CEH

(Jeff_L) #1

294 Chapter 12 ■ Session Hijacking


sequence number and subsequent acknowledgment numbers. TCP connections begin their sequencing of packets with what is known as an initial sequence number (ISN). The ISN is basically a starting point on which all following packets can increment and sequence themselves accordingly. Desynchronizing a connection (Figure 12.6) involves breaking the linear sequence between the victim and the host, thereby giving the attacker the opportunity, at least sequence-wise, to jump in and take over the connection to the host. For example, suppose an attacker setting up a session hijacking attack has been tracking the sequence of the connection and is ready to launch an attack. To make the job easier, and at the same time remove the victim from the picture, the attacker can inject a large volume of null packets directed at the host machine. This in turn increments the sequence numbers of the host packets without the acknowledgment or purview of the victim machine. Now the attacker has successfully desynchronized the connection and has staged the host packet sequence numbers to a predictable count based on the number of null packets sent.

Network Session Hijacking


Network-level session hijacking is a hijacking method that focuses on exploiting a TCP/IP connection after initialization or authentication has occurred. There are some specific hijacking techniques that are in this category of attack. Some common ones we will discuss are TCP/IP hijacking, man-in-the-middle attacks, and UDP session hijacking.

The exam will test your ability to determine what type of attack you are seeing in a diagram or a fairly lengthy description. In this chapter, stay aware of the structure of each attack, as well as how each attack is identified based on its function and operation.

FIGURE 12.6 Desynchronizing a connection

[Figure: three participants, Victim, Host, and Attacker. The Victim's segments carry sequence numbers 1005 and 1006 and the Host's run from 2112 through 2117. The Attacker sends three Null packets to the Host, after which the Victim's positions are marked ???, since it can no longer keep in sequence with the Host.]
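The following simulation, added here as an educational example and not code from the study guide this page excerpts, replays the desynchronization described above and drawn in Figure 12.6 using RFC 793 sequence-space rules. Each endpoint tracks the next sequence number it will send and the next one it expects from its peer, and applies the standard acceptance test to incoming segments. Under those rules, the segments a third party injects advance the host's expectation of the victim's sequence number (the value in the host's acknowledgments) rather than the host's own send sequence, but the effect the text describes is the same: the victim's genuine segments no longer fall inside the host's accepted range and are discarded, while the two sides' counters drift apart. The count of rejected segments is the kind of signal a defender can watch for. The sequence numbers 1005 and 2112 come from the figure; the one-byte segment size, the 65535-byte window, and all function names are assumptions of this example.

```python
"""Sequence-space bookkeeping for one TCP connection (added example).

Not code from the CEH study guide; it models the scenario in the text.
All sequence numbers are constructed to match Figure 12.6 (victim 1005,
host 2112); segment and window sizes are assumptions.
"""
from dataclasses import dataclass

MODULUS = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def seq_between(lo: int, x: int, span: int) -> bool:
    """True if lo <= x < lo + span in 32-bit modular sequence space."""
    return (x - lo) % MODULUS < span


@dataclass
class Endpoint:
    name: str
    snd_nxt: int             # next sequence number this side will send
    rcv_nxt: int             # next sequence number expected from the peer
    rcv_wnd: int = 65535     # advertised receive window (assumed value)
    out_of_window: int = 0   # segments rejected by the acceptance test

    def acceptable(self, seq: int, length: int) -> bool:
        """RFC 793 acceptance test against [rcv_nxt, rcv_nxt + rcv_wnd)."""
        if self.rcv_wnd == 0:
            return length == 0 and seq == self.rcv_nxt
        if length == 0:
            return seq_between(self.rcv_nxt, seq, self.rcv_wnd)
        last = (seq + length - 1) % MODULUS
        return (seq_between(self.rcv_nxt, seq, self.rcv_wnd)
                or seq_between(self.rcv_nxt, last, self.rcv_wnd))

    def receive(self, seq: int, length: int) -> str:
        """Process an incoming data segment and report what happened to it."""
        if not self.acceptable(seq, length):
            self.out_of_window += 1
            return "rejected"      # treated as old data; only an ACK goes back
        if seq != self.rcv_nxt:
            return "queued"        # in window but out of order; held for reassembly
        self.rcv_nxt = (self.rcv_nxt + length) % MODULUS
        return "accepted"


def send(src: Endpoint, dst: Endpoint, length: int) -> str:
    """src transmits its next in-sequence segment of `length` bytes to dst."""
    result = dst.receive(src.snd_nxt, length)
    src.snd_nxt = (src.snd_nxt + length) % MODULUS
    return result


def inject(dst: Endpoint, seq: int, length: int) -> str:
    """A segment that did not come from the legitimate peer arrives at dst
    (the 'null packets' of the text, carrying the victim's address)."""
    return dst.receive(seq, length)


def desync_scenario() -> dict:
    """Replay the situation of Figure 12.6 and report the observable effect."""
    victim = Endpoint("victim", snd_nxt=1005, rcv_nxt=2112)
    host = Endpoint("host", snd_nxt=2112, rcv_nxt=1005)
    log = []

    # Normal exchange: one-byte segments so the numbers step like the figure.
    log.append(("victim->host", send(victim, host, 1)))   # seq 1005 accepted
    log.append(("host->victim", send(host, victim, 1)))   # seq 2112 accepted
    log.append(("victim->host", send(victim, host, 1)))   # seq 1006 accepted

    # Third party pushes three segments carrying the numbers the host expects
    # next from the victim; the host's expectation advances 1007 -> 1010.
    for _ in range(3):
        log.append(("third party->host", inject(host, host.rcv_nxt, 1)))

    # The victim, unaware, continues from its own snd_nxt (1007). The host
    # now treats that range as already received and rejects the segment.
    log.append(("victim->host", send(victim, host, 1)))

    return {
        "host_expects_from_victim": host.rcv_nxt,      # 1010
        "victim_next_seq": victim.snd_nxt,             # 1008
        "host_rejected_segments": host.out_of_window,  # 1
        "desynchronized": host.rcv_nxt != victim.snd_nxt,
        "log": log,
    }


if __name__ == "__main__":
    for entry, outcome in desync_scenario()["log"]:
        print(f"{entry:>18}: {outcome}")
```

Running the script prints the fate of each segment; the last line shows the victim's own segment being rejected even though the victim did nothing wrong. In a real stack the host answers that rejected segment with an acknowledgment for 1010, which the victim in turn cannot accept because it exceeds what the victim has sent, and the two sides exchange acknowledgments until the connection is torn down. A rising count of out-of-window segments on an established connection, with no corresponding loss on the path, is therefore worth alerting on.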