Session Hi-jack Testing

So I've been doing a lot of different security testing exercises and was wanting to get in some better session hijacking practice than the very stripped down labs that we used in my CEH course. I was wondering if it is illegal to perform a session hi-jacking attack against your own session with a third party. My immediate thoughts were, "it's my session that I'm hi-jacking so...no harm, no foul." But it's obviously a grey area, just given the fact that there is a third party involved. So just curious if anyone knows if this actually is illegal. Thanks.
Justin Hutchens
www.linkedin.com/in/justinhutchens
http://www.youtube.com/drstarskymrhutch - BackTrack / Kali-Linux Tutorials - CHECK EM OUT AND SUBSCRIBE!!! :thumbup:

Comments

  • JDMurray | Certification Invigilator | Surf City, USA | Posts: 11,476 | Admin
    Before you consider "illegal," consider the user agreement you signed with the organization that supplies you your Internet service. You do anything that contradicts that agreement you signed and you could permanently lose your service through that provider. So you first need to find out if your ISP will allow you to schedule a specific time to do pen testing on the IP address(es) they lease you.
  • the_hutch | Posts: 827 | Banned
    JDMurray wrote: »
    So you first need to find out if your ISP will allow you to schedule a specific time to do pen testing on the IP address(es) they lease you.

    Actually, there is no formal agreement of terms between myself and my ISP. I use public internet that is supplied by my complex (I know I am going to have stones hurled at me for admitting this in the security certifications forums). I would purchase my own internet, but I'm hitting way faster speeds (more than double) with their free wireless than I ever did with my $90 "high-speed" Comcast.
  • afcyung | Posts: 212 | Member
    Why not build a lab to pen test instead of working on production servers?
  • JDMurray | Certification Invigilator | Surf City, USA | Posts: 11,476 | Admin
    You should still check with the providers of the Internet service. It's a utility and subject to usage restrictions by the provider. If you do something that gets the property owner in trouble with the ISP, they'll attempt to track you down via the DHCP IP address that's assigned to you by the wireless access point when you connect to their network. They can then blacklist your computer (via its MAC address), or just knock on your door and possibly yank your rental contract. Or you could do a bunch of pentesting over their free Internet anyway and take the chance that nobody will care or even notice. It's your choice.
  • GAngel | Posts: 708 | Member
    the_hutch wrote: »
    Actually, there is no formal agreement of terms between myself and my ISP. I use public internet that is supplied by my complex (I know I am going to have stones hurled at me for admitting this in the security certifications forums). I would purchase my own internet, but I'm hitting way faster speeds (more than double) with their free wireless than I ever did with my $90 "high-speed" Comcast.

    Just because it's free does not mean there are no terms associated with it. There are always terms and conditions.
    You can set up your own lab to do what you're asking, though; no need to go out to the internet.
  • docrice | Posts: 1,706 | Member
    It may be "your session," but it's also a session that involves someone else who did not authorize the interception. The general rule is to not practice such attacks against public resources over public wire. I guess the obvious exception would be recon work on public data sources which is indistinguishable from normal searches.

    Websites usually have a terms of service. ISPs have similar provisions. To be sure, ask your lawyer, understanding that laws also vary from location to location. Otherwise, I'd practice in your own lab network. Also keep in mind you are not the owner on the complex's network and there's the potential that if your session hijacking could affect your neighbours in any way, that could get you into technical / legal hot water.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • the_Grinch | Posts: 4,161 | Member
    Set up a VM with a web server and serve up a session. Might take a little longer, but at least then you will be in the clear (I'd also disable internet access while doing it, but that's just me).
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • the_hutch | Posts: 827 | Banned
    Alright...the general consensus seems to be that this is a bad idea. And I was hesitant to begin with, hence the post, so I think I'll drop the idea and go with building a simulated virtual environment. My main reason for not doing this in the first place is that I've never installed/configured a certificate authority...or worked much with HTTPS on a web-server. But I guess I should look at this as something that I'm going to need to learn to do sooner or later anyways. So now is that time I suppose.