
CEH Lab Manual

Session Hijacking
Module 11

Module 11 - Session Hijacking

Hijacking Sessions
Session hijacking refers to the exploitation of a valid computer session, wherein an
attacker takes over a session between two computers.

Lab Scenario

Source: http://krebsonsecurity.com/2012/11/yahoo-email-stealing-exploit-fetches-700

According to KrebsOnSecurity news and investigation, a zero-day vulnerability in
yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to
malicious websites offers a fascinating glimpse into the underground market for
large-scale exploits. The exploit, being sold for $700 by an Egyptian hacker on
an exclusive cybercrime forum, targets a cross-site scripting (XSS) weakness in yahoo.com
that lets attackers steal cookies from Yahoo! webmail users. Such a flaw would
let attackers send or read email from the victim's account. In a typical XSS
attack, an attacker sends a malicious link to an unsuspecting user; if the user
clicks the link, the script is executed, and can access cookies, session tokens, or
other sensitive information retained by the browser and used with that site.
These scripts can even rewrite the content of the HTML page.
KrebsOnSecurity.com alerted Yahoo! to the vulnerability, and the company
says it is responding to the issue. Ramses Martinez, director of security at
Yahoo!, said the challenge now is working out the exact yahoo.com URL that
triggers the exploit, which is difficult to discern from watching the video.
These types of vulnerabilities are a good reminder to be especially cautious
about clicking links in emails from strangers or in messages that you were not
expecting.
Being an administrator, you should implement security measures at application
level and network level to protect your network from session hijacking.

Network-level hijacking is prevented by packet encryption, which can be obtained
by using protocols such as IPsec, SSL, SSH, etc. IPsec allows encryption of
packets using a shared key between the two systems involved in the communication.
Application-level security is obtained by using strong session IDs. SSL and SSH
also provide strong encryption using SSL certificates to prevent session
hijacking.

Lab Objectives
The objective of this lab is to help students learn session hijacking and take
necessary actions to defend against session hijacking.
In this lab, you will:

    Intercept and modify web traffic

    Simulate a Trojan, which modifies a workstation's proxy server settings

    Tools demonstrated in this lab are available in
    D:\CEH-Tools\CEHv8 Module 11 Session Hijacking

CEH Lab Manual Page 716

Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Environment

To carry out this lab, you need:

    A computer running Windows Server 2012 as host machine

    This lab will run on a Windows 8 virtual machine

    Web browser with Internet access

    Administrative privileges to configure settings and run tools

Lab Duration
Time: 20 Minutes

Overview of Session Hijacking

TASK: Overview

Session hijacking refers to the exploitation of a valid computer session where an
attacker takes over a session between two computers. The attacker steals a valid
session ID, which is used to get into the system and sniff the data.
In TCP session hijacking, an attacker takes over a TCP session between two
machines. Since most authentication occurs only at the start of a TCP session, this
allows the attacker to gain access to a machine.

Lab Tasks
Pick an organization that you feel is worthy of your attention. This could be an
educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in session hijacking:

    Session hijacking using ZAP

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on
your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS
RELATED TO THIS LAB.

Lab

Session Hijacking Using Zed Attack Proxy (ZAP)
The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration
testing tool for finding vulnerabilities in web applications.

Lab Scenario
Attackers are continuously watching for websites to hack, and developers must
be prepared to counter malicious hackers by writing strong, secure code.
A common form of attack is session hijacking, i.e., accessing a website using
someone else's session ID. A session ID might contain credit card details,
passwords, and other sensitive information that can be misused by a hacker.
Session hijacking attacks are performed either by session ID guessing or by
stolen session ID cookies. Session ID guessing involves gathering a sample of
session IDs and guessing a valid session ID assigned to someone else. It is
always recommended not to replace ASP.NET session IDs with IDs of your
own, as this will prevent session ID guessing. Session hijacking through stolen
session ID cookies can be prevented by using SSL; however, using cross-site scripting
attacks and other methods, attackers can steal the session ID cookies. If an
attacker gets hold of a valid session ID, then ASP.NET connects to the
corresponding session with no further authentication.
There are many tools easily available now that attackers use to hack into
websites or user details. One of the tools is Firesheep, which is an add-on for
Firefox. While you are connected to an unsecured wireless network, this Firefox
add-on can sniff the network traffic, capture all your information, and
provide it to the hacker on the same network. The attacker can now use this
information and log in as you.
As an ethical hacker, penetration tester, or security administrator, you
should be familiar with network and web authentication mechanisms. In your
role of web security administrator, you need to test web server traffic for weak
session IDs, insecure handling, identity theft, and information loss. Always
ensure that you have an encrypted connection using HTTPS, which will make the
sniffing of network packets difficult for an attacker. Alternatively, VPN
connections can also be used to stay safe, and advise users to log off once they
are done with their work. In this lab you will learn to use the ZAP proxy to
intercept traffic, run scans, etc.
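The scenario above says that application-level protection comes from strong session IDs and that a guessing attack starts from a sample of issued IDs. The following Python script, added here as an example and not part of the lab manual or of ZAP, shows both halves of that from the defender's side: issuing session IDs from the operating system's CSPRNG, and a rough audit that flags a sample of IDs as weak when they are short, low-entropy, duplicated or sequential. The constructed weak sample, the thresholds and the function names are assumptions for illustration; the entropy figure is a per-character Shannon estimate, a coarse screening heuristic rather than a proof of unpredictability.

```python
import math
import secrets
from collections import Counter

SESSION_ID_BYTES = 32          # 256 bits from the OS CSPRNG
MIN_TOTAL_BITS = 64            # assumed threshold: below this, treat the scheme as guessable


def new_session_id():
    """Issue a session ID the way a server should: random bytes from the OS CSPRNG,
    never a counter, timestamp or user-derived value (43 URL-safe chars for 32 bytes)."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def shannon_entropy_per_char(ids):
    """Shannon entropy (bits per character) over all characters in a sample of IDs.
    A rough screening number only: it cannot see structure such as a counter."""
    text = "".join(ids)
    if not text:
        return 0.0
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def assess_session_ids(ids, min_total_bits=MIN_TOTAL_BITS):
    """Audit a sample of session IDs (e.g. collected by logging in to your own
    application several times) and return human-readable weaknesses; an empty
    list means none of these checks fired."""
    findings = []
    if len(ids) < 2:
        return ["sample too small to assess"]
    if len(set(ids)) != len(ids):
        findings.append("duplicate IDs in sample")
    shortest = min(len(i) for i in ids)
    est_bits = shannon_entropy_per_char(ids) * shortest
    if est_bits < min_total_bits:
        findings.append(f"estimated {est_bits:.0f} bits of entropy, below {min_total_bits}")
    # Purely numeric IDs increasing by a constant step are a counter, not a secret.
    if all(i.isdigit() for i in ids):
        steps = {int(b) - int(a) for a, b in zip(ids, ids[1:])}
        if len(steps) == 1:
            findings.append("IDs are sequential (constant step)")
    return findings


# Constructed sample from a hypothetical weak server: a plain counter.
WEAK_SAMPLE = ["1000231", "1000232", "1000233", "1000234"]

if __name__ == "__main__":
    print("weak sample:", assess_session_ids(WEAK_SAMPLE))
    strong_sample = [new_session_id() for _ in range(200)]
    print("strong sample:", assess_session_ids(strong_sample))
```

Run against the counter-style sample the audit reports both a low entropy estimate and the constant step; two hundred IDs from `new_session_id()` pass every check. Any ID scheme that fails this crude screen is one an attacker could enumerate, which is exactly the "session ID guessing" the scenario describes.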

Lab Objectives
The objective of this lab is to help students learn session hijacking and how to
take necessary actions to defend against session hijacking.
In this lab, you will:

    Intercept and modify web traffic

    Simulate a Trojan, which modifies a workstation's proxy server settings

Lab Environment

To carry out the lab, you need:

    Paros Proxy located at D:\CEH-Tools\CEHv8 Module 11 Session
    Hijacking\Session Hijacking Tools\Zaproxy

    You can also download the latest version of ZAP from the link
    http://code.google.com/p/zaproxy/downloads/list

    If you decide to download the latest version, then screenshots shown
    in the lab might differ

    A system running Windows Server 2012 as host machine

    Run this tool in a Windows 8 Virtual Machine

    A web browser with Internet access

    Administrative privileges to configure settings and run tools

    Ensure that Java Runtime Environment (JRE) 7 (or above) is installed. If
    not, go to http://java.sun.com/j2se to download and install it.

Lab Duration
Time: 20 Minutes

Overview of Zed Attack Proxy (ZAP)

Zed Attack Proxy (ZAP) is designed to be used by people with a wide range of
security experience and as such is ideal for developers and functional testers who are
new to penetration testing, as well as being a useful addition to an experienced pen
tester's toolbox. Its features include an intercepting proxy, automated scanner, passive
scanner, and spider.

Lab Tasks

TASK: Setting up ZAP

1. Log in to your Windows 8 Virtual Machine.

2. In the Windows 8 Virtual Machine, follow the wizard-driven installation
steps to install ZAP.

3. To launch ZAP after installation, move your mouse cursor to the lower left
corner of your desktop and click Start.

    You can also download ZAP from
    http://code.google.com/p/zaproxy/downloads/list

FIGURE 2.1: Paros proxy main window

4. Click ZAP 1.4.1 in the Start menu apps.

    At its heart ZAP is an intercepting proxy. You need to configure your
    browser to connect to the web application you wish to test through ZAP. If
    required you can also configure ZAP to connect through another proxy; this
    is often necessary in a corporate environment.


    If you know how to set up proxies in your web browser then go ahead and
    give it a go! If you are unsure then have a look at the Configuring
    proxies section.

FIGURE 2.2: Paros proxy main window

5. The main interface of ZAP appears, as shown in the following
screenshot.

6. It will prompt you with an SSL Root CA certificate. Click Generate to
continue.


    Once you have configured ZAP as your browser's proxy, try to
    connect to the web application you will be testing. If you cannot
    connect to it, check your proxy settings again. You will need to check
    your browser's proxy settings, and also ZAP's proxy settings.

FIGURE 2.3: Paros proxy main window

    Active scanning attempts to find potential vulnerabilities by using
    known attacks against the selected targets. Active scanning is an attack
    on those targets. You should NOT use it on web applications that you do
    not own.

7. In the Options window, select Dynamic SSL certificates, then click
Generate to generate a certificate. Then click Save.


    It should be noted that active scanning can only find certain types of
    vulnerabilities. Logical vulnerabilities, such as broken access control, will
    not be found by any active or automated vulnerability scanning. Manual
    penetration testing should always be performed in addition to active scanning
    to find all types of vulnerabilities.

FIGURE 2.4: Paros proxy main window

8. Save the certificate in the default location of ZAP. If the certificate
already exists, replace it with the new one.

    An alert is a potential vulnerability and is associated with a specific
    request. A request can have more than one alert.

FIGURE 2.5: Paros proxy main window

9. Click OK in the Options window.

    Anti-CSRF tokens are (pseudo) random parameters used to protect
    against Cross Site Request Forgery (CSRF) attacks. However, they also make a
    penetration tester's job harder, especially if the tokens are regenerated
    every time a form is requested.

10. Your Paros proxy server is now ready to intercept requests.


    ZAP detects anti-CSRF tokens purely by attribute names; the list of
    attribute names considered to be anti-CSRF tokens is configured using the
    Options Anti CSRF screen. When ZAP detects these tokens it records the token
    value and which URL generated the token.

FIGURE 2.7: Paros proxy main window

11. Launch any web browser; in this lab we are using the Chrome browser.

12. Your VM workstation should have Chrome version 22.0 or later
installed.

13. Change the Proxy Server settings in Chrome by clicking the
Customize and control Google Chrome button, and then click
Settings.

FIGURE 2.8: IE Internet Options window

14. On the Google Chrome Settings page, click the Show advanced
settings... link at the bottom of the page, and then click the Change proxy
settings... button.

    ZAP provides an Application Programming Interface (API) which allows
    you to interact with ZAP programmatically. The API is available in JSON,
    HTML and XML formats. The API documentation is available via the URL
    http://zap/ when you are proxying via ZAP.


FIGURE 2.9: Paros proxy main window

15. In the Internet Properties wizard, click Connections and click LAN
Settings.

FIGURE 2.10: IE Internet Options window with Connections tab

16. Check Use a proxy server for your LAN, type 127.0.0.1 in the Address
field, enter 8080 in the Port field, and click OK.

    Click OK several times until all configuration dialog boxes are closed.

    It should be noted that there is minimal security built in to the API,
    which is why it is disabled by default. If enabled, the API is
    available to all machines that are able to use ZAP as a proxy. By default
    ZAP listens only on 'localhost' and so can only be used from the host
    machine.

    The API provides access to the core ZAP features such as the active
    scanner and spider. Future versions of ZAP will increase the functionality
    available via the API.

FIGURE 2.11: IE Internet Options window with Proxy Settings window

TASK: Hijacking Victim's Session

17. Click Set break on all requests and Set break on all responses to
trap all the requests and responses from the browser.

    ZAP allows you to try to brute force directories and files. A set of
    files is provided which contain a large number of file and directory
    names.

    A break point allows you to intercept a request from your browser and to
    change it before it is submitted to the web application you are testing.
    You can also change the responses received from the application. The request
    or response will be displayed in the Break tab, which allows you to change
    disabled or hidden fields, and will allow you to bypass client-side validation
    (often enforced using JavaScript). It is an essential penetration testing
    technique.

FIGURE 2.12: Paros proxy main window

18. Now navigate to a Chrome browser, and open www.bing.com.

19. Start a search for Cars.

20. Open ZAP, which shows the first trapped incoming web traffic.

21. Observe the first few lines of the trapped traffic in the trap window,
and keep clicking Submit and step to next request or response until
you see cars in the GET request in the Break tab, as shown in the
following screenshot.


    Filters add extra features that can be applied to every request and
    response. By default no filters are initially enabled. Enabling all of the
    filters may slow down the proxy. Future versions of the ZAP User Guide will
    document the default filters in detail.

    Trapped request shown in the Break tab:

    GET http://www.bing.com/search?q=Cars&go=&qs=n&form=QBLH&filt=all&pq=cars&sc=0-0&sp=-1&sk= HTTP/1.1
    Host: www.bing.com
    Proxy-Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Referer: http://www.bing.com/

FIGURE 2.6: Paros Proxy with Trap option content

22. Now change the query text from Cars to Cakes in the GET request.

    Modified request shown in the Break tab:

    GET http://www.bing.com/search?q=Cakes&go=&qs=n&form=QBLH&filt=all&pq=Cakes&sc=0-0&sp=-1&sk= HTTP/1.1
    Host: www.bing.com
    Proxy-Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Referer: http://www.bing.com/
    Fuzzing is configured using the Options Fuzzing screen. Additional
    fuzzing files can be added via this screen or can be put manually into the
    "fuzzers" directory where ZAP was installed; they will then become
    available after restarting ZAP.

23. Click Submit and step to next request or response.

24. Search for the title in the Response pane and replace Cakes with Cars as
shown in the following figure.

    Trapped response shown in the Break tab, before the title is changed:

    HTTP/1.1 200 OK
    Cache-Control: private, max-age=0
    Content-Type: text/html; charset=utf-8
    Expires: Mon, 15 Oct 2012 12:30:19 GMT
    P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND"
    ...
    <title>cakes - Bing</title>

    The same response after the title is changed:

    ...
    <title>cars - Bing</title>

FIGURE 2.7: Paros Proxy search string content

25. In the same Response pane, replace Cakes with Cars at the value shown in
the following figure.
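Steps 17 to 25 and the break point note show that anything the browser sends or receives can be rewritten while it sits in the proxy, so validation done in page JavaScript, hidden fields and disabled fields gives the server no protection. The following Python script, added here as an example and not code from the lab manual or from ZAP, parses a raw request of the kind the Break tab displays and then applies the server-side validation that must hold whatever the client did. The sample requests are constructed to resemble the Bing search in the lab; the `count` parameter standing in for a hidden page-size field, the validation rules and the function names are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the trapped Bing search request in the lab
# (not a capture from this lab); `count` stands in for a hidden field that the
# page itself fills in and that client-side JavaScript never lets the user edit.
ORIGINAL_REQUEST = (
    "GET http://www.bing.com/search?q=Cars&go=&qs=n&form=QBLH&count=10 HTTP/1.1\r\n"
    "Host: www.bing.com\r\n"
    "Proxy-Connection: keep-alive\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Referer: http://www.bing.com/\r\n"
    "\r\n"
)

# The same request after being edited in an intercepting proxy, as in step 22:
# the query text is changed and the "hidden" page size is raised far beyond
# what the page's JavaScript would have allowed.
TAMPERED_REQUEST = ORIGINAL_REQUEST.replace("q=Cars", "q=Cakes").replace(
    "count=10", "count=100000")


def parse_request(raw):
    """Split a raw HTTP/1.1 request (as shown in ZAP's Break tab) into its parts."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    # First value of each parameter; keep_blank_values so `go=` survives.
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"method": method, "version": version, "host": headers.get("host", parts.netloc),
            "path": parts.path, "query": query, "headers": headers, "body": body}


SEARCH_TERM = re.compile(r"[A-Za-z0-9 \-'.]{1,100}")   # assumed allow-list for the demo
MAX_PAGE_SIZE = 50                                      # assumed server-side limit


def validate_search(query):
    """Server-side validation of the search parameters. These checks are the ones
    that actually protect the application, because the client-side ones can be
    bypassed by editing the request in a proxy."""
    errors = []
    q = query.get("q", "")
    if not SEARCH_TERM.fullmatch(q):
        errors.append("q: not a permitted search term")
    count = query.get("count", "10")
    if not count.isdigit() or not 1 <= int(count) <= MAX_PAGE_SIZE:
        errors.append(f"count: must be an integer from 1 to {MAX_PAGE_SIZE}")
    return errors


def handle(raw):
    """Parse, validate and return a (status, detail) pair, as a request handler would."""
    req = parse_request(raw)
    if req["method"] != "GET" or req["path"] != "/search":
        return 404, "not found"
    errors = validate_search(req["query"])
    if errors:
        return 400, "; ".join(errors)
    return 200, f"searching for {req['query']['q']!r}, {req['query']['count']} results"


if __name__ == "__main__":
    print(handle(ORIGINAL_REQUEST))
    print(handle(TAMPERED_REQUEST))
```

The edited query text (Cars to Cakes) is harmless and passes, exactly as it did in the lab; the edited hidden field is caught only because the server re-checks it. The point for the defender is that every rule a page enforces in JavaScript or by marking a field hidden or disabled has to be enforced again on the server, since an intercepting proxy sees the request after the browser has finished with it.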
    This functionality is based on code from the OWASP JBroFuzz project
    and includes files from the fuzzdb project. Note that some fuzzdb files have
    been left out as they cause common anti-virus scanners to flag them as
    containing viruses. You can replace them (and upgrade fuzzdb) by downloading
    the latest version of fuzzdb and expanding it in the 'fuzzers' library.

CEH Lab Manual Page 727

Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


This tool keeps track of the existing HTTP Sessions on a particular Site and allows the Zaproxy user to force all requests to be on a particular session. Basically, it allows the user to easily switch between user sessions on a Site and to create a new Session without "destroying" the existing ones.


FIGURE 2.8: Paros with modified trap option content

Note: Here we are changing the text Cakes to Cars; the Bing search shows Cars, whereas the results displayed are for Cakes.

26. Observe the Bing search web page displayed in the browser with search query as Cakes.


It is based on the concept of Session Tokens, which are HTTP message parameters (for now only Cookies) which allow an HTTP server to connect a request message with any previous requests or data stored. In the case of Zaproxy, conceptually, session tokens have been classified into 2 categories: default session tokens and site session tokens. The default session tokens are the ones that the user can set in the Options Screen and are tokens that are, by default, automatically considered session tokens for any site (e.g. phpsessid, jsessionid, etc.). The site session tokens are a set of tokens for a particular site and are usually set up using the popup menus available in the Params Tab.
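As an added example (not from the lab manual or the ZAP project), the following Python models the two ZAP concepts described in the sidebars above: classifying the cookies a response sets into default and site session tokens, and keeping a per-site list of distinct HTTP sessions keyed by those token values. It also reports session tokens that lack the Secure or HttpOnly attributes, a check a defender reviewing such traffic would want; the site names, cookie names other than phpsessid and jsessionid, and the responses are constructed.

```python
# Default session tokens (the two the text names); site tokens are given per site.
DEFAULT_SESSION_TOKENS = frozenset({"phpsessid", "jsessionid"})

def set_cookies(raw_response):
    """Return (name, value, {attr: value-or-True}) for each Set-Cookie header
    in a raw HTTP response (headers end at the first CRLFCRLF)."""
    header_block = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in header_block.split("\r\n")[1:]:  # skip the status line
        hname, sep, hvalue = line.partition(":")
        if not sep or hname.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in hvalue.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for part in parts[1:]:  # Path=/, Secure, HttpOnly, ...
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else True
        cookies.append((name.strip(), value.strip(), attrs))
    return cookies

def classify_tokens(cookies, site_tokens=frozenset()):
    """Map cookie name -> 'default' or 'site' for cookies that are session tokens."""
    site_lower = {t.lower() for t in site_tokens}
    kinds = {}
    for name, _, _ in cookies:
        if name.lower() in DEFAULT_SESSION_TOKENS:
            kinds[name] = "default"
        elif name.lower() in site_lower:
            kinds[name] = "site"
    return kinds

def weak_token_flags(cookies, site_tokens=frozenset()):
    """Defender's check: the Secure/HttpOnly attributes each session token lacks."""
    kinds = classify_tokens(cookies, site_tokens)
    return {name: sorted(f for f in ("secure", "httponly") if f not in attrs)
            for name, _, attrs in cookies if name in kinds}

def observe(sessions, site, raw_response, site_tokens=frozenset()):
    """Record which of the site's sessions a response belongs to (keyed by its
    session-token values): 1-based index, or None if no session token is set."""
    cookies = set_cookies(raw_response)
    kinds = classify_tokens(cookies, site_tokens)
    values = {name: value for name, value, _ in cookies if name in kinds}
    if not values:
        return None
    known = sessions.setdefault(site, [])  # sessions: site -> [{token: value}]
    if values not in known:
        known.append(values)
    return known.index(values) + 1
```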

FIGURE 2.6: Search results window after modifying the content

27. That's it. You just forced an unsuspecting web browser to go to any page of your choosing.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

Tool/Utility          Information Collected/Objectives Achieved
Zed Attack Proxy      SSL certificate to hack into a website
                      Redirecting the request made in Bing


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate each of the following Paros proxy options:
   a. Trap Request
   b. Trap Response
   c. Continue Button
   d. Drop Button

Internet Connection Required
Yes / No

Platform Supported


Classroom / iLabs
