CEH

(Jeff_L) #1

Understanding Session Hijacking 295


TCP/IP Session Hijacking


TCP/IP session hijacking is an attack on a TCP session. The attacker attempts to predict
the sequence numbers of the packets flowing from the victim’s machine to the connected
resource. If successful, the attacker can then begin to inject packets that are “in sequence”
with the packet sequence of the legitimate user’s traffic.
As shown in Figure 12.7, once the initial handshake process is complete, the subsequent
packets stay in a general sequence between the victim and the resource. Each packet in an
ongoing conversation over TCP is incremented by 1. This rule applies to both SYN and
ACK sequence numbers.


FIGURE 12.7 TCP three-way handshake

[Figure: Sending System (System 1) and Receiving System (System 2). System 1 sends SYN, System 2 replies with SYN-ACK, System 1 answers with ACK.]

Implementation of this kind of attack first begins with the attacker sniffing the traffic
between the victim’s machine and the host machine. Once the attacker successfully sniffs
the connection and predicts (to the best of their ability) the packet sequence numbers, they
can inject custom packets onto the wire that have a spoofed IP of the victim machine as
well as a sequence number incremented appropriately based on previously captured packets.
An attacker spoofs the IP address of the victim’s machine to try to assume the identity of
the victim by hijacking the connection and the current session. From the server’s or host’s
perspective, packets coming from a legitimate IP address, as well as having a properly
incremented sequence number, are deemed legitimate traffic. Figure 12.7 outlines what this
would look like.
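The symptoms this paragraph describes (a spoofed-source segment arriving "in sequence", the legitimate sender falling behind the sequence the peer has already accepted, and the resulting ACK storm) can be checked for in captured traffic. The following is an added example, not part of the original text or the CEH material; the packet records, addresses and hop counts are constructed for illustration:

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass
class Pkt:
    src: str; sport: int; dst: str; dport: int
    seq: int; ack: int; flags: str; plen: int; ttl: int

def analyze(packets, ack_storm_threshold=5):
    """Stateful per-direction check for three hijack symptoms: a data segment
    that is in sequence but carries a TTL different from the one the session
    was established with (spoofed source, different hop count); the legitimate
    sender's next data segment landing behind the sequence already consumed
    (session desynchronised); and a run of empty ACKs (ACK storm)."""
    next_seq, ttl_seen, pure_acks, alerts = {}, {}, defaultdict(int), []
    for p in packets:
        k = (p.src, p.sport, p.dst, p.dport)          # one direction of the flow
        if "S" in p.flags:                            # SYN consumes one seq number
            next_seq[k], ttl_seen[k] = p.seq + 1, p.ttl
            continue
        if k in ttl_seen and p.ttl != ttl_seen[k]:
            alerts.append(("ttl-mismatch", k, p.seq, p.ttl))
        exp = next_seq.get(k)
        if p.plen == 0 and "A" in p.flags:
            pure_acks[k] += 1
            if pure_acks[k] == ack_storm_threshold:
                alerts.append(("ack-storm", k, p.ack))
        else:
            pure_acks[k] = 0
            if exp is not None and p.seq != exp:      # retransmits also trip this
                alerts.append(("seq-out-of-order", k, exp, p.seq))
        next_seq[k] = p.seq + p.plen if exp is None else max(exp, p.seq + p.plen)
    return alerts

# Constructed trace (not a real capture): handshake, one legitimate segment,
# one injected segment from a spoofed source, then the resulting ACK storm.
C, S = ("10.0.0.5", 40000), ("10.0.0.9", 80)
def c2s(seq, ack, flags, plen, ttl=64): return Pkt(*C, *S, seq, ack, flags, plen, ttl)
def s2c(seq, ack, flags, plen, ttl=128): return Pkt(*S, *C, seq, ack, flags, plen, ttl)
TRACE = [
    c2s(1000, 0, "S", 0), s2c(5000, 1001, "SA", 0), c2s(1001, 5001, "A", 0),
    c2s(1001, 5001, "PA", 10), s2c(5001, 1011, "A", 0),
    c2s(1011, 5001, "PA", 6, ttl=57),   # injected: correct seq, different hop count
    c2s(1011, 5001, "PA", 4),           # real client, now 6 bytes behind
] + [c2s(1015, 5001, "A", 0) for _ in range(5)]

if __name__ == "__main__":
    for alert in analyze(TRACE):
        print(alert)
```

The TTL comparison is a heuristic: it catches an injector sitting a different number of hops away, not one on the same segment as the victim, so it belongs alongside the sequence and ACK-storm checks rather than replacing them.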
Before we move on, let’s go through the basic steps of a TCP session hijack attack. You
don’t have to memorize these steps for the exam, but understanding their sequence and
what each step accomplishes will help you apply common sense to the challenging scenarios
