Exam Essentials 303
importance of understanding packet sequencing for the exam. We also looked at the different
sources of session IDs and touched on web application hijacking, and we explored man-in-the-middle
attacks and walked through the basic setup.
Exam Essentials
Know what makes up a session hijack. Make sure you can spot a session hijack attack easily.
The exam is fairly straightforward on session hijacking questions. Most of the time the diagram
will give it away, or it will become obvious from the question's scenario that a session hijack
has either occurred or is about to.
Know your TCP sequencing. Knowing how TCP sequence and acknowledgment numbers advance is
important for you as an ethical hacker and is extremely important for the exam: an attacker who
wants to inject into a session must supply the sequence number the receiver expects next, and that
number is predictable from the last segments observed. Understand the TCP three-way handshake
(SYN, SYN/ACK, ACK) as well, since the initial sequence numbers of both sides are exchanged there.
Remember the difference between an active attack and a passive attack. An active attack
is one in which the attacker injects packets or manipulates the connection in some fashion.
In a passive attack, the attacker only monitors (sniffs) the traffic between the client and the
server and takes no part in the conversation.
Know the steps of a session hijack. Familiarize yourself with the steps of a TCP session
hijacking attack: tracking the session (sniffing the connection and its sequence numbers),
desynchronizing the connection so the legitimate client falls out of step, and injecting the
attacker's own packets.
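The following is an added example, not code from the study guide: it models the sequence tracking an attacker does before injecting into a TCP session, the forged segment that the server accepts, and the desynchronization of the real client that results. The hosts, initial sequence numbers and FTP-style commands are constructed for the demo; nothing touches a network, and the receiver model is simplified (no window, no out-of-order queue).

```python
"""Added example, not from the study guide: track a sniffed TCP session's
sequence numbers, forge the segment the server will accept, and show the
legitimate client falling out of sync.  Hosts, ISNs and commands are made up."""
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    flags: str             # subset of "SAPF": SYN, ACK, PSH, FIN
    payload: bytes = b""

    def consumed(self) -> int:
        """Sequence space used: SYN and FIN count one each, data counts its length."""
        return len(self.payload) + ("S" in self.flags) + ("F" in self.flags)


class SessionTracker:
    """Step 1, track the session: from sniffed segments keep, per host, the next
    sequence number that host will use.  A receiver accepts in-order data only
    when seq equals that value, so this is exactly what the attacker must know."""

    def __init__(self):
        self.next_seq = {}

    def observe(self, seg):
        self.next_seq[seg.src] = seg.seq + seg.consumed()

    def next_from(self, host):
        return self.next_seq[host]


class Endpoint:
    """One side's acceptance rule for in-order data (simplified model).
    rcv_nxt is the next byte expected from the peer, snd_nxt the next byte sent."""

    def __init__(self, me, peer, tracker):
        self.me = me
        self.rcv_nxt = tracker.next_from(peer)
        self.snd_nxt = tracker.next_from(me)
        self.received = []

    def accept(self, seg):
        ok = seg.dst == self.me and seg.seq == self.rcv_nxt and seg.ack == self.snd_nxt
        if ok:
            self.rcv_nxt += seg.consumed()
            self.received.append(seg.payload)
        return ok


def forge(tracker, as_host, to_host, payload):
    """Step 3, inject: a segment that to_host accepts as if as_host had sent it."""
    return Segment(as_host, to_host, tracker.next_from(as_host),
                   tracker.next_from(to_host), "PA", payload)


def hijack_demo():
    client, server = "10.0.0.5", "10.0.0.80"
    sniffed = [                                                  # constructed capture
        Segment(client, server, 1000, 0, "S"),                   # SYN, client ISN 1000
        Segment(server, client, 5000, 1001, "SA"),               # SYN/ACK, server ISN 5000
        Segment(client, server, 1001, 5001, "A"),                # ACK completes the handshake
        Segment(client, server, 1001, 5001, "PA", b"USER alice\r\n"),
        Segment(server, client, 5001, 1013, "PA", b"331 Password required\r\n"),
    ]
    tracker = SessionTracker()
    for seg in sniffed:
        tracker.observe(seg)

    server_side = Endpoint(server, client, tracker)
    forged = forge(tracker, client, server, b"DELE backups.tar\r\n")
    forged_ok = server_side.accept(forged)

    # Step 2, desynchronization: the server has consumed the injected bytes, so
    # the real client's next segment (still at seq 1013) is rejected as a
    # duplicate and the legitimate peers can no longer talk to each other.
    legit = Segment(client, server, 1013, 5024, "PA", b"PASS hunter2\r\n")
    legit_ok = server_side.accept(legit)
    return {"forged_seq": forged.seq, "forged_ack": forged.ack,
            "forged_accepted": forged_ok, "legit_client_accepted": legit_ok}


if __name__ == "__main__":
    print(hijack_demo())
```

Running it shows the attacker needs only the two numbers the tracker derived from the capture (seq 1013, ack 5024) for the server to accept the forged command; an attacker who cannot sniff the session has to guess them, which is why predictable initial sequence numbers matter.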
Be able to define ARP poisoning and DNS spoofing. Understand both concepts: ARP poisoning
plants false IP-to-MAC mappings in a victim's ARP cache so that its traffic flows through the
attacker, and DNS spoofing supplies a forged name-to-address answer so the victim connects to a
host the attacker controls. Keep a lookout for scenario-driven questions that begin with ARP
poisoning or DNS spoofing as supporting factors for the attack. That is a signal that the
question is about a session hijacking (man-in-the-middle) attack.
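As an added example (not from the study guide), the two checks a defender runs to catch the man-in-the-middle setup these scenarios rely on: a watch for changing ARP bindings, and a resolver-side check that a DNS answer matches an outstanding query. The ARP replies, DNS answers, addresses and names are constructed inline for the demo.

```python
"""Added example, not from the study guide: detect the two MITM set-up techniques,
ARP poisoning and DNS spoofing, over constructed sample traffic."""
from collections import defaultdict

# Constructed "is-at" ARP replies as a sniffer on the segment would see them.
ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),    # gateway, first binding
    ("192.168.1.10", "00:11:22:33:44:0a"),   # client workstation
    ("192.168.1.1", "00:11:22:33:44:01"),    # repeat of the same binding: normal
    ("192.168.1.1", "de:ad:be:ef:00:01"),    # gateway IP now claimed by a new MAC
    ("192.168.1.10", "de:ad:be:ef:00:01"),   # same MAC claims the client too
]


def arp_watch(replies):
    """Alert on IP->MAC bindings that change and on one MAC that ends up bound to
    more than one IP (an attacker sitting between gateway and client)."""
    binding, alerts = {}, []
    for ip, mac in replies:
        previous = binding.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"ARP: {ip} moved from {previous} to {mac}")
        binding[ip] = mac
    ips_by_mac = defaultdict(set)
    for ip, mac in binding.items():
        ips_by_mac[mac].add(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"ARP: {mac} claims {', '.join(sorted(ips))}")
    return alerts


# Constructed resolver state: (transaction id, name) -> server the query went to.
PENDING_QUERIES = {(0x1A2B, "bank.example"): "192.168.1.1"}

# Constructed answers arriving at the resolver, in order.
DNS_ANSWERS = [
    {"txid": 0x1A2B, "qname": "bank.example", "src": "192.168.1.66", "a": "192.168.1.66"},  # right ID, wrong server
    {"txid": 0x1A2B, "qname": "bank.example", "src": "192.168.1.1", "a": "203.0.113.7"},    # genuine
    {"txid": 0x7777, "qname": "bank.example", "src": "192.168.1.1", "a": "192.168.1.66"},   # no such query outstanding
]


def dns_check(pending, answers):
    """Accept an answer only if it matches an outstanding query (transaction ID and
    name) and comes from the server that query was sent to; each query is answered
    once.  Everything else is reported as a spoofing candidate."""
    outstanding = dict(pending)
    resolved, alerts = {}, []
    for ans in answers:
        key = (ans["txid"], ans["qname"])
        asked = outstanding.get(key)
        if asked is None:
            alerts.append(f"DNS: no outstanding query for {ans['qname']} "
                          f"txid {ans['txid']:#06x} from {ans['src']}")
        elif ans["src"] != asked:
            alerts.append(f"DNS: answer for {ans['qname']} came from {ans['src']}, "
                          f"query went to {asked}")
        else:
            resolved[ans["qname"]] = ans["a"]
            del outstanding[key]
    return resolved, alerts


if __name__ == "__main__":
    print("\n".join(arp_watch(ARP_REPLIES)))
    print(dns_check(PENDING_QUERIES, DNS_ANSWERS))
```

The two checks are complementary: the ARP watch catches the attacker inserting itself on the local segment, while the DNS check catches an answer the resolver never asked for. Note the limitation that an attacker who has already poisoned ARP can forge the source address of a DNS answer, so the transaction ID (and, in real resolvers, a randomized source port) is what makes spoofing from off the path a guessing game rather than a certainty.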
Understand web application hijacking. Remember the three sources of session IDs:
embedded in a URL, carried in a hidden form field, or stored in a session cookie. Your focus is
not necessarily on knowing all the nuances of each source but on recognizing what the exam
question is asking you to recognize. The exam will usually give you ample evidence and
explanatory material in each question, so your job as the test taker is to sleuth out exactly
what is important and pertinent to answering the question.
Recognize flexibility in terminology. Session hijacking is a category of attack that the
exam presents in many varied ways. A web application session hijack may appear under a more
specific name such as session fixation (the attacker plants a session ID that the victim then
authenticates with). Or the possible answers to a diagram-based question may sound unfamiliar,
but one or two of them have session in the answer. Stay focused on the big picture, and use
common sense. If it looks like a session hijacking question and sounds like a session hijacking
question, well, it's a session hijacking question! Answer accordingly.
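To tie the web application points together, the following added example (not code from the study guide) locates the session ID in each of the three places named above and then contrasts a login that keeps the session ID it was handed, which is what session fixation exploits, with one that issues a fresh ID after authentication. The requests, the `sessionid` parameter name, the user table and the token format are all made up for the demo.

```python
"""Added example, not from the study guide: find a session ID in the URL, a
hidden form field or a cookie, then show session fixation against a login that
keeps the presented ID versus one that regenerates it.  All names are made up."""
import re
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse

SESSION_KEY = "sessionid"                            # assumed parameter/cookie name
USERS = {"alice": "correct horse battery staple"}   # constructed credential table


def find_session_id(method, url, headers, body=""):
    """Return (source, value): URL query string first, then submitted form fields
    (a hidden <input> arrives here on POST), then the Cookie header."""
    query = parse_qs(urlparse(url).query)
    if SESSION_KEY in query:
        return "url", query[SESSION_KEY][0]
    form = parse_qs(body) if method.upper() == "POST" else {}
    if SESSION_KEY in form:
        return "form", form[SESSION_KEY][0]
    jar = SimpleCookie(headers.get("Cookie", ""))
    if SESSION_KEY in jar:
        return "cookie", jar[SESSION_KEY].value
    return None, None


def hidden_field_from_html(html):
    """The same ID as seen in a served page (assumes type/name/value attribute order)."""
    m = re.search(r'<input[^>]*type="hidden"[^>]*name="%s"[^>]*value="([^"]*)"' % SESSION_KEY, html)
    return m.group(1) if m else None


class SessionStore:
    """In-memory sessions: sid -> {"user": name or None}."""

    def __init__(self):
        self.sessions = {}

    def touch(self, sid):
        """Create an anonymous session for sid (or a random one) if not seen before."""
        if sid is None:
            sid = secrets.token_urlsafe(32)
        self.sessions.setdefault(sid, {"user": None})
        return sid


def _password_ok(user, password):
    return user in USERS and secrets.compare_digest(USERS[user], password)


def login_vulnerable(store, presented_sid, user, password):
    """Keeps whatever session ID arrived with the login.  If an attacker planted
    it (a link carrying ?sessionid=... is enough), the attacker's ID becomes an
    authenticated session the moment the victim logs in."""
    sid = store.touch(presented_sid)
    if _password_ok(user, password):
        store.sessions[sid]["user"] = user
    return sid


def login_hardened(store, presented_sid, user, password):
    """Issues a fresh random ID on successful authentication and discards the
    presented one, so a planted ID never carries the victim's privileges."""
    if not _password_ok(user, password):
        return store.touch(presented_sid)
    store.sessions.pop(presented_sid, None)
    fresh = secrets.token_urlsafe(32)
    store.sessions[fresh] = {"user": user}
    return fresh


def fixation_demo():
    """Attacker sends the victim a link with a known ID; victim follows it and logs in."""
    planted = "attacker-chosen-id-000"
    source, sid = find_session_id("GET", "https://shop.example/login?sessionid=" + planted, {})
    vuln, hard = SessionStore(), SessionStore()
    login_vulnerable(vuln, sid, "alice", USERS["alice"])
    new_sid = login_hardened(hard, sid, "alice", USERS["alice"])
    return {
        "planted_id_source": source,
        "vulnerable_attacker_sees_user": vuln.sessions[planted]["user"],          # "alice"
        "hardened_attacker_sees_user": hard.sessions.get(planted, {}).get("user"),  # None
        "hardened_issued_new_id": new_sid != planted and hard.sessions[new_sid]["user"] == "alice",
    }


if __name__ == "__main__":
    print(fixation_demo())
```

The extraction order in `find_session_id` mirrors the three sources in the exam essentials; the fixation half shows why the fix for this class of hijack is to regenerate the session ID on every privilege change rather than to hide where the ID is carried.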