Session Hijacking By Rahul Tyagi Ethical Hacker from Punjab TCIL-IT Certified Ethical Hacker
Published in: Technology

1 Comment
No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. TCIL-IT Certified Ethical Hacker Module: Session Hijacking
  • 2. Topics: Session Hijacking; Difference Between Spoofing & Hijacking; Types of Session Hijacking; Session Hijacking Tools; Session Hijacking With Firesheep; Preventions to Session Hijacking; Conclusion
  • 3. Session Hijacking: Session hijacking is when an attacker gets access to the session state of a particular user. The attacker steals a valid session ID, which is then used to get into the system and retrieve the data.
  • 4. Spoofing & Hijacking: In spoofing, an attacker does not actively take another user offline to perform the attack. He mainly pretends to be another user or machine to gain access. It's done through Cain & Abel.
  • 5. Spoofing & Hijacking: Hijacking is done only after the victim has connected to the server. With hijacking, an attacker takes over an existing session, which means he relies on the legitimate user to make a connection and authenticate. At last the attacker takes over the session.
  • 6. Steps in Session Hijacking: 1. First you should be able to sniff the network. 2. Monitor the flow of packets. 3. Predict the sequence number. 4. Kill the connection to the victim's machine. 5. Take over the session. 6. Start injecting packets to the target server.
  • 7. Types of Hijacking: Active: In an active attack, an attacker finds an active session and takes it over. Passive: With a passive attack, an attacker hijacks a session but sits back, watches, and records all the traffic that's being sent.
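The slides above describe a takeover in which the attacker replays a stolen session ID from his own machine. From the defender's side, the most useful observable is that one session ID is suddenly presented from a second client (different source address and browser). The following Python script is an added example, not part of the original deck: it scans a constructed access log whose format (timestamp, client IP, quoted User-Agent, method, path, `sid=` cookie value) is an assumption made for the example, and reports every session ID seen from more than one client fingerprint.

```python
import re
from collections import defaultdict

# Constructed sample access log (not a real capture). Each line: timestamp,
# client IP, quoted User-Agent, method, path, and the session id (sid=...) the
# client presented. This log layout is an assumption made for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 "Mozilla/5.0 (Windows NT 10.0)" GET /inbox sid=abc123
2024-05-01T10:00:07Z 10.0.0.5 "Mozilla/5.0 (Windows NT 10.0)" GET /mail/42 sid=abc123
2024-05-01T10:00:09Z 10.0.0.77 "Mozilla/5.0 (X11; Linux x86_64)" GET /inbox sid=abc123
2024-05-01T10:01:00Z 10.0.0.9 "Mozilla/5.0 (Macintosh)" GET /inbox sid=zzz999
2024-05-01T10:01:30Z 10.0.0.9 "Mozilla/5.0 (Macintosh)" POST /send sid=zzz999
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+) sid=(\S+)$')


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, ua, method, path, sid = m.groups()
    return {"ts": ts, "ip": ip, "ua": ua, "method": method, "path": path, "sid": sid}


def find_hijack_candidates(log_text):
    """Return {sid: [(ts, ip, ua), ...]} for every session id that was presented
    from more than one client fingerprint (source IP + User-Agent). Each distinct
    fingerprint is listed with the first timestamp at which it appeared."""
    first_seen = defaultdict(dict)  # sid -> {(ip, ua): first timestamp}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole scan
        fp = (rec["ip"], rec["ua"])
        first_seen[rec["sid"]].setdefault(fp, rec["ts"])
    return {
        sid: [(ts, ip, ua) for (ip, ua), ts in fps.items()]
        for sid, fps in first_seen.items()
        if len(fps) > 1
    }


def describe(candidates):
    """Render the findings as one report line per extra client fingerprint."""
    lines = []
    for sid, fps in sorted(candidates.items()):
        owner_ts, owner_ip, owner_ua = fps[0]
        for ts, ip, ua in fps[1:]:
            lines.append(
                f"session {sid}: first used from {owner_ip} ({owner_ua}) at {owner_ts}, "
                f"then from {ip} ({ua}) at {ts}"
            )
    return lines


if __name__ == "__main__":
    for line in describe(find_hijack_candidates(SAMPLE_LOG)):
        print(line)
```

Treat a hit as a signal to investigate or to re-authenticate the session, not as proof on its own: a user whose phone moves from Wi-Fi to a mobile network changes source address legitimately, and a corporate NAT can put many users behind one address. Binding the session to a fingerprint only at the point of a sensitive action (password change, payment) is the usual compromise.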
  • 8. Session Hijacking With Firesheep: Firesheep is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way. When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and, if so, replies back to you with a "cookie" which is used by your browser for all further requests.
  • 9. Session Hijacking With Firesheep: It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
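The sidejacking described in slides 8 and 9 works because the session cookie, once set, is attached by the browser to every request, including plain HTTP ones that anyone on the open network can read. The site controls this through attributes on its Set-Cookie header. The Python script below is an added example and is not code from the deck or from Firesheep: the two header values are constructed, and it audits a Set-Cookie value for the missing Secure, HttpOnly and SameSite attributes, then models the browser rule that a Secure cookie is only sent to https:// URLs.

```python
# Added example, not from the original deck. Header values are constructed.

WEAK_HEADER = "sessionid=abc123; Path=/"
HARDENED_HEADER = "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).
    Attribute names are lower-cased; flag attributes without a value map to True."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value):
    """Return a list of weaknesses found in a Set-Cookie header; empty means ok."""
    _, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        # This is the gap sidejacking exploits: the browser will attach the
        # cookie to plaintext http:// requests, where a sniffer can read it.
        findings.append("missing Secure: browser will send this cookie over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by scripts on the page")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append("SameSite missing or None: cookie is sent on cross-site requests")
    return findings


def browser_would_send(header_value, request_scheme):
    """Model the one browser rule that defeats sidejacking: a cookie carrying
    the Secure attribute is attached to https:// requests only."""
    _, _, attrs = parse_set_cookie(header_value)
    if attrs.get("secure") and request_scheme != "https":
        return False
    return True


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, "->", audit_set_cookie(header) or "no findings")
        print("  sent on http://?", browser_would_send(header, "http"))
```

Setting Secure on its own only works if the whole site is served over HTTPS (the deck's "encrypt everything else"): a page fetched over plain HTTP would then arrive without the session and look logged-out. Sending Strict-Transport-Security as well keeps the browser from making the plaintext request in the first place.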
  • 10. Session Hijacking With Firesheep: After installing the extension you'll see a new sidebar. Connect to any busy open wifi network and click the big "Start Capturing" button. Then wait.
  • 11. Session Hijacking With Firesheep: As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed.
  • 12. Session Hijacking With Firesheep: Double-click on someone, and you're instantly logged in as them.
  • 13. Conclusion: Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web.