TCP session hijacking is the act of taking a user's or client's place after it has already established a TCP connection with a server. Typically, the user or client device has already authenticated, and the attacker wants to take over the connection without having to provide any credentials. This attack depends on several conditions to work:
- The session must use a cleartext protocol that can be sniffed, such as telnet, FTP, or rlogin.
- The attacker must be able to observe and correctly anticipate the TCP sequence numbers (initial sequence numbers are randomized to hinder hijacking, but once a session is established the numbers can be tracked and predicted by sniffing the traffic).
- The packets must not be digitally signed.
The high-level steps for TCP session hijacking are:
- Watch the client/server TCP sequence numbers increment (may require ARP poisoning).
- Send the client some spoofed TCP FIN packets so it thinks the server wants to end the session (alternatively, conduct and sustain some other denial-of-service attack against the client).
- Spoof your IP and/or MAC address to pretend you are the client.
- Once the client has disconnected, smoothly continue the conversation with the server.
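The sequence-number tracking described above is also what a passive monitor uses to notice a hijack from the defender's side. The following is an added example (not from the original notes) that flags two indicators of a desynchronised session: a second segment reusing a sequence number with different bytes (a genuine retransmit repeats the same bytes), and a run of payload-less ACKs (the ACK storm that follows a hijack). The endpoints, packets and threshold are constructed for illustration.

```python
"""Flag TCP segments that suggest a hijacked session (added example, constructed data)."""
from collections import namedtuple

# One captured TCP segment: endpoints as "ip:port" strings, flags as letters (S, A, P, F).
Segment = namedtuple("Segment", "src dst seq flags payload")

ACK_STORM_THRESHOLD = 6  # consecutive data-less ACKs before alerting (assumed tuning value)

def analyze(segments):
    """Return a list of (index, reason) alerts for an ordered list of segments."""
    seen = {}       # (src, dst, seq) -> payload first observed at that stream position
    alerts = []
    idle_acks = 0   # current run of pure ACKs that carry no data
    for i, seg in enumerate(segments):
        is_pure_ack = seg.flags == "A" and not seg.payload
        idle_acks = idle_acks + 1 if is_pure_ack else 0
        if idle_acks == ACK_STORM_THRESHOLD:
            alerts.append((i, "ack storm: %d data-less ACKs in a row" % idle_acks))
        if not seg.payload:
            continue
        # Two senders competing for the same position in the stream show up as a
        # "retransmission" whose bytes differ from what was first seen there.
        key = (seg.src, seg.dst, seg.seq)
        prior = seen.setdefault(key, seg.payload)
        if prior != seg.payload:
            alerts.append((i, "overlapping segment with different data at seq %d" % seg.seq))
    return alerts

# Constructed telnet-style exchange: client C talks to server S on port 23.
C, S = "10.0.0.5:40000", "10.0.0.9:23"
SAMPLE = [
    Segment(C, S, 1000, "PA", b"ls\r\n"),
    Segment(S, C, 5000, "PA", b"notes.txt\r\n"),
    Segment(C, S, 1004, "PA", b"cd /tmp\r\n"),         # first segment at seq 1004
    Segment(C, S, 1004, "PA", b"cat notes.txt\r\n"),   # same seq, different bytes
] + [  # six alternating pure ACKs with no sequence progress
    Segment(C, S, 1013, "A", b"") if k % 2 == 0 else Segment(S, C, 5011, "A", b"")
    for k in range(6)
]

if __name__ == "__main__":
    for index, reason in analyze(SAMPLE):
        print("segment %d: %s" % (index, reason))
```

On the constructed sample this reports the overlapping segment at index 3 and the ACK storm at index 9; on a real capture, tune the threshold and expect benign retransmits that were re-segmented to need whitelisting.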
TCP Session Hijacking Tools
Common tools used for TCP session hijacking include:
Note: For more information about TCP session hijacking, see https://www.sans.org/reading-room/whitepapers/windows/session-hijacking-windows-networks-2124