
CEH Lab Manual

Session Hijacking
Module 11
Module 11 - Session Hijacking
Hijacking Sessions
Session hijacking refers to the exploitation of a valid computer session, wherein an attacker takes over a session between two computers.
Lab Scenario
Source: http://krebsonsecurity.com/2012/11/yahoo-email-stealing-exploit-fetches-700
According to KrebsOnSecurity news and investigation, a zero-day vulnerability in yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to malicious websites offers a fascinating glimpse into the underground market for large-scale exploits.
The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a cross-site scripting (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! webmail users. Such a flaw would let attackers send or read email from the victim's account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
KrebsOnSecurity.com alerted Yahoo! to the vulnerability, and the company says it is responding to the issue. Ramses Martinez, director of security at Yahoo!, said the challenge now is working out the exact yahoo.com URL that triggers the exploit, which is difficult to discern from watching the video.
These types of vulnerabilities are a good reminder to be especially cautious about clicking links in emails from strangers or in messages that you were not expecting.
Being an administrator, you should implement security measures at the application level and the network level to protect your network from session hijacking. Network-level hijacking is prevented by packet encryption, which can be obtained by using protocols such as IPSec, SSL, SSH, etc. IPSec allows encryption of packets using a shared key between the two systems involved in the communication. Application-level security is obtained by using strong session IDs. SSL and SSH also provide strong encryption using SSL certificates to prevent session hijacking.
Lab Objectives
The objective of this lab is to help students learn session hijacking and take necessary actions to defend against session hijacking.
In this lab, you will:
Intercept and modify web traffic
ICON KEY
Valuable information
Test your knowledge
Web exercise
Workbook review
Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
CEH Lab Manual Page 716
Simulate a Trojan, which modifies a workstation's proxy server settings
Lab Environment
To carry out this lab, you need:
A computer running Windows Server 2012 as host machine
This lab will run on a Windows 8 virtual machine
Web browser with Internet access
Administrative privileges to configure settings and run tools
Lab Duration
Time: 20 Minutes
Overview of Session Hijacking
Session hijacking refers to the exploitation of a valid computer session where an attacker takes over a session between two computers. The attacker steals a valid session ID, which is used to get into the system and sniff the data.
In TCP session hijacking, an attacker takes over a TCP session between two machines. Since most authentications occur only at the start of a TCP session, this allows the attacker to gain access to a machine.
Lab Tasks
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in session hijacking:
Session hijacking using ZAP
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 11 Session Hijacking
TASK 1
Overview
Lab
Session Hijacking Using Zed Attack Proxy (ZAP)
The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.
Lab Scenario
Attackers are continuously watching for websites to hack, and developers must be prepared to counter malicious hackers by writing strong, secure code. A common form of attack is session hijacking, i.e., accessing a website using someone else's session ID. A session ID might contain credit card details, passwords, and other sensitive information that can be misused by a hacker. Session hijacking attacks are performed either by session ID guessing or by stolen session ID cookies. Session ID guessing involves gathering a sample of session IDs and guessing a valid session ID assigned to someone else. It is always recommended not to replace ASP.NET session IDs with IDs of your own, as this will prevent session ID guessing. Session hijacking using stolen session ID cookies can be prevented by using SSL; however, using cross-site scripting attacks and other methods, attackers can steal the session ID cookies. If an attacker gets ahold of a valid session ID, then ASP.NET connects to the corresponding session with no further authentication.
There are many tools easily available now that attackers use to hack into websites or user details. One of the tools is Firesheep, which is an add-on for Firefox. While you are connected to an unsecure wireless network, this Firefox add-on can sniff the network traffic, capture all your information and provide it to the hacker on the same network. The attacker can now use this information and log in as you.
As an ethical hacker, penetration tester, or security administrator, you should be familiar with network and web authentication mechanisms. In your role of web security administrator, you need to test web server traffic for weak session IDs, insecure handling, identity theft, and information loss. Always ensure that you have an encrypted connection using https, which will make the sniffing of network packets difficult for an attacker. Alternatively, VPN
connections too can be used to stay safe, and advise users to log off once they are done with their work. In this lab you will learn to use the ZAP proxy to intercept requests, perform scanning, etc.
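The two points made above, strong session IDs at the application level and testing web server traffic for weak session IDs and insecure cookie handling, are illustrated by the following Python example. It is added here and is not part of the lab manual or of ZAP. The weak ID scheme, the 64-bit threshold and the captured Set-Cookie header are constructed for the demonstration; the entropy estimate is a per-position Shannon sum over a sample of IDs, which is only an upper bound for structured IDs, so it is meant to flag weak schemes rather than certify strong ones.

```python
"""Added example (not from the CEH lab manual): auditing session IDs and
session cookies the way a web security administrator would after capturing
them through an intercepting proxy."""
import math
import secrets
from collections import Counter
from typing import Iterable, List


def weak_session_id(counter: int, minute: int) -> str:
    """Constructed weak scheme: an issue counter followed by the minute of
    issue. Most digits never change, so a small sample reveals the pattern."""
    return f"{counter:08d}{minute:010d}"


def strong_session_id(nbytes: int = 32) -> str:
    """CSPRNG-backed ID: 32 random bytes (256 bits), URL-safe base64 encoded."""
    return secrets.token_urlsafe(nbytes)


def estimate_entropy_bits(sample: Iterable[str]) -> float:
    """Sum of the per-position Shannon entropy across a sample of IDs.

    Correlations between positions are ignored, so structured IDs are
    over-estimated: a low value is a reliable warning, a high value only
    means 'not obviously weak'."""
    ids = list(sample)
    if not ids:
        raise ValueError("need at least one session ID")
    width = min(len(s) for s in ids)
    n = len(ids)
    bits = 0.0
    for pos in range(width):
        counts = Counter(s[pos] for s in ids)
        bits -= sum(c / n * math.log2(c / n) for c in counts.values())
    return bits


def classify_sample(sample: Iterable[str], min_bits: float = 64.0) -> str:
    """'weak' when the estimate falls below the bar (64 bits is an assumption
    of this example, not a value taken from the lab manual)."""
    return "weak" if estimate_entropy_bits(sample) < min_bits else "acceptable"


def session_cookie(session_id: str) -> str:
    """Set-Cookie value that keeps the ID off plaintext HTTP (Secure), away
    from page script (HttpOnly) and out of cross-site requests (SameSite)."""
    return f"SESSIONID={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/"


def audit_set_cookie(header: str) -> List[str]:
    """Findings for one Set-Cookie header value as captured in a proxy."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    _name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie travels over plain HTTP and can be sniffed")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by injected script (XSS)")
    if "samesite" not in attrs:
        findings.append("missing SameSite: cookie rides along on cross-site requests")
    if len(value) < 16:
        findings.append(f"short value ({len(value)} chars): too little room for entropy")
    return findings


if __name__ == "__main__":
    weak = [weak_session_id(i, 27_000_000) for i in range(200)]
    strong = [strong_session_id() for _ in range(200)]
    print("weak  :", round(estimate_entropy_bits(weak), 1), "bits ->", classify_sample(weak))
    print("strong:", round(estimate_entropy_bits(strong), 1), "bits ->", classify_sample(strong))
    # Constructed header of the kind a proxy shows when a site sets no flags.
    for finding in audit_set_cookie("PHPSESSID=abc123; Path=/"):
        print("finding:", finding)
    print("hardened:", session_cookie(strong_session_id()))
```

Run it as a script to see the two estimates side by side; in practice the sample would be a few hundred Set-Cookie values collected through the proxy from fresh logins, and any scheme that scores in the tens of bits should be replaced by the framework's own CSPRNG-backed generator.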
Lab Objectives
The objective of this lab is to help students learn session hijacking and how to take necessary actions to defend against session hijacking.
In this lab, you will:
Intercept and modify web traffic
Simulate a Trojan, which modifies a workstation's proxy server settings
Lab Environment
To carry out the lab, you need:
Paros Proxy located at D:\CEH-Tools\CEHv8 Module 11 Session Hijacking\Session Hijacking Tools\Zaproxy
You can also download the latest version of ZAP from the link http://code.google.com/p/zaproxy/downloads/list
If you decide to download the latest version, then screenshots shown in the lab might differ
A system running Windows Server 2012 as host machine
Run this tool in a Windows 8 virtual machine
A web browser with Internet access
Administrative privileges to configure settings and run tools
Ensure that Java Runtime Environment (JRE) 7 (or above) is installed. If not, go to http://java.sun.com/j2se to download and install it.
Lab Duration
Time: 20 Minutes
Overview of Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP) is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox. Its features include an intercepting proxy, automated scanner, passive scanner, and spider.
Lab Tasks
1. Log in to your Windows 8 Virtual Machine.
TASK 1
Setting up ZAP
At its heart ZAP is an intercepting proxy. You need to configure your browser to connect to the web application you wish to test through ZAP. If required, you can also configure ZAP to connect through another proxy; this is often necessary in a corporate environment.
2. In the Windows 8 Virtual Machine, follow the wizard-driven installation steps to install ZAP.
3. To launch ZAP after installation, move your mouse cursor to the lower-left corner of your desktop and click Start.
4. Click ZAP 1.4.1 in the Start menu apps.
FIGURE 2.1: Paros proxy main window
You can also download ZAP from http://code.google.com/p/zaproxy/downloads/list
FIGURE 2.2: Paros proxy main window
5. The main interface of ZAP appears, as shown in the following screenshot.
6. It will prompt you with an SSL Root CA certificate. Click Generate to continue.
If you know how to set up proxies in your web browser, then go ahead and give it a go! If you are unsure, then have a look at the Configuring proxies section.
Once you have configured ZAP as your browser's proxy, try to connect to the web application you will be testing. If you cannot connect to it, then check your proxy settings again. You will need to check your browser's proxy settings, and also ZAP's proxy settings.
FIGURE 2.3: Paros proxy main window
7. In the Options window, select Dynamic SSL certificates, then click Generate to generate a certificate. Then click Save.
Active scanning attempts to find potential vulnerabilities by using known attacks against the selected targets. Active scanning is an attack on those targets. You should NOT use it on web applications that you do not own.
It should be noted that active scanning can only find certain types of vulnerabilities. Logical vulnerabilities, such as broken access control, will not be found by any active or automated vulnerability scanning. Manual penetration testing should always be performed in addition to active scanning to find all types of vulnerabilities.
8. Save the certificate in the default location of ZAP. If the certificate already exists, replace it with the new one.
FIGURE 2.4: Paros proxy main window
An alert is a potential vulnerability and is associated with a specific request. A request can have more than one alert.
9. Click OK in the Options window.
Anti-CSRF tokens are (pseudo) random parameters used to protect against Cross Site Request Forgery (CSRF) attacks. However, they also make a penetration tester's job harder, especially if the tokens are regenerated every time a form is requested.
10. Your Paros proxy server is now ready to intercept requests.

FIGURE 2.5: Paros proxy main window
FIGURE 2.7: Paros proxy main window
11. Launch any web browser; in this lab we are using the Chrome browser.
12. Your VM workstation should have Chrome version 22.0 or later installed.
13. Change the proxy server settings in Chrome by clicking the Customize and control Google Chrome button, and then click Settings.
ZAP detects anti-CSRF tokens purely by attribute names; the list of attribute names considered to be anti-CSRF tokens is configured using the Options Anti CSRF screen. When ZAP detects these tokens it records the token value and which URL generated the token.
FIGURE 2.8: IE Internet Options window
14. On the Google Chrome Settings page, click the Show advanced settings... link at the bottom of the page, and then click the Change proxy settings... button.
ZAP provides an Application Programming Interface (API) which allows you to interact with ZAP programmatically. The API is available in JSON, HTML and XML formats. The API documentation is available via the URL http://zap/ when you are proxying via ZAP.
FIGURE 2.9: Paros proxy main window
15. In the Internet Properties wizard, click Connections and click LAN Settings.
FIGURE 2.10: IE Internet Options window with Connections tab
16. Check Use a proxy server for your LAN, type 127.0.0.1 in the Address field, enter 8080 in the Port field, and click OK.
Click OK several times until all configuration dialog boxes are closed.
It should be noted that there is minimal security built into the API, which is why it is disabled by default. If enabled, then the API is available to all machines that are able to use ZAP as a proxy. By default ZAP listens only on 'localhost' and so can only be used from the host machine.
The API provides access to the core ZAP features such as the active scanner and spider. Future versions of ZAP will increase the functionality available via the API.
FIGURE 2.11: IE Internet Options Window with Proxy Settings Window
17. Click Set break on all requests and Set break on all responses to trap all the requests and responses from the browser.
FIGURE 2.12: Paros proxy main window
18. Now navigate to the Chrome browser, and open www.bing.com.
19. Start a search for Cars.
20. Open ZAP, which shows the first trapped incoming web traffic.
21. Observe the first few lines of the trapped traffic in the trap window, and keep clicking Submit and step to next request or response until you see cars in the GET request in the Break tab, as shown in the following screenshot.
TASK 2
Hijacking Victim's Session
ZAP allows you to try to brute force directories and files. A set of files are provided which contain a large number of file and directory names.
A break point allows you to intercept a request from your browser and to change it before it is submitted to the web application you are testing. You can also change the responses received from the application. The request or response will be displayed in the Break tab, which allows you to change disabled or hidden fields, and will allow you to bypass client-side validation (often enforced using JavaScript). It is an essential penetration testing technique.
FIGURE 2.6: Paros Proxy with Trap option content
22. Now change the query text from Cars to Cakes in the GET request.
23. Click Submit and step to next request or response.
24. Search for a title in the Response pane and replace Cakes with Cars as shown in the following figure.
Filters add extra features that can be applied to every request and response. By default no filters are initially enabled. Enabling all of the filters may slow down the proxy. Future versions of the ZAP User Guide will document the default filters in detail.
Fuzzing is configured using the Options Fuzzing screen. Additional fuzzing files can be added via this screen or can be put manually into the "fuzzers" directory where ZAP was installed; they will then become available after restarting ZAP.
The request or response will be displayed in the Break tab, which allows you to change disabled or hidden fields, and will allow you to bypass client-side validation (often enforced using JavaScript). It is an essential penetration testing technique.
FIGURE 2.7: Paros Proxy search string content
25. In the same Response pane, replace Cakes with Cars as shown in the following figure at the value shown.
This functionality is based on code from the OWASP JBroFuzz project and includes files from the fuzzdb project. Note that some fuzzdb files have been left out as they cause common anti-virus scanners to flag them as containing viruses. You can replace them (and upgrade fuzzdb) by downloading the latest version of fuzzdb and expanding it in the 'fuzzers' library.
This tool keeps track of the existing HTTP Sessions on a particular Site and allows the Zaproxy user to force all requests to be on a particular session. Basically, it allows the user to easily switch between user sessions on a Site and to create a new Session without "destroying" the existing ones.
FIGURE 2.8: Paros with modified trap option content
Note: Here we are changing the text Cakes to Cars; the Bing search shows Cars, whereas the results displayed are for Cakes.
26. Observe the Bing search web page displayed in the browser with the search query as Cakes.
FIGURE 2.6: Search results window after modifying the content
27. That's it. You just forced an unsuspecting web browser to go to any page of your choosing.
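Steps 17 to 27 show, by hand in the Break tab, that everything the browser sends and receives is under the control of whoever sits at the proxy, including hidden form fields and anything client-side validation was supposed to protect. The Python example below is added here and is not part of the lab manual or of ZAP: it performs the same query rewrite on a constructed copy of the trapped Bing request, then shows the server-side check that catches such an edit when it is made to a server-rendered hidden field. The checkout form, the host shop.example and the HMAC key are constructed for the demonstration.

```python
"""Added example (not from the CEH lab manual): the query rewrite that the
Break tab performs by hand, done in code, and a server-side integrity check
that catches the same edit when it is applied to a hidden form field."""
import hashlib
import hmac
from typing import Dict, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed request, modelled on the Bing search request trapped in the lab.
RAW_REQUEST = (
    "GET /search?q=Cars&go=&qs=n&form=QBLH&filt=all&pq=cars&sc=0-0 HTTP/1.1\r\n"
    "Host: www.bing.com\r\n"
    "Proxy-Connection: keep-alive\r\n"
    "Accept: text/html,application/xhtml+xml\r\n"
    "\r\n"
)


def rewrite_query_param(raw_request: str, name: str, new_value: str) -> str:
    """Replace one query-string parameter in the request line and re-serialise
    the request; headers and body pass through untouched (step 22 in code)."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    url = urlsplit(target)
    params = [(k, new_value if k == name else v)
              for k, v in parse_qsl(url.query, keep_blank_values=True)]
    lines[0] = f"{method} {urlunsplit(url._replace(query=urlencode(params)))} {version}"
    return "\r\n".join(lines) + sep + body


def query_params(raw_request: str) -> Dict[str, str]:
    """Query parameters of a request as the server would see them."""
    target = raw_request.split("\r\n", 1)[0].split(" ")[1]
    return dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))


def sign_order(item: str, price: str, key: bytes) -> str:
    """HMAC over the fields the server rendered into the form, so neither the
    browser nor a proxy behind it can change them unnoticed."""
    return hmac.new(key, f"{item}|{price}".encode(), hashlib.sha256).hexdigest()


def checkout_request(item: str, price: str, key: bytes) -> str:
    """Constructed request a browser sends from a form whose hidden price
    field was signed by the server when the page was rendered."""
    query = urlencode({"item": item, "price": price, "sig": sign_order(item, price, key)})
    return f"GET /checkout?{query} HTTP/1.1\r\nHost: shop.example\r\n\r\n"


def handle_checkout(raw_request: str, key: bytes) -> Tuple[str, object]:
    """Server side: recompute the signature before trusting the price.
    Client-side validation cannot help here; the Break tab bypasses it."""
    p = query_params(raw_request)
    expected = sign_order(p.get("item", ""), p.get("price", ""), key)
    if not hmac.compare_digest(expected, p.get("sig", "")):
        return ("rejected", "hidden field does not match its signature")
    return ("ok", int(p["price"]))


if __name__ == "__main__":
    edited = rewrite_query_param(RAW_REQUEST, "q", "Cakes")
    print(edited.split("\r\n")[0])  # request line now carries q=Cakes
    key = b"constructed-server-secret"
    genuine = checkout_request("sku-42", "1999", key)
    tampered = rewrite_query_param(genuine, "price", "1")
    print(handle_checkout(genuine, key))   # ('ok', 1999)
    print(handle_checkout(tampered, key))  # ('rejected', ...)
```

The signature binds item and price together, so swapping the price of one item for another is rejected as well as editing the digits; the alternative of not sending the price at all and looking it up server-side removes the hidden field entirely, which is the better design where the catalogue is available to the request handler.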
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
It is based on the concept of Session Tokens, which are HTTP message parameters (for now only Cookies) which allow an HTTP server to connect a request message with any previous requests or data stored. In the case of Zaproxy, conceptually, session tokens have been classified into 2 categories: default session tokens and site session tokens. The default session tokens are the ones that the user can set in the Options Screen and are tokens that are, by default, automatically considered session tokens for any site (e.g. phpsessid, jsessionid, etc). The site session tokens are a set of tokens for a particular site and are usually set up using the popup menus available in the Params Tab.
Tool/Utility        Information Collected/Objectives Achieved
Zed Attack Proxy    SSL certificate to hack into a website
                    Redirecting the request made in Bing
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Questions
1. Evaluate each of the following Paros proxy options:
a. Trap Request
b. Trap Response
c. Continue Button
d. Drop Button
Internet Connection Required
[x] Yes   [ ] No
Platform Supported
[x] Classroom   [ ] iLabs
