Description: I hope nobody has posted this method yet (I would like to claim that it's the first on here). This will show you how to gain access to FB accounts through LDM (live data manipulation). Very simple and easy to do with Wireshark, Cookie Manager and Cain and Abel. Basically a cookie replication.
Tags: hack , facebook , cookie , LDM , blacksaber , bl4cks4b3r , status , comment , remove , edit , delete , gain , access , control , wireshark , cain , abel , arp , poison , tcp , follow ,
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Bl4ckS4b3r, this seems to be good; the proof is in the pudding though. Hope you are first to get this up here; if not, well, the thing about first is you have no one to chase. Now I'm going to piss off the wife and do this all day today!
Lol
the victim has to be on the same wireless network right?
Correct, unless you can set up a PHP file to grab cookie info and use mailto.
lol congrats on rediscovering simple session jacking! too bad no one uses Facebook over HTTP anymore.. ohh the days gone by of easy LAN sniffing and password/cookie extraction from unencrypted traffic! If anyone *DOES* still use HTTP you should immediately set your FB account to only use secure connections. Also, using Firefox plugins like HTTPS Everywhere makes things like this 100% obsolete. Good to know your history though! Thanks for taking the time to make the video!
Oh... you don't know how to session jack over HTTPS? Lol, hey man, you can join our forum and learn how, I'm always happy to help those new to this world :)
If you post a video actually hijacking an encrypted session I will join any forum you want lol.. maybe I missed the 's' at the end of http in your video though haha
Well, I am not your genie, but I'll grant you a wish.
http://fscked.org/blog/fully-automated-active-https-cookie-hijacking/
There are many newer methods; this one is a few years old but still works. Don't be so ignorant next time.
Sorry for my ignorance, I didn't realize that Facebook was still vulnerable to that. I was pretty sure they don't allow cleartext cookies sent during HTTPS sessions anymore. As far as I can tell the attack you link to only affects sites that are misconfigured to allow cookies to be sent without encryption over the wire. As far as I know the major sites, i.e. Gmail, Facebook, Twitter, are not vulnerable to this type of attack anymore. I could always be ignorant and wrong about that though... I have seen companies leave simple misconfigurations like that alone for a long time.. not sure about 4 years but hey, who knows... again, I'd be excited to see a PoC demo against Facebook or Gmail.. is that something you'd be interested in providing?
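The misconfiguration this reply describes (a session cookie the browser will also send over plain HTTP because it lacks the Secure attribute, and a site that never tells the browser to stay on HTTPS) can be checked from a site's own response headers. The following audit script is an added example written for this page, not code from the video or from any commenter; the header sets it inspects are constructed samples, and the "session-like" name hints are an assumption.

```python
"""Audit one HTTPS response's headers for the cookie/transport misconfiguration
discussed above: a cookie without Secure is sent in cleartext on any http://
request to the same host, and without HSTS the browser will still make such
requests."""

# Assumption: cookie names containing these fragments are treated as session cookies.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # flags like Secure get ""
    return name.strip(), value, attrs


def looks_like_session(name):
    return any(hint in name.lower() for hint in SESSION_HINTS)


def audit_headers(headers):
    """headers: list of (name, value) pairs. Returns finding strings ([] = clean)."""
    findings = []
    has_hsts = False
    for hname, hval in headers:
        key = hname.lower()
        if key == "strict-transport-security":
            has_hsts = True
        elif key == "set-cookie":
            cname, _, attrs = parse_set_cookie(hval)
            if "secure" not in attrs:
                findings.append(f"{cname}: no Secure attribute, sent over plain HTTP too")
            if looks_like_session(cname) and "httponly" not in attrs:
                findings.append(f"{cname}: session cookie readable by script (no HttpOnly)")
    if not has_hsts:
        findings.append("no Strict-Transport-Security: browser will still follow http:// links")
    return findings


# Constructed sample header sets (not captured from any real site).
WEAK = [("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "lang=en; Path=/")]
HARDENED = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
            ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
            ("Set-Cookie", "lang=en; Path=/; Secure")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or ["ok"])
```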
Ha, not here. The attack I just showed I did 5 minutes ago on Facebook, and for Twitter they still work. I don't think they will ever change it because most people wouldn't understand why their cookies (keep me logged in etc.) weren't working. I don't have the HTTPS-only browsing checked as I browse multiple websites and wouldn't be able to access some.
hmm interesting.. I just attempted the same thing and over HTTPS no cookie data or cleartext is readable whatsoever. Wireshark shows only TLS packets heading for Facebook and that's all encrypted and unreadable. Again, maybe I'm missing something.. a few years back I wrote a tool using sslstrip that force redirected any HTTPS requests to HTTP and sniffed the session data. It was great until they started offering end to end encryption... that breaks the ability to expose any data over the local wire. It still works over HTTP though, similar to what you've shown. For HTTPS attacks, using tools such as sslsniff it is possible to use forged certs or maybe obtain real ones if you're super crafty and don't mind risking your freedom trying to extract them from the CAs. It can also generate its own certs on the fly (if you don't mind users receiving a warning, but hey, they click yes anyway so maybe it's nitpicking), it supports NULL Prefix and OCSP attacks, and is one of the only reliable ways that I am aware of to defeat SSL/TLS. It does require more than just running the tool though.. I also do recall a new tool a few months ago that's able to compromise an SSL/TLS connection but it still had issues. I'm still interested to find out how you're extracting session data over a forced HTTPS session. While Facebook does default to non-secured browsing, many users are using the HTTPS settings or browser tools that do the same like HTTPS Everywhere and ForceTLS. If you've got something to get past that, that'd be a nugget of gold! just my .02 cents...
On your own router/modem? Did you set up specific firewall settings? Your own firewall/browser settings? ;) If you leave stuff stock/generic, most browsers (including IE and FF) will just redirect to HTTP. Now if you're using Chrome it might not, since Chrome is not as dull "minded" as FF and IE. There are a lot of variables that go into successful attacks, which is why testers typically don't run into similar situations. I assume you're certified, or on the way to becoming, so I'm sure you know that.
As I'm also sure you're aware of, you can two-way ARP spoof and use an SSL stripper (such as Moxie's) to do the same.
Yes, I tested it in a local environment... wouldn't want to be unlawfully capturing data in a non-scoped engagement of course ;) While you are correct that browsers will go for the HTTP request unless otherwise instructed or redirected to an HTTPS connection, there are many ways for users to ensure their session is being carried out over a secure socket. In the case of Facebook, as you may know there is a specific security setting that allows users to always browse over HTTPS. This was offered as a direct result of attacks like you have demonstrated in the nicely done video above. There are other tools which have automated this in the past though, like Firesheep, Hamster & Ferret, etc. I'm sure you've heard of them or probably even used them at some point. They are essentially just snagging live sessions off the wire but doing it transparently without the packet capturing and copy pasting to a cookie manager. Any user who wishes to avoid this attack can simply use Facebook's HTTPS-only setting or they can use tools available for all modern browsers that redirect to HTTPS when available (my favorite being HTTPS Everywhere for Firefox).. If you try to get in the middle of that by using Moxie's sslstrip you will probably just cause an endless redirect loop, which I suppose is a very nice DoS method. Although messing around with arpspoof too much will do the same thing after quietly corrupting your router's ARP tables... lots of hours of testing lost there!
Anyway, I'm not trying to be a dick or anything, I just thought the comment about being the first to expose this type of vulnerability was kinda funny. You did a good job on making the video though so I'm trying not to troll too hard...
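Both sides of this exchange agree the cookie grab rides on two-way ARP spoofing of the gateway. From the defender's side, the simplest network-level tell is an IP address (above all the gateway's) whose advertised MAC changes, or one MAC answering for several IPs. The detector below is an added example written for this page, not a tool from the video or from any commenter; the ARP reply records it processes are constructed, using the 192.0.2.0/24 documentation range.

```python
"""Flag ARP cache poisoning from a stream of observed ARP replies, the kind
of two-way spoof the thread describes: the gateway IP suddenly mapping to a
new MAC, and that same MAC also answering for a client IP."""
from collections import defaultdict

# Constructed ARP reply records: (timestamp, sender_ip, sender_mac). Not captured
# from any real network.
GATEWAY_IP = "192.0.2.1"
SAMPLE_REPLIES = [
    (1.0, "192.0.2.1", "aa:aa:aa:aa:aa:01"),    # real gateway
    (1.5, "192.0.2.20", "aa:aa:aa:aa:aa:20"),   # a client on the LAN
    (2.0, "192.0.2.1", "aa:aa:aa:aa:aa:01"),    # normal refresh, same MAC
    (3.0, "192.0.2.1", "de:ad:be:ef:00:99"),    # gateway now claimed by a new MAC
    (3.2, "192.0.2.20", "de:ad:be:ef:00:99"),   # same MAC claims the client too
]


def detect_arp_poisoning(replies, gateway_ip):
    """Return a list of (timestamp, severity, message) alerts.

    Two rules: an IP whose sender MAC differs from the first MAC seen for it
    (HIGH when it is the gateway, else MEDIUM), and a MAC that starts
    answering for a second IP (HIGH), reported once per new IP."""
    alerts = []
    first_mac = {}                  # ip -> first MAC observed for that ip
    ips_by_mac = defaultdict(set)   # mac -> every ip it has answered for
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = first_mac.setdefault(ip, mac)
        if known != mac:
            sev = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((ts, sev, f"{ip} changed MAC {known} -> {mac}"))
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                claimed = ", ".join(sorted(ips_by_mac[mac]))
                alerts.append((ts, "HIGH", f"{mac} answers for several IPs: {claimed}"))
    return alerts


if __name__ == "__main__":
    for ts, sev, msg in detect_arp_poisoning(SAMPLE_REPLIES, GATEWAY_IP):
        print(f"t={ts:<5} {sev:<6} {msg}")
```

A static ARP entry for the gateway on managed hosts, or dynamic ARP inspection on the switch, removes the condition this detector reports on rather than just observing it.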
Yeah no, it's all good. When users try that I move to my strongest skill and use SE. Not a shitty cloning app either, modified custom pages with PHP header-redir-links etc. That way the user can ill submit their info into my DB.
nice