LightBlog

Thursday 6 December 2018

Ethical Hacking Tutorials - What is Session Hijacking?



What is a Session?


A session is a semi-permanent interactive information interchange, also known as a dialogue, a conversation, or a meeting, between two or more communicating devices or between a computer and a user.

What is Session Hijacking?

In computer science, session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a computer system.

Types of Session Hijacking 


  • Active Session Hijacking
  • Passive Session Hijacking

Active Session Hijacking


Active session hijacking involves hijacking an already authenticated session.
In active session hijacking, the original user has logged in to an account or profile (e.g. a bank account or Facebook); the attacker then steals the cookies to hijack the active session and disconnects the original user from the server.
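From the defender's side, the cookie reuse described above shows up as one session ID being presented by more than one client. The Python below is an added example, not part of the original post; the log records, field names and severity levels are constructed assumptions.

```python
from collections import namedtuple

# Constructed sample access-log records (not real traffic).
Request = namedtuple("Request", "ts sid ip user_agent")

SAMPLE_LOG = [
    Request(1000, "sess-A", "198.51.100.10", "Firefox/63.0"),
    Request(1020, "sess-B", "198.51.100.22", "Chrome/70.0"),
    Request(1030, "sess-A", "198.51.100.10", "Firefox/63.0"),
    Request(1045, "sess-A", "203.0.113.77", "curl/7.61"),      # same cookie, new client
    Request(1050, "sess-A", "198.51.100.10", "Firefox/63.0"),  # original user still active
    Request(1900, "sess-B", "198.51.100.23", "Chrome/70.0"),   # IP changed, same browser
]

SEVERITY = {"low": 1, "high": 2}


def find_suspect_sessions(log):
    """Return alerts for requests whose client differs from the one that
    first presented the session ID (the client the session is bound to)."""
    bound = {}   # sid -> (ip, user_agent) seen on the session's first request
    alerts = []
    for req in sorted(log, key=lambda r: r.ts):
        fingerprint = (req.ip, req.user_agent)
        first = bound.setdefault(req.sid, fingerprint)
        if fingerprint == first:
            continue
        # A User-Agent should not change mid-session; an IP alone may change
        # legitimately (roaming, NAT), so that case is reported as low.
        level = "high" if req.user_agent != first[1] else "low"
        alerts.append((req.ts, req.sid, req.ip, level))
    return alerts


def worst_by_session(alerts):
    """Collapse alerts to the highest severity seen per session ID."""
    worst = {}
    for _, sid, _, level in alerts:
        if SEVERITY[level] > SEVERITY.get(worst.get(sid), 0):
            worst[sid] = level
    return worst


if __name__ == "__main__":
    for alert in find_suspect_sessions(SAMPLE_LOG):
        print(alert)
```

A session flagged "high" is a candidate for invalidation and forced re-authentication; "low" alerts are better correlated with other signals before acting.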


Passive Session Hijacking

In passive session hijacking, the attacker does not hijack an active session. Instead, the attacker sits silently on the same network and records the login credentials while the original user is trying to establish a new connection with the server.

Spoofing VS Session Hijacking 


In a spoofing attack, the valid user may still be active, but the attacker will utilize that user's identity and/or data (the valid user's session is not interrupted).

In a spoofing attack, the valid user must not be active so that the attacker may access the IP address or other identifying data, masquerading as the valid user until the valid user's session becomes active again.

A session hijacking attack occurs when a hacker steals the session key or magic cookie, taking over the session and disconnecting the valid user.

A session hijacking attack occurs when a hacker steals the session key or magic cookie, taking over the session without disconnecting.

Advantages of Session Hijacking for the Attacker


The advantage of this type of attack is the ability to gain access to a server without having to authenticate to it.
Once the attacker hijacks a session, they no longer have to worry about authenticating to the server as long as the communication session remains active.

A successful session hijack attack also allows the attacker to issue commands to servers on the network.

Session hijacking is also very easy to do, especially on older operating systems.
However, the session hijack attack does not depend on specific software or hardware vulnerabilities, but rather on a design limitation within the TCP/IP protocol, which does not guarantee security once the connection is made.

When a successful attack is achieved, the attacker has the ability to read and modify data, violating the confidentiality and integrity portions of the model. Availability is also affected by the session hijack attack due to ARP storms and denial-of-service conditions that are a by-product of the attack.

Procedural Overview of the Session Hijack Attack

  • Locating Target
  • Find Active Session
  • Perform Sequence Number Prediction
  • Take one of the Parties Offline
  • Take over the Session and Maintain the Connection


