Certified Ethical Hacker - Part 10-1 - Session Hijacking

by Riazul H. Rozen
Jan. 30, 2018 | Certifications: CEH

Session Hijacking

For two systems to communicate, a TCP connection must first be established between them. Session hijacking occurs when an attacker takes over that established connection. The attack is feasible because authentication usually happens only at the beginning of the session; afterwards, the session ID alone identifies the user. By stealing a legitimate session ID and presenting it to the server, attackers validate themselves as the victim and can gather personal information, which can pose a serious problem for the victim.


Attackers gain access to the system by sniffing traffic, which enables them to carry out crimes such as identity theft, information theft or fraud. Spoofing and hijacking are often confused, since both are methods of obtaining information through a victim's machine, but the two techniques are different.

How Session Hijacking works
  • Hijacking works by taking over an ongoing session, giving the attacker access to private information, whereas spoofing does not take place within an active session: the attacker has already stolen information from the victim and uses it to start a new session.
  • Spoofing uses impersonation, with the attacker pretending to be another user in order to gain the victim's trust. Hijacking, on the other hand, relies on a legitimate user having already authenticated the session before the attacker takes over the connection.

Session hijacking usually succeeds because of weak security measures around the communication between the target systems. For instance, sessions often have no time limit, so they remain valid for as long as possible, giving attackers ample time to hijack them and perform nefarious activities. Other weaknesses that give attackers the opportunity to hijack sessions are:

  • No mechanism checks generated session IDs to distinguish legitimate ones from forged ones.
  • Session IDs are not protected as well as they should be, leaving them exposed to attackers.
  • The algorithms used to generate session IDs are weak.
  • Systems that communicate over plain TCP/IP are generally vulnerable.
  • Most protective measures only work if the session traffic is encrypted.

Types of Session Hijacking

Active Hijacking

Here, the attacker takes over the communication session, acts as one of the two communicating parties, and extracts information through impersonation.


Passive Hijacking

The attacker intercepts communication between the two systems but does not take part in their interaction; instead, it records all the information in the traffic between them.

Network level Hijacking

This method allows the attacker to intercept packets during TCP sessions, while the client and server exchange information.

Application level Hijacking

Here, the attacker focuses on taking over the user's HTTP session by obtaining the session ID.


Techniques for Session Hijacking

Attackers use various means to retrieve session IDs, typically by sniffing the traffic between the two communicating parties. Some of these methods are:


One of the methods for stealing a session ID uses the HTTP referrer header. The victim is redirected to the attacker's website; if the victim's session ID is carried in the URL of the page they came from, the browser sends that URL, session ID included, in the referrer header of the request to the attacker's site. This process cannot succeed without a malicious link which, when clicked by the victim, starts the session ID theft. Other stealing techniques include:
  • Traffic sniffing.
  • Deploying Trojans on target systems.
  • Cross-site-scripting attacks.


Here, the attacker watches the variable parts of session IDs and tries to work out which session ID belongs to the victim.

Brute force

This technique is also known as session prediction; it succeeds when the range of possible values for a targeted session ID is small. The attacker collects a number of session IDs and tries to guess the correct ID for the target.
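The weak ID generation listed earlier and the brute-force technique above are two sides of the same problem. As an added illustration (not code from the original article), this Python audit estimates how much entropy a sample of session IDs actually carries and what that means for guessing time; the counter-based weak generator, the 64-bit threshold and the guess rate are constructed assumptions.

```python
import math
import secrets
from collections import Counter

def estimate_entropy_bits(ids):
    """Sum of per-position Shannon entropies over a sample of equal-length IDs.

    A heuristic upper bound: it ignores correlation between positions, so a low
    score is damning while a high score is only reassuring, not a proof."""
    if not ids or len({len(i) for i in ids}) != 1:
        raise ValueError("need a non-empty sample of equal-length IDs")
    n = len(ids)
    total = 0.0
    for pos in range(len(ids[0])):
        counts = Counter(i[pos] for i in ids)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total

def expected_guess_seconds(entropy_bits, guesses_per_second):
    """Expected time to hit one valid ID by blind guessing: half the keyspace."""
    return 2 ** (entropy_bits - 1) / guesses_per_second

def weak_ids(count, start=1000):
    # Constructed weak generator: a zero-padded counter, as in a naive "next ID" scheme.
    return [f"{start + k:08d}" for k in range(count)]

def strong_ids(count):
    # 16 bytes from the OS CSPRNG, hex-encoded to 32 characters (128 bits).
    return [secrets.token_hex(16) for _ in range(count)]

def audit(ids, guesses_per_second=10_000, minimum_bits=64):
    """Flag a session ID scheme whose estimated entropy is below minimum_bits
    (64 bits is an assumed baseline); guesses_per_second is an assumed rate."""
    bits = estimate_entropy_bits(ids)
    return {
        "bits": round(bits, 1),
        "ok": bits >= minimum_bits,
        "expected_guess_seconds": expected_guess_seconds(bits, guesses_per_second),
    }

if __name__ == "__main__":
    for name, sample in (("counter", weak_ids(500)), ("csprng", strong_ids(500))):
        print(name, audit(sample))
```

Run it against a few hundred IDs issued by your own application: a sequential or timestamp-based scheme scores in the single digits or low tens of bits, while a CSPRNG-based one scores well above the threshold.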


The attacker sits between the two communicating systems, observes the flow of packets between them, and tries to guess the TCP sequence number. Once the sequence number is guessed, the attacker sends data to the server before the next packet reaches the victim machine.

Session desynchronization

Here, the attacker tries to break communication between the victim machine and its communicator.

Command Injection

The attacker injects packets into the connection with the target server.

How to Counter Session Hijackings

Instructions for web developers

  • Use complex algorithms, so that session IDs are long and difficult to compromise.
  • Change the session ID after a successful login to limit session fixation.
  • Ensure that data and session keys used by users and transmitted through servers are encrypted.
  • Prevent network level eavesdropping.
  • Shorten the lifetime of a session or cookie by ensuring the session expires when the user logs out.

Instructions for Web Users

  • Protect systems from malicious links by using firewalls.
  • Do not click on links or open websites that are not trusted.
  • Restrict cookies with firewall and browser settings.
  • Clear cookies, history and other sensitive information from web browsers after important transactions.
  • If a website requires login details, log out after every session.
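The developer countermeasures above, worked through as an added Python example that is not part of the original article: long random IDs, a fresh ID at login, idle and absolute expiry, server-side invalidation at logout, and response headers that keep the ID in a cookie rather than a URL, so it does not leak through the referrer header described earlier. The timeout values, the class and the header helper are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # assumed: seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed: hard cap on lifetime regardless of activity

class SessionStore:
    """In-memory session store (hypothetical) applying the developer countermeasures."""

    def __init__(self, clock=time.time):
        self._clock = clock     # injectable clock so expiry can be exercised in tests
        self._sessions = {}     # session_id -> {"user", "created", "last_seen"}

    def create(self, user=None):
        # 32 bytes from the OS CSPRNG: long, unpredictable, never sequential.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def login(self, old_sid, user):
        """Issue a fresh ID at login; the pre-login ID (possibly planted by an
        attacker for session fixation) stops working immediately."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def get(self, sid):
        """Return the session record, or None if the ID is unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]   # expired: remove so it cannot be replayed later
            return None
        s["last_seen"] = now
        return s

    def logout(self, sid):
        """Invalidate server-side, so a copied cookie is useless after logout."""
        return self._sessions.pop(sid, None) is not None

def session_headers(sid):
    """Response headers that keep the ID in a cookie rather than a URL:
    HttpOnly blocks script access (XSS theft), Secure keeps it off plaintext HTTP,
    SameSite=Strict stops cross-site sending, and no-referrer stops URL leakage."""
    return {
        "Set-Cookie": f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Strict",
        "Referrer-Policy": "no-referrer",
    }
```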


IPSec

IPSec is a security measure designed to protect against session hijacking by encrypting and authenticating the data in each IP packet transmitted during communication. It is used mostly to implement virtual private networks for remote user access.

Components of IPSec

These consist of several software components that together provide data integrity, confidentiality, replay protection, data origin validation and network level authentication.

IPSec drivers: these use internet level protocols to encrypt and decrypt data packets.

Internet key exchange: this generates the security keys used by IPSec and other protocols.

Internet security association and key management protocol: this mechanism allows two systems to communicate easily and securely by encrypting the data transmitted between them.

Oakley: this protocol uses the Diffie-Hellman algorithm to derive and initiate two keys: a master key and a regenerative key, which is used to start data transfer for each IPSec session.

IPSec policy agent: this retrieves the IPSec policy settings from Active Directory and sends the configuration to the system at startup.

Published with the express permission of the author.