u9ed1\u5ba2\u5728\u9023\u63a5\u4e86\u5ba2\u6236\u8207\u4f3a\u670d\u5668\u4e4b\u9593\u7684\u7db2\u6bb5\u5f8c\uff0c\u53ef\u4ee5\u7528Session Hijacking\u5de5\u5177\u63a5\u7ba1\u6703\u8a71\u3002
ex:
\u7576\u4e00\u500b\u5408\u6cd5\u7528\u6236\u767b\u9304\u5230\u547d\u4ee4\u884c\u9032\u884c\u6703\u8a71\u6642\uff0c\u9ed1\u5ba2\u53ef\u4ee5\u627e\u5230\u6b64\u6703\u8a71\u4e26\u99ac\u4e0a\u4ee3\u8868\u7528\u6236\u63a5\u7ba1\u6b64\u6703\u8a71\uff0c\u91cd\u65b0\u9023\u63a5\u5ba2\u6236\uff0c\u9019\u6a23\u9ed1\u5ba2\u4fbf\u5b8c\u5168\u63a7\u5236\u9019\u500b\u767b\u9304\uff0c\u9032\u800c\u9ed1\u5ba2\u6210\u70ba\u5408\u6cd5\u7528\u6236\u3002\u800c\u771f\u6b63\u7684\u7528\u6236\u6703\u7c21\u55ae\u5730\u8a8d\u70ba\u7db2\u7d61\u51fa\u6545\u969c\u4e86\uff0c\u5f9e\u800c\u6703\u65b7\u6389\u6703\u8a71\u3002<\/p>\n\n\n\n

ps:session and permanent cookies can be generated while visiting different web sites on the internet<\/p>\n\n\n\n


spoofing vs hijacking<\/strong>
hijacking:\u628a\u5df1\u5b58\u5728\u7684session\u5077\u904e\u4f86
spoofing:\u6b3a\u9a19\u5c0d\u65b9,\u5e38\u898b\u7684\u653b\u64ca\u6709 arp spoofing<\/p>\n\n\n\n

…………………………………………….<\/p>\n\n\n\n

three broad phases of session hijacking:<\/strong>
1 tracking the connection
2 desynchronizing the connection
3 injecting the attacker’s packet<\/p>\n\n\n\n

session hijacking steps<\/strong>
1 place yourself between the victim and the target
2 monitor the flow of packets
3 predict the sequence number
\u8981\u628a\u53e6\u4e00\u500b\u4eba\u8e22\u6389,\u8b93sequence number\u4e82\u6389,\u8b93\u5c0d\u65b9\u6536\u5230\u4e0d\u662f\u4ed6\u9810\u671f,\u7531\u65bc\u90fd\u6703\u8981\u6c42seq\u6703\u9020\u6210\u5169\u908a\u4e0d\u5c0d\u7a31,\u56e0\u6b64\u5bb9\u6613\u7522\u751fack storm
4 kill the connection to the victim’s machine
5 take over the session
6 start injecting packets to the target server<\/p>\n\n\n\n

…………………………………………………………………………………………………………………………………………<\/p>\n\n\n\n

types of session hijacking<\/strong>
active:\u4e3b\u52d5\u52ab\u6301\u5247\u662f\u5c07\u6703\u8a71\u7576\u4e2d\u7684\u67d0\u4e00\u53f0\u4e3b\u6a5f\u300c\u8e22\u300d\u4e0b\u7dda\uff0c\u7136\u5f8c\u7531\u653b\u64ca\u8005\u53d6\u4ee3\u4e26\u63a5\u7ba1\u6703\u8a71
\u5047\u8a2d\u539f\u672c\u662fa<->b,\u653b\u64ca\u8005\u662fc,\u653b\u64ca\u5f8c\u8b8aa<->c
passive:\u88ab\u52d5\u52ab\u6301\u5be6\u969b\u4e0a\u5c31\u662f\u5728\u5f8c\u53f0\u76e3\u8996\u96d9\u65b9\u6703\u8a71\u7684\u6578\u64da\u6d41\uff0c\u5f9e\u4e2d\u7372\u5f97\u654f\u611f\u6578\u64da
\u5047\u8a2d\u539f\u672c\u662fa<->b,\u653b\u64ca\u8005\u662fc,\u653b\u64ca\u5f8c\u8b8a a<->c<->b<\/p>\n\n\n\n

session hijacking leves:
network level hijacking<\/strong>
\u3000tcp\/ip hijacking
\u3000ip spofing:source routed packets
\u3000rst hijacking
\u3000blind hijacking
\u3000man-in-the-middle:packet sniffer
\u3000udp hijacking
application level hijacking<\/strong>
\u3000obtaining session id’s
\u3000sniffing
\u3000brute force
\u3000misdirected trust<\/p>\n\n\n\n

