SESSION HIJACKING

TRAFFIC SNIFFING

this method of session hijacking doesn't require any interaction with the target user. however, it does require the attacker to be positioned on the same local network as the victim, and the traffic being observed must be unencrypted

#identify the session cookie/token name
root@oco:~$ BROWSER > {targetSite:port} > Storage > Cookies > {targetSite}
 Name: {auth-session}

#Public WiFi / Physical Wall Ethernet Panel
root@oco:~$ sudo -E wireshark

 * the -E option tells sudo to preserve the user's environment variables when 
   running the command
    - normally, when you run a command with sudo, it resets certain environment 
      variables for security reasons. the -E option ensures that environment variables
      (such as PATH, HOME, or any others set in your shell) are retained when 
      running wireshark.
      
WireShark > Capture
 Filter: http
 interface: interfaceID
 start capture

 * this method is not practical as the attacker must patiently wait until a user actually logs in and interacts with a website
 * additionally, this only works if the traffic is unencrypted
 
root@target:~$ BROWSER > {website...}
 * user logs in to websites...
 
root@oco:~$ WireShark > Edit > Find Packet
 Packet Type: Packet Bytes
 ...: Narrow & Wide
 Case Sensitivity: Disabled
 Type: String
 Search: auth-session
 
 ...
WireShark > Packet Details > HTTP > HTTP/1.1 > right-click Set-Cookie > Copy > Value

root@oco:~$ BROWSER > New Private Window > {targetSite:port} > F12 > Storage > Cookies > {targetFQDN}
 Name: {auth-session}
 Value: {cookieValue}
 
 * refresh the target page to execute

MITIGATION
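added example, not part of the original notes: the precondition for the technique above is a session cookie that travels over plaintext HTTP. the python below (helper names are assumed, sample headers are constructed) parses Set-Cookie lines and flags the auth-session cookie when it was issued over plaintext or lacks the Secure attribute, the attribute that stops the browser from sending it on unencrypted requests.

```python
# Constructed sample Set-Cookie headers, as a defender would see them in a
# proxy log or a test client. The cookie name auth-session is from the notes.
SAMPLE_HEADERS = [
    "Set-Cookie: auth-session=abc123; Path=/; HttpOnly",
    "Set-Cookie: auth-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: theme=dark; Path=/",
]


def parse_set_cookie(header_line):
    """Split one Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are case-insensitive (RFC 6265), so they are lowercased;
    flag attributes such as Secure and HttpOnly map to an empty string.
    """
    _, _, body = header_line.partition(":")
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")  # value may itself contain "="
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_session_cookies(header_lines, session_name="auth-session", over_tls=True):
    """Return finding codes for the session cookie in a response's headers.

    over_tls says whether the response was received over HTTPS; the caller
    knows this from the URL scheme of the request that produced it.
    """
    findings = []
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, _, attrs = parse_set_cookie(line)
        if name != session_name:
            continue
        if not over_tls:
            # the cookie value itself crossed the wire in the clear
            findings.append("issued-over-plaintext")
        if "secure" not in attrs:
            # the browser will attach it to later plaintext requests too
            findings.append("missing-secure")
        if "httponly" not in attrs:
            findings.append("missing-httponly")
    return findings


if __name__ == "__main__":
    for line in SAMPLE_HEADERS:
        print(line, "->", audit_session_cookies([line], over_tls=False))
```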
