Session hijacking is synonymous with a stolen session, in which an attacker intercepts
and takes over a legitimately established session between a user and a host. The user–host
relationship can apply to access to any authenticated resource, such as a web server, Telnet
session, or other TCP-based connection. Attackers place themselves between the user and
host, thereby letting them monitor user traffic and launch specific attacks. Once a successful
session hijack has occurred, the attacker can either assume the role of the legitimate
user or simply monitor the traffic for opportune times to inject or collect specific packets to
create the desired effect.
In its most basic sense, a session is an agreed-upon period of time under which the connected
state of the client and server is vetted and authenticated. This simply means that
both the server and the client know (or think they know) who each other are, and based
on this knowledge, they can trust that data sent either way will end up in the hands of the
If a session hijack is carried out successfully, what is the danger? Several events can take
place at this point, including identity theft and data corruption.
How an attacker steals the session ID
An attacker carrying out a session hijack is seeking to take over a session for their own
needs. Once they have taken over a session, they can then go about stealing data, issuing
commands, or even committing transactions that they wouldn’t be able to otherwise.
Session hijacks are easy to launch. TCP/IP is vulnerable, and most countermeasures,
except for encryption, do not work. The following also contribute to the success of session
■■ No account lockout for invalid session IDs
■■ Insecure handling
■■ Weak session ID generation algorithm
■■ Indefinite session expiration time
■■ Cleartext transmission
■■ Small session IDs
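As an added example (not from the original text), the following Python sketch shows the server-side countermeasures that correspond to the weaknesses in the list above: a cryptographically random ID of adequate size instead of a small, predictable one, an idle expiration, a lockout counter for clients that keep presenting invalid IDs, and cookie attributes that keep the ID off cleartext channels and away from page scripts. The timeout and lockout threshold are assumed values chosen for illustration.

```python
import math
import secrets

# Constructed values for this example, not settings taken from any product.
SESSION_TTL_SECONDS = 15 * 60   # idle timeout; counters "indefinite session expiration"
MAX_INVALID_LOOKUPS = 5         # counters "no account lockout for invalid session IDs"


def weak_session_id(counter: int) -> str:
    """Short sequential ID: the 'small ID' and 'weak generation' cases in the list."""
    return f"{counter:06d}"

def strong_session_id() -> str:
    """128 bits from the OS CSPRNG, base64url-encoded: not guessable or enumerable."""
    return secrets.token_urlsafe(16)

def entropy_bits(session_id: str, alphabet_size: int) -> float:
    """Upper bound on guessing entropy if every character were uniformly random."""
    return len(session_id) * math.log2(alphabet_size)


class SessionStore:
    """Server-side session table with idle expiry and invalid-ID lockout."""

    def __init__(self, ttl: int = SESSION_TTL_SECONDS, max_invalid: int = MAX_INVALID_LOOKUPS):
        self.ttl, self.max_invalid = ttl, max_invalid
        self._sessions = {}   # session id -> {"user": ..., "last_seen": ...}
        self._invalid = {}    # client address -> count of unknown IDs presented

    def create(self, user: str, now: float) -> str:
        sid = strong_session_id()
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def cookie_header(self, sid: str) -> str:
        # Secure: never sent in cleartext; HttpOnly: unreadable by page scripts.
        return f"session={sid}; Secure; HttpOnly; SameSite=Lax; Max-Age={self.ttl}"

    def lookup(self, sid: str, client: str, now: float):
        """Return the user for a valid, unexpired ID, otherwise None."""
        if self._invalid.get(client, 0) >= self.max_invalid:
            return None                        # this client is locked out for guessing
        rec = self._sessions.get(sid)
        if rec is None:
            self._invalid[client] = self._invalid.get(client, 0) + 1
            return None
        if now - rec["last_seen"] > self.ttl:
            del self._sessions[sid]            # idle too long: force re-authentication
            return None
        rec["last_seen"] = now
        return rec["user"]
```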
Spoofing vs. Hijacking
Before we go too far, you should know that spoofing and hijacking are two distinctly different
Spoofing occurs when an attacking party pretends to be something or someone else,
such as a user or computer. The attacker does not take over any session.
In hijacking, the attacker takes over an existing active session. In this process, the
attacker waits for an authorized party to establish a connection to a resource or service and
then takes over the session.
The process of session hijacking looks like this:
Step 1: Sniffing You must be able to sniff the traffic on the network between the two
points that have the session you wish to take over.
Step 2: Monitoring At this point your goal is to observe the flow of traffic between the
two points with an eye toward predicting the sequence numbers of the packets.
Step 3: Session Desynchronization This step involves breaking the session between the
Step 4: Session ID Prediction At this point, you predict the session ID itself (more on that
later) to take over the session.
Step 5: Command Injection At this final stage, as the attacker you are free to start injecting
commands into the session targeting the remaining party (most likely a server or other
For stealing cookies, there is a plugin for the Chrome browser, EditThisCookie.
EditThisCookie is used to take cookies from the victim's browser and reuse them for the attacker's own purposes.
c_user is the victim's user ID on the social media site (for example, Facebook); the c_user ID of any victim can be found in the view-source section of the victim's page.
xs is the session ID, which is the important value to obtain.
Tools to get session IDs
Cookies folder location in Windows 10/8/7
To see where Internet Explorer stores its Cookies in Windows 10/8.1/8/7/Vista, open Explorer > Organize > Folder Options > Views > Check ‘Do not show hidden files and folders’ and Uncheck ‘Hide protected OS files’ > Apply > OK.
Now you will be able to see the two real locations of Windows Cookies folders at the following address in Windows 7:
In Windows 8 and Windows 8.1, the Cookies are stored in this folder:
In Windows 10 you may open Run box, type shell:cookies and hit Enter to open the Cookies folder. It is located here: