Full Report
OK, so it's a lot later than I promised, but I did mention that I would post some feedback on some of the talks I ended up catching at this year's BlackHat. By far the talk that grabbed the most press was the Erratasec talk on side-jacking. Essentially the researchers demonstrated a tool (Hamster) that allows an attacker on a shared network (Wi-Fi was used as an example, but I guess any shared medium would suffice) to hijack users' accounts by sniffing their session IDs.
Analysis Summary
# Tool/Technique: Hamster (Related to Side-Jacking)
## Overview
Hamster is a tool demonstrated to facilitate "Side-Jacking" attacks. Side-jacking is session hijacking on a shared network: the attacker passively captures the session identifier (typically a session cookie) that the victim's browser sends over unencrypted HTTP, then replays it in the attacker's own requests, so the server treats the attacker as the already-authenticated user. No password is captured and none is needed; the session token alone is sufficient for as long as the server keeps the session alive.
## Technical Details
- Type: Tool
- Platform: Not explicitly stated. The technique only requires a host on the same shared segment (e.g., Wi-Fi) with a network interface that can be put into promiscuous or monitor mode, so any operating system with a packet-capture stack suffices.
- Capabilities: Sniffing network traffic on a shared medium to capture session IDs, and subsequently using these IDs to impersonate users (session hijacking).
- First Seen: Associated with a BlackHat presentation in 2007.
## MITRE ATT&CK Mapping
The core activity is passive network sniffing to steal web session cookies, followed by reuse of those cookies as alternate authentication material. The attacker must already be on the shared segment, so the technique does not provide initial access.
- **TA0006 - Credential Access**
- **T1040 - Network Sniffing** (capturing session IDs from plaintext HTTP on the shared segment)
- **T1539 - Steal Web Session Cookie** (the session cookie is the credential taken)
- **TA0005 - Defense Evasion** / **TA0008 - Lateral Movement**
- **T1550.004 - Use Alternate Authentication Material: Web Session Cookie** (replaying the captured cookie to impersonate the user without a password)
## Functionality
### Core Capabilities
- Sniffing network traffic on a shared medium (e.g., Wi-Fi).
- Capturing user session identifiers transmitted over unencrypted protocols (HTTP).
- Utilizing captured session IDs to impersonate users whose sessions were hijacked (Side-Jacking).
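The capture-and-replay loop behind the three capabilities above, as an added illustration; this is not Hamster's or Ferret's own code, and the captured requests are constructed here to stand in for plaintext HTTP seen on an open Wi-Fi segment (host names, paths and cookie values are made up):

```python
"""Added example: how a side-jacking tool recovers session cookies from
plaintext HTTP on a shared medium. Not the Hamster/Ferret source; the
captured traffic below is constructed for the example."""
import re
from collections import defaultdict

# Constructed sample of three plaintext HTTP requests as they might be
# captured on an open Wi-Fi segment (request line, headers, blank line).
CAPTURED_REQUESTS = [
    b"GET /mail/ HTTP/1.1\r\nHost: mail.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\nCookie: SID=abc123def456; PREF=lang=en\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: shop.example.net\r\n"
    b"Cookie: PHPSESSID=9f8e7d6c5b4a\r\nContent-Length: 0\r\n\r\n",
]

# One header per line: name, colon, optional whitespace, value up to end of line.
_HEADER_RE = re.compile(rb"^([A-Za-z0-9-]+):[ \t]*(.*?)\r?$", re.M)


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, headers) with lower-cased header names."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, path, _version = request_line.split(b" ", 2)
    headers = {}
    for name, value in _HEADER_RE.findall(header_block):
        headers[name.decode().lower()] = value.decode()
    return method.decode(), path.decode(), headers


def harvest_cookies(captures):
    """Return {host: {cookie_name: value}} for every captured request that carries a Cookie header.
    This is the sniffing half of side-jacking: no password is ever seen, only the session token."""
    jar = defaultdict(dict)
    for raw in captures:
        _method, _path, headers = parse_request(raw)
        host = headers.get("host")
        cookie = headers.get("cookie")
        if not host or not cookie:
            continue
        for pair in cookie.split(";"):
            name, _, value = pair.strip().partition("=")
            if name:
                jar[host][name] = value
    return dict(jar)


def build_replay(host, path, jar):
    """Build the raw request the attacker would send to impersonate the victim:
    same host, the victim's cookies, no credentials. Returned as bytes, not sent."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in jar[host].items())
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_header}\r\nConnection: close\r\n\r\n").encode()


if __name__ == "__main__":
    jar = harvest_cookies(CAPTURED_REQUESTS)
    for host, cookies in jar.items():
        print(host, cookies)
    print(build_replay("mail.example.com", "/mail/", jar).decode())
```

The second request has no Cookie header and is ignored; the other two yield a per-host cookie jar, and `build_replay` shows that the replay is an ordinary GET that the server cannot distinguish from the victim's own traffic. A real tool would do this against live packets (Ferret) and serve the jar to the attacker's browser (Hamster); the parsing logic is the same.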
### Advanced Features
The report describes no features beyond capture and replay; the attack depends entirely on the session cookie travelling in cleartext on a segment the attacker can listen to. The article also notes that the Ferret/Hamster combination discussed might itself be vulnerable to counter-attack if another party is running the same tool on the same network, since the attacker's own plaintext sessions are just as exposed.
## Indicators of Compromise
Since Hamster is a sniffing/session hijacking tool targeting *in-transit* data rather than malware installed on the victim, there are few host-based indicators:
- File Hashes: N/A (a hash of the tool binary is not provided in the report.)
- File Names: Hamster, Ferret (mentioned in the context of the talk).
- Registry Keys: N/A
- Network Indicators: session cookies carried in plaintext HTTP `Cookie` headers on a shared segment; on the server side, the same session ID presented from a second source IP or User-Agent shortly after the legitimate client, which is what a replayed cookie looks like to the application.
- Behavioral Indicators: a host on the local segment with its interface in promiscuous or monitor mode. The capture itself is passive and generates no traffic, so the sniffing is not visible on the wire; only the replayed requests are.
## Associated Threat Actors
The tool was demonstrated by Erratasec researchers at BlackHat. Side-jacking is a generic technique available to anyone on the same shared segment and is not attributed to any specific threat group in the article.
## Detection Methods
- Signature-based detection: the capture is passive, so there is nothing on the wire to sign; the replayed requests are syntactically legitimate HTTP, so signatures on the tool binary are the only option and are easily evaded.
- Behavioral detection: on the server, record the source IP and User-Agent that established each session and alert when the same session ID is presented from a different client fingerprint within the session lifetime. On the network, look for interfaces in promiscuous mode on the local segment.
- YARA rules: N/A
## Mitigation Strategies
- **Prevention measures:** Serve the entire authenticated session over **SSL/TLS (HTTPS)**, not just the login page, for any site that manages user sessions (e.g., GMail, mentioned in the text). Set the `Secure` attribute on session cookies; without it, the browser attaches the cookie to any `http://` request for the same domain (a link, an embedded image, a typed URL), which is exactly how a session logged in over HTTPS still leaks. `HttpOnly` keeps the cookie away from script but does nothing against sniffing.
- **Hardening recommendations:** Avoid untrusted or unencrypted public/shared Wi-Fi networks for sensitive transactions, or tunnel all traffic through a VPN so the local segment sees only encrypted packets. Server operators can additionally bind sessions to the client that created them and invalidate a session when it is used from a different client.
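The behavioral detection and the `Secure`-flag mitigation above, as one added example (not code from the original page or from Hamster). It runs over a constructed access log whose field layout, `timestamp ip user-agent SID=... method path`, is an assumption made for the example, and checks constructed `Set-Cookie` headers:

```python
"""Added example, not from the original page: two server-side checks against
side-jacking.
  1. find_shared_sessions(): the same session ID presented from a second client
     fingerprint (source IP + User-Agent) shortly after the legitimate one, which
     is what a replayed cookie looks like to the application.
  2. audit_set_cookie(): flag session cookies issued without the Secure attribute,
     the attribute that stops the browser ever sending the cookie over plaintext HTTP.
The log layout below is assumed; the data is constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed access log. User-Agent is written without spaces to keep the
# constructed format simple: timestamp ip user-agent SID=<id> method path
SAMPLE_LOG = """\
2007-08-05T12:00:01Z 10.0.0.5 Mozilla/5.0(X11) SID=abc123def456 GET /mail/
2007-08-05T12:00:09Z 10.0.0.5 Mozilla/5.0(X11) SID=abc123def456 GET /mail/inbox
2007-08-05T12:00:41Z 10.0.0.77 Mozilla/4.0(Windows) SID=abc123def456 GET /mail/inbox
2007-08-05T12:01:03Z 10.0.0.9 Mozilla/5.0(X11) SID=zzz999 GET /mail/
2007-08-05T14:30:00Z 10.0.0.9 Mozilla/5.0(X11) SID=zzz999 GET /mail/
"""


def parse_log(text):
    """Yield (timestamp, ip, user_agent, session_id) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split(" ", 5)
        if len(parts) < 5 or not parts[3].startswith("SID="):
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2], parts[3][len("SID="):]


def find_shared_sessions(text, window_seconds=1800):
    """Return {session_id: sorted [(ip, user_agent), ...]} for every session that was
    presented by two different client fingerprints within window_seconds of each other.
    A legitimate roaming user can trip this too, so treat it as an alert, not proof."""
    events = defaultdict(list)
    for ts, ip, ua, sid in parse_log(text):
        events[sid].append((ts, ip, ua))
    flagged = {}
    for sid, hits in events.items():
        hits.sort()  # chronological; tuples sort on timestamp first
        for prev, cur in zip(hits, hits[1:]):
            same_client = (prev[1], prev[2]) == (cur[1], cur[2])
            if not same_client and (cur[0] - prev[0]).total_seconds() <= window_seconds:
                flagged[sid] = sorted({(h[1], h[2]) for h in hits})
                break
    return flagged


def audit_set_cookie(header_value):
    """Return the hardening attributes missing from one Set-Cookie header value.
    'secure' is the one that matters for side-jacking: without it the browser attaches
    the cookie to any http:// request for the domain even if login happened over HTTPS."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in header_value.split(";")[1:]}
    return [flag for flag in ("secure", "httponly") if flag not in attrs]


if __name__ == "__main__":
    for sid, clients in find_shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} used from {len(clients)} clients: {clients}")
    for hdr in ("SID=abc123def456; Path=/; Domain=.example.com",
                "SID=abc123def456; Path=/; Secure; HttpOnly"):
        print(hdr, "-> missing:", audit_set_cookie(hdr) or "nothing")
```

In the sample, `abc123def456` is first seen from `10.0.0.5` and 32 seconds later from `10.0.0.77` with a different browser, which is flagged; `zzz999` is reused by the same client and is not. The cookie audit reports the first `Set-Cookie` as missing both `Secure` and `HttpOnly` and passes the second. The window and the fingerprint (IP plus User-Agent) are tunables; a NAT gateway or a mobile user changing networks will produce false positives, so the check is a signal to pair with re-authentication rather than an automatic ban.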
## Related Tools/Techniques
- Ferret (the packet-capture companion to Hamster, mentioned alongside it by the presenter).
- Session Hijacking (General technique).
- Packet Sniffing (Enabling technique).