Session Hijacking
In session hijacking, an attacker tries to access the remote session of a target by stealing the target's session ID. If the attacker can get a valid session ID from the target system, he can easily access the target's active remote session. Using the session ID, the attacker can gain access to the target system and take over its data.
Session hijacking takes several forms. When the attacker steals a TCP session between two hosts, it is known as TCP session hijacking. Most ports and protocols use TCP connections, so intercepting the session ID of an initiating TCP session helps an attacker access the target system. The attacker can then access the machine and perform an exploit, which can amount to a complete takeover of the target host.
Spoofing and session hijacking are different. In spoofing, an attacker pretends to be another user and performs the attack under that identity. In spoofing, the attacker does not take part actively. In session hijacking, the attacker actively participates in the attack. The target host needs to be actively connected to the server. The attacker takes over the active session and uses it to steal credentials.
Types of Session Hijacking
1. Active:
In active session hijacking, an attacker manages to steal the active and valid session ID of the target user. The attacker disconnects the target from the active session and takes over that session.
Generally, the attacker needs to intercept the packets and analyze them to obtain valid cookies or session ID information. Before that, taking over an active session is quite complex and difficult.
2. Passive:
In passive session hijacking, an attacker sits between two communicating hosts and analyzes their packet traffic. After obtaining the session ID or valid cookies, the attacker hijacks the session but doesn't perform any exploit.
The attacker simply analyzes all the packets being forwarded and tries to communicate under a fake identity to get highly sensitive information from the other side.
Steps Involved in Session Hijacking
- The attacker sits between the two communicating hosts, i.e. tries to sniff the communication packets.
- The attacker intercepts the packets and analyzes every packet.
- The attacker exploits the target's active session once he has analyzed the traffic and found the required TCP packets.
- The attacker disconnects the target from its current session and takes over the session of the target host.
- The attacker then tries to exploit the target host by injecting infected packets into it.
Methods of Session Hijacking
Session Hijacking can be done in the following ways:
1. Network Side Session Hijacking:
- Exploiting TCP/IP Communication.
- Exploiting 3-Way Handshake.
- Exploiting UDP Communication.
- Man in the Middle Attack (MITM).
- IP Spoofing.
2. Application Side Session Hijacking:
In application side session hijacking, an attacker tries to get the valid session IDs of the target user to gain access to the active session. Sometimes, when a critical vulnerability is present, the attacker can even create an unauthorized new session.
Session IDs might be present in the URL of the web application, reflected as the result of an HTTP GET request. The attacker may also try to intercept the valid session cookies of the target user and use them to hijack the session.
Generally, brute force is used to guess session IDs: the attacker tries candidate values until one matches the session ID of the target user.
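
Both application side patterns above leave traces a defender can check for. The following added example (not part of the original page) scans constructed log records for session IDs exposed in URLs and for clients presenting many distinct rejected session IDs; the record layout, the parameter-name list, and the threshold are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumed list of parameter names that carry session IDs; extend for your stack.
SESSION_PARAMS = {"sid", "sessionid", "session_id", "phpsessid", "jsessionid"}

# Constructed sample records: (client, request target, session ID presented, accepted?)
SAMPLE_LOG = [
    ("198.51.100.7", "/account?view=summary", "k3Jf9QwZx1", True),
    ("198.51.100.7", "/cart;jsessionid=k3Jf9QwZx1?item=4", "k3Jf9QwZx1", True),
    ("203.0.113.9", "/account?PHPSESSID=0001", "0001", False),
    ("203.0.113.9", "/account", "0002", False),
    ("203.0.113.9", "/account", "0003", False),
    ("203.0.113.9", "/account", "0004", False),
    ("192.0.2.44", "/account", "expiredA1", False),
]


def session_params_in_url(target):
    """Return the session-ID parameter names exposed in a request target."""
    parts = urlsplit(target)
    found = set()
    # Query string parameters, e.g. ?PHPSESSID=...
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS:
            found.add(name.lower())
    # Path parameters, e.g. /cart;jsessionid=...
    for segment in parts.path.split("/"):
        for param in segment.split(";")[1:]:
            name = param.split("=", 1)[0].lower()
            if name in SESSION_PARAMS:
                found.add(name)
    return sorted(found)


def urls_exposing_session_ids(records):
    """Return (client, target) pairs whose request target carries a session ID."""
    return [(c, t) for c, t, _sid, _ok in records if session_params_in_url(t)]


def guessing_clients(records, threshold=3):
    """Return clients that presented at least `threshold` distinct rejected session IDs."""
    rejected = defaultdict(set)
    for client, _target, session_id, accepted in records:
        if not accepted:
            rejected[client].add(session_id)
    return sorted(c for c, ids in rejected.items() if len(ids) >= threshold)
```

A single rejected ID, such as an expired session, stays below the threshold, so only the client cycling through many invalid values is reported.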