Network Level Session Hijacking

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

7 hours 6 minutes
Video Transcription
everyone welcome back to the course. So in this video, we're gonna talk about network level session hijacking, so we'll talk about
different types of network level session hijacking attacks.
So what is network level session hijacking? First, though, this is basically where the attacker is attacking or hijacking a transport or Internet protocol, which which are what's used by Web applications in the application layer. And so, by doing that, they're able to gather critical information which can then be used to actually attack the application layer
level application level there,
which we talked about in the previous video. So there's many types of attacks that they could do. They could do blind attacks. They could do RST attacks. So blind hijacking RST hijacking. They could do TCP I p hijacking UDP hijacking. They could do things like man in the middle attacks, sniffing attacks
as well as things like i p spoofing attacks as well.
So we have T c p I p hijacking. And this is essentially the attacker spoofing packets to help take over that connection between the client and the server. And so essentially, the goal with this is to try to get that clients session toe hang up.
And that way the attacker could then directly be communicating with that server.
Now for this toe. Work the devices so the attacker need to be on the same network as that client. But the target
could be anywhere, right? So that the server machine could be anywhere but the the actual client machine needs to be on the same network as the attacker.
So what the attacker does is essentially they sniff the clients
connection, then they use that clients i p address to send a spoofed packet
to the to the server with that predicted sequence number. So they're gonna wait and try to predict what the token is, right? What the next I d is gonna be, and then send that on to the server and establish that communication.
What happens is the server will then send the acknowledgement packet back. Right. So they're sending this in packet, but the acknowledgment pack, it's gonna come back to the victim. Right? So the client machine
and it's gonna hang them hang their session because they're continuously getting these packets back because the Attackers sending the spoofed packets with the I P address of the victim for the response.
So with the i p spoofing a source brought of packets basically trusted host
I p address is gonna be spoofed. And so the server then is assuming that Hey, this is from the trusted host on what the attacker does inject forge packets before the host can actually respond to the server. So before that client can respond to the server, they're injecting forge packets.
And so the original package from that host machine, that client machine
is gonna be lost. And the only thing that server gets is the packet from the attacker
RST hijacking eyes. Basically, where the the attacker injects authentic looking reset packet or are CPAC, it's using a spoofed source i p address.
And also, they're going to need to do predict the acknowledgement number
for that communication.
And so if the attacker is successful, they could basically reset our client system or are victims session? Uh, system. They could reset that connection. Uh, and the client believes that the server sent that require RST packer. Right? So it believes that this is coming from
the server itself. And so that's why the client system is gonna perform that reset
and we can use tools for the RC hijacking like cola soft packet builder as well as TCP dumb.
So then we have our blind hijacking. This is where the attacker injects malicious data or commands into the communications that they sniff. Right? So that intercepted TCP session, even if you've got source routing disabled and so
the attacker can send these commands, but they're not gonna actually be able to see the response to those commands.
We have our man in the middle attack and so similar to what we have seen with the application level theater. Acker's gonna basically sniff that communication stream and then inject forge packets So this might be Ford's ICMP messaging. This might be also forge. AARP replies,
and then we have UDP hijacking. So this is basically where the attacker sends afford server reply to the client to the clients UDP request before the server before our Web server can actually reply to it.
And then this is used in conjunction with the man in the middle attacks. So essentially, the attacker is intercepting that response from the server. So the client never sees that on. They just see the fake reply from the attacker.
So just a quick, quick question here for you and this type of network level session hijacking attack. The attacker must be on the same network as a victim. But the target server, the target can be on a separate network.
Is that gonna be TCP I p? Is that gonna be blind? Is that gonna be i p spoofing the source right of packets, or is it gonna be the RST hijacking?
Right. So if you guess the TCP i p you are correct again, that one requires you as the attacker and the client to be on the same network.
So in this video, we just talked about network level session hijacking as well as some of the different attack types.
Up Next