session hijacking

Session Hijacking

1. What is Session Hijacking?

Session hijacking refers to the abuse, profiteering, and exploitation of a legitimate computer session during which an attacker takes over a session between two computers. The attacker steals a valid session ID and uses it to get into the system and extract the data. The host assailant exploits the transmission control protocol (TCP) to establish connection and exchange of a stream of data between two hosts.


Session hijacking is one of the major attacks on the web today.  This article will show you how to deal with spoofing methods, the three-way TCP handshake, and how attackers use these methods for man-in-the-middle attacks. A ploy to taking over the intellectual property of a specific website.

2. Methods Used in Hijacking

2.1. TCP Session Hijacking

This method empowers the session assailant to take control over a TCP between two hosts. A logged in attacker can participate in the existing conversation of other users on other systems by diverting packets to his or her hidden host. This method of hijacking is carried out through source-routed IP packets

2.2. Blind Hijacking

This method is borne out of guessing or assumption to launch the attack.

2.3. MITM (man-in-the-middle) Hijacking

A mitm method is employed when a sniffer is used to track down a conversation between two users. A denial-of-service (DoS) attack is executed so that a system crashes, which leads to a greater loss of packets.

Gaining basic understanding on how session hijacking work is a valuable asset you would need to figure out whenever you are hit to learn what steps were actually taken in the day-to-day activity between your web browser and the host.

3. How it Works

Consider an everyday scenario in which computers (regardless of the internet protocol address) access the Internet using a Web browser such as Internet Explorer (IE), Mozilla, Google Chrome and the host of other browsers.

  1. IE works at the application layer. When it begins a connection between two hosts, it creates a request datagram to be sent across the Internet to the Web server to establish a connection.
  2. The transport protocol comes into play at the transport layer, the layer of the TCP stack that allows connections between software services on connected systems. At the transport layer, the appropriate protocol header is added to the datagram. This header ensures the reliability of the data transported and controls many aspects of the communication between the two hosts. The initial segment is an SYN request and the first phase of what is known as the TCP three-way handshake (SYN, SYN/ACK, and ACK) used to establish a reliable connection-oriented session with the Web server. 
  3. In the network layer, routers allow the datagram to hop from the source to the destination, one hop at a time. The IP header is added to the packet in the network layer.
  4.  The final layer is the data link layer. This layer communicates with the physical hardware and is responsible for the delivery of signals from the source to the destination over a physical communication platform, in this case, the Ethernet. At this layer, the frame header is added to the datagram.4.0 

4.0 Steps Employed in Hijacking

Taking over an existing active session is a subtle stratagem and knowing the step the attacker use in making this happen is paramount.  An attacker can hijack a genuine user’s session by finding an established session and taking it over after the user has been authenticated. These are the steps observed in executing such slime.

  • Tracking the connection
  • Desynchronizing the connection 
  • Injecting the attacker’s packet

4.1 Step 1 – Tracking The Connection

The attacker utilizes a network sniffer to track a victim and host (the computer) or applies a tool like Nmap to examine the network for a target with a TCP sequence that is predictable. Once the victim is identified, the attacker captures sequence and acknowledgment numbers from the victim. Since the packets are checked by TCP through a sequence and/or acknowledgment numbers, the attacker exploits and take advantage of these numbers to construct packets.

4.2 Step 2 – Desynchronizing the Connection

A desynchronize state is established when a connection between the target and host is in a stable state without data transmission. It also occurs also whenever the server’s sequence number is not proportional to the client’s acknowledgment number.

In order to desynchronize the connection between the target and host, the attacker must change the sequence number or the acknowledgment number (SEQ/ACK) of the server. To do this, the attacker sends null data to the server so that the server’s SEQ/ACK numbers will advance, while the target machine will not register such an increment. 

4.2.1 Tricks 

Attacker sends a reset flag to the server to cripple the connection on the server side. The goal here is to break the connection on the server side and create a new look of connection with a different SQ(sequence number).

