Post on 09-Oct-2015
CEH Lab Manual
Session Hijacking - Module 11
Module 11 - Session Hijacking
Hijacking Sessions
Session hijacking refers to the exploitation of a valid computer session, wherein an attacker takes over a session between two computers.
Lab Scenario
Source: http://krebsonsecurity.com/2012/11/yahoo-email-stealing-exploit-fetches-700
According to KrebsOnSecurity news and investigation, a zero-day vulnerability in yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to malicious websites offers a fascinating glimpse into the underground market for large-scale exploits.
The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a cross-site scripting (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! webmail users. Such a flaw would let attackers send or read email from the victim's account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
KrebsOnSecurity.com alerted Yahoo! to the vulnerability, and the company says it is responding to the issue. Ramses Martinez, director of security at Yahoo!, said the challenge now is working out the exact yahoo.com URL that triggers the exploit, which is difficult to discern from watching the video.
These types of vulnerabilities are a good reminder to be especially cautious about clicking links in emails from strangers or in messages that you were not expecting.
Being an administrator, you should implement security measures at the application level and the network level to protect your network from session hijacking. Network-level hijacks are prevented by packet encryption, which can be obtained by using protocols such as IPSEC, SSL, SSH, etc. IPSEC allows encryption of packets using a shared key between the two systems involved in the communication.
Application-level security is obtained by using strong session IDs. SSL and SSH also provide strong encryption using SSL certificates to prevent session hijacking.
Lab Objectives
The objective of this lab is to help students learn session hijacking and take necessary actions to defend against session hijacking.
In this lab, you will:
- Intercept and modify web traffic
Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
CEH Lab Manual Page 716
- Simulate a Trojan, which modifies a workstation's proxy server settings
Lab Environment
To carry out this lab, you need:
- A computer running Windows Server 2012 as host machine
- This lab will run on a Windows 8 virtual machine
- Web browser with Internet access
- Administrative privileges to configure settings and run tools
Lab Duration
Time: 20 Minutes
Overview of Session Hijacking
Session hijacking refers to the exploitation of a valid computer session where an attacker takes over a session between two computers. The attacker steals a valid session ID, which is used to get into the system and sniff the data.
In TCP session hijacking, an attacker takes over a TCP session between two machines. Since most authentications occur only at the start of a TCP session, this allows the attacker to gain access to a machine.
Lab Tasks
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in session hijacking:
- Session hijacking using ZAP
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 11 Session Hijacking
TASK 1: Overview
Lab: Session Hijacking Using Zed Attack Proxy (ZAP)
The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.
Lab Scenario
Attackers are continuously watching for websites to hack, and developers must be prepared to counter-attack malicious hackers by writing strong, secure code. A common form of attack is session hijacking, i.e., accessing a website using someone else's session ID. A session ID might contain credit card details, passwords, and other sensitive information that can be misused by a hacker.
Session hijacking attacks are performed either by session ID guessing or by stolen session ID cookies. Session ID guessing involves gathering a sample of session IDs and guessing a valid session ID assigned to someone else. It is always recommended not to replace ASP.NET session IDs with IDs of your own, as this will prevent session ID guessing. Stolen session ID cookie session hijacking attacks can be prevented by using SSL; however, using cross-site scripting attacks and other methods, attackers can steal the session ID cookies. If an attacker gets hold of a valid session ID, then ASP.NET connects to the corresponding session with no further authentication.
There are many tools easily available now that attackers use to hack into websites or user details. One of the tools is Firesheep, which is an add-on for Firefox. While you are connected to an unsecure wireless network, this Firefox add-on can sniff the network traffic, capture all your information, and provide it to the hacker on the same network. The attacker can now use this information and log in as you.
As an ethical hacker, penetration tester, or security administrator, you should be familiar with network and web authentication mechanisms. In your role of web security administrator, you need to test web server traffic for weak session IDs, insecure handling, identity theft, and information loss. Always ensure that you have an encrypted connection using https, which will make the sniffing of network packets difficult for an attacker. Alternatively, VPN connections too can be used to stay safe, and advise users to log off once they are done with their work. In this lab you will learn to use ZAP proxy to intercept proxies, scanning, etc.
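The scenario above names two ways a session gets hijacked (a guessable session ID, or a session cookie stolen over an unencrypted network or through XSS) and asks the web security administrator to test server traffic for weak session IDs. The following Python script is an added example, not part of the EC-Council manual or of ZAP: it audits the Set-Cookie headers of a captured response for the Secure, HttpOnly and SameSite attributes, and gives a rough guessability estimate for a sample of session IDs. The cookie names, responses and IDs are constructed for the example.

```python
"""Session-cookie audit for the two hijacking paths the lab describes:
stolen session cookies and guessable session IDs.  All inputs are
constructed samples; nothing here talks to a network."""
import math
import re
from collections import Counter

# Cookie names that usually carry a session identifier (assumption: extend
# this set for the application under test).
SESSION_COOKIE_NAMES = {"asp.net_sessionid", "phpsessid", "jsessionid", "sessionid"}


def parse_set_cookies(raw_response):
    """Return every Set-Cookie header of a raw HTTP response as a dict with
    'name', 'value' and 'attrs'; attribute names are lower-cased and
    flag attributes (Secure, HttpOnly) map to True."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        hname, _, hvalue = line.partition(":")
        if hname.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in hvalue.split(";")]
        cname, _, cval = parts[0].partition("=")
        attrs = {}
        for part in parts[1:]:
            k, _, v = part.partition("=")
            attrs[k.strip().lower()] = v.strip() if v else True
        cookies.append({"name": cname.strip(), "value": cval.strip(), "attrs": attrs})
    return cookies


def audit_session_cookie(cookie):
    """Findings for one session cookie; an empty list means nothing found."""
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie also travels over plain HTTP and can be sniffed on an open network")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: script injected via XSS can read the cookie")
    if "samesite" not in attrs:
        findings.append("missing SameSite: cookie is attached to cross-site requests")
    return findings


def audit_response(raw_response):
    """Map each session cookie set by the response to its findings."""
    return {c["name"]: audit_session_cookie(c)
            for c in parse_set_cookies(raw_response)
            if c["name"].lower() in SESSION_COOKIE_NAMES}


def positional_entropy_bits(ids):
    """Rough guessability estimate for a sample of session IDs: the sum over
    character positions of the Shannon entropy observed at that position.
    It is bounded by len(id) * log2(len(ids)), so a small sample can only
    demonstrate weakness, never prove strength."""
    width = min(len(i) for i in ids)
    n = len(ids)
    total = 0.0
    for pos in range(width):
        counts = Counter(i[pos] for i in ids)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def ids_look_sequential(ids):
    """True when the IDs are decimal integers that differ by a constant step,
    the classic guessable-ID pattern."""
    if len(ids) < 2 or not all(re.fullmatch(r"\d+", i) for i in ids):
        return False
    nums = sorted(int(i) for i in ids)
    step = nums[1] - nums[0]
    return step != 0 and all(b - a == step for a, b in zip(nums, nums[1:]))


# Constructed samples: a weak response and a hardened one, plus two ID sets.
WEAK_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                 "Content-Type: text/html; charset=utf-8\r\n"
                 "Set-Cookie: ASP.NET_SessionId=1004; Path=/\r\n"
                 "\r\n<html></html>")
HARDENED_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                     "Content-Type: text/html; charset=utf-8\r\n"
                     "Set-Cookie: ASP.NET_SessionId=0f3a9c4e1b7d2a86; Path=/; "
                     "Secure; HttpOnly; SameSite=Lax\r\n"
                     "\r\n<html></html>")
SEQUENTIAL_IDS = ["1001", "1002", "1003", "1004"]   # constructed, guessable
RANDOM_IDS = ["7f3a", "0c91", "e5d2", "a48b"]       # constructed, not from a server

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp))
    for label, ids in (("sequential", SEQUENTIAL_IDS), ("random", RANDOM_IDS)):
        print(label, "sequential=%s entropy=%.1f bits"
              % (ids_look_sequential(ids), positional_entropy_bits(ids)))
```

Responses copied out of ZAP's Response pane can be fed to audit_response as-is, since the Break tab shows the raw header block the parser expects.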
Lab Objectives
The objective of this lab is to help students learn session hijacking and how to take necessary actions to defend against session hijacking.
In this lab, you will:
- Intercept and modify web traffic
- Simulate a Trojan, which modifies a workstation's proxy server settings
Lab Environment
To carry out the lab, you need:
- Paros Proxy located at D:\CEH-Tools\CEHv8 Module 11 Session Hijacking\Session Hijacking Tools\Zaproxy
- You can also download the latest version of ZAP from the link http://code.google.com/p/zaproxy/downloads/list
- If you decide to download the latest version, then screenshots shown in the lab might differ
- A system running Windows Server 2012 as host machine
- Run this tool in a Windows 8 Virtual Machine
- A web browser with Internet access
- Administrative privileges to configure settings and run tools
- Ensure that Java Runtime Environment (JRE) 7 (or above) is installed. If not, go to http://java.sun.com/j2se to download and install it.
Lab Duration
Time: 20 Minutes
Overview of Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP) is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pentester's toolbox. Its features include an intercepting proxy, automated scanner, passive scanner, and spider.
Lab Tasks
1. Log in to your Windows 8 Virtual Machine.
TASK 1: Setting up ZAP
FIGURE 2.1: Paros proxy main window
Note: At its heart ZAP is an intercepting proxy. You need to configure your browser to connect to the web application you wish to test through ZAP. If required you can also configure ZAP to connect through another proxy - this is often necessary in a corporate environment.
2. In the Windows 8 Virtual Machine, follow the wizard-driven installation steps to install ZAP.
3. To launch ZAP after installation, move your mouse cursor to the lower-left corner of your desktop and click Start.
4. Click ZAP 1.4.1 in the Start menu apps.
Note: You can also download ZAP from http://code.google.com/p/zaproxy/downloads/list
FIGURE 2.2: Paros proxy main window
5. The main interface of ZAP appears, as shown in the following screenshot.
6. It will prompt you with an SSL Root CA certificate. Click Generate to continue.
Note: If you know how to set up proxies in your web browser then go ahead and give it a go! If you are unsure then have a look at the Configuring proxies section.
Note: Once you have configured ZAP as your browser's proxy, try to connect to the web application you will be testing. If you cannot connect to it, check your proxy settings again. You will need to check your browser's proxy settings, and also ZAP's proxy settings.
FIGURE 2.3: Paros proxy main window
7. In the Options window, select Dynamic SSL certificates, then click Generate to generate a certificate. Then click Save.
Note: Active scanning attempts to find potential vulnerabilities by using known attacks against the selected targets. Active scanning is an attack on those targets. You should NOT use it on web applications that you do not own.
Note: It should be noted that active scanning can only find certain types of vulnerabilities. Logical vulnerabilities, such as broken access control, will not be found by any active or automated vulnerability scanning. Manual penetration testing should always be performed in addition to active scanning to find all types of vulnerabilities.
8. Save the certificate in the default location of ZAP. If the certificate already exists, replace it with the new one.
[Screenshot: ZAP Options window, Certificate section, showing the Root CA certificate]
Note: An alert is a potential vulnerability and is associated with a specific request. A request can have more than one alert.
9. Click OK in the Options window.
Note: Anti CSRF tokens are (pseudo) random parameters used to protect against Cross Site Request Forgery (CSRF) attacks. However, they also make a penetration tester's job harder, especially if the tokens are regenerated every time a form is requested.
10. Your Paros proxy server is now ready to intercept requests.
FIGURE 2.7: Paros proxy main window
11. Launch any web browser. In this lab we are using the Chrome browser.
12. Your VM workstation should have Chrome version 22.0 or later installed.
13. Change the Proxy Server settings in Chrome by clicking the Customize and control Google Chrome button, and then click Settings.
Note: ZAP detects anti CSRF tokens purely by attribute names - the list of attribute names considered to be anti CSRF tokens is configured using the Options Anti CSRF screen. When ZAP detects these tokens it records the token value and which URL generated the token.
FIGURE 2.8: IE Internet Options window
14. On the Google Chrome Settings page, click the Show advanced settings... link at the bottom of the page, and then click the Change proxy settings... button.
Note: ZAP provides an Application Programming Interface (API) which allows you to interact with ZAP programmatically. The API is available in JSON, HTML and XML formats. The API documentation is available via the URL http://zap/ when you are proxying via ZAP.
[Screenshot: Local Area Network (LAN) Settings dialog. Under Automatic configuration: "Automatic configuration may override manual settings. To ensure the use of manual settings, disable automatic configuration." Under Proxy server: "Use a proxy server for your LAN (These settings will not apply to dial-up or VPN connections)", Address: 127.0.0.1, Port: 8080, "Bypass proxy server for local addresses".]
Note: It should be noted that there is minimal security built in to the API, which is why it is disabled by default. If enabled, the API is available to all machines that are able to use ZAP as a proxy. By default ZAP listens only on 'localhost' and so can only be used from the host machine.
The API provides access to the core ZAP features such as the active scanner and spider. Future versions of ZAP will increase the functionality available via the API.
FIGURE 2.11: IE Internet Options Window with Proxy Settings Window
17. Click Set break on all requests and Set break on all responses to trap all the requests and responses from the browser.
FIGURE 2.12: Paros proxy main window
18. Now navigate to the Chrome browser, and open www.bing.com.
19. Start a search for Cars.
20. Open ZAP, which shows the first trapped incoming web traffic.
21. Observe the first few lines of the trapped traffic in the trap window, and keep clicking Submit and step to next request or response until you see cars in the GET request in the Break tab, as shown in the following screenshot.
TASK 2: Hijacking Victim's Session
Note: ZAP allows you to try to brute force directories and files. A set of files are provided which contain a large number of file and directory names.
Note: A break point allows you to intercept a request from your browser and to change it before it is submitted to the web application you are testing. You can also change the responses received from the application. The request or response will be displayed in the Break tab, which allows you to change disabled or hidden fields, and will allow you to bypass client side validation (often enforced using javascript). It is an essential penetration testing technique.
[Screenshot: ZAP Break tab showing the trapped request GET http://www.bing.com/search?q=cars&... HTTP/1.1 with headers Host: www.bing.com, Proxy-Connection: keep-alive, User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4, Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, Referer: http://www.bing.com/, Accept-Encoding.]
FIGURE 2.6: Paros Proxy with Trap option content
22. Now change the query text from Cars to Cakes in the GET request.
[Screenshot: the same GET request in the Break tab with the query changed to q=Cakes; the History tab lists two "504 Gateway Time..." entries (389ms).]
23. Click Submit and step to next request or response.
24. Search for a title in the Response pane and replace Cakes with Cars as shown in the following figure.
Note: Filters add extra features that can be applied to every request and response. By default no filters are initially enabled. Enabling all of the filters may slow down the proxy. Future versions of the ZAP User Guide will document the default filters in detail.
Note: Fuzzing is configured using the Options Fuzzing screen. Additional fuzzing files can be added via this screen or can be put manually into the "fuzzers" directory where ZAP was installed - they will then become available after restarting ZAP.
[Screenshot: ZAP Response tab showing HTTP/1.1 200 OK with Cache-Control: private, max-age=0, Content-Type: text/html; charset=utf-8, Expires: Mon, 15 Oct 2012 12:30:19 GMT, a P3P header, and a page body containing <title>cakes - Bing</title>. A second capture shows the same response after editing, with <title>cars - Bing</title>. The History tab lists two "504 Gateway Time..." entries (389ms).]
FIGURE 2.7: Paros Proxy search string content
25. In the same Response pane, replace Cakes with Cars at the value shown in the following figure.
[Screenshot: the same HTTP/1.1 200 OK response in the Response pane, showing the body value where Cakes is replaced with Cars.]
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Evaluate each of the following Paros proxy options:
a. Trap Request
b. Trap Response
c. Continue Button
d. Drop Button
Internet Connection Required: [x] Yes [ ] No
Platform Supported: [x] Classroom [ ] iLabs