The concept of session hijacking is fairly simple and can be
applied to various scenarios. An interception in the line of
communication allows the attacker either to assume the role
of the authenticated user or to stay connected as an intermediary, as in a
man-in-the-middle attack. Different techniques help the attacker hijack a session. One discussed in
Chapter 9, “Sniffers,” is Address Resolution Protocol (ARP) poisoning. We’ll expand on
setup techniques in this chapter, and you’ll get your hands dirty with a few examples that
illustrate how to accomplish a session hijack.
Understanding Session Hijacking
Session hijacking is synonymous with a stolen session, in which an attacker intercepts
and takes over a legitimately established session between a user and a host. The
user-host relationship can apply to access of any authenticated resource, such as a web server,
Telnet session, or other TCP-based connection. Attackers place themselves between the
user and host, which lets them monitor user traffic and launch specific attacks. Once
a successful session hijack has occurred, the attacker can either assume the role of the
legitimate user or simply monitor the traffic for opportune times to inject or collect specific
packets to create the desired effect. Figure 12.1 illustrates a basic session hijack.
FIGURE 12.1 Session hijack (diagram labels: Authenticated Connection, Victim, Host, Attacker)