The first step in the session hijack attack is locating a target user. Attackers look for two things prior to their attack. First, they look for networks with a high level of utilization: high-volume networks help attackers remain anonymous and also provide a healthy supply of users to choose from, which further helps the attack. Second, because of the intrinsic insecurity of cleartext network protocols like Telnet, rlogin (remote login), and FTP (File Transfer Protocol), users who rely on them are easy targets. Network traffic can be scanned using packet-sniffing software to find weak protocols like FTP, Telnet, and rlogin. Port-scanning software can also be used to locate hosts with open FTP, Telnet, or rlogin ports.
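The same observation works in the defender's favour: if cleartext protocols are what make users easy targets, an inventory of where they are still in use is the first thing to build. The following is an added example, not code from the original article. It parses a constructed, simplified Zeek-style connection log (the field names mirror Zeek's `conn.log`; the records themselves are made up) and reports every completed TCP session to an FTP, Telnet or rlogin port, grouped by server, so the noisiest exposures can be retired or isolated first.

```python
# Added example (not from the original article): inventory cleartext remote-access and
# file-transfer protocols from connection records. The input is a constructed,
# simplified Zeek-style conn.log (tab-separated); field names mirror Zeek's, the
# records are made up for this example.
from collections import Counter
from typing import Dict, List, Tuple

# Ports of the protocols the article calls "weak": credentials cross the wire in cleartext.
CLEARTEXT_PORTS: Dict[int, str] = {
    21: "ftp",
    23: "telnet",
    513: "rlogin",
}

# Constructed sample records: ts, orig_h, orig_p, resp_h, resp_p, proto, conn_state
SAMPLE_CONN_LOG = """\
1700000001.1\t10.0.0.5\t51234\t10.0.0.20\t23\ttcp\tSF
1700000002.4\t10.0.0.7\t51235\t10.0.0.20\t22\ttcp\tSF
1700000003.9\t10.0.0.5\t51236\t10.0.0.30\t21\ttcp\tSF
1700000004.2\t10.0.0.9\t51237\t10.0.0.30\t443\ttcp\tSF
1700000005.0\t10.0.0.8\t51238\t10.0.0.20\t513\ttcp\tS0
1700000006.3\t10.0.0.5\t51239\t10.0.0.20\t23\ttcp\tSF
"""


def parse_conn_log(text: str) -> List[dict]:
    """Parse tab-separated connection records into dicts; blank and comment lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, orig_p, resp_h, resp_p, proto, state = line.split("\t")
        records.append({
            "ts": float(ts), "orig_h": orig_h, "orig_p": int(orig_p),
            "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto, "state": state,
        })
    return records


def find_cleartext_sessions(records: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (client, server, protocol) for each TCP session to a cleartext port.

    Zeek's conn_state 'S0' means the handshake never completed, so nothing was
    exchanged that a sniffer could have captured; those records are excluded.
    """
    hits = []
    for r in records:
        if r["proto"] != "tcp" or r["state"] == "S0":
            continue
        name = CLEARTEXT_PORTS.get(r["resp_p"])
        if name:
            hits.append((r["orig_h"], r["resp_h"], name))
    return hits


def summarize_by_server(hits: List[Tuple[str, str, str]]):
    """Count cleartext sessions per (server, protocol), most exposed server first."""
    counts = Counter((srv, proto) for _, srv, proto in hits)
    return counts.most_common()


if __name__ == "__main__":
    sessions = find_cleartext_sessions(parse_conn_log(SAMPLE_CONN_LOG))
    for (server, proto), n in summarize_by_server(sessions):
        print(f"{server} {proto}: {n} cleartext session(s)")
```

Run against a real `conn.log` export, the summary doubles as a migration list (Telnet and rlogin to SSH, FTP to SFTP or FTPS) and as a baseline: a cleartext session appearing where none is expected is itself worth an alert.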
1. Sniffing into Active Session:
The attacker then finds an active session between the target and another machine and places himself between them. Using a sniffer like Wireshark, he captures the traffic and tries to gather information about the session.
He then monitors the traffic for vulnerable protocols like HTTP, Telnet, rlogin, etc., and tries to find any valid authentication packets passing through.
3. Session ID Retrieval:
Using the data at hand, the attacker tries to estimate the session ID. Once a target has been determined, sequence number prediction is the next step in the session hijacking procedure. It is a critical step because failing to predict the correct sequence number will result in the server sending reset packets and terminating the connection attempt. If the attacker guesses the sequence numbers wrong repeatedly, the likelihood that the attack is detected increases.
In application-level hijacking, active attacks are pursued to steal the session ID. Man-in-the-middle attacks, cross-site scripting, and sniffing are used to steal the session ID.
Brute Forcing: This is a time-consuming process.
While sequence number guessing can be done manually by skilled attackers, software tools are available to automate the process.
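Every method in this step, estimating the ID, stealing it through sniffing or XSS, or brute forcing it, depends on the application having issued a guessable ID or exposed it on the wire. The following is an added example, not code from the original article, showing the server-side controls that close those avenues: session IDs drawn from the OS CSPRNG (`secrets`), an audit helper that flags an issued sequence of IDs as predictable when consecutive values differ by a constant step, and a `Set-Cookie` builder and checker for the `Secure`, `HttpOnly` and `SameSite` attributes that keep the cookie off cleartext connections and away from page scripts. Function and constant names are this example's own.

```python
# Added example (not from the original article): defensive controls against session-ID
# estimation, theft and brute forcing. Names here are this example's own.
import secrets
from typing import List

SESSION_ID_BYTES = 32  # 256 bits of randomness; brute force expects ~2**255 guesses


def new_session_id(nbytes: int = SESSION_ID_BYTES) -> str:
    """Generate an unpredictable session identifier.

    secrets.token_urlsafe reads the OS CSPRNG, so observing earlier IDs tells an
    attacker nothing about the next one, and guessing is infeasible at this length.
    """
    return secrets.token_urlsafe(nbytes)


def looks_sequential(ids: List[str], base: int = 10) -> bool:
    """Audit helper for an application's own issued IDs: True when consecutive IDs
    differ by one constant step, i.e. the next ID can be estimated from those already
    seen. Non-numeric IDs (such as token_urlsafe output) are never sequential here."""
    try:
        nums = [int(i, base) for i in ids]
    except ValueError:
        return False
    if len(nums) < 3:
        return False
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(steps) == 1


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Set-Cookie header value that limits the theft vectors the text lists:
    Secure   -> never sent over cleartext HTTP, so sniffing an HTTP session won't show it;
    HttpOnly -> not readable by page scripts, so XSS cannot read it;
    SameSite -> not attached to cross-site requests."""
    return (f"{name}={value}; Path=/; Max-Age={max_age}; "
            f"Secure; HttpOnly; SameSite=Strict")


REQUIRED_ATTRIBUTES = ("secure", "httponly", "samesite")


def audit_set_cookie(header: str) -> List[str]:
    """Return the protective attributes missing from a Set-Cookie header value.
    Attribute names are matched case-insensitively, as RFC 6265 requires."""
    attrs = {part.strip().split("=")[0].lower() for part in header.split(";")[1:]}
    return [a for a in REQUIRED_ATTRIBUTES if a not in attrs]


if __name__ == "__main__":
    sid = new_session_id()
    print(build_session_cookie("SESSIONID", sid))
    # Constructed weak header for comparison: no Secure, HttpOnly or SameSite.
    print("missing:", audit_set_cookie("SESSIONID=abc123; Path=/"))
    # Constructed sequential IDs of the kind an audit should reject.
    print("sequential:", looks_sequential(["100045", "100046", "100047"]))
```

`audit_set_cookie` is the piece to wire into a response check: run it over the `Set-Cookie` headers a login endpoint returns and fail the test if the list is non-empty. `looks_sequential` catches only the simplest form of predictability (fixed increments); an ID scheme that passes it still needs a CSPRNG behind it.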
5. Take One of the Parties Offline:
Once a session is chosen and sequence numbers predicted, one of the targets has to be silenced. This is generally done with a denial-of-service attack. The attacker must ensure that the client computer remains offline for the duration of the attack, or the client computer will begin transmitting data on the network, causing the workstation and the server to repeatedly attempt to synchronize their connections, resulting in a condition known as an ACK storm.
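Two side effects named in this section are loud on the wire: the server's reset packets when sequence numbers are guessed wrong (step 3), and the ACK storm when the silenced client comes back (this step). Both are repeated, payload-less segments between the same pair of hosts in a short interval, which makes them detectable with one sliding-window counter. The following is an added example, not code from the original article, that runs that counter over constructed packet summaries; the thresholds, field layout and sample traffic are this example's own and would be tuned to the network being monitored.

```python
# Added example (not from the original article): detect bursts of server RSTs (failed
# sequence-number guesses) and ACK storms (both ends re-synchronising). Thresholds,
# record layout and sample packets are constructed for this example.
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Packet summary: (timestamp, src, dst, tcp_flags, payload_len)
Packet = Tuple[float, str, str, str, int]
Alert = Tuple[Tuple[str, str], float, int]


def _pair(src: str, dst: str, directional: bool) -> Tuple[str, str]:
    """RST bursts are one-way (server -> client); ACK storms ping-pong, so fold direction."""
    return (src, dst) if directional else tuple(sorted((src, dst)))


def detect_bursts(packets: List[Packet], flag: str, window: float,
                  threshold: int, directional: bool = True) -> List[Alert]:
    """Emit (endpoints, time, count) whenever at least `threshold` payload-less packets
    carrying exactly `flag` are seen between the same endpoints within `window` seconds.
    Packets must be in timestamp order. The window is cleared after each alert so a
    continuing storm yields one alert per `threshold` packets rather than one per packet."""
    recent: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
    alerts: List[Alert] = []
    for ts, src, dst, flags, plen in packets:
        if flags != flag or plen != 0:
            continue
        key = _pair(src, dst, directional)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((key, ts, len(q)))
            q.clear()
    return alerts


def detect_rst_bursts(packets: List[Packet], window: float = 2.0, threshold: int = 5) -> List[Alert]:
    """Repeated RSTs from one host to another: a server refusing segments whose
    sequence numbers fall outside its window, as with wrong guesses."""
    return detect_bursts(packets, "RST", window, threshold, directional=True)


def detect_ack_storms(packets: List[Packet], window: float = 1.0, threshold: int = 20) -> List[Alert]:
    """Many empty ACKs bouncing between two hosts: each side answering the other's
    unexpected acknowledgement with its own."""
    return detect_bursts(packets, "ACK", window, threshold, directional=False)


# Constructed traffic. A normal close contributes one RST; a data transfer's ACKs carry payload.
_STORM_ENDPOINTS = ("10.0.0.5", "10.0.0.20")
SAMPLE_PACKETS: List[Packet] = (
    # six RSTs from server to client within a quarter of a second
    [(10.0 + 0.05 * i, "10.0.0.20", "10.0.0.5", "RST", 0) for i in range(6)]
    # a lone RST to another host: ordinary teardown, must not alert
    + [(12.0, "10.0.0.20", "10.0.0.9", "RST", 0)]
    # ordinary data exchange: ACKs with payload are not counted
    + [(15.0 + 0.1 * i, "10.0.0.7", "10.0.0.20", "ACK", 512) for i in range(30)]
    # ACK storm: thirty empty ACKs alternating direction within 0.3 s
    + [(30.0 + 0.01 * i, _STORM_ENDPOINTS[i % 2], _STORM_ENDPOINTS[(i + 1) % 2], "ACK", 0)
       for i in range(30)]
)

if __name__ == "__main__":
    for key, ts, n in detect_rst_bursts(SAMPLE_PACKETS):
        print(f"RST burst {key[0]} -> {key[1]} at t={ts:.2f}: {n} resets")
    for key, ts, n in detect_ack_storms(SAMPLE_PACKETS):
        print(f"ACK storm between {key[0]} and {key[1]} at t={ts:.2f}: {n} empty ACKs")
```

Feeding the detector from a real capture means extracting the five fields per segment (for example with a pcap library) and keeping them time-ordered; the thresholds are starting points, since a lossy link can also produce short runs of empty ACKs, so the pair-level view matters more than any single count.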
6. Take over the Session and Maintain the Connection:
Taking control of the communication session between the workstation and server is the last step of the session hijack attack. To avoid being discovered, the attacker spoofs the client's IP address and includes the sequence number that was previously predicted. If the server accepts this information, the communication session has been successfully hijacked.