ceh v8 labs module 11 session hijacking.pdf

Upload: nguyenquan31

Post on 09-Oct-2015


TRANSCRIPT

CEH Lab Manual

Module 11: Session Hijacking

Module 11 - Session Hijacking

Hijacking Sessions

Session hijacking refers to the exploitation of a valid computer session, wherein an attacker takes over a session between two computers.

Lab Scenario

Source: http://krebsonsecurity.com/2012/11/yahoo-email-stealing-exploit-fetches-700

According to KrebsOnSecurity news and investigation, a zero-day vulnerability in yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to malicious websites offers a fascinating glimpse into the underground market for large-scale exploits.

The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a cross-site scripting (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! webmail users. Such a flaw would let attackers send or read email from the victim's account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed and can access cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

KrebsOnSecurity.com alerted Yahoo! to the vulnerability, and the company says it is responding to the issue. Ramses Martinez, director of security at Yahoo!, said the challenge now is working out the exact yahoo.com URL that triggers the exploit, which is difficult to discern from watching the video.

These types of vulnerabilities are a good reminder to be especially cautious about clicking links in emails from strangers or in messages that you were not expecting.

As an administrator, you should implement security measures at both the application level and the network level to protect your network from session hijacking. Network-level hijacking is countered by encrypting and integrity-protecting traffic with protocols such as IPsec, SSL/TLS, or SSH, so that an attacker who sniffs the wire can neither read the session nor inject packets that pass as the legitimate peer's. IPsec encrypts packets with keys shared between the two systems involved in the communication.

Application-level protection comes from strong session IDs: long, unpredictable values produced by a cryptographic random number generator, issued fresh at login, expiring after a bounded time, and never derived from user attributes. SSL/TLS and SSH also provide strong encryption (TLS authenticated with server certificates) so that the session ID cannot be read off the network; note that this does not help once the ID has been stolen by other means, such as XSS.

Lab Objectives

The objective of this lab is to help students learn session hijacking and take necessary actions to defend against session hijacking.

In this lab, you will:

• Intercept and modify web traffic


Ethical Hacking and Countermeasures. Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

CEH Lab Manual Page 716


• Simulate a Trojan, which modifies a workstation's proxy server settings

Lab Environment

To carry out this lab, you need:

• A computer running Windows Server 2012 as host machine
• This lab will run on a Windows 8 virtual machine
• Web browser with Internet access
• Administrative privileges to configure settings and run tools

Lab Duration

Time: 20 Minutes

Overview of Session Hijacking

Session hijacking refers to the exploitation of a valid computer session, where an attacker takes over a session between two computers. The attacker steals a valid session ID and uses it to get into the system and sniff the data.

In TCP session hijacking, an attacker takes over a TCP session between two machines. Since most authentication occurs only at the start of a TCP session, an attacker who can predict the sequence numbers and inject packets into the established connection gains access to the machine as the already-authenticated user.

Lab Tasks

Pick an organization that you feel is worthy of your attention and that you have permission to test. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you in session hijacking:

• Session hijacking using ZAP

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 11 Session Hijacking

TASK 1: Overview


Lab: Session Hijacking Using Zed Attack Proxy (ZAP)

The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.

Lab Scenario

Attackers are continuously watching for websites to hack, and developers must be prepared to counter malicious hackers by writing strong, secure code. A common form of attack is session hijacking, i.e., accessing a website using someone else's session ID. The session ID itself is only an opaque token, but whoever presents it inherits the session's authenticated state, and with it access to credit card details, passwords, and other sensitive information that a hacker can misuse.

Session hijacking attacks are performed either by session ID guessing or with stolen session ID cookies. Session ID guessing involves gathering a sample of session IDs and predicting a valid session ID assigned to someone else; it works only when IDs are short or follow a pattern (sequential, time-based, or derived from the user name). It is always recommended not to replace the session IDs that ASP.NET generates with IDs of your own: the framework's IDs are long and random, and that is what prevents session ID guessing. Theft of the session ID cookie off the network can be prevented by using SSL; however, through cross-site scripting attacks and other methods, attackers can still steal session ID cookies. If an attacker gets hold of a valid session ID, ASP.NET connects to the corresponding session with no further authentication.

There are many tools easily available now that attackers use to hack into websites or user accounts. One of them is Firesheep, an add-on for Firefox. While you are connected to an unsecured wireless network, this add-on sniffs the network traffic, captures the session cookies that sites send over plain HTTP, and hands them to the attacker on the same network. The attacker can now use those cookies and log in as you.

As an ethical hacker, penetration tester, or security administrator, you should be familiar with network and web authentication mechanisms. In your role as web security administrator, you need to test web server traffic for weak session IDs, insecure handling, identity theft, and information loss. Always ensure that you have an encrypted connection using https, which makes the sniffing of network packets difficult for an attacker. Alternatively, VPN connections can also be used to stay safe, and advise users to log off once they are done with their work. In this lab you will learn to use ZAP to intercept and modify traffic, scan, etc.
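The two attack paths described above, guessed session IDs and stolen cookies, in runnable form. This is an added example, not code from the lab manual or from ZAP. A weak sequential issuer and a strong CSPRNG issuer are plugged into the same server-side session store, which, like the ASP.NET behaviour described above, accepts whoever presents a valid ID with no further authentication; predict_next is the attacker's guessing step, and session_cookie emits the Set-Cookie attributes (Secure, HttpOnly, SameSite) that keep the ID off plain HTTP and away from injected script. The SESS prefix, the cookie name and the store API are assumptions made for illustration.

```python
"""Session ID guessing vs. strong session IDs, and the cookie attributes that
blunt cookie theft. Added example; issuers, store and cookie name are assumed."""
import re
import secrets
from http.cookies import SimpleCookie


class WeakIssuer:
    """Constructed weak generator: a counter behind a fixed prefix, the kind of
    roll-your-own ID the text warns against substituting for ASP.NET's."""
    def __init__(self, start=1000):
        self.counter = start

    def issue(self):
        self.counter += 1
        return f"SESS{self.counter:06d}"


class StrongIssuer:
    """32 bytes from the OS CSPRNG (256 bits), URL-safe base64: no sample of
    earlier IDs says anything about the next one."""
    def issue(self):
        return secrets.token_urlsafe(32)


class SessionStore:
    """Server side, modelled on the ASP.NET behaviour described above: present a
    valid ID and you are that user, with no further authentication."""
    def __init__(self, issuer):
        self.issuer = issuer
        self.sessions = {}

    def login(self, user):
        sid = self.issuer.issue()
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)


def predict_next(sample):
    """Attacker's guessing step: from a few observed IDs, infer the issuance
    rule. Succeeds only if every ID is SESS+digits and the step is constant."""
    nums = []
    for sid in sample:
        m = re.fullmatch(r"SESS(\d+)", sid)
        if not m:
            return None  # no visible structure: nothing to extrapolate
        nums.append(int(m.group(1)))
    steps = {b - a for a, b in zip(nums, nums[1:])}
    if len(steps) != 1:
        return None
    return f"SESS{nums[-1] + steps.pop():06d}"


def hijack(store, observed):
    """Guess the ID issued right after the attacker's own logins and try it."""
    guess = predict_next(observed)
    return store.whoami(guess) if guess else None


def session_cookie(sid, name="ASP.NET_SessionId"):
    """Set-Cookie value for the ID: Secure keeps it off plain HTTP (Firesheep),
    HttpOnly keeps it away from injected script (the Yahoo! XSS), SameSite=Lax
    limits cross-site sends. The cookie name is an assumption for the example."""
    c = SimpleCookie()
    c[name] = sid
    c[name]["secure"] = True
    c[name]["httponly"] = True
    c[name]["samesite"] = "Lax"
    c[name]["path"] = "/"
    return c.output(header="").strip()


if __name__ == "__main__":
    for issuer in (WeakIssuer(), StrongIssuer()):
        store = SessionStore(issuer)
        seen = [store.login("attacker") for _ in range(3)]  # attacker logs in three times
        store.login("victim")                               # victim logs in next
        print(type(issuer).__name__, "->", hijack(store, seen))
    print(session_cookie(StrongIssuer().issue()))
```

With the weak issuer the attacker's three logins reveal the step and the victim's ID is the next value; with the strong issuer predict_next finds no structure and the hijack returns nothing. The cookie attributes address the theft path rather than the guessing path: they are necessary in addition to a strong ID, not instead of it.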

Lab Objectives

The objective of this lab is to help students learn session hijacking and how to take necessary actions to defend against session hijacking.

In this lab, you will:

• Intercept and modify web traffic
• Simulate a Trojan, which modifies a workstation's proxy server settings

Lab Environment

To carry out the lab, you need:

• ZAP, located at D:\CEH-Tools\CEHv8 Module 11 Session Hijacking\Session Hijacking Tools\Zaproxy
• You can also download the latest version of ZAP from http://code.google.com/p/zaproxy/downloads/list
• If you decide to download the latest version, the screenshots shown in the lab might differ
• A system running Windows Server 2012 as host machine
• Run this tool in the Windows 8 virtual machine
• A web browser with Internet access
• Administrative privileges to configure settings and run tools
• Ensure that Java Runtime Environment (JRE) 7 (or above) is installed. If not, go to http://java.sun.com/j2se to download and install it.

Lab Duration

Time: 20 Minutes

Overview of Zed Attack Proxy (ZAP)

Zed Attack Proxy (ZAP) is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pentester's toolbox. Its features include an intercepting proxy, automated scanner, passive scanner, and spider.

Lab Tasks

TASK 1: Setting up ZAP

1. Log in to your Windows 8 Virtual Machine.


Note: At its heart ZAP is an intercepting proxy. You need to configure your browser to connect to the web application you wish to test through ZAP. If required you can also configure ZAP to connect through another proxy; this is often necessary in a corporate environment.

2. In the Windows 8 Virtual Machine, follow the wizard-driven installation steps to install ZAP.

FIGURE 2.1: ZAP main window

3. To launch ZAP after installation, move your mouse cursor to the lower-left corner of your desktop and click Start.

4. Click ZAP 1.4.1 in the Start menu apps.

Note: You can also download ZAP from http://code.google.com/p/zaproxy/downloads/list

FIGURE 2.2: Windows 8 Start screen showing the ZAP 1.4.1 tile

5. The main interface of ZAP appears, as shown in the following screenshot.

6. It will prompt you with an SSL Root CA certificate. Click Generate to continue.

Note: If you know how to set up proxies in your web browser then go ahead and give it a go! If you are unsure then have a look at the Configuring proxies section.


Note: Once you have configured ZAP as your browser's proxy, try to connect to the web application you will be testing. If you cannot connect to it, check your proxy settings again. You will need to check your browser's proxy settings, and also ZAP's proxy settings.

FIGURE 2.3: ZAP main window

7. In the Options window, select Dynamic SSL certificates, then click Generate to generate a certificate. Then click Save.

Note: Active scanning attempts to find potential vulnerabilities by using known attacks against the selected targets. Active scanning is an attack on those targets. You should NOT use it on web applications that you do not own.

Note: It should be noted that active scanning can only find certain types of vulnerabilities. Logical vulnerabilities, such as broken access control, will not be found by any active or automated vulnerability scanning. Manual penetration testing should always be performed in addition to active scanning to find all types of vulnerabilities.

8. Save the certificate in the default location of ZAP. If the certificate already exists, replace it with the new one.

FIGURE: Options window, Dynamic SSL Certificates section (Root CA certificate with Generate and Save buttons)

Note: An alert is a potential vulnerability and is associated with a specific request. A request can have more than one alert.

9. Click OK in the Options window.

Note: Anti-CSRF tokens are (pseudo) random parameters used to protect against Cross Site Request Forgery (CSRF) attacks. However, they also make a penetration tester's job harder, especially if the tokens are regenerated every time a form is requested.

10. Your ZAP proxy server is now ready to intercept requests.

FIGURE: Options window showing the generated Root CA certificate (PEM text)

FIGURE 2.7: ZAP main window (Untitled Session - OWASP ZAP, with the Sites, Request, Response and Break tabs and the Active Scan, Spider, Brute Force, Port Scan, Fuzzer, Params, Output, Alerts and Break Points panels)

11. Launch any web browser; in this lab we are using the Chrome browser.

12. Your VM workstation should have Chrome version 22.0 or later installed.

13. Change the Proxy Server settings in Chrome by clicking the Customize and control Google Chrome button, and then clicking Settings.

FIGURE 2.8: Google Chrome Customize and control menu (New tab, New window, New incognito window, Bookmarks, ..., Settings)

Note: ZAP detects anti-CSRF tokens purely by attribute names; the list of attribute names considered to be anti-CSRF tokens is configured using the Options Anti CSRF screen. When ZAP detects these tokens it records the token value and which URL generated the token.

14. On the Google Chrome Settings page, click the Show advanced settings... link at the bottom of the page, and then click the Change proxy settings... button.

Note: ZAP provides an Application Programming Interface (API) which allows you to interact with ZAP programmatically. The API is available in JSON, HTML and XML formats. The API documentation is available via the URL http://zap/ when you are proxying via ZAP.


15. In the Internet Properties window that opens, click LAN settings.

16. Under Proxy server, check Use a proxy server for your LAN, enter Address 127.0.0.1 and Port 8080 (the address and port ZAP listens on by default), and click OK.

Note: It should be noted that there is minimal security built in to the API, which is why it is disabled by default. If enabled, the API is available to all machines that are able to use ZAP as a proxy. By default ZAP listens only on 'localhost' and so can only be used from the host machine. The API provides access to the core ZAP features such as the active scanner and spider. Future versions of ZAP will increase the functionality available via the API.

FIGURE 2.11: IE Internet Options window with the Local Area Network (LAN) Settings dialog: Use a proxy server for your LAN checked, Address 127.0.0.1, Port 8080, Bypass proxy server for local addresses

17. Click Set break on all requests and Set break on all responses to trap all the requests and responses from the browser.

FIGURE 2.12: ZAP main window with both break buttons set

18. Now switch to the Chrome browser and open www.bing.com.

19. Start a search for Cars.

20. Open ZAP, which shows the first trapped incoming web traffic.

21. Observe the first few lines of the trapped traffic in the Break tab, and keep clicking Submit and step to next request or response until you see Cars in the GET request in the Break tab, as shown in the following screenshot.

TASK 2: Hijacking Victim's Session

Note: ZAP allows you to try to brute force directories and files. A set of files is provided which contain a large number of file and directory names.

Note: A break point allows you to intercept a request from your browser and to change it before it is submitted to the web application you are testing. You can also change the responses received from the application. The request or response will be displayed in the Break tab, which allows you to change disabled or hidden fields, and will allow you to bypass client-side validation (often enforced using JavaScript). It is an essential penetration testing technique.


FIGURE 2.6: ZAP Break tab with the trapped request. Recoverable from the screenshot: GET http://www.bing.com/search?q=Cars&... HTTP/1.1; Host: www.bing.com; Proxy-Connection: keep-alive; User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4; Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8; Referer: http://www.bing.com/

22. Now change the query text from Cars to Cakes in the GET request.

FIGURE: ZAP Break tab after the edit: GET http://www.bing.com/search?q=Cakes&go=&qs=n&form=QBLH&filt=all&pq=Cakes&... HTTP/1.1 (the History pane also lists two earlier 504 Gateway Time-out entries)

23. Click Submit and step to next request or response.

24. Search for the title in the Response pane and replace Cakes with Cars, as shown in the following figure.

Note: Filters add extra features that can be applied to every request and response. By default no filters are initially enabled. Enabling all of the filters may slow down the proxy. Future versions of the ZAP User Guide will document the default filters in detail.

Note: Fuzzing is configured using the Options Fuzzing screen. Additional fuzzing files can be added via this screen or can be put manually into the "fuzzers" directory where ZAP was installed; they will then become available after restarting ZAP.


FIGURE 2.7: ZAP Response pane for the search. Recoverable from the two screenshots: HTTP/1.1 200 OK; Cache-Control: private, max-age=0; Content-Type: text/html; charset=utf-8; Expires: Mon, 15 Oct 2012 12:30:19 GMT; a P3P header; the body's <title>cakes - Bing</title> before the edit and <title>cars - Bing</title> after it

25. In the same Response pane, replace Cakes with Cars as shown in the following figure, at the value shown.
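The edits made by hand in the Break tab in steps 17 to 25, done in code so they can be checked offline. This is an added example and not part of the lab or of ZAP: it parses a constructed request and response shaped like the lab's trapped Bing exchange, rewrites the q parameter (Cars to Cakes), rewrites the <title> in the response and recomputes Content-Length so the browser does not truncate or hang on the edited body. It also lifts the Cookie header out of the trapped request and builds a replay request carrying those cookies, which is the step that turns traffic interception into the session hijack this lab is named for. The cookie names, header values and URL parameters are constructed for the example and are not a real capture.

```python
"""Intercept-and-modify from the lab, as code: rewrite a request's query
parameter, rewrite a response's <title> (fixing Content-Length), and lift the
session cookies out of a trapped request for replay. Sample messages are
constructed to resemble the lab's Bing exchange; nothing is sent on the wire."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed request, shaped like the trapped GET in Figure 2.6 (not a real capture).
RAW_REQUEST = (
    "GET http://www.bing.com/search?q=Cars&go=&qs=n&form=QBLH HTTP/1.1\r\n"
    "Host: www.bing.com\r\n"
    "Proxy-Connection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64)\r\n"
    "Cookie: SRCHUID=V=2&GUID=EXAMPLE; _SS=SID=DEADBEEF0123\r\n"  # assumed cookie names/values
    "Accept: text/html\r\n"
    "\r\n"
)

# Constructed response with the title the lab edits; Content-Length is computed, not typed.
_BODY = "<html><head><title>cakes - Bing</title></head><body></body></html>"
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    f"Content-Length: {len(_BODY.encode())}\r\n"
    "\r\n" + _BODY
)


def parse_message(raw):
    """Split an HTTP/1.1 message into (start line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def build_message(start, headers, body):
    return start + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body


def rewrite_query_param(raw_request, name, new_value):
    """Step 22: change one query-string parameter in the request line, keeping the rest."""
    start, headers, body = parse_message(raw_request)
    method, url, version = start.split(" ", 2)
    parts = urlsplit(url)
    params = [(k, new_value if k == name else v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    new_url = urlunsplit(parts._replace(query=urlencode(params)))
    return build_message(f"{method} {new_url} {version}", headers, body)


def rewrite_title(raw_response, new_title):
    """Steps 24-25: replace the <title> text, then fix Content-Length for the new body."""
    start, headers, body = parse_message(raw_response)
    body = re.sub(r"<title>.*?</title>", f"<title>{new_title}</title>", body, count=1, flags=re.S)
    length = str(len(body.encode()))
    headers = [(n, length if n.lower() == "content-length" else v) for n, v in headers]
    return build_message(start, headers, body)


def session_cookies(raw_request):
    """What a hijacker reads from the trapped request: every cookie, name -> value.
    Values may themselves contain '=' (as Bing's do), so split only on the first one."""
    _, headers, _ = parse_message(raw_request)
    jar = {}
    for n, v in headers:
        if n.lower() != "cookie":
            continue
        for pair in v.split(";"):
            if "=" in pair:
                k, _, val = pair.strip().partition("=")
                jar[k] = val
    return jar


def replay_with_cookies(raw_request, jar):
    """Build the attacker's request: same target, but carrying the victim's cookies.
    This is the 'log in as you' step the Firesheep paragraph describes."""
    start, headers, body = parse_message(raw_request)
    cookie_value = "; ".join(f"{k}={v}" for k, v in jar.items())
    headers = [(n, v) for n, v in headers if n.lower() != "cookie"] + [("Cookie", cookie_value)]
    return build_message(start, headers, body)


if __name__ == "__main__":
    print(rewrite_query_param(RAW_REQUEST, "q", "Cakes").split("\r\n")[0])
    print(rewrite_title(RAW_RESPONSE, "cars - Bing"))
    print(session_cookies(RAW_REQUEST))
```

Changing a search term in transit, as the lab does, shows that the proxy sits in the path; session_cookies and replay_with_cookies show what that position is worth to an attacker on a shared network, and why the Secure flag and https are the defences the scenario recommends.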

FIGURE: ZAP Response pane, Body tab, showing the second occurrence of Cakes in the response body being replaced with Cars (headers as in Figure 2.7)

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Evaluate each of the following proxy options (Paros names; in ZAP these correspond to the Set break on all requests and Set break on all responses buttons, Submit and step to next request or response, and the Drop button):

   a. Trap Request
   b. Trap Response
   c. Continue Button
   d. Drop Button

Internet Connection Required: Yes

Platform Supported: Classroom, iLabs

