Session Hijacking!!

In computer science, session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a computer system. In particular, it refers to the theft of the magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be stolen by an attacker using an intermediary computer, or with access to the saved cookies on the victim's computer. At the network layer, one classic method is source-routed IP packets: this lets an attacker at point A on the network take part in a conversation between B and C by steering the IP packets through its own machine.
If source routing is turned off, the attacker can fall back to "blind" hijacking, in which it predicts the responses of the two machines (in practice, the TCP sequence numbers) instead of seeing them. The attacker can inject a command but never sees the reply; a typical injected command is one that sets a password or otherwise opens access from elsewhere on the network.
An attacker can also sit "inline" between B and C, using a sniffing program to watch the conversation and, if it wants, alter it. This is known as a man-in-the-middle attack.

Example 1

Session Sniffing

In this example the attacker first uses a sniffer to capture a valid session token (the "Session ID"), then presents that token to the web server to gain unauthorized access as the victim.

Example 2


Cross-site scripting attack

The attacker can also compromise the session token with malicious code running on the client side. The example shows how an XSS attack can steal the token: if the attacker sends the victim a crafted link containing malicious JavaScript, that JavaScript runs in the victim's browser, within the origin of the vulnerable site, when the link is opened, and carries out whatever the attacker wrote. The example in figure 3 uses an XSS payload that merely displays the cookie value of the current session; with the same technique the attacker can write JavaScript that sends the cookie to a server they control. Note that a cookie set with the HttpOnly attribute is not exposed through document.cookie, so this payload shows nothing for such a cookie.
<SCRIPT>alert(document.cookie);</SCRIPT>
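The attributes that close off each of these theft paths can be checked mechanically. The following Python is an added example, not code from the original post: it parses Set-Cookie headers and reports a session cookie that lacks HttpOnly (so the payload above can read it) or Secure (so the browser sends it over plain HTTP, where it can be sniffed as in example 1), and shows the hardened header beside the weak one. The sample headers are constructed; the cookie names copy the tutorial's capture below, while the set of names treated as session identifiers and the attribute choices are assumptions.

```python
# Added example: audit Set-Cookie headers for the attributes that block the two
# theft vectors on this page. Nothing here is a real site's configuration.

# Assumption: these cookie names carry a session identifier.
SESSION_COOKIE_NAMES = {"xs", "c_user", "sid", "PHPSESSID", "JSESSIONID"}

# Constructed Set-Cookie headers; names borrowed from the tutorial's capture,
# attributes chosen for illustration.
SAMPLE_SET_COOKIE_HEADERS = [
    "xs=1%3A38f16cf9f1b0d601563299cab6cd8caa; Path=/; Domain=.facebook.com",
    "c_user=548368154; Path=/; Secure",
    "sid=2f7c0b3e9a; Path=/; Secure; HttpOnly",
    "locale=en_GB; Path=/",
]

# Canonical spelling for the attributes we re-emit when hardening.
CANONICAL_ATTRS = {"httponly": "HttpOnly", "secure": "Secure", "samesite": "SameSite",
                   "path": "Path", "domain": "Domain", "expires": "Expires",
                   "max-age": "Max-Age"}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Report which theft vector a session cookie is left open to."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if name in SESSION_COOKIE_NAMES:
        if "httponly" not in attrs:
            # Example 2: an XSS payload can read it through document.cookie.
            findings.append("no HttpOnly: readable via document.cookie (XSS theft)")
        if "secure" not in attrs:
            # Example 1: the browser sends it on plain HTTP, so a sniffer sees it.
            findings.append("no Secure: sent over plain HTTP (sniffable)")
    return {"name": name, "session": name in SESSION_COOKIE_NAMES, "findings": findings}


def harden_set_cookie(header):
    """Return the same Set-Cookie header with Secure and HttpOnly added if missing."""
    name, value, attrs = parse_set_cookie(header)
    attrs.setdefault("secure", "")
    attrs.setdefault("httponly", "")
    rendered = [f"{name}={value}"]
    for key, val in attrs.items():
        canonical = CANONICAL_ATTRS.get(key, key)
        rendered.append(canonical if val == "" else f"{canonical}={val}")
    return "; ".join(rendered)


if __name__ == "__main__":
    for header in SAMPLE_SET_COOKIE_HEADERS:
        result = audit_set_cookie(header)
        print(header)
        for finding in result["findings"] or ["ok"]:
            print("   ", finding)
        if result["findings"]:
            print("    hardened:", harden_set_cookie(header))
```

Run it against the headers your own application emits (a browser's developer tools or a Wireshark capture of the login response will show them); a session cookie that produces any finding is stealable by one of the two methods on this page.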

In this tutorial I will show you how to hijack a Facebook session from a user on the network. You should be aware that this is not a hack in the sense of gaining account credentials: you only take over that particular user's session, and only for as long as it remains valid.

Now that's out the way, you will need:
  • Wireshark
  • A LAN to sniff
  • Firefox + Greasemonkey + CookieInjector script

Note: Greasemonkey is also available for Chrome but for the purposes of this exercise I am using Firefox. 

To start, open Wireshark and select the network interface to capture packets from. On a switched LAN you will only see other hosts' traffic if it passes through you (a shared hub or Wi-Fi network, or the man-in-the-middle position described above).
Leave the capture running for a little while to be sure you've captured a cookie. You don't need to be sniffing at the moment of login: the browser attaches the cookie to every request it makes to the site, so it shows up again and again over the duration of the session.

After a few minutes, stop the packet capture by clicking the small stop icon at the top (highlighted green), and proceed to find the cookie.
To pinpoint the packets we're interested in, apply a display filter: enter http.cookie in the filter bar and click Apply, which keeps only the HTTP requests that carry a Cookie header.
The packets we're interested in are the requests whose path begins with /x/, for example:

/x/2376515155/3114201186/true/p_538563194=502 HTTP/1.1

That line is the HTTP request line, not the cookie itself; the cookie travels in the Cookie: header of the same request, so we copy the whole packet. Close the filter window, right-click the packet in the capture list and select Copy > Bytes > Printable Text Only, then paste it into Notepad. The only information we need from it is the bottom line:

Cookie: p=18; locale=en_GB; L=2; act=1317413463503%2F0; c_user=548368154; datr=CuScTLAi9nGeN9rjQ-ANdDZQ7g..; lu=ggLaOJXYbt0xJoqkTD3nkzYw; sct=1317413802; xs=1%3A38f16cf9f1b0d601563299cab6cd8caa; presence=EM317413806L18REp_5f538563194F502X317413809350K1H1EblcF0EsndF1ODiF543545449CAcDiF500984076CQ0EsF0CEblFDacF12G317413804PEalFD500984076FDiF0EmF0CCCC

This is the string we will feed to CookieInjector to take over their session. Open Firefox and go to facebook.com, but don't log in. Press Alt + C and a small CookieInjector window should open for you to paste the cookie into. Paste it in and click OK; you should get a confirmation.
Now refresh the Facebook page and you should be logged in as that user. Note that this works only because the session cookie crossed the network in plaintext HTTP: a site that serves every page over HTTPS and marks the cookie Secure never sends it in the clear, and the same capture turns up nothing usable.
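The whole procedure (copy the Cookie: header out of a captured request, then replay it) can be reproduced offline. The Python below is an added example, not part of the original tutorial: it extracts the Cookie header from a pasted request, then sends it to a toy local web server that, like any server relying on a bearer cookie, accepts whoever presents a known xs token as that user. The captured request text is constructed in the shape of the Wireshark paste above (its Host and User-Agent headers are made up, and the long presence= cookie is dropped); the session table and the rule that the server identifies the session by the xs cookie are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Constructed capture text in the shape Wireshark's Copy > Bytes > Printable
# Text Only produces for the /x/ request in the tutorial. Request line and
# cookie values are the tutorial's own; Host and User-Agent are assumptions.
CAPTURED_REQUEST = """\
POST /x/2376515155/3114201186/true/p_538563194=502 HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Cookie: p=18; locale=en_GB; L=2; act=1317413463503%2F0; c_user=548368154; datr=CuScTLAi9nGeN9rjQ-ANdDZQ7g..; lu=ggLaOJXYbt0xJoqkTD3nkzYw; sct=1317413802; xs=1%3A38f16cf9f1b0d601563299cab6cd8caa
Content-Length: 0

"""

# Stand-in for the web server's session store: session token -> user id.
# Assumption: the server recognises a session purely by the "xs" token.
SESSIONS = {"1:38f16cf9f1b0d601563299cab6cd8caa": "548368154"}


def extract_cookie_header(raw_request):
    """Return the value of the Cookie: header from a pasted HTTP request."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.splitlines()[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            return value.strip()
    raise ValueError("no Cookie header in the captured request")


def parse_cookie(header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    jar = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar


class VictimHandler(BaseHTTPRequestHandler):
    """Toy web app: whoever presents a known xs token is that user."""

    def do_GET(self):
        cookies = parse_cookie(self.headers.get("Cookie", ""))
        user = SESSIONS.get(unquote(cookies.get("xs", "")))
        if user is None:
            status, body = 401, b"login required"
        else:
            status, body = 200, f"logged in as user {user}".encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def replay(host, port, path, cookie_header):
    """Send one GET carrying the sniffed Cookie header; return (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    headers = {"Cookie": cookie_header} if cookie_header else {}
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def run_demo():
    """Start the toy server, then hit it without and with the sniffed cookie."""
    server = HTTPServer(("127.0.0.1", 0), VictimHandler)
    host, port = server.server_address
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        anonymous = replay(host, port, "/home", "")
        hijacked = replay(host, port, "/home", extract_cookie_header(CAPTURED_REQUEST))
    finally:
        server.shutdown()
        server.server_close()
    return {"without_cookie": anonymous, "with_sniffed_cookie": hijacked}


if __name__ == "__main__":
    for label, (status, body) in run_demo().items():
        print(f"{label}: {status} {body}")
```

The server never sees a password; the cookie alone is the proof of identity, which is exactly why CookieInjector in the browser produces a logged-in page. The same replay also works with a cookie obtained by the XSS route in example 2, since the server cannot tell how the attacker came by it.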
 
