CEH

(Jeff_L) #1

Understanding Session Hijacking 297


Man-in-the-Middle


Man-in-the-middle (MITM) attacks take the cake as one of the best-known versions of a
session hijack attack. Essentially, an MITM attack places attackers directly between a victim
and host connection. Once attackers have successfully placed themselves in the middle of the
connection via a technique such as ARP poisoning, they have free rein to passively monitor
traffic, or they can inject malicious packets toward either the victim or the host machine.

Let’s continue with ARP poisoning for our example. The attacker will first sniff the traffic
between the victim and host machine, which places them in a passive yet strategic position.
From here, the attacker can send the victim phony or “poisoned” ARP replies that map the
victim’s traffic to the attacker’s machine; in turn, the attacker can then forward the victim’s
traffic to the host machine. While in this forwarding position, the attacker can manipulate
and re-send the victim’s packets at will. Take a look at Figure 12.8, and then proceed to
Exercise 12.1, which shows a basic MITM attack in action.


not to say that all session hijacking leads to prison time, but rather to demonstrate that
session hijacking has a usable presence in the real world. It’s equally amazing to see just
how real things can get when someone succeeds at hacking high-profile corporations
with such a conceptually straightforward attack. Check out http://www.takedown.com for some
details on the Kevin Mitnick story.


FIGURE 12.8 MITM attack (diagram labels: Victim, Host, Attacker, Original Connection, Traffic Redirected)
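A defender's view of the ARP poisoning described in the Man-in-the-Middle section, as an added example that is not from the book: it parses raw ARP frames and flags an IP address whose MAC differs from the first one seen, and a MAC that claims more than one IP address. The function names and all MAC and IP addresses are assumptions constructed for this illustration.

```python
import struct
from collections import defaultdict

def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet + ARP reply frame; used only to construct the sample input."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(o) for o in a.split("."))
    header = mac(target_mac) + mac(sender_mac) + b"\x08\x06"   # dst, src, EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)            # Ethernet, IPv4, op 2 = reply
    return header + arp + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28].hex(":"), ".".join(str(b) for b in frame[28:32])

def detect_poisoning(frames):
    """Flag IPs whose MAC differs from the first one seen, and MACs claiming several IPs."""
    baseline, claims, alerts = {}, defaultdict(set), []
    for n, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue                      # not ARP, or truncated
        _, mac, ip = parsed
        first_mac = baseline.setdefault(ip, mac)   # first binding seen is the baseline
        if first_mac != mac:
            alerts.append(("rebind", n, ip, first_mac, mac))
        if ip not in claims[mac]:
            claims[mac].add(ip)
            if len(claims[mac]) > 1:      # can also be a legitimate proxy-ARP router
                alerts.append(("multi-ip", n, mac, sorted(claims[mac])))
    return alerts

# Constructed sample capture (all addresses are made up for this example).
VICTIM = ("aa:aa:aa:aa:aa:10", "192.168.1.10")
HOST = ("aa:aa:aa:aa:aa:01", "192.168.1.1")
ATTACKER_MAC = "cc:cc:cc:cc:cc:66"
SAMPLE = [
    arp_reply(*HOST, *VICTIM),                       # legitimate: host announces itself
    arp_reply(*VICTIM, *HOST),                       # legitimate: victim announces itself
    arp_reply(ATTACKER_MAC, HOST[1], *VICTIM),       # poisoned: host IP -> attacker MAC
    arp_reply(ATTACKER_MAC, VICTIM[1], *HOST),       # poisoned: victim IP -> attacker MAC
    b"\x00" * 20,                                    # truncated frame, ignored
]
```

Calling `detect_poisoning(SAMPLE)` returns one "rebind" alert per poisoned reply plus a "multi-ip" alert once the same MAC has claimed both the victim's and the host's address.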