You no doubt have heard of Cookie Sniffing before. You sniff out a cookie, and you have their session, right? Sounds easy.
Firesheep made it incredibly easy, and you can do this easily with things like MiTMF or STELF. But what exactly are cookies, how do they work, and how can we exploit them? Let’s investigate.
To be a successful hacker we need to see the world through 3 viewpoints, a user’s perspective, a developers perspective, and a hackers perspective. The latter of the three will fall into place by itself, but the first two can be more tricky than you think.
A Users Perspective
Hi! My name is Larry, I’m a user and I use example.com for email. I put in my email address and password and I can log on, then I can see my emails. I can open several tabs, and still be logged in.
A Developers Perspective
There are two critical things to sessions (as is the case with pretty much anything web-app related), the client side and the server side.
The client side is whatever the user’s browser does, or store, We must be careful not to do anything too critical here since an attacker can easily modify their own browser, they control it.
// Set Cookie $name = "Gary Host"; $ttexpiry = time() + (86400 * 30); // 1 Day setcookie("fullname", "Gary Host", $ttexpiry, "/"); // Retrieve Cookie Data echo $_COOKIE["fullname"];
As we can see in this short snippet, we can create a cookie, with setcookie (this takes 4 arguments)
- Cookie ID - Or the thing we’ll refer to it as
- Value - The value we’ll get when we reference it
- Time To Expiry - How long the cookie will be valid and remain in the browser
- Path - Where the cookie will be valid in path etc “/” for the entire site
This snippet will output on the screen the words “Gary Host”. We can leave this page and come back later in the day and the words will still say that (even if the first 3 lines are removed).
Sessions in PHP work the same way, except the value in the cookie is not the user’s name, it is the Session ID of the user.
A Session ID is literally just a string unique to a user. This is generated randomly and associated to a particular account.
However, since the discovery of certain tools, developers have worked hard to mitigate this session snatching problem, so they implemented guards against this. On modern services, no longer just having the same session ID is enough to own their session.
Now they will generate hashes from data unique to the user, this may be a hash of the useragent, IP, and even resolution!
Now that we know about how a cookie works, and how sessions operate on a basic level, we can understand how to exploit it. We must strive to imitate everything on the victim’s computer. The most commonly used variables are the user agent, and resolution. Depending on the service, these will differ.
Data such as the user agent and resolution should be easy picking, especially with good recon. However if you have managed to steal the cookies, you will hopefully have found this in the logs. Whether you’re using BeEF, STELF or MITMf.
As for the IP, you might have to tunnel through their connection, unless you are on the same network. Again, BeEF and STELF allow you to do this via proxies.
Services also tend to use more cookies than just the session ID, watch out as these have been known in the past to be taken into account for session resume.
Stealing cookies may be a simple task, but using those cookies is another beast. An understanding of how cookies work, and how sessions use those cookies can be eye-opening for an attacker.
As with everything in the security world, knowing how a sysadmin and a developer thinks, helps you as a hacker know how to exploit it. The same way as a detective must know how a criminal thinks.
I hope this was of some use to you all! Especially those who will be trying out the new cookie dumping feature in STELF. If you have any questions drop a comment! And be sure to like this if you found this interesting!
Until next time!