Hijacking Cookie Sessions

May 9, 2015 10:27 PM
Jun 23, 2015 05:27 PM

Let's say that we want to see what someone is doing on their computer? In this tutorial, we'll be hijacking cookie sessions to do just that!

Step 1: Preparing Kali

In order to do this, we need three tools:

  • Ettercap (duh)
  • Hamster
  • Ferret

Ferret is a nice little tool that runs with Hamster. It grabs session cookies that travel across the LAN. Hamster is a proxy that "manipulates" everything grabbed by Ferret. The only thing is that Ferret doesn't come with Kali 64-bit version. In order to install it, we need to add the i386 (32-bit) repository. Then we can install it. For convenience, run this 1-line script to install it:

dpkg --add-architecture i386 && apt-get update && apt-get install ferret-sidejack:i386

After you do that, let's move on.

Step 2: Setting Up the MitM Attack Vectors

Ettercap

We're going to use Ettercap to ARP poison the targets. Open it up and do:

  1. Sniff --> Unified Sniffing
  2. Hosts --> Scan for Hosts
  3. MitM --> Arp Poisoning and ONLY check Sniff Remote Connections
635667807706391189.jpg
  1. Start --> Start Sniffing

Hamster & Ferret

Now that Ferret is installed, all we have to do is run ferret -i interface. For instance, I'll be using Ethernet.

635667808517953583.jpg

You should quickly be getting output like this.

To run Hamster, just type hamster in a new terminal.

Step 3: Viewing the Cookie Sessions

To view the cookies that we have "sidejacked," simply open your web browser and type in the URL box localhost:1234 or anything of the equivilent (i.e., 127.0.0.1:1234). You should get a screen like this:

635667810706547388.jpg

Now we need to tell Hamster the interface to listen on. Go to adapters and enter the same interface you entered in Ferret.

635667811268891331.jpg

Press Submit Query and let the magic begin (you'll have to wait a while before you get lots of cookies).

Step 4: Viewing Cookies

After a while you'll start to see some IP addresses pop up (including yours). To view the cookies, simply click on the IP address.

635667813448924880.jpg

Just click on the URLs the view them. For example, I just was talking about stuff in a chat, but I left. I didn't trust one of the members and guess what? I was right.

635667817699828607.jpg

Now, I didn't see it in the chat, but I decided to sidejack him just in case, and guess what I found?

635667818463266675.jpg

So I know what he said, but he doesn't know I know it....

If you want to view the original cookies, just click that cookies button and replace hamster with localhost:1234 at the beginning of the URL, or you can open up the .pcap file in the home folder.

Mission Complete

Now we can view everything this guy says, and he won't ever know it. This same attack can also be used to hijack someone's session while they're logged in to a website, making things much faster than cracking passwords. Cool, eh?

I hope you found this as much fun as I did.

This was part of our C3 project.

C|H of C3

Comments

No Comments Exist

Be the first, drop a comment!