Session Hijacking

Session hijacking is basically the hijacking of a session by intercepting the communication between hosts. The attacker usually intercepts the communication to obtain the role of an authenticated user or to carry out a Man-in-the-Middle attack.

Session Hijacking

To understand the session hijacking concept, assume an authenticated TCP session between two hosts. The attacker intercepts the session and takes over the legitimate authenticated session. When the session authentication process is complete and the user is authorized to use resources such as web services, TCP communication or others, the attacker takes advantage of this authenticated session and places himself between the authenticated user and the host. The authentication process takes place only at the start of the TCP session, so once the attacker successfully hijacks the authenticated TCP session, traffic can be monitored, or the attacker can take the role of the legitimate authenticated user. Session hijacking succeeds because of weak session IDs or because nothing is blocked when an invalid session ID is received.

Session Hijacking Techniques

The session hijacking process is categorized into the following three techniques:

Stealing

The stealing category includes the different techniques for stealing a session ID, such as a "Referrer attack", network sniffing, Trojans or any other means.

Guessing

The guessing category includes tricks and techniques used to guess the session ID, such as observing the variable components of session IDs or calculating a valid session ID by figuring out the sequence.

Brute-Forcing

Brute-forcing is the process of guessing every possible combination of credentials. Usually, brute-forcing is performed when an attacker has gained information about the range of session IDs.
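The two weaknesses named earlier (weak session IDs and no blocking on invalid session IDs) are what make guessing and brute-forcing workable. The following is an added example, not code from the original post, showing both countermeasures in a small session store; the class name, thresholds and client addresses are assumptions chosen for illustration.

```python
import secrets
import time

MAX_INVALID = 5        # assumed threshold: invalid IDs tolerated per client
BLOCK_SECONDS = 300    # assumed block duration once the threshold is reached


class SessionStore:
    """In-memory session store (hypothetical, for illustration only)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}       # session ID -> user
        self._invalid = {}        # client address -> invalid IDs seen so far
        self._blocked_until = {}  # client address -> time the block ends

    def create(self, user):
        # 32 bytes from the OS CSPRNG. The ID holds no counter, timestamp
        # or user data, so there is no sequence to observe and no narrow
        # range to search.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def is_blocked(self, client):
        return self._clock() < self._blocked_until.get(client, float("-inf"))

    def lookup(self, client, sid):
        """Return the user bound to sid, or None if invalid or blocked."""
        if self.is_blocked(client):
            return None  # refuse even a valid ID while the block is active
        user = self._sessions.get(sid)
        if user is not None:
            return user
        # Invalid ID: count it against the client. The count is not reset
        # by a later valid lookup, so mixing valid and invalid requests
        # does not hide the guessing.
        count = self._invalid.get(client, 0) + 1
        self._invalid[client] = count
        if count >= MAX_INVALID:
            self._blocked_until[client] = self._clock() + BLOCK_SECONDS
            self._invalid.pop(client, None)
        return None
```

In a real deployment the counters would also expire over time and the block would be logged for the operations team.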

Session Hijacking Process

The process of session hijacking involves:

Sniffing

The attacker attempts to place himself between the victim and the target in order to sniff packets.

Monitoring

Monitor the traffic flow between victim and target.

Session Desynchronization

The process of breaking the connection between the victim and the target.

Session ID

The attacker takes control of the session by predicting the session ID.

Command Injection

After successfully taking control of the session, the attacker starts injecting commands.

Types of Session Hijacking

Active Attack

An active attack involves the attacker intercepting an active session. In an active attack, the attacker may send packets to the host and manipulates the legitimate users of the connection. As a result of the attack, the legitimate user is disconnected from the attacker.

Passive Attack

A passive attack involves hijacking a session and monitoring the communication between hosts without sending any packets.

Session Hijacking in the OSI Model

Network Level Hijacking

Network level hijacking includes hijacking of a network layer session such as a TCP or UDP session.

Application Level Hijacking

Application level hijacking includes hijacking at the Application layer, such as hijacking an HTTPS session.

Spoofing vs Hijacking

The major difference between spoofing and hijacking is the active session. In a spoofing attack, the attacker pretends to be another user, impersonating that user to gain access. The attacker does not have any active session; he initiates a new session with the help of stolen information.

Hijacking is basically the process of taking control of an existing active session between an authenticated user and a target host. The attacker uses the authenticated session of a legitimate user without initiating a new session with the target.

These are some of the basics of session hijacking. Thank you for reading.