© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2021
A. SheikhCertified Ethical Hacker (CEH) Preparation Guidehttps://doi.org/10.1007/978-1-4842-7258-9_8

8. Session Hijacking

Ahmed Sheikh1  
Miami, FL, USA

In this chapter, you will learn about session hijacking, including the steps involved, the different types, and the countermeasures that can be used to protect against this type of attack.

By the end of this chapter, you will be able to
  1. 1.

    Identify the proper order of steps used to conduct a session hijacking attack.

  2. 2.

    Recognize different types of session hijacking.

  3. 3.

    Identify TCP/IP hijacking.

  4. 4.

    Describe countermeasures to protect against session hijacking.


Session Hijacking

Session hijacking happens when a user’s valid computer session between two computers is taken over by an attacker. In this lesson, you will learn how an attacker can steal a valid session ID and use it to get into the system and extract data. To begin, it is important to first review the transmission control protocol (TCP) stack to establish a solid base of understanding before taking a closer look at the details of session hijacking.

The TCP Stack

The header ensures the reliability of the data transported. The network layer allows the datagram to proceed from the source to the destination one hop at a time. The data link layer communicates with the physical hardware and is responsible for the delivery of signals from the source to the destination. See Figure 8-1.
Figure 8-1

TCP stack

Three-Way Handshake

To establish a connection between two parties using TCP, a three-way handshake is used. The attacker tries to disrupt the three-way handshake. An attacker can send packets, which are manipulated if the TCP sequence is easy to predict. Attackers can also gain access to unauthorized information. Sequence numbers are random, but over time, random numbers will repeat because the randomness is based on an internal algorithm within the operating system.

TCP segments provide an initial sequence number (ISN) as a part of every segment header. Each participant states the ISN in the handshake process and then the numbers from that stage are sequential. See Figure 8-2.
Figure 8-2

Three-way handshake

Steps in Session Hijacking

There are three significant steps involved with session hijacking. Review each step for details.
  1. 1.

    Track the connection: The attacker uses a network sniffer to target a victim with a TCP sequence that is easy to predict. Sequence and acknowledgement numbers are captured by the attacker and these numbers are used to build packets.

  2. 2.

    Desynchronize the connection: The attacker alters the server’s sequence number to desynchronize the connection between the host and the target. To accomplish this, the attacker sends null data to the server in order to advance the server’s SEQ/ACK number (the target machines do not have the same increment) which desynchronizes the server and target. The target is unaware of the attack.

  3. 3.

    Inject the attacker’s packet: Once the connection between the server and the target has been interrupted, the attacker is able to inject data into the network or engage in a man-in-the-middle attack.


Types of Session Hijacking

For an active attack to succeed, the attacker must guess the sequence number before the target responds to the server. Operating system vendors use random values for the initial sequence number, making the sequence numbers harder to predict. Active attacks take over existing sessions, break down the connection, and actively participate. Passive attacks monitor an ongoing session and use sniffers.

Network-Layer Hijacking

Network-layer hijacking includes intercepting packets while transmission takes place in a TCP/UDP session between the client and the server. In order to attack application layer sessions, the attacker has the essential information required.

The following is a list of network-layer hijacking methods:
  • TCP/IP hijacking uses spoofed packets to take over a connection. The attacker must be on the same network as the victim.

  • Man-in-the-middle uses packet sniffers to intercept communication between the client and server. It also redirects traffic between the client and host through the attacker.

  • IP spoofing attackers create packets to insert into the TCP session, which are used to gain unauthorized access by using a trusted host’s IP address.

  • Blind hijacking occurs when the attacker predicts the sequence numbers that a victim sends and the connection appears to originate from the host.

  • RST hijacking occurs when the attacker resets the target computer and a newly established session is rerouted through the attacker.

  • UDP hijacking does not use packet sequencing. The attacker sends a forged server reply to the client before the server responds.

Application-Layer Hijacking

An attacker takes control of an existing session by accessing the session IDs. You can find session IDs embedded in the URL.

In an HTML injection, an attacker injects malicious HTML code which is executed by the client. Session data is returned to the hijacker. Cross-site scripting authenticates user inputs by exploiting the web application.

Types of application-layer hijacking:
  • Sniffing is attacking by redirecting traffic through hosts when the HTTP traffic is unencrypted. Unencrypted data carries session IDs, usernames, and passwords.

  • Brute force attacking is simply trying multiple possibilities until a session ID works.

  • Misdirected trust uses HTML interjection and cross-site scripting.

Additional attacks include embedding code in the URL, a form, or in cookies.


The specification of the TCP protocol has been changed to make prediction of sequence numbers much difficult. There are 4.3 billion potential values possible for an ISN with a 32-bit field. A network administrator may use different best practices to defend against the session hijacking. They can limit incoming connections, use encryption, minimize remote access, use a secure protocol, educate users, and use circuit-level gateway firewalls as part of the Internet Protocol security (IPSec).

Browser Exploit

For different browsers on the marketplace, including Internet Explorer, Mozilla Firefox, Google Chrome, and Safari, Metasploit has exploits. Brower exploits, however, only work when a particular version of the operating system is used.

The information about the exploit is displayed by entering the appropriate command. You can also view the exploit’s options. See Figures 8-3 and 8-4.
Figure 8-3

Exploit info

Figure 8-4

Exploit options

Configured Settings

After using the proper commands to set the SRVHOST, SRVPORT, the payload, the local host, and URIPATH, you can view all of your settings with the show options command . The exploit command will start the listener for remote connections. No exploit will happen until a machine connects to the machine or port 80. See Figures 8-5 and 8-6.
Figure 8-5

Configuration settings

Figure 8-6

Configured settings

Spear Phish Attack

A skilled hacker can create a spear phish attack email. They can look very believable via tactics like HTML formatting, logos, and signature blocks. You can reveal the real IP address or DNS name of the link by hovering over a link. User education is key. See Figures 8-7 and 8-8.
Figure 8-7

Fake web link

Figure 8-8

Exploit successful

Exploiting the Victim Machine

The Windows LM (LAN Manager) and New Technology LAN Manager (NTLM) hashes can also be dumped from the system (Figure 8-9). Upon dumping, it is possible to use a method like John the Ripper or Cain to break password hashes. The attacker can carry out such activities as privilege escalation, dumping hashes, and also killing processes and capturing a screenshot utilizing Meterpreter. Metasploit must be used and evaluated on machines operating in isolated lab environments. It’s not meant to be used in the wild.
Figure 8-9

Exploiting the victim machine


In this chapter, you learned about key factors involving session hijacking and how to recognize the steps used to conduct an attack. You reviewed several countermeasures that can help to protect against this type of an attack.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.