3. What is a session?
• A lasting connection between a user and a server, usually involving the exchange of many requests
[Diagram: client/server session flow. Client: 1. Request connection. Server: 2. Create session; 3. Session id (session data stored on the server). Client: 4. Session id passed. Server: 5. Validate session; 6. Retrieve session id; 7. Successful response.]
4. Session Hijacking
Session hijacking is the act of taking control of a user session after successfully obtaining an authenticated session ID.
Session hijacking is an attack that uses a captured session ID to take control of a legitimate user's web application session while that session is still in progress.
Session hijacking takes place at
5. TCP SESSION HIJACKING
A hacker takes control of a TCP session between two hosts.
The session can be hijacked after the hosts have authenticated successfully.
The authentication process TCP follows is the three-way handshake.
7. Categories of TCP Session Hijacking
Based on whether the attacker can anticipate sequence numbers, there are two types of TCP hijacking:
◦ Blind Hijacking
◦ Man-in-the-middle (MITM) attack
8. Man-in-the-middle (MITM)
A hacker can also be "inline" between B and C, using a sniffing program to watch the sequence numbers and acknowledgement numbers in the IP packets transmitted between B and C, and then hijack the connection. This is known as a "man-in-the-middle attack".
9. Continuous ACK transfer
Losing the ACK packet
Ending connection
Resynchronizing client and server
14. Methods of TCP session hijacking with packet blocking
Route Table Modification
The route table can be viewed with the netstat -nra command at a console prompt on Windows or Linux/Unix.
There are two entries in the Linux route table:
1. The route to all nodes within the LAN
2. The route to all addresses not on the LAN
18. Active connection section
The network addresses of computers connected to the host computer can be seen with netstat -F (or netstat -n) on a Linux box, and in the Active Connections section on a Windows box.
20. ARP (Address Resolution Protocol) attack
The ARP table on a computer stores IP addresses and their corresponding MAC addresses.
The ARP table can be viewed with the arp -a command at a console prompt.
23. Session hijacking tools
Hunt
• It performs sniffing and session hijacking
• The Hunt tool provides the following menu options:
1. Listing
2. Watching
3. Resetting connections
• It hijacks a session through an ARP attack
• It allows the hacker to synchronize the connection between host and server during session hijacking.
24. UDP Hijacking
UDP does not have error recovery features, which makes it more vulnerable to hijacking.
The victim is the local computer, not the server.
27. Storm watching
Refers to watching for abnormal increases in network traffic and alerting the security officer when they occur.
Two packets with the same header information but different sizes could be evidence of hijacking.
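The two storm-watching indicators on this slide (a sudden per-flow traffic spike, and two packets whose TCP header fields match but whose sizes differ) as a small detector run over constructed packet records. This is an added example, not code from the original slides; the packet records, addresses and thresholds are assumptions made up for the demonstration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float      # capture timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    size: int      # total packet length in bytes


def header_size_mismatches(pkts):
    """Pairs of packets with identical addresses, ports, seq and ack but
    different sizes: the 'same header, different size' indicator."""
    first, hits = {}, []
    for p in pkts:
        key = (p.src, p.dst, p.sport, p.dport, p.seq, p.ack)
        if key in first:
            if first[key].size != p.size:
                hits.append((first[key], p))
        else:
            first[key] = p
    return hits


def traffic_spikes(pkts, window=1.0, threshold=20):
    """Packets per flow per time window; returns the windows at or above
    threshold (an ACK storm shows up as one flow flooding a single window)."""
    counts = Counter()
    for p in pkts:
        flow = frozenset([(p.src, p.sport), (p.dst, p.dport)])
        counts[(flow, int(p.ts // window))] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def sample_capture():
    """Constructed records: a quiet SSH flow, then an ACK storm on a telnet flow."""
    pkts = [Pkt(0.1 * i, "10.0.0.5", "10.0.0.9", 40000, 22, 1000 + i, 5000 + i, 96)
            for i in range(5)]
    # storm: 30 bare ACKs within one second, all repeating the same seq/ack
    for i in range(30):
        pkts.append(Pkt(2.0 + i * 0.03, "10.0.0.7", "10.0.0.9", 40001, 23, 7000, 9000, 54))
    # same header fields as the storm packets, but a different length
    pkts.append(Pkt(2.95, "10.0.0.7", "10.0.0.9", 40001, 23, 7000, 9000, 82))
    return pkts
```

On the constructed capture, `traffic_spikes` reports one flooded window on the telnet flow and `header_size_mismatches` returns the single 54-byte/82-byte pair.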
28. SUMMARY
Hijacking is the process of taking over the authority of an authorized person and injecting oneself into the network as a legitimate user.
Hijacking can be done through TCP session hijacking, packet blocking, or UDP hijacking.
Hunt is a session hijacking tool.
The SSH and TLS protocols are used to prevent hijacking.
29. QUESTIONS
Explain how session hijacking is achieved.
Explain TCP session hijacking with packet blocking.
Explain the following terms:
i) Hunt ii) Storm watching