Session hijacking at the network level is a hijacking method that exploits a TCP/IP connection after initialization or authentication has taken place. Techniques in this category include TCP/IP hijacking, man-in-the-middle attacks and UDP session hijacking.
TCP/IP session hijacking
This attack targets a TCP session that has already been established, so the initial sequence numbers have been exchanged between the two participants of the connection. The attacker attempts to predict (or, when able to sniff the session, simply read) the sequence numbers of the segments flowing from the victim's host to the resource the victim is connected to. When the attack succeeds, the attacker can inject segments that are in sequence and are accepted as valid by the host serving the resource.
The attack begins with the attacker sniffing traffic between the victim and the server offering the resource or service. From the captured traffic the attacker learns the current sequence and acknowledgement numbers of the session; blind prediction without sniffing is much harder against modern stacks, which randomize initial sequence numbers. The attacker then injects custom packets that carry the victim's IP address as spoofed source and a sequence number advanced appropriately from the captured segments (by the number of payload bytes the victim has already sent). This assumes the identity of the victim and thereby hijacks the already authenticated session. The server accepts the packets as valid traffic because both the source IP and the sequence number are correct.
Sometimes an attempt to desynchronize the connection or to perform a denial-of-service attack on the victim increases the chance of success: once the attacker's segments have been accepted, the victim's own segments are out of sequence, and the resulting flurry of acknowledgements from both ends (an ACK storm) can disrupt the hijack or make it visible. Another possibility is to send a RST packet to the client with the spoofed source address of the server, to prevent the victim from communicating with the server at all. In a passive hijack the victim's connection is not necessarily severed.
Man-in-the-Middle
This attack is one of the best-known attacks in the session hijacking category. As the name implies, it places the attacker between a victim and the host the victim is communicating with, such as a server or the victim's default gateway, using a technique such as ARP poisoning. This lets the attacker passively monitor traffic or inject malicious packets towards either the victim or the server.
The attacker first passively captures traffic between the victim and the server to collect the information needed for the attack: the IP addresses and the MAC addresses (also referred to as burned-in addresses, BIA) of both hosts. The attacker then performs ARP poisoning by sending unsolicited (gratuitous) ARP replies that bind the gateway's or server's IP address to the attacker's MAC address in the victim's ARP cache, and the victim's IP address to the attacker's MAC address in the other host's cache. Both sides' traffic now arrives at the attacker's machine, which forwards it to the original destination so the session keeps working.
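The ARP poisoning step above, as an added example in Python that is not part of the original article: it builds the pair of unsolicited ARP replies that rebind the gateway's and the victim's IP addresses to the attacker's MAC, and, for the defender, shows the arpwatch-style check that flags an IP address whose MAC binding suddenly changes. The addresses and the baseline table are constructed for the example; frames are only assembled, not sent.

```python
import struct

# Constructed addresses for the example (hypothetical, not from any real network).
VICTIM = ("10.0.0.5", "aa:aa:aa:aa:aa:05")
GATEWAY = ("10.0.0.1", "aa:aa:aa:aa:aa:01")
ATTACKER = ("10.0.0.66", "de:ad:be:ef:00:66")

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"  # htype ptype hlen plen op sha spa tha tpa


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_ip, sender_mac, target_ip, target_mac):
    """Ethernet frame carrying the unsolicited ARP reply 'sender_ip is-at sender_mac',
    unicast to the target so only its cache is updated."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def poison_pair(victim, gateway, attacker):
    """The two spoofed replies that put the attacker in the middle: the victim is
    told the gateway's IP lives at the attacker's MAC, and the gateway is told the
    victim's IP does. Attack tools re-send these periodically so that genuine
    replies do not win the cache back."""
    to_victim = build_arp_reply(gateway[0], attacker[1], victim[0], victim[1])
    to_gateway = build_arp_reply(victim[0], attacker[1], gateway[0], gateway[1])
    return to_victim, to_gateway


def parse_arp(frame):
    """Decode an Ethernet/ARP frame; None for anything that is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa), "eth_src": mac_str(frame[6:12])}


def detect_poisoning(frames, known=None):
    """arpwatch-style check: flag any reply that rebinds an IP already seen at a
    different MAC. Returns (alerts, table); each alert is (ip, old_mac, new_mac)."""
    table = dict(known or {})
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            continue
        old = table.get(arp["spa"])
        if old is not None and old != arp["sha"]:
            alerts.append((arp["spa"], old, arp["sha"]))
        table[arp["spa"]] = arp["sha"]
    return alerts, table


# Constructed baseline the monitor learned before the attack.
BASELINE = {VICTIM[0]: VICTIM[1], GATEWAY[0]: GATEWAY[1]}

if __name__ == "__main__":
    alerts, _ = detect_poisoning(poison_pair(VICTIM, GATEWAY, ATTACKER), BASELINE)
    for ip, old, new in alerts:
        print("ARP rebind: %s moved from %s to %s" % (ip, old, new))
```

The detection side is deliberately simple: a static baseline of IP-to-MAC bindings and an alert on any change. On switched networks the same idea is enforced by the switch itself (Dynamic ARP Inspection against the DHCP snooping table), which also stops the attacker's frames rather than only reporting them.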
UDP Session Hijacking
As UDP is a connectionless protocol, this kind of attack is far simpler than TCP connection hijacking. UDP does not use sequence numbers, since UDP datagrams do not have to arrive at the destination in order, and a UDP exchange does not establish a verifiable connection between the client and the server: the source address of a datagram is the only thing tying it to the server, and that is trivially spoofed.
The aim of a UDP hijack is to fool the victim into thinking the attacker's machine is the server. The attacker attempts to get a response packet back to the client before the server does, thereby assuming the role of the server. Different techniques can be used to intercept or delay the legitimate server's traffic before it responds to the victim, but the end goal is the same.
In general, session hijacking relies on many prerequisites to work properly. Sniffing traffic from a network outside the attacker's broadcast domain increases the complexity considerably. A disgruntled employee with access to the local network is therefore in a much better position to perform this kind of attack than an external party. Encrypting and authenticating the session end to end (for example with TLS or SSH) does not stop the transport-level hijack itself, but it leaves the attacker unable to read or inject meaningful application data.
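The race described above, as an added example in Python that is not part of the original article: a simulated client receives two datagrams that both claim the server's address, the attacker's forged reply arriving first. Three acceptance policies are compared: the weak one the passage describes (trust the claimed source address), a random transaction ID (which only defeats a blind, off-path attacker, since an attacker who sniffs the request sees the ID), and an HMAC under a key the attacker does not have. The service, the pre-shared key and the wire format are constructed for the example; no sockets are used, the arrival order is simply given as a list.

```python
import hashlib
import hmac
from collections import namedtuple

# A datagram as the client's socket delivers it: claimed source address plus payload.
# UDP source addresses are unauthenticated, so the attacker fills in the server's.
Datagram = namedtuple("Datagram", "src_ip src_port payload")

SERVER = ("10.0.0.10", 5300)                     # hypothetical service the victim queries
SHARED_KEY = b"example-psk-not-for-real-use"     # constructed; known to client and server only
MAC_LEN = 32                                     # HMAC-SHA256 tag length


def encode_reply(txid, body, mac=b"\x00" * MAC_LEN):
    """Wire format used by every reply here: txid(2) | body | mac(32).
    Weak clients simply ignore the trailing tag; forged replies carry zeros there."""
    return txid.to_bytes(2, "big") + body + mac


def decode_reply(payload):
    return int.from_bytes(payload[:2], "big"), payload[2:-MAC_LEN], payload[-MAC_LEN:]


def sign_reply(key, txid, body):
    """What the genuine server sends: the tag binds the reply to the client's txid."""
    mac = hmac.new(key, txid.to_bytes(2, "big") + body, hashlib.sha256).digest()
    return encode_reply(txid, body, mac)


def accept_by_address(datagrams):
    """Vulnerable policy: the first datagram claiming the server's address wins."""
    for d in datagrams:
        if (d.src_ip, d.src_port) == SERVER:
            return decode_reply(d.payload)[1]
    return None


def accept_by_txid(txid, datagrams):
    """Random transaction ID: stops blind (off-path) spoofing, not an on-path sniffer."""
    for d in datagrams:
        if (d.src_ip, d.src_port) != SERVER:
            continue
        got, body, _ = decode_reply(d.payload)
        if got == txid:
            return body
    return None


def accept_authenticated(key, txid, datagrams):
    """HMAC under a key the attacker lacks: the forged reply is dropped even if it
    arrives first and carries the right txid; the genuine one behind it is accepted."""
    for d in datagrams:
        if (d.src_ip, d.src_port) != SERVER:
            continue
        got, body, mac = decode_reply(d.payload)
        expected = hmac.new(key, got.to_bytes(2, "big") + body, hashlib.sha256).digest()
        if got == txid and hmac.compare_digest(mac, expected):
            return body
    return None


def race(txid, attacker_on_path):
    """Arrival order as the attacker arranges it: forged reply first, genuine second.
    An on-path attacker has sniffed the request and knows txid; a blind one guesses."""
    forged_txid = txid if attacker_on_path else (txid ^ 0x5A5A) & 0xFFFF
    forged = Datagram(*SERVER, encode_reply(forged_txid, b"ATTACKER"))
    genuine = Datagram(*SERVER, sign_reply(SHARED_KEY, txid, b"GENUINE"))
    return [forged, genuine]


if __name__ == "__main__":
    txid = 0x1234
    for on_path in (False, True):
        dgrams = race(txid, on_path)
        print("on-path" if on_path else "blind",
              accept_by_address(dgrams),
              accept_by_txid(txid, dgrams),
              accept_authenticated(SHARED_KEY, txid, dgrams))
```

The HMAC policy is the same idea DTLS or application-layer signatures (DNSSEC for DNS) rely on: since nothing in UDP itself orders or authenticates datagrams, winning the race must be made useless rather than prevented.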