Session Hi-jack Testing

So I've been doing a lot of different security testing exercises and was wanting to get in some better session hijacking practice than the very stripped down labs that we used in my CEH course. I was wondering if it is illegal to perform a session hi-jacking attack against your own session with a third party. My immediate thoughts were, "its my session that i'm hi-jacking so...no harm, no foul." But its obviously a grey area, just given the fact that there is a third party involved. So just curious if anyone knows if this actually is illegal. Thanks.

Find more posts tagged with

Comments

JDMurray

Before you consider "illegal," consider the user agreement you signed with the organization that supplies you your Internet service. You do anything that contradicts that agreement you signed and you could permanently loose your service through that provider. So you first need to find out if your ISP will allow you to schedule a specific time to do pen testing on the IP address(es) they lease you.

the_hutch

JDMurray wrote: »

So you first need to find out if your ISP will allow you to schedule a specific time to do pen testing on the IP address(es) they lease you.

Actually, there is no formal agreement of terms between myself and my ISP. I use public internet that is supplied by my complex (i know I am going to have stones hurled at me for admitting this is in the security certifications forums). I would purchase my own internet, but I'm hitting way faster speeds (more than double) with their free wireless than I ever did with my $90 "high-speed" Comcast.

afcyung

Why not build a lab to pen test instead of working on production servers?

JDMurray

You should still check with the providers of the Internet service. It's a utility and subject to usage restrictions by the provider. If you do something that gets the property owner in trouble with the ISP, they'll attempt to track you down via the DCHP IP address that's assigned to you by the wireless access point when you connect to their network. They can then blacklist you computer (via its MAC address), or just knock on your door and possibly yank your rental contract. Or you could do a bunch of pentesting over their free Internet anyway and take the chance that nobody will care or even notice. It's your choice.

GAngel

the_hutch wrote: »

Actually, there is no formal agreement of terms between myself and my ISP. I use public internet that is supplied by my complex (i know I am going to have stones hurled at me for admitting this is in the security certifications forums). I would purchase my own internet, but I'm hitting way faster speeds (more than double) with their free wireless than I ever did with my $90 "high-speed" Comcast.

Just because it's free does not mean there are no terms associated with it. There are always terms and conditions.
You can set up your own lab to do what you're asking though no need to go out to the internet.

docrice

It may be "your session," but it's also a session that involves someone else who did not authorize the interception. The general rule is to not practice such attacks against public resources over public wire. I guess the obvious exception would be recon work on public data sources which is indistinguishable from normal searches.

Websites usually have a terms of service. ISPs have similar provisions. To be sure, ask your lawyer, understanding that laws also vary from location to location. Otherwise, I'd practice in your own lab network. Also keep in mind you are not the owner on the complex's network and there's the potential that if your session hijacking could affect your neighbours in any way, that could get you into technical / legal hot water.

the_Grinch

Setup a VM with a web server and serve up a session. Might take a little longer, but at least then you will be in the clear (I'd also disable internet access while doing it, but that's just me).

the_hutch

Alright...the general consesus seems to be that this is a bad idea. And I was hesitant to begin with, hence the post, so I think I'll drop the idea and go with building a simulated virtual environment. My main reason for not doing this in the first place is that I've never installed/configured a certificate authority...or worked much with HTTPS on a web-server. But I guess I should look at this as something that I'm going to need to learn to do sooner or later anyways. So now is that time I suppose.