How do you know when your system has been compromised?

In computer science, session hijacking is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer (see HTTP cookie theft).

A popular method is using source-routed IP packets. This allows a hacker at point A on the network to participate in a conversation between B and C by encouraging the IP packets to pass through its machine.

If source-routing is turned off, the hacker can use "blind" hijacking, whereby it guesses the responses of the two machines. Thus, the hacker can send a command, but can never see the response. However, a common command would be to set a password allowing access from somewhere else on the net.

A hacker can also be "inline" between B and C using a sniffing program to watch the conversation. This is known as a "man-in-the-middle attack".

Countermeasures

Countermeasures to help prevent session hijacking include:

• Use encrypted session negotiation.
• Use encrypted communication channels.
• Stay informed of platform patches to fix TCP/IP vulnerabilities, such as predictable packet sequences.

Tools used in the exploit

Session Hijacking Tools:

Hunt

Hijacking software has the following functionality features:
1) Connection management
* Setting what connections you are interested in.
* Detecting an ongoing connection (not only SYN started).
* Normal active hijacking with the detection of the ACK storm.
* ARP spoofed/Normal hijacking with the detection of successful ARP spoof.
* Synchronization of the true client with the server after hijacking (so that the connection don't have to be reset).
* Resetting connection.
* Watching connection.

2) Daemons
* Reset daemon for automatic connection resetting.
* ARP spoof/relayer daemon for ARP spoofing of hosts with the ability to relay all packets from spoofed hosts.
* MAC discovery daemon for collecting MAC addresses.
* Sniff daemon for logging TCP traffic with the ability to search for a particular string.

3) Host Resolving
* Deferred host resolving through dedicated DNS helper servers.

4) packet engine
* Extensible packet engine for watching TCP, UDP, ICMP and ARP traffic.
* Collecting TCP connections with sequence numbers and the ACK storm detection.

5) misc.
* Determining which hosts are up.

Netcat

-General purpose widget

-most useful and popular tool … for interacting with a system across a network

-Send or receive data from any TCP or UDP port to any TCP or UDP port

How is the attack done?

There are four main methods used to perpetrate a session hijack. These are:
 Session fixation, where the attacker sets a user's session id to one known to him, for example by sending the user an email with a link that contains a particular session id. The attacker now only has to wait until the user logs in.
 Session side jacking, where the attacker uses packet sniffing to read network traffic between two parties to steal the session cookie. Many web sites use SSLencryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. This allows attackers that can read the network traffic to intercept all the data that is submitted to the server or web pages viewed by the client. Since this data includes the session cookie, it allows him to impersonate the victim, even if the password itself is not compromised.[1] Unsecured Wi-Fi hotspots are particularly vulnerable, as anyone sharing the network will generally be able to read most of the web traffic between other nodes and the access point.
 Alternatively, an attacker with physical access can simply attempt to steal the session key by, for example, obtaining the file or memory contents of the appropriate part of either the user's computer or the server.
 Cross-site scripting, where the attacker tricks the user's computer into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.