Friday, September 30, 2011


Well I have posted lots of articles on Phishing and keylogging, but today I would like to throw some light on a very useful method which hackers use to hack gmail, facebook and other email accounts i.e. Stealing.  One of the reasons why I am writing this article as there are lots of newbies having lots of misconceptions related to cookie stealing and session hijacking, So I hope this tutorial cover all those misconception and if not all most of them.



What is a Cookie?

A cookie is a piece of code which is used to authenticate a user on a website, In other words when ever you login to a website such as Facebook, Gmail, Orkut etc your browser assigns you a cookie which basically tells the browser that for how long the user should be logged it, Apart of authentication purpose a cookie can be used for variety of different purposes, If you would like to know more about cookie stealing kindly google it up.

What is a Session Token?

After an authentication is completed , A webserver hands the browser a session token which is used because a webserver needs a way to recognize between different connections, If a hacker could capture your session token then it's a cakewalk for the hacker to hack into yourgmail, facebook or any other account.

What is a Session Hijacking Attack?

A session hijacking attack is basically an act of capturing session token and injecting it into your own browser to gain acess to victims account.


What is a Cookie Stealer?

A cookie stealer is basically a script used to steal victims authentication cookies, Now for a cookie stealing process to work the website or the webpage should be vulnerable to an XSS attack, This is the most common and widely known misconception among newbies.

How the stealing process work?

1. The attacker creates a PHP script and uploades it to a webhosting site.

2. The attacker then asks the victim to visit that particular link containing the PHP code.

3. Once the victim visits it his/her authentication cookie is saved in a .txt file.

4. Next the attacker uses a cookieinjector or a cookie editor, There are lots of firefox addons, google chrome extensions to do the work for you. Personally I use Cookie manager v1.5.1 as it's quite user friendly.



You can also use the webdeveloper toolbar to do the work for you.

5. The attacker replaces his own cookies with the victims cookies as a result of which the victims session is hijacking

Why it does not work on a website which is not vulnerable to XSS?
It's due to the browser's same origin policy, and according to it the browsers don't allow the javascripts to acess the cookies.


Gmail GX Cookie



By now I believe that I might have cleared lots of misconceptions related to cookie stealing, but all of those information is only good for you if you try to do it practically,  So let's get to the main topic.

In gmail the cookie which authenticates users is called a GX cookie, Now as we cannot use a cookie stealer as by now we don't know any XSS vulnerability in gmail, So if you are on a LAN  you can use wireshark or any other packet sniffer to steal gmail Unsecured GX cookie and use it to gain acess.

Will this hack always work?

Well this trick won't work on all Gmail accounts and as Gmail now offers End to End https://encryption, Which encrypts the session token so even if we could get our hands on the GX cookie it's useless, but if a user has turned off the End to End https:// encryption in gmail it can work for sure.



I hope you have liked the post uptill now, I will cover the method to steal gmail gx cookies and using it to hack gmail accounts in the next post, So stay tuned !.




In my previous post Gmail Cookie Stealing And Session Hijacking Part 1, I discussed all the basics and fundamentals in order to understand a Session Hijacking attack, If you have not read the part 1, Kindly read the part 1 first in order to get good grasp of the topic.

Well after a tremendous feedback and response of readers on Session hijacking, I thought to extend this topic and write more on it, In this tutorial I will explain you some methods to capture Gmail Gx cookies.


Gmail GX Cookie

In gmail the cookie which authenticates users is called a GX cookie, Now as we cannot use a cookie stealer since by now we don't know any XSS vulnerability in gmail.

Tools You will be required


1.Cain And Abel
2.Network Minner
3.Wireshark

How To Capture Cookies?


Now there are couple of ways you can use to capture unsecured Gmail cookie which depend on the type of network you are on.

Packet Sniffing


 If you are on a Hub based network you can use packet sniffing in order to capture local traffic. You may use any packet sniffer you want to capture cookies, but I would recommend you to either use wireshark or Network Miner because they are quite userfriendly.

Wireshark

Wireshark is my recommended choice if you are on a hub based network and are looking forward to capture an unsecured Gmail Gx Cookie. Here is how you can capture a gmail GX cookie via Wireshark.

Step 1 - First of all download wireshark from the official website and install it.

Step 2 - Next open up wireshark click on analyze and then click on interfaces.

Step 3 - Next choose the appropriate interface and click on start.


Step 4 - The wireshark will now start to capture the traffic, In the mean time log in to your gmail account but make sure that you have selected "Don't use https://" in Gmail account Settings.




