Session Hijacking with internal cookies and over LAN

Techknowledge

Member
Jul 15, 2013
Let's say two users, A and B, are using the same computer to access Facebook or any session-based website where cookies are left on the machine/computer. How can A or B use the cookies of the other to access the other person's session? Can you please share an example, giving the location of the cookies and then a practical example of using the cookie to gain access to an application/site A or B visited, irrespectively.

Also, could you please advise: if I'm connected on a LAN with 10 other machines too, how can I sniff their packets (what tool), and is it possible to also hijack their sessions (how?)? I would like to learn this to ensure I also stay protected, by seeing how this practically works.
 

PrincessFrosty

Platinum Member
Feb 13, 2008
www.frostyhacks.blogspot.com
Cookies are used to auth, and you can steal them out of a browser's cookie cache/db, or across the wire if SSL isn't used to encrypt them. Once you have someone's session cookie you can masquerade as them.

I'm not going to give you tools to do it however.
 

Techknowledge

Member
Jul 15, 2013
Thanks for the response, PrincessFrosty. How can I masquerade manually, for example? Can I put the cookie in my browser cache/db after I get it and just browse a site where it picks it up? This is what I wish to know.
 

John Connor

Lifer
Nov 30, 2012
You are looking for answers as to how someone could steal your session, correct? The answer is yes, cookies can be stolen, primarily with the use of scripts. You should use Firefox and install NoScript. In NoScript's options turn on "allow base 2nd level domains" so that NoScript isn't so cumbersome.

Another method is to sniff cookies on the network, which is commonly called a man-in-the-middle attack. For this, install Comodo Firewall and choose to protect the ARP cache among the other advanced options.

Phishing is something else that can be done. To prevent that, use OpenDNS, and for passwords install the Firefox addon called PwdHash.

Here's another 2 cents' worth of advice. If you use the addon Greasemonkey for Firefox and install user scripts, be sure to look at the code, press Control-F and search for the term "cookie". If the script has nothing to do with cookies and you find text named "cookie", chances are that script will hijack your session cookies.

Edit:

I forgot one other thing in regard to man-in-the-middle attacks: DNS poisoning. Try these two sites and see if you are vulnerable. I would go into your Control Panel | Services and disable the DNS Client service. This breaks DNS, but it can prevent DNS poisoning attempts.

http://ketil.froyn.name/poison.html

https://www.dns-oarc.net/oarc/services/dnsentropy
 

PrincessFrosty

Platinum Member
Feb 13, 2008
www.frostyhacks.blogspot.com
Good response from John. I would add that both on wireless and on wired networks you don't even need to MITM the users, unless you're somehow trying to downgrade their encrypted session (HTTPS) to regular HTTP.

Network sniffing tools set to promiscuous mode can simply watch all the traffic on a LAN or WLAN connection and grab the cookies there.

Techknowledge, to answer your question directly: cookies are just small text files on the disk, or blocks of text sometimes stored in a browser cookie db. If you can extract them and then insert them into your own browser, that's all that is required; it depends on the browser.

Generally speaking, due to the nature of session timeouts on connections (cookies only last so long before the server rejects them), you'd have scripts and automated procedures to sniff the cookie and hijack it automatically; manual attacks aren't very practical.
 
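The property PrincessFrosty keeps coming back to, that a cookie can be read off the wire when SSL isn't used and replayed until the server times it out, is controlled by the attributes a site sets on the cookie. As an added illustration (not code from the thread or from any site mentioned in it), the following audits a Set-Cookie header for the attributes that make a session cookie sniffable or long-lived; the sample headers and the `max_lifetime` threshold are constructed assumptions.

```python
import re
from typing import Dict, List, Union

# Constructed sample Set-Cookie headers (not captured from any real site).
SAMPLE_HEADERS = {
    "weak": "Set-Cookie: sessionid=abc123; Path=/",
    "hardened": ("Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; "
                 "SameSite=Lax; Max-Age=900"),
    "not_session": "Set-Cookie: theme=dark; Path=/; Max-Age=31536000",
}

# Cookie names that usually carry authentication state.
SESSION_NAME_HINT = re.compile(r"sess|sid|auth|token", re.I)

Attrs = Dict[str, Union[str, bool]]


def parse_set_cookie(header: str) -> Dict[str, Union[str, Attrs]]:
    """Split one Set-Cookie header into the cookie name and its attributes."""
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # bare flags map to True
    return {"name": name, "attrs": attrs}


def audit_set_cookie(header: str, max_lifetime: int = 3600) -> List[str]:
    """Return findings for a session-like cookie; an empty list means it passes."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings: List[str] = []
    if not SESSION_NAME_HINT.search(cookie["name"]):
        return findings  # non-session cookies are out of scope here
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP, so it can be sniffed on the LAN")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: page scripts can read it")
    samesite = attrs.get("samesite")
    if samesite is None or str(samesite).lower() == "none":
        findings.append("missing or weak SameSite: rides along on cross-site requests")
    max_age = attrs.get("max-age")
    if isinstance(max_age, str) and max_age.isdigit() and int(max_age) > max_lifetime:
        findings.append(f"Max-Age={max_age}: a stolen cookie stays usable for that long")
    return findings
```

Run `audit_set_cookie(SAMPLE_HEADERS["weak"])` against the "hardened" variant to see the three findings disappear once Secure, HttpOnly and SameSite are present.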

Techknowledge

Member
Jul 15, 2013
Thank you for the excellent explanation. This is clear. On a different note, though, I just discovered that network sniffing and similar utilities, for example Wireshark and the like, are no longer very helpful, as today's modern networks use switches instead of hubs, and also wifi networks no longer operate like hubs but like switches, where packets are not sent to every machine but to dedicated machines. So sniffers only work over old network technologies like hubs, but not on switches or today's wifi. Correct me if I am wrong.
 

PrincessFrosty

Platinum Member
Feb 13, 2008
www.frostyhacks.blogspot.com
It depends on the hardware: hubs are always vulnerable and some switches might be.

Some switches keep an internal lookup table of what logical address exists on what physical cable (port) and direct traffic only to that port, to avoid leaking that data to other ports. Some cheap "switches" aren't very good and don't really do this properly or reliably.

This is where you might "upgrade" your network sniffing to a MITM attack using ARP poisoning. ARP packets are sent by devices on the network to request and respond to addressing queries, basically asking who is where on the network. You can poison the ARP table on devices and even on switches to tell them you are an address that you're really not (this requires MAC and IP spoofing).

You may or may not need to do a MITM attack here: if the switch behaves in a way which allows it to broadcast data onto multiple ports for the same address (essentially it's unsure where the device is), then it's still passive. But if it's strict and only identifies addresses on one specific port, then ARP poisoning will essentially DoS the target and require that you forward on packets (this becomes a MITM attack where you're essentially inserting yourself as a new hop between the targets).

More expensive switches have protection against ARP poisoning, so how successful network sniffing is depends on the type and quality of the hardware being used.
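The ARP poisoning described in the last two posts leaves a detectable footprint on every host: an IP whose MAC suddenly changes, or one MAC that starts answering for several IPs (the gateway's and a victim's). As an added defender's example (not code from the thread, and not how any switch or the firewall John mentions implements it), the following replays constructed ARP-reply log lines and raises alerts on exactly those two patterns; the log format and the optional `pinned` table of known-good mappings are my own assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed ARP reply log (not a real capture): time, sender IP, sender MAC.
# 192.168.1.1 plays the gateway; the host at ...:30 starts answering for other IPs.
ARP_LOG = """\
10:00:01 reply 192.168.1.1 is-at 00:11:22:33:44:01
10:00:02 reply 192.168.1.20 is-at 00:11:22:33:44:20
10:00:03 reply 192.168.1.30 is-at 00:11:22:33:44:30
10:00:09 reply 192.168.1.1 is-at 00:11:22:33:44:30
10:00:10 reply 192.168.1.20 is-at 00:11:22:33:44:30
"""

LINE_RE = re.compile(r"^(\S+) reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-f:]{17})$", re.I)


def detect_arp_anomalies(log: str, pinned: Optional[Dict[str, str]] = None) -> List[str]:
    """Flag IP-to-MAC changes and one MAC answering for several IPs.

    `pinned` seeds the table with known-good mappings (e.g. the gateway) so the
    first reply seen is not blindly trusted as the baseline.
    """
    ip_to_mac: Dict[str, str] = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    ips_per_mac: Dict[str, Set[str]] = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        ips_per_mac[mac].add(ip)
    alerts: List[str] = []
    for line in log.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # ignore requests and malformed lines
        ts, ip, mac = match.groups()
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac  # first sighting becomes the baseline
        elif known != mac:
            alerts.append(f"{ts} {ip} moved from {known} to {mac} (possible ARP poisoning)")
        before = len(ips_per_mac[mac])
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > max(before, 1):  # alert only when a second+ IP is added
            alerts.append(f"{ts} {mac} now answers for {sorted(ips_per_mac[mac])}")
    return alerts
```

On the sample log the first three lines are quiet and the last two produce four alerts, two for the rewritten IP entries and two for the single MAC accumulating addresses.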