Hello Mates,
Wanted to get everyone’s thoughts on how they maintain access to accounts that have been hijacked using session cookies. The cookies will expire at some point so how would you maintain access when all you have is the session cookie? I’ve investigated changing the expiration date, but it appears that, depending on the site, this can invalidate the cookie on the server side so I’ve been reluctant to try this approach.
Cheers,
Olly
Keep the session alive with constant traffic until they authenticate again and generate a new cookie? Depends on what kind of access you’re trying to get/keep and the user you can hijack.
Thanks mate. I’m trying to learn more about session cookies in general and the role in post-exploitation.
As an example, gmail cookies appear to expire in 1-2 years. This depends on the specific cookie since an active session comes with 7-8 cookies last I checked. I was trying to determine if a specific cookies’ expiry needed to be changed, but then wondered if this would invalidate or error out the session ID. I tried changing my own cookies and got a Chrome cookie mismatch error so was not sure what’s happening on the back end.
It makes sense to frequently use the site in question to prevent the session from expiring. I know my banking and tele sites log me out in 10 minutes if inactive, but was not sure if this common with all sites (from my gatherings, each site applies it differently).
This makes more sense - I think I see what you’re getting at now.
Shortest timeout I’ve ever run across was like two minutes and I think I just installed a Firefox add-on to auto refresh the page because I didn’t know what else to do at the time lol.
Instead of modifying the cookie, I’d encourage you to wait until you have a clear goal in mind and then ride the target session executing your desired actions via a script thus minimizing the amount of time you need access to the target. Naturally sustaining access is ideal, but if there aren’t any clear paths (using a privileged session to create a privileged account/session or elevate the authority of a normal account/session), automation is the next-best thing.
Thank you for the advice and I imagine my goals will change depending on the engagement. For example, being tasked to penetrate X level of defenses t vs a task that will take longer and require me to maintain account access for an unknown period of time. And if its that, then I would need to ride out the session cookie as long as possible.
This topic was automatically closed after 121 days. New replies are no longer allowed.