Summary

This chapter introduced session hijacking, which is the process of taking over an already existing TCP session between two hosts. This is especially dangerous because malicious hackers do not need to know passwords to gain access to systems; they merely need to take over an authenticated session between a host and a server.

You can accomplish session hijacking using tools such as Hunt and T-Sight.

You can detect session hijacking attempts by using packet sniffers or IDSs or by monitoring your network for symptoms like hanging applications.

To prevent session hijacking, use encrypted communications. Use switches instead of hubs to minimize the threat in shared Ethernet environments. Disable Telnet access to network devices such as routers and switches, and use secure protocols such as SSH when available.

Session hijacking is a scary reality that network administrators need to be aware of. Not taking steps to detect and prevent these attacks is negligence.

Like all topics covered in this book, be sure to read up on the latest session hijacking techniques regularly. Review such web sites as the SANS reading room (http://www.sans.org), Phrack magazine (http://www.phrack.com), and the Security Focus web portal (http://www.securityfocus.com).