What is TCP Session hijacking

--> TCP Session hijacking is the attempt to overtake an already active session between two hosts.

--> TCP session hijacking is different from IP spoofing, in which you spoof an IP address or MAC address of another host. With IP spoofing, you still need to authenticate to the target.

--> With TCP session hijacking, the attacker takes over an already-authenticated host as it communicates with the target.

--> In TCP-based applications, sequence numbers inform the receiving machine which order to put the packets in if they are received out of order.

--> Sequence numbers are a 32-bit field in the TCP header. Therefore, they range from 1 to 4,294,967,295. Every byte is sequenced, but only the sequence number of the first byte in the segment is put in the TCP header.

--> To effectively hijack a TCP session, you must accurately predict the sequence numbers that are being used between the target and host.

--> Hijacking a TCP session requires an attacker to send a packet with a right seq-number, otherwise, they are dropped. The attacker has two options to get the right seq-number,

i) Non-blind spoofing

--> The attacker can see the traffic that is being sent between the host and the target.

-->  Non-blind spoofing is the easiest type of session hijacking to perform, but it requires attacker to capture packets using Wireshark or TCP dump as they are passing between the two machines.



ii) Bind Spoofing

--> The attacker cannot see the traffic that is being sent between the host and the target.

--> Blind spoofing is the most difficult type of session hijacking because it is nearly impossible to correctly guess TCP sequence numbers.

--> TCP sequence prediction is a type of blind hijacking because an attacker needs to make an educated guess on the sequence numbers between the host and target. 

0 Comments