Cookie Stealing Exploits Explained

This document summarizes an automated tool called CookieChaos that can steal HTTPS cookies by injecting images on unencrypted networks. It works by passively sniffing traffic to map IP addresses to domain names, then injecting image tags for HTTPS sites when any connection is made, causing cookies to be transmitted without encryption. The tool caches DNS responses, stores IP and host mappings, and injects tags to intercept cookies, writing them to a file that can be used to impersonate the user on that site. It provides an easy way to steal cookies without technical expertise compared to manual methods.

Uploaded by Nikhin Valsan
Copyright: Attribution Non-Commercial (BY-NC)

365-Day: https Cookie Stealing

Mike Perry Defcon 2007

Who am I?

Volunteer Tor developer

Work on Torbutton, TorFlow

Privacy advocate, censorship opponent

Forward+Reverse engineer at Riverbed

Flexitarian

Random Hacker

Wrote a page-based malloc debugger

Wrote an IRC bot that got quoted as a human in a major magazine

Why am I doing this?


Exploit is not new or complicated... However:

Vector is not narrow or wifi-only

Sophisticated attackers can drain bank accounts with custom cable/DSL modems

It also harms safe Tor usage, and that pisses me off

Many sites are vulnerable, and don't seem to care.

Response: Release a tool, lower the bar even more.

Encourage (correct and secure) SSL adoption

Cookie Basics

Variables set by websites in your browser

Used for authentication, tracking, storage

Several properties govern when they are transmitted:

Domain

Path

Expiration

SSL bit (seldom used, this is where the fun begins)


The 'SideJacking' Attack

Glorified sniffer

Sniffs cookies transmitted via plaintext http

Janky proxy based approach to do control+saving

Completely passive: User must visit target site

Able to save domain and path info

Path info may be too specific, can lead to issues

Admirable PR machine for such a simple hack

Waay exceeds my PR abilities. Little help? :)

Active HTTP Cookie Hijacking

Like CSRF, but we want the data transmitted, not any particular result

In fact, the server can reject the request

Scenario:

Yesterday: User logs in to [Link]. Checks "Remember me."

Today: User visits [Link] via open wifi

Today: We inject <img src="[Link]

Today: Browser transmits yahoo cookies for image

Today: We sniff cookies, write them to [Link]

Tomorrow: Use [Link] to read their mail

Active HTTPS Cookie Hijacking

New Scenario:

Yesterday: User logs in to httpS://[Link]

Today: User visits [Link] via open wifi

Today: We inject <img src=[Link]

Today: Browser transmits unprotected gmail GX cookie for http image fetch

Today: We sniff cookies, write them to [Link]

Tomorrow: Use [Link] to read their mail

User never even checks gmail on hostile network!
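The two scenarios above and the "Cookie Basics" slide come down to one browser rule: a cookie is attached to a request when its Domain and Path match, and unless the Secure attribute (the talk's "SSL bit") is set, that holds for plaintext http:// requests too. The following model of those scoping rules is an added example written for this page; it is not code from the talk or from CookieChaos. The host names (`mail.example.com`, `www.example.com`) and cookie names (`SID`, `GX`, `PREF`) are constructed samples, not captured data. It shows which cookies a plaintext fetch to the same domain would expose, provides an audit function a site operator can run over their own Set-Cookie headers, and shows the hardened form where every session cookie carries Secure.

```python
"""Browser cookie-scoping model showing why a session cookie set over HTTPS
without the Secure attribute is replayed on a plaintext fetch to the same
domain, and how adding Secure stops that.

Added example written for this page; not code from the talk or from
CookieChaos.  Host names and cookie names below are constructed samples.
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # scope, stored without a leading dot
    host_only: bool   # True when the Set-Cookie header had no Domain attribute
    path: str
    secure: bool      # when True, only sent on https:// requests
    http_only: bool


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse one Set-Cookie header value as received from request_host."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    domain, host_only, path = request_host.lower(), True, "/"
    secure = http_only = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            domain, host_only = val.lstrip(".").lower(), False
        elif key == "path" and val.startswith("/"):
            path = val
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
    return Cookie(name.strip(), value.strip(), domain, host_only, path, secure, http_only)


def domain_matches(request_host: str, cookie: Cookie) -> bool:
    if cookie.host_only:
        return request_host == cookie.domain
    return request_host == cookie.domain or request_host.endswith("." + cookie.domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_sent(jar: List[Cookie], url: str) -> List[str]:
    """Names of the cookies a browser would attach to a request for url."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    path = u.path or "/"
    return [c.name for c in jar
            if domain_matches(host, c) and path_matches(path, c.path)
            and (u.scheme == "https" or not c.secure)]


def audit_plaintext_exposure(jar: List[Cookie]) -> List[str]:
    """Defender check: cookies that any in-scope http:// fetch would reveal."""
    return [c.name for c in jar if not c.secure]


# Constructed Set-Cookie headers as a mail site at https://mail.example.com
# might emit them.  Only GX carries the Secure attribute.
SAMPLE_HEADERS = [
    "SID=abc123; Domain=.example.com; Path=/; HttpOnly",
    "GX=xyz789; Domain=.example.com; Path=/mail; Secure; HttpOnly",
    "PREF=lang%3Den; Path=/",
]


def sample_jar() -> List[Cookie]:
    return [parse_set_cookie(h, "mail.example.com") for h in SAMPLE_HEADERS]


def hardened_jar() -> List[Cookie]:
    """Same cookies with Secure set on every one, as the site should issue them."""
    return [parse_set_cookie(h if "secure" in h.lower() else h + "; Secure",
                             "mail.example.com") for h in SAMPLE_HEADERS]


if __name__ == "__main__":
    jar = sample_jar()
    # A plaintext image fetch on the same domain, as in the scenario above.
    print(cookies_sent(jar, "http://www.example.com/"))            # ['SID']
    print(cookies_sent(jar, "https://mail.example.com/mail/"))     # ['SID', 'GX', 'PREF']
    print(audit_plaintext_exposure(jar))                           # ['SID', 'PREF']
    print(cookies_sent(hardened_jar(), "http://www.example.com/"))  # []
```

The audit function is the practical takeaway: run it over the Set-Cookie headers your own site emits after login, and any name it returns is a cookie that a plaintext request anywhere in the cookie's Domain scope will carry, whether or not the user ever visits that site over the hostile network.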

Vectors

Not just open wifi

ARP poisoning

DHCP spoofing

DSL+Cable modem networks?

Possible to sniff+inject on cable networks?

Some use DOCSIS auth+encryption now, but many modes are weak

One custom with TX/RX frequencies switched

May require two modems

'Manual' Attack

Aka: How people were owned for the past 365 days.

Fire up wireshark

Fire up airpwn/netsed with custom rule

Copy cookies out of wireshark. Lame.

Introducing CookieChaos
Fully automated pylorcon tool for cookie gathering

Caches DNS responses

Listens for 443 connections

Uses cache to map IP to domain name

Stores IP+host into injection queue

Next time IP connects to ANY website:

Inject <img src=[Link]

Gathers any resulting cookies and writes [Link] file for use in Firefox

Ok, so there is some configuration...

Need cookie path for injection for some sites

No worries. List of paths for popular sites provided!

Might want to steal other non-ssl sites too

No worries. Additional target list can be provided!

Demo