Step 5  - Next set the filter to on the top left to http.cookie contains "Gx", What this filter will do is that it will filter out all the traffic for the gmail authentication cookies named as GX.

Step 6 - Once you have found the suitable line of Gmail GX cookie right click on it and click on Copy and then select Bytes (Printable Text Only)

Step 7 - Now you have successfully captured Gmail GX unsecured cookie.

Network Miner

You can also use network miner to capture, it's more easier and userfreindly than wireshark.



Note: You would need a Winpcap before capturing traffic from either Network Miner or Wireshark.

ARP Spoofing Or Man In The Middle Attack:


Now if you are on a switched based lan network, packet sniffing will probably not work for you as the traffic meant for the particular system will only reach it, So packetsniffing becomes useless in Switch based networks.

1. Cain And Abel.

Cain and Abel should be your only choice if you are on windows operating system, You can easily place your self between the victims computer and the gateway and capture all the traffic going through it and hence successfully launching a man in the middle attack, afterwards you can filter out cookie information from the captured traffic. Here is a screenshot of captured traffic from Cain and abel.





2.EtterCap

Now if you are on a linux machine, You should probably use Ettercap as it's one of the best sniffers I have ever played with, With Ettercap you can easily launch a Man in the middle attack(ARP Poisoning) and capture unsecured Gmail GX cookie.


How can I prevent this kind of attack?

So friends till now you might have known the importance of using https:// connections. In order to prevent these kinds of attacks always use a https:// connection or a VPN solution while logging in to your email accounts.

So friends this concludes the part 2 of my series on cookie stealing, In part 3 we will look on variety of different methods used to inject cookies in to our browser to gain access to the account.

So friends, This is the third part of my Gmail Session Hijacking and Cookie Stealing series onRHA, In the first part I introduced you to the basics and fundamentals of a Session Hijacking attack, In the second part I introduced you to the variety of methods used to capture session cookies. In this part I will tell you how to carry out a session hijacking attack once you have the session cookies.



Cookie Injection With A Firefox WebBrowser

Now there are variety of plugins used to inject cookies in your browser, depending on which browser you are using, I would recommend you the use of firefox browser as it supports vast number of cookie injection plugins.

Web Developer Toolbar

Webdeveloper toolbar is an addon for the firefox browser it makes the process of injecting cookies extremely easy. All you have to do is to install the webdeveloper toolbar, Click on the cookies drop down menu and click on the cookie you want to edit.


Once you have clicked on the edit cookie option, You will be brought to the following screen:


Next replace your cookie value with the victims cookie value.


Now if you have captured cookies using wireshark, then instead of using Webdeveloper toolbar, you can use Cookie injector to inject session cookies directly in to your browser. All you need to do is to press Alt+C after installing the cookie injector and then just paste the wireshark cookie dump and press ok. After you have done so, Just refresh your browser and you will be in victims account.


Note: In order to install Cookie injector script you would need to first install Greasmonkey plugin for firefox


CookieManger is one of my most preferred choice for performing a Session hijacking hijacking, Since it's very user friendly and extremely easy to use. You can view CookieManager's usage guide here.

Cookie Injection With Google Chrome



If you are too lazy to use firefox for cookie injection, then luckily there are few extensions on google chrome used to inject cookies into your browser and take control of the victims account. One of my favorite cookie injecting extensions is Cookie editor by Philip, It sports a very unfriendly interface.


Drawbacks of Session Hijacking Attack:

With so many advantages of a session hijacking attack there are some drawbacks that you also need to know.

1. First of all cookie stealing becomes useless if victim is using a https:// protocol for browsing and end to end encryption is enabled.

2. Most of the cookies expire once the victims clicks on the logout button and hence the attacker also logs out of the account.

3. Lots of websites do not sport parallel logins which also makes cookie stealing useless.

Protection Against A Session Hijacking Attack

The best way to protect yourself against a session hijacking attack is to use https:// connection each and every time you login to your Facebook, Gmail, Hotmail or any other email account. As your cookies would be encrypted so even if an attacker manages to capture your session cookies he won't be able to do any thing with your cookies.

So freinds, I hope you have enjoyed the Gmail Session hijacking and cookie stealing series, Depending on readers response I might make a tutorial on Facebook Session hijacking too. If you have any questions feel free to ask.

thank you.

Leave a Reply

Subscribe to Posts | Subscribe to Comments

- Copyright © .Hacking Cracking Tricks And Tutorials, Paid Scripts, Latest Exploits, 0Day Vulnerability, - Skyblue - Powered by Blogger - Designed by Johanes Djogan -