The cookie factory - [ Sevagas]

The cookie factory

Sniffing cookies can be an easy and undetectable way to steal passwords and more.

Article published on 2 June 2010

last modification on 29 May 2016

by Emeric Nasi

License : Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.

Everyone who has been using the World Wide Web has heard about cookies.
Among the advanced users it is common to know they are dangerous and should be disabled. The problem you would face then is that most major Internet sites requires cookies, so you would turn cookies on again...
In fact cookies are not “bad”, they just need proper usage.
However they really are a potential danger. Some cookies are used to "remember" user’s credentials and/or store sessions data.
If an attacker can gets his hands on important cookies, he can use them to steal forum, emails and other sessions ID and thus access illegally to your accounts.
Reusing other’s cookies to hijack their sessions is called “cookie forging”.

I How to forge cookies?

It is quite simple in fact. There are several available tools one can use for that.
The first one you need is a sniffer, tcpdump will do, wireshark is nicer. And you can also use tools dedicated to this job like urlsnarf that displays all requested urls and cookies.

Note : Man in the middle techniques like arp spoofing can be used too, but in this case the attacker can do much more than just forging cookies so I won’t talk about it here, and leave it to another article.

The next tool you need is a cookie editor for your navigator. There are firefox plug-ins that are aimed at doing that.
When you have all the tools, all you need is an access to the local network you want to spy. A company internal network is probably secured and use switches so sniffing on Ethernet is not possible. But do they have a Wifi?
In college I had a teacher who said that Wifi was getting back 10 years in the past compared to switched networks. If you only look at the security part he was right.
Think about it, just access to a public Wifi place like airports, railway stations, hamburger places... These places are a Wifi sniffing kingdom for all the script-kiddies on the planet!Another important security issue of Wifi is that you can sniff Wifi datas without even being connected to the network. My favorite Wifi hacking tools is the aircrack-ng toolbox.
Example using Linux :

$ airmon-ng start wlan0 # monitor mode
$ airodump-ng --bssid xx:xx:xx:xx:xx:xx -c xx  mon0 # Sniff a particular wifi lan
# On an other shell session :
$ airtun-ng -a xx:xx:xx:xx:xx:xx mon0 # Redirect Wifi  packets to interface at0
# On another shell session
$ ifconfig at0 up # Now you can sniff all lan data
### OR ###
$ ifconfig at0 Ip_valid_for_the_local_network netmask netmask_of_the_local_network up # Now you can sniff all lan data AND inject packets

All you have to do is run these command lines and wait...

The attacker will not have to wait long, he will soon grab a lot of cookies.
Some of them will allow him to steal a session on a forum or a small site.
Others, and this is more concerning, will allow him to hijack email accounts.
The next step is simple, use the cookie editor to edit your cookies, and try to forge them so you have the same session cookies as your victim.
Not all cookies are necessary to do that, in the next section I show how to hijack major sites session with minimum cookies.

II Steal major sites sessions

Note: This list is voluntarily eight month old so it won’t be too easy to just use this article just as a script-kidding tutorial. After 8 months, these major site should have increase their cookie security. Or did they... ?

Steal a Gmail account session :
- Forge the cookie : GX
- Go to Gmail page

Steal a Facebook session :
- Connect to http://www.facebook.com/ to automatically grab required cookies.
- Forge the cookie : xs
- Forge the cookie : c_user
- Actualize Facebook page

Steal a Yahoo mail session :
- Forge the cookie : T
- Forge the cookie : Y
- Use the menu and the "mail" link to access to the email account.

Steal a Hotmail session :
- Go to http://login.live.com
- Forge the cookie : RPSTAuth
- Go to http://mail.live.com

III How to protect against that?

The basic rules:
First, you should never check a box that says "Stay connected a few days" or "Keep my session open".
Second always disconnect from any site you previously logged on before you close your navigator.
When you are using a public network, never open a navigator if you are not sure you already disconnect from all the sites you visited the last time you opened it.
If you didn’t, your navigator will send back to the site the most important cookies to identify itself so you don’t have to log into it again. The problem is; these cookies are send unencrypted.
Now these rules may not be enough if the site you connect on doesn’t have a good cookie security policy.

More secured rules (add to the previous ones) :
Avoid to open a session when using a public Wifi. If you do not have the choice, at least be sure that the sites you log on have a good cookie protection. That means, the most important cookies needed to access to your sessions are passed thought an encrypted SSL tunnel (the way Yahoo and other major sites do).

I How to forge cookies?

II Steal major sites sessions

III How to protect against that?

Also in this section