Lecture 03 - Threats and Attacks On Enterprise-Advanced Spoofing Session Hijacking - v5

This document provides an overview of threats and attacks on enterprises, including advanced spoofing and session hijacking techniques. It discusses reconnaissance tools used to gather information about targets. Phishing and spoofing concepts are explained, along with ARP, IP, and DNS spoofing. Session hijacking and TCP/IP hijacking are also covered. Examples of spoofing attacks include man-in-the-middle attacks, where packet flow is redirected from clients to an attacker's device. ARP poisoning is demonstrated using the Ettercap tool. IP address spoofing is also discussed, where attackers disguise packet sources.

Uploaded by Binod SAdhikari

MN623 – Cyber Security and Analytics
Week 3 – Lecture 03 – Threats and attacks on Enterprise – Advanced spoofing & Session Hijacking

Acknowledgements:
The contents are compiled from
Glen D. Singh (2019). Learn Kali Linux 2019: Perform powerful penetration testing using Kali Linux, Metasploit, Nessus, Nmap, and Wireshark. Packt.
Zaid Sabih (2018). Learn Ethical Hacking From Scratch: Your Stepping Stone To Penetration Testing. Packt Publishing.
Recall of Penetration Testing and AES from Week 2 Lecture
 Penetration testing is required to become an ethical hacker/professional and to avoid threats and attacks on the Enterprise.
 How to use VirtualBox, which allows us to install machines such as Kali Linux, Metasploitable and Windows inside our own machine.
 Different password cracking tools were explored, like Hydra, John and RainbowCrack.
 For AES encryption, each round consists of the following four steps: 1) Substitute bytes, 2) Shift rows, 3) Mix columns, and 4) Add round key.

March 2020 Compiled by: Dr Ajay Shiv Sharma 2


Lecture 3 Overview

 Reconnaissance and open source intelligence tools
 Phishing/Spoofing concepts
 ARP, IP and DNS spoofing, Advanced Spoofing framework
 Session hijacking and TCP/IP hijacking
 How attackers can capture and analyze traffic by placing a packet sniffer, with a real-time example incorporating WIL to learn varied tools.

Reconnaissance

• As a penetration tester,
– we definitely need to know about our target, as well as its vulnerabilities and operating systems,
– before we attempt to gain access via exploitation.
 Reconnaissance assists in retrieving information and specific details pertaining to a target.

Reconnaissance categories

• Passive:
– uses an indirect approach and does not engage the target.
• Active:
– directly engages the target to gather specific details.

OSINT Framework

• OSINT tools are used in the reconnaissance phase to gather as much information about the target as possible.
• These open source intelligence tools utilize artificial intelligence features to mine data from the Web about all possible matches to the desired target.
 https://osintframework.com/

What Is Phishing?

• Phishing is a cybercrime in which scammers send a malicious email by impersonating a known individual, a business partner or a service provider.
• Both spoofing and phishing involve posing as a different sender to trick the recipient into carrying out an action.
 Spoofing can be part of phishing.

Origin of Phishing

• Phishing has been one of the fastest evolutions in hacking history.
– 1990: Algorithm-Based Phishing
– 2000: Email Phishing
– 2003: Domain Spoofing
– 2018: Phishing via HTTPS

5 Categories of Phishing

Based on the phishing channel:
1. Vishing
2. Smishing
3. Search Engine Phishing
4. Spear Phishing
5. Whaling

Types of Phishing/Spoofing Attacks
1. Email Spoofing – Name Impersonation
2. Mass Target – Brand Impersonation
3. URL Phishing
4. Subdomain Attack
5. Pop-Up Messages: In-Session Phishing
6. Search Engine Attack
7. Website Spoofing

Types of Phishing/Spoofing Attacks (continued)
8. Scripting
9. Man-in-the-Middle Attack
10. Clone Phishing
11. Image Phishing
12. Voice Phishing Attack
13. CEO Fraud
14. Malware Injection

Man-in-the-Middle Attacks
• One of the most dangerous and effective attacks that we can carry out in a network.
– Used to redirect the flow of packets from any client to the attacker's device.

Fig. 1 MITM

What is ARP Spoofing?

• The switch is set in forwarding mode, and after the ARP table is flooded with spoofed ARP responses, the attackers can sniff all network packets.
• Attackers flood a target computer's ARP cache with forged entries, which is also known as poisoning.
– ARP poisoning uses MITM access to poison the network.

Work Integrated Learning (WIL) - ARP Poisoning using Ettercap
• Open up the terminal and type “ettercap -G” to start the graphical interface (the command name is lowercase and the option is a single hyphen).
• Now click the “sniff” tab in the menu bar and select “unified sniffing”, then click OK to select the interface. We are going to use “eth0”, which means the Ethernet connection.

Fig. 2 Ettercap Input

 https://www.ettercap-project.org/

WIL - ARP Poisoning
• Now click the “hosts” tab in the menu bar and click “scan for hosts”.
• Next, click the “hosts” tab and select “hosts list” to see the number of hosts available in the network.
– This list also includes the default gateway address.

Fig. 3 Ettercap host tab

WIL - ARP Poisoning
• To choose the targets:
– In MITM, our target is the host machine, and the route will be the router address to forward the traffic.
• Take a scenario: our target is “192.168.121.129” and the router is “192.168.121.2”.
• Add target 1 as the victim IP and target 2 as the router IP.
• Click on “MITM” and click “ARP poisoning”. Thereafter, check the option “Sniff remote connections” and click OK.

Fig. 4 MITM Attack

WIL - ARP Poisoning
• Click “start” and select “start sniffing”.
• Now it’s time to see the results, if our victim logged into some websites.
– You can see the results in the toolbar of Ettercap.

Fig. 5 Results Example

MITM – ARP Spoofing Tools

• Dsniff
 Arpspoof—Used for poisoning the ARP cache by forging ARP replies
 Mailsnarf—Used to sniff e-mail messages sent over protocols like SMTP and POP
 Msgsnarf—Sniffs all the IM messaging conversations
 Webspy—Used to sniff all the URLs that a victim has visited via his browser, and later open them in our browser
 Urlsnarf—Sniffs all the URLs
 Macof—Used to perform a MAC flooding attack

IP Address Spoofing Attacks

• IP address spoofing is one of the most frequently used spoofing attack methods.
• An attacker sends IP packets from a false (or “spoofed”) source address in order to disguise itself.
 Denial-of-service attacks often use IP spoofing to overload networks and devices with packets that appear to be from legitimate source IP addresses.

The Process of an IP Spoofing Attack

Fig. 6 Process of IP Spoofing

Anesthetize the host

• First, use any network protocol analyzer to monitor your LAN.
• Then anesthetize, or stun, the host that you want to impersonate
– by performing a SYN flood (or SYN attack), Ping of Death, or some other denial-of-service attack.

Forging the Address

• Forging the address of the stunned host could be done with the same utility
– used to stun the trusted machine.
• The big problem is guessing something close to the correct incremented victim-side sequence number.
– ISNs are not random, so the guess is not random either.
• Sequence numbers start at 1 when the machine is booted up and are incremented by fixed values.

IP spoofing Next Steps

• Once the hacker has put the trusted machine to sleep with a SYN attack,
– he sends a SYN packet to the victim machine.
• The hacker should connect to the victim machine several times on port 23 or 25
– to get an idea of how quickly the ISN advances.
• The attacker also needs to deduce the packet’s round-trip time (RTT).
• When the attack is done, the trusted machine must be released and returned to normal.
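The two slides above turn on one property: an ISN that advances by a fixed amount can be extrapolated from a few observed connections. The Python below is an added example, not taken from the lecture or its cited books, and shows the defender's side: a fixed-increment counter beside an RFC 6528-style generator (ISN = M + F(local IP, local port, remote IP, remote port, secret), with HMAC-SHA256 standing in for F and a 4-microsecond tick for M), plus a small audit helper that reports whether a list of observed ISNs has a constant increment. The 64000-per-connection increment, the host secret, and the addresses and ports are constructed values.

```python
# Added illustration (not from the lecture) of why fixed-increment ISNs are
# guessable and how an RFC 6528-style generator defends against it.
import hashlib
import hmac
import secrets
import time
from typing import List, Optional

# Constructed per-host secret; a real stack generates it at boot and keeps it
# in kernel memory.
HOST_SECRET = secrets.token_bytes(32)
MASK32 = 0xFFFFFFFF


def legacy_isn(connection_number: int, increment: int = 64000) -> int:
    """Old-style ISN: one global counter advanced by a fixed amount per
    connection (the 64000 increment is a constructed value). An observer who
    sees two ISNs learns the increment and can extrapolate the next one."""
    return (1 + connection_number * increment) & MASK32


def rfc6528_isn(local_ip: str, local_port: int, remote_ip: str, remote_port: int,
                secret: bytes = HOST_SECRET, clock: Optional[int] = None) -> int:
    """ISN = M + F(localip, localport, remoteip, remoteport, secret), where M is
    a 4-microsecond timer and F is a keyed hash. HMAC-SHA256 truncated to 32
    bits stands in for F here; RFC 6528 leaves the PRF choice to the stack."""
    if clock is None:
        clock = time.monotonic_ns() // 4000          # 4 microsecond ticks
    four_tuple = f"{local_ip}:{local_port}>{remote_ip}:{remote_port}".encode()
    digest = hmac.new(secret, four_tuple, hashlib.sha256).digest()
    offset = int.from_bytes(digest[:4], "big")
    return (clock + offset) & MASK32


def isn_increment_is_fixed(samples: List[int]) -> bool:
    """Audit helper: True when every consecutive pair of observed ISNs differs
    by the same constant, i.e. the next ISN could be extrapolated from the last
    one. Needs at least three samples to say anything."""
    if len(samples) < 3:
        raise ValueError("need at least three ISN samples")
    deltas = {(b - a) & MASK32 for a, b in zip(samples, samples[1:])}
    return len(deltas) == 1


if __name__ == "__main__":
    legacy = [legacy_isn(n) for n in range(5)]
    print("legacy ISNs", legacy, "fixed increment:", isn_increment_is_fixed(legacy))
    # Five connections from different peer ports, observed in the same tick.
    modern = [rfc6528_isn("192.168.121.129", 23, "192.168.121.50", 40000 + n, clock=0)
              for n in range(5)]
    print("RFC 6528 ISNs", modern, "fixed increment:", isn_increment_is_fixed(modern))
```

For one and the same four-tuple the RFC 6528 value still advances with the clock. That is deliberate: it keeps segments from an earlier incarnation of the connection from being accepted, while a different peer obtains an unrelated offset and learns nothing about the sequence space of other connections from its own.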

Re-check on the Spoofing Model

Fig. 7 Spoofing Model

What is DNS Spoofing?

• DNS poisoning is a technique that tricks a DNS server into believing that it has received authentic information when, in reality, it has not.
– It results in the substitution of a false IP address at the DNS level.
• An attacker can create fake DNS entries for the server, which may point the same name at malicious content.

WIL - DNS Poisoning

Fig. 8 Opening etter.dns in Nano

Fig. 9 Redirect

WIL - DNS Poisoning

Fig. 10 DNS Spoof Plugin

WIL - DNS Poisoning

• After activating the DNS spoof plugin,
 you will see in the results that facebook.com is spoofed to Google's IP whenever someone types it in their browser.

Fig. 11 Demo DNS Spoofing

Defenses against Poisoning

• Use a hardware-switched network for the most sensitive portions of the network.
• Implement IP DHCP Snooping on switches to prevent ARP poisoning and spoofing attacks.
• Implement policies to prevent promiscuous mode on network adapters.
• Encrypt your sensitive traffic using SSH or IPsec.
– SSL is a great defense along with IPsec.
• Port security is used by switches that have the ability to be programmed to allow only specific MAC addresses to send and receive data on each port.
• Replacing FTP and Telnet with SSH is an effective defense against sniffing.
• Virtual Private Networks (VPNs) can provide an effective defense.
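The ARP spoofing slide and the defences list above rest on one idea: an IP address should keep a single MAC binding, and a station answering for several addresses is suspect. The Python below is an added example, not from the lecture or the Ettercap project: a small watcher that reads tcpdump-style ARP reply lines, seeds trusted bindings the way a switch's DHCP snooping table feeds Dynamic ARP Inspection, and alerts on a changed binding or on a MAC claiming more than one IP. The capture is constructed, reusing the 192.168.121.2 gateway and 192.168.121.129 host addresses from the WIL scenario with made-up MAC addresses; the class and function names are assumptions.

```python
# Added example (not from the lecture): a software analogue of the ARP-binding
# checks the slides recommend. It reads tcpdump-style "ARP, Reply X is-at M"
# lines (constructed below), keeps an IP-to-MAC binding table, and raises an
# alert when a binding changes or when one MAC claims several IPs.
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

Alert = Tuple[str, str, str, str]   # (kind, ip, expected_mac, observed_mac)


class ArpWatcher:
    def __init__(self, trusted_bindings: Optional[Dict[str, str]] = None):
        # Static bindings (gateway, servers) seeded the way a switch's DHCP
        # snooping table seeds Dynamic ARP Inspection.
        self.trusted = {ip: mac.lower() for ip, mac in (trusted_bindings or {}).items()}
        self.bindings: Dict[str, str] = dict(self.trusted)   # ip -> trusted or learned mac
        self.claims: Dict[str, Set[str]] = defaultdict(set)  # mac -> ips it has answered for
        self.alerts: List[Alert] = []

    def observe(self, line: str) -> Optional[Alert]:
        """Feed one capture line; returns an alert tuple or None."""
        m = ARP_REPLY.search(line)
        if m is None:                    # requests and non-ARP lines are ignored
            return None
        ip, mac = m["ip"], m["mac"].lower()
        self.claims[mac].add(ip)
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac      # first sighting: learn it
            return None
        if known == mac:
            return None
        kind = "trusted-binding-violated" if ip in self.trusted else "binding-changed"
        alert = (kind, ip, known, mac)
        self.alerts.append(alert)
        return alert

    def multi_ip_macs(self) -> Dict[str, Set[str]]:
        """MACs that have answered for more than one IP: the signature of a
        station inserting itself between a host and the gateway."""
        return {mac: ips for mac, ips in self.claims.items() if len(ips) > 1}


# Constructed capture modelled on `tcpdump -n arp` output: legitimate gateway
# and host replies, then a third station answering for both addresses.
SAMPLE_CAPTURE = """\
10:00:01.000100 ARP, Reply 192.168.121.2 is-at 00:50:56:aa:bb:01, length 28
10:00:01.000250 ARP, Reply 192.168.121.129 is-at 00:0c:29:11:22:33, length 28
10:00:02.104000 ARP, Request who-has 192.168.121.129 tell 192.168.121.2, length 28
10:00:05.000010 ARP, Reply 192.168.121.2 is-at 08:00:27:de:ad:01, length 28
10:00:05.000020 ARP, Reply 192.168.121.129 is-at 08:00:27:de:ad:01, length 28
""".splitlines()


def analyse(lines: List[str], trusted: Optional[Dict[str, str]] = None) -> ArpWatcher:
    """Run the watcher over a list of capture lines and return it for inspection."""
    w = ArpWatcher(trusted)
    for line in lines:
        w.observe(line)
    return w


if __name__ == "__main__":
    w = analyse(SAMPLE_CAPTURE, {"192.168.121.2": "00:50:56:aa:bb:01"})
    for a in w.alerts:
        print("ALERT", *a)
    print("MACs answering for several IPs:", w.multi_ip_macs())
```

Learned (non-trusted) bindings change legitimately when a NIC is replaced or a DHCP lease moves, so a `binding-changed` alert is a signal to correlate with DHCP logs, whereas a change to a trusted gateway binding, or one MAC answering for both a host and the gateway, is the pattern the Ettercap walkthrough above produces and warrants immediate action.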

Advanced Spoofing Framework - MITMf
• Man-in-the-middle framework (MITMf) provides:
– ARP spoofing,
– bypassing HTTPS,
– DNS spoofing,
– keyloggers,
– code injection

Session hijacking

• Session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services.
• Session IDs are a tasty treat for malicious hackers.
• Once an attacker gets their hands on a session ID,
 they can get unauthorized access to a web application and fully impersonate a valid user.

Methods to obtain a valid session ID
• Guessing a valid session ID (session prediction)
• Creating a valid session ID and tricking the user into
using it (session fixation)
• Obtaining a valid session ID from a user (session side
jacking)
• Cross-site scripting

Session Prediction

• Brute force
– the attacker can simply try to guess the session key of a user’s active session,
– which is feasible only if the application uses short or predictable session identifiers.
 To ensure resistance to brute force attacks, the key generation algorithm must give truly unpredictable values with enough entropy to make guessing attacks impractical.

Session Fixation

• Session fixation takes place when the attacker generates a valid session ID
– that has not yet been used, and
– then provides it to the user, who then uses it to authenticate.
 The attacker must first figure out what format of session IDs is valid and then trick the user into using it.

Session side jacking

• This type of attack requires the attacker’s active participation.
– Using packet sniffing, attackers can monitor the user’s network traffic and intercept session cookies after the user has authenticated on the server.
– If the website only uses SSL/TLS encryption for the login pages and not for the entire session,
• the attacker can use the sniffed session key to hijack the session.

Cross-site scripting

Fig. 12 Session hijacking-using-xss

Exploits – Session Hijacking

• Firesheep
• WhatsApp sniffer
• DroidSheep
• CookieCadger

Prevention – Session Hijacking

• Correlate the application session with the SSL/TLS credentials.
• Use a long random number or string as the session key.
• Regenerate the session ID after a successful login.
• Make secondary checks against the identity of the user.
• Change the value of the cookie with each and every request.
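The session prediction, fixation and side jacking slides, together with the prevention list just above, map onto a handful of server-side rules. The Python below is an added example (not from the lecture) that applies all of them in one small session store: IDs from the OS CSPRNG with 256 bits of entropy, a fresh ID at login so a pre-planted one never becomes authenticated, a secondary check that binds the session to the client (here a hash of the User-Agent plus a constructed value standing in for a TLS channel binding), rotation of the ID on every validated request, and cookie attributes that keep the ID off plain HTTP and out of script reach. The class and function names, the SESSIONID cookie name and the timeout are assumptions.

```python
# Added example (not from the lecture): a minimal server-side session store
# applying the slides' countermeasures against prediction, fixation and
# side jacking.
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

SESSION_BYTES = 32            # 256 bits of entropy per ID (assumed size)
SESSION_TTL = 30 * 60         # idle timeout in seconds (assumed value)


def new_session_id() -> str:
    """CSPRNG-backed, URL-safe ID; 43 characters for 32 bytes."""
    return secrets.token_urlsafe(SESSION_BYTES)


def client_fingerprint(user_agent: str, tls_binding: Optional[bytes] = None) -> str:
    """Secondary identity material. tls_binding stands for a per-connection
    value exported from the TLS layer (constructed in the demo); with it, a
    copied cookie fails validation on any other TLS connection."""
    h = hashlib.sha256(user_agent.encode("utf-8"))
    if tls_binding:
        h.update(b"|" + tls_binding)
    return h.hexdigest()


class SessionStore:
    def __init__(self, ttl: int = SESSION_TTL):
        self.ttl = ttl
        self._sessions: Dict[str, dict] = {}

    def create_anonymous(self, fp: str, now: float) -> str:
        sid = new_session_id()
        self._sessions[sid] = {"user": None, "fp": fp, "expires": now + self.ttl}
        return sid

    def login(self, presented_sid: Optional[str], user: str, fp: str, now: float) -> str:
        """Never promote the pre-login ID: whatever the client presented (even
        one planted by a fixation attempt) is discarded and a fresh ID issued."""
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        sid = new_session_id()
        self._sessions[sid] = {"user": user, "fp": fp, "expires": now + self.ttl}
        return sid

    def validate(self, sid: str, fp: str, now: float) -> Tuple[Optional[str], Optional[str]]:
        """Returns (user, rotated_sid). Any failure destroys the session and
        returns (None, None), so a stolen or guessed ID cannot be retried."""
        s = self._sessions.pop(sid, None)
        if s is None or now > s["expires"]:
            return None, None
        if not hmac.compare_digest(s["fp"], fp):
            return None, None            # same ID presented from a different client
        s["expires"] = now + self.ttl
        new_sid = new_session_id()       # rotate on every request
        self._sessions[new_sid] = s
        return s["user"], new_sid


def set_cookie_header(sid: str) -> str:
    """Secure keeps the cookie off HTTP, HttpOnly keeps it out of
    document.cookie (XSS), SameSite limits cross-site sending."""
    return f"Set-Cookie: SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    fp = client_fingerprint("Mozilla/5.0", b"tls-exporter-value-constructed")
    pre = store.create_anonymous(fp, now=0)
    sid = store.login(pre, "alice", fp, now=1)
    print("pre-login ID still valid?", store.validate(pre, fp, now=2) != (None, None))
    user, sid = store.validate(sid, fp, now=3)
    print("request by", user, "->", set_cookie_header(sid))
    print("replay from another client:",
          store.validate(sid, client_fingerprint("curl/8.0"), now=4))
```

Rotating on every request costs a store write per request and misbehaves when a client sends two requests in parallel with the same ID, which is why many frameworks rotate only at login and other privilege changes; the remaining rules are cheap and should always be on.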

TCP/IP Hijacking

• TCP/IP hijacking is when an unauthorized user gains access to a genuine network connection of another user.
• It is done in order to bypass the password authentication which is normally the start of a session.

TCP/IP Hijacking

• To hijack this connection, there are two possibilities:
 Find the seq, which is a number that increases by 1, but there is no chance to predict it.
 The second possibility is to use the Man-in-the-Middle attack, which is a type of network sniffing. For sniffing, we use tools like Wireshark.

Fig. 13 TCP/IP connection

WIL- Wireshark
• Wireshark is one of the best data packet analyzers.
• It analyzes packets deeply, at the frame level.
• It is found using the following path: Applications → Sniffing & Spoofing → wireshark.

Fig. 14 Wireshark

WIL- Demo Wireshark

Fig. 15 Packet Capturing

WIL- mitmproxy

Fig. 16 mitmproxy

• mitmproxy is an SSL-capable man-in-the-middle HTTP proxy.
• To open it, go to the terminal and type “mitmproxy -parameter”.

WIL- sslstrip
• sslstrip is a MITM attack that forces a victim's browser to communicate in plain text over HTTP, while the proxy modifies the content fetched from an HTTPS server.
• Applications → Sniffing & Spoofing → Spoofing and MITM → sslstrip

Fig. 17 sslstrip Spoofing

Summary

 Reconnaissance and open source intelligence tools
 Phishing/Spoofing concepts
 ARP, IP and DNS spoofing, Advanced Spoofing framework
 Session hijacking and TCP/IP hijacking
 How attackers can capture and analyze traffic by placing a packet sniffer, with a real-time example incorporating WIL to learn varied tools.

Lecture 3 Questions

1) Research and evaluate the OSINT Framework.
2) Is the Work Integrated Learning methodology capable of providing you with better knowledge? Justify your answer.
3) Explain the impact of a MITM attack on netbanking.
4) How is session hijacking done using Ferret and Hamster? Try to implement the same.
5) Explore Man-in-the-Middle attacks using MITMf.
