Methods for stealing cookies. Experiment: how to steal personal data using free Wi-Fi. How to intercept a Wi-Fi session

Many users do not realize that the username and password they type when registering or logging in to a restricted Internet resource and pressing ENTER can easily be intercepted: very often this data is transmitted over the network unprotected. So if the site you are logging into uses plain HTTP, it is very easy to capture the traffic, analyze it with Wireshark, and then use filters and additional tools to find the password and, if it is hashed, recover it.

The best place to intercept passwords is the core of the network, where all users' traffic to internal resources (for example, mail) passes, or just in front of the Internet router, for registrations on external resources. We set up a mirror port and are ready to feel like a hacker.

Step 1. Install and launch Wireshark to capture traffic

Sometimes, to do this, it is enough to select only the interface through which we plan to capture traffic and click the Start button. In our case, we are capturing over a wireless network.

Traffic capture has begun.

Step 2. Filtering captured POST traffic

We open the browser and try to log in to some resource with a username and password. Once authorization is complete and the site has opened, we stop the capture in Wireshark. Next we look at the protocol analyzer and see a large number of packets. This is where most IT professionals give up because they don't know what to do next. But we do: we are interested in the specific packets containing the POST data that our local machine generates when we fill out a form and click the “Login” or “Authorization” button in the browser, and sends to the remote server.

We enter a special display filter in the captured-packets window: http.request.method == "POST"

And instead of thousands of packets we see only the one with the data we are looking for.

Step 3. Find the user's login and password

Right-click it and select Follow TCP Stream from the menu.


A new window then shows the reconstructed stream as text. Look for the “password” and “user” fields, which hold the password and username. In some cases both fields will be readable as-is and not even encrypted, but when capturing logins to well-known services such as Mail.ru, Facebook, VKontakte and so on, the password will not be in plain text; it will be hashed:

HTTP/1.1 302 Found
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: password= ; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Location: loggedin.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Thus, in our case:

Username: networkguru

Password:

Step 4. Determine the hash type in order to recover the password

For example, go to the website http://www.onlinehashcrack.com/hash-identification.php#res and enter our password in the identification window. I was given a list of encoding protocols in order of priority:

Step 5. Recovering the user's password

At this stage we can use the hashcat utility:

~# hashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt

The output gives us the recovered password: simplepassword

So with Wireshark we can not only troubleshoot applications and services but also try ourselves as a hacker, intercepting the passwords users enter in web forms. Mailbox passwords can also be found with simple display filters:

  • The POP protocol and filter looks like this: pop.request.command == "USER" || pop.request.command == "PASS"
  • The IMAP protocol and filter will be: imap.request contains "login"
  • The protocol is SMTP and you will need to enter the following filter: smtp.req.command == "AUTH"

plus more serious utilities for cracking whatever hashing or encoding is in use.
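The three display filters above locate cleartext mail logins in a capture. The same logic, written as an added defender's audit (this code is mine, not the article's), reports which clients on the network still authenticate to POP3, IMAP or SMTP without TLS so they can be moved to encrypted ports or STARTTLS, and masks the usernames so the report is not itself a credential store. The sample payload lines, hosts and users are constructed.

```python
"""Find clients that log in to mail servers in the clear (added defender's example)."""
import base64
import binascii
import re
from dataclasses import dataclass

# Constructed sample: (client IP, server port, first line of a TCP payload) as a
# sniffer at the network core would see it. Hosts and credentials are made up.
SAMPLE_PAYLOADS = [
    ("10.0.0.12", 110, "USER alice"),
    ("10.0.0.12", 110, "PASS hunter2"),
    ("10.0.0.15", 143, "a001 LOGIN bob@example.test secretpw"),
    ("10.0.0.17", 25,  "AUTH PLAIN AGNhcm9sAHBhc3M="),   # base64("\0carol\0pass")
    ("10.0.0.19", 143, "a002 CAPABILITY"),               # no credential: ignored
]

# Same conditions as the Wireshark filters: pop.request.command == "USER",
# imap.request contains "login", smtp.req.command == "AUTH".
POP3_USER = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)
IMAP_LOGIN = re.compile(r"^\S+\s+LOGIN\s+(\S+)", re.IGNORECASE)
SMTP_AUTH_PLAIN = re.compile(r"^AUTH\s+PLAIN\s+(\S+)", re.IGNORECASE)


@dataclass
class Finding:
    client: str
    protocol: str
    username_masked: str


def mask(user: str) -> str:
    """Keep the first two characters so the report identifies the account
    without storing it in full."""
    return user[:2] + "*" * max(len(user) - 2, 0)


def username_from_auth_plain(b64: str) -> str:
    """SASL PLAIN is base64("authzid\\0authcid\\0password"); authcid is the user."""
    try:
        parts = base64.b64decode(b64, validate=True).split(b"\0")
    except (binascii.Error, ValueError):
        return "?"
    return parts[1].decode(errors="replace") if len(parts) >= 3 else "?"


def find_cleartext_logins(payloads):
    """Return one Finding per cleartext login attempt. Passwords (the PASS line,
    the IMAP LOGIN second argument, the SASL blob) are deliberately discarded."""
    findings = []
    for client, port, line in payloads:
        line = line.strip()
        if port == 110 and (m := POP3_USER.match(line)):
            findings.append(Finding(client, "POP3", mask(m.group(1))))
        elif port == 143 and (m := IMAP_LOGIN.match(line)):
            findings.append(Finding(client, "IMAP", mask(m.group(1))))
        elif port in (25, 587) and (m := SMTP_AUTH_PLAIN.match(line)):
            user = username_from_auth_plain(m.group(1))
            findings.append(Finding(client, "SMTP", mask(user)))
    return findings


if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_PAYLOADS):
        print(f"{f.client} logs in over cleartext {f.protocol} as {f.username_masked}")
```

Clients that show up here should be switched to POP3S/IMAPS (995/993) or to STARTTLS on 143/587; once the AUTH or LOGIN line travels inside TLS it is no longer visible to a sniffer and the audit goes quiet.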

Step 6: What if the traffic is encrypted and uses HTTPS?

There are several options to answer this question.

Option 1. Be in position when the connection between the user and the server is re-established and capture the traffic from the moment it is set up (the SSL handshake), when the session key is negotiated. Keep in mind the limitation stated below: Wireshark can only recover the session from a handshake when the key exchange is plain RSA and the server's private key is also available.

Option 2. You can decrypt HTTPS traffic using the session key log file written by Firefox or Chrome. For this, the browser must be configured to write its TLS keys to a log file (Firefox-based example) and you must obtain that file. In effect, you need to steal the session key file from another user's hard drive (which is illegal). Then capture the traffic and use the keys to decrypt it.

Clarification: this concerns the browser of the person whose password is being stolen. If we are decrypting our own HTTPS traffic in order to practise, the approach works. If you are trying to decrypt other users' HTTPS traffic without access to their computers, it will not: that is exactly what encryption and privacy are for.

After obtaining the keys by option 1 or 2, you need to register them in Wireshark:

  1. Go to Edit - Preferences - Protocols - SSL.
  2. Set the flag “Reassemble SSL records spanning multiple TCP segments”.
  3. Find “RSA keys list” and click Edit.
  4. Fill in all the fields and enter the path to the key file.

Wireshark can decrypt sessions whose key exchange uses plain RSA. If an ephemeral key exchange is used (DHE/ECDHE, i.e. forward secrecy, including the ECC-based variants), the server's key does not help and the sniffer alone will not get us anywhere.
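The RSA-only limitation above is worth checking on your own servers. As an added example (mine, not the article's), the following classifies cipher suites by key exchange so you can see which sessions a recorded capture plus the server's private key would decrypt later, and builds a Python ssl context restricted to forward-secret suites. The advertised suite list is constructed; the name rules cover both IANA (TLS_RSA_WITH_...) and OpenSSL (AES256-SHA) spellings.

```python
"""Which TLS sessions would the server's private key decrypt? (added example)"""
import ssl

SERVER_OFFERS = [  # constructed: what a misconfigured server might advertise
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_256_GCM_SHA384",
]


def key_exchange_class(suite):
    """Classify a cipher suite name by how the session key is agreed.

    'static-rsa' : the client encrypts the premaster secret to the server's RSA
                   key, so whoever holds that key (Wireshark "RSA keys list")
                   can decrypt a recorded session at any later time.
    'ephemeral'  : (EC)DHE, forward secrecy; the server key decrypts nothing.
    'anonymous'  : no server authentication at all.
    'other'      : PSK, SRP, static ECDH, export suites and the like.
    """
    s = suite.upper()
    if s.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return "ephemeral"          # TLS 1.3 suites: (EC)DHE is mandatory
    if "ADH" in s or "AECDH" in s or "_ANON_" in s:
        return "anonymous"
    if "DHE" in s or "EDH" in s:    # ECDHE-..., DHE-..., TLS_ECDHE_..., EDH-...
        return "ephemeral"
    if s.startswith("TLS_RSA_WITH_") or s.startswith(("AES", "CAMELLIA", "DES-CBC3", "RC4")):
        return "static-rsa"         # OpenSSL names with no kx prefix mean RSA kx
    return "other"


def decryptable_with_server_key(suites):
    """The subset of `suites` that a stolen or subpoenaed server key exposes."""
    return [s for s in suites if key_exchange_class(s) == "static-rsa"]


def forward_secrecy_context():
    """A server-side context that only negotiates forward-secret suites.
    OpenSSL keeps the TLS 1.3 suites enabled regardless; they are ephemeral too."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


if __name__ == "__main__":
    for suite in SERVER_OFFERS:
        print(f"{suite:45} {key_exchange_class(suite)}")
    enabled = [c["name"] for c in forward_secrecy_context().get_ciphers()]
    print("static RSA suites left after hardening:", decryptable_with_server_key(enabled))
```

A server that only offers suites classed as ephemeral has nothing for the "RSA keys list" dialog to work with; the per-session key log from option 2 remains the one way to decrypt its traffic, which is why that file is worth protecting.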

Option 3. Gain access to the web server that the user is using and obtain the key. But this is an even more difficult task. In corporate networks, for the purpose of debugging applications or content filtering, this option is implemented on a legal basis, but not for the purpose of intercepting user passwords.

BONUS

VIDEO: Wireshark Packet Sniffing Usernames, Passwords, and Web Pages

Internet users are so careless that losing confidential data is child's play. The publication 42.tut ran an experiment to show how many “holes” there are in public Wi-Fi networks. The conclusion is disappointing: anyone, without special skills or knowledge, can compile a complete dossier on a person using nothing but an open wireless network.

We installed several applications for the experiment. They differ in functionality, but their essence is the same - to collect everything that passes through the network to which the device is connected. None of the programs position themselves as “pirated”, “hacker” or illegal - they can be downloaded online without any problems. The experiment was conducted in a shopping center with free Wi-Fi.

Interception

We connect to the Wi-Fi: there is no password, and the network name contains the word “free”. We start scanning, and one of the programs immediately finds 15 devices on the network. For each you can see the IP address and MAC address, and for some the device manufacturer: Sony, Samsung, Apple, LG, HTC...

We find the “victim” laptop among the devices. We connect to it - data that passes through the network begins to appear on the screen. All information is structured by time; there is even a built-in viewer of intercepted data.

User identification

We keep watching. An online game has clearly started on our partner's laptop: game commands are constantly being sent to the network and information about the battlefield situation is coming back. You can see opponents' nicknames, their levels and much more.

A message from VKontakte arrives. In the detailed view of one of the messages we find that the user ID is visible in each of them. Paste it into the browser and the account of the person who received the message opens.

At this time, the “victim” is writing a response to the message, and clearly has no idea that we are staring at the photos on his account. One of the social network applications gives a signal - we can listen to this sound in the player.

Passwords and messages

Photos and sounds are not all that can be “transferred” to the available Wi-Fi. For example, one of the programs has a separate tab to track correspondence on social networks and instant messengers. Messages are decrypted and sorted by time of sending.

Showing someone else's correspondence is beyond good and evil. But it works. As an illustration, here is part of the dialogue of the author of the text, caught by the tracking computer from the “victim” device.

Another program separately “stores” all cookies and user information, including passwords. Fortunately, in encrypted form, but it immediately offers to install a utility that will decrypt them.

Conclusions

Almost any information can be lost over Wi-Fi. Many public networks provide no protection at all, sometimes not even a password. This means anyone can intercept the traffic of colleagues, friends or strangers.

The most reliable way out of this situation is one: do not transmit any important information through public networks. For example, do not send phone numbers and passwords in messages and do not pay with a payment card outside the home. The risk of losing personal data is extremely high.

Hello friends.

As promised, I continue about the Intercepter-ng program.

Today there will be a review in practice.

Warning: do not change settings or click around mindlessly. At best it simply won't work or your Wi-Fi will drop. In my case the router's settings were reset once, so don't assume everything is harmless.

And even with the same settings as mine, it doesn’t mean that everything will work smoothly. In any case, for serious cases you will have to study the operation of all protocols and modes.

Shall we get started?

Interception of cookies and passwords.

Let's start with the classic interception of passwords and cookies, in principle the process is the same as in the article intercepting passwords over Wi-Fi and intercepting cookies over Wi-Fi, but I will rewrite it again, with clarifications.

By the way, antivirus software often flags such tools and blocks data interception over Wi-Fi.

If the victim is on an Android or iOS device, you can only count on what they enter in the browser (passwords, websites, cookies); if the victim uses a VK client app, problems arise: the apps simply stop working. The latest version of Intercepter-NG addresses this by replacing the certificate on the victim's side. More on this later.

First, decide what you need to get from the victim? Maybe you need passwords for social networks, or maybe just for websites. Maybe the cookies are enough for you to log in as the victim and do something right away, or you need passwords for future saving. Do you need to further analyze the images viewed by the victim and some pages, or do you not need this rubbish? Do you know that the victim has already entered the site (already authorized upon transition) or will he just enter his data?

If you don't need images from the visited resources, parts of media files, or copies of some pages saved as HTML, disable this under Settings - Resurrection. This slightly reduces the load on the router.

What can be enabled in Settings: if you are connected via an Ethernet cable, enable Spoof IP/MAC. Also enable Cookie killer (it resets cookies so that the victim is logged out of the site). Cookie killer relies on the SSL strip attack, so don't forget to enable that as well.

It is also better to enable Promiscuous mode, which improves interception, but not all modules support it... Extreme mode can be left off. With it, more ports are sometimes intercepted, but there is also extra noise and load...

First, select from the top the interface through which you are connected to the Internet and the connection type: Wi-fi or Ethernet if connected via a cable to the router.

In Scan Mode, right-click on an empty area and choose Smart scan. All devices on the network are scanned; all that remains is to add the desired victims with Add to NAT.

Alternatively, set any single IP, go to Settings - Expert mode and tick Auto ARP poison; the program will then add everyone who is connected or connects to the network.

All we have to do is switch to Nat mode.

Click configure mitms , here we will need SSL mitm and SSL strip.

SSL mitm allows you to intercept data, although many browsers also respond to it by warning the victim.

SSL Strip allows the victim to switch from the Https secure protocol to HTTP, as well as for the cookie killer to work.

We don’t need anything else, click start arp poison (radiation icon) and wait for the victim’s activity.

In Password mode, right-click and choose Show cookies. You can then right-click a cookie and open its full URL.

By the way, if the victim is on social networks, there is a chance that his active correspondence will appear in Messengers mode.
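From the defender's side, the ARP poisoning that NAT mode relies on is noisy on the wire: every host is told that the gateway's IP address now belongs to a different MAC, and the poisoning host ends up answering for several addresses at once. As an added example, not from this post, here is a small detector over ARP replies (a constructed event list; the gateway address is an assumption) that flags exactly that.

```python
"""ARP spoofing detector (added defender's example, not part of the post)."""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumed gateway address of the constructed LAN

# Constructed ARP reply events: (seconds, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),   # the real gateway
    (0.5, "192.168.1.20", "aa:bb:cc:00:00:20"),   # a client
    (1.0, "192.168.1.33", "de:ad:be:ef:00:33"),   # another host
    (2.0, "192.168.1.1",  "de:ad:be:ef:00:33"),   # .33 now claims the gateway IP
    (2.1, "192.168.1.20", "de:ad:be:ef:00:33"),   # ... and the client's IP too
]


def detect_arp_spoofing(events, gateway_ip=GATEWAY_IP):
    """Return (time, severity, message) alerts for two symptoms of ARP poisoning:
    an IP address changing its MAC (HIGH when it is the gateway) and one MAC
    answering for more than one IP address."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac in events:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((t, severity, f"{ip} moved from {previous} to {mac}"))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append((t, "MEDIUM", f"{mac} now answers for {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for t, severity, message in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(f"t={t:4.1f} {severity:6} {message}")
```

On a real LAN the events come from a capture filter of `arp` replies (Wireshark shows the same symptom as "duplicate use of IP detected"). The fixes are on the switch and the endpoints rather than in the detector: Dynamic ARP Inspection with DHCP snooping, a static ARP entry for the gateway on sensitive hosts, and HTTPS with HSTS so that a successful poison still yields nothing readable.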

Http inject (slip a file to the victim).

Mmm, quite a sweet option.

You can slip it to the victim so that she downloads the file. We can only hope that the victim will launch the file. For plausibility, you can analyze which sites the victim visits and slip something like an update.

For example, if the victim is on VK, name the file vk.exe. Perhaps the victim will launch it, deciding that it is useful.

Let's get started.


Bruteforce mode.

Brute force and password guessing mode.

One use is to brute-force access to the router's admin panel; some other protocols are supported too.

For brute force you need:

In the Target server, enter the router’s IP, telnet protocol, username - user name, in our case Admin.

At the bottom there is a button with a folder drawn on it, you click on it and open a list of passwords (in the folder with the program, misc/pwlist.txt there is a list of frequently used passwords, or you can use your own list).

After loading, press start (triangle) and go drink tea.

If there are matches (a password is selected), the program will stop.

You need to know the username. But if you want to access the router, try the standard one - admin.
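The router-side view of that brute-force run: as an added example, not part of the post, a sliding-window count of failed logins per source address over a constructed router log (the log line format and the threshold of five failures within a minute are assumptions).

```python
"""Flag brute-force login attempts in a router's management log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<daemon>\w+): login failed for (?P<user>\S+) from (?P<src>[\d.]+)$"
)

# Constructed sample log: one host hammering telnet, one host with two stray typos.
SAMPLE_LOG = """\
2024-05-01T10:00:00 telnetd: login failed for admin from 192.168.1.33
2024-05-01T10:00:01 telnetd: login failed for admin from 192.168.1.33
2024-05-01T10:00:01 telnetd: login failed for admin from 192.168.1.33
2024-05-01T10:00:02 telnetd: login failed for admin from 192.168.1.33
2024-05-01T10:00:02 telnetd: login failed for admin from 192.168.1.33
2024-05-01T10:00:03 telnetd: login failed for admin from 192.168.1.33
2024-05-01T10:05:00 telnetd: login failed for admin from 192.168.1.20
2024-05-01T10:30:00 telnetd: login failed for admin from 192.168.1.20
"""


def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: (first_failure_ts, count)} for every source that
    reaches `threshold` failed logins inside a sliding window of `window`."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                # other log lines are not our concern
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # drop failures that fell out of the window
        if len(q) >= threshold and src not in offenders:
            offenders[src] = (q[0], len(q))
    return offenders


if __name__ == "__main__":
    for src, (first, count) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {count} failed logins since {first.isoformat()}")
```

The detector only confirms what the post makes obvious: a management interface reachable over telnet with a default username and a dictionary password is a matter of minutes. Disabling telnet in favour of SSH or HTTPS on the LAN side, changing the default credentials and adding a lockout after a few failures removes the target rather than just logging the attempt.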

How to run the brute force.

Traffic changer (traffic substitution).

The function is more of a joke. You can change it so that the victim, when entering one site, goes to another that you enter.

In traffic mode, enter the request on the left, the result on the right, but with the same number of letters and symbols, otherwise it won’t work.

Example - on the left we will enter the query to be changed, on the right we will change test1 to test2. (check the box for Disable HTTP gzip).

After entering, press ADD and then OK.

Finally, a video on how to intercept data from iOS clients, because as you know, during a Mitm attack, their applications simply stop working.

I will soon make a video about what was written in the article.

That was data interception via Wi-Fi.

That's basically it. If you have anything to add, write, if you have something to correct, just write.

Until next time.

Have you ever wondered how some Web sites personalize their visitors? This can be expressed, for example, in remembering the contents of the “cart” (if this node is intended for selling goods) or in the way of filling out the fields of some form. The HTTP protocol that underlies the functioning of the World Wide Web does not have the means to track events from one visit to a site to another, so a special add-on was developed to be able to store such “states”. This mechanism, described in RFC 2109, inserts special pieces of cookie data into HTTP requests and responses that allow Web sites to track their visitors.

Cookie data may be stored for the duration of the communication session (per-session cookies), remaining in RAM for one session and being deleted when the browser is closed or after a specified period; or it may be permanent (persistent), remaining on the user's hard drive as a text file. These are usually stored in the Cookies directory (%windir%\Cookies on Win9x and %userprofile%\Cookies on NT/2000). It is not hard to guess that after capturing cookies on the network an attacker can impersonate the user of that computer or collect the important information they contain. After reading the following sections you will understand how easy this is.

Cookie interception

The most direct method is to intercept cookies as they are transmitted over the network. The intercepted data can then be used when logging into the corresponding server. Any packet-capture utility will do, but one of the best is Laurentiu Nicula's SpyNet/PeepNet. SpyNet comprises two utilities that work together: CaptureNet captures the packets and stores them on disk, and PeepNet opens the file and converts it into a human-readable form. The following example is a fragment of a session reconstructed by PeepNet in which the cookie authenticates the user and controls access to the pages viewed (names have been changed to preserve anonymity).

GET http://www.victim.net/images/logo.gif HTTP/1.0
Accept: */*
Referrer: http://www.victim.net/
Host: www.victim.net
Cookie: jrunsessionid=96114024278141622; cuid=TORPM!ZXTFRLRlpWTVFISEblahblah

The example above shows a cookie fragment placed in an HTTP request sent to the server. The most important field is cuid=, a unique identifier used to authenticate the user on www.victim.net. Suppose the attacker then visits victim.net and receives his own identifier and cookie (assuming the site does not keep the cookie in memory only but writes it to disk). The attacker can open his own cookie and replace the cuid= value with the one from the captured packet. When he logs into victim.net, he will then be treated as the user whose cookie was intercepted.

PeepNet's ability to replay an entire communication session or a fragment of it greatly simplifies attacks of this kind. With the Go get it! button you can re-fetch the pages a user viewed using the cookie data previously captured by CaptureNet. In the PeepNet dialog box you can see information about someone's completed orders; the cookie data captured by CaptureNet was used for authentication. Note the frame in the lower right corner of the session-data dialog box and the line following Cookie:. That is the cookie data used for authentication.

It's a pretty neat trick. In addition, CaptureNet can produce a complete decoded record of traffic, almost equivalent to professional-grade tools such as Sniffer Pro from Network Associates, Inc. SpyNet is even better in one respect: it is free.

Countermeasures

You should be wary of sites that use cookies for authentication and for storing sensitive identification information. One tool that can help is Kookaburra Software's Cookie Pal, available at http://www.kburra.com/cpal.html. It can be configured to warn the user whenever a Web site attempts to use cookies, so you can “look behind the scenes” and decide whether to allow it. Internet Explorer has built-in cookie control: open the Internet Options applet in Control Panel, go to the Security tab, select the Internet zone, choose Custom Level, and for both persistent and per-session cookies set the option to Prompt. In Netscape, cookies are configured via Edit › Preferences › Advanced by setting Warn me before accepting a cookie or Disable cookies (Fig. 16.3). When you accept a cookie, check whether it is written to disk and whether the Web site is collecting information about users.

When visiting a site that uses cookies for authentication, make sure the username and password you initially provide are at least SSL-encrypted. Then that information will at least not appear in plain text in the PeepNet window.

The authors would prefer to avoid cookies entirely, but many frequently visited Web sites require them. For example, Microsoft's hugely popular Hotmail service requires cookies for registration. Because this service uses several different servers during authentication, adding them to the Trusted Sites zone is not that easy (the process is described in the section “Using Security Zones Wisely: A Common Solution to the ActiveX Control Problem”); the designation *.hotmail.com helps here. Cookies are not a perfect solution to HTTP's lack of state, but the alternatives appear to be even worse (for example, adding an identifier to the URL, which can end up stored on proxy servers). Until a better idea comes along, your only option is to control your cookies using the methods listed above.
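The Set-Cookie: password= line in Step 3, the SSL strip / cookie killer steps in the Intercepter-NG section and the countermeasures just described all come down to a handful of response headers. As an added example (not from the article, the post or the book), this audits a raw HTTP response for a cookie that carries a credential, cookies missing Secure/HttpOnly/SameSite (a cookie without Secure is sent over plain HTTP and can be replayed the way the cuid= value above is), persistent credential cookies, and a missing Strict-Transport-Security header, which is what stops an SSL-strip downgrade. The responses are constructed and the hash value is a placeholder; the hardened response shows the same exchange with the issues fixed.

```python
"""Audit HTTP response headers for cookie and transport weaknesses (added example)."""

CREDENTIAL_HINTS = ("pass", "pwd", "secret", "token")   # cookie names that smell like credentials

# Constructed: modelled on the article's login response; the hash is a placeholder.
SAMPLE_RESPONSE = """\
HTTP/1.1 302 Found
Server: Apache/2.2.15 (CentOS)
Set-Cookie: password=PLACEHOLDER_HASH; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Set-Cookie: jrunsessionid=96114024278141622; Path=/; Secure; HttpOnly; SameSite=Lax
Location: loggedin.php
Content-Length: 0
"""

# Constructed: the same login with the weaknesses removed.
HARDENED_RESPONSE = """\
HTTP/1.1 302 Found
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: jrunsessionid=96114024278141622; Path=/; Secure; HttpOnly; SameSite=Lax
Location: https://www.example.test/loggedin.php
Content-Length: 0
"""


def parse_headers(raw):
    """Return (status_line, [(lowercase name, value), ...]) from a response head."""
    lines = raw.splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break                      # end of the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_cookie(set_cookie_value):
    """Return (cookie name, [issue codes]) for one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    issues = []
    if any(hint in name.lower() for hint in CREDENTIAL_HINTS):
        issues.append("credential-in-cookie")   # a hash in a cookie is still a credential
    if "secure" not in attrs:
        issues.append("missing-secure")         # will be sent over plain HTTP
    if "httponly" not in attrs:
        issues.append("missing-httponly")       # readable by injected script
    if "samesite" not in attrs:
        issues.append("missing-samesite")       # attached to cross-site requests
    if "expires" in attrs or "max-age" in attrs:
        issues.append("persistent")             # survives on disk, as the book describes
    return name, issues


def audit_response(raw):
    """Return {"cookies": {name: [issues]}, "response": [issues]}."""
    _, headers = parse_headers(raw)
    report = {"cookies": {}, "response": []}
    for name, value in headers:
        if name == "set-cookie":
            cookie_name, issues = audit_cookie(value)
            report["cookies"][cookie_name] = issues
    if not any(name == "strict-transport-security" for name, _ in headers):
        report["response"].append("hsts-missing")
    return report


if __name__ == "__main__":
    for label, raw in (("weak", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw))
```

The "persistent" finding only matters for the credential cookie: a session identifier that lives in memory and carries Secure, HttpOnly and SameSite is what the book's Cookie Pal and browser-prompt advice is really steering towards, and HSTS makes the cookie killer's HTTP downgrade fail in any browser that has seen the header before.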

Capture cookies via URL

Let's imagine something terrible: Internet Explorer users click on specially crafted hyperlinks and become potential victims, risking having their cookies intercepted. Bennett Haselton and Jamie McCarthy of Peacefire, a youth organization that advocates for freedom of communication on the Internet, published a script that brings this idea to life. The script retrieves cookies from the client computer when its user clicks a link on the page, so the cookie's contents become available to the Web site's operators.

This feature can be exploited for nefarious purposes by embedding IFRAME tags in the HTML of a Web page, an HTML email, or a newsgroup post. The following example, provided by security consultant Richard M. Smith, demonstrates the use of IFRAME tags with a utility developed by Peacefire.