
Forced HTTP session break with MiTM

As a rule, when intercepting traffic by means of MiTM, there are two different ways to get access to a web resource that the victim uses. The most preferable is to intercept the moment of authorization and obtain the login and password in clear text, which gives access to that resource at any time.

The second, less preferable option is to intercept the cookies of an already active session. We do not get the login and password, but we can substitute these same cookies into our own browser and get access to the resource for as long as the session lasts.

The disadvantages of the second method are obvious, and rather simple steps can be taken to eliminate them. Since the attacker has full control over the victim’s traffic, he can forcibly expire the victim’s cookies, which sends the victim to the authorization page and allows the login/password to be intercepted in the clear.

The logic of operation is as follows. After the attack starts, the cookies transmitted from the client to the server and back are monitored.
Cookies sent by the server are added to a whitelist. When a cookie arrives from the client that is not on the whitelist, an HTTP response is sent in which every transmitted cookie is reset like this:

Set-Cookie: %cookiename%=; path=/; domain=%domain%; Expires=Thu, 01-Jan-2000 00:00:01 GMT

In the successful case (different resources and browsers handle cookies differently), the victim is redirected to the authorization page. The dropped cookies are whitelisted and from then on quietly passed through, i.e. after the victim logs back into the resource, no further breaks occur.
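The reset pattern above is easy to recognise on the wire, which is useful on the defending side: a single plaintext response that sets several cookies to an empty value with an expiry in the past, covering exactly the cookies the client had just sent, is the signature of this technique. The following Python is an added example written for this page, not code from Intercepter-NG or from the original post. It parses a raw HTTP/1.x response, lists the cookies it forcibly expires, gives a verdict against the set of cookie names the client sent, and separately audits which cookies a server sets without the Secure attribute, since a Secure cookie is never transmitted over plain HTTP and is therefore never seen by a MiTM on port 80 in the first place. The response bytes, host name and cookie names are constructed sample data.

```python
"""Detect the 'mass cookie reset' pattern in a plaintext HTTP response.

Added example for illustration; not part of Intercepter-NG or the post.
All sample responses below are constructed, with a made-up host name.
"""
from datetime import datetime, timezone

# Both Expires formats seen in practice: RFC 1123 and the older
# Netscape form with hyphens ("01-Jan-2000"), as used in the post.
_DATE_FORMATS = ("%a, %d %b %Y %H:%M:%S %Z", "%a, %d-%b-%Y %H:%M:%S %Z")


def parse_expires(text):
    """Parse an Expires attribute; return an aware UTC datetime or None."""
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def parse_set_cookie(header_value):
    """Split 'name=value; attr=val; flag' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_expired_at(attrs, now):
    """True if Max-Age/Expires place the cookie in the past relative to now."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        exp = parse_expires(attrs["expires"])
        return exp is not None and exp <= now
    return False


def split_response(raw):
    """Return (status line, [(lowercase header name, value), ...]) from raw bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        key, _, val = line.partition(":")   # first ':' only; values may contain ':'
        headers.append((key.strip().lower(), val.strip()))
    return lines[0], headers


def killed_cookies(raw_response, now=None):
    """Names of cookies the response clears: empty value plus a past expiry."""
    now = now or datetime.now(timezone.utc)
    killed = []
    for key, val in split_response(raw_response)[1]:
        if key == "set-cookie":
            name, value, attrs = parse_set_cookie(val)
            if value == "" and is_expired_at(attrs, now):
                killed.append(name)
    return killed


def is_cookie_killer(raw_response, sent_cookie_names, now=None):
    """True when one response expires every cookie the client sent with its request.

    Meant for traffic captured on plain HTTP; an application clearing a single
    cookie of its own (e.g. a theme preference) does not trip this check.
    """
    sent = set(sent_cookie_names)
    return bool(sent) and sent <= set(killed_cookies(raw_response, now))


def cookies_without_secure(raw_response):
    """Audit helper: cookies the server sets (non-empty) without the Secure attribute."""
    missing = []
    for key, val in split_response(raw_response)[1]:
        if key == "set-cookie":
            name, value, attrs = parse_set_cookie(val)
            if value and "secure" not in attrs:
                missing.append(name)
    return missing


# Constructed sample: the reset described in the post, applied to two cookies.
KILLER_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://example.test/login\r\n"
    b"Set-Cookie: sessionid=; path=/; domain=example.test; Expires=Thu, 01-Jan-2000 00:00:01 GMT\r\n"
    b"Set-Cookie: csrftoken=; path=/; domain=example.test; Expires=Thu, 01-Jan-2000 00:00:01 GMT\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed sample: a normal response that sets a session and clears one preference.
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: sessionid=abc123; path=/; HttpOnly\r\n"
    b"Set-Cookie: theme=; path=/; Max-Age=0\r\n\r\n"
)

if __name__ == "__main__":
    print("killer:", is_cookie_killer(KILLER_RESPONSE, {"sessionid", "csrftoken"}))
    print("benign:", is_cookie_killer(BENIGN_RESPONSE, {"sessionid", "theme"}))
    print("set without Secure:", cookies_without_secure(BENIGN_RESPONSE))
```

Run against a capture, the verdict function is applied per response with the cookie names taken from the preceding request's Cookie header; the audit function is the server-side counterpart, pointing at the cookies that would be exposed to a plaintext interceptor at all.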

The idea was borrowed from the sslstrip utility; no other references or implementations were found.

The described cookie killer appeared in Intercepter-NG 0.9.5; a demonstration of it in action is presented in the following video.


Besides the cookie killer, the new version adds DNS spoofing, an ARP Cage for isolating some hosts from others,
support for the new Wireshark format pcapng, and more. Further information is on the project website.

Source: https://habr.com/ru/post/151696/

