CAIN
Advanced Session Hijacking - Is coffee shop WiFi such a good idea?
SCOTT HELME
12 AUG 2013 • 8 MIN READ
Learn just how easy it is to hijack sessions over the LAN or WiFi and why using that free WiFi at your local coffee shop could cost you more than you expect!
I'm also using the Firefox browser and the Cookie Manager+ plugin or the Chrome browser and Cookie Manager to help make things a little easier.
Important
Only ever perform the following tutorial on a network that you own. The following tutorial explains how to use tools that will interfere with the operation of your network. If you choose to use any of the information provided here, you do so completely at your own risk. You will also be accessing the data of other clients on the network. Ensure that only your own devices are connected to the network, or that you have permission from any and all clients on the network to access their data. Now that's out of the way, let's go!
Setup
Install Cain and Wireshark from the download links above. Once you have Cain and Wireshark installed you're ready to get started.
ARP Poisoning
After launching Cain you may get a warning about the Windows firewall. For the most part I have found no problems with using Cain with the firewall enabled, but if you do have problems with any of the steps here, disabling the firewall can help. You can also launch Cain with admin privileges by right-clicking the icon and selecting 'Run as Administrator'. Once Cain launches you should be at the main screen.
Here in my result list you can see the clients it found currently on my network:
Now you can see that Cain is ready to start ARP Poisoning any traffic between my phone and any other client on my network. The most important one is the default gateway, as this is where the phone will be sending all traffic bound for the Internet.
To start the ARP Poisoning attack simply hit the Start APR button at the top of the window and watch Cain begin to work!
As Cain begins to work you will see the traffic being routed via you in the window at the bottom. Half-Routing means Cain is still working on getting all of the traffic, and Full-Routing means you have unrestricted access to the traffic going to and from the device!
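The rerouting above works because the phone's ARP cache is taught that the gateway's IP address now lives at the attacking machine's MAC address, and in Full-Routing the same MAC also answers for the phone's IP towards the gateway. The following is an added example, not code from the original post, showing how a monitor on the same LAN can spot exactly that pattern; the gateway address, the MAC addresses and the ARP replies are all constructed for the demo.

```python
"""Detect the two ARP-poisoning signatures described above (added example)."""
from collections import defaultdict

GATEWAY_IP = "192.168.69.1"  # assumed gateway address for this demo

# Constructed ARP replies seen on the LAN: (seconds, sender_ip, sender_mac).
# The last two rows model the poisoning host (aa:aa:...) claiming first the
# gateway's IP and then the phone's IP, which is what Full-Routing needs.
ARP_REPLIES = [
    (0.0, "192.168.69.1",   "00:11:22:33:44:01"),  # real gateway
    (0.5, "192.168.69.100", "00:11:22:33:44:64"),  # phone
    (1.0, "192.168.69.50",  "aa:aa:aa:aa:aa:aa"),  # poisoning host, its own IP
    (5.0, "192.168.69.1",   "aa:aa:aa:aa:aa:aa"),  # gateway IP now at attacker MAC
    (5.1, "192.168.69.100", "aa:aa:aa:aa:aa:aa"),  # phone IP now at attacker MAC too
]


def detect_arp_poisoning(replies, gateway_ip=GATEWAY_IP):
    """Return alert strings for:
    1. an IP whose MAC changes mid-session (critical when it is the gateway,
       which is what the victim's own ARP cache would show), and
    2. one MAC answering for more than one IP (what a monitor port sees when
       a host impersonates both ends of a conversation).
    Legitimate MAC changes (hardware swap, DHCP lease reuse) also trigger
    rule 1, so a real deployment would baseline known pairs first."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            level = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{level} t={ts}: {ip} moved from {prev} to {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"WARNING t={ts}: {mac} now answers for {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(ARP_REPLIES):
        print(line)
```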
Gotcha!
Once you start the capture you will see a lot of information flying through the list; this is normal, especially considering all of the traffic from the target device is now passing through. As we're specifically looking for a session ID in the traffic, you can use a filter to slow things down a little. In the filter field type in "http.cookie && ip.src==192.168.69.100", replacing the IP address with the IP address you want to target. This will tell Wireshark to only look for cookies coming from the target device. Hit 'Apply'.
Now this is normally where you would wait patiently for your victim to start visiting websites that you can hijack the session ID from. To speed things along I'm going to go ahead and open the Kickstarter website on my phone. As I opened my browser, the BBC News website was already open and I could see the request pass through Wireshark.
It's worth observing here that the GET request started off as "/news/", as it doesn't need to include the bbc.co.uk part. The server knows it is bbc.co.uk and as such the request doesn't include that. This will make it easier when you're trying to identify websites later on. As I navigate to the Kickstarter website I can see another HTTP GET request come through for "/", which means the root of the site, most commonly the home page. If you select the request and expand the 'Hypertext Transfer Protocol' section at the bottom, you can view the host website. Once you have identified this is a website you want to try and hijack a session for, you need to scroll down to the cookie section. Once you find the cookie line, right-click on it, select 'Copy' and then 'Value'.
All that's left to do now is to insert the session ID into our own cookie so we can impersonate the user currently logged in on the victim's device. Open up Firefox, go to a cookie manager of your choosing and find the _ksr_session value. Replace this with the value copied from the step above and save it.
Now comes the moment of truth. When you hit the refresh button on the browser it will submit a request for the page, but this time it will make the request using the new session ID you have just inserted. If everything goes to plan you will now be logged in as the victim!
Tadaa!
So, now you have the victim's session ID you can do pretty much anything they would be able to do. HTTPS or not, you can potentially visit account pages and view personal information, buy some expensive items or generally cause havoc on their profile.
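What made the capture and the replay above possible is that the session cookie travelled in a plain HTTP request, where anyone on the path can read it. As an added example that is not part of the original post, here is a check for the Set-Cookie attributes (Secure, HttpOnly, SameSite) that keep a session cookie off cleartext connections and out of reach of page scripts; the response headers and cookie values are constructed samples, and the session-name heuristic is an assumption of this demo.

```python
"""Set-Cookie attribute audit (added example; sample headers are constructed)."""
import re

# Constructed responses. The first sets a session cookie the way the hijack
# above relies on (no Secure flag, so the browser also sends it over plain
# HTTP); the second is the hardened form; the third is a non-session cookie.
SAMPLE_HEADERS = [
    "Set-Cookie: _ksr_session=abc123def456; Path=/; Domain=.example.com",
    "Set-Cookie: _ksr_session=abc123def456; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: theme=dark; Path=/",
]

# Assumed heuristic for cookie names that carry authentication state.
SESSION_NAME_HINT = re.compile(r"sess|sid|auth|token|login", re.IGNORECASE)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # bare flags such as Secure map to ""
    return name.strip(), value, attrs


def audit_cookie(header):
    """Return findings for one header; cookies that don't look session-like are skipped."""
    name, _, attrs = parse_set_cookie(header)
    if not SESSION_NAME_HINT.search(name):
        return []
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure flag, so it is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly flag, so page scripts can read it")
    if "samesite" not in attrs:
        findings.append(f"{name}: no SameSite attribute")
    return findings


def audit_all(headers):
    """Findings per header, in input order."""
    return [audit_cookie(h) for h in headers]


if __name__ == "__main__":
    for header, findings in zip(SAMPLE_HEADERS, audit_all(SAMPLE_HEADERS)):
        print(header, "->", findings or "ok")
```

The Secure flag only helps if the site is actually reachable over HTTPS; serving the login and account pages over HTTP with a Secure cookie just breaks the session rather than protecting it.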
As always, the information and tools in this blog could get you in trouble if used in the wrong manner! Never use this information to do anything that will get you in trouble; it's intended to be used for informational and demonstration purposes only. Hopefully this highlights the risks involved with connecting to networks where you don't know who or what may be lurking nearby trying to intercept your traffic.
Scott.
Short URL: https://scotthel.me/AdvSessHijack