We have already covered some MITM (Man-in-the-Middle) attacks in previous articles, which you can read about: ARP spoofing and DNS spoofing. Now it's time to look at Session Hijacking.
Session Hijacking, also known as cookie hijacking, is a method used to gain access to an established connection that has already been set up. We are going to look specifically at session hijacking by capturing cookies from HTTP sessions. An example is the login form on many websites: you must be authenticated by the website with a username or email address and a password before the session is established.
Some websites maintain their sessions with cookies. Cookies can include the timeout (expiry), usernames, passwords and other parameters. This information is useful for websites in order to keep their users logged in; however, when it falls into the wrong hands it can be extremely dangerous. Can you imagine someone stealing your session? Another user could share your session without you even realising.
As with other MITM attacks, we can capture a cookie containing all the information required to steal someone's login details: username and password.
One example of hijacking is stealing email account credentials by intercepting the communication of a user logging in to their email account. There are many tools available to perform such attacks, such as Hamster and Ferret; both are CLI tools.
The first step is to employ the ARP cache poisoning technique in order to be able to sniff the packets (using Wireshark).
The attacker needs to sniff the traffic and save it into a pcap file in order to proceed later with the Ferret software.
After the attacker loads the pcap file, Ferret processes it and creates a txt file which is then used by the Hamster tool to hijack the session. With the HTTP data intercepted and prepared for Hamster, the attack can then be carried out. Hamster has automation mechanisms and works like a proxy to perform the attack.
The attacker then needs to start their browser and set its proxy server to match the Hamster settings (as Hamster acts like a proxy server); these settings must match.
For example, if the attacker stole a Facebook session cookie and started Hamster, they can then see the session and continue with it. Or if an attacker stole a Gmail session cookie, they can log in normally (continue the session). The worst-case scenario would be the theft of a bank session cookie if your bank has not secured the session; this could potentially be very dangerous.
Protect against Session Hijacking.
Never use public hotspots to access your online banking or any other websites that use personal and sensitive data unless you immediately need access to them.
If possible, use a VPN connection to encrypt your data; that way, even if someone does steal data containing sensitive passwords or information, it cannot be decrypted easily.
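On the server side, the symptom of the hijack described above is one session cookie being presented by two different clients at once. The following is an added example, not code from the article or from the Hamster/Ferret tools: it runs over constructed access-log lines (the log format, the sample IPs, User-Agents and session ids are all assumed) and reports every session id seen from more than one distinct client.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the original article). Each
# line carries a timestamp, the client IP, the User-Agent and the session
# cookie value; the assumed format is "<ts> <ip> "<ua>" sid=<value>".
SAMPLE_LOG = """\
2024-01-10T09:00:01Z 10.0.0.5 "Mozilla/5.0 (Windows NT 10.0)" sid=a1b2c3
2024-01-10T09:00:09Z 10.0.0.5 "Mozilla/5.0 (Windows NT 10.0)" sid=a1b2c3
2024-01-10T09:02:30Z 10.0.0.77 "curl/8.4.0" sid=a1b2c3
2024-01-10T09:03:00Z 10.0.0.9 "Mozilla/5.0 (X11; Linux x86_64)" sid=d4e5f6
2024-01-10T09:04:15Z 10.0.0.9 "Mozilla/5.0 (X11; Linux x86_64)" sid=d4e5f6
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" sid=(\S+)$')


def parse_log(text):
    """Return a list of (timestamp, ip, user_agent, session_id) tuples,
    skipping lines that do not match the assumed format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groups())
    return entries


def find_shared_sessions(entries):
    """Map each session id presented by more than one distinct client
    (IP, User-Agent pair) to the sorted list of those clients. A cookie
    value arriving from a second client is the server-side trace of a
    stolen session: two parties are using the same session."""
    clients = defaultdict(set)
    for _ts, ip, ua, sid in entries:
        clients[sid].add((ip, ua))
    return {sid: sorted(c) for sid, c in clients.items() if len(c) > 1}


if __name__ == "__main__":
    for sid, seen in find_shared_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"session {sid} presented by {len(seen)} clients: {seen}")
```

In the sample data only `a1b2c3` is flagged: it is first used by the legitimate browser and later replayed from a different IP with a different User-Agent, while `d4e5f6` stays with one client.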