Have you ever wondered how some Web sites personalize their visitors? This can take the form, for example, of remembering the contents of a shopping "cart" (if the site sells goods) or of the way the fields of some form are filled in. The HTTP protocol on which the World Wide Web runs has no means of tracking events from one visit to a site to the next, so a special add-on was developed to store such "state". This mechanism, described in RFC 2109, inserts special fragments, the cookie data, into the HTTP requests and responses that are transmitted, allowing Web sites to track their visitors.
Cookie data may be kept only for the duration of the communication session (per-session cookies), residing in RAM and being deleted when the browser is closed or after a specified time has elapsed. In other cases it is permanent (persistent cookies) and remains on the user's hard drive as a text file, usually in the Cookies directory (%windir%\Cookies on Win9x and %userprofile%\Cookies on NT/2000). It is not hard to guess that after capturing cookies on the network an attacker can impersonate the user of that computer, or gather the important information contained in these files. After reading the following sections you will understand how easy this is to do.
Cookie interception
The most direct method is to intercept cookies as they are transmitted over the network. The intercepted data can then be used when logging into the corresponding server. Any packet capture utility will do the job, but one of the best is Laurentiu Nicula's SpyNet/PeepNet. SpyNet consists of two utilities that work together: CaptureNet captures the packets themselves and stores them on disk, and PeepNet opens the file and converts it into a human-readable format. The following example is a fragment of a communication session reconstructed by PeepNet, in which the cookie serves to authenticate the user and control access to the pages being viewed (names have been changed to preserve anonymity).
GET http://www.victim.net/images/logo.gif HTTP/1.0
Accept: */*
Referrer: http://www.victim.net/
Host: www.victim.net
Cookie: jrunsessionid=96114024278141622; cuid=TORPM!ZXTFRLRlpWTVFISEblahblah
The example above shows a cookie fragment placed in an HTTP request sent to the server. The most important field is cuid=, which carries the unique identifier used to authenticate the user on the www.victim.net site. Suppose the attacker then visits victim.net himself and receives his own identifier and cookie (it is assumed that the site does not keep its cookie data only in memory but writes it to the hard drive). The attacker can then open his own cookie file and replace the value of the cuid= field with the one from the captured packet. When he next logs into the victim.net server, he will be treated as the user whose cookie data was intercepted.
PeepNet's ability to replay an entire communication session or a fragment of it greatly simplifies attacks of this type. Using the Go get it! button, you can re-fetch the pages a user viewed, using the cookie data previously captured by CaptureNet. The PeepNet dialog box shows information about someone's completed orders; the cookie data intercepted by CaptureNet is used here for authentication. Note the frame in the lower right corner of the session data dialog box and the line following Cookie:. This is the cookie data used for authentication.
It is a pretty neat trick. In addition, CaptureNet can provide a complete decoded record of the traffic, which is almost equivalent to the capabilities of professional-grade utilities such as Sniffer Pro from Network Associates, Inc. SpyNet, however, is even better: it is free.
Countermeasures
You should be wary of sites that use cookies for authentication and for storing sensitive identifying information. One tool that can help is Kookaburra Software's Cookie Pal, available at http://www.kburra.com/cpal.html. It can be configured to warn the user whenever a Web site attempts to use the cookie mechanism, letting you "look behind the scenes" and decide whether to allow it. Internet Explorer has a built-in cookie control mechanism. To enable it, launch the Internet Options applet in Control Panel, go to the Security tab, select the Internet zone, choose Custom Level, and set the switch for both persistent and per-session cookies to Prompt. In Netscape, cookie handling is configured with Edit › Preferences › Advanced by selecting Warn me before accepting a cookie or Disable cookies (Fig. 16.3). When you do accept a cookie, check whether it is written to disk and see whether the Web site is collecting information about its users.
When visiting a site that uses cookies for authentication, make sure that the username and password you initially provide are at least SSL-encrypted. Then this information will at least not appear in the PeepNet window as plain text.
The authors would prefer to avoid cookies entirely, were it not that many frequently visited Web sites require them. For example, Microsoft's worldwide popular Hotmail service requires cookies to sign in. Since this service uses several different servers during the authentication process, adding them to the Trusted Sites zone is not so simple (the procedure is described in the section "Using Security Zones Wisely: A General Solution to ActiveX Problems"); the *.hotmail.com notation helps here. Cookies are not a perfect remedy for the shortcomings of the HTTP protocol, but the alternatives seem even worse (for example, appending an identifier to the URL, which may then be stored on proxy servers). Until a better idea comes along, the only option is to control cookies using the methods listed above.
Capture cookies via URL
Now let us imagine something worse: Internet Explorer users who click on specially crafted hyperlinks become potential victims, risking having their cookies intercepted. Bennett Haselton and Jamie McCarthy of Peacefire, a youth organization that advocates for freedom of communication on the Internet, published a script that brings this idea to life. The script retrieves cookies from the client computer when its user clicks on a link on the page, so that the contents of the cookie become available to the Web site's operators.
This technique can be used for nefarious purposes by embedding IFRAME tags in the HTML code of a Web page, an HTML-formatted e-mail message, or a newsgroup posting. The following example, provided by security consultant Richard M. Smith, demonstrates the use of IFRAME tags together with the utility developed by Peacefire.
It is possible to craft a sneaky e-mail message that "hijacks" cookies from the user's hard drive and sends them to the operators of the peacefire.org site. To do this, a link to that site is placed in the message many times, as shown in the example. Even though the people at Peacefire seem pretty nice, hardly anyone would be happy to have them get their hands on confidential data.
Countermeasures
Install the patch, which can be found at http://www.microsoft.com/technet/security/bulletin/ms00-033.asp. You can also use Cookie Pal or the built-in Internet Explorer capabilities described above.
Have you noticed that when you return to a site you have already visited, it recognizes you and opens with the settings you used last time? Yes, and quite often? This happens thanks to cookies, which store visitor information such as login, password, session ID and other variables needed to identify the visitor and display page content according to the preferences chosen during the last visit. The WebCookiesSniffer program shows the user the cookies, and their contents, of the sites being viewed in the browser.
View Cookies
You open a Web site and WebCookiesSniffer captures its cookies in real time. The utility adds every captured cookie to a table recording the host, the request path, the total length of the cookie, the number of variables in it, and the cookie itself with the names and values of its variables. WebCookiesSniffer can save the collected cookie information to a text file, and can also generate an HTML report for all or selected cookies. For the program to work, the WinPcap driver must be installed (it is included in the archive along with WebCookiesSniffer). To switch the WebCookiesSniffer interface to Russian, copy the file WebCookiesSniffer_lng.ini (also included in the archive) into the utility's directory.
Screenshots of the WebCookiesSniffer program
Ways to steal cookies
This hacking method, stealing cookies, works well and is used by many hackers. If you also want to try it but do not know where to start, read our recommendations.
What are cookies?
Cookies are information about a user's visits to a specific site, stored in a separate text document. A variety of information can be found there, including logins, passwords, e-mail addresses and phone numbers. That is why intruders try to get hold of these files, and resort to various methods to steal the material they need.
Ways to steal cookies
XSS vulnerability
It can be found and exploited on any Web site. When a specialist finds a vulnerability, he injects special code into it. The code differs depending on the goal and is written for a specific resource. When a user visits this page and refreshes it, the changes take effect: the code starts running on the victim's computer and collects all the necessary information from the browser.
Any type of vulnerability can be used to inject the code: a flaw in the Web resource, in the browser or in the operating system.
There are two types of XSS attacks:
- Passive: aimed at the page script. Here you need to look for vulnerabilities in page elements, for example a dialog tab, a search box, a video catalogue, etc.
- Active: these should be looked for on the server. They are especially common on forums, blogs and chats.
How to force a person to apply XSS?
The task is not easy, because activating the code usually requires clicking on a link containing it. The link can be disguised and sent in an e-mail together with an interesting offer, for example a big discount in an online store. It can also be embedded in a picture; the user will most likely look at it and suspect nothing.
Installing a sniffer
This means installing specialized programs on someone else's device to monitor its traffic. A sniffer makes it possible to intercept transmitted sessions containing other people's data, and thus to obtain all logins and passwords, addresses and any other important information the user transmits over the network. Such attacks are most often carried out against unprotected HTTP traffic, and unsecured wi-fi suits them well.
There are several ways to implement a sniffer:
- Copy traffic;
- Data analysis using traffic attacks;
- Listening to interfaces;
- Introducing a sniffer into a channel break.
All data is stored on the Web server in its original form; if you change it, that is considered substitution. All material obtained can be used on another computer, giving full access to the user's personal data. Cookies can be modified using browser settings, add-ons or special programs; they can also be edited in any standard text editor on a PC.
Stealing cookies using a virus
Experts advise not to use cookies unless there is a real need for them; if they can be disabled, it is better to do so. This is because cookies are very vulnerable and are often stolen by criminals. A huge amount of confidential personal information can be obtained from these files and used against a person. The most dangerous are the files that remain on the system after the session has ended.
Cookies are often stolen using a virus utility. This is done quite simply: a virus that collects certain material from the computer is embedded in some harmless-looking utility. The virus program connects to its owner's server, and it must be configured so that the browser uses it as a proxy server.
Once the program reaches the victim's PC, it automatically starts collecting all stored data and sending it to you.
Viruses differ, and so do their functions. Some allow complete control over the browser and viewing of any information; others can steal protected material; still others collect only unsecured data.
Getting the virus program onto someone else's computer may be difficult: the user has to be made to download and run it. You can either send him a letter with a link to the program, or pass the program off as safe and wait for the person to download it from your Web site.
How to protect cookies from theft?
Most Web resources are insufficiently protected, and hackers easily find vulnerabilities and bugs in them.
Cookie protection rules:
- Link the computer's identity to the current session. Then, when the site is accessed from a third-party device, a new session is started and the data from the previous one is not retrieved.
- Link the session to the browser. This works on the same principle as the previous point.
- Encrypt the parameters sent over the network. Then the information stored in the file will not be intelligible and will be useless to anyone who intercepts it. This does not give 100% protection; some specialists can decrypt any material.
- Create a separate folder for identifiers.
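The first three rules can be implemented together on the server side. The Python below is an added example, not code from this page: it binds the session to a fingerprint of the browser's request headers (a weak binding, as the third rule's caveat warns, since whoever captures the request also sees those headers), makes the cookie value tamper-evident with an HMAC so a swapped or edited identifier is rejected, and emits the Set-Cookie attributes that keep the cookie off plaintext HTTP and away from page scripts. The key, the function names and the sample header values are all constructed for illustration.

```python
"""Server-side session cookie hardened against the attacks described above.

Added example, not the page's code: binds the session to the browser, signs the
cookie value so a swapped identifier is rejected, and sets cookie attributes
that keep it off plaintext HTTP. The key, names and header values are made up.
"""
import hashlib
import hmac
import secrets
import time

# Per-deployment secret. Constructed here; in production it comes from a secrets store.
SERVER_KEY = secrets.token_bytes(32)

# Session store: session id -> (user, browser fingerprint, expiry). In-memory for the example.
SESSIONS: dict = {}


def browser_fingerprint(user_agent: str, accept_language: str) -> str:
    """Hash of headers that stay constant for one browser; ties the session to it."""
    return hashlib.sha256(f"{user_agent}\n{accept_language}".encode()).hexdigest()


def sign(session_id: str) -> str:
    """HMAC tag over the session id; without SERVER_KEY no valid tag can be produced."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def issue_session(user: str, user_agent: str, accept_language: str, ttl_seconds: int = 900) -> str:
    """Start a session and return the cookie value '<session id>.<tag>'."""
    session_id = secrets.token_urlsafe(32)  # URL-safe alphabet, so '.' is a safe separator
    SESSIONS[session_id] = (user, browser_fingerprint(user_agent, accept_language),
                            time.time() + ttl_seconds)
    return f"{session_id}.{sign(session_id)}"


def set_cookie_header(cookie_value: str) -> str:
    """Secure: never sent over plain HTTP. HttpOnly: not readable by page scripts."""
    return f"Set-Cookie: sid={cookie_value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def validate_session(cookie_value: str, user_agent: str, accept_language: str):
    """Return the user for a valid, unexpired cookie presented by the same browser, else None."""
    session_id, sep, tag = cookie_value.rpartition(".")
    # Constant-time compare on bytes; a tag edited by hand (the cuid= swap) fails here.
    if not sep or not hmac.compare_digest(sign(session_id).encode(), tag.encode()):
        return None
    entry = SESSIONS.get(session_id)
    if entry is None:
        return None
    user, fingerprint, expires_at = entry
    if time.time() > expires_at:
        SESSIONS.pop(session_id, None)
        return None
    if not hmac.compare_digest(fingerprint.encode(),
                               browser_fingerprint(user_agent, accept_language).encode()):
        # Genuine cookie replayed from another browser: revoke it so the real user is
        # forced to log in again and the captured copy becomes worthless.
        SESSIONS.pop(session_id, None)
        return None
    return user


if __name__ == "__main__":
    cookie = issue_session("alice", "ExampleBrowser/1.0", "en-US")
    print(set_cookie_header(cookie))
    print("same browser:", validate_session(cookie, "ExampleBrowser/1.0", "en-US"))
    print("other browser:", validate_session(cookie, "OtherBrowser/2.0", "en-US"))
```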
How to find out the password for someone else's account through cookies?
To obtain someone else's login data, you first need to get to the file in which it was saved.
Mozilla Firefox users need to go to the Tools tab in the main menu. Then, in the settings, find the "Protection" section, which holds all the important information about accounts on social networks. All passwords are hidden, so click the "Display" button. You can immediately enable protection and set a special code; then no one but you will be able to see this information.
In Opera, only usernames are publicly viewable, but the menu contains a password manager in which everything stored on the computer can be viewed; the full list is in the manager. To gain access to the passwords you need to install an additional extension.
In Google Chrome all this material can be seen in the advanced settings, where there is a tab with all saved cookies.
Unfortunately, the standard Internet Explorer browser has no such feature. To find out about the Web platforms the PC owner visits, you need to download a special program. It can be found on the Internet for free and is completely safe, but it is better to download it from trusted sources. Do not forget that any program must be scanned with an antivirus, especially utilities that work with passwords.
This technique is only suitable for those who have physical access to the victim's computer. You can also find out someone else's password if the person logged into the platform from your PC and saved their data.
Programs for stealing cookies
There are many hacker forums on the Internet where hackers communicate with each other. People go there hoping for free help, and there you can find a huge number of different hacking programs. We want to warn you not to trust these programs. Utilities for remotely stealing cookies from someone else's device are either dummies or viruses; if you download such software onto your PC, you will most likely fall into a scammer's trap. Scammers post programs for free, and in this way distribute malware and gain control over other people's PCs. In general, such programs are a scam, and you will recognize it from their interface and content. If you are going to use any software to extract files, let it be a sniffer. Of course, using them is not so easy, and finding a good sniffer on the Internet is not easy either, but such software is available from specialists who will sell it to you for money. Remember that there are many scammers, each with their own tricks. Trust only hackers with a good reputation, with reviews and with their own Web site.
In conclusion, I would like to note that stealing cookies is a truly powerful and highly effective method. If you want to hack someone's profile on a social network or instant messenger, be sure to consider this option. It works best when you can use the victim's computer; obtaining the material remotely is much harder, but you can follow our tips and try to put the method into practice.
Hello. I would like to dedicate this short article, or rather this short description, to a simple way of intercepting cookies on wi-fi networks. I will not explain here what cookies are and why they are needed; if someone is interested in intercepting "baked goods" on a wireless network, I think he should know what they are and what he needs them for. I will say just one thing: with these files you can gain access to other people's accounts on various sites that require users to go through authentication (for example, mail.ru, vkontakte.ru, etc.).
So let's get started. First we need to find the wireless network itself, with an open gateway to the Internet, and preferably one with quite a lot of clients. Any network in a large shopping center, airport or coffee shop will do; in such places people usually use wi-fi access to read mail, check accounts on various dating sites, browse LJ and various forums. This is exactly what we need. Having chosen the network location and studied the hours when the number of clients is highest, we move directly to combat operations. For this we need a laptop with a wi-fi adapter and a certain set of programs. In my case I used an Acer Aspire 3610 laptop, a D-Link DWL G650 client wi-fi card and BackTrack3 as the OS.
I advise using this OS, since it already includes the whole set of programs you may need, and its most important advantage is that you do not have to install Backtrack on your hard drive: you can boot this OS directly from a CD or flash drive.
Now to the necessary software. I used Kismet for network discovery and WifiZoo for intercepting cookies; I will dwell on the second program in detail. WifiZoo is a passive wireless scanner that collects quite a lot of useful information, such as pop3 and smtp traffic, http cookies/authinfo, msn, ftp credentials, telnet network traffic, nbt, etc. The only drawback of this program is the lack of channel hopping: WifiZoo simply listens on the wireless interface and cannot, so to speak, jump from channel to channel. This drawback is compensated by another program, Kismet, which does support this mode. To run WifiZoo you will need:
- python
- scapy
- Kismet
So let's launch the programs: first Kismet, to provide channel hopping, then WifiZoo itself; the following window should appear:
Now all that remains is to sit and wait until something is intercepted. Everything the program intercepts can be found in the logs in the /logs/ directory under the program directory. You can also launch a GUI, which connects automatically over http at 127.0.0.1:8000.
I will not describe all the features of this wonderful program; I think you will figure out the rest of its possibilities yourself, and at the moment we are only interested in cookies. Click on the link that says cookies and see what we intercepted:
Many users do not realize that when they fill in a login and password to register or sign in on a closed Internet resource and press ENTER, this data can easily be intercepted. Very often it is transmitted over the network unprotected. So if the site you are logging into uses the HTTP protocol, it is very easy to capture this traffic, analyze it with Wireshark, and then use special filters and programs to find the password and recover it from its hash.
The best place to intercept passwords is the core of the network, where all users' traffic to closed resources (for example, mail) passes, or in front of the Internet router, where registrations on external resources go through. We set up a mirror port and are ready to feel like a hacker.
Step 1. Install and launch Wireshark to capture traffic
Sometimes it is enough to select the interface on which we plan to capture traffic and click the Start button. In our case we are capturing on a wireless network.
Traffic capture has begun.
Step 2. Filtering captured POST traffic
We open the browser and try to log into some resource with a username and password. Once the authorization is complete and the site has opened, we stop capturing traffic in Wireshark. Opening the protocol analyzer, we see a large number of packets. This is where most IT professionals give up, because they do not know what to do next. But we know, and we are interested in specific packets containing the POST data that is generated on our local machine when the form on the screen is filled in and sent to the remote server when we click the "Login" or "Authorization" button in the browser.
We enter a special filter in the packet display window: http.request.method == "POST"
And instead of thousands of packets we see only one, with the data we are looking for.
Step 3. Find the user's login and password
Right-click on it and select Follow TCP Stream from the menu.
A new window opens with text that reconstructs the contents of the page in code. Find the fields "password" and "user", which correspond to the password and username. In some cases both fields will be readable and not even protected, but if we capture traffic to very well-known resources such as Mail.ru, Facebook, VKontakte, etc., the password will be in hashed form:
HTTP/1.1 302 Found
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: password= ; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Location: loggedin.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Thus, in our case:
Username: networkguru
Password:
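The response above can be checked mechanically for the weaknesses that made the password recoverable. The Python below is an added example, not part of the original tutorial: it parses every Set-Cookie header in a raw HTTP response and flags a credential stored client-side, missing Secure and HttpOnly attributes, and a persistent cookie that survives the browser session. The captured response is reproduced with a labelled placeholder in place of the hash value the page elides.

```python
"""Audit Set-Cookie headers in a captured HTTP response.

Added example, not part of the tutorial: reports the weaknesses visible in the
response above. The response is reproduced below with a labelled placeholder
standing in for the hash value the page elides.
"""
import re

# Constructed from the response in step 3; PLACEHOLDER_HASH replaces the elided value.
CAPTURED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Set-Cookie: password=PLACEHOLDER_HASH; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/\r\n"
    "Location: loggedin.php\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# Cookie names that suggest a credential or session token is being stored client-side.
CREDENTIAL_NAME = re.compile(r"passw|pwd|secret|token|auth|session|sid|cuid", re.IGNORECASE)


def parse_set_cookie(header_value: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_response(raw_response: str):
    """Return (cookie name, finding) pairs for every Set-Cookie header in the response."""
    findings = []
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]  # headers only, body ignored
    for line in head.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        name, value, attrs = parse_set_cookie(line.split(":", 1)[1])
        if CREDENTIAL_NAME.search(name):
            findings.append((name, "credential or session identifier stored in a cookie; "
                                   "a captured copy is reusable as-is"))
        if "secure" not in attrs:
            findings.append((name, "no Secure attribute: the browser will send it over plaintext HTTP"))
        if "httponly" not in attrs:
            findings.append((name, "no HttpOnly attribute: readable by scripts injected into the page"))
        if "expires" in attrs or "max-age" in attrs:
            findings.append((name, "persistent cookie: written to disk and survives the browser session"))
    return findings


if __name__ == "__main__":
    for cookie_name, issue in audit_response(CAPTURED_RESPONSE):
        print(f"{cookie_name}: {issue}")
```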
Step 4. Determine the hash type in order to recover the password
For example, go to http://www.onlinehashcrack.com/hash-identification.php#res and enter our password hash in the identification window. I was given a list of candidate hash types in order of priority:
Step 5. Recovering the user's password
At this stage we can use the hashcat utility:
~# hashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt
At the output we get the recovered password: simplepassword
Thus, with Wireshark we can not only troubleshoot applications and services, but also try ourselves as a hacker, intercepting passwords that users enter into Web forms. You can also find out the passwords of users' mailboxes using simple display filters:
- POP protocol: pop.request.command == "USER" || pop.request.command == "PASS"
- IMAP protocol: imap.request contains "login"
- SMTP protocol: smtp.req.command == "AUTH"
and more serious utilities to recover the password from its hash.
Step 6: What if the traffic is encrypted and uses HTTPS?
There are several possible answers to this question.
Option 1. Connect when the connection between the user and the server is broken, and capture the traffic at the moment the connection is established (the SSL handshake). When the connection is established, the session key can be intercepted.
Option 2. You can decrypt HTTPS traffic using the session key log file recorded by Firefox or Chrome. To do this, the browser must be configured to write these encryption keys to a log file (Firefox example) and you need to obtain that log file. Essentially, you have to steal the session key file from the other user's hard drive (which is illegal). Then capture the traffic and use the resulting keys to decrypt it.
Clarification: we are talking about the Web browser of the person whose password someone is trying to steal. If we mean decrypting our own HTTPS traffic for practice, this strategy works. If you are trying to decrypt other users' HTTPS traffic without access to their computers, it will not work; that is what encryption and privacy are for.
After obtaining the keys by option 1 or 2, you need to register them in Wireshark:
- Go to Edit › Preferences › Protocols › SSL.
- Set the flag "Reassemble SSL records spanning multiple TCP segments".
- Next to "RSA keys list", click Edit.
- Fill in all the fields and enter the path to the key file.