4.3 Step 3 Data Injection

Data injection is executed once the attacker has interrupted the connection between the server and the target by injecting data into the network or participate actively as the man-in-the-middle by passing data from the target to the server.

5.0 Session Hijacking Tools

The following are the tools use by session hijackers:

  • IP Watcher
  • DNS hijacker
  • TTY-Watcher
  • Hjksuite

5.1. IP Watcher

IP Watcher is a commercial session-hijacking tool that enables an administrator to monitor connections and helps in taking over sessions.

This tool has several functions, including the ability to monitor an entire network. IP Watcher can monitor all active connections on the network and inspect information sent between communicating hosts. The IP Watcher allows the network administrator to see an exact copy of the user’s session.

5.2. DNS Hijacker

Dnshijacker is a libnet/libpcap-based packet sniffer and spoofer that supports Tcpdump-type filters and consequentially target victims. DNS answers are forged based on entries in a fabrication table or by forging a single answer to all requests. It uses the libpcap interface for packet capturing.

5.3. TTY-Watcher

TTY-Watcher is a utility to control and restrain users on a single system. It is based on the IP Watcher utility, which can be used to monitor and control users on a network. It allows the user to watch every TTY session on the system, as well as communicate with them. It allows individual connections to be logged to either a raw log file for later playback or to a text file. 

5.4. Hjksuite

Hjksuite is a collection of programs with high-level functions like hjksend, hjkrecv, hjkbnc to hijack a session. It comes with a library that implements a TCP/IP stack.

  • Hjklib: A library that implements a TCP/IP stack over hijacking. This library provides high-level functions like hjksend and hjkrecv (to send and receive data from a hijacked connection). It also contains some programs that use this library.
  • Hjknetcat: A simple hijacker for textual connections. It allows the hacker to automatically hijack a connection to a port.
  • Hjkbnc: A hijacker for IRC connections. It requires the target connection and a port where it can bind. The administrator can run the IRC client and use hjkbnc as a server. Hjkbnc detects nicks and channels and pipes the connection.

6.0. Damage Caused by Session Hijacking

Hijacking is an unfortunate experience whenever it strikes, the victim is at risk of identity theft, scam, and loss of sensitive information valuable to the person. This has always been the case since all networks that use TCP/IP are vulnerable to the session hijacking. There is little to what network administrator could do to protect this from happening, except switching to a more secure protocol. The following make this malpractice a success:

  • All one-time password schemes are vulnerable to connection hijacking. Once the user/service has authenticated, the connection can be taken over.
  • A network is susceptive to network address spoof attacks if its security depends on filtering the packets from unknown sources.
  • Encryption is not enabled by default, because of this, security is of major concern.

7.0. Preventive Measures of Hijacking

Preventing attack can be cumbersome and undeniably inaccessible, but there are preventive measures a network administrator can employ to foil the attempts.

7.1. Limit Incoming Connections

  • Limit unique session tokens to each browser’s instance. For example, generate the token with a hash of the MAC address of the computer and process ID of the browser.
  • Establish sessions with limited IP addresses. An example would be the IP address in an intranet where the specifics of the range of IPs are already known.

7.2. Use Encryption

  • Force all incoming connections from the outside world to be fully encrypted. Attackers outside the network will have a difficult time if passwords are not sniffable, and so sessions cannot be hijacked.
  • Apply X.509 certificates (to encrypt via SSL, IPSec, SSH, S/MIME, or PGP) to override more traditional types of TCP traffic predictable sequence number hijacking.

7.3.  Lessen Remote Access

  • Do this by using strong authentication and peer-to-peer VPNs.

You can check out the newly released article on the guides and application of .htaccess.


Session hijacking can be critical; strict countermeasures are vital, but not fail-safe. Always apply the countermeasure procedures before it becomes fatal. ” …My word 

    Leave Your Comment Here

    error: Content is protected !!