Hijacked Session

WallyGUFC · 14-04-2011 11:29am #1

This is a test to see if Boards.ie sessions can be hijacked on a LAN

post here if it works.

Blame Phractal for this :P its a test we are running

(the account is logged in on the PC beside me, so I am borrowing it via a vuln. in the LAN)

w00t! 700th post on his account!

Phractal · 14-04-2011 11:33am

Thanks bro, it worked.

Not a Boards vuln, just a test to see if LAN session hijackingh works at all.

It does.

Basically it is to do with the IP address - we both come from the same one despite different computers.

We were also able to hijack each others Facebook, Twitter, and hotmail sessions.

Its a Local prioblem, NO tools used, I only noticed it when i went to login to facebook and auto logged in on his user account.

Fork() ing dodgy routers....

WallyGUFC · 14-04-2011 12:00pm

All good!:D

702 posts

Phractal · 14-04-2011 12:02pm

Wally, dont be a post whore :P

Anyways, this is a bit like the wired network firesheep except... no firesheep needed.

Procasinator · 14-04-2011 4:20pm

Well the server side can add in other checks besides IP to try and halt session hijacking (user agent, other tokens in the request, etc) but it won't stop someone who imitates the user properly.

How would you suggest it be fixed LAN side?

HTTPS for all traffic where session tokens exist (not just on initial login) seems to be the only way to really protect against this.

Edit: Unless you are talking about stopping the listening for session cookies in the first place by static IP, static ARP tables, etc countermeasures.

Phractal · 14-04-2011 8:39pm

Looks to me to be an ARP tables problem.

Masically the boxes all looked the same and I happened to be logging into everything at the same time as Wally, and somehow, the thing thought we were the same computer.

I still am baffled at how THAT happened (we were in college when it happened)

Though then again, it possibly was a big in the Novell crap they installed.... On the WiFi Firesheep is a bit scary - in fact it lags like hell 'cos of 1000 people on facebook :P

I'd say it was LAN side

Procasinator · 14-04-2011 9:16pm

Phractal wrote: »

Looks to me to be an ARP tables problem.

Masically the boxes all looked the same and I happened to be logging into everything at the same time as Wally, and somehow, the thing thought we were the same computer.

I still am baffled at how THAT happened (we were in college when it happened)

Though then again, it possibly was a big in the Novell crap they installed.... On the WiFi Firesheep is a bit scary - in fact it lags like hell 'cos of 1000 people on facebook :P

I'd say it was LAN side

That is weird. Only reason I could see that maybe happening is if they cache responses and didn't use session cookie in the lookup.

Phractal · 15-04-2011 12:34pm

It is VERY wierd. Seems that maybe the cache doesnt differenciate between one users session and another, so I can pull another users FB login, etc, by just wanting to look at the site.

Though another theory is that we did this using onl the browsers defaults and it automatically checks the 'remember me' type boxes, not to mention the thing is LAN booting so maybe something there?

Procasinator · 15-04-2011 12:53pm

Phractal wrote: »

Though another theory is that we did this using onl the browsers defaults and it automatically checks the 'remember me' type boxes

So you might have had his session already in Facebook (he never logged out/has password saved).

Phractal wrote: »

not to mention the thing is LAN booting so maybe something there?

Depending on how they do it, there could be something to that. Seems very silly, though.

Phractal · 15-04-2011 12:58pm

the issue is also that I was on a different actual computer to him.

Same LAN segment, different box.

So if stored sessions are being reproduced on EVERY box there... We canhas epic problem!

Hijacked Session

Comments