Sunday, 15 September 2013

Layer 5 Attacks (Session Layer Attacks)

Here we will see the different Session Layer Attacks. The session layer sets up, manages and terminates exchanges and conversations.
Session Layer features:

  • Session Checkpoint
  • Session Adjournment
  • Session Termination
  • Half- and Full-Duplex Operations

Session Hijacking
The Session Hijacking attack exploits the web session control mechanism, which is normally managed through a session token. The attacker compromises the session token by stealing or predicting a valid one in order to gain unauthorized access to the Web Server.
The session token could be compromised in different ways; the most common are:

Man in the Middle Attack

  • Attacker intercepts all communications between two hosts. 
  • With communications between a client and server now flowing through the attacker, he or she is free to modify their content. 
  • Protocols that rely on the exchange of public keys to protect communications are often the target of these types of attacks.

Blind Hijacking

  • An attacker injects data, such as malicious commands, into intercepted communications between two hosts, for example "net.exe localgroup administrators /add EvilAttacker".
  • This is called Blind Hijacking because the attacker can only inject data into the communications stream, but cannot see the response to that data (such as "The command completed successfully.").
  • Essentially, the blind hijack attacker is shooting data in the dark, but this method is still very effective.

Man-in-the-Browser attack
The Man-in-the-Browser attack takes the same approach as the Man-in-the-Middle attack, but in this case a Trojan Horse is used to intercept and manipulate calls between the main application’s executable (e.g. the browser) and its security mechanisms or libraries on the fly.
Points of effect:

  • Browser Helper Objects – dynamically-loaded libraries loaded by Internet Explorer upon startup
  • Extensions – the equivalent to Browser Helper Objects for Firefox Browser
  • API-Hooking – this is the technique used by Man-in-the-Browser to perform its Man-in-the-Middle between the executable application (EXE) and its libraries (DLL).
  • JavaScript – by using a malicious Ajax worm

Session Sniffing

  • First the attacker uses a sniffer to capture a valid session token, called the “Session ID”, and then uses that token to gain unauthorized access to the Web Server.
  • Sniff the victim for the valid session
  • Use the Session ID sniffed from the victim to authenticate with the web server
  • Activate the victim session in your own system 

SSH Downgrade Attack

  • SSH is the most famous example of a downgrade attack, in which the attacker forces the client and the server to use the insecure SSH1 protocol.
  • The client sends a request to establish an SSH link to the server and asks it for the version it supports. The server answers with one of:
      ssh-2.xx  The server supports only SSH2
      ssh-1.99  The server supports SSH1 and SSH2
      ssh-1.51  The server supports only SSH1
  • This attack is possible when the server supports both SSH1 and SSH2.
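
An added example for defenders (not part of the original post): it parses the version field of an SSH identification string into the three cases listed above and reports servers that still accept SSH1. The host names and banners are constructed samples, and the function names are hypothetical.

```python
import re

# Identification string: SSH-<protoversion>-<softwareversion>[ <comments>]
_BANNER = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)", re.IGNORECASE)


def classify_banner(raw: bytes) -> str:
    """Return 'ssh2-only', 'ssh1-and-ssh2', 'ssh1-only' or 'unparseable'."""
    # A server may send other text lines before its identification string,
    # so scan for the first line that starts with "SSH-".
    for line in raw.decode("ascii", errors="replace").splitlines():
        m = _BANNER.match(line.strip())
        if not m:
            continue
        major, minor = int(m.group(1)), int(m.group(2))
        if major >= 2:
            return "ssh2-only"
        if (major, minor) == (1, 99):
            return "ssh1-and-ssh2"   # the case exposed to a downgrade
        return "ssh1-only"
    return "unparseable"


def audit(banners: dict) -> dict:
    """Map each host to a finding; hosts that only speak SSH2 are omitted."""
    findings = {}
    for host, raw in banners.items():
        verdict = classify_banner(raw)
        if verdict == "ssh1-and-ssh2":
            findings[host] = "downgradable: disable SSH1 on the server"
        elif verdict == "ssh1-only":
            findings[host] = "SSH1 only: upgrade or replace the SSH service"
        elif verdict == "unparseable":
            findings[host] = "no SSH identification string found"
    return findings


# Constructed sample banners (hypothetical hosts, not captured traffic).
SAMPLE = {
    "host-a": b"SSH-2.0-OpenSSH_6.2\r\n",
    "host-b": b"SSH-1.99-OpenSSH_3.9p1\r\n",
    "host-c": b"Authorized use only\r\nSSH-1.5-1.2.27\r\n",
    "host-d": b"220 mail ready\r\n",
}

if __name__ == "__main__":
    for host, finding in sorted(audit(SAMPLE).items()):
        print(host, "->", finding)
```
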