Wednesday, 16 March 2016

Hijacking the session

HIJACKING SESSION WITH MITM ATTACK

So far, we have utilized MITM attacks only to capture plaintext passwords. However, we can also use them to steal session tokens/cookies, which are responsible for authenticating a user on a website. We should understand that this attack would only work where the communication is performed over plain HTTP or full end-to-end encryption is not enabled. It won’t work where communications are encrypted (HTTPS).

ATTACK SCENARIO

Since we will use ARP spoofing to get in the middle of the communication, this attack would work only when the attacker and victim are on the same local area network. It could be that an attacker has compromised a target and, by using it, is able to sniff the traffic of computers on the local area network of the compromised box; it could be in a coffee shop where the attacker and the victim are already on the same local area network; or it could be that the attacker has physically plugged a laptop into the same local area network.
The attack we will perform is divided into three parts:
Part 1—We will use Cain and Abel to perform an ARP spoofing attack. Cain and Abel is a Windows-based tool that is most commonly used as a password cracker and to perform ARP spoofing on a network.
Part 2—Once we have successfully ARP-poisoned the network, all the victim’s traffic would be directed to us. We will open our favorite “packet capturing” tool, namely, “Wireshark,” to capture all the traffic. We will specifically look for the victim’s cookies to hijack the session.
Part 3—Finally, we will use a cookie injector to inject the cookies into our browser so that we can take over the victim’s session.

ARP POISONING WITH CAIN AND ABEL

So let me walk you through the process of ARP poisoning a network with Cain and Abel. For simplicity, I have divided the process into five steps:
Step 1—Download “Cain and Abel” from the following link, install it, and launch it.
http://oxid.it/cain.html
Step 2—Turn on the sniffer by clicking on the green button at the top, just above the Decoder tab. Next, scan for the MAC addresses by clicking on the plus sign (+) at the top. This will list all the hosts inside our subnet. Alternatively, you can also define your own range and set your targets.
Step 3—Once you have scanned all the MAC addresses and IP addresses, it’s time to perform an ARP spoofing attack. To do that, click on the “APR” tab at the bottom and then click on the white area in the top frame. This will turn the “+” sign blue.
Step 4—Next, click on the “+” sign; lists of hosts will appear. Select the hosts whose traffic you want to intercept. In my case, the left side would be my default gateway and the right side would be my victim hosts.
Step 5—Click “OK” and then finally click on the yellow button just under the File menu. It will begin poisoning the routes in a short span of time, and you will start to see traffic being captured by Cain and Abel.
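The poisoning in Part 1 leaves traces a defender on the same LAN can watch for: the gateway's IP address suddenly being answered from a different MAC, and one MAC address announcing itself for several IPs (the gateway plus each victim). The script below is an added example, not code from the original post and not part of Cain and Abel; the ARP replies it checks are constructed, and the addresses 10.0.0.1 (gateway), 10.0.0.20 (victim) and 10.0.0.99 (poisoning host) are placeholders. On a real network the tuples would come from a packet capture or from periodic snapshots of hosts' ARP tables.

```python
"""Detect ARP cache poisoning from a sequence of ARP replies.

Added example; not part of the original post and not Cain and Abel's code.
Two signals are checked: an IP address rebinding to a new MAC, and a single
MAC address claiming more than one IP. The replies below are constructed.
"""
from collections import defaultdict

# Constructed sample: (sender IP, sender MAC) from ARP replies, in arrival order.
# 10.0.0.1 is the gateway, 10.0.0.20 a victim, 10.0.0.99 the poisoning host.
SAMPLE_ARP_REPLIES = [
    ("10.0.0.1", "aa:bb:cc:00:00:01"),
    ("10.0.0.20", "aa:bb:cc:00:00:20"),
    ("10.0.0.99", "de:ad:be:ef:00:99"),
    ("10.0.0.1", "aa:bb:cc:00:00:01"),
    ("10.0.0.1", "de:ad:be:ef:00:99"),   # gateway IP now announced by a new MAC
    ("10.0.0.20", "de:ad:be:ef:00:99"),  # victim IP announced by the same MAC
]


def detect_arp_spoofing(replies):
    """Return {"rebound": [...], "multi_ip": {...}} describing suspicious replies.

    rebound  - (ip, old_mac, new_mac) each time an IP switches to a new MAC.
               A single switch can be a legitimate DHCP reassignment; the
               gateway address switching is the strong signal.
    multi_ip - mac -> sorted IPs, for every MAC that announced more than one
               IP. Routers and virtualization hosts do this legitimately, so
               compare against a known inventory before alerting.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    rebound = []
    for ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            rebound.append((ip, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    multi_ip = {mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1}
    return {"rebound": rebound, "multi_ip": multi_ip}


def gateway_was_hijacked(report, gateway_ip):
    """True when the gateway IP was rebound to a different MAC during the capture."""
    return any(ip == gateway_ip for ip, _, _ in report["rebound"])


if __name__ == "__main__":
    report = detect_arp_spoofing(SAMPLE_ARP_REPLIES)
    for ip, old, new in report["rebound"]:
        print(f"ALERT: {ip} moved from {old} to {new}")
    for mac, ips in report["multi_ip"].items():
        print(f"ALERT: {mac} answers for {', '.join(ips)}")
    print("gateway hijacked:", gateway_was_hijacked(report, "10.0.0.1"))
```

The rebinding check alone is noisy on networks with short DHCP leases; the combination of the gateway rebinding and the new MAC also claiming other hosts' addresses is what distinguishes the Part 1 scenario from normal churn. Switch features such as Dynamic ARP Inspection apply the same IP-to-MAC consistency check at the port level.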

SNIFFING SESSION COOKIES WITH WIRESHARK

Our next goal is to capture the session cookies of the victim so we can hijack his/her session. Every site has its own session cookie that it uses to authenticate a user. For demonstration purposes, I will capture the session cookies of Facebook, which are c_user and xs.
Note: If the victim has logged out of his/her Facebook account, you will not be able to use the session cookies, since session cookies expire upon logging out.
I have already walked you through the process of how to start a packet capture inside Wireshark, so I won’t do it again. What we will do inside Wireshark is apply a filter that shows only the HTTP cookies containing the word “c_user” or “xs”, since they are the session cookies. If you can’t find them, I would suggest that you use the http.cookie filter and then manually check for the cookies.
So we have filtered all the HTTP requests containing the cookie named “c_user.” Let’s try to inspect the first request. On inspecting the HTTP request, we find all the cookies associated with Facebook.
To get a clear view of all the cookies, we will right-click on the cookie field and then go to Copy → Bytes → Copy printable text only. Now, all the cookies will be selected. We will delete the other cookies and save only the authentication cookies.
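The capture in this section only works because the browser sends the session cookie inside a plain-HTTP request, which is the condition stated at the top of the post. The audit below is an added example, not code from the original post: it checks a site's response headers for the two server-side settings that remove that condition, the Secure attribute on the session cookies (the browser then never sends them over HTTP) and a Strict-Transport-Security header (the browser then stops issuing HTTP requests to the site at all), and also flags a missing HttpOnly. The two responses are constructed; the cookie names c_user and xs are the ones the post names, while the values, the example.com domain and the max-age are placeholders.

```python
"""Audit HTTP response headers for session cookies exposed to plain-HTTP sniffing.

Added example; not part of the original post. Headers are given as a list of
(name, value) tuples in the order received. All header values are constructed.
"""

SESSION_COOKIES = {"c_user", "xs"}

# Constructed: the situation the post's capture depends on, no Secure and no HSTS.
WEAK_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "c_user=PLACEHOLDER; Path=/; Domain=.example.com"),
    ("Set-Cookie", "xs=PLACEHOLDER; Path=/; Domain=.example.com; HttpOnly"),
]

# Constructed: the hardened form of the same response.
HARDENED_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "c_user=PLACEHOLDER; Path=/; Domain=.example.com; Secure; HttpOnly"),
    ("Set-Cookie", "xs=PLACEHOLDER; Path=/; Domain=.example.com; Secure; HttpOnly"),
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {attribute: value or True}).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly, which carry no '=', map to True.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, _cookie_value = parts[0].partition("=")
    attributes = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attributes[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), attributes


def audit_session_cookies(headers, session_cookie_names=SESSION_COOKIES):
    """Return a list of findings; an empty list means the headers do not
    expose the named session cookies to a plain-HTTP capture."""
    findings = []
    if not any(name.lower() == "strict-transport-security" for name, _ in headers):
        findings.append("no Strict-Transport-Security header: the browser may still "
                        "send plain-HTTP requests, and any cookie without Secure goes with them")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if cookie not in session_cookie_names:
            continue
        if "secure" not in attrs:
            findings.append(f"{cookie}: missing Secure, so it is sent over plain HTTP "
                            "and can be read from a capture")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: missing HttpOnly, so page scripts can read it")
    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_RESPONSE_HEADERS), ("hardened", HARDENED_RESPONSE_HEADERS)):
        findings = audit_session_cookies(headers)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Secure is the attribute that directly defeats this capture: a cookie carrying it is omitted from any request the browser makes over HTTP, so even a poisoned client that is redirected to an HTTP page sends nothing useful. HSTS closes the remaining gap by keeping the client from making the HTTP request in the first place once it has seen the header over HTTPS.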
