Methods of stealing cookie files
Cookie theft is an effective hacking method that many attackers use. If you want to try it but do not know where to start, read our recommendations.
What are cookies?
A cookie holds information about a user's visits to a particular site. It is stored in a separate text file, and it can contain various data, including logins, passwords, e-mail addresses and phone numbers. That is why hackers try to obtain these files, and they resort to different methods to steal them.
Methods of stealing cookies
XSS vulnerability
XSS vulnerabilities can be found and exploited on almost any site. When a specialist finds one, he injects a special piece of code into it. The code differs depending on the purpose, and it is written for a specific resource. When the user opens this page and refreshes it, all the changes take effect: the code starts working in the victim's browser and collects all the necessary information from it.
To plant the code, any type of vulnerability can be used: an error in the web resource, in the browser or in the operating system.
There are two types of XSS attacks:
- Passive: aimed at the page's script. In this case, you need to look for vulnerable places among the page elements, for example a dialog tab, a search box, a video catalog and so on.
- Active: the injected code is stored on the server itself. This is especially common on forums, blogs and chat rooms.
How to get a person to trigger the XSS?
This task is not easy, because the code is often activated only when the victim clicks on a link containing it. The link can be disguised and sent in a letter together with an attractive offer, for example a big discount in an online store. It can also be embedded in a picture; the user will most likely look at it and suspect nothing.
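The defensive side of the "search box" case above, as an added example that is not part of the original article: a Python rendering function that echoes the search term unencoded, next to one that HTML-encodes it, plus the Set-Cookie line a server should emit so that page scripts cannot read the session cookie even if a script does run. The names render_search_vulnerable, render_search_hardened, session_cookie_header and contains_active_html are hypothetical, and the probe input used in the test is constructed.

```python
import html
from urllib.parse import parse_qs

# Added example (not the article's code); all names below are hypothetical.

def _search_term(query_string: str) -> str:
    """Pulls the 'q' parameter out of a raw query string, decoding percent-encoding as a browser would."""
    return parse_qs(query_string).get("q", [""])[0]

def render_search_vulnerable(query_string: str) -> str:
    """The passive-XSS case: the search term is echoed into the page exactly as submitted."""
    return f"<h1>Results for: {_search_term(query_string)}</h1>"

def render_search_hardened(query_string: str) -> str:
    """Same page with output encoding: markup characters become entities, so the term can only be text."""
    return f"<h1>Results for: {html.escape(_search_term(query_string), quote=True)}</h1>"

def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the session: HttpOnly keeps it out of document.cookie,
    Secure keeps it off plain HTTP, SameSite=Lax limits cross-site sending."""
    return f"Set-Cookie: sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"

def contains_active_html(page: str) -> bool:
    """Crude check used when testing: does the rendered page contain markup a browser would execute?"""
    lowered = page.lower()
    return "<script" in lowered or "onerror=" in lowered or "javascript:" in lowered
```

Output encoding fixes the page itself; the HttpOnly flag is the second layer, so that a script which does slip through cannot hand the session cookie to the attacker's server.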
Installing a sniffer
This means installing specialized programs to monitor traffic on someone else's device. A sniffer allows you to intercept transmitted sessions containing other people's data, so you can obtain logins, passwords, addresses and any other important information transmitted by the user. Attacks are most often carried out on unprotected HTTP traffic, and unprotected Wi-Fi is well suited for this.
A sniffer can be deployed in several ways:
- copying traffic;
- analysing data using attacks on traffic;
- listening on interfaces;
- inserting the sniffer into a break in the channel.
All data is stored on the web server in its original form. If you change it, it will be considered a substitution. All the material obtained can be used on another computer, giving you full access to the user's personal data. Cookies can be modified using browser settings, add-ons or special programs; they can also be edited in any standard text editor on the PC.
Cookies with a virus
Specialists advise not to use cookies unless there is a real need for them; if it is possible to turn them off, it is better to do so. This is because cookies are very vulnerable and attackers often steal them. From these files one can extract a huge amount of personal confidential information that will be used against the person. The most dangerous kind are the files that remain in the system after the session has already ended.
Cookies are often stolen with the help of a malicious utility. It is done quite simply: a virus is embedded in some harmless utility that collects certain material on the computer. The malicious program communicates with its owner's server, and it must be configured so that the browser uses it as a proxy server.
When the program lands on the victim's PC, it automatically starts collecting all the stored data and sends it to you.
Viruses differ from one another. Some allow you to fully control the browser and view any information; others are able to steal protected material; a third kind collects only unprotected data.
You may have difficulty getting a malicious program onto someone else's computer: you must make the user download and run it. Here you can either send him a letter with a link to the program, or pass the program off as a safe one and wait until the person downloads it from your site himself.
How to protect cookie files from theft?
Most web resources are not protected well enough; hackers easily find vulnerabilities and errors on these platforms.
Cookie protection rules:
- Bind the computer's identifier to the current session. Then, when the site is entered from a foreign device, a new session will be started and the data from the previous one will not work.
- Tie the session to the browser. This works on the same principle as the previous point.
- Encrypt the parameters transmitted over the network. Then the information saved in the file cannot be understood and will be useless to whoever intercepted it. This technique will not protect you 100%, since some experts know how to decipher any material.
- Create a separate folder for each individual user.
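The first three rules above, turned into a small server-side session handler as an added example (this is not code from the article): the cookie carries only an opaque random identifier with an HMAC tag, the server record stores a hash of the client's address and User-Agent so that a cookie replayed from a different device or browser is refused, and the session expires after a short lifetime. Everything here (SECRET_KEY, SESSION_TTL, create_session, resolve_session, set_cookie_header and the in-memory _sessions dict) is hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Hypothetical server-side session store (added example, not the article's code).
SECRET_KEY = secrets.token_bytes(32)   # constructed per process; a real server loads it from configuration
SESSION_TTL = 15 * 60                  # seconds a session stays valid (short-lived keys per session)

_sessions: Dict[str, dict] = {}        # session id -> record; a real server keeps this in a DB or cache

def client_fingerprint(remote_addr: str, user_agent: str) -> str:
    """Hash of the client attributes a session is tied to (rules 1 and 2: device and browser)."""
    return hashlib.sha256(f"{remote_addr}|{user_agent}".encode()).hexdigest()

def _sign(session_id: str) -> str:
    """HMAC over the session id, so an edited cookie fails verification before any lookup."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def create_session(username: str, remote_addr: str, user_agent: str,
                   now: Optional[float] = None) -> str:
    """Starts a session and returns the cookie value: an opaque random id plus its HMAC tag."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)     # the cookie carries no user data, only this random id
    _sessions[sid] = {
        "user": username,
        "fp": client_fingerprint(remote_addr, user_agent),
        "expires": now + SESSION_TTL,
    }
    return f"{sid}.{_sign(sid)}"

def resolve_session(cookie_value: str, remote_addr: str, user_agent: str,
                    now: Optional[float] = None) -> Optional[str]:
    """Returns the username if the cookie is authentic, unexpired and presented by the same client, else None."""
    now = time.time() if now is None else now
    sid, _, tag = cookie_value.rpartition(".")
    if not sid or not hmac.compare_digest(tag.encode(), _sign(sid).encode()):
        return None                     # tampered or forged cookie
    record = _sessions.get(sid)
    if record is None or now > record["expires"]:
        _sessions.pop(sid, None)        # expired: the old id stops working
        return None
    if not hmac.compare_digest(record["fp"], client_fingerprint(remote_addr, user_agent)):
        return None                     # valid cookie replayed from another device or browser
    return record["user"]

def set_cookie_header(cookie_value: str) -> str:
    """Set-Cookie line: short Max-Age, TLS only, not readable from page scripts, not sent cross-site."""
    return (f"Set-Cookie: session={cookie_value}; Path=/; Max-Age={SESSION_TTL}; "
            "Secure; HttpOnly; SameSite=Strict")
```

Binding to the client address breaks for users behind changing NAT or mobile networks, and the User-Agent is easy to copy, so the binding is a speed bump rather than a wall; the durable gain is that the cookie holds nothing worth editing in a text editor, and that a stolen value stops working after the short lifetime.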
How to find out the password for someone else's account through cookies?
To get other people's authorization data, you must first get to the file in which they were saved.
For those who use Mozilla Firefox: go to the Tools tab in the main menu. Next, in the settings, find the "Protection" section; that is where you should look for all the important information about social network accounts. All passwords are hidden, so click the "Display" button. Right there you can also enable protection and set a special code; then no one but you can get at this information.
In Opera, only user names are available for general viewing, but in the menu you can find the password manager and view everything stored on the computer. The full list is in the manager. To access the passwords, you need to install an additional extension.
In Google Chrome, all this material can be seen in the advanced settings. There is a tab with all the stored cookies.
Unfortunately, the standard Internet Explorer browser does not have such functions. To find out information about the web platforms that the PC owner visits, you need to download a special program. It can be found for free on the Internet and is completely safe, but it is better to download it from proven sources. Do not forget that any program must be checked by an antivirus; this is especially true of utilities that work with passwords.
This technique is only available to those who have physical access to the victim's computer. You can also find out someone else's password if the person logged in to the platform from your PC and saved his data.
Programs for stealing cookie files
On the Internet there are many hacker forums where hackers communicate with each other. People go there hoping to get free help, and it is there that you can find a huge number of different hacking programs. We want to warn you that you should not trust these programs. Utilities for remotely stealing cookies from someone else's device are either dummies or malware. If you download such software to your PC, you will most likely fall into a fraudster's trap. Scammers post these programs for free, and in this way they distribute malicious software and gain control over other people's PCs. In general, such programs are a scam, and you will see this from their interface and content. If you are going to use any software for obtaining files, let it be a sniffer. Of course, they are not so easy to use, and finding a good sniffer on the Internet is not easy either. But there is such software from specialists who sell it for money. Remember that there are many scammers, each with their own tricks. Trust only proven hackers who have a good reputation, reviews and their own website.
In conclusion, we would like to note that cookie theft is a really powerful method whose effectiveness is very high. If you want to hack someone's profile on a social network or messenger, be sure to consider this option. This method works best when you can use the victim's computer. It is much harder to obtain the material remotely, but you can use our advice and try to apply this method in practice.
Have you ever thought about how some Web sites personalize their visitors? This can take the form, for example, of remembering the contents of a "shopping cart" (if the site sells goods) or of the way the fields of some form are filled in. The HTTP protocol underlying the World Wide Web has no means of tracking events from one visit to a site to the next, so a special extension was developed to make it possible to store such "state". This mechanism, described in RFC 2109, inserts special cookie data into transmitted HTTP requests and responses, allowing Web sites to track their visitors.
Cookie data can be remembered for the duration of a communication session (per session), staying in RAM within one session and being removed when the browser is closed or after a specified period of time expires. In other cases it is persistent, staying on the user's hard disk in a text file. Usually these are stored in the Cookies directory (%WINDIR%\Cookies in Win9x and %UserProfile%\Cookies in NT/2000). It is not hard to guess that after capturing cookie files on the Internet, a hacker can impersonate the user of that computer or collect the important information contained in these files. After reading the following sections, you will understand how easy this is.
Intercepting cookie files
The most direct way is to intercept cookies as they are transmitted over the network. The intercepted data can then be used when logging in to the corresponding server. This task can be solved with any packet capture utility, but one of the best is Laurentiu Nicula's SpyNet/PeepNet. SpyNet includes two utilities that work together: CaptureNet captures the packets themselves and saves them to disk, and PeepNet opens this file and converts it to a readable format. The following example is a fragment of a communication session reconstructed by PeepNet, during which a cookie is used to authenticate and control access to the viewed pages (names have been changed to preserve anonymity).
GET http://www.victim.net/images/logo.gif HTTP/1.0
Accept: */*
Referer: http://www.victim.net/
Host: www.victim.net
Cookie: jrunsessionid=96114024278141622; cuid=Torpm!zxtfrlrlpwtvfiseblahblah
The example shows a Cookie fragment placed in the HTTP request to the server. The most important field is cuid=, which sets the unique identifier used to authenticate the user on the www.victim.net site. Suppose that the hacker then visits victim.net and receives his own identifier and cookie (it is assumed that the site places the cookie data not in memory but writes it to the hard disk). The hacker can then open his own cookie file and replace the cuid= identifier in it with the one taken from the intercepted packet. In that case, when logging in to the victim.net server, he will be perceived as the user whose cookies were intercepted.
PeepNet's ability to replay the entire session or a fragment of it makes attacks of this type much easier to carry out. Using the Go Get It! button, you can re-fetch the pages that the user viewed, using the cookie data intercepted by CaptureNet. In the PeepNet dialog box you can see information about an order someone placed; the cookie data intercepted by CaptureNet was used for authentication. Note the frame in the lower right corner of the dialog box with the session data, and the line that follows the Cookie line: these are the cookies used in authentication.
This is a rather clever trick. In addition, CaptureNet can provide a full traffic record in decoded form, which is almost equivalent to the capabilities of professional-class utilities such as Network Associates, Inc.'s Sniffer Pro. However, SpyNet is even better: it is free!
Countermeasures
Sites that use cookies for authentication and for storing important identification data should be treated with caution. One tool that helps ensure protection is the Cookie Pal program from Kookaburra Software, which can be found at http://www.kburra.com/cpal.html. This software can be configured so that the user is shown a warning message whenever a Web site attempts to use the cookie mechanism; at the same time you can "look behind the scenes" and decide whether to allow these actions. Internet Explorer has a built-in cookie control mechanism. To activate it, open the Internet Options panel, go to the Security tab, select the Internet zone, set the Custom Level mode and, for both persistent and temporary cookies, set the switch to Prompt. Cookie handling in the Netscape browser is configured using the Edit > Preferences > Advanced command and the WARN ME BEFORE ACCEPTING A COOKIE or DISABLE COOKIES setting (Fig. 16.3). When accepting a cookie, you need to check whether it was written to disk and ask whether the Web site is collecting information about users.
When visiting a site on which cookies serve for authentication, you need to make sure that the initially submitted name and password are encrypted, at least using the SSL protocol. Otherwise this information will appear in PeepNet as plain text.
The authors would prefer to abandon cookies entirely if many frequently visited Web sites did not require them. For example, Microsoft's Hotmail service requires a cookie for logging in worldwide. Because this service involves several different servers in the authentication process, it is not so easy to add them to the Trusted Sites zone (this process is described in the section "Reasonable use of security zones: a common solution to the problems of ActiveX elements"). In this case the designation *.hotmail.com will help. Cookies are far from a perfect solution to the statelessness of HTTP, but the alternative approaches appear to be even worse (for example, adding an identifier to the URL, which can then be stored on proxy servers). Until a better idea appears, the only option left is control over cookies using the methods listed above.
Capturing cookies via URL
Imagine something terrible: Internet Explorer users click on specially crafted hyperlinks and become potential victims, risking having their cookies intercepted. Bennett Haselton and Jamie McCarthy of the teenage organization Peacefire, which advocates freedom of communication on the Internet, published a script that brings this idea to life. The script extracts cookies from a client computer if its user clicks on a link contained on the page. As a result, the contents of the cookie file become available to the Web site's operators.
This feature can be used for malicious purposes by embedding IFRAME tags in the HTML code of a Web page, an HTML-format e-mail or a newsgroup message. In the following example, proposed by security consultant Richard M. Smith, the possibility of using IFRAME tags together with the utility developed by Peacefire is demonstrated.
A crafted e-mail message could "capture" cookie files from the user's hard disk and transmit them to the operators of the Peacefire.org site. To do this, it is enough to place a link to this site many times, as shown in the example. Although the Peacefire folks look like pleasant people, hardly anyone would like it if confidential data fell into their hands.
Countermeasures
Install the patch, which can be found at http://www.microsoft.com/technet/security/bulletin/ms00-033.asp. You can also use the Cookie Pal program or the built-in Internet Explorer features described above.
Many users do not realize that when they fill in a username and password while registering or logging in to a closed Internet resource and press ENTER, these data can easily be intercepted. Very often they are transmitted over the network in unprotected form. So, if the site you are trying to log in to uses the HTTP protocol, it is very easy to capture this traffic, analyze it with Wireshark, and then use special filters and programs to find and decrypt the password.
The best place to intercept passwords is the network core, where all user traffic to closed resources (for example, mail) passes, or in front of the Internet router, when users log in to external resources. Set up a mirror port and we are ready to feel like a hacker.
Step 1. Install and run Wireshark to capture traffic
Sometimes it is enough to select the interface through which we plan to capture traffic and click the Start button. In our case, we capture on the wireless network.
Traffic capture has begun.
Step 2. Filtering the captured POST traffic
Open the browser and try to log in to any resource using a login and password. After the authorization completes and the site opens, we stop the traffic capture in Wireshark. Next, we open the protocol analyzer and see a large number of packets. It is at this stage that most IT professionals give up, because they do not know what to do next. But we know, and we are interested in specific packets containing POST data, which are formed on our local machine when a form on the screen is filled in and are sent to the remote server when the "Login" or "Authorization" button is clicked in the browser.
We enter the following in the display filter window for the captured packets: http.request.method == "POST"
And instead of thousands of packets we see just one, containing the data we are looking for.
Step 3. Find the user's username and password
Right-click the packet and choose Follow TCP Stream from the menu.
After that, a new window appears that reconstructs the contents of the page. We find the "Password" and "User" fields, which correspond to the password and username. In some cases both fields will be easily readable and not even encoded, but if we try to capture traffic when accessing very well-known resources such as Mail.Ru, Facebook, VKontakte and so on, the password will be encoded:
HTTP/1.1 302 Found
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAI COM NAV OUR OTRO STP IND DEM"
Set-Cookie: Password=; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Location: loggedin.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Thus, in our case:
Username: NetworkGuru
Password:
Step 4. Determining the encoding type to decrypt the password
We go, for example, to the site http://www.onlinehashcrack.com/hash-identification.php#res and enter our password in the Identification window. I was given a list of encoding protocols in order of priority:
Step 5. Decrypting the user's password
At this stage we can use the HashCat utility:
~# hashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt
At the output we received the decrypted password: SimplePassword
Thus, with Wireshark we can not only troubleshoot applications and services but also try ourselves as a hacker, intercepting the passwords that users enter in web forms. You can also find out the passwords to users' mailboxes using the following display filters:
- POP protocol; the filter looks like this: pop.request.command == "USER" || pop.request.command == "PASS"
- IMAP protocol; the filter is: imap.request contains "login"
- SMTP protocol; the following filter is needed: smtp.req.command == "AUTH"
and more serious utilities for decoding the encoding protocol.
Step 6. What if the traffic is encrypted and HTTPS is used?
There are several options for answering this question.
Option 1. Get into the connection between the user and the server and capture traffic at the moment the connection is established (the SSL handshake). At that moment the session key can be intercepted.
Option 2. You can decrypt HTTPS traffic using a session key log file written by Firefox or Chrome. To do this, the browser must be configured to write these encryption keys to a log file (Firefox example), and you must obtain this log file. In effect, you need to steal the session key file from the other user's hard disk (which is illegal). Then capture the traffic and apply the obtained key to decrypt it.
Clarification: we are talking about the web browser of the person whose password is to be stolen. If we mean decrypting our own HTTPS traffic and want to practice, this strategy will work. If you try to decrypt other users' HTTPS traffic without access to their computers, it will not work; that is what encryption and privacy are for.
After obtaining the keys by option 1 or 2, you must register them in Wireshark:
- Go to the Edit menu > Preferences > Protocols > SSL.
- Tick the "Reassemble SSL records spanning multiple TCP segments" flag.
- In RSA keys list, press Edit.
- Fill in all the fields and specify the path to the key file.
Hello. I would like to devote this small article, or rather short note, to a simple way of intercepting cookie files on a Wi-Fi network. I will not explain here what cookies are and why they are needed: if a person has the idea of intercepting "cookies" on a wireless network, I think he should know what they are and why he needs them. I will say only one thing: using these files you can access someone else's accounts on various sites that require users to go through authentication (for example Mail.ru, vkontakte.ru and so on).
So let us proceed. First, we need to find a wireless network with an open Internet gateway, preferably one with enough clients. For example, any network in a large shopping centre, airport or coffee shop will do; in such places people usually use Wi-Fi Internet access to read mail, check accounts on various dating sites, view LJ and all kinds of forums. That is exactly what we need. Having chosen the network location and studied the hours with the maximum number of clients, we move on to the action itself. For this we need a laptop with a Wi-Fi adapter and a certain set of programs. In my case I used an Acer Aspire 3610 laptop, a D-Link DWL G650 Wi-Fi client card and an installed BackTrack 3.
I advise using this OS, since it already includes the whole set of programs that may be needed, and most importantly, you do not need to install BackTrack on your hard disk: you can boot this OS directly from a CD or flash drive.
Now for the necessary software. I used Kismet to detect networks and WiFizoo to intercept cookies. Let us dwell on the second program. WiFizoo is a passive sniffer that collects quite a lot of useful information, such as POP3 and SMTP traffic, HTTP cookies/auth info, MSN, FTP credentials, Telnet network traffic, NBT and so on. The only drawback of this program is the lack of a channel hopping mode: WiFizoo simply listens on the wireless interface and cannot, so to speak, jump from channel to channel. But this deficiency is compensated by another program, Kismet, which supports this mode. To run WiFizoo you need:
- Python
- Scapy
- Kismet
So, to run the program, first start Kismet to provide channel hopping, then run WiFizoo itself; this window should appear in front of you:
Now it only remains to sit and wait until you have intercepted enough. Everything the program intercepts can be found in the logs located in the /logs/ directory under the program directory. You can also launch the GUI, which is served over HTTP at 127.0.0.1:8000.
I will not describe all the features of this wonderful program; I think you will figure out the rest yourself, and at the moment we are only interested in cookies. Click the link labelled Cookies and see what we intercepted:
The picture shows that the cookie contains Wordpress_logged_in_263d663a02379b762464038=admin. This value is present in the cookie in unencrypted form and is easy to intercept with the Achilles utility, although usually in most cases Achilles shows only a hash of a particular entry. Before sending the request to the server, you can try to replace this string with any similar one (although in this case there is no point); the number of attempts is not limited. Then, sending this request to the server with the Send button, you can get a response from the server intended for the administrator.
In the previous example, direct substitution of the user ID can be used. In addition, the name of the parameter whose value can be substituted to give the hacker additional capabilities may be as follows: User (for example, User=jdoe), any expression with a string ID (for example, user=jdoe or sessionid=blahblah), admin (for example, admin=true), session (for example, session=active), Cart (for example, Cart=Full), as well as expressions such as True, False, Active, Inactive. Typically the cookie format depends heavily on the application for whose needs it is used. However, the following techniques for examining applications that use cookies are suitable for almost all formats.
Client-side countermeasures against extracting information from cookie files
In general, the user must be careful with Web sites that use cookies for authentication and for storing important data. It should also be remembered that a Web site that uses cookies must support at least the SSL protocol to encrypt the username and password, since without this protocol the data is transmitted in unencrypted form, which allows it to be intercepted using the simplest software for viewing data sent over the network.
Kookaburra Software has developed a tool that makes working with cookies easier. It is called Cookie Pal (http://www.kburra.com/cpal.html). This program is intended to warn the user when an attempt is made to set a cookie on the machine, and the user can allow or deny this action. Similar cookie-blocking functions are found in all browsers today.
Another reason to install Web browser updates regularly is the constantly discovered holes in the security of these programs. Thus, Bennett Haselton and Jamie McCarthy created a script that, after a link is clicked, retrieves cookies from the client machine. As a result, the entire contents of the cookies on the user's machine become available.
Hacking of this kind can also be carried out using an HTML tag.
So that such things do not threaten our personal data, I do it myself and always advise everyone to update software that works with HTML code (e-mail clients, media players, browsers and so on).
Many prefer simply to block cookies, but most Web sites need cookie support. The conclusion: if in the near future an innovative technology appears that allows us to do without cookies, programmers and administrators will sigh with relief, but for now cookies remain a tasty morsel for the hacker! This is true, since there is no better alternative yet.
Server-side countermeasures
When it comes to recommendations for ensuring server security, specialists give one simple piece of advice: do not use cookies without a particular need! It is especially necessary to be careful with cookies that remain on the user's system after the communication session ends.
Of course, it is important to understand that cookies can be used to ensure Web server security by implementing user authorization. If the application you are developing still needs to use cookies, the mechanism should be configured so that different keys with a short lifetime are used with each session, and you should try not to put information in these files that hackers could use for an attack (such as admin=true).
In addition, for greater security when working with cookies, you can encrypt them to prevent extraction of important information. Of course, encryption does not solve all security problems when working with cookies, but this method will prevent the simplest attacks described above.
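An audit of Set-Cookie headers that checks the server-side advice above (no admin=true-style values, no sensitive data, short lifetimes) together with the attribute problems visible in the Wireshark section's response, as an added example that is not from any of the articles on this page. The first sample header is modelled on the Set-Cookie: Password=... response shown in that section, with a constructed placeholder value; the other two samples are constructed, and parse_set_cookie, cookie_expiry, audit_set_cookie, audit_samples and REFERENCE_NOW are hypothetical names.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Added example; names and sample data are constructed, not taken from a real server.
SENSITIVE_NAMES = re.compile(r"(pass|pwd|admin|role|token$)", re.I)
FLAG_VALUES = re.compile(r"(true|false|active|inactive|full|admin)", re.I)
MAX_LIFETIME = 24 * 3600     # anything living longer than a day is reported as persistent

SAMPLE_HEADERS = {
    # modelled on the page's captured response; the value is a placeholder, not the real one
    "page_style": "Set-Cookie: Password=PLACEHOLDER_VALUE; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/",
    "flag": "Set-Cookie: admin=true; Path=/",
    "good": "Set-Cookie: session=q1w2e3r4t5y6u7i8o9p0; Path=/; Max-Age=900; Secure; HttpOnly; SameSite=Strict",
}
REFERENCE_NOW = datetime(2014, 11, 8, tzinfo=timezone.utc)   # constructed "current" time for the samples

def parse_set_cookie(header: str) -> Dict[str, object]:
    """Splits one Set-Cookie header into name, value and a lower-cased attribute map."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def cookie_expiry(value: str) -> Optional[datetime]:
    """Parses an Expires date; accepts both 'Thu, 07 Nov 2024 ...' and the dashed '07-Nov-2024' form."""
    try:
        parsed = datetime.strptime(value.replace("-", " "), "%a, %d %b %Y %H:%M:%S GMT")
    except ValueError:
        return None
    return parsed.replace(tzinfo=timezone.utc)

def audit_set_cookie(header: str, now: Optional[datetime] = None) -> List[str]:
    """Returns a list of findings for one Set-Cookie header; an empty list means nothing was flagged."""
    cookie = parse_set_cookie(header)
    attrs: Dict[str, str] = cookie["attrs"]          # type: ignore[assignment]
    name, value = str(cookie["name"]), str(cookie["value"])
    now = now or datetime.now(timezone.utc)
    findings: List[str] = []
    if SENSITIVE_NAMES.search(name):
        findings.append(f"sensitive data in cookie '{name}'")
    if FLAG_VALUES.fullmatch(value):
        findings.append(f"guessable flag value '{value}' in cookie '{name}'")
    for attr, why in (("secure", "sent over plain HTTP too"),
                      ("httponly", "readable by page scripts"),
                      ("samesite", "sent on cross-site requests")):
        if attr not in attrs:
            findings.append(f"missing {attr} on cookie '{name}': {why}")
    lifetime: Optional[float] = None
    if attrs.get("max-age", "").isdigit():
        lifetime = float(attrs["max-age"])
    elif "expires" in attrs:
        expiry = cookie_expiry(attrs["expires"])
        if expiry is None:
            findings.append(f"unparseable Expires on cookie '{name}'")
        else:
            lifetime = (expiry - now).total_seconds()
    if lifetime is not None and lifetime > MAX_LIFETIME:
        findings.append(f"persistent cookie '{name}' lives {lifetime / 86400:.0f} days")
    return findings

def audit_samples() -> Dict[str, List[str]]:
    """Runs the audit over the constructed samples with the constructed reference time."""
    return {label: audit_set_cookie(header, now=REFERENCE_NOW)
            for label, header in SAMPLE_HEADERS.items()}
```

Run this over the Set-Cookie lines in a proxy log or a test client's responses; the "page_style" sample is flagged on every point the articles raise (a password stored in the cookie, ten years of lifetime, and none of the three attributes), while the "good" sample passes because it carries only an opaque id with a short Max-Age.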