Tuesday, April 12, 2011

Session Hijacking : How to hack online Sessions

Hello friends, i am back and from now onwards we will explore the most advanced Hacking Techniques. One of them is Session Hijacking. In today's tutorial we will discuss How to hack the online sessions using Session Hijacking. In today's Hacking class, i will explain basics of Session Hijacking like What is session Hijacking and Different types of Session Hijacking attacks and different methods to Hijack the sessions. In my next tutorial that is tomorrow i will explain you in Detail How to Hijack the Sessions and what tools you will need to Hijack the active sessions. So friends read on...

How to hack online sessions, session hijacking
How Session Hijacking works

What is Session Hijacking?
Let's discuss them in common term's, Session Hijacking by the name only it suggests that we are hacking someone's active session and trying to exploit it by taking the unauthorized access over their computer system or Network. So Session Hijacking is the exploitation of valid computer or network session. Sometimes technical guys also call this HTTP cookie theft or more correctly Magic Cookie Hack. Now you guys surely be thinking what is Magic Cookie.
Magic cookie is simply a cookie that is used to authenticate the user on remote server or simply computer. In general, cookies are used to maintain the sessions on the websites and store the remote address of the website. So in Session Hijacking what Hacker does is that he tries to steal the Magic cookies of the active session that's why its called HTTP cookie Theft. Nowadays several websites has started using HTTPS cookies simply called encrypted cookies. But we all know If encrypter exits so its decrypter also :P..

Session Hijacking is the process of taking over a existing active session. One of the main reason for Hijacking the session is to bypass the authentication process and gain the access to the machine. Since the session is already active so there is no need of re-authenticating and the hacker can easily access the resources and sensitive information like passwords, bank details and much more. 

Different Types of Session Hijacking
Session Hijacking involves two types of attacks :
1. Active attack
2. Passive attack

In Passive attack, the hacker Hijacks a session, but just sits back and watches and records all the traffic that is being sent from the computer or received by the computer. This is useful for finding the sensitive information like username passwords of websites, windows and much more...

In Active attack, hacker finds the active session and takes over it. This is done by forcing one of the parties offline which is usually achieved by DDOS attack (Distributed Denial of service attack) . Now the hacker takes control over the active session and executes the commands on the system that either give him the sensitive information such as passwords or allow him to login at later time.
 There are also some hybrid attacks, where the attacker watches a session for while and then becomes active by taking it over. Another way is to watch the session and periodically inject data into the active session without actually taking it over.

Methods to Hijack Sessions
 There are four main methods used to perpetrate a session hijack. These are:

  • Session fixation, where the attacker sets a user's session id to one known to him, for example by sending the user an email with a link that contains a particular session id. The attacker now only has to wait until the user logs in.
  • Session sidejacking, where the attacker uses packet sniffing to read network traffic between two parties to steal the session cookie. Many web sites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. This allows attackers that can read the network traffic to intercept all the data that is submitted to the server or web pages viewed by the client. Since this data includes the session cookie, it allows him to impersonate the victim, even if the password itself is not compromised. Unsecured Wi-Fi hotspots are particularly vulnerable, as anyone sharing the network will generally be able to read most of the web traffic between other nodes and the access point.
  • Alternatively, an attacker with physical access can simply attempt to steal the session key by, for example, obtaining the file or memory contents of the appropriate part of either the user's computer or the server.
  • Cross-site scripting, where the attacker tricks the user's computer into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.
That's all for today tomorrow we will discuss in detail How to do the Session Hijacking practically. 
I hope you all like this...
If you have any queries ask me in form of comments...


  1. Nice tutorial brother...keep it up

  2. awsome trick lokesh...
    and pls keep checking ur mails nd comments on previous posts also ;-) ;-)..

    can u pls post a tutorial on how to share files using ftp?
    or what is best way to share files on a local network.?

  3. vary nice tutorials

  4. in session fixation.............
    how can we generate tath particular id and what is that id link????

  5. nice dude keep it up best of luck...

  6. Hello,

    i want to say thank you for a great job you've done on your blog.
    I have a software download website and I also write articles for people to help them with their computers and software. Is it possible to place this article on your blog as a guest post?

    Andy G.

  7. lokesh bahi.... kaha tha itne din se????
    Awesome tutorial....

  8. visit http://worldhackerz.blogspot.com/
    for mare tricks than lokesh

  9. nice work lokesh i got a question is it normal for 2 computers to have the same ip address ? me and my friend got the same ip address also i'm trying to install backtrack but i'm wondring when i install it, is it going delete the other files in the same hard drive ????? thank u & please answer as soon as possible :) thx again

  10. @Anonymous

    No its not good to have 2 computers same IP...
    IP conflict error will come and that will make the later disconnect from the network or result into no packet transfer.

    Also there can be system who has same IP address. But note their broadcast address or subnet should be different. And on LAN two computers with same IP can work.

    But on Internet as IP address is the network address so it can't be same. But the above case that different broadcast address and subnet also works here to...

  11. @Mike Niller

    Yes brother its possible, you can write articles on my website as Guest. For this contact me at shiviskingg@gmail.com

    So that i can provide you guest privileges to write posts.

  12. lokesh bhai hosting websites par HTML pages upload nahi ho rahe hai..now what should we do...plz tell..i m asking many times ...Please tell immediately as possible...

  13. @Ashish
    Yes, some websites have blocked that. You can use new website .

  14. ip address

  15. hey brother!
    i am preparing dessertation on session hijacking security,so could you please blog on that


Please do not spam.

Designed by Hackingloops.