Flood the Server with ACK Packets
An attacker can flood the server with ACK packets containing different
sequence numbers, and hope that they get processed. This is a type of
man-in-the-middle attack. It has the disadvantage that for each packet
with an incorrect sequence number, the server will send an ACK packet
back to the correct client machine with its own sequence number, and
the sequence number that the server is expecting.
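The side effect described above is also what a defender can watch for: many client-to-server segments whose sequence numbers fall far outside what the stream expects. The following detection sketch is an added example, not part of the original post; the window size, threshold, interval, tuple layout and sample traffic are all assumptions.

```python
from collections import defaultdict, deque

MOD = 2**32
WINDOW = 65535      # assumed receive window (bytes)
THRESHOLD = 5       # off-window segments tolerated per flow per interval
INTERVAL_MS = 1000  # assumed sliding interval

def in_window(seq, expected, window=WINDOW):
    """True if seq is in [expected, expected + window), modulo 2**32."""
    return (seq - expected) % MOD < window

def detect_seq_flood(packets):
    """packets: (ts_ms, src, dst, seq, payload_len), client-to-server only.
    Returns {flow: ts_ms of the first alert}."""
    expected, misses, alerts = {}, defaultdict(deque), {}
    for ts, src, dst, seq, length in packets:
        flow = (src, dst)
        if flow not in expected:               # first segment seeds the state
            expected[flow] = (seq + length) % MOD
            continue
        if in_window(seq, expected[flow]):
            if seq == expected[flow]:          # in-order data advances the stream
                expected[flow] = (seq + length) % MOD
            continue
        if in_window(expected[flow], seq):     # just behind: likely a retransmission
            continue
        q = misses[flow]
        q.append(ts)
        while ts - q[0] > INTERVAL_MS:         # keep only the sliding interval
            q.popleft()
        if len(q) > THRESHOLD:
            alerts.setdefault(flow, ts)
    return alerts

# Constructed sample traffic (not a real capture): two in-order segments,
# eight segments with far-off sequence numbers, then one in-order segment.
CLIENT, SERVER = "10.0.0.5:51000", "10.0.0.9:23"
SAMPLE = [(0, CLIENT, SERVER, 1000, 10), (100, CLIENT, SERVER, 1010, 20)]
SAMPLE += [(200 + 10 * i, CLIENT, SERVER, 3_000_000_000 + 1_000_003 * i, 0)
           for i in range(8)]
SAMPLE += [(500, CLIENT, SERVER, 1030, 5)]

if __name__ == "__main__":
    for flow, ts in detect_seq_flood(SAMPLE).items():
        print(f"possible sequence-number flood on {flow} at {ts} ms")
```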
Send Carefully Crafted Packets
An attacker can send a carefully crafted packet with the correct
sequence number containing the required payload. This is another type
of man-in-the-middle attack. It again has the disadvantage that the
response will be sent back to the originating machine, e.g. if an attacker
sends a command of “adduser hacker” as the payload of the packet to
be accepted, any return status of the command will be sent back to the
legitimate client, and the attack may be noticed.
DoS the Client
Prior to sending carefully constructed packets, as described above, a
Denial of Service (DoS) attack can be launched against the legitimate client so that
it is unable to receive the ACK packets. Using this attack it is possible to
take over the client's connection. However, an IDS system running on
the network could detect the denial of service, and trigger warnings,
thus making discovery possible.
MAC Address Spoofing
Spoofing the MAC address of the client so that the server sends its data
directly to the attacker's machine is a slightly more difficult attack to
carry out. In this case, an IDS system is unlikely to pick up the MAC
address spoofing, and the user will simply see their connection 'die'.
However, this may be enough to raise suspicion in some circumstances.
Credits/Reference
This module is designed to give an overview of TCP session hijacking.
More detailed information (including how to protect against this type
of attack) can be found at the URLs below.