296 Chapter 12 ■ Session Hijacking
you’ll face. We’ve already covered a few of these, so we’re ahead of the game! Just pay
attention to the sequence and relate it to what you’ve already learned.
- Referring back to Chapter 9 once more, you must have a means of sniffing or capturing the traffic between the victim machines. This places you in the position required to perform the hijack.
- Predict the sequence numbers of the packets traversing the network. Remember that null packets can be used to increment the host sequence numbers, thereby desynchronizing the victim’s connection and making sequence number prediction easier.
- Perform a denial-of-service attack on the victim’s machine, or reset their connection in some fashion so you can assume the victim’s role as the legitimate client. Remember that in a passive hijacking, the victim connection is not necessarily severed; the traffic between the victim and the host is simply monitored, and you wait for the opportune time to act.
- Once you take over the victim’s session, you can start injecting packets into the server, imitating the authenticated client.
Be sure that you understand TCP hijacking and the packet sequencing an
attacker uses to implement the attack. Refer to Chapter 9 if necessary to
help you get comfortable with these topics. Both will show up on the exam
and will be applied to session hijacking.
Let’s go back to blind hijacking for a moment. As we discussed earlier, in blind hijacking
the attacker is not able to see the result of the injected packets, nor are they able to
sniff the packets successfully. This creates a major challenge for the attacker because
sequencing packets properly is a critical step in launching a successful TCP-based session
hijacking. Referring back to Chapter 9, recall that there is a logistical challenge in sniffing
traffic from other networks or collision domains. This is because each switchport is an
isolated collision domain. An attacker attempting to perform a session hijack attack on
a victim machine outside the attacker’s network or network segment creates a challenge
similar to the one you faced in sniffing traffic in Chapter 9. The attacker will be going in
“blind” because they will not be able to receive a return traffic confirmation of success.
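The sequence-prediction step above and the blind-hijacking discussion both come down to one question: does a segment arriving at the server carry a sequence number the server's TCP stack will accept? The following Python is an added example, not from the book, of the receive-window acceptability check a network monitor (or the receiving stack itself) applies. The `Segment` type, the `classify` function and the constructed segment list are assumptions made for this illustration. It shows why a wrong guess is silently dropped (the "blind" attacker gets no feedback) and, as a caveat for defenders, why a correctly predicted sequence number is indistinguishable from legitimate data at this layer, which is the reason modern stacks randomize initial sequence numbers.

```python
"""Receive-window acceptability check for TCP segments (added example)."""
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence numbers wrap modulo 2^32


@dataclass
class Segment:
    src: str      # source address as seen on the wire (may be spoofed)
    seq: int      # sequence number of the first payload byte
    length: int   # payload bytes


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793-style check: seq must lie in [RCV.NXT, RCV.NXT + RCV.WND),
    computed with modular distance so wrap-around is handled."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def classify(segments, rcv_nxt: int, rcv_wnd: int):
    """Walk segments as the receiver would: advance RCV.NXT on in-order
    data, flag in-window-but-out-of-order data, and flag out-of-window
    segments, which are what a wrong sequence guess looks like."""
    findings = []
    for seg in segments:
        if not in_window(seg.seq, rcv_nxt, rcv_wnd):
            findings.append((seg, "out-of-window"))
        elif seg.seq != rcv_nxt:
            findings.append((seg, "out-of-order"))
        else:
            findings.append((seg, "accepted"))
            rcv_nxt = (rcv_nxt + seg.length) % MOD
    return findings


def run_demo():
    """Constructed traffic for one connection: two legitimate segments from
    the client, one segment with a bad sequence guess, then one segment that
    happens to carry exactly the next expected sequence number."""
    rcv_nxt, rcv_wnd = 1000, 65535           # server's current receive state
    segments = [
        Segment("10.0.0.5", 1000, 100),       # legitimate client data
        Segment("10.0.0.5", 1100, 50),        # legitimate client data
        Segment("10.0.0.5", 3_000_000_000, 20),  # wrong guess: dropped silently
        Segment("10.0.0.5", 1150, 20),        # exact match: accepted as client data
    ]
    return classify(segments, rcv_nxt, rcv_wnd)


if __name__ == "__main__":
    for seg, verdict in run_demo():
        print(f"seq={seg.seq:<12} len={seg.length:<4} {verdict}")
```

The third segment is what a blind attacker's mis-prediction produces: the stack discards it without any response the attacker could observe, which is exactly the feedback gap described above. The fourth segment shows the limit of this check as a detection control: a precisely predicted sequence number passes as ordinary client data, so a monitor relying only on window membership cannot distinguish it from the real client, and the defence has to come from making that prediction infeasible (randomized initial sequence numbers) rather than from spotting it after the fact.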
Hacker on the Run
The infamous hacking saga of Kevin Mitnick is always a good read for ethical hackers as
well as Tom Clancy fans. Mr. Mitnick’s hacking activities finally landed him in prison in
1995, but the events leading up to the arrest read like a suspense novel. The noteworthy
portion of the story is the fact that Mitnick used IP spoofing and a form of TCP session
hijacking to gain access to the resources that inevitably landed him in hot water. This is