This page is currently under construction. It exists as a placeholder for a Subterfuge tutorial, once the tutorial is finished I will update the page to reflect the new content. I apologize for the inconvenience.
Here we are discussing the subject of session hijacking attacks within the scope of an HTTP/HTTPS conversation. It is important to note several distinctions here. Firstly, session hijacking is a vulnerability of many protocols, but we will only be examining web traffic, and secondly, performing session hijacking over HTTPS is a much more involved process then doing the same to its less evolved cousin. In this post we will not be directly attacking HTTPS, but we will; however, discuss methods to get around it.
Session Hijacking: The process of assuming control of an active or latent TCP/IP session through impersonation of a user by way of a session identifier as opposed to legitimate authentication credentials.
Web is a stateless protocol. This means that the web server does not, and cannot remember who you are in between browser requests. Each time you click a link on a website the webserver thinks that you are an entirely new person. This facet of the protocol we have most closely come to identify with on the Internet is extremely problematic. If a web server does not remember who we are, how can it remember what is in our shopping cart, or more importantly whom that cart belongs to? To solve this issue we have session cookies.
Here’s an example of a session cookie embedded within a TCP Stream:
Most importantly, this cookie is sent along with every single HTTP request your browser makes to the associated web server. If we steal this cookie from a victim, and tell our browser to use it whilst communicating with the server, we can essentially become them. If you are interested in an example of how to modify your browser cookies through URL injection check out this [post].
Stealing Session Cookies
So how do we acquire session cookies from victims? Really the limit here is your creativity, but some criteria must be met. As the penetration tester you must be able to leverage some form of access to the flow of data that the cookie follows. This means you need access to either the data a rest, or the data in motion.
Data at Rest
With the exception of potential caching at proxies and other network resources there are two primary locations where cookies live: on the web server and on the client computer. We now have two targets.
Data in Motion
Alternately, if we have access to any host that must route the web traffic it is trivial to pull the session cookie out of the TCP stream, but there is a problem. These days most cookies are no longer sent across the Internet in plaintext. They use HTTPS. This means that access to routers along the path the data takes is not enough steal the plaintext cookie needed to perpetrate session hijacking. We’ll end by demonstrating a method to get around this issue using Subterfuge.
Attacking the Web Server
Once we inject this into the target website the simple act of a victim browsing to the webpage will cause the plaintext cookie to be transmitted to our webserver. The last step is to retrieve the cookies from our webserver. Typically this is done with a catcher script, but we’re going to be a bit different. Below is a bash script to pull the cookies out of your apache logs. By using this we can theoretically utilize a compromised webserver to perpetrate our attack without leaving behind any artifacts like a cookie stealer script!
[Apache Logs Cookie Parser Script]
Attacking the User
We will only be discussing the Firefox browser here; however, the same techniques can be applied regardless of browser. If you are able to trigger a vulnerability to gain access to a victim’s machine you may be able to directly access the cookie database associated with his browser profile. Firefox uses an SQLite database to store session cookies. In order to dump the database, run the following commands:
Then read the plaintext cookies!
Attacking the Network with Subterfuge
Paste the script into a text editor. We now have to set the value of the cookie we want to impersonate. In Subterfuge, clicking on the session allows you to copy the cookie value.
[Cookie Copy Pic]
In your text editor replace section of the script that says “COOKIE DATA GOES HERE!!!” with the value you copied from subterfuge (be sure to put the data within “”).
[Script Console Pic]
Refresh the page and enjoy your session!
For a video of this attack in action click [here].
I hope that this post thoroughly demonstrates the dangers of session hijacking. Attackers really don’t need your login username and password to wreak havoc on your online footprint. Don’t leave your security up to the vendors, or network operators, because they have no incentive to protect you! Take your security into your own hands.
To protect yourself from attacks like this one we recommend the use of encryption to encapsulate your traffic when operating on untrusted networks. OpenVPN is an outstanding protocol, and is fairly simple to setup as well. Client programs exist for all major operating systems including Android and iOS. Personally, I use [Link TunnelBlick] on my Mac, and the official clients elsewhere.
I hope that this post has been informative for you!