- In session hijacking, an attacker relies on the legitimate user to connect and authenticate, and will then take over the session.
- In a spoofing attack, the attacker pretends to be another user or machine to gain access.
- Successful session hijacking is difficult and is only possible when a number of factors are under the attacker's control.
- Session hijacking can be active or passive in nature depending on the degree of involvement of the attacker.
- By attacking the network-level sessions, the attacker gathers some critical information that is used to attack the application-level sessions.
- A variety of tools exist to aid the attacker in perpetrating a session hijack.
- Session hijacking could be dangerous, and therefore, there is a need for implementing strict countermeasures.
Q1) What type of session hijacking attack is shown in the exhibit?
- Session Sniffing Attack
- Cross-site scripting Attack
- SQL Injection Attack
- Token sniffing Attack
Q2) After a client sends a connection request (SYN) packet to the server, the server will respond (SYN-ACK) with a sequence number of its choosing, which then must be acknowledged (ACK) by the client. This sequence number is predictable; the attacker connects to a service first with its own IP address, records the sequence number chosen, and then opens a second connection from a forged IP address. The attacker doesn't see the SYN-ACK (or any other packet) from the server, but can guess the correct responses. If the source IP address is used for authentication, then the attacker can use the one-sided communication to break into the server. What attacks can you successfully launch against a server using the above technique?
- Denial of Service attacks
- Session Hijacking attacks
- Web page defacement attacks
- IP spoofing attacks
Q3) John is using tokens for the purpose of strong authentication. He is not confident that his security is considerably strong.
In the context of session hijacking, why would you consider this a false sense of security?
- The token based security cannot be easily defeated.
- The connection can be taken over after authentication.
- A token is not considered strong authentication.
- Token security is not widely used in the industry.
A3) A token will give you a more secure authentication, but tokens will not help against attacks that are directed against you after you have been authenticated.
Q4) What is the key advantage of Session Hijacking?
- It can be easily done and does not require sophisticated skills.
- You can take advantage of an authenticated connection.
- You can successfully predict the sequence number generation.
- You cannot be traced in case the hijack is detected.
A4) As an attacker you don’t have to steal an account and password in order to take advantage of an authenticated connection.
Q5) You want to carry out session hijacking on a remote server. The server and the client are communicating via TCP after a successful TCP three way handshake. The server has just received packet #120 from the client. The client has a receive window of 200 and the server has a receive window of 250.
Within what range of sequence numbers should a packet sent by the client fall in order to be accepted by the server?
A5) Packet number 120 has already been received by the server and the server's window is 250 packets, so any packet number from 121 (next in sequence) to 371 (121+250). (?)
Q6) How would you prevent session hijacking attacks?
- Using biometrics access tokens secures sessions against hijacking
- Using non-Internet protocols like http secures sessions against hijacking
- Using hardware-based authentication secures sessions against hijacking
- Using unpredictable sequence numbers secures sessions against hijacking
A6) Protection of a session needs to focus on the unique session identifier because it is the only thing that distinguishes users. If the session ID is compromised, attackers can impersonate other users on the system. The first thing is to ensure that the sequence of identification numbers issued by the session management system is unpredictable; otherwise, it's trivial to hijack another user's session. Having a large number of possible session IDs (meaning that they should be very long) means that there are a lot more permutations for an attacker to try.
Q7) Which of the following attacks takes best advantage of an existing authenticated connection?
- Session Hijacking
- Password Sniffing
- Password Guessing
A7) Session hijacking is the act of taking control of a user session after successfully obtaining or generating an authentication session ID. Session hijacking involves an attacker using captured, brute-forced or reverse-engineered session IDs to seize control of a legitimate user's Web application session while that session is still in progress.
Q8) What type of information can be obtained during a session-hijacking attack? (Choose all that apply.) (?)
- Credit card numbers
- Confidential data
- Authentication information
A8) Passwords, credit card numbers, and other confidential data can be gathered in a session-hijacking attack. Authentication information isn’t accessible because session hijacking occurs after the user has authenticated.
