Part of taking over a TCP session is knowing how it works, that’s why I was previously talking about the TCP handshake.
To take over a session there is a few general steps that need to be done.
1. You need to know the ISN, there is a few ways to do this.
- In between, the conversation. Using some sort of sniffer to watch the traffic to know the ISN.
- Guess, that is not as easy as it was since before RFC 1948.
- Use source routing, but that should be disabled.
2. Once you know the ISN by one way or the other you then need to take the session over. As the session is being taken over the client that is being replaced needs to be knocked off the network. Typically this is done with some sort of DOS.
In most cases this is used to gain access to a target system, back in the days of telnet. You could take over the session then through the needed commands to setup a shell to the machine.
This type of attack is still useful for other things, http sessions and other non-encrypted traffic.