…………………………………………………………………………………………..<\/p>\n\n\n\n

network level hijacking<\/strong>
implement on the data flow of protocol shared by all web applications
attack on network level sessions provids some critical information to the attacker which is used to attack application level sessions<\/p>\n\n\n\n

sequence number prediction<\/strong>
\u5148\u4e86\u89e3\u5c0d\u65b9sequence number\u5982\u4f55\u9001
attacker \u7528\u81ea\u5df1\u7684ip\u9023\u7dda\u5230server,\u8a18\u9304\u5c0d\u65b9\u56de\u50b3sequence number\u7684\u7bc4\u570d,\u901a\u5e38\u662f\u96a8\u6a5f\u7684\u4f46\u4e0d\u6703\u5dee\u592a\u591a
\u63a5\u8457\u507d\u5192\u53e6\u4e00\u7aefip,\u4e14\u8a2d\u5b9a\u4e0d\u6703\u6536\u5230\u8a0a\u606f\u5f8c,\u958b\u59cb\u731c\u6e2csequence number\u662f\u5426\u53ef\u884c
\u56e0\u6b64\u5efa\u8b70\u4f7f\u7528unpredictable sequence numbers\u4f86\u9810\u9632
…..<\/p>\n\n\n\n

tcp\/ip hijacking<\/strong>
use spoofed packets to take over a connection between a victim and a target machine
ps:attacker\u548cvictim\u9700\u5728same network<\/p>\n\n\n\n

steps:
1 the victim’s connection is sniffed by gaining his\/her sequence numbers
2 using the sequence number,the attacker sends a spoofed packet from the victim’s system to the pc_b
3 the pc_b responds to the victim,assuming that the packet has arrived from it ,thus incrementing the sequence number
ps:\u901a\u5e38\u6703\u4e2d\u65b7
…..<\/p>\n\n\n\n

ip spoofing<\/strong>
\u4f7f\u7528source routed packets\u65b9\u5f0f,\u8b93packet\u4e0d\u7ba1\u600e\u9ebc\u8d70,\u90fd\u6703\u7d93\u904eattacker
ps:\u5728internet\u901a\u5e38\u7121\u6548,\u56e0\u70ba\u5927\u90e8\u4efdrouter\u5df1\u95dc\u9589\u6b64\u529f\u80fd
ps:\u76ee\u524d\u9084\u662f\u6982\u5ff5<\/p>\n\n\n\n

…..<\/p>\n\n\n\n

rst hijacking<\/strong>
a from of tcp\/ip hijacking where a reset packet is added
step:
1attacker:
spoofed source address with predicted ack number,\u4e26\u50b3\u9001reset packet\u7d66victim
2victim:
\u6536\u5230reset packet\u5f8cconnection reset
ps:\u901a\u5e38\u662f\u914d\u5408\u5176\u4ed6\u653b\u64ca<\/p>\n\n\n\n

…..<\/p>\n\n\n\n

blind hijacking<\/strong>
\u4e0d\u7ba1\u6709\u6c92\u6709\u770b\u5230,\u6216\u8005\u662f\u5c0d\u65b9\u56de\u61c9\u6709\u6c92\u6709\u5230\u6211\u9019\u88e1,\u90fd\u6c92\u95dc\u4fc2,\u53cd\u6b63\u9019\u4e9b\u6771\u897f\u5c31\u9001\u904e\u53bb
inject the malicious data or commands into the intercepted communicatins in the tcp session even if the source routing is disabled
send the data or comments but has no access to see the response<\/p>\n\n\n\n

…..<\/p>\n\n\n\n

MITM(man-in-the-middle)<\/strong>
\u6cdb\u6307\u6240\u6709\u4ee5\u4e2d\u9593\u4eba\u65b9\u5f0f\u4ecb\u5165,\u4e26\u6b3a\u9a19\u901a\u8a0a\u96d9\u65b9\u5176\u4e2d\u9593\u4eba\u70ba\u76ee\u6a19\u4e4b\u884c\u70ba
\u53ef\u7528\u4ee5\u4e0b\u65b9\u6cd5\u5be6\u505a
icmp:\u4f7f\u7528type 5 Redirect Message
arp spoofing
bgp(Border Gateway Protocol)
dns spoofing,\u7528proxy,fake dns,\u6b3a\u9a19user\u9023\u5230fake web,\u518d\u5e6buser\u9023\u5230\u771f\u7684web<\/p>\n\n\n\n

