Introduction

The term session hijacking refers to an attacker's ability to take over a portion of a session (often a network conversation) and act as one of the participants. Session hijacking is usually an extension of sniffing, except that sniffing is passive and hijacking requires active participation.

Hijacking exploits the inherent weaknesses in most types of networks and unencrypted protocols, namely that the information passes in the clear. This is the same weakness that sniffing takes advantage of. In addition to monitoring, a hijacking attack may also inject a packet or frame pretending to be one of the communicating hosts. This act is similar to spoofing, except no guessing is involved all the necessary information is available to the attacker.

This chapter discusses what a hacker can accomplish with hijacking and the tools that are currently available to perform hijacking attacks.

Understanding Session Hijacking

Session hijacking is probably best explained with an example: Imagine that the hacker has accomplished enough of an attack or has positioned himself fortuitously so that he's able to monitor traffic between two machines. One of the machines is a server that he's been trying to break into. The other is obviously a client. In our example, the attacker catches the root user logging in via Telnet, and he successfully steals the password only to find out that it is an s/key one-time password. As the name implies, one-time passwords are used one time, so even if someone is monitoring and steals the password, it will do...