CEH Lab Manual

Session Hijacking
Module 11
Ceh v8 Labs - Module11: Session Hijacking.

Cehv8 labs
Module11: Session Hijacking

Download here:
CCNAv5: ccna5vn.wordpress.com
CEHv8: cehv8vn.blogspot.com

Published in: Education
ICON KEY
Valuable information
Test your knowledge
Web exercise
Workbook review

CEH Lab Manual Page 716

Module 11 - Session Hijacking

Lab Scenario

Source: http://krebsonsecurity.com/2012/11/yahoo-email-stealing-exploit-fetches-700/

According to KrebsOnSecurity news and investigation, a zero-day vulnerability in yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to malicious websites offers a fascinating glimpse into the underground market for large-scale exploits. The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a cross-site scripting (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! webmail users. Such a flaw would let attackers send or read email from the victim's account.

In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed and can access cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

KrebsOnSecurity.com alerted Yahoo! to the vulnerability, and the company says it is responding to the issue. Ramses Martinez, director of security at Yahoo!, said the challenge now is working out the exact yahoo.com URL that triggers the exploit, which is difficult to discern from watching the video.

These types of vulnerabilities are a good reminder to be especially cautious about clicking links in emails from strangers or in messages that you were not expecting. As an administrator, you should implement security measures at the application level and the network level to protect your network from session hijacking.

Network-level hijacking is prevented by packet encryption, which can be obtained by using protocols such as IPsec, SSL, SSH, etc. IPsec allows encryption of packets using a shared key between the two systems involved in the communication. Application-level security is obtained by using strong session IDs. SSL and SSH also provide strong encryption using SSL certificates to prevent session hijacking.

Lab Objectives

The objective of this lab is to help students learn session hijacking and take the necessary actions to defend against session hijacking. In this lab, you will:
- Intercept and modify web traffic

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
- Simulate a Trojan, which modifies a workstation's proxy server settings

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 11 Session Hijacking

Lab Environment

To carry out this lab, you need:
- A computer running Windows Server 2012 as the host machine
- This lab will run on a Windows 8 virtual machine
- A web browser with Internet access
- Administrative privileges to configure settings and run tools

Lab Duration

Time: 20 Minutes

Overview of Session Hijacking

Session hijacking refers to the exploitation of a valid computer session where an attacker takes over a session between two computers. The attacker steals a valid session ID, which is used to get into the system and sniff the data. In TCP session hijacking, an attacker takes over a TCP session between two machines. Since most authentication occurs only at the start of a TCP session, this allows the attacker to gain access to a machine.

Lab Tasks

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you in session hijacking:
- Session hijacking using ZAP

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Session Hijacking Using Zed Attack Proxy (ZAP)

The OWASP Zed Attack Proxy is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.

Lab Scenario

Attackers are continuously watching for websites to hack, and developers must be prepared to counter malicious hackers by writing strong, secure code. A common form of attack is session hijacking, i.e., accessing a website using someone else's session ID. A session ID might contain credit card details, passwords, and other sensitive information that can be misused by a hacker. Session hijacking attacks are performed either by session ID guessing or by stolen session ID cookies. Session ID guessing involves gathering a sample of session IDs and "guessing" a valid session ID assigned to someone else. It is always recommended not to replace ASP.NET session IDs with IDs of your own, as this will prevent session ID guessing. Session hijacking with stolen session ID cookies can be prevented by using SSL; however, using cross-site scripting attacks and other methods, attackers can still steal the session ID cookies. If an attacker gets hold of a valid session ID, then ASP.NET connects to the corresponding session with no further authentication.

There are many tools easily available now that attackers use to hack into websites or user details. One of the tools is Firesheep, which is an add-on for Firefox. While you are connected to an unsecured wireless network, this Firefox add-on can sniff the network traffic, capture all your information, and provide it to the hacker on the same network. The attacker can now use this information and log in as you.

As an ethical hacker, penetration tester, or security administrator, you should be familiar with network and web authentication mechanisms. In your role of web security administrator, you need to test web server traffic for weak session IDs, insecure handling, identity theft, and information loss. Always ensure that you have an encrypted connection using HTTPS, which will make the sniffing of network packets difficult for an attacker. Alternatively, VPN connections can also be used to stay safe, and advise users to log off once they are done with their work. In this lab you will learn to use the ZAP proxy for intercepting traffic, scanning, etc.

Lab Objectives

The objective of this lab is to help students learn session hijacking and how to take the necessary actions to defend against session hijacking. In this lab, you will:
- Intercept and modify web traffic
- Simulate a Trojan, which modifies a workstation's proxy server settings

Lab Environment

To carry out the lab, you need:
- Paros Proxy located at D:\CEH-Tools\CEHv8 Module 11 Session Hijacking\Session Hijacking Tools\Zaproxy
- You can also download the latest version of ZAP from http://code.google.com/p/zaproxy/downloads/list
- If you decide to download the latest version, then the screenshots shown in the lab might differ
- A system running Windows Server 2012 as the host machine
- Run this tool in the Windows 8 virtual machine
- A web browser with Internet access
- Administrative privileges to configure settings and run tools
- Ensure that Java Runtime Environment (JRE) 7 (or above) is installed. If not, go to http://java.sun.com/j2se to download and install it.

Lab Duration

Time: 20 Minutes

Overview of Zed Attack Proxy (ZAP)

Zed Attack Proxy is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox. Its features include an intercepting proxy, automated scanner, passive scanner, and spider.

Lab Tasks

TASK 1: Setting up ZAP

1. Log in to your Windows 8 virtual machine.
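The scenario above asks the web security administrator to test server traffic for weak session IDs. The Python script below is an added example, not from the lab manual or from ZAP: it assesses a captured sample of session identifiers for the two properties that make session ID guessing possible (sequential values and too little entropy) and shows what a server should issue instead. The sample IDs are constructed, and the 64-bit floor is an assumption of the example.

```python
"""Assess a sample of observed session IDs for guessability.

Added example, not part of the lab manual or of ZAP. WEAK_SAMPLE is a
constructed counter-based ID scheme; MIN_ENTROPY_BITS is an assumed
threshold (64 bits is the commonly cited floor for session IDs)."""
import math
import secrets
from collections import Counter

MIN_ENTROPY_BITS = 64  # assumed: below this, brute-force guessing is practical


def estimated_entropy_bits(ids):
    """Shannon entropy of the character distribution over the whole sample,
    times the shortest ID length. Structure shared between IDs (prefixes,
    counters) is not modelled, so this is an upper bound on real entropy."""
    text = "".join(ids)
    total = len(text)
    per_char = -sum((c / total) * math.log2(c / total)
                    for c in Counter(text).values())
    return per_char * min(len(i) for i in ids)


def sequential_step(ids, base=16):
    """If the IDs, read as base-`base` integers, form an arithmetic sequence,
    return the constant increment (the next ID is then trivially predictable).
    Return None when they are not all numeric or the differences vary."""
    try:
        values = [int(i, base) for i in ids]
    except ValueError:
        return None
    if len(values) < 3:
        return None
    diffs = {b - a for a, b in zip(values, values[1:])}
    return diffs.pop() if len(diffs) == 1 else None


def assess_session_ids(ids):
    """Summarise the sample: estimated entropy, sequential step, findings."""
    findings = []
    step = sequential_step(ids)
    if step is not None:
        findings.append(f"sequential: each ID is the previous one plus {step}")
    bits = estimated_entropy_bits(ids)
    if bits < MIN_ENTROPY_BITS:
        findings.append(f"low entropy: about {bits:.0f} bits, "
                        f"below the {MIN_ENTROPY_BITS}-bit floor")
    return {"entropy_bits": round(bits, 1), "sequential_step": step,
            "weak": bool(findings), "findings": findings}


def strong_session_id():
    """What a server should issue: 32 bytes (256 bits) from the OS CSPRNG,
    URL-safe base64 encoded, so neither check above can flag it."""
    return secrets.token_urlsafe(32)


# Constructed sample: eight consecutive logins on a server that hands out
# a counter as the session ID (the pattern session-ID guessing relies on).
WEAK_SAMPLE = [f"{0x51A3E000 + n:08x}" for n in range(8)]

if __name__ == "__main__":
    print(assess_session_ids(WEAK_SAMPLE))
    print(assess_session_ids([strong_session_id() for _ in range(8)]))
```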
Note: You can also download ZAP from http://code.google.com/p/zaproxy/downloads/list

Note: At its heart ZAP is an intercepting proxy. You need to configure your browser to connect to the web application you wish to test through ZAP. If required, you can also configure ZAP to connect through another proxy; this is often necessary in a corporate environment.

Note: If you know how to set up proxies in your web browser, then go ahead and give it a go! If you are unsure, then have a look at the Configuring proxies section.

2. In the Windows 8 virtual machine, follow the wizard-driven installation steps to install ZAP.
3. To launch ZAP after installation, move your mouse cursor to the lower-left corner of your desktop and click Start.

FIGURE 2.1: Paros proxy main window

4. Click ZAP 1.4.1 in the Start menu apps.

FIGURE 2.2: Paros proxy main window

5. The main interface of ZAP appears, as shown in the following screenshot. It will prompt you with an SSL Root CA certificate. Click Generate to continue.
Note: Once you have configured ZAP as your browser's proxy, try to connect to the web application you will be testing. If you cannot connect to it, then check your proxy settings again. You will need to check your browser's proxy settings and also ZAP's own proxy settings.

FIGURE 2.3: Paros proxy main window

Note: Active scanning attempts to find potential vulnerabilities by using known attacks against the selected targets. Active scanning is an attack on those targets. You should NOT use it on web applications that you do not own. It should be noted that active scanning can only find certain types of vulnerabilities. Logical vulnerabilities, such as broken access control, will not be found by any active or automated vulnerability scanning. Manual penetration testing should always be performed in addition to active scanning to find all types of vulnerabilities.

6. In the Options window, select Dynamic SSL certificates, then click Generate to generate a certificate.
7. Then click Save.

FIGURE 2.4: Paros proxy main window

8. Save the certificate in the default location of ZAP. If the certificate already exists, replace it with the new one.
Note: An alert is a potential vulnerability and is associated with a specific request. A request can have more than one alert.

FIGURE 2.5: Paros proxy main window

9. Click OK in the Options window.

Note: Anti-CSRF tokens are (pseudo-)random parameters used to protect against Cross Site Request Forgery (CSRF) attacks. However, they also make a penetration tester's job harder, especially if the tokens are regenerated every time a form is requested.

FIGURE 2.6: Paros proxy main window

10. Your Paros proxy server is now ready to intercept requests.
Note: ZAP detects anti-CSRF tokens purely by attribute names; the list of attribute names considered to be anti-CSRF tokens is configured using the Options Anti CSRF screen. When ZAP detects these tokens it records the token value and which URL generated the token.

Note: ZAP provides an Application Programming Interface (API) which allows you to interact with ZAP programmatically. The API is available in JSON, HTML, and XML formats. The API documentation is available via the URL http://zap/ when you are proxying via ZAP.

FIGURE 2.7: Paros proxy main window

11. Launch any web browser. In this lab we are using the Chrome browser.
12. Your VM workstation should have Chrome version 22.0 or later installed.
13. Change the proxy server settings in Chrome by clicking the Customize and control Google Chrome button, and then click Settings.

FIGURE 2.8: IE Internet Options window

14. On the Google Chrome Settings page, click the Show advanced settings... link at the bottom of the page, and then click the Change proxy settings... button.
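The note above says ZAP recognises anti-CSRF tokens purely by attribute name and records each token's value together with the URL that issued it. The Python below is an added example, not ZAP's own code, that applies the same rule to a constructed HTML response; the token-name list stands in for the names configured in the Options Anti CSRF screen, and the form with the made-up name xsrf_nonce shows the caveat that a token under an unlisted name stays invisible until its name is added.

```python
"""Find anti-CSRF tokens in an HTML response purely by attribute name.

Added example, not ZAP's own code. ANTI_CSRF_NAMES is a constructed list
standing in for the names configured in ZAP's Options Anti CSRF screen;
SAMPLE_URL and SAMPLE_HTML are constructed test data."""
from html.parser import HTMLParser

# Constructed list of attribute names treated as anti-CSRF tokens.
# Comparison is case-insensitive.
ANTI_CSRF_NAMES = frozenset({
    "anticsrf", "csrftoken", "__requestverificationtoken",
    "csrfmiddlewaretoken", "authenticity_token", "_csrf",
})


class TokenFinder(HTMLParser):
    """Collects <input> elements whose name attribute is a token name."""

    def __init__(self, token_names):
        super().__init__()
        self.token_names = {n.lower() for n in token_names}
        self.tokens = []  # (name as written in the page, value)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)  # HTMLParser lowercases attribute names, not values
        name = a.get("name") or ""
        if name.lower() in self.token_names:
            self.tokens.append((name, a.get("value")))


def find_anti_csrf_tokens(url, html, token_names=ANTI_CSRF_NAMES):
    """Return one record per token found, keeping what ZAP keeps: the
    token value and the URL whose response generated it."""
    finder = TokenFinder(token_names)
    finder.feed(html)
    finder.close()
    return [{"url": url, "name": n, "value": v} for n, v in finder.tokens]


# Constructed response body: a form with a listed token name, a form with
# an unlisted token name (xsrf_nonce, made up), and a form with no token.
SAMPLE_URL = "http://www.example.test/account/transfer"
SAMPLE_HTML = """
<form method="post" action="/account/transfer">
  <input type="hidden" name="CSRFToken" value="tok-constructed-0001">
  <input type="text" name="amount">
</form>
<form method="post" action="/profile">
  <input type="hidden" name="xsrf_nonce" value="tok-constructed-0002">
</form>
<form method="get" action="/search">
  <input type="text" name="q">
</form>
"""


def detected_with_defaults():
    """Only the CSRFToken input is found: name-based detection misses the
    xsrf_nonce token until that name is added to the list."""
    return find_anti_csrf_tokens(SAMPLE_URL, SAMPLE_HTML)


def detected_with_site_name():
    """Same page after configuring the site's own token name."""
    return find_anti_csrf_tokens(SAMPLE_URL, SAMPLE_HTML,
                                 ANTI_CSRF_NAMES | {"xsrf_nonce"})


if __name__ == "__main__":
    for rec in detected_with_defaults() + detected_with_site_name():
        print(rec)
```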
FIGURE 2.9: Paros proxy main window

15. In the Internet Properties wizard, click Connections and click LAN Settings.

FIGURE 2.10: IE Internet Options window with Connections tab

16. Check Use a proxy server for your LAN, type 127.0.0.1 in the Address field, enter 8080 in the Port field, and click OK.

Note: Click OK several times until all configuration dialog boxes are closed.
Note: It should be noted that there is minimal security built into the API, which is why it is disabled by default. If enabled, then the API is available to all machines that are able to use ZAP as a proxy. By default ZAP listens only on 'localhost' and so can only be used from the host machine. The API provides access to the core ZAP features such as the active scanner and spider. Future versions of ZAP will increase the functionality available via the API.

TASK 2: Hijacking Victim's Session

Note: ZAP allows you to try to brute force directories and files. A set of files is provided which contain a large number of file and directory names.

Note: A break point allows you to intercept a request from your browser and to change it before it is submitted to the web application you are testing. You can also change the responses received from the application. The request or response will be displayed in the Break tab, which allows you to change disabled or hidden fields, and will allow you to bypass client-side validation (often enforced using JavaScript). It is an essential penetration testing technique.

FIGURE 2.11: IE Internet Options window with Proxy Settings window

17. Click Set break on all requests and Set break on all responses to trap all the requests and responses from the browser.

FIGURE 2.12: Paros proxy main window

18. Now navigate to the Chrome browser, and open www.bing.com.
19. Start a search for "Cars."
20. Open ZAP, which shows the first trapped incoming web traffic.
21. Observe the first few lines of the trapped traffic in the trap windows, and keep clicking Submit and step to next request or response until you see cars in the GET request in the Break tab, as shown in the following screenshot.
Note: Filters add extra features that can be applied to every request and response. By default no filters are initially enabled. Enabling all of the filters may slow down the proxy. Future versions of the ZAP User Guide will document the default filters in detail.

FIGURE 26: Paros Proxy with Trap option content

22. Now change the query text from Cars to Cakes in the GET request.

Note: Fuzzing is configured using the Options Fuzzing screen. Additional fuzzing files can be added via this screen or can be put manually into the "fuzzers" directory where ZAP was installed; they will then become available after restarting ZAP.

23. Click Submit and step to next request or response.
24. Search for a title in the Response pane and replace Cakes with Cars as shown in the following figure.
Note: This functionality is based on code from the OWASP JBroFuzz project and includes files from the fuzzdb project. Note that some fuzzdb files have been left out as they cause common anti-virus scanners to flag them as containing viruses. You can replace them (and upgrade fuzzdb) by downloading the latest version of fuzzdb and expanding it in the 'fuzzers' library.

FIGURE 2.7: Paros Proxy search string content

25. In the same Response pane, replace Cakes with Cars, as shown in the following figure, at the value shown.
Note: This tool keeps track of the existing HTTP Sessions on a particular Site and allows the Zaproxy user to force all requests to be on a particular session. Basically, it allows the user to easily switch between user sessions on a Site and to create a new Session without "destroying" the existing ones.

FIGURE 18: Paros with modified trap option content

Note: Here we are changing the text Cakes to Cars; the Bing search shows Cars, whereas the results displayed are for Cakes.

26. Observe the Bing search web page displayed in the browser with the search query as "Cakes."

Note: It is based on the concept of Session Tokens, which are HTTP message parameters (for now only Cookies) which allow an HTTP server to connect a request message with any previous requests or data stored. In the case of Zaproxy, conceptually, session tokens have been classified into 2 categories: default session tokens and site session tokens. The default session tokens are the ones that the user can set in the Options Screen and are tokens that are, by default, automatically considered session tokens for any site (e.g. phpsessid, jsessionid, etc.). The site session tokens are a set of tokens for a particular site and are usually set up using the popup menus available in the Params Tab.

FIGURE 16: Search results window after modifying the content

27. That's it. You just forced an unsuspecting web browser to go to any page of your choosing.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

Zed Attack Proxy:
- SSL certificate to hack into a website
- Redirecting the request made in Bing
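The HTTP Sessions note above explains that ZAP groups requests by their session-token cookies (default names such as phpsessid and jsessionid, plus site-specific ones). The Python below is an added example, not part of the manual or of ZAP, that does the same grouping from the defender's side over constructed web server log lines and flags a token presented by more than one client, which is the trace a stolen session cookie (the Firesheep and XSS cases in the scenario) leaves behind. The tab-separated log format is an assumption of the example.

```python
"""Group web server requests by session-token cookie and flag tokens that
are presented by more than one client.

Added example, not part of the lab manual or of ZAP. DEFAULT_SESSION_TOKENS
mirrors the default token names the lab mentions; SAMPLE_LOG is constructed,
tab-separated: timestamp, client IP, User-Agent, request line, Cookie header."""
from collections import defaultdict

# Cookie names treated as session tokens for any site (compared lowercase).
DEFAULT_SESSION_TOKENS = frozenset({"phpsessid", "jsessionid"})


def parse_cookie_header(header):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; parts without '=' are ignored."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            cookies[k.strip()] = v.strip()
    return cookies


def session_token(cookie_header, site_tokens=()):
    """Return (name, value) of the first cookie that is a default session
    token or one of the site-specific names; None if there is none."""
    names = DEFAULT_SESSION_TOKENS | {t.lower() for t in site_tokens}
    for k, v in parse_cookie_header(cookie_header).items():
        if k.lower() in names:
            return k, v
    return None


def parse_log_line(line):
    ts, ip, ua, request, cookie = line.rstrip("\n").split("\t")
    return {"time": ts, "ip": ip, "ua": ua, "request": request, "cookie": cookie}


def build_sessions(lines, site_tokens=()):
    """Map session-token value -> list of requests that presented it."""
    sessions = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        tok = session_token(rec["cookie"], site_tokens)
        if tok is not None:
            sessions[tok[1]].append(rec)
    return dict(sessions)


def suspicious_sessions(sessions):
    """Tokens seen from more than one (client IP, User-Agent) pair. A valid
    user rarely changes both mid-session; a copied cookie usually does."""
    flagged = {}
    for value, recs in sessions.items():
        clients = {(r["ip"], r["ua"]) for r in recs}
        if len(clients) > 1:
            flagged[value] = sorted(clients)
    return flagged


# Constructed log: a victim browsing from 192.0.2.10, the same PHPSESSID
# then presented from 192.0.2.77 with a different browser, one normal
# JSESSIONID user, one site-specific SID cookie, and a request with no session.
SAMPLE_LOG = [
    "2012-11-26T10:15:01Z\t192.0.2.10\tMozilla/5.0 (Windows NT 6.2) Chrome/22.0"
    "\tGET /inbox HTTP/1.1\tPHPSESSID=7f3a9c1e; theme=dark",
    "2012-11-26T10:15:09Z\t192.0.2.10\tMozilla/5.0 (Windows NT 6.2) Chrome/22.0"
    "\tGET /inbox?page=2 HTTP/1.1\tPHPSESSID=7f3a9c1e; theme=dark",
    "2012-11-26T10:16:40Z\t192.0.2.77\tMozilla/5.0 (X11; Linux) Firefox/17.0"
    "\tGET /inbox HTTP/1.1\tPHPSESSID=7f3a9c1e",
    "2012-11-26T10:17:02Z\t192.0.2.23\tMozilla/5.0 (Windows NT 6.1) MSIE 9.0"
    "\tGET /orders HTTP/1.1\tJSESSIONID=B2C4D6E8",
    "2012-11-26T10:17:30Z\t192.0.2.31\tMozilla/5.0 (Windows NT 6.1) MSIE 9.0"
    "\tGET /search?q=cars HTTP/1.1\tSID=aa11bb22; lang=en",
    "2012-11-26T10:18:00Z\t192.0.2.40\tcurl/7.26\tGET / HTTP/1.1\tlang=en",
]

if __name__ == "__main__":
    for value, clients in suspicious_sessions(build_sessions(SAMPLE_LOG)).items():
        print(f"session {value} presented by {len(clients)} clients: {clients}")
```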
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Evaluate each of the following Paros proxy options:
   a. Trap Request
   b. Trap Response
   c. Continue Button
   d. Drop Button

Internet Connection Required
[x] Yes

Platform Supported
[x] Classroom
