Page 1: Session hijacking

SESSION HIJACKING

PRESENTED BY: MISS. GAYATRI V. KAPSE

Page 2: Session hijacking

Contents:
1. Introduction to session hijacking
2. TCP session hijacking
3. TCP session hijacking with packet blocking
4. Session hijacking tools
5. UDP hijacking
6. Prevention

Page 3: Session hijacking

What is a session?
• A lasting connection between a user and a server, usually involving the exchange of many requests.

How a session is set up and used (figure: CLIENT, SERVER, SESSION DATA):
1. Request connection (client to server)
2. Create session (server stores the session data)
3. Session id (returned to the client)
4. Session id passed (by the client with each later request)
5. Validate session id
6. Retrieve the session data for that id
7. Successful response

The session id is the only thing the server checks on later requests, so whoever presents a valid id is treated as the user who created the session.

Page 4: Session hijacking

Session hijacking
Session hijacking is the act of taking control of a user session after obtaining (by capture or by guessing) an authenticated session id.

Session hijacking involves using a captured session id to take control of a legitimate user's web application session while that session is still in progress.

Session hijacking takes place at the transport layer (TCP sessions) or at the application layer (web sessions) of the OSI model.
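An added Python example (not from the presentation) that models the seven-step flow above with two session-id generators: a sequential counter, which lets an attacker who holds one valid id guess its neighbours, and an id drawn from the operating system's random source. SessionStore, sequential_ids, random_ids and hijack_by_guessing are names chosen for this example; the user names are constructed.

```python
import itertools
import secrets


class SessionStore:
    """Minimal server-side session store following the deck's 7-step flow.

    The session id is the only credential presented on later requests: whoever
    holds it is treated as the logged-in user. That is the premise of session
    hijacking, so the id must be unguessable and rotated on privilege change.
    """

    def __init__(self, id_generator):
        self._new_id = id_generator
        self._sessions = {}  # session id -> session data

    def create(self, user):
        # Steps 2 and 3: create the session and hand back an id.
        sid = self._new_id()
        self._sessions[sid] = {"user": user}
        return sid

    def validate(self, sid):
        # Steps 5 and 6: look the id up; no other proof of identity is asked for.
        data = self._sessions.get(sid)
        return None if data is None else data["user"]

    def rotate(self, sid):
        # Issue a fresh id for an existing session (for example right after
        # login) so an id captured earlier stops being useful.
        data = self._sessions.pop(sid)
        new_sid = self._new_id()
        self._sessions[new_sid] = data
        return new_sid


def sequential_ids(start=1000):
    """Weak generator (deliberately): ids are a counter, so one valid id
    reveals the neighbouring ones."""
    counter = itertools.count(start)
    return lambda: str(next(counter))


def random_ids():
    """Strong generator: 128 bits from the OS CSPRNG, URL-safe for cookies."""
    return lambda: secrets.token_urlsafe(16)


def hijack_by_guessing(store, observed_sid, attempts=50):
    """Attacker model: holds one valid id (its own) and tries the next values.
    Returns the (id, user) pairs that the server accepted."""
    try:
        base = int(observed_sid)
    except ValueError:
        return []  # non-numeric ids give the attacker nothing to count from
    hits = []
    for delta in range(1, attempts + 1):
        guess = str(base + delta)
        user = store.validate(guess)
        if user is not None:
            hits.append((guess, user))
    return hits
```

With the counter generator the attacker's own id is enough to find the victim's session; with the random generator the guessing loop finds nothing, and rotate() shows why a server should re-issue the id once the user has authenticated.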

Page 5: Session hijacking

TCP SESSION HIJACKING
A hacker takes control of a TCP session between two hosts. The session can be hijacked after the hosts have authenticated successfully: whatever authentication took place over the connection is inherited by whoever controls it afterwards. TCP's own connection setup is the three-way handshake, which establishes the initial sequence numbers the hijacker must later predict or observe; it does not authenticate either end.

Page 6: Session hijacking

Three-way handshake (figure: SYN, SYN-ACK, ACK)

Page 7: Session hijacking

Categories of TCP Session Hijacking
Based on how the attacker obtains the sequence numbers, there are two types of TCP hijacking:
◦ Blind hijacking (the attacker cannot see the traffic and must predict the sequence numbers)
◦ Man-in-the-middle (MITM) attack (the attacker sniffs the traffic and reads the sequence numbers)

Page 8: Session hijacking

Man-in-the-middle (MITM)
A hacker can also be "inline" between B and C, using a sniffing program to watch the sequence numbers and acknowledgement numbers in the TCP segments exchanged between B and C, and then hijack the connection by injecting segments that carry exactly the numbers the other side expects next. This is known as a "man-in-the-middle attack".
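An added Python example (not from the presentation) of the arithmetic the inline attacker performs: read the last segment B sent, advance the sequence number past B's payload, keep B's acknowledgement number, and emit a segment with a valid TCP checksum so C accepts it. The addresses, ports and payloads are constructed for the example; next_numbers, forge_next_segment and checksum_ok are names chosen here.

```python
import socket
import struct

PSH_ACK = 0x18  # TCP flags PSH|ACK: what an interactive session's data segments carry


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over data (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_length: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_length)


def next_numbers(seq: int, ack: int, payload_len: int, syn: bool = False, fin: bool = False):
    """Sequence/ack pair the peer will accept next, given the last segment sniffed
    from the side being impersonated. Payload bytes, SYN and FIN each consume
    sequence space; the ack number stays at whatever that side last acknowledged."""
    consumed = payload_len + int(syn) + int(fin)
    return (seq + consumed) & 0xFFFFFFFF, ack


def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, flags=PSH_ACK, window=65535):
    """20-byte TCP header (no options) plus payload, with a valid checksum."""
    data_offset = 5 << 4  # header length in 32-bit words, stored in the high nibble
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, window, 0, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(header) + len(payload)) + header + payload)
    header = header[:16] + struct.pack("!H", csum) + header[18:]
    return header + payload


def parse_tcp_segment(segment: bytes) -> dict:
    """Decode the fields a sniffer needs from a raw TCP segment."""
    sport, dport, seq, ack, off, flags, window, csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    hlen = (off >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "checksum": csum, "payload": segment[hlen:]}


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver's check: summing the segment with its checksum field in place gives 0."""
    return internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def forge_next_segment(src_ip, dst_ip, sniffed: bytes, payload: bytes) -> bytes:
    """What the inline attacker does with a sniffed segment from B: reuse B's ports,
    advance the sequence number past B's payload, keep B's ack number, recompute
    the checksum. C cannot tell this segment from one B sent."""
    s = parse_tcp_segment(sniffed)
    syn, fin = bool(s["flags"] & 0x02), bool(s["flags"] & 0x01)
    seq, ack = next_numbers(s["seq"], s["ack"], len(s["payload"]), syn, fin)
    return build_tcp_segment(src_ip, dst_ip, s["sport"], s["dport"], seq, ack, payload)
```

Note that the checksum is not a defence: it is computed from public fields, so the attacker recomputes it. Only the sequence numbers stand between the attacker and acceptance, which is why the blind variant is hard and the sniffing variant is easy.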

Page 9: Session hijacking

What happens after the injection (the ACK storm):
• Continuous ACK transfer: the server acknowledges the injected data, the real client receives an ACK for bytes it never sent and answers with its own ACK, which the server in turn sees as out of sequence and acknowledges again, and so on.
• Losing the ACK packet: pure ACKs are never retransmitted, so the loop ends only when one of them is lost.
• Ending connection: the desynchronised connection may be reset or time out.
• Resynchronizing client and server: alternatively the attacker brings the two ends back to matching sequence numbers so the session continues.

Page 10: Session hijacking

ACK attack

Page 11: Session hijacking

ACK attack without DoS

Page 12: Session hijacking

ACK loop
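An added Python simulation (not from the presentation) of the ACK loop in slides 9 to 12. Endpoint is a deliberately minimal model of a TCP endpoint that keeps only its send and receive sequence numbers and applies two RFC 793 rules: a segment that acknowledges data never sent, or that does not start at the expected sequence number, is dropped and answered with a pure ACK; in-sequence data is accepted and acknowledged. The sequence numbers, payloads and function names (make_connection, inject, run_ack_storm) are constructed for the example.

```python
class Endpoint:
    """Minimal TCP endpoint model: tracks the next sequence number it will send
    (snd_nxt) and the next one it expects (rcv_nxt). Windows, timers and
    retransmission of data are omitted; they do not change the ACK loop."""

    def __init__(self, name, snd_nxt, rcv_nxt):
        self.name = name
        self.snd_nxt = snd_nxt
        self.rcv_nxt = rcv_nxt
        self.accepted = []        # payloads handed to the application
        self.pure_acks_sent = 0

    def _pure_ack(self):
        self.pure_acks_sent += 1
        return {"seq": self.snd_nxt, "ack": self.rcv_nxt, "payload": b""}

    def receive(self, seg):
        """Process one segment; return the segment sent in response, or None."""
        if seg["ack"] > self.snd_nxt:     # acknowledges data we never sent
            return self._pure_ack()       # RFC 793: drop it, send an ACK
        if seg["seq"] != self.rcv_nxt:    # old or out-of-order data
            return self._pure_ack()
        if not seg["payload"]:            # a pure ACK that lines up: nothing to say
            return None
        self.rcv_nxt += len(seg["payload"])
        self.accepted.append(seg["payload"])
        return self._pure_ack()           # acknowledge the new data


def make_connection():
    """Constructed state of an established session: the client's next byte is
    1000, the server's is 5000 (numbers chosen for the example)."""
    client = Endpoint("client", snd_nxt=1000, rcv_nxt=5000)
    server = Endpoint("server", snd_nxt=5000, rcv_nxt=1000)
    return client, server


def inject(server, client_seq, client_ack, payload):
    """Attacker sends the server a segment carrying the client's current numbers
    (read off the wire). Returns the server's ACK, which the network delivers to
    the real client because the source address was spoofed."""
    return server.receive({"seq": client_seq, "ack": client_ack, "payload": payload})


def run_ack_storm(client, server, first_ack, max_rounds=100, lose_after=None):
    """Bounce ACKs between the two desynchronised ends. Returns how many ACKs were
    delivered before the loop stopped: an end went quiet, an ACK was lost on the
    wire (pure ACKs are never retransmitted, so loss ends the storm), or
    max_rounds was reached (the storm is still running)."""
    seg, receiver, other = first_ack, client, server
    delivered = 0
    while seg is not None and delivered < max_rounds:
        if lose_after is not None and delivered == lose_after:
            return delivered
        delivered += 1
        seg = receiver.receive(seg)
        receiver, other = other, receiver
    return delivered
```

After the injection the server is three bytes ahead of the client; the client's next real command is refused with yet another ACK, so until the two ends are resynchronised the legitimate user is locked out while the attacker's data was accepted.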

Page 13: Session hijacking

TCP session hijacking with packet blocking

Page 14: Session hijacking

Methods of TCP session hijacking with packet blocking
Route Table Modification
The route table can be seen with the `netstat -nr` command at a console prompt on Windows or Linux/Unix (`route print` on Windows and `ip route` on current Linux show the same information).

A typical Linux route table has two entries:
1. The route to all nodes within the LAN (the directly connected network)
2. The default route, used for all addresses not on the LAN

An attacker who can change either entry on the victim (or on the router) makes the session's packets pass through the attacker's host, which can then block the original packets and substitute its own.

Page 15: Session hijacking

Linux route table

Page 16: Session hijacking

Sections of the route table output:
• The active routes
• The active connections

Page 17: Session hijacking

Route table in action

Page 18: Session hijacking

Active connection section
The network addresses of the computers currently connected to the host can be seen with `netstat -n` (numeric addresses, no name lookups; `netstat -tn` restricts it to TCP) on a Linux box, and in the "Active Connections" section of the `netstat -n` output on a Windows box. This is the list a hijacker consults to pick a session to take over.

Page 19: Session hijacking

Route table modification attack (figure): the attacker alters the routing entries on the victim or on an intermediate router (for example with forged ICMP redirect messages) so that the session's packets are routed through the attacker's host, which drops the original packets and injects its own.

Page 20: Session hijacking

ARP (Address Resolution Protocol) attack
The ARP table (cache) on a computer stores IP addresses and the corresponding MAC addresses.

The ARP table can be seen with the `arp -a` command at a console prompt.

ARP has no authentication: any host on the LAN can answer an ARP request, or send an unsolicited reply, claiming another host's IP address. The victim then sends the session's frames to the attacker's MAC address, which is how the attacker gets inline to sniff and block packets.

Page 21: Session hijacking

ARP request

Page 22: Session hijacking

Capturing the ARP broadcast response (figure):
• 192.168.0.102 broadcasts: Who has 192.168.0.78?
• The real host answers: 01:23:a1:b2:ff:09 has 192.168.0.78
• The attacker (HACK) also answers: 01:b5:44:8e:01:d7 has 192.168.0.78

Whichever reply the victim processes last typically overwrites its cache entry, so frames for 192.168.0.78 are delivered to the attacker's MAC address instead of the real host.
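An added Python example (not from the presentation) of the detection side of the diagram above: it parses raw Ethernet/ARP frames and flags the two signs of an ARP attack, a second reply that binds an already-seen IP to a different MAC, and a reply for an IP nobody asked about. The MAC and IP addresses of the real host and the attacker are the ones in the figure; the victim's MAC, the gateway address and the names build_arp_frame, parse_arp_frame and ArpWatch are constructed for the example. build_arp_frame exists only to fabricate sample traffic offline.

```python
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II + ARP (RFC 826) for IPv4 over Ethernet; used to construct samples."""
    dst = mac_bytes("ff:ff:ff:ff:ff:ff") if op == ARP_REQUEST else mac_bytes(target_mac)
    eth = dst + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp_frame(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


class ArpWatch:
    """Passive ARP monitor. Trusts the first reply seen for an IP (an assumption
    made for the example) and alerts when a later reply names a different MAC, or
    when a reply arrives for an IP no request was seen for."""

    def __init__(self):
        self.table = {}        # ip -> mac, first binding seen
        self.requested = set() # ips that some host asked about
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp_frame(frame)
        if arp is None:
            return None
        if arp["op"] == ARP_REQUEST:
            self.requested.add(arp["target_ip"])
            return None
        if arp["op"] != ARP_REPLY:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        alert = None
        if ip not in self.requested:
            alert = ("unsolicited-reply", ip, mac)
        elif ip in self.table and self.table[ip] != mac:
            alert = ("mac-changed", ip, self.table[ip], mac)
        elif ip not in self.table:
            self.table[ip] = mac
        if alert is not None:
            self.alerts.append(alert)
        return alert
```

The watcher cannot tell which of two conflicting replies is genuine; it only knows that the LAN now holds two claims for one address, which is exactly what an analyst needs to go and look. A production monitor would also age out bindings, since legitimate MAC changes (a replaced NIC, failover) happen.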

Page 23: Session hijacking

Session hijacking tools: Hunt
• It performs sniffing and session hijacking
• The Hunt tool provides the following menu options: 1. Listing 2. Watching 3. Resetting connections
• It hijacks a session through an ARP attack
• It allows the hacker to resynchronise the connection between host and server during session hijacking

Page 24: Session hijacking

UDP Hijacking
• UDP has no sequence numbers and no error-recovery features
• It is therefore more vulnerable to hijacking than TCP: the attacker only has to get a forged reply to the client before the real server's reply arrives
• The victim is the local computer (the client waiting for a reply), not the server

Page 25: Session hijacking

Prevention
• Encryption
• Storm watching

Page 26: Session hijacking

Encryption as provided by SSH and TLS: both protocols encrypt and integrity-protect every record with keys negotiated between the two ends, so data injected into the underlying TCP connection by a hijacker fails the integrity check and is rejected, and sniffed traffic yields no usable session content.

Page 27: Session hijacking

Storm watching
Refers to watching for abnormal increases in network traffic, such as the ACK storm produced by a desynchronised connection, and alerting the security officer when they occur.

Two packets with the same header information (addresses, ports, sequence and acknowledgement numbers) but different sizes could be evidence of hijacking: the legitimate sender and the hijacker both transmitted with the same sequence number.
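An added Python example (not from the presentation) implementing the two storm-watching checks just described over a constructed packet log: a per-flow count of pure ACKs in a sliding time window, and a lookup for data segments that repeat another segment's addresses, ports and sequence/ack numbers with a different length. The packet summaries returned by sample_capture are constructed, not a real capture, and detect_ack_storm, detect_conflicting_segments and the threshold of 50 ACKs per second are choices made for the example.

```python
from collections import defaultdict, deque

ACK, PSH_ACK = 0x10, 0x18


def packet(ts, src, dst, seq, ack, flags, length):
    """One-line summary of a TCP segment, the fields a sniffer would log."""
    return {"ts": ts, "src": src[0], "sport": src[1], "dst": dst[0], "dport": dst[1],
            "seq": seq, "ack": ack, "flags": flags, "length": length}


def flow_key(p):
    return (p["src"], p["sport"], p["dst"], p["dport"])


def detect_ack_storm(packets, window=1.0, threshold=50):
    """Alert once per direction when more than `threshold` pure ACKs (ACK flag
    only, no payload) are seen within `window` seconds. A healthy connection
    sends at most one ACK per received segment, so a burst of ACKs carrying no
    data is the storm."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for p in sorted(packets, key=lambda p: p["ts"]):
        if p["flags"] != ACK or p["length"] != 0:
            continue
        key = flow_key(p)
        q = recent[key]
        q.append(p["ts"])
        while q[0] < p["ts"] - window:
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append(("ack-storm", key, len(q), p["ts"]))
    return alerts


def detect_conflicting_segments(packets):
    """Alert when two data segments share addresses, ports, sequence and ack
    numbers but differ in size. Pure ACKs are skipped because they repeat the
    same numbers legitimately."""
    first_size, alerts = {}, []
    for p in packets:
        if p["length"] == 0:
            continue
        key = flow_key(p) + (p["seq"], p["ack"])
        if key in first_size and first_size[key] != p["length"]:
            alerts.append(("conflicting-segment", key, first_size[key], p["length"]))
        else:
            first_size.setdefault(key, p["length"])
    return alerts


def sample_capture():
    """Constructed packet log (not a real capture): a telnet session into which
    an attacker injects a command using the client's next sequence number, after
    which the two ends exchange ACKs continuously."""
    client, server = ("192.168.0.102", 40000), ("192.168.0.78", 23)
    pkts = [
        packet(0.00, client, server, 1000, 5000, PSH_ACK, 4),   # client types "ls\r\n"
        packet(0.01, server, client, 5000, 1004, ACK, 0),
        packet(0.02, server, client, 5000, 1004, PSH_ACK, 60),  # command output
        packet(0.03, client, server, 1004, 5060, ACK, 0),
        packet(0.10, client, server, 1004, 5060, PSH_ACK, 4),   # attacker injects "id\r\n"
        packet(0.11, client, server, 1004, 5060, PSH_ACK, 6),   # real client sends "exit\r\n"
    ]
    t = 0.12
    for i in range(120):                                        # the ACK storm
        if i % 2 == 0:
            pkts.append(packet(t, server, client, 5060, 1008, ACK, 0))
        else:
            pkts.append(packet(t, client, server, 1004, 5060, ACK, 0))
        t += 0.001
    return pkts
```

Both checks produce false positives on their own (a lossy link retransmits, a sender may repacketise), which is why the deck frames them as evidence to alert on rather than proof; the two firing on the same flow within the same second is a much stronger signal than either alone.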

Page 28: Session hijacking

SUMMARY
Hijacking is the process of taking over the authority of an authorized user and inserting oneself into the network as that legitimate user.

Hijacking can be carried out as TCP session hijacking, TCP session hijacking with packet blocking, or UDP hijacking.

Hunt is a session hijacking tool. For protection against hijacking, the SSH and TLS protocols are used.

Page 29: Session hijacking

QUESTIONS
1. Explain how session hijacking is achieved.
2. Explain TCP session hijacking with packet blocking.
3. Explain the following terms: i) Hunt ii) Storm watching

Page 30: Session hijacking

THANK YOU!!!