Session hijacking is synonymous with a stolen session, in which an attacker intercepts and takes over a legitimately established session between a user and a host. The user-host relationship can apply to access of any authenticated resource, such as a web server, Telnet session, or other TCP-based connection. Attackers place themselves between the user and host, thereby letting them monitor user traffic and launch specific attacks. Once a successful session hijack has occurred, the attacker can either assume the role of the legitimate user or simply monitor the traffic for opportune times to inject or collect specific packets to create the desired effect.
In its most basic sense, a session is an agreed-upon period of time during which the connected state of the client and server is vetted and authenticated. This simply means that both the server and the client know (or think they know) who each other are, and based on this knowledge, they can trust that data sent either way will end up in the hands of the appropriate party. If a session hijack is carried out successfully, what is the danger? Several events can take place at this point, including identity theft and data corruption. In other situations, session hijacks have made for a perfect mechanism through which someone can sniff traffic or record transactions. Understanding what constitutes a session makes it easy to see how session hijacking can be extremely effective when all supporting factors are set up correctly.
Many of the prerequisite setup factors involved in session hijacking have already been discussed in previous chapters. For example, a specific form of hijacking involves using a sniffer both prior to and during an attack, and you learned about sniffers in Chapter 9. In Chapter 2, “System Fundamentals,” you learned about the TCP three-way handshake, which will greatly aid your understanding of TCP session hijacking.
Before we get too deeply into the details of each attack, let’s look at how session hijacking is categorized. An attacker carrying out a session hijack is seeking to take over a session for their own needs. Once they have taken over a session, they can then go about stealing data, issuing commands, or even committing transactions that they wouldn’t be able to otherwise. In this chapter, we will explore the various forms session hijacking can take and identify the methods you can use to thwart a session hijack. Session hijacks are easy to launch. TCP/IP is vulnerable, and most countermeasures, except for encryption, do not work.