CEH

(Jeff_L) #1

286 Chapter 12 ■ Session Hijacking


So what is a session ID? Well, its form can vary a bit depending on whether we are talking about an application or a network. However, in both cases it is usually some form of alphanumeric sequence that uniquely identifies a specific connection. A session ID could look like 123456abcdef, for example, but usually with a lot more entropy or randomness sprinkled in. Capturing, guessing, or calculating an ID allows the attacker to take over a connection or session.

Note that session IDs are also known as session tokens.
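The entropy point above is the one a defender can actually measure: a session ID built from a counter is guessable no matter how long it looks. The following added example (not from the book) estimates the entropy of a sample of tokens from your own application by summing the per-position Shannon entropy, and compares a constructed counter-based generator with one backed by the OS CSPRNG. The 64-bit floor is the commonly cited minimum from the OWASP Session Management Cheat Sheet; the function names are this example's own.

```python
import math
import secrets
from collections import Counter
from typing import List


def weak_session_id(counter: int) -> str:
    """Constructed example of a predictable generator: a zero-padded
    counter, the 123456abcdef-style ID the text warns about."""
    return f"{counter:012d}"


def strong_session_id(nbytes: int = 16) -> str:
    """Token drawn from the OS CSPRNG; 16 bytes = 128 bits of entropy."""
    return secrets.token_hex(nbytes)


def estimated_entropy_bits(tokens: List[str]) -> float:
    """Sum of the Shannon entropy of the symbol distribution at each
    character position, estimated from a sample of equal-length tokens.

    Positions are treated as independent, so the figure is an upper bound
    on the true joint entropy (sampling bias pulls it slightly down).
    A low result proves the IDs are guessable; a high result is necessary
    but not sufficient evidence that the generator is strong."""
    if not tokens:
        raise ValueError("need at least one token")
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("tokens must have equal length")
    n = len(tokens)
    total = 0.0
    for pos in range(length):
        counts = Counter(t[pos] for t in tokens)
        total -= sum((c / n) * math.log2(c / n) for c in counts.values())
    return total


def meets_minimum(tokens: List[str], min_bits: float = 64.0) -> bool:
    """True when the sample reaches the 64-bit floor cited by OWASP."""
    return estimated_entropy_bits(tokens) >= min_bits


if __name__ == "__main__":
    weak = [weak_session_id(i) for i in range(2000)]
    strong = [strong_session_id() for _ in range(2000)]
    print(f"sequential IDs: ~{estimated_entropy_bits(weak):.1f} bits")
    print(f"CSPRNG IDs:     ~{estimated_entropy_bits(strong):.1f} bits")
```

Run it against a few thousand tokens issued by a real application to spot a generator that only varies in its last few characters.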

Spoofing vs. Hijacking

Before we go too far, you should know that spoofing and hijacking are two distinctly different acts.

Spoofing is when an attacking party pretends to be something or someone else, such as a user or computer. The attacker does not take over any session.

In hijacking, the attacker takes over an existing active session. In this process, the attacker waits for an authorized party to establish a connection to a resource or service and then takes over the session.

The process of session hijacking looks like this:

Step 1: Sniffing This step is no different than the process we explored when we discussed sniffing in Chapter 9. You must be able to sniff the traffic on the network between the two points that have the session you wish to take over.

Step 2: Monitoring At this point your goal is to observe the flow of traffic between the two points with an eye toward predicting the sequence numbers of the packets.

Step 3: Session Desynchronization This step involves breaking the session between the two parties.

Step 4: Session ID Prediction At this point, you predict the session ID itself (more on that later) to take over the session.

Step 5: Command Injection At this final stage as the attacker you are free to start injecting commands into the session targeting the remaining party (most likely a server or other valuable resource).

It is important for you to understand that session hijacking can take place at two entirely different levels of the Open Systems Interconnection (OSI) model, so it is very important to pay attention to details. A session hijack can take place at the Network layer or at the Application layer—that is, an attack can target the TCP/UDP protocols or the much higher protocols at the Application layer, such as HTTP or FTP.