10.1 Session Hijacking Concepts

What is Session Hijacking?

  • Session hijacking refers to an attack where an attacker takes over a valid TCP communication session between two computers.
  • Since most authentication only occurs at the start of a TCP session, this allows the attacker to gain access to a machine.
  • Attackers can sniff all the traffic from the established TCP sessions and perform identity theft, information theft, fraud, etc.
  • The attacker steals a valid session ID and uses it to authenticate himself to the server.

Why Is Session Hijacking Successful?

  • No account lockout for invalid session IDs.

    Brute-forcing session IDs

  • Weak session ID generation algorithm or small session IDs.

  • Insecure handling of session IDs.

    DNS poisoning, XSS, exploiting a bug in browser

  • Indefinite session expiration time.

    Session IDs that never expire

  • Most computers using TCP/IP are vulnerable.
  • Most countermeasures do not work unless you use encryption. (important)
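An added audit routine (not part of these notes) for the "weak session ID generation or small session IDs" point above: it flags IDs that share a fixed prefix and advance in small numeric steps, estimates how many bits actually vary, and contrasts them with IDs drawn from the OS CSPRNG. The VW… sample values are constructed in the shape of the guessing example on this page, and the function names are my own.

```python
import math
import re
import secrets

# Constructed sample of sequential-looking IDs shaped like the VW48266762824302
# example in these notes (the values below are made up for the demo).
OBSERVED_WEAK_IDS = [
    "VW48266762824302",
    "VW48266762826502",
    "VW48266762828902",
    "VW48266762831102",
]


def strong_session_id(nbytes: int = 32) -> str:
    """Return an unguessable session ID from the OS CSPRNG (256 bits by default)."""
    return secrets.token_urlsafe(nbytes)


def audit_session_ids(ids: list, max_step: int = 1_000_000) -> dict:
    """Heuristic predictability audit over session IDs sampled from one server.

    The set is flagged 'predictable' when every ID shares a fixed prefix and the
    remainder is a number that advances in small steps (enumerable from a single
    sample).  'effective_bits' estimates how much of the ID actually varies, which
    bounds the work of a brute-force attempt far better than the raw length does.
    """
    if len(ids) < 2:
        raise ValueError("need at least two IDs")
    prefix = ids[0]
    for s in ids[1:]:                       # longest common prefix of all IDs
        while not s.startswith(prefix):
            prefix = prefix[:-1]
    variable = [s[len(prefix):] for s in ids]
    distinct = max(1, len(set("".join(variable))))   # alphabet actually seen
    bits = len(variable[0]) * math.log2(distinct)
    report = {"shared_prefix": prefix, "effective_bits": round(bits, 1)}
    if all(v == "" for v in variable):      # every ID is identical: worst case
        return {**report, "predictable": True, "steps": []}
    if not all(re.fullmatch(r"\d+", v) for v in variable):
        return {**report, "predictable": False, "steps": []}   # random-looking
    tails = [int(v) for v in variable]
    steps = [b - a for a, b in zip(tails, tails[1:])]
    predictable = all(0 < d <= max_step for d in steps)   # monotonic, small hops
    return {**report, "predictable": predictable, "steps": steps}
```

Run it against IDs issued by your own application: a shared prefix with a short, stepping tail is the pattern that makes guessing and brute forcing feasible, and the fix is to issue IDs from `secrets` (or the framework's equivalent) rather than a counter or timestamp.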

Session Hijacking Process

  • Stealing: The attacker uses different techniques to steal session IDs.
    • Some of the techniques used to steal session IDs:
      1. Using the HTTP referrer header.
      2. Sniffing the network traffic.
      3. Using the cross-site-scripting attacks.
      4. Sending Trojans on client machines.
  • Guessing: The attacker tries to guess the session IDs by observing variable parts of the session IDs.
    • http://www.hacksite.com/view/VW48266762824302
    • http://www.hacksite.com/view/VW48266762826502
    • http://www.hacksite.com/view/VW48266762828902
  • Brute Forcing: The attacker attempts different IDs until he succeeds.
    • Using brute force attacks, an attacker tries to guess a session ID until he finds the correct session ID.
  • Stealing Session IDs:
    • Using a "referrer attack," an attacker tries to lure a user into clicking a link to a malicious site (say www.hacksite.com).

      Obtained via the Referer header: if the site allows the session ID to be passed in the URL, the session ID may be obtained from the Referer.

    • For example: GET /index.html HTTP/1.0 Host: www.hacksite.com Referer: www.webmail.com/viewmsg.asp?msgid=689645&SID=2556X54VA75

      If the site passes the session ID in the URL, then once the victim clicks the link, the session ID is sent along to the attacker.

    • The browser sends the referrer URL, which contains the user's session ID, to the attacker's site (www.hacksite.com), and now the attacker possesses the user's session ID.
  • Note: Session ID brute forcing attack is known as session prediction attack if the predicted range of values for a session ID is very small.
  • Command Injection: Start injecting packets to the target server.
  • Session ID prediction: Take over the session.
  • Session Desynchronization: Break the connection to the victim's machine.
  • Monitor: Monitor the flow of packets and predict the sequence number.
  • Sniff: Place yourself between the victim and the target (you must be able to sniff the network).
  • Session hijacking can be broken down into three broad phases:
    • Tracking the connection
    • Desynchronizing the connection
    • Injecting the attacker's packet
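To show the referrer leak described above from the leaking site's side, here is an added example (not from the original notes) that scans constructed Apache combined-format log lines of www.webmail.com for session IDs carried in request URLs or Referer headers, and strips such parameters from a URL. The parameter names in SESSION_PARAMS, the log lines and the function names are assumptions; only the SID value is taken from the page's example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names this (hypothetical) application uses to carry a session ID.
SESSION_PARAMS = {"sid", "sessionid", "jsessionid", "phpsessid"}

# Constructed Apache combined-format log lines for www.webmail.com; the SID
# value is the one quoted in the notes, everything else is made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /viewmsg.asp?msgid=689645&SID=2556X54VA75 HTTP/1.0" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /inbox HTTP/1.0" 200 2048 "http://www.webmail.com/viewmsg.asp?msgid=689645&SID=2556X54VA75" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:01:13 +0000] "GET /logo.png HTTP/1.0" 200 3100 "-" "Mozilla/5.0"
"""

# Pulls the request target and the Referer field out of a combined-format line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d+ \S+ "(?P<referer>[^"]*)"')


def session_params_in(url: str) -> list:
    """Names of session-carrying parameters found in the URL's query string."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SESSION_PARAMS]


def strip_session_params(url: str) -> str:
    """Return the URL with session parameters removed, e.g. before it is placed
    in a link that leaves the site (and would therefore travel in a Referer)."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SESSION_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def scan_access_log(log_text: str) -> list:
    """Flag entries where a session ID travelled inside a URL: either in the
    request target (it will leak to any third-party link clicked from that page)
    or already visible in a Referer header."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        for where in ("target", "referer"):
            leaked = session_params_in(m.group(where))
            if leaked:
                findings.append({"where": where, "url": m.group(where), "params": leaked})
    return findings
```

The root-cause fix is to carry the session ID in a cookie (HttpOnly, Secure) rather than in the URL; a `Referrer-Policy: no-referrer` response header additionally stops the browser from sending the page URL to other origins.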

Packet Analysis of a Local Session Hijack (?)

  • According to the diagram, the next expected sequence number would be 1420. If you can transmit a packet with that sequence number before the user does, you can desynchronize the connection between the user and the server.
  • Once the connection between the attacker and the server is established, even though the user sends data with the correct sequence number, the server drops it, treating it as a resent packet.

  • Note: Before the user can send the next data packet, the attacker predicts the next sequence number and sends data to the server. This results in a connection between the attacker and the server.
  • To conduct a session hijacking attack, the attacker performs three activities:
    • Tracks a session
    • Desynchronizes the session
    • Injects the attacker's commands in between
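An added model (not from the original notes) of the receiver-side rule behind the walkthrough above: a segment whose bytes all lie below the server's expected sequence number (rcv_nxt) is treated as a retransmission and dropped, so once another party has advanced rcv_nxt past 1420, the user's own segment at 1420 is discarded. The TcpReceiver class, the function names and the byte payloads are constructed for the demo; it is not a real TCP implementation.

```python
# Minimal model of the TCP receiver rule behind the walkthrough: data is
# accepted only at the expected sequence number (rcv_nxt); a segment lying
# entirely below rcv_nxt is treated as a retransmission and discarded.
# Constructed for this note: no window, ACK or reassembly logic.

class TcpReceiver:
    def __init__(self, rcv_nxt: int):
        self.rcv_nxt = rcv_nxt      # next byte the server expects from the peer
        self.delivered = b""        # bytes passed up to the application

    def receive(self, seq: int, payload: bytes) -> str:
        end = seq + len(payload)
        if end <= self.rcv_nxt:
            return "dropped-duplicate"        # all bytes already seen: "resent"
        if seq > self.rcv_nxt:
            return "queued-out-of-order"      # gap ahead; real stacks buffer it
        if seq < self.rcv_nxt:                # partial overlap: keep new bytes only
            payload = payload[self.rcv_nxt - seq:]
        self.delivered += payload
        self.rcv_nxt = end
        return "accepted"


def desync_scenario() -> dict:
    """Replay the walkthrough: the user's 20-byte segment at 1400 makes 1420 the
    next expected number, and whoever delivers a segment at 1420 first is the
    one the server believes; the user's own segment at 1420 then looks resent."""
    server = TcpReceiver(rcv_nxt=1400)
    events = [
        ("user", server.receive(1400, b"A" * 20)),       # rcv_nxt -> 1420
        ("attacker", server.receive(1420, b"B" * 10)),   # arrives first -> 1430
        ("user", server.receive(1420, b"C" * 10)),       # now a "duplicate"
    ]
    return {"events": events, "rcv_nxt": server.rcv_nxt, "delivered": server.delivered}
```

The model makes the notes' closing point concrete: sequence numbers alone never authenticate the sender, which is why only encryption with integrity protection (TLS, IPsec) is an effective countermeasure.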

Types of Session Hijacking (?)

  • Active Attack: In an active attack, an attacker finds an active session and takes over.
  • Passive Attack: In a passive attack, an attacker hijacks a session but sits back, watching and recording all the traffic being sent back and forth.

The essential difference between an active and passive hijacking is that while an active attack takes over an existing session, a passive hijack monitors an ongoing session.

Session Hijacking in OSI Model

  • Network Level Hijacking: Network level hijacking can be defined as the interception of packets during transmission between the client and the server in a TCP or UDP session.
  • Application Level Hijacking: Application level hijacking is about gaining control over an HTTP user session by obtaining the session ID.

Spoofing vs. Hijacking

  • Spoofing Attack:
    • Attacker pretends to be another user or machine (victim) to gain access.
    • Attacker does not take over an existing active session. Instead he initiates a new session using the victim's stolen credentials.
  • Hijacking:
    • Session hijacking is the process of taking over an existing active session.
    • Attacker relies on the legitimate user to make a connection and authenticate.
  • Blind hijacking:
    • An attacker injects data, such as malicious commands, into intercepted communications between two hosts, e.g. a command like "net.exe localgroup administrators /add EvilAttacker".
    • This is called blind hijacking because the attacker can only inject data into the communications stream; he or she cannot see the response to that data (such as "The command completed successfully.").
    • Essentially, the blind hijack attacker is shooting data in the dark, but as you will see shortly, this method of hijacking is still very effective.
  • Initial Sequence Number (ISN)