Q9) Which of the following is essential information to a hacker performing a session-hijacking attack?
- Session ID
- Session number
- Sequence number
- Source IP address
A9) In order to perform a session-hijacking attack, the hacker must know the sequence number to use in the next packet so the server will accept the packet.
Q10) Which of the following is a session-hijacking tool that runs on Linux operating systems? (?)
- TCP Reset Utility
- Juggernaut
A10) Juggernaut runs on Linux operating systems.
Q11) Which of the following is the best countermeasure to session hijacking?
- Port filtering firewall
- Session monitoring
- Strong passwords
A11) Encryption makes any information the hacker gathers during a session-hijacking attempt unreadable.
Q12) Which of the following best describes sniffing? (?)
- Gathering packets to locate IP addresses, in order to initiate a session-hijacking attack
- Analyzing packets in order to locate the sequence number to start a session hijack
- Monitoring TCP sessions in order to initiate a session-hijacking attack
- Locating a host susceptible to a session-hijack attack
A12) Sniffing is usually used to locate the sequence number, which is necessary for a session hijack.
Q13) What is session hijacking?
- Monitoring UDP session
- Monitoring TCP sessions
- Taking over UDP sessions
- Taking over TCP sessions
A13) The most common form of session hijacking is the process of taking over a TCP session.
Q14) What types of packets are sent to the victim of a session-hijacking attack to cause them to close their end of the connection?
- FIN and ACK
- SYN or ACK
- SYN and ACK
- FIN or RST
A14) FIN (finish) and RST (reset) packets are sent to the victim to desynchronize their connection and cause them to close the existing connection.
Q15) Which of the following is the best way to protect against session hijacking?
- Use only nonroutable protocols.
- Use unpredictable sequence numbers.
- Use a file verification application, such as Tripwire.
- Use a good password policy.
A15) Unpredictable sequence numbers make session hijacking nearly impossible.
Q16) Which of the following attacks an already-authenticated connection?
- Denial of service
- Session hijacking
A16) Session hijacking takes advantage of connections already in place and already authenticated.
Q17) Which statement defines session hijacking most accurately?
- Session hijacking involves stealing a user’s login information and using that information to pose as the user later.
- Session hijacking involves assuming the role of a user through the compromise of physical tokens such as common access cards.
- Session hijacking is an attack that aims at stealing a legitimate session and posing as that user while communicating with the web resource or host machine.
- Session hijacking involves only web applications and is specific to stealing session IDs from compromised cookies.
A17) Session hijacking focuses on the victim’s session. There are different ways of accomplishing this task, but the basic concept is the same. Be sure to know what constitutes a session hijack; the exam will expect you to be able to recognize one at first glance.
Q18) Network-level hijacking focuses on the mechanics of a connection such as the manipulation of packet sequencing. What is the main focus of web app session hijacking?
- Breaking user logins
- Stealing session IDs
- Traffic redirection
- Resource DoS
A18) Stealing session IDs is the main objective in web session hijacking. Session IDs allow the attacker to assume the role of the legitimate client without the time-consuming task of brute-forcing user logins or sniffing out authentication information.
Q19) Session hijacking can be performed on all of the following protocols except which one?
A19) SSL is designed with many goals in mind; one of them is that it is not as vulnerable to session hijacking as the other protocols listed here.
Q20) Which technology can provide protection against session hijacking?
Q21) Session hijacking can be thwarted with which of the following? (?)
A21) Authentication mechanisms such as Kerberos can provide protection against session hijacking. Authentication provides verification of the party or parties involved in the communication.
Q22) Session hijacking can do all of the following except which one?
- Take over an authenticated session
- Be used to steal cookies
- Take over a session
- Place a cookie on a server
A22) A session hijack can be used to read cookies on a client but not on a server.
Q23) Which attack can be used to take over a previous session?
- Cookie snooping
- Session hijacking
- Cookie hijacking
- Session sniffing
A23) Session hijacking can be used to take over an existing session that has been authenticated, or to forge a valid session.