digip Posted January 13, 2008
Two tools, which some of you may have heard of already, called Ferret and Hamster, are making their way around the internet. One is a packet sniffer that only looks for cookies and the other is a localhost proxy/pcap analyzer used to hijack user sessions. When combined together these little programs form a nice little function called Sidejacking. Similar to MITM attacks to take over another user's account, only they do not rely on using an ARP poison attack to sit between the user and the router. Instead, they use captured packets from the network to reconstruct both regular and session cookies to mask yourself as the targeted user. So easy, anyone can figure it out. This works on both Wifi and any Ethernet LAN you may be on, although switched networks should not be affected since they do not rebroadcast to every device on the LAN. If the target is not encrypting their traffic using SSL, TLS, SSH, etc., then any captured web traffic containing cookies can be used to authenticate as the user WITHOUT needing their login name or password or a means to decrypt any hashes. Since Ferret is only looking for cookies to authenticate as the user, it cuts down on the amount of traffic needed to be captured by other programs like Wireshark, Ettercap, etc. Dumped pcap files (as hamster.txt) will be small in comparison to the long logs often seen by Wireshark and other programs when doing MITM attacks. Filtering the captures for only cookie data using Wireshark works when saving the log to hamster.txt to be used by hamster.exe. Hamster creates a little localhost proxy to view the visited websites of your targets, so all you have to do is click any links they visited through Hamster's browser interface and it passes the cookie back to the web server as if you were them, thus performing the Sidejack and logging you on as them. I tested it on my own network just to see how simple it was.
I have to say, it is scary easy to perform and I can see people recompiling the sources into one tool at some point, taking out all the guess work and need to set up everything. A script kiddie's wet dream in 1 click.... There is no need for me to post the link to these tools on hak5, as they are easy to find with Google.
Sparda Posted January 13, 2008
Didn't read most of your post but nm. My response is: I'm not scared. I have the SSL for the Gmail. If I have a session stolen they can only do a limited amount of damage before I spot it and click 'logout'.
digip (Author) Posted January 13, 2008
Actually, just tried it using https and I was able to still log on due to session cookies being available. So it seems SSL does not thwart the attack as I had thought. I'll test it some more later using my laptop's wifi when I get the chance to make sure. I am testing it on my pc only at the moment and this probably isn't the best way to see if SSL will block it. I think I will get the same results though and it will still be able to log on if the server or the user rebroadcasts the session data in the clear.
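The observation above, that logging in over HTTPS does not protect a session cookie the browser later sends over plain HTTP, comes down to the Secure attribute on the server's Set-Cookie header. The following is an added example, not code from the thread or from Ferret/Hamster: a small audit that parses constructed Set-Cookie headers, reports cookies lacking Secure/HttpOnly, and models which cookies a browser would attach to an http:// request to the same host. Cookie names and values are made up.

```python
"""Audit Set-Cookie headers for the attributes that decide whether a
session cookie can be sniffed and replayed from plaintext HTTP traffic.

Added example; the headers below are constructed, not captured.
"""

# Constructed sample: what an HTTPS login response might set.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly",            # no Secure: leaks over http://
    "auth=xyz789; Path=/; Secure; HttpOnly",   # only ever sent over https://
]

# Attributes a defender wants on any session-bearing cookie.
WANTED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value, or to True
    for flag attributes such as Secure and HttpOnly.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def sent_over(headers, scheme):
    """Model browser behaviour: names of cookies attached to a request
    made with the given scheme. Secure cookies ride only on https."""
    return [name for name, _, attrs in map(parse_set_cookie, headers)
            if scheme == "https" or "secure" not in attrs]


def audit(headers):
    """Return {cookie name: [missing flags]} for cookies that lack any
    of WANTED_FLAGS; an empty dict means nothing to fix."""
    findings = {}
    for name, _, attrs in map(parse_set_cookie, headers):
        missing = [f for f in WANTED_FLAGS if f not in attrs]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    print("sent on http:// :", sent_over(SAMPLE_HEADERS, "http"))
    print("findings        :", audit(SAMPLE_HEADERS))
```

The "sid" cookie is exactly the case discussed: set during an HTTPS login, yet any later plain-http request to the same host carries it in the clear for a sniffer to reconstruct.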
metatron Posted January 13, 2008
This can be done easily with Wireshark and a cookie editor in Firefox. You have been able to do this for many years.
Deveant Posted January 13, 2008
> This can be done easily with Wireshark and a cookie editor in Firefox. You have been able to do this for many years.
Agreed, though it's now easier for skiddies. Like only a few clicks easy. Wireshark required knowledge.
metatron Posted January 13, 2008
> This can be done easily with Wireshark and a cookie editor in Firefox. You have been able to do this for many years.
> Agreed, though it's now easier for skiddies. Like only a few clicks easy. Wireshark required knowledge.
If you can read, you can use Wireshark.
SmoothCriminal Posted January 13, 2008
Interesting stuff, good post.
digip (Author) Posted January 14, 2008
> This can be done easily with Wireshark and a cookie editor in Firefox. You have been able to do this for many years.
My post wasn't anything new. Session stealing has been around longer than some of us have even been on the internet. What was interesting to me is how automated and easy these attacks are becoming. Pretty soon, XSS attacks will be a one click setup and all you have to do is type in the name of your target. Look at Metasploit. Great tool to audit your LAN's servers and workstations, but it's also the same tool used by 12-year-old kids who know how to read and open a web browser. Doesn't make them any more skilled, just that they know where to put the key in and how to step on the gas. Yes. Session stealing is nothing new and I totally agree with you on the Wireshark comment. It is just to the point these days that everything is so easy, people walk around calling themselves "haxorz" and never once did anything themselves that wasn't automated for them. Every tool used by people to hijack a wireless connection or users' sessions was because someone, who was the real hacker, wrote it themselves. We just all end up using their tools. I am not saying there isn't skill in learning how to do these things, but kids today do not need to learn about all the details under the hood in order to drive the cars they own. It is also part of the problem and why there are so many people on here asking how to hack their school. Instead of learning how to do things and in turn educating themselves, they end up running their mouths about how "l337" they are when they just discovered some tool that does everything for them. The real elite are the ones who wrote the tools. I have to admit I have used some of these tools in the past, but not because I want to hack someone or break into something. I am no saint when it comes to computers, but I have no desire to use these for ill intent.
I do however like to learn about these things and see how they work. What picks my brain more is how it does it and learning about that is what has always intrigued me about computers. It's not the tool and what it does, but how it does it that makes me want to learn about it. I could care less about logging onto someone's email or MySpace page, but what I do want to know is what is the flaw, what is the hole, where is the weakness, how do you exploit it, and how do you defend against it. How does it all work has always been my goal and not "how many peepz can I pwn with my l337 haxor skillz".
insert handle Posted January 14, 2008
This is like giving an angry monkey a gun, or giving an idiot control over a country. There should be some sort of lock and key, even if as simple as changing one line of code so that complete skiddies can't use it...
SomeoneE1se Posted January 14, 2008
If I'm not mistaken you need to be on the same network, right?
SmoothCriminal Posted January 14, 2008
That's what it sounds like. Maybe not after you have captured some cookies.
metatron Posted January 14, 2008
> This can be done easily with Wireshark and a cookie editor in Firefox. You have been able to do this for many years.
> Pretty soon, XSS attacks will be a one click setup and all you have to do is type in the name of your target.
http://www.securitycompass.com/exploitme.shtml
XSS-Me is the Exploit-Me tool used to test for reflected Cross-Site Scripting (XSS). SQL Inject Me is the Exploit-Me tool used to test for SQL Injection vulnerabilities.
digip (Author) Posted January 14, 2008
> If I'm not mistaken you need to be on the same network, right?
Well, yes if you want to do a MITM and then use that in combo with Ferret and Hamster, but no if your wireless card can see all wireless traffic. Most Windows machines I have seen can not do this by default without certain wireless cards or something like AirPcap (http://www.cacetech.com/products/airpcap_family.htm?utm_source=Wireshark&utm_medium=cpc&utm_term=airpcap&utm_content=airpcap&utm_campaign=Wireshark_Product). Granted, a MITM attack pretty much will give you everything you want anyway. Using something like Cain + Ferret + Hamster just makes it easier to not have to go through Wireshark logs and edit the cookies manually. Cain is usually just going to show you the passwords it finds, but since there are none in the event that they log on using just the cookies or are already logged onto the site, Ferret and Hamster make it easy to just click the link of your targeted users and you're automatically logged on to the page they are viewing.
HarshReality Posted January 21, 2008
OK, so how do we work this into Switchblade?
SomeoneE1se Posted January 21, 2008
You don't because it's bad!
    @echo off
    copy %useerdir%/mozilla/cookies U3:/drive
    copy %useerdir%/IE/cookies U3:/drive
    echo mmmmm cookies
metatron Posted January 22, 2008
Wifizoo is a little nicer. http://community.corest.com/~hochoa/wifizo...dex.html#whatis
dred Posted January 23, 2008
Very interesting, I just wanted to add I don't think it's wrong to use things like this in a controlled environment. I myself have a lot of curiosity so I made a lab to test exploits and vulnerabilities without harming anyone else. I think this is totally acceptable but sometimes I feel wrong to have this curiosity or that I will be ridiculed here for sharing my findings. I say to each his own, let individuals take personal responsibility for their actions, but let's not put down someone's actions unless it's based on their intent. Trust me, I have seen the posts here "how do I hack my school network" and that is dumb and I am happy that a lot of you lead people with that mind state in the right direction. Ultimately my point is I think we should allow people to test things here and share them of this nature, for good intent only. Yes, there will always be somebody that takes advantage, but freedom of information is good. So why not make it work with the Switchblade? It's an idea and a project to explore and invent..
digip (Author) Posted January 23, 2008
> Very interesting, I just wanted to add I don't think it's wrong to use things like this in a controlled environment. I myself have a lot of curiosity so I made a lab to test exploits and vulnerabilities without harming anyone else. I think this is totally acceptable but sometimes I feel wrong to have this curiosity or that I will be ridiculed here for sharing my findings. I say to each his own, let individuals take personal responsibility for their actions, but let's not put down someone's actions unless it's based on their intent. Trust me, I have seen the posts here "how do I hack my school network" and that is dumb and I am happy that a lot of you lead people with that mind state in the right direction. Ultimately my point is I think we should allow people to test things here and share them of this nature, for good intent only. Yes, there will always be somebody that takes advantage, but freedom of information is good. So why not make it work with the Switchblade? It's an idea and a project to explore and invent..
I have no problem with people using these tools. I just do not want to spoon feed 90% of the script kiddies on the forums; I want them to put in the effort and work to learn something instead of just wanting to pwn everything. As far as pentesting and research, I am all for it, even when it's sniffing the neighbor's wifi, so long as you're not going to try compromising their info or account and it's all just for the learning experience. I myself love reading about tools like this and for me it's more about the knowledge gained from learning the tools than it is about what I can do with them. If you're up for some good reading that really picks my brain and keeps me busy, go through the SANS Daily Diary and its archives. Lots of good info to read through and a good place to learn about things like this.
They also often have tools listed you can use in defending attacks and what not and for pentesting your own networks. http://isc.sans.org/diaryarchive.html (Be sure you set up a dedicated box that is isolated from the rest of your network and one that you're using just for testing when connecting to some of the sites they list, as they will often give you links to sites with live virii and spyware as well as different attacks to gain root of a machine just by visiting the site!)
dred Posted January 23, 2008
That's nice to know someone else shares my huge curiosity here; too bad there wasn't a VIP section here for this stuff to keep away those who wish to use knowledge for harm.. Nice post by the way man ..