replay attack(\u91cd\u9001\u653b\u64ca)
Session hijack\u5c31\u662f\u5176\u4e2d\u7684\u4e00\u79cd
\u85c9\u7531\u91cd\u8986\u9001\u51fa\u67d0\u4e9b\u5c01\u5305\u4f86\u9054\u6210\u653b\u64ca\u76ee\u7684\u7684\u624b\u6bb5
\u505a\u6cd5:C\u6514\u622aA\u9001\u7d66B\u7684\u5c01\u5305,\u518d\u5c07\u6b64\u5c01\u5305\u539f\u5c01\u4e0d\u52d5\u7684\u9001\u7d66B
\u7576\u653b\u64ca\u8005\u8907\u88fd\u5169\u65b9\u4e4b\u9593\u7684\u8a0a\u606f\u8cc7\u6599\u6d41\uff0c\u4e26\u4e14\u5c0d\u5176\u4e2d\u4e00\u65b9\u6216\u591a\u65b9\u91cd\u65b0\u57f7\u884c\u8cc7\u6599\u6d41,\u53d7\u5230\u653b\u64ca\u7684\u96fb\u8166\u6703\u5c07\u8cc7\u6599\u6d41\u7576\u6210\u5408\u6cd5\u8a0a\u606f\u4f86\u8655\u7406\uff0c\u5c0e\u81f4\u767c\u751f\u4e00\u9023\u4e32\u8ca0\u9762\u7684\u5f71\u97ff\uff0c\u4f8b\u5982\u9805\u76ee\u7684\u91cd\u8907\u6392\u5e8f\u3002
\u5165\u4fb5\u8005\u4f7f\u7528\u5c01\u5305\u6536\u96c6\u8edf\u9ad4\u65bc\u7db2\u8def\u901a\u8a0a\u6642\u5c07\u4f60\u52a0\u5bc6\u53ca\u7c3d\u7ae0\u7684\u8a8d\u8b49\u5c01\u5305\u6514\u622a\u4e0b\u4f86\uff0c\u4e4b\u5f8c\u518d\u5c07\u5b83\u91cd\u9001\u8b02\u7d66\u8a8d\u8b49\u4f3a\u670d\u5668\u5373\u53ef\u901a\u904e\u8a8d\u8b49\u800c\u5165\u4fb5\u7cfb\u7d71
ex:
\u5047\u8a2dAlice\u5411Bob\u8a8d\u8b49\u81ea\u5df1\u3002Bob\u8981\u6c42\u5979\u63d0\u4f9b\u5bc6\u78bc\u4f5c\u70ba\u8eab\u4efd\u4fe1\u606f\u3002\u540c\u6642\uff0cEve\u7aca\u807d\u4e86\u5169\u4eba\u7684\u901a\u8a0a\uff0c\u4e26\u8a18\u9304\u4e86\u5bc6\u78bc\u3002\u5728Alice\u548cBob \u5b8c\u6210\u901a\u8a0a\u5f8c\uff0cEve\u806f\u7e6bBob\uff0c\u5047\u88dd\u81ea\u5df1\u70baAlice\uff0c\u7576Bob\u8981\u6c42\u5bc6\u78bc\u6642\uff0cEve\u5c07Alice\u7684\u5bc6\u78bc\u767c\u51fa\uff0cBob\u8a8d\u53ef\u548c\u81ea\u5df1\u901a\u8a0a\u7684\u4eba\u662fAlice\u3002
\u9810\u9632\u65b9\u6cd5\u6709:
\u63a1\u7528Challenge-Response\u7684\u6a5f\u5236\uff0c\u78ba\u5b9a Request\u8a0a\u606f\u8207Response\u8a0a\u606f\u662f\u6210\u5c0d\u7684\u95dc\u4fc2
\u53ef\u5728\u50b3\u9001\u7684\u8a0a\u606f\u4e0a\u52a0\u5165\u6642\u6233(time stamp)\u6216\u5e8f\u865f(sequence number),\u8b93Server\u53ef\u6aa2\u5bdf\u5c01\u5305\u662f\u5426\u88ab\u91cd\u9001
\u63a1\u7528\u4e00\u6b21\u901a\u884c\u78bc (One-Time Password)\u65b9\u5f0f\u9632\u6b62\u91cd\u9001\u653b\u64ca<\/p>\n\n\n\n

