Detect Session Hijacking using Wireshark
Wireshark allows you to capture and interactively browse the traffic running on a network. The tool uses WinPcap to capture packets, and so is only able to capture packets on networks that are supported by WinPcap. It captures live network traffic from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, and FDDI networks. Security professionals can use Wireshark to monitor and detect session hijacking attempts.
Here, we will use Wireshark to manually detect a session hijacking attack against the target system.
We will use the Parrot Security (10.10.10.13) machine to carry out a session hijacking attack on the Windows 10 (10.10.10.10) machine.
- Click the Windows 10 machine.
- The Wireshark Network Analyzer window opens. Double-click the primary network interface (in this case, Ethernet 2) to start capturing network traffic.
- Wireshark starts capturing network traffic. Leave it running.
- Now, we shall launch a session hijacking attack on the target machine (Windows 10) using bettercap.
- Click the Parrot Security machine.
- Click the MATE Terminal icon at the top of the Desktop window to open a Terminal window.
- A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as the root user.
- Now, type cd and press Enter to jump to the root directory.
- In the terminal window, type bettercap -iface eth0 and press Enter to set the network interface.
- -iface: specifies the interface to bind to (in this example, eth0).
- Type net.probe on and press Enter. This module sends different types of probe packets to each IP in the current subnet so that the net.recon module can detect them.
- Type net.recon on and press Enter. This module periodically reads the system ARP table to detect new hosts on the network.
- The net.recon module displays the active IP addresses detected in the network. In real time, this module will start sniffing network packets.
- Type net.sniff on and press Enter. This module performs sniffing on the network.
- You can observe that bettercap starts sniffing network traffic from different machines in the network, as shown in the screenshot.
- Click Windows 10 to switch back to the Windows 10 machine and observe the huge number of ARP packets captured by Wireshark, as shown in the screenshot.
- bettercap sends ARP broadcast requests to every host (or potentially active host) in the subnet. A high number of ARP requests from one source indicates that the system at 10.10.10.13 (the attacker's system in this task) is acting as an intermediary for all the IP addresses in the subnet: every packet from the victim node (in this case, 10.10.10.10) first goes to the attacker's host (10.10.10.13) and only then to the gateway. Similarly, any packet destined for the victim node is first forwarded from the gateway to the attacker's host, and then from that host to the victim node.
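The two symptoms described above can be checked outside the Wireshark GUI as well. The following Python script is an added example (not part of the lab and not bettercap or Wireshark code): it reads ARP metadata in the tab-separated form tshark exports for the fields named in the comment, flags any host that ARP-requests more than a threshold of distinct addresses inside a short window (the probe sweep), and flags any IP address that is claimed by more than one MAC (the overwritten gateway or victim binding). The capture lines, the MAC addresses and the threshold values are constructed for the example.

```python
"""Flag the two ARP symptoms the lab points at in the Wireshark capture:
(1) one host ARP-requesting a large share of the subnet in a short window, the
pattern a probe sweep such as net.probe produces, and (2) one IP address being
claimed by more than one MAC, which is what an overwritten gateway or victim
binding looks like. Input is ARP metadata in the tab-separated form tshark
emits for the fields named below; the sample traffic is constructed.
Added example, not part of the original lab."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed export command for a real capture (not from the lab):
#   tshark -r capture.pcapng -Y arp -T fields -e frame.time_relative \
#       -e arp.opcode -e arp.src.hw_mac -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4


@dataclass(frozen=True)
class ArpRecord:
    ts: float        # seconds since start of capture (frame.time_relative)
    opcode: int      # 1 = request, 2 = reply
    sender_mac: str  # arp.src.hw_mac
    sender_ip: str   # arp.src.proto_ipv4
    target_ip: str   # arp.dst.proto_ipv4


def parse_tshark_line(line: str) -> ArpRecord:
    """Parse one tab-separated tshark field line into an ArpRecord."""
    ts, opcode, smac, sip, tip = line.rstrip("\n").split("\t")
    return ArpRecord(float(ts), int(opcode), smac.lower(), sip, tip)


# Constructed sample: the gateway replies to the victim, then 10.10.10.13
# requests every address in the /24 over about 2.5 s, then it answers for
# the gateway's IP with its own MAC.
GATEWAY_MAC = "00:50:56:aa:bb:01"   # constructed gateway MAC
ATTACKER_MAC = "00:0c:29:de:ad:13"  # constructed attacker MAC
SAMPLE_LINES = (
    [f"0.000\t2\t{GATEWAY_MAC}\t10.10.10.1\t10.10.10.10"]
    + [f"{1 + i / 100:.3f}\t1\t{ATTACKER_MAC}\t10.10.10.13\t10.10.10.{i}"
       for i in range(1, 255)]
    + [f"4.000\t2\t{ATTACKER_MAC}\t10.10.10.1\t10.10.10.10"]
)


def detect_arp_sweep(records, window=2.0, threshold=50):
    """Return {sender_ip: peak_distinct_targets} for senders whose ARP requests
    cover more than `threshold` distinct target IPs inside any `window` seconds.
    Normal hosts ask for a handful of peers; a sweep asks for the whole subnet."""
    by_sender = defaultdict(list)
    for r in records:
        if r.opcode == 1:
            by_sender[r.sender_ip].append(r)
    flagged = {}
    for sender, reqs in by_sender.items():
        reqs.sort(key=lambda r: r.ts)
        in_window = Counter()   # target_ip -> requests currently inside the window
        start, peak = 0, 0
        for r in reqs:
            in_window[r.target_ip] += 1
            while r.ts - reqs[start].ts > window:   # slide the window forward
                old = reqs[start].target_ip
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            flagged[sender] = peak
    return flagged


def detect_ip_mac_conflicts(records):
    """Return {ip: [mac, ...]} for sender IPs claimed by more than one MAC, in
    order of first appearance; the first MAC is the binding the LAN saw first."""
    claims = defaultdict(dict)          # ip -> {mac: first ts}
    for r in records:
        claims[r.sender_ip].setdefault(r.sender_mac, r.ts)
    return {ip: list(macs) for ip, macs in claims.items() if len(macs) > 1}


def analyse(lines):
    """Run both checks over tshark field lines."""
    records = [parse_tshark_line(line) for line in lines]
    return {
        "sweeps": detect_arp_sweep(records),
        "conflicts": detect_ip_mac_conflicts(records),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LINES)
    for ip, n in result["sweeps"].items():
        print(f"ARP sweep: {ip} requested {n} distinct hosts within 2 s")
    for ip, macs in result["conflicts"].items():
        print(f"IP/MAC conflict: {ip} claimed by {' and '.join(macs)}")
```

Inside Wireshark the same two checks map onto display filters: `arp.opcode == 1` isolates the request flood seen in the lab, and the ARP dissector's expert-info field `arp.duplicate-address-detected` marks frames where an IP address appears with a second MAC. The sweep check on its own is a weak indicator, since an inventory scanner or monitoring host also asks for the whole subnet; the IP-to-MAC conflict, especially on the gateway's address, is the signal that the victim's traffic is actually being redirected.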
- This concludes the demonstration of how to detect a session hijacking attack using Wireshark.