TCP/IP session hijacking is an attack on a TCP session. The attacker attempts to predict the sequence numbers of the packets flowing from the victim’s machine to the connected resource. If successful, the attacker can then begin to inject packets that are in sequence with the packet sequence of the legitimate user’s traffic.
Figure: TCP three-way handshake
Implementation of this kind of attack begins with the attacker sniffing the traffic between the victim’s machine and the host machine. Once the attacker successfully sniffs the connection and predicts (to the best of their ability) the packet sequence numbers, they can inject custom packets onto the wire that carry the spoofed IP address of the victim’s machine as well as a sequence number incremented appropriately based on previously captured packets. By spoofing the victim’s IP address, the attacker tries to assume the victim’s identity by hijacking the connection and the current session. From the server’s or host’s perspective, packets that come from a legitimate IP address and carry a properly incremented sequence number are deemed legitimate traffic.
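Because the whole attack rests on guessing sequence numbers, the first question a defender should ask is how guessable a host's initial sequence numbers (ISNs) actually are. The following script is an added example, not code from the original text; the two ISN lists are constructed (one imitating a legacy fixed-increment generator, one imitating a randomised generator), and the audit threshold is an assumption chosen for illustration. Against a host you administer, you would instead record the server ISN from the SYN/ACK of each successive connection and feed those values to `assess()`.

```python
"""Audit how predictable a host's TCP initial sequence numbers (ISNs) are.

Added example; not code from the original text. The two ISN lists are
constructed: LEGACY_ISNS imitates a generator that adds a fixed constant per
connection, RANDOM_ISNS imitates a randomised generator (seeded so the run is
repeatable). Against a host you administer you would instead record the server
ISN from the SYN/ACK of each successive connection.
"""
from collections import Counter
import random
import statistics

SEQ_SPACE = 2 ** 32  # TCP sequence numbers wrap at 2^32

# Constructed: fixed increment of 64000 per connection (legacy-style generator).
LEGACY_ISNS = [0x10000000 + i * 64000 for i in range(12)]

# Constructed: 32-bit values from a seeded PRNG standing in for a randomised generator.
_rng = random.Random(1)
RANDOM_ISNS = [_rng.getrandbits(32) for _ in range(12)]


def isn_deltas(isns):
    """Difference between each ISN and the previous one, modulo the sequence space."""
    return [(later - earlier) % SEQ_SPACE for earlier, later in zip(isns, isns[1:])]


def predictability(isns):
    """Share of deltas equal to the single most frequent delta.

    1.0 means every ISN is the previous one plus a constant, so one observed
    connection is enough to compute the next ISN exactly. A value near
    1/(n-1) means no delta repeats across n samples.
    """
    deltas = isn_deltas(isns)
    top_count = Counter(deltas).most_common(1)[0][1]
    return top_count / len(deltas)


def delta_spread(isns):
    """Population standard deviation of the deltas; a small spread means the
    next ISN falls in a narrow range even when the deltas are not identical."""
    return statistics.pstdev(isn_deltas(isns))


def assess(isns, max_predictability=0.25):
    """Summarise the audit of one host's ISN samples.

    The threshold is an assumption for this example, not a standard;
    RFC 6528 describes the recommended ISN generator.
    """
    score = predictability(isns)
    return {
        "samples": len(isns),
        "predictability": score,
        "delta_spread": delta_spread(isns),
        "verdict": "weak" if score > max_predictability else "ok",
    }


if __name__ == "__main__":
    for name, isns in (("legacy", LEGACY_ISNS), ("random", RANDOM_ISNS)):
        print(name, assess(isns))
```

A score of 1.0 with zero spread, as the legacy list produces, is the worst case the text describes: a single sniffed connection gives away every future ISN. A randomised generator yields a score near the floor of 1/(n-1) and a spread on the order of the sequence space, which is what you want to see on your own servers.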
what each step accomplishes will help you apply common sense to the challenging scenarios you’ll face. We’ve already covered a few of these, so you’re ahead of the game! Just pay attention to the sequence and relate it to what you’ve already learned.
- Referring back to Chapter 9 once more, you must have a means of sniffing or capturing the traffic between the victim’s machine and the host. This places you in the position required to perform the hijack.
- Predict the sequence numbers of the packets traversing the network. Remember that null packets can be used to increment the host sequence numbers, thereby desynchronizing the victim’s connection and making sequence number prediction easier.
- Perform a denial-of-service attack on the victim’s machine, or reset their connection in some fashion so you can assume the victim’s role as the legitimate client. Remember that in a passive hijacking, the victim connection is not necessarily severed; the traffic between the victim and the host is simply monitored, and you wait for the opportune time to act.
- Once you take over the victim’s session, you can start injecting packets into the server, imitating the authenticated client.
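From the defender's side, the steps above leave traces in the traffic even when the sequence number guess is exact and the injected segment therefore looks legitimate to the server. The script below is an added example, not code from the original text. `TRACE` is a constructed segment list for one connection: a normal handshake and request, then a segment injected with the client's IP address and a correctly predicted sequence number, followed by the ACK storm that results once client and server disagree about what has been sent. The field names, addresses, thresholds and alert format are this example's own assumptions.

```python
"""Flag indicators of a hijacked TCP session in a packet trace.

Added example; not code from the original text. TRACE is constructed for one
connection: handshake, a legitimate request, an injected in-sequence segment
carrying the client's IP but a different TTL, and the ACK storm that follows.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str          # IP of the sender as it appears on the wire
    dst: str
    seq: int
    ack: int
    flags: str        # subset of "SAPF": SYN, ACK, PSH, FIN
    payload_len: int
    ttl: int          # IP TTL as received


CLIENT, SERVER = "10.0.0.5", "10.0.0.20"  # constructed addresses


def seg(src, dst, seq, ack, flags, payload_len, ttl):
    return Segment(src, dst, seq, ack, flags, payload_len, ttl)


TRACE = [
    seg(CLIENT, SERVER, 1000, 0, "S", 0, 64),       # 0 handshake
    seg(SERVER, CLIENT, 5000, 1001, "SA", 0, 58),   # 1
    seg(CLIENT, SERVER, 1001, 5001, "A", 0, 64),    # 2
    seg(CLIENT, SERVER, 1001, 5001, "PA", 20, 64),  # 3 legitimate request
    seg(SERVER, CLIENT, 5001, 1021, "A", 0, 58),    # 4
    seg(CLIENT, SERVER, 1021, 5001, "PA", 10, 51),  # 5 injected: in sequence, different TTL
    seg(SERVER, CLIENT, 5001, 1031, "A", 0, 58),    # 6 server acks bytes the client never sent
    seg(CLIENT, SERVER, 1021, 5001, "A", 0, 64),    # 7 real client re-asserts its own state
    seg(SERVER, CLIENT, 5001, 1031, "A", 0, 58),    # 8
    seg(CLIENT, SERVER, 1021, 5001, "A", 0, 64),    # 9
    seg(SERVER, CLIENT, 5001, 1031, "A", 0, 58),    # 10
    seg(CLIENT, SERVER, 1021, 5001, "A", 0, 64),    # 11
]


def analyze(trace, storm_threshold=6):
    """Return a list of alerts, each {"index", "kind", "detail"}.

    Heuristics (thresholds are assumptions for this example):
      ttl-mismatch: a segment's TTL differs from the first TTL seen from that
                    sender on this connection; a spoofed segment usually
                    travels a different path than the real host.
      seq-ahead:    a sender's sequence number jumps past the bytes it has
                    actually sent (a mispredicted injection).
      ack-storm:    a run of storm_threshold zero-length ACKs carrying no
                    data, the signature of desynchronised endpoints.
    """
    alerts = []
    first_ttl = {}      # direction -> TTL seen on the first segment
    snd_nxt = {}        # direction -> next sequence number expected from that sender
    pure_ack_run = 0
    storm_reported = False

    for i, s in enumerate(trace):
        direction = (s.src, s.dst)

        if first_ttl.setdefault(direction, s.ttl) != s.ttl:
            alerts.append({"index": i, "kind": "ttl-mismatch",
                           "detail": f"ttl {s.ttl} vs {first_ttl[direction]} from {s.src}"})

        if "S" in s.flags:
            snd_nxt[direction] = s.seq + 1  # SYN consumes one sequence number
        else:
            expected = snd_nxt.get(direction)
            if expected is not None:
                if s.seq > expected:
                    alerts.append({"index": i, "kind": "seq-ahead",
                                   "detail": f"seq {s.seq} > expected {expected} from {s.src}"})
                advance = s.payload_len + ("F" in s.flags)  # FIN also consumes one
                snd_nxt[direction] = max(expected, s.seq + advance)

        if s.flags == "A" and s.payload_len == 0:
            pure_ack_run += 1
            if pure_ack_run >= storm_threshold and not storm_reported:
                alerts.append({"index": i, "kind": "ack-storm",
                               "detail": f"{pure_ack_run} consecutive empty ACKs"})
                storm_reported = True
        else:
            pure_ack_run = 0  # any data or control segment breaks the run

    return alerts


if __name__ == "__main__":
    for alert in analyze(TRACE):
        print(alert)
```

Note what does not fire: the injected segment at index 5 passes the sequence check because its number was predicted exactly, which is precisely the situation the text describes as "deemed legitimate traffic". The TTL discontinuity and the ACK storm are what remain visible on the wire, and the `seq-ahead` rule covers the more common case of an injection whose guess is off.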