…..<\/p>\n\n\n\n

udp hijacking<\/strong>
victim\u57f7\u884c udp\u67e5\u8a62\u6642,\u5728\u771f\u6b63\u56de\u61c9\u56de\u4f86\u4e4b\u524d,attacker\u5c31\u9001\u4e00\u500b\u5047\u7684\u7d66victim,\u5047\u7684udp\u53ef\u5305\u542b\u60e1\u610f\u8cc7\u8a0a
ex:victim\u57f7\u884cdns query\u6642,attacker\u9001\u4e00\u500b\u5047\u7684dns response,\u8b93victim\u53bb\u932f\u8aa4\u7684\u5730\u65b9
the hacker has to send the forged server reply to client udp before the server responds to it<\/p>\n\n\n\n

…………………………………………………………………………………………..<\/p>\n\n\n\n

application level hijacking<\/strong>
the attacker gains the session id’s to get control of the existing session or even create a new unauthorized session<\/p>\n\n\n\n

obtaining session id’s<\/strong>
session id\u53ef\u4ee5\u5728\u4ee5\u4e0b\u5730\u65b9\u767c\u73fe
http get request
form
cookie<\/p>\n\n\n\n

sniffing<\/strong>
intercepted session id<\/p>\n\n\n\n

brute force<\/strong>
guess the session ids
attacker can conduct 1000 session id guesses per second using a domestic dsl line<\/p>\n\n\n\n

misdirected trust<\/strong>
\u4f7f\u7528 xxs\u6216html injection\u5c07victim\u91cd\u5c0e\u5230\u53e6\u4e00\u500b\u60e1\u610f\u7db2\u9801\u53d6\u5f97session id<\/p>\n\n\n\n

ps:
\u53c3\u6578 secure\u6307\u51fa\u6b64cookie\u5c07\u53ea\u6709\u5728\u5b89\u5168\u7684HTTPS\u9023\u7d50\u6642\u50b3\u9001\u3002<\/p>\n\n\n\n

…………………………………………….<\/p>\n\n\n\n

session hijacking tools
tty watcher:for solaris
ip watcher:a commercial session hijacking tool
remote tcp session reset utility:\u53ef\u5c07\u5c0d\u65b9reset
paros http hijacker:MITM proxy,\u6536\u5230\u5c0d\u65b9\u5c01\u5305\u5f8c\u53ef\u4fee\u6539\u5f8c\u5728\u9001\u51fa
dnshijacker:\u57f7\u884cdns spoof
hiksuite
Hunt:It is useful with telnet, ftp, and others to grab traffic between two computers or to hijack sessions
juggernaut: \u4f5c\u8005\u662fdaemon9<\/p>\n\n\n\n

…………………………………………….<\/p>\n\n\n\n

countermeasures:<\/strong>
use encryption:\u5169\u7aef\u52a0\u5bc6\u4e2d\u9593\u4e0d\u592a\u5bb9\u6613\u770b\u5230
use a secure protocol:\u4f7f\u7528ipsec,\u8a8d\u8b49,\u8cc7\u6599\u5b8c\u6574\u6027,…\u7b49
limit incoming connections
minimize remote access
educate the employees<\/p>\n\n\n\n

Session Hijacking\u9632\u7bc4
\u5c0d\u65bc\u654f\u611f\u7684\u6703\u8a71\u901a\u8a0a\uff08\u5982\u9632\u706b\u7246\u7684\u9060\u7aef\u7ba1\u7406\u3001PKI\u6216\u662f\u5176\u4ed6\u91cd\u8981\u90e8\u4ef6\u7684\u7ba1\u7406\uff09\uff0c\u9078\u7528\u4e00\u500b\u6709\u5bc6\u78bc\u8a8d\u8b49\u529f\u80fd\u7684\u5de5\u5177\u628a\u6574\u500b\u6703\u8a71\u52a0\u5bc6\u662f\u4e00\u500b\u597d\u9078\u64c7\u3002
Secure Shell (SSH)\u5c31\u63d0\u4f9b\u9019\u4e9b\u529f\u80fd\u3002VPN\u7522\u54c1\u4e5f\u63d0\u4f9b\u8a8d\u8b49\u53ca\u6703\u8a71\u52a0\u5bc6\u3002\u9ed1\u5ba2\u6c92\u6709\u5728SSH\u6216VPN\u5de5\u5177\u88e1\u6240\u7528\u7684\u9470\u5319\u4fbf\u7121\u6cd5\u9032\u884c\u6703\u8a71\u653b\u64ca\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"

session hijacking\u63a5\u7ba1\u73fe\u5b58\u52d5\u614b\u6703\u8a71\u7684\u904e\u7a0bre …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[39],"tags":[],"class_list":["post-405","post","type-post","status-publish","format-standard","hentry","category-concept"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/405","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=405"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/405\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=405"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=405"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=405"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}