Network Session Hijacking

Network-level session hijacking exploits a TCP/IP connection after it has been initialized or authenticated. Several specific techniques fall into this category of attack; the common ones discussed here are TCP/IP hijacking, man-in-the-middle attacks, and UDP session hijacking.

TCP/IP Session Hijacking

TCP/IP session hijacking is an attack on a TCP session. The attacker attempts to predict the sequence numbers of the packets flowing from the victim’s machine to the connected resource. If successful, the attacker can then begin to inject packets that are “in sequence” with the packet sequence of the legitimate user’s traffic.

As shown in Figure 1, once the initial handshake is complete, the subsequent packets between the victim and the resource follow a predictable sequence. Each packet in an ongoing TCP conversation is incremented by 1, and this rule applies to both the sequence and acknowledgment numbers.


Figure 1. TCP three-way handshake

Implementing this kind of attack begins with the attacker sniffing the traffic between the victim’s machine and the host machine. Once the attacker has captured the connection and predicted, to the best of their ability, the packet sequence numbers, they can inject custom packets onto the wire that carry the spoofed IP address of the victim machine and a sequence number incremented appropriately from the previously captured packets. The attacker spoofs the victim’s IP address in order to assume the victim’s identity, hijacking the connection and the current session. From the server’s or host’s perspective, packets that arrive from a legitimate IP address with a properly incremented sequence number are treated as legitimate traffic. Figure 1 outlines what this would look like.
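The sequence-number bookkeeping described above, as an added example that is not part of the original article: a small tracker follows the next expected sequence number on each side of a constructed TCP exchange and flags any segment that does not fit the flow state, which is what a flow-aware monitor looks for when injected traffic appears. It goes slightly beyond the text in one respect: a SYN or FIN consumes one sequence number, while a data segment advances the number by the bytes it carries. The `Segment` records, the "client"/"server" labels and all numbers are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Segment:
    src: str      # sender: "client" or "server" (constructed labels)
    seq: int      # sequence number
    ack: int      # acknowledgment number
    flags: str    # TCP flags as letters, e.g. "S", "SA", "A", "PA"
    payload: int  # bytes of application data carried

@dataclass
class FlowTracker:
    expected: dict = field(default_factory=dict)  # next seq we expect per side
    anomalies: list = field(default_factory=list)

    def observe(self, i: int, s: Segment) -> bool:
        """Return True if segment i fits the flow state; otherwise record why not."""
        exp = self.expected.get(s.src)
        if exp is None and "S" not in s.flags:
            self.anomalies.append((i, s.src, "data before SYN"))  # no ISN known yet
            return False
        if exp is not None and s.seq != exp:
            self.anomalies.append((i, s.src, f"expected seq {exp}, got {s.seq}"))
            return False
        peer_next = self.expected.get("server" if s.src == "client" else "client")
        if peer_next is not None and s.ack > peer_next:
            self.anomalies.append((i, s.src, f"acks unsent data {s.ack} > {peer_next}"))
            return False
        # SYN and FIN each consume one sequence number; data consumes its length
        self.expected[s.src] = s.seq + s.payload + ("S" in s.flags) + ("F" in s.flags)
        return True

def analyze(segments: list) -> FlowTracker:
    tracker = FlowTracker()
    for i, seg in enumerate(segments):
        tracker.observe(i, seg)
    return tracker

# Constructed exchange: handshake, 25 bytes of client data, then a segment that
# claims to come from the client but whose sequence number does not fit.
SAMPLE = [
    Segment("client", 1000, 0, "S", 0),
    Segment("server", 5000, 1001, "SA", 0),
    Segment("client", 1001, 5001, "A", 0),
    Segment("client", 1001, 5001, "PA", 20),
    Segment("server", 5001, 1021, "A", 0),
    Segment("client", 1021, 5001, "PA", 5),
    Segment("client", 1500, 5001, "PA", 5),  # out of sequence: flagged
]
```

Running `analyze(SAMPLE)` reports a single anomaly for the last segment; in a real capture, retransmissions also fail this strict check, so a production monitor would compare against the receive window rather than a single exact value.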