What cookies are and how to intercept them. Methods of stealing cookies. Viewing cookies

The picture shows that the cookie contains the string wordpress_logged_in_=admin. This value is stored in the cookie in unencrypted form and can easily be intercepted with the Achilles utility, although as a rule only a hash of a given entry is visible in Achilles. Before the request is sent to the server, you can try replacing this string with any similar one (in this case it makes no sense, but the number of attempts is unlimited). Then, by forwarding the request to the server with the Send button, you receive the response the server intended for the administrator.

In the previous example the user ID could be overridden directly. Beyond that, the cookie parameters whose values give an attacker additional leverage typically have names such as user (for example USER=JDOE), anything containing the string ID (for example USER=JDOE or SESSIONID=BLAHBLAH), admin (for example ADMIN=TRUE), session (for example SESSION=ACTIVE), cart (for example CART=FULL), and values such as TRUE, FALSE, ACTIVE, INACTIVE. The format of a cookie depends heavily on the application that uses it, but these hints for finding cookie-related flaws in applications apply to almost any format.

Client-Side Countermeasures for Cookies

In general, users should be wary of Web sites that use cookies for authentication and for storing sensitive data. Remember, too, that a Web site that authenticates with cookies must at least support SSL to encrypt the username and password: without it the data travels in the clear and can be intercepted with the simplest tool for viewing network traffic.

Kookaburra Software has developed a tool that makes cookies easier to manage: CookiePal (http://www.kburra.com/cpal.html; see www.kburra.com). The program alerts the user whenever a Web site tries to set a cookie on the machine, and the user can allow or deny it. Similar cookie-blocking functions are now built into all browsers.

Another reason to install web browser updates regularly is the stream of security flaws continually discovered in these programs. For example, Bennet Haselton and Jamie McCarthy created a script that retrieves cookies from the client machine once a link is clicked, exposing the entire contents of the cookies stored on the user's machine.

A hack of this kind can also be done using the handle

To keep such things from threatening our personal data, I do this myself and advise everyone to do the same: always update the software that handles HTML (e-mail clients, media players, browsers, and so on).

Many people prefer simply to block cookies altogether, but most Web sites require cookies in order to be viewed. The conclusion: if an innovative technology that makes cookies unnecessary appears in the near future, programmers and administrators will breathe a sigh of relief; until then the cookie remains a tasty morsel for a hacker. And that is the case, because there is no better alternative yet.

Server-Side Countermeasures

When it comes to server security, experts give one simple piece of advice: do not use the cookie mechanism unless you have to! Particular care is needed with cookies that remain on the user's system after the communication session has ended.

It is, of course, important to understand that cookies can be used on secure Web servers to authenticate users. If the application being developed nevertheless needs cookies, the mechanism should be configured so that a different key with a short validity period is used for each session, and you should avoid placing information in these files that hackers could use for an attack (such as ADMIN=TRUE).

In addition, you can use encryption to make your cookies harder to abuse by preventing the extraction of sensitive information. Encryption does not, of course, solve every security problem of cookie technology, but it does defeat the simplest attacks described above.

How to steal cookies

The hacking technique of stealing cookies works well and is used by many hackers. If you want to try it too but do not know where to start, read our recommendations.

What are cookies?

This is information about a user's visits to a specific site, stored in a separate text file. It can contain a variety of information, including logins, passwords, e-mail addresses and phone numbers. That is why crackers are eager to get hold of these files, and hackers use various methods to steal the material they need.

How to steal cookies

XSS vulnerability

It can be found and used on any site. When a specialist finds a vulnerability, he injects special code into it. The code differs depending on the purpose and is written for a specific resource. When a user visits the page and refreshes it, the changes take effect: the code runs on the victim's computer and collects the necessary information from the browser.

The code can be introduced through any type of vulnerability: a bug in the web resource, in the browser, or in the computer's operating system.

There are two types of XSS attack:

Passive - aimed at the page script. Here you need to look for vulnerabilities in page elements, for example a tab with dialogs, a search box, a video catalogue, and so on.

Active - these should be looked for on the server. They are especially common on various forums, blogs and chats.

How to get a person to apply XSS?

The task is not easy, because activating the code often requires clicking a link containing it. The link can be disguised and sent in an e-mail together with an attractive offer, for example a big discount in an online store. It can also be embedded in a picture; the user will very likely view it and suspect nothing.

Sniffer installation

This means installing specialized programs that monitor traffic on someone else's device. A sniffer lets you intercept transmitted sessions containing other people's data, and thus obtain all the logins, passwords, addresses and any other important information the user sends over the network. Such attacks most often target unprotected HTTP data; unsecured Wi-Fi works well for this.

There are several ways to deploy a sniffer:

  • Copying traffic;
  • Data analysis using traffic attacks;
  • Listening on interfaces;
  • Inserting the sniffer into a break in the channel.

Cookie substitution

All data is stored on the web server in its original form; if you change it, that counts as substitution. All the obtained material can be used on another computer, giving full access to the user's personal data. Cookies can be modified using browser settings, add-ons or special programs; they can even be edited in an ordinary text editor such as Notepad on a PC.

Stealing cookies with a virus

Experts advise against using cookies unless there is a particular need for them; if they can be disabled, it is best to do so. This is because cookies are very vulnerable and are often stolen by intruders. From these files a huge amount of confidential personal information can be obtained and used against a person. The most dangerous files are those that remain on the system after the session has ended.

Cookies are often stolen with a virus utility, and this is done quite simply: a virus is embedded in some harmless-looking utility that collects certain material on the computer. The virus program connects to its owner's server, and it must be configured so that the browser uses it as a proxy server.

Once the program reaches the victim's PC, it automatically starts collecting all stored data and sends it to you.

Viruses differ, and so do their functions: some allow complete control of the browser and viewing of any information, others can steal protected material, and still others collect only unprotected data.

You may find it difficult to get a virus program onto someone else's computer, since you need to make the user download and run it. You can either send him a letter with a link to the program, or pass the program off as safe and wait for the person to download it from your site.

How to protect cookies from theft?

Most web resources are not secure enough; hackers easily find vulnerabilities and bugs on these platforms.

Cookie protection rules:

  1. Bind the computer ID to the current session. Then, when the site is entered from another device, a new session is started and data from the previous one is not retrieved.
  2. Bind the session to the browser. This works on the same principle as the previous point.
  3. Encrypt the parameters transmitted over the network. Then the information stored in the file cannot be understood and is useless to whoever intercepts it. This technique does not protect you 100%: some experts are able to decipher any material.
  4. Create a separate folder for identifiers.
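The server-side advice above (a fresh, short-lived key for every session, nothing like ADMIN=TRUE stored in the cookie, protection of the transmitted value) and rules 2 and 3 of this list come together in the following sketch, an added example that is not part of the original articles. It uses HMAC signing rather than encryption to make the cookie tamper-evident, keeps the user and role in a server-side store, binds the session to the browser through a digest of the User-Agent, and sets the Secure/HttpOnly/SameSite attributes; the cookie name sid, the 15-minute lifetime and the helper names are assumptions.

```python
"""Hardened session cookies along the lines recommended above (added example)."""
import hashlib
import hmac
import secrets
import time

# Assumed deployment values: a random per-server key and a short lifetime.
SECRET_KEY = secrets.token_bytes(32)
SESSION_TTL = 15 * 60          # seconds; one fresh key per session, short validity
COOKIE_NAME = "sid"            # assumed name; the article does not name one

# Everything that would be dangerous to expose (user, role) lives server-side,
# so the cookie carries only an opaque identifier and its signature.
SESSIONS = {}   # session id -> {"user", "role", "ua_hash", "exp"}


def _sign(session_id: str) -> str:
    """HMAC-SHA256 over the id; a client cannot forge a valid tag without the key."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _ua_hash(user_agent: str) -> str:
    """Digest of the User-Agent, used to bind the session to one browser (rule 2)."""
    return hashlib.sha256(user_agent.encode()).hexdigest()


def issue_session(user: str, role: str, user_agent: str, now: float = None) -> str:
    """Start a session and return the Set-Cookie header value to send."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)           # fresh random key per session
    SESSIONS[session_id] = {
        "user": user, "role": role,
        "ua_hash": _ua_hash(user_agent),
        "exp": now + SESSION_TTL,
    }
    token = f"{session_id}.{_sign(session_id)}"
    # Secure: sent over TLS only, so a sniffer on open Wi-Fi sees nothing.
    # HttpOnly: not readable by injected script, which closes the XSS theft path.
    # Max-Age: the cookie does not outlive the session on the user's disk.
    return (f"{COOKIE_NAME}={token}; Secure; HttpOnly; SameSite=Lax; "
            f"Max-Age={SESSION_TTL}; Path=/")


def parse_cookie_header(header: str) -> dict:
    """Minimal parser for a request Cookie header such as 'a=1; b=2'."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def validate_session(cookie_header: str, user_agent: str, now: float = None):
    """Return (session_record, "ok") or (None, reason).

    The role comes from the server store, never from the cookie, so a
    client-added ADMIN=TRUE pair is simply ignored."""
    now = time.time() if now is None else now
    token = parse_cookie_header(cookie_header).get(COOKIE_NAME, "")
    session_id, sep, tag = token.rpartition(".")
    if not sep:
        return None, "malformed"
    if not hmac.compare_digest(tag.encode(), _sign(session_id).encode()):
        return None, "bad signature"          # tampered or forged identifier
    record = SESSIONS.get(session_id)
    if record is None:
        return None, "unknown session"
    if now > record["exp"]:
        SESSIONS.pop(session_id, None)        # expired sessions are discarded
        return None, "expired"
    if not hmac.compare_digest(record["ua_hash"].encode(), _ua_hash(user_agent).encode()):
        return None, "browser mismatch"       # token replayed from another client
    return record, "ok"
```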

How to find out the password from someone else's account through cookies?

To obtain someone else's authorization data, you must first get to the file in which it was saved.

For those who use Mozilla Firefox, open the Tools tab in the main menu. Then, in the settings, you will find the "Protection" section, where all the important information about social-network accounts is kept. All passwords are hidden, so click the "Display" button. Right there you can also set protection and assign a special code; then no one but you will be able to see this information.

In Opera, only usernames are available for general viewing, but in the menu you can find a password manager and view everything stored on your computer; see the manager for the complete list. To gain access to the passwords, you need to install an additional extension.

In Google Chrome, all this material can be seen in the advanced settings, where there is a tab with all saved cookies.

Unfortunately, the standard Internet Explorer browser lacks these features. To find out about the web platforms the PC owner visits, you need to download a special program. It can be found free on the Internet and is completely safe, but it is better to download it from trusted sources. Do not forget that any program must be checked with an antivirus; this is especially true of utilities that work with passwords.

This technique is only suitable for those who have physical access to the victim's computer. You can also find out someone else's password if the person logged in to the platform on your PC and saved their data.

Programs to steal cookies

There are many hacker forums on the Internet where hackers communicate with each other. People go there hoping to get free help, and it is there that you can find a huge number of different programs for hacking. We want to warn you that you should not trust these programs. Utilities for remotely stealing cookies from someone else's device are dummies or virus programs. If you download such software to your PC, you will most likely fall into a scammer's trap yourself. Swindlers offer their programs for free; in this way they spread malicious software and gain control over other people's computers. In general, such programs are a scam, and you will see this from their interface and content. If you are going to use any software for extracting files, let it be a sniffer. Of course, using one is not so easy, and it is not easy to find a good sniffer on the Internet either. But such software is available from specialists who can sell it to you for money. Remember that there are many scammers, each with their own tricks. You should only trust hackers who have a good reputation, have reviews and have their own website.

In conclusion, I would like to note that stealing cookies is a really powerful and highly effective method. If you want to hack someone's profile on a social network or messenger, be sure to consider this option. The method works best when you can use the victim's computer; obtaining the material remotely is much harder, but you can use our advice and try to apply the method in practice.


“A smartphone with hacking tools? There is no such thing,” we would have told you just recently. Some familiar attack tools could be launched only on Maemo devices. Now many familiar tools have been ported to iOS and Android, and some hack tools have been written specifically for the mobile environment. Can a smartphone replace a laptop in penetration tests? We decided to check.

ANDROID

Android is a popular platform not only for mere mortals but also for the right people. The number of useful hacking utilities is simply off the scale, and for that we can thank the system's UNIX roots, which greatly simplified porting many tools to Android. Alas, Google does not allow some of them in the Play Store, so you will have to install the corresponding APKs manually. Some utilities also require maximum access to the system (for example, the iptables firewall), so take care of root access in advance. Each manufacturer uses its own technology, but finding the necessary instructions is quite simple: a decent set of HOWTOs has been put together by the LifeHacker resource (bit.ly/eWgDlu), and if your model is not there, the XDA-Developers forum (www.xda-developers.com) always comes to the rescue with information on virtually any Android phone model. One way or another, some of the utilities described below will work without root access.

Package manager

BotBrew
Let's start our overview with an unusual package manager. The developers call it "superuser utilities", and this is not far from the truth. After installing BotBrew, you get a repository from which you can download a huge number of familiar tools compiled for Android. Among them: Python and Ruby interpreters for running the many tools written in them, the tcpdump sniffer and the Nmap scanner for network analysis, Git and Subversion for working with version control systems, and much more.

Network scanners

PIPS
An inconspicuous smartphone that, unlike a laptop, fits easily into a pocket and never arouses suspicion can be useful for network exploration. We have already said above how you can install Nmap, but there is another option. PIPS is a specially adapted, albeit unofficial, port of the Nmap scanner for Android. It means you can quickly find active devices on the network, determine their OS using the fingerprinting options, perform a port scan - in short, do everything that Nmap can do.

Fing
Nmap, for all its power, has two problems. First, the scan parameters are passed as launch switches, which you need not only to know but also to be able to enter from an inconvenient mobile keyboard. Second, the scan results in the console output are not as descriptive as we would like. The Fing scanner is free of these shortcomings: it scans the network very quickly, does fingerprinting, and then displays a list of all available devices in an understandable form, grouped by type (router, desktop, iPhone, and so on). At the same time, for each host you can quickly see a list of open ports, and from right there you can connect, say, to FTP using the FTP client installed on the system - very convenient.

NetAudit
When it comes to analyzing a specific host, NetAudit can be indispensable. It works on any Android device (even a non-rooted one) and allows you not only to quickly identify devices on the network but also to examine them using a large fingerprinting database to determine the operating system, as well as the CMS used on the web server. The database currently contains more than 3000 fingerprints.

Net Tools
If, on the contrary, you need to work at a lower level and thoroughly investigate how the network operates, you cannot do without Net Tools. This is an indispensable set of utilities for a system administrator's work that lets you fully diagnose the network to which the device is connected. The package contains more than 15 different programs, such as ping, traceroute, arp, dns, netstat, route.

Traffic manipulation

Shark for Root
A tcpdump-based sniffer that honestly logs all data into a pcap file, which can then be examined with familiar utilities such as Wireshark or Network Miner. Since it implements no MITM capabilities, it is rather a tool for analyzing your own traffic. For example, it is a great way to learn what the programs installed on your device from questionable repositories are transmitting.

FaceNiff
If we talk about combat applications for Android, one of the most sensational is FaceNiff, which implements interception of, and injection into, intercepted web sessions. After downloading the APK package, you can launch this hack tool on almost any Android smartphone and, by connecting to a wireless network, intercept accounts of various services: Facebook, Twitter, VKontakte and so on - more than ten in total. Session hijacking is performed by means of an ARP spoofing attack, but it is possible only on unsecured connections (FaceNiff cannot wedge into SSL traffic). To restrain the flow of script kiddies, the author limited the maximum number of sessions to three; beyond that you need to contact the developer for a special activation code.

DroidSheep
While the creator of FaceNiff wants money for using it, DroidSheep is a completely free tool with the same functionality. True, you will not find a distribution on the official website (due to Germany's harsh laws on security utilities), but it is easy to find on the Web. The utility's main task is to intercept users' web sessions on popular social networks, implemented with the same ARP spoofing. But secure connections are the problem: like FaceNiff, DroidSheep flatly refuses to work with HTTPS.

Network Spoofer
This utility also demonstrates the insecurity of open wireless networks, but from a slightly different angle. It does not intercept user sessions; instead, it routes HTTP traffic through itself using a spoofing attack and performs the specified manipulations on it, ranging from ordinary pranks (replacing all pictures on a site with trollfaces, flipping all images, or, say, changing Google search results) to phishing attacks in which fake pages of popular services such as facebook.com, linkedin.com, vkontakte.ru and many others are substituted for the real ones.

Anti (Android Network Toolkit by zImperium LTD)
If you ask which hack utility for Android is the most powerful, Anti probably has no competitors. This is a real hacker's combine harvester. The program's main task is to scan the network perimeter. Then various modules enter the battle, with which a whole arsenal is implemented: sniffing traffic, performing MITM attacks, and exploiting the vulnerabilities found. True, there are disadvantages too. The first thing that catches the eye is that vulnerabilities are exploited only from the program's central server on the Internet, so you can forget about targets that do not have an external IP address.

Tunneling traffic

Total Commander
The well-known file manager is now on smartphones! As in the desktop version, there is a plug-in system for connecting to various network directories, as well as the canonical two-pane mode - especially convenient on tablets.

SSH Tunnel
Okay, but how do you keep your data safe on an open wireless network? Apart from the VPN that Android supports out of the box, you can set up an SSH tunnel. For this there is the wonderful SSH Tunnel utility, which wraps the traffic of selected applications, or of the entire system, through a remote SSH server.

ProxyDroid
It is often necessary to send traffic through a proxy or SOCKS server, and in that case ProxyDroid helps out. It's simple: you choose which applications' traffic you want to tunnel and specify the proxy (HTTP / HTTPS / SOCKS4 / SOCKS5 are supported). If authorization is required, ProxyDroid supports that too. Incidentally, the configuration can be tied to a specific wireless network, with different settings for each.

Wireless network

Wifi Analyzer
The built-in wireless network manager is not very informative. If you need to get a complete picture of nearby access points quickly, the Wifi Analyzer utility is an excellent choice. It will not only show all nearby access points but also display the channel on which they operate, their MAC address and, most importantly, the type of encryption used (seeing the cherished letters "WEP", we can assume that access to the "secured" network is as good as granted). In addition, thanks to a clear signal level indicator, the utility is ideal for finding where the desired access point is physically located.

WiFiKill
This utility, according to its developer, can be useful when the wireless network is packed with clients who use up the whole channel, and at that very moment you need a good, stable connection. WiFiKill lets you disconnect clients from the Internet either selectively or by a specific criterion (for example, you can play a joke on all the Apple users). The program simply performs an ARP spoofing attack and redirects all clients to itself; this mechanism is trivially implemented on top of iptables. Such is the control panel for fast-food wireless networks :).
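The session-hijacking tools in the traffic manipulation section and the client-kicking trick just described all rest on the same ARP spoofing, which leaves a visible trace on the segment. The following ARP-cache watcher is an added example from a defender's side (it is not part of the original article or of any tool named in it): it flags a known binding such as the gateway suddenly "moving" to another MAC, and one MAC claiming to be several hosts at once. The gateway binding is assumed to be known in advance; all IP and MAC addresses are constructed sample data.

```python
"""Detecting ARP-spoofing traces on a Wi-Fi segment (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply: 'sender_ip is at sender_mac'."""
    ts: float
    sender_ip: str
    sender_mac: str


class ArpWatch:
    """Tracks IP-to-MAC claims and raises two kinds of alert:
      1. a known or previously learned address moves to a different MAC;
      2. one MAC claims claim_threshold different addresses (a poisoner
         answering for the gateway and for every client it wants to hijack).
    A router holding several IP aliases would also trip alert 2, so the
    threshold should be tuned to the segment."""

    def __init__(self, trusted: Optional[Dict[str, str]] = None, claim_threshold: int = 3):
        # Static known-good bindings (assumed here: the gateway) beat learned ones.
        self.trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.learned: Dict[str, str] = {}
        self.ips_by_mac: Dict[str, set] = defaultdict(set)
        self.claim_threshold = claim_threshold

    def observe(self, reply: ArpReply) -> List[str]:
        alerts = []
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        expected = self.trusted.get(ip) or self.learned.get(ip)
        if expected is None:
            self.learned[ip] = mac                    # first sighting of this host
        elif expected != mac:
            alerts.append(f"t={reply.ts:.0f} {ip} moved from {expected} to {mac}")
        claimed = self.ips_by_mac[mac]
        claimed.add(ip)
        if len(claimed) == self.claim_threshold:      # fire once, when the threshold is hit
            alerts.append(f"t={reply.ts:.0f} {mac} claims {len(claimed)} addresses: "
                          + ", ".join(sorted(claimed)))
        return alerts


def analyse(replies: List[ArpReply], trusted: Dict[str, str]) -> List[str]:
    """Run a batch of observed replies through one watcher and collect the alerts."""
    watch = ArpWatch(trusted)
    alerts: List[str] = []
    for reply in replies:
        alerts.extend(watch.observe(reply))
    return alerts


# Constructed sample: a quiet network, then a phone (constructed MAC de:ad:be:ef:00:01)
# poisoning the caches by answering for the gateway and for every client.
GATEWAY = {"192.168.1.1": "aa:bb:cc:00:00:01"}
SAMPLE_REPLIES = [
    ArpReply(0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply(1, "192.168.1.10", "aa:bb:cc:00:00:10"),
    ArpReply(2, "192.168.1.11", "aa:bb:cc:00:00:11"),
    ArpReply(30, "192.168.1.1", "de:ad:be:ef:00:01"),   # gateway "moves"
    ArpReply(31, "192.168.1.10", "de:ad:be:ef:00:01"),
    ArpReply(32, "192.168.1.11", "de:ad:be:ef:00:01"),  # third address: claim alert
]

if __name__ == "__main__":
    for line in analyse(SAMPLE_REPLIES, GATEWAY):
        print(line)
```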

Web application audit

HTTP Query Builder
Manipulating HTTP requests from a computer is a breeze; there are huge numbers of utilities and browser plugins for it. On a smartphone, things are a little more complicated. HTTP Query Builder helps you send a custom HTTP request with the parameters you need, for example a particular cookie or a changed User-Agent. The result of the query is displayed in the standard browser.

Router Brute Force ADS 2
If a site is password protected using Basic Access Authentication, you can check its strength with the Router Brute Force ADS 2 utility. The utility was originally created to brute-force passwords for router admin panels, but it can clearly be used against any other resource with similar protection. The utility works, but is clearly raw: for example, the developer provides no exhaustive brute force, only dictionary attacks.

AnDOSid
You have probably heard of Slowloris, the notorious program for disabling web servers. Its principle of operation is to create and hold open the maximum number of connections to a remote web server, thereby preventing new clients from connecting. AnDOSid is an analogue of Slowloris right on the Android device! I'll tell you a secret: two hundred connections are enough to make every fourth website running the Apache web server unstable. And all this from your phone!

Miscellaneous utilities

Encode
When working with many web applications and analyzing their logic, it is quite common to encounter data transmitted in encoded form, namely Base64. Encode helps you decode this data and see exactly what is stored in it. Perhaps, by substituting a quotation mark, encoding it back into Base64 and putting it back in the URL of the site under investigation, you will receive the coveted database query error.

HexEditor
If you need a hex editor, Android has one too. With HexEditor you can edit any files, including system files, if you grant the program superuser rights. It is also an excellent replacement for the standard text editor, letting you easily find the desired piece of text and change it.

Remote access

ConnectBot
Once you have access to a remote host, you need to be able to use it, and that requires clients. Let's start with SSH, where ConnectBot is already the de facto standard. In addition to a user-friendly interface, it can set up secure tunnels over SSH connections.

PocketCloud Remote RDP / VNC
A useful program for connecting to a remote desktop via RDP or VNC. I am very glad that these are two clients in one; there is no need for separate tools for RDP and VNC.

SNMP MIB Browser
A MIB browser written specifically for Android, with which network devices can be managed via the SNMP protocol. It can be useful for developing an attack vector against various routers, because default community strings (in other words, the passwords for SNMP management) have not gone away yet.

iOS

The iOS platform is no less popular among developers of security utilities. But if in the case of Android, root rights were needed only for some applications, then on Apple devices, jailbreak is almost always required. Fortunately, even the latest iDevice firmware (5.1.1) already has a jailbreak tool. Along with full access, you also get an alternative application manager Cydia, which already contains many utilities.

Working with the system

MobileTerminal
The first thing to start with is installing a terminal. For obvious reasons it is not included in the standard delivery of the mobile OS, but we need it to run the console utilities discussed further on. The best terminal emulator is MobileTerminal: it supports several terminals at once, gestures for control (for example, for sending Control-C) and generally impresses with its thoughtfulness.

iSSH
Another, more complicated option for accessing the device's console is to install OpenSSH on it (via Cydia) and connect to it locally with an SSH client. If you use the right client, such as iSSH, which has amazingly well implemented touch-screen control, this method is even more convenient than MobileTerminal.

Data interception

Pirni & Pirni Pro
Now that you have access to the console, you can try the utilities. Let's start with Pirni, which went down in history as a full-fledged sniffer for iOS. Unfortunately, the constructively limited Wi-Fi module built into the device cannot be switched to the promiscuous mode required for normal data interception. So, to intercept data, classic ARP spoofing is used, with which all traffic is routed through the device itself. The standard version of the utility is launched from the console, where, in addition to the MITM attack parameters, the name of the PCAP file into which all traffic is logged is specified. The utility has a more advanced version, Pirni Pro, which boasts a graphical interface. Moreover, it can parse HTTP traffic on the fly and even automatically extract interesting data (for example, usernames and passwords) using regular expressions set in the settings.

Intercepter-NG (console edition)
The well-known sniffer Intercepter-NG, about which we have written many times, recently gained a console version. As the author says, most of the code is written in pure ANSI C, which behaves the same in almost any environment, so the console version worked from the very beginning on desktop Windows, Linux and BSD, as well as on mobile platforms, including iOS and Android. The console version already implements grabbing of passwords transmitted over a variety of protocols, interception of messenger messages (ICQ / Jabber and many others), and resurrection of files from traffic (HTTP / FTP / IMAP / POP3 / SMTP / SMB). Network scanning functions and high-quality ARP Poison are available as well. For correct operation, you must first install the libpcap package via Cydia (do not forget to enable developer packages in the settings). All the startup instructions boil down to setting the correct permissions: chmod +x intercepter_ios. Then, if you run the sniffer without parameters, Intercepter's clear interactive interface appears, allowing you to launch any of the attacks.

Ettercap-NG
It's hard to believe, but this most complex tool for MITM attacks has been ported to iOS as well. After colossal work, a full-fledged mobile port came out. To spare yourself from fiddling with dependencies when compiling it yourself, it is better to install the ready-built package via Cydia after adding theworm.altervista.org/cydia as a source (the TWRepo repository). The set also includes the etterlog utility, which helps extract various useful information from the collected traffic dump (for example, FTP accounts).

Analysis of wireless networks

WiFi Analyzer
In older versions of iOS, craftsmen ran aircrack and could break a WEP key, but we checked: the program does not work on new devices. Therefore, to explore Wi-Fi we have to be content with Wi-Fi scanners only. WiFi Analyzer analyzes and displays information about all available 802.11 networks around you, including SSID, channels, vendors, MAC addresses and encryption types. The utility builds visual graphs in real time from the data on the air. With such a program it is easy to find the physical location of an access point if you have forgotten it, and, for example, to look at the WPS PIN, which can be useful for connecting.

Network scanners

Scany
What program does any pentester use anywhere in the world, regardless of goals and objectives? A network scanner. On iOS it will most likely be the most powerful toolkit, Scany. With its set of built-in utilities you can quickly get a detailed picture of network devices and, for example, open ports. In addition, the package includes network testing utilities such as ping, traceroute, nslookup.

Fing
However, many people prefer Fing. The scanner's functionality is fairly simple and limited, but quite enough for a first acquaintance with the network of, say, a cafeteria :). The results show available services on remote machines, MAC addresses and the host names connected to the scanned network.

Nikto
It would seem that everyone has forgotten about Nikto, but why? After all, this web vulnerability scanner, written in a scripting language (namely Perl), can easily be installed through Cydia, which means you can launch it on your jailbroken device from the terminal just as easily. Nikto will happily provide additional information about the web resource under test. In addition, you can add your own search signatures to its knowledge base.

sqlmap
This powerful tool for automatic exploitation of SQL vulnerabilities is written in Python, which means that once the interpreter is installed it can be used without any problems directly from a mobile device.

Remote control

SNMP Scan
Many network devices (including expensive routers) are managed via SNMP. This utility lets you scan subnets for available SNMP services with a known community string (in other words, default passwords). Note that searching for SNMP services with default community strings (public / private) in an attempt to gain access to device management is an integral part of any penetration test, along with identifying the perimeter itself and exposing the services.

iTap mobile RDP / iTap mobile VNC
Two utilities from the same vendor, designed to connect to a remote desktop using the RDP and VNC protocols. There are many similar utilities in the App Store, but these are especially convenient to use.

Password recovery

Hydra
The legendary program that helps millions of hackers around the world "remember" passwords has been ported to iOS. It is now possible to brute-force passwords for services such as HTTP, FTP, TELNET, SSH, SMB, VNC, SMTP, POP3 and many others directly from an iPhone. For a more effective attack, however, it is better to stock up on good brute-force dictionaries.

Pass Mule
Everyone knows firsthand about the vulnerability that is the use of default passwords. Pass Mule is a kind of directory containing all sorts of default logins and passwords for network devices. They are conveniently categorized by vendor name, product and model, so finding the right one is easy. The program is designed more to save the time spent searching for the manual of a router whose default login and password you need to look up.

Exploiting vulnerabilities

Metasploit
It's hard to imagine a more hacker-oriented utility than Metasploit, and it is this one that concludes today's review. Metasploit is a multi-tool package whose main task is to exploit vulnerabilities in software. Imagine: about 1000 reliable, proven exploits, indispensable in the daily life of a pentester, right on your smartphone! With such a tool you can really settle into any network. Metasploit allows not only exploiting flaws in server applications; there are also tools for attacks on client applications (for example, through the Browser Autopwn module, when a payload is injected into client traffic). Here I must say that there is no mobile version of the toolkit; however, you can install the standard package on an Apple device using.

Hello, I would like to devote this short article, or rather this short description, to the simplest way to intercept cookies on a wi-fi network. What cookies are and why they are needed I will not explain here; if a person has an idea of intercepting "cookies" on a wireless network, I think he should know what they are and why he needs them. I can only say one thing: with the help of these files you can get access to other people's accounts on various sites that require users to go through an authentication process (for example, mail.ru, vkontakte.ru, etc.).

So let's get started. First we need to find the wireless network itself, with an open gateway for Internet access, and preferably one with many clients. For example, any network in a large shopping mall, airport or coffee house will do; in such places people usually use wi-fi access to the Internet to read mail, check accounts on various dating sites, and view LiveJournal and all kinds of forums. This is just what we need. Having decided on the network location and studied the hours when the number of clients is at its maximum, we proceed directly to the hostilities. For this we need a laptop with a wi-fi adapter and a certain set of programs. In my case, I used an Acer Aspire 3610 laptop, a D-Link DWL G650 client wi-fi card and the BackTrack3 OS.

I advise you to use this OS, since it already includes the entire set of programs you may need, and its most important advantage is that you do not need to install BackTrack on your hard disk: you can boot this OS directly from a CD or flash drive.

Now let's move on to the required software. I used Kismet to detect networks and WifiZoo to intercept cookies. I will dwell on the second program in detail. WifiZoo is a passive scanner that collects quite a lot of useful information, such as POP3 and SMTP traffic, HTTP cookies/authinfo, MSN, FTP credentials, Telnet network traffic, NBT, etc. The only drawback of this program is the lack of a channel-hopping mode: WifiZoo just listens on the wireless interface and cannot, so to speak, jump from channel to channel. But this disadvantage is compensated for by another program, Kismet, which does support this mode. To run WifiZoo you need:

  • python
  • scapy
  • Kismet

So we launch the programs: first Kismet, to provide the channel-hopping mode, then WifiZoo itself. You should see the following window:

Now all that remains is to sit and wait until something is intercepted. Everything the program intercepts can be found in the logs, located in the logs/ directory inside the program directory. You can also launch the GUI, which is automatically brought up over HTTP at 127.0.0.1:8000.

I will not write about all the features of this wonderful program; I think you will figure out the rest of its possibilities yourself, since at the moment we are only interested in cookies. Click on the link labeled cookies and see what we have intercepted:

Have you ever wondered how visitors are personalized on some Web sites? This can take the form, for example, of remembering the contents of a shopping "cart" (if the site sells goods) or the way the fields of some form were filled in. The HTTP protocol, which is the basis of the World Wide Web, has no means of tracking events from one visit to a site to the next, so a special extension was developed to make it possible to store this "state". This mechanism, described in RFC 2109, inserts special pieces of data called cookies into HTTP requests and responses to enable Web sites to track their visitors.

Cookie data can be remembered for the duration of the communication session (per session), staying in RAM for one session and being deleted when the browser is closed, or after a specified period of time has elapsed. In other cases cookies are persistent, remaining on the user's hard disk as a text file. They are usually stored in the Cookies directory (%windir%\Cookies in Win9x and %userprofile%\Cookies in NT/2000). It is not hard to guess that after capturing cookies on the Internet, an attacker can impersonate a user of that computer or collect important information contained in these files. As you read the following sections, you will see how easy it is to do this.

Interception of cookies

The most direct way is to intercept cookies as they are transmitted over the network. The intercepted data can then be used when logging into the corresponding server. This can be done with any packet capture utility, but one of the best is Laurentiu Nicula's SpyNet/PeepNet. SpyNet includes two utilities that work together: CaptureNet captures the packets themselves and saves them to disk, and PeepNet opens the file and converts it into a readable format. The following example is a fragment of a communication session recovered by PeepNet, during which a cookie is used to authenticate and control access to the pages being viewed (names have been changed to preserve anonymity).

GET http://www.victim.net/images/logo.gif HTTP/1.0
Accept: */*
Referrer: http://www.victim.net/
Host: www.victim.net
Cookie: jrunsessionid=96114024278141622; cuid=TORPM!ZXTFRLRlpWTVFISEblahblah

In the example above, you can see a piece of cookie data placed in an HTTP request to the server. The most important field is cuid=, which specifies a unique identifier used to authenticate a user on the www.victim.net site. Suppose that the attacker then visits victim.net and receives his own ID and cookie (it is assumed that the site does not keep the cookie data in memory only, but writes it to the hard disk). The attacker can then open his own cookie and replace the identifier in the cuid= field with the one from the intercepted packet. In this case, when he enters the victim.net server, he will be treated as the user whose cookie data was intercepted.

PeepNet's ability to replay the entire communication session or a fragment of it greatly facilitates attacks of this type. Using the Go get it! button you can re-fetch the pages that were viewed by the user, using their cookie data previously captured by CaptureNet. In the PeepNet dialog window you can see information about someone's completed orders. The cookie data captured by CaptureNet is used for authentication. Notice the frame in the lower-right corner of the session data dialog and the line that follows the Cookie: line. This is the cookie used for authentication.

This is a pretty neat trick. CaptureNet can also provide a complete record of the traffic in decoded form, which is almost equivalent to the capabilities of professional-grade utilities such as Sniffer Pro from Network Associates, Inc. SpyNet is even better, though: you can get it for free!

Countermeasures

Watch out for sites that use cookies to authenticate and store sensitive credentials. Kookaburra Software's Cookie Pal, available at http://www.kburra.com/cpal.html, is one security tool that helps here. It can be configured to warn the user whenever a Web site attempts to use the cookie mechanism; this way you can "look behind the scenes" and decide whether to allow it. Internet Explorer has a built-in cookie control mechanism. To activate it, launch the Internet Options applet in the Control Panel, go to the Security tab, select the Internet zone, choose Custom Level, and for persistent and per-session cookie data set the radio button to Prompt. To configure the use of cookies in the Netscape browser, use Edit > Preferences > Advanced and the setting Warn me before accepting a cookie or Disable cookies (Figure 16.3). When you accept a cookie, you should check whether it has been written to disk and see whether the Web site is collecting information about users.

When visiting a site where cookies are used for authentication, make sure that the username and password initially provided are encrypted, at least with SSL. Then at least this information will not appear in plain text in the PeepNet window.
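The check described above can be automated on a capture like the PeepNet excerpt. The following Python script is an added example, not code from the article or from SpyNet/PeepNet: it parses proxy-style HTTP requests, splits the Cookie header into name=value pairs, and reports session-like cookies (names containing session, or the cuid/user/admin/id names the article singles out) that were sent over plain http rather than https. The sample capture, including the host www.victim.net, is constructed from the article's own excerpt.

```python
"""Audit captured HTTP requests for session cookies sent in the clear.
Added example, not code from the article or from SpyNet/PeepNet."""
import re

# Cookie names the article treats as authentication carriers.
SESSION_NAME_RE = re.compile(r"(session|^cuid$|^user|^admin|^id$)", re.I)

# Constructed capture: the article's request plus one sent over HTTPS.
SAMPLE_CAPTURE = """\
GET http://www.victim.net/images/logo.gif HTTP/1.0
Accept: */*
Referer: http://www.victim.net/
Host: www.victim.net
Cookie: jrunsessionid=96114024278141622; cuid=TORPM!ZXTFRLRlpWTVFISEblahblah

GET https://www.victim.net/account HTTP/1.0
Host: www.victim.net
Cookie: cuid=TORPM!ZXTFRLRlpWTVFISEblahblah; theme=dark
"""


def parse_cookie_header(value: str) -> dict[str, str]:
    """Split 'a=1; b=2' into a dict of name=value pairs; skip malformed parts."""
    cookies: dict[str, str] = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name:
            cookies[name] = val
    return cookies


def audit_capture(capture: str) -> list[dict]:
    """Return one finding per session-like cookie sent over plain http."""
    findings = []
    for request in capture.strip().split("\n\n"):
        lines = request.splitlines()
        # Proxy-style request line: METHOD scheme://host/path HTTP/x.y
        m = re.match(r"\w+\s+(https?)://([^/\s]+)", lines[0])
        if not m:
            continue
        scheme, host = m.group(1).lower(), m.group(2)
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() != "cookie":
                continue
            for cname in parse_cookie_header(value):
                if scheme == "http" and SESSION_NAME_RE.search(cname):
                    findings.append({"host": host, "cookie": cname})
    return findings
```

Running audit_capture(SAMPLE_CAPTURE) flags jrunsessionid and cuid from the first request and nothing from the HTTPS request, which is the point: the same cuid value is harmless on the wire only when the transport is encrypted.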

The authors would prefer to opt out of cookies entirely, if only so many of the Web sites they visit did not require them. For example, Microsoft's worldwide popular Hotmail service requires cookies in order to register. Since this service uses several different servers in the authentication process, adding them to the Trusted Sites zone is not easy (the process is described in "Using Secure Zones Wisely: General Troubleshooting of ActiveX Elements"). In this case the *.hotmail.com designation will help. Cookies are far from an ideal solution to the statelessness problem of HTTP, but the alternative approaches seem even worse (for example, adding an identifier to the URL, which may then be stored on proxy servers). Until a better idea emerges, the only way out is to control cookies using the methods listed above.

Capturing cookies via URL

Imagine something horrible: Internet Explorer users click on specially crafted hyperlinks and become potential victims, at risk of their cookies being intercepted. Bennett Haselton and Jamie McCarthy of Peacefire, a youth organization that promotes freedom of communication on the Internet, published a script that brings this idea to life. The script retrieves cookies from a client computer when its user clicks on a link contained on the page. As a result, the contents of the cookie become available to the operators of the Web site.

This capability can be misused by embedding IFRAMEs in the HTML of a Web page, an HTML e-mail or a newsgroup post. The following example, provided by security consultant Richard M. Smith, demonstrates the use of IFRAMEs with a utility developed by Peacefire.