An easy way to steal cookies. Methods for stealing cookies: cookie hacking tools and techniques

On the dangers of open Wi-Fi access points, and how passwords can be intercepted on them.

Today we'll look at intercepting passwords and cookies over Wi-Fi using the Intercepter-NG program.

The attack is based on sniffing.

Sniffing (from the English "to sniff") means analyzing network activity: seeing which sites a user visits and intercepting passwords. It also has legitimate uses, such as detecting malware that sends data out to the Internet.


The method I will show is quite primitive and simple; in fact, the program can do much more.
The program's official website is sniff.su (copy the link and open it in a new tab); it can be downloaded from the "Download" section.
There are versions for Windows, Unix systems and Android.
We will look at the Windows version, since this is the most popular system and the program is most advanced there.
Your browser or antivirus may complain that the program is dangerous, but you understand that this is a hacking tool, and antivirus software will always react to such tools.
The program comes as a zip archive; you just need to unzip it into a folder and use it, there is nothing to install.
The program can carry out various MITM attacks on Wi-Fi networks.
The article is written purely for informational purposes, to show by example the dangers of open Wi-Fi hotspots. You perform any of the actions described at your own risk. And I want to remind you of the criminal liability under the laws protecting other people's data.


Working with the Intercepter NG program

So, the program is launched via Intercepter-NG.exe.
The interface is in English, but if you are a confident computer user, I think you will figure it out.

Below there is a video on the setup (for those who prefer watching to reading).
— Select the desired network at the top if you have several of them.
— Switch the type between Ethernet and Wi-Fi: if you are on Wi-Fi, select the Wi-Fi icon (to the left of the network selection).

— Press the Scan Mode button (radar icon).
— Right-click in the empty field and choose Smart scan from the context menu.
— All devices connected to the network will appear.
— Select the victim (you can select everyone by holding down the Shift key); just do not mark the router itself, whose IP is usually 192.168.1.1.
— Having made the selection, right-click and choose Add to nat.


— Go to the Nat tab.
— In Stealth ip, it is advisable to change the last digit to any unoccupied one; this will hide your real IP.
— Tick SSL Strip and SSL Mitm.


— Click Settings (gears on the right).
— Tick Resurrection (this allows passwords and cookies sent over the encrypted HTTPS protocol to be intercepted) and Remove Spoof IP/Mac. You can also tick Cookie Killer: with it enabled, the victim is kicked out of the current page, for example a social network, and has to re-enter the password, which we then intercept. Compare your settings with the picture.


— Close the settings with the checkmark.
— The setup is complete; you can begin the attack.
— Press the Start/Stop Sniffing button at the top (the triangle), then in the same window click the radiation icon at the bottom, Start/Stop ARP Poison.
— Go to the Password Mode tab, right-click in the window and select Show Cookies ("This will allow cookies and passwords entered by victims to be shown").
That's it; now we wait for someone to enter a password.
Sometimes the Internet stops working; try to access the Internet yourself, and if it doesn't work, restart the program.
I have noticed that it is not always possible to intercept a password, but in practice it works almost without failure.
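The attack above relies on ARP poisoning, so that the router's IP resolves to the attacker's MAC on the victim. As an added example (not part of the original article), here is host-side detection logic in Python that compares ARP table snapshots against a pinned gateway MAC and flags one MAC answering for several IPs; the gateway MAC, the `arp -a` style snapshots and the addresses are constructed sample data.

```python
"""Detect ARP poisoning of the gateway from ARP table snapshots (added example)."""
import re
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"         # router IP, as in the article
GATEWAY_MAC = "00-11-22-33-44-55"  # constructed baseline MAC, pinned when the host is set up
# One `arp -a` row on Windows: "<ip>  <mac>  <type>"
ARP_ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)

def parse_arp(text):
    """Return {ip: mac} from `arp -a` style output, skipping headers and multicast rows."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m and not m.group(1).startswith(("224.", "239.", "255.")):
            table[m.group(1)] = m.group(2).lower()
    return table

def check_arp(table, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Return a list of alert strings; an empty list means the table looks clean."""
    alerts = []
    seen = table.get(gateway_ip)
    if seen and seen != gateway_mac.lower():
        alerts.append(f"gateway {gateway_ip} MAC changed {gateway_mac.lower()} -> {seen}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # one NIC answering for the gateway and for its own address
            alerts.append(f"MAC {mac} claims multiple IPs: {sorted(ips)}")
    return alerts

# Constructed snapshots: a clean table and one taken while the host is being poisoned.
CLEAN = """Interface: 192.168.1.20 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.30          aa-bb-cc-dd-ee-01     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""
POISONED = """Interface: 192.168.1.20 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-99     dynamic
  192.168.1.30          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.250         aa-bb-cc-dd-ee-99     dynamic
"""

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("poisoned", POISONED)):
        print(name, check_arp(parse_arp(snap)) or "OK")
```

On a real host, run the check on a timer and compare each fresh `arp -a` output against the pinned gateway MAC recorded on a trusted network.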

That's all; we have looked at intercepting passwords and cookies over Wi-Fi.

Take care of yourself.

The picture shows that the cookie contains the line wordpress_logged_in_263d663a02379b7624b1028a58464038=admin. This value is stored unencrypted in the cookie and can easily be intercepted with the Achilles utility, although in most cases Achilles only shows the hash of a particular entry. Before sending the request to the server, you can try to replace this line with any similar one (although in this case there is no point); the number of attempts is not limited. Then, by sending this request to the server with the Send button, you can receive the response the server intended for the administrator.

In the previous example, direct user ID spoofing can be used. Other parameter names whose values, once replaced, give the hacker additional capabilities include: user (for example, USER=JDOE), anything containing an ID string (for example, USER=JDOE or SESSIONID=BLAHBLAH), admin (for example, ADMIN=TRUE), session (for example, SESSION=ACTIVE), cart (for example, CART=FULL), as well as values such as TRUE, FALSE, ACTIVE and INACTIVE. The cookie format usually depends heavily on the application that uses it, but these tips for finding application flaws through cookies apply to almost all formats.

Client-side countermeasures against cookie extraction

In general, users should be wary of Web sites that use cookies for authentication and for storing sensitive data. Remember also that a Web site that uses cookies for authentication must support at least the SSL protocol to encrypt the username and password; without it, the data is transmitted unencrypted and can be intercepted with the simplest software for viewing data sent over the network.

Kookaburra Software has developed a tool that makes cookie handling easier. The tool is called CookiePal (http://www.kburra.com/cpal.html). This program warns the user when a Web site attempts to set a cookie on the machine, and the user can allow or deny the action. Similar cookie-blocking functions are available in all browsers today.

Another reason to install Web browser updates regularly is that security flaws in these programs are constantly being identified. For instance, Bennett Haselton and Jamie McCarthy created a script that, once a link is clicked, retrieves cookies from the client's machine. As a result, the entire contents of the cookies on the user's machine become available.

This kind of hack can also be done using the handle

To make sure such things do not threaten our personal data, I do this myself and advise everyone to do the same: always update software that works with HTML (e-mail clients, media players, browsers, etc.).

Many people prefer to simply block cookies, but most Web sites require cookies in order to be browsed. The conclusion: if an innovative technology appears in the near future that makes cookies unnecessary, programmers and administrators will breathe a sigh of relief, but for now cookies remain a tasty morsel for a hacker. This is so because no better alternative yet exists.

Server-side countermeasures

When it comes to server security, experts give one simple piece of advice: do not use the cookie mechanism unless absolutely necessary! Particular care must be taken with cookies that remain on the user's system after the communication session ends.

Of course, it is important to understand that cookies can be used to provide security for Web servers through user authentication. If your application does need cookies, configure the cookie mechanism to use a different short-lived key for each session, and try not to put information in these files that a hacker could use to break in (such as ADMIN=TRUE).

Additionally, to make your use of cookies more secure, you can encrypt cookies to prevent sensitive information from being extracted. Of course, encryption does not solve all the security problems of cookie technology, but it will prevent the simplest attacks described above.
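The two server-side recommendations above (a different short-lived random key per session, and no authorization data such as ADMIN=TRUE in the cookie) look like this in practice. This is an added Python example, not code from the page; the server key, the session store and the cookie name `sid` are constructed for the demo, and the HMAC signature stands in for the "cookie encryption" the text mentions.

```python
"""Session cookies that carry no authorization state (added example)."""
import hashlib, hmac, secrets, time
from http.cookies import SimpleCookie

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret; generated here for the demo
SESSION_TTL = 15 * 60                 # short-lived: 15 minutes
_sessions = {}                        # session_id -> {"user", "role", "expires"}; server side only

def _sign(session_id: str) -> str:
    """HMAC over the id so an edited or guessed id is rejected before any lookup."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def create_session(user: str, role: str = "user") -> str:
    """Return the Set-Cookie header line for a fresh, signed, random session id."""
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness, nothing about the user in it
    _sessions[sid] = {"user": user, "role": role, "expires": time.time() + SESSION_TTL}
    c = SimpleCookie()
    c["sid"] = f"{sid}.{_sign(sid)}"
    c["sid"]["secure"] = True      # never sent over plain HTTP, so a Wi-Fi sniffer sees nothing
    c["sid"]["httponly"] = True    # not readable by page scripts (script/IFRAME cookie theft)
    c["sid"]["samesite"] = "Lax"
    c["sid"]["max-age"] = SESSION_TTL
    return c.output(header="Set-Cookie:")

def resolve_session(cookie_header: str):
    """Map an incoming Cookie header to (user, role), or None if it is not valid."""
    c = SimpleCookie()
    c.load(cookie_header)
    if "sid" not in c:
        return None  # anything else the client sends, e.g. ADMIN=TRUE, is simply ignored
    sid, _, mac = c["sid"].value.rpartition(".")
    if not sid or not hmac.compare_digest(mac, _sign(sid)):
        return None  # forged or edited value
    s = _sessions.get(sid)
    if s is None or s["expires"] < time.time():
        _sessions.pop(sid, None)
        return None  # unknown or expired id
    return s["user"], s["role"]  # the role is what the server stored, never what the cookie says

if __name__ == "__main__":
    header = create_session("alice")
    print(header)
    value = header.split("sid=")[1].split(";")[0]
    print(resolve_session(f"sid={value}; ADMIN=TRUE"))   # ('alice', 'user')
    print(resolve_session("sid=forged.0000"))             # None
```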

Have you ever wondered how some Web sites personalize their visitors' experience? This may take the form, for example, of remembering the contents of a "cart" (if the site sells goods) or the way certain form fields were filled in. The HTTP protocol underlying the World Wide Web has no means of tracking events from one visit to a site to the next, so a special add-on was developed to store such "state". This mechanism, described in RFC 2109, inserts special pieces of data, cookies, into HTTP requests and responses, allowing Web sites to track their visitors.

Cookie data may be stored for the duration of the communication session (per-session cookies), remaining in RAM during one session and being deleted when the browser is closed, or after a specified period of time elapses. In other cases they are persistent, remaining on the user's hard drive as a text file. They are usually stored in the Cookies directory (%windir%\Cookies on Win9x and %userprofile%\Cookies on NT/2000). It is not hard to guess that after capturing cookies on the Internet, an attacker can impersonate the user of that computer or collect the important information contained in these files. After reading the following sections, you will understand how easy this is.

Cookie interception

The most direct method is to intercept cookies as they are transmitted over the network. The intercepted data can then be used when logging into the corresponding server. Any packet-capture utility can do this, but one of the best is Laurentiu Nicula's SpyNet/PeepNet. SpyNet includes two utilities that work together: CaptureNet captures the packets themselves and stores them on disk, and PeepNet opens the file and converts it into a human-readable format. The following example is a fragment of a communication session reconstructed by PeepNet, in which the cookie serves to authenticate and control access to the pages viewed (names have been changed to preserve anonymity).

GET http://www.victim.net/images/logo.gif HTTP/1.0
Accept: */*
Referrer: http://www.victim.net/
Host: www.victim.net
Cookie: jrunsessionid=96114024278141622; cuid=TORPM!ZXTFRLRlpWTVFISEblahblah

The example above shows a cookie fragment placed in an HTTP request sent to the server. The most important field is cuid=, which holds the unique identifier used to authenticate the user on the www.victim.net site. Suppose that the attacker then visits victim.net and receives his own identifier and cookie (assuming the site does not keep the cookie data only in memory but writes it to disk). The attacker can then open his own cookie and replace the ID in the cuid= field with the one from the captured packet. When he logs into the victim.net server, he will be treated as the user whose cookie data was intercepted.
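A defender can run the same kind of parsing over their own proxy or capture logs to find session cookies that still travel in the clear. This is an added Python example, not from the book excerpt: it parses raw requests in the format shown above and reports session-like cookie names sent over plain http://; the sample requests are constructed after the page's example, and the name pattern is an assumption to tune per application.

```python
"""Flag session cookies observed in cleartext HTTP requests (added example)."""
import re

# Assumed heuristic for names that usually carry a login/session token.
SESSION_NAME = re.compile(r"(sess|sid|cuid|token|auth|logged_in|jsessionid)", re.I)

def parse_request(raw: str):
    """Split a raw HTTP request into (method, url, headers dict with lowercase names)."""
    lines = raw.strip().splitlines()
    method, url, _version = lines[0].split(maxsplit=2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, url, headers

def cookie_pairs(header: str):
    """Turn 'a=1; b=2' into [('a', '1'), ('b', '2')]."""
    pairs = []
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name, value))
    return pairs

def cleartext_session_cookies(raw: str):
    """Return [(cookie_name, host)] for session-like cookies sent without TLS."""
    _method, url, headers = parse_request(raw)
    if not url.lower().startswith("http://"):
        return []  # https:// requests are not readable on the wire
    host = headers.get("host", "")
    return [(name, host) for name, _ in cookie_pairs(headers.get("cookie", ""))
            if SESSION_NAME.search(name)]

# Constructed samples: a plaintext request like the page's, and an HTTPS counterpart.
PLAIN_REQ = """GET http://www.victim.net/images/logo.gif HTTP/1.0
Accept: */*
Referer: http://www.victim.net/
Host: www.victim.net
Cookie: jrunsessionid=96114024278141622; cuid=TORPM!ZXTFRLRlpWTVFISEblahblah
"""
TLS_REQ = PLAIN_REQ.replace("http://", "https://")

if __name__ == "__main__":
    print(cleartext_session_cookies(PLAIN_REQ))  # both cookies flagged
    print(cleartext_session_cookies(TLS_REQ))    # []
```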

PeepNet's ability to replay an entire communication session or a fragment of it greatly facilitates attacks of this type. Using the Go get it! button, you can re-fetch the pages a user viewed, using their cookie data previously captured by CaptureNet. In the PeepNet dialog box you can see information about someone's completed orders; the cookie data intercepted by CaptureNet is used for authentication. Note the frame in the lower right corner of the session data dialog box and the line that follows the Cookie: line. This is the cookie data used for authentication.

It's a pretty neat trick. In addition, CaptureNet can provide a complete decoded record of traffic, almost equivalent to the capabilities of professional-grade utilities such as Network Associates, Inc.'s Sniffer Pro. SpyNet, however, has one further advantage: you can get it for free!

Countermeasures

You should be wary of sites that use cookies for authentication and for storing sensitive identification information. One tool that can help is Kookaburra Software's Cookie Pal, available at http://www.kburra.com/cpal.html. This software can be configured to warn the user when a Web site attempts to use the cookie mechanism; you can then "look behind the scenes" and decide whether to allow the action. Internet Explorer has a built-in cookie-control mechanism. To enable it, launch the Internet Options applet in Control Panel, go to the Security tab, select the Internet Zone, choose Custom Level, and set the switch for persistent and per-session cookie data to Prompt. In the Netscape browser, cookie use is configured via Edit › Preferences › Advanced by selecting the Warn me before accepting a cookie or Disable cookies option (Fig. 16.3). When you accept a cookie, check whether it is written to disk and whether the Web site collects information about users.

When visiting a site that uses cookies for authentication, make sure that the username and password you initially provide are at least SSL-encrypted. Then this information will at least not appear in plain text in the PeepNet window.

The authors would prefer to avoid cookies entirely if so many frequently visited Web sites did not require them. For example, Microsoft's worldwide popular Hotmail service requires cookies for registration. Because this service uses several different servers during the authentication process, adding them to the Trusted Sites zone is not that easy (this process is described in the section "Using Security Zones Wisely: A Common Solution to the ActiveX Control Problem"). In this case, the designation *.hotmail.com will help. Cookies are not a perfect solution to the problem of the HTTP protocol's lack of state tracking, but the alternative approaches seem even worse (for example, adding an identifier to the URL, which can then be stored on proxy servers). Until a better idea comes along, your only option is to control your cookies using the methods listed above.

Capture cookies via URL

Let's imagine something terrible: Internet Explorer users click on specially crafted hyperlinks and become potential victims, risking having their cookies intercepted. Bennett Haselton and Jamie McCarthy from Peacefire, a teen organization that advocates for freedom of communication over the Internet, published a script that brings this idea to life. The script retrieves cookies from the client computer if its user clicks on a link contained on that page. As a result, the contents of the cookie become available to the Web site's operators.

This feature can be exploited for nefarious purposes by embedding IFRAME tags in the HTML of a Web page, an HTML e-mail, or a newsgroup post. The following example, provided by security consultant Richard M. Smith, demonstrates the use of IFRAME tags together with a utility developed by Peacefire.