this method of session hijacking doesn't require any interaction with the target user. however, it does require the attacker to be positioned on the same local network as the victim, and the traffic being observed must be unencrypted (plain HTTP rather than HTTPS)
#identify the session cookie/token name
root@oco:~$ BROWSER > {targetSite:port} > Storage > Cookies > {targetSite}
Name: {auth-session}
#Public WiFi / Physical Wall Ethernet Panel
root@oco:~$ sudo -E wireshark
* the -E option tells sudo to preserve the user's environment variables when
running the command
- normally, when you run a command with sudo, it resets certain environment
variables for security reasons. the -E option ensures that environment variables
(such as PATH, HOME, or any others set in your shell) are retained when
running wireshark.
WireShark > Capture
Filter: http
interface: interfaceID
start capture
* this method is not practical as the attacker must patiently wait until a user actually logs in and interacts with a web site
* additionally, this only works if the traffic is unencrypted
root@target:~$ BROWSER > {website...}
* user logs in to websites...
root@oco:~$ WireShark > Edit > Find Packet
Packet Type: Packet Bytes
...: Narrow & Wide
Case Sensitivity: Disabled
Type: String
Search: auth-session
...
WireShark > Packet Details > HTTP > HTTP/1.1 > right-click Set-Cookie > Copy > Value
root@oco:~$ BROWSER > New Private Window > {targetSite:port} > F12 > Storage > Cookies > {targetFQDN}
Name: {auth-session}
Value: {cookieValue}
* refresh the target page so the browser sends the injected cookie
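the defensive counterpart to the procedure above is to verify that a site never exposes its session cookie to a passive sniffer in the first place. the following is an added example, not part of the original notes: a small Python audit that parses the Set-Cookie headers of an HTTP response and reports any cookie that is set over plaintext HTTP, lacks the Secure attribute (so a browser could later replay it over plain HTTP), or lacks HttpOnly. the two response strings are constructed samples; the cookie name auth-session is taken from the notes above.

```python
"""Audit Set-Cookie headers for exposure to passive on-path sniffing.

A session cookie is only safe from the capture described above when it is
(a) set over HTTPS and (b) carries the Secure attribute, so the browser
never replays it over plain HTTP. HttpOnly is reported too because it
closes a different theft path (script access), not sniffing.
"""
from typing import Dict, List


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into its name, value and attribute map.

    Attribute keys are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued attributes (Path, SameSite) map to their value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_response(scheme: str, raw_headers: str) -> List[str]:
    """Return findings for every cookie a passive sniffer could read or reuse.

    scheme is the scheme the response was served over ("http" or "https");
    raw_headers is the raw response head (status line plus headers).
    """
    findings: List[str] = []
    for line in raw_headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        cookie = parse_set_cookie(line.split(":", 1)[1])
        name = cookie["name"]
        attrs = cookie["attrs"]
        if scheme.lower() == "http":
            findings.append(
                f"{name}: set over plaintext HTTP; the value is visible to anyone on the path"
            )
        if "secure" not in attrs:
            findings.append(
                f"{name}: missing Secure; the browser may later send it over plain HTTP"
            )
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly; readable by page scripts")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: auth-session=abc123; Path=/\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: auth-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, scheme, resp in (
        ("weak over http", "http", WEAK_RESPONSE),
        ("hardened over https", "https", HARDENED_RESPONSE),
    ):
        print(f"== {label} ==")
        for finding in audit_response(scheme, resp) or ["no findings"]:
            print("  " + finding)
```

running the script prints three findings for the weak response (plaintext transport, no Secure, no HttpOnly) and none for the hardened one; the same audit_response function can be pointed at headers saved from a real deployment to confirm the session cookie cannot be collected by the capture described above.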