The picture shows that the cookie contains the string wordpress_logged_in_=admin. This value is stored in the cookie unencrypted and can easily be intercepted with the Achilles utility, although as a rule only a hash of the entry in question is visible in Achilles. Before sending the request to the server, you can try to replace this string with any similar one (although in this case it makes no sense); the number of attempts is not limited. Then, by sending this request to the server with the Send button, you can receive the response the server intended for the administrator.
In the previous example you can directly override the user ID. Beyond that, a parameter whose value is worth substituting, because doing so gives the hacker additional opportunities, may be named as follows: user (for example, USER=JDOE), any expression containing the string ID (for example, USER=JDOE or SESSIONID=BLAHBLAH), admin (for example, ADMIN=TRUE), session (for example, SESSION=ACTIVE), cart (for example, CART=FULL), and values such as TRUE, FALSE, ACTIVE, INACTIVE. The format of cookies usually depends heavily on the application that uses them; however, these tips for finding application flaws with cookies work for almost all formats.
Client-Side Countermeasures for Cookies
In general, users should be wary of Web sites that use cookies for authentication and for storing sensitive data. Remember also that a Web site that uses cookies for authentication must support at least SSL to encrypt the username and password; without it, the data is transmitted in the clear and can be intercepted with the simplest software for viewing data sent over the network.
Kookaburra Software has developed a tool to make working with cookies easier: CookiePal (http://www.kburra.com/cpal.html). The program alerts the user when a Web site tries to set a cookie on the machine, and the user can allow or deny the action. Similar cookie-blocking functions are now available in all browsers.
Another reason for the regular installation of web browser updates is the constantly revealed security flaws in these programs. For example, Bennet Haselton and Jamie McCarthy created a script that, after clicking a link, retrieves cookies from a client machine. As a result, the entire content of the cookies that are located on the user's machine becomes available.
A hack of this kind can also be done using the handle
To prevent such things from threatening our personal data, I do this myself and advise everyone: always update the software that handles HTML (e-mail clients, media players, browsers, etc.).
Many people prefer simply to block cookies; however, most Web sites require cookies in order to be viewed. The conclusion: if an innovative technology that makes it possible to do without cookies appears in the near future, programmers and administrators will breathe a sigh of relief, but meanwhile the cookie remains a tasty morsel for a hacker! This is true, since there is no better alternative yet.
Server-side countermeasures
When asked how to ensure server security, experts give one simple piece of advice: do not use the cookie mechanism unnecessarily! Particular care is needed with cookies that remain on the user's system after the communication session ends.
It is, of course, important to understand that cookies can be used on Web servers to authenticate users. If the application being developed nevertheless needs cookies, the mechanism should be configured so that a different key with a short validity period is used for each session, and information that a hacker could use for an attack (such as ADMIN=TRUE) should not be stored in these files.
In addition, to make cookies more secure, you can encrypt them to prevent the extraction of sensitive information. Of course, encryption does not solve every security problem of the cookie mechanism, but it will prevent the simplest attacks described above.
How to steal cookies
Stealing cookies is a hacking method that works well and is used by many hackers. If you also want to try it but do not know what to do, read our recommendations.
What are cookies?
This is information about a user's visits to a specific site. It is stored in a separate text document, and a variety of information can be found there, including logins, passwords, e-mail addresses and phone numbers. That is why crackers are eager to get hold of these documents, and they use different methods to steal the material they need.
How to steal cookies
XSS vulnerability
It can be found and exploited on any site. When a specialist finds a vulnerability, he injects special code into it. The code differs depending on the purpose; it is written for a specific resource. When a user visits this page and refreshes it, all the changes take effect. The code then goes to work: it is injected into the victim's computer and collects all the necessary information from the browser.
To enter the code, you can use any type of vulnerability - an error on a web resource, in a browser or on a computer system.
There are two types of XSS attacks:
Passive, aimed at the page script. In this case you need to look for vulnerabilities in page elements, for example a dialog tab, a search box, a video directory, etc.
Active, which should be looked for on the server. They are especially common on forums, blogs and chats.
How to get a person to apply XSS?
The task is not easy, because to activate the code the user often has to click on a link containing it. The link can be disguised and sent in an e-mail together with an attractive offer, for example a big discount in an online store. It can also be embedded in a picture; the user will very likely view it without suspecting anything.
Sniffer installation
This is the installation of specialized programs to monitor traffic on someone else's device. A sniffer lets you intercept transmitted sessions containing other people's data, so you can obtain all the logins and passwords, addresses and any other important information the user sends over the network. Such attacks are most often carried out against unprotected HTTP data; unsecured Wi-Fi works well for this.
There are several ways to implement sniffer:
- Copy traffic;
- Data analysis using traffic attacks;
- Listening to interfaces;
- Sniffer insertion into the channel gap.
All data is stored on the web server in its original form; if you change it, that is considered substitution. All the captured material can be used on another computer, and thus you gain full access to the user's personal data. Cookies can be modified using browser settings, add-ons or special programs; editing is also possible in any standard text editor, such as Notepad, on a PC.
Stealing cookies with a virus
Experts advise against using cookies unless there is a particular need for it. If it is possible to disable them, it is best to do so. This is because cookies are very vulnerable. They are often stolen by intruders. From these files, you can get a huge amount of personal confidential information that will be used against a person. The most dangerous kind of files are those that remain on the system when the session has already ended.
Cookies are often stolen using a virus utility. This is done quite simply: a virus is embedded in some harmless-looking utility that collects certain material on the computer. The virus program connects to its owner's server. The program must be configured so that the browser uses it as a proxy server.
When the program gets to the victim's PC, it will automatically start collecting all stored data and send it to you.
Viruses are different, and their functions may also differ. Some allow you to completely control the browser and view any information. Others are capable of stealing protected materials. Still others collect only unprotected data.
Planting a virus program on someone else's computer may prove difficult: you need to get the user to download and run it. Either send him a letter with a link to the program, or pass the program off as safe and wait for the person to download it from your site.
How to protect cookies from theft?
Most of the web resources are not secure enough. Hackers easily find vulnerabilities and bugs on these platforms.
Cookie protection rules:
- Bind the computer id to the current session. Then, when you enter the site from an external device, a new session will be started, data from the previous one will not be retrieved.
- Bind the session to the browser. The same principle will work as in the previous paragraph.
- Encrypt the parameters transmitted over the network. Then the information stored in the document will be impossible to understand. It will be useless to the one who intercepted it. This technique will not protect you 100%, some experts are able to decipher any material.
- Create a separate folder for identifiers.
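The server-side countermeasures given earlier (a different short-lived key per session, nothing like ADMIN=TRUE in the cookie, encryption or integrity protection) and the protection rules just listed (binding the session to the machine and browser) can be combined in one small session store. The code below is an added example written for this page, not code from any of the articles it collects; the function names, the session table and the 15-minute lifetime are assumptions.

```python
"""Added example: a session cookie that is random, short-lived, integrity-protected
with an HMAC under a server secret, and bound to the browser and address that created it.
The contrast is a cookie whose value itself carries authority, such as ADMIN=TRUE."""
import hashlib
import hmac
import os
import secrets
import time

# Assumed server-side secret; a real deployment would load it from a key store.
SERVER_SECRET = os.urandom(32)
SESSION_TTL = 15 * 60  # seconds; a short validity period, as the text recommends

# Server-side session table: session id -> (user, expiry time, client fingerprint)
_SESSIONS = {}


def client_fingerprint(user_agent, remote_addr):
    """Bind a session to the browser and address it came from (rules 1 and 2 above)."""
    return hashlib.sha256(f"{user_agent}|{remote_addr}".encode()).hexdigest()


def _sign(session_id):
    """HMAC tag so the client cannot forge or edit the identifier it holds."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def issue_session(user, user_agent, remote_addr, now=None):
    """Create a session and return the cookie value to send to the client."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)  # random; says nothing about the user or role
    _SESSIONS[session_id] = (user, now + SESSION_TTL,
                             client_fingerprint(user_agent, remote_addr))
    return f"{session_id}.{_sign(session_id)}"


def set_cookie_header(cookie_value):
    """Set-Cookie value: TLS only, unreadable by page script (XSS), not sent cross-site."""
    return (f"sid={cookie_value}; Max-Age={SESSION_TTL}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def verify_session(cookie_value, user_agent, remote_addr, now=None):
    """Return the user owning a valid cookie, or None if the cookie must be rejected."""
    now = time.time() if now is None else now
    session_id, sep, tag = cookie_value.partition(".")
    if not sep or not hmac.compare_digest(tag, _sign(session_id)):
        return None  # malformed, tampered or forged (e.g. a hand-written ADMIN=TRUE)
    entry = _SESSIONS.get(session_id)
    if entry is None:
        return None  # unknown or already revoked
    user, expiry, fingerprint = entry
    if now > expiry:
        _SESSIONS.pop(session_id, None)
        return None  # expired: a short lifetime limits the value of a stolen cookie
    if fingerprint != client_fingerprint(user_agent, remote_addr):
        return None  # replayed from a different browser or address
    return user


if __name__ == "__main__":
    cookie = issue_session("admin", "Mozilla/5.0 (X11)", "192.0.2.10", now=1000.0)
    print(set_cookie_header(cookie))
    print(verify_session(cookie, "Mozilla/5.0 (X11)", "192.0.2.10", now=1100.0))   # admin
    print(verify_session(cookie, "Mozilla/5.0 (X11)", "198.51.100.7", now=1100.0))  # None
```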
How to find out the password from someone else's account through cookies?
To get someone else's data for authorization, you must first get to the file in which they were saved.
Those who use Mozilla Firefox need to open the Tools tab in the main menu. Then, in the settings, find the "Protection" section, where you should look for all the important information about social-network accounts. All passwords are hidden, so click the "display" button. Right there you can also set protection with a special code; then no one except you will be able to see this information.
In Opera, only usernames are available for general viewing, but in the menu you can find the password manager and view everything stored on your computer. See the manager for the complete list. To gain access to the passwords, you need to install an additional extension.
In Google Chrome, all these materials can be seen in the advanced settings. There is a tab with all saved cookies.
Unfortunately, the standard Internet Explorer browser does not have these features. To find out about the web platforms the PC owner visits, you need to download a special program. It can be found on the Internet for free and is completely safe, but it is better to download it from trusted sources. Do not forget that any program must be checked with an antivirus; this is especially true of utilities that work with passwords.
This technique is only suitable for those who have physical access to the victim's computer. You can also find out someone else's password if a person is authorized on the platform through your PC and saved their data.
Programs to steal cookies
There are many hacker forums on the Internet where hackers communicate with each other. People go there hoping to get free help, and it is there that you can find a huge number of different hacking programs. We want to warn you not to trust these programs: utilities for remotely stealing cookies from someone else's device are either dummies or viruses. If you download such software to your PC, you will most likely fall into a scammer's trap yourself. Swindlers distribute their programs for free; this is how they spread malware and gain control over other people's computers. In general, such programs are a scam, and you will recognize this by their interface and content. If you are going to use any software for extracting files, let it be a sniffer. Of course, using one is not so easy, and it is not easy to find a good sniffer on the Internet, but such software is available from specialists who will sell it to you for money. Remember that there are many scammers, each with their own tricks; trust only established hackers who have a good reputation, reviews and their own website.
In conclusion, I would like to note that stealing cookies is a really powerful method whose effectiveness is very high. If you want to hack someone's profile on a social network or messenger, be sure to consider this option. The method works best when you can use the victim's computer; obtaining the material from a distance is much more difficult, but you can use our advice and try to apply this method in practice.
"A smartphone with hacking tools? There is no such thing," we would have told you just recently. It was possible to launch some familiar attack tools only on Maemo. Now many familiar tools have been ported to iOS and Android, and some hack-tools have been written specially for the mobile environment. Can a smartphone replace a laptop in penetration tests? We decided to check.
ANDROID
Android is a popular platform not only for mere mortals but also for the right people: the number of useful hacker utilities is simply off the charts. For this we can thank the system's UNIX roots, which greatly simplified porting many tools to Android. Alas, Google does not allow some of them into the Play Store, so you will have to install the corresponding APKs manually. Some utilities also require maximum access to the system (for example, the iptables firewall), so you should take care of root access in advance. Each manufacturer uses its own technology, but finding the necessary instructions is quite simple: a decent set of HOWTOs has been put together by the LifeHacker site (bit.ly/eWgDlu), and if your model is not there, the XDA-Developers forum (www.xda-developers.com) always comes to the rescue with information on virtually any Android phone model. One way or another, some of the utilities described below will work without root access.
Package manager
BotBrew
Let's start our overview with an unusual package manager. The developers call it "superuser utilities", and this is not far from the truth. After installing BotBrew, you get a repository from which you can download a huge number of familiar tools compiled for Android, among them: Python and Ruby interpreters for running the many tools written in them, the tcpdump sniffer and Nmap scanner for network analysis, Git and Subversion for working with version control systems, and much more.
Network scanners
PIPS, Fing, Net Tools (screenshots only in the original; not reproduced here)
Traffic manipulation
Shark for Root, FaceNiff, DroidSheep, Network Spoofer, ANTI (screenshots only in the original; not reproduced here)
Tunneling traffic
Total Commander, SSH Tunnel (screenshots only in the original; not reproduced here)
Wireless network
Wifi Analyzer
The built-in wireless network manager is not very informative. If you need to get a complete picture of nearby access points quickly, the Wifi Analyzer utility is an excellent choice. It will not only show all nearby access points but also display the channel they operate on, their MAC address and, most importantly, the type of encryption used (seeing the cherished letters "WEP", one can assume that access to the "protected" network is as good as granted). In addition, thanks to a clear signal-level indicator, the utility is ideal if you need to find where the desired access point is physically located.
WiFiKill
This utility, according to its developer, can be useful when the wireless network is packed with clients who use up the entire channel, and at that very moment you need a good, stable connection. WiFiKill allows you to disconnect clients from the Internet either selectively or according to a specific criterion (for example, you can prank all the Apple devices). The program simply performs an ARP spoofing attack and redirects all clients to itself; this is implemented trivially on top of iptables. Such is the control panel for wireless fast-food networks :).
Web application audit
HTTP Query Builder, Router Brute Force ADS, AnDOSid (screenshots only in the original; not reproduced here)
Miscellaneous utilities
Encode (screenshot only in the original; not reproduced here)
Remote access
ConnectBot
Once you have access to a remote host, you need to be able to use it, and for that you need clients. Let's start with SSH, where ConnectBot is already the de facto standard. In addition to a user-friendly interface, it can set up secure tunnels over SSH connections.
PocketCloud Remote RDP/VNC, SNMP MIB Browser (screenshots only in the original; not reproduced here)
iOS
The iOS platform is no less popular among developers of security utilities. But whereas on Android root rights were needed only for some applications, on Apple devices a jailbreak is almost always required. Fortunately, even the latest iDevice firmware (5.1.1) already has a jailbreak tool. Along with full access, you also get the alternative application manager Cydia, which already contains many utilities.
Working with the system
MobileTerminal, iSSH (screenshots only in the original; not reproduced here)
Data interception
Pirni & Pirni Pro, Intercepter-NG, Ettercap-NG (screenshots only in the original; not reproduced here)
Analysis of wireless networks
WiFi Analyzer (screenshot only in the original; not reproduced here)
Network scanners
Scany
What program does every pentester use, anywhere in the world, regardless of goals and objectives? A network scanner. On iOS it will most likely be the powerful Scany toolkit. With its set of built-in utilities you can quickly get a detailed picture of network devices and, for example, open ports. The package also includes network testing utilities such as ping, traceroute and nslookup.
Fing
Many people, however, prefer Fing. The scanner's functionality is fairly simple and limited, but it is quite enough for a first acquaintance with the network of, say, a cafeteria :). The results show the available services on remote machines, and the MAC addresses and host names of hosts connected to the scanned network.
Nikto
It would seem that everyone has forgotten about Nikto, but why? This web vulnerability scanner, written in the scripting language Perl, can easily be installed through Cydia, which means you can launch it from the terminal on a jailbroken device. Nikto will gladly provide additional information about the web resource under test, and you can add your own search signatures to its knowledge base by hand.
sqlmap
This powerful tool for automatic exploitation of SQL injection vulnerabilities is written in Python, which means that once the interpreter is installed it can be used without any problems directly from a mobile device.
Remote control
SNMP Scan, iTap Mobile RDP (screenshots only in the original; not reproduced here)
Password recovery
Hydra, PassMule (screenshots only in the original; not reproduced here)
Exploiting vulnerabilities
Metasploit (screenshot only in the original; not reproduced here)
Hello, I would like to devote this short article, or rather short description, to the simplest way of intercepting cookies on a Wi-Fi network. I will not explain here what cookies are and why they are needed; if a person has an idea about intercepting "baked goods" on a wireless network, I think he should know what they are and why he needs them. I can say only one thing: with the help of these files you can gain access to other people's accounts on various sites that require users to go through authentication (for example, mail.ru, vkontakte.ru, etc.).
So let's get started. First we need to find the wireless network itself, with an open gateway for Internet access, and preferably with many clients. For example, any network in a large shopping mall, airport or coffee house will do; in such places people usually use Wi-Fi to read mail, check accounts on dating sites, browse LiveJournal and all kinds of forums. That is exactly what we need. Having chosen the network location and studied the hours when the number of clients peaks, we proceed directly to action. For this we need a laptop with a Wi-Fi adapter and a certain set of programs. In my case I used an Acer Aspire 3610 laptop, a D-Link DWL G650 client Wi-Fi card and the BackTrack3 OS.
I advise using this OS, since it already includes the entire set of programs you may need, and its most important advantage is that you do not need to install BackTrack on your hard disk: you can boot it directly from a CD or flash drive.
Now for the required software. I used Kismet to detect networks and WifiZoo to intercept cookies. I will dwell on the second program in detail. WifiZoo is a passive ethernet scanner that collects quite a lot of useful information, such as POP3 and SMTP traffic, HTTP cookies/authinfo, MSN, FTP credentials, telnet network traffic, NBT, etc. The program's only drawback is the lack of a channel-hopping mode: WifiZoo just listens on the wireless interface and cannot, so to speak, jump from channel to channel. But this disadvantage is compensated for by another program, Kismet, which supports this mode. To run WifiZoo you need:
- python
- scapy
- Kismet
So we launch the programs: first Kismet, to provide channel hopping, then WifiZoo itself. You should see the following window:
Now all that remains is to sit and wait until something is intercepted. Everything the program intercepts can be found in the logs, located in the program's directory under /logs/. You can also launch the GUI, which is automatically served over HTTP at 127.0.0.1:8000.
I will not write about all the features of this wonderful program; I think you will figure out the rest of the possibilities yourself, and at the moment we are only interested in cookies. Click on the link labeled cookies and see what we intercepted:
Have you ever wondered how visitors are personalized on some Web sites? This can be expressed, for example, in memorizing the contents of the "cart" (if this site is intended for the sale of goods) or in the way of filling in the fields of some form. The HTTP protocol, which is the basis of the World Wide Web, does not have a means to track events from one site visit to the next, so a special add-on was developed to be able to store these "states". This mechanism, described in RFC 2109, inserts special pieces of cookie data into HTTP requests and responses to enable Web sites to track their visitors.
Cookie data can be remembered for the duration of the communication session (per-session cookies), remaining in RAM for one session and being deleted when the browser is closed, or after a specified period of time has elapsed. In other cases they are persistent, remaining on the user's hard disk as a text file. They are usually stored in the Cookies directory (%windir%\Cookies in Win9x and %userprofile%\Cookies in NT/2000). It is not hard to guess that after capturing cookies on the Internet, an attacker can impersonate a user of this computer or collect important information contained in these files. As you read the following sections, you will see how easy it is to do this.
Interception of cookies
The most direct way is to intercept cookies as they are transmitted over the network. The intercepted data can then be used when logging into the corresponding server. Any packet capture utility can do this, but one of the best is Laurentiu Nicula's SpyNet/PeepNet. SpyNet includes two utilities that work together: CaptureNet captures the packets themselves and saves them to disk, and PeepNet opens the file and converts it to a readable format. The following example is a fragment of a communication session recovered by PeepNet, during which a cookie is used to authenticate and control access to the pages being viewed (names have been changed to preserve anonymity).
```http
GET http://www.victim.net/images/logo.gif HTTP/1.0
Accept: */*
Referer: http://www.victim.net/
Host: www.victim.net
Cookie: jrunsessionid=96114024278141622; cuid=TORPM!ZXTFRLRlpWTVFISEblahblah
```
In the example above you can see a piece of cookie data placed in an HTTP request to the server. The most important part is the cuid= field, which specifies a unique identifier used to authenticate the user on the www.victim.net site. Suppose that the attacker then visits victim.net and receives his own ID and cookie (it is assumed that the site does not keep the cookie data only in memory but writes it to the hard disk). The attacker can then open his own cookie and replace the identifier in the cuid= field with the one from the intercepted packet. When he then connects to the victim.net server, he will be taken for the user whose cookie data was intercepted.
PeepNet's ability to replay an entire communication session or a fragment of it greatly facilitates attacks of this type. Using the Go get it! button, you can re-fetch pages that the user viewed, using their cookie data previously captured by CaptureNet. In the PeepNet dialog window you can see information about someone else's completed orders; the cookie data captured by CaptureNet is used for authentication. Notice the frame in the lower-right corner of the session data dialog and the line that follows the Cookie: line; this is the cookie used for authentication.
This is a pretty neat trick. The CaptureNet utility can also provide a complete record of traffic in decoded form, which is almost equivalent to the capabilities of professional-grade utilities such as Sniffer Pro from Network Associates, Inc. But SpyNet is even better: you can get it for free!
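On the server side, the replay described above leaves a trace: the same cuid value arrives from a client other than the one that first presented it. The detector below, an added example that is not part of the original text, parses the Cookie header of captured requests in the format shown and flags such reuse; the capture tuple layout, the sample requests and the function names are constructed for illustration.

```python
"""Added example: flag a session cookie (the cuid= field) reused from a second client.
Input is a constructed capture: (client address, User-Agent, raw HTTP request)."""
import re
from collections import defaultdict

# Constructed sample capture. The cuid value is the one from the PeepNet snippet above.
CAPTURED = [
    ("192.0.2.10", "Mozilla/4.0", "GET http://www.victim.net/ HTTP/1.0\r\n"
     "Host: www.victim.net\r\nCookie: jrunsessionid=96114024278141622; "
     "cuid=TORPM!ZXTFRLRlpWTVFISEblahblah\r\n\r\n"),
    ("192.0.2.10", "Mozilla/4.0", "GET http://www.victim.net/orders HTTP/1.0\r\n"
     "Host: www.victim.net\r\nCookie: jrunsessionid=96114024278141622; "
     "cuid=TORPM!ZXTFRLRlpWTVFISEblahblah\r\n\r\n"),
    # Same cuid from another address and browser: the replay the text describes.
    ("198.51.100.7", "Mozilla/5.0", "GET http://www.victim.net/orders HTTP/1.0\r\n"
     "Host: www.victim.net\r\nCookie: cuid=TORPM!ZXTFRLRlpWTVFISEblahblah\r\n\r\n"),
    # A different user with their own cuid: not an alert.
    ("203.0.113.5", "Mozilla/5.0", "GET http://www.victim.net/ HTTP/1.0\r\n"
     "Host: www.victim.net\r\nCookie: cuid=QWERTY123\r\n\r\n"),
]

# Header names are case-insensitive; MULTILINE lets ^ match at each request line.
COOKIE_RE = re.compile(r"^Cookie:[ \t]*(.*)$", re.IGNORECASE | re.MULTILINE)


def parse_cookies(raw_request):
    """Return the name -> value pairs of the request's Cookie header (empty if none)."""
    match = COOKIE_RE.search(raw_request)
    if not match:
        return {}
    jar = {}
    for part in match.group(1).strip().split(";"):  # strip() drops the trailing \r
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name.strip()] = value.strip()
    return jar


def find_hijacks(captured, session_field="cuid"):
    """Report each session id seen from a client other than the one that first used it."""
    first_client = {}
    known_clients = defaultdict(set)
    alerts = []
    for addr, user_agent, raw in captured:
        sid = parse_cookies(raw).get(session_field)
        if sid is None:
            continue
        client = (addr, user_agent)
        if sid not in first_client:
            first_client[sid] = client
        elif client not in known_clients[sid]:
            alerts.append({"session": sid, "first": first_client[sid], "other": client})
        known_clients[sid].add(client)
    return alerts


if __name__ == "__main__":
    for alert in find_hijacks(CAPTURED):
        print(f"session {alert['session']} first used by {alert['first']}, "
              f"then replayed by {alert['other']}")
```

A real deployment would key on the site's own session field and treat a legitimate address change (mobile roaming, proxies) as a reason to re-authenticate rather than as proof of theft.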
Countermeasures
Watch out for sites that use cookies for authentication and for storing sensitive credentials. Kookaburra Software's Cookie Pal is one of the security tools that can help; it can be found at http://www.kburra.com/cpal.html. The software can be configured to warn the user when a Web site attempts to use the cookie mechanism, so you can "look behind the scenes" and decide whether to allow these actions. Internet Explorer has a built-in mechanism for controlling cookies. To activate it, launch the Internet Options applet in the Control Panel, go to the Security tab, select the Internet zone, choose Custom Level, and for persistent and temporary cookie data set the radio button to Prompt. To configure the use of cookies in the Netscape browser, choose Edit › Preferences › Advanced and set Warn me before accepting a cookie or Disable cookies (Figure 16.3). When you accept a cookie, you should check whether it has been written to disk and see whether the Web site is collecting information about users.
When visiting a site where cookies are used for authentication, make sure that the initially provided username and password are encrypted, at least with SSL. At least then this information will not appear in plain text in the PeepNet window.
The authors would prefer to opt out of cookies entirely, if only many of the Web sites they visit did not require them. For example, Microsoft's worldwide popular Hotmail service requires cookies in order to register. Since this service uses several different servers in the authentication process, adding them to the Trusted Sites zone is not easy (the process is described in "Using Secure Zones wisely: General Troubleshooting of ActiveX Elements"); here the *.hotmail.com designation helps. Cookies are far from an ideal solution to the statelessness of HTTP, but the alternatives seem even worse (for example, adding an identifier to the URL, which may then be stored on proxy servers). Until a better idea emerges, the only way out is to control cookies using the methods listed above.
Capturing cookies via URL
Imagine something horrible: Internet Explorer users click on specially crafted hyperlinks and become potential victims, at risk of having their cookies intercepted. Bennett Haselton and Jamie McCarthy of Peacefire, a youth organization that promotes freedom of communication on the Internet, published a script that brings this idea to life. The script retrieves cookies from a client computer when its user clicks on a link contained on the page; as a result, the contents of the cookie are made available to the operators of the Web site.
This capability can be abused by embedding IFRAMEs in the HTML of a Web page, an HTML e-mail, or a newsgroup post. The following example, provided by security consultant Richard M. Smith, demonstrates the use of IFRAMEs with the utility developed by Peacefire.
It is possible to compose an insidious e-mail message that "grabs" cookies from a user's hard drive and passes them to the peacefire.org operators: to do this, you need to place a link to this site in the message many times, as shown in the example. Although the guys at Peacefire look like pretty nice people, hardly anyone will like it if they get their hands on sensitive data.
Countermeasures
Install the update module, which can be found at http://www.microsoft.com/technet/security/bulletin/ms00-033.asp. You can also use the program Cookie pal or the built-in capabilities of Internet Explorer, as described above.