Thursday, February 25, 2010

More on cookies(sidejacking) and browsers

I spoke about sidejacking in recent posts and the advantage a hacker can gain with a users cookie. Cookies are used to authenticate users to a domain and cookies are stored locally somewhere on your computer. I wrote perl sniffers that can sniff the relevant cookies to pull of a sidejacking attack but its so much easier to just copy them to a thumb drive when you have physical access to the victims machine.

In IE, cookies are stored as simple text files that can be open with notepad or wordpad for easy viewing. The location of the stored cookies from IE is in "c:\documents and settings\user_name\cookies". Each text file represents a stored cookie. You cant just copy them onto your machine and hope to gain access to your victims account. There is an index.dat file that seems to be a very important file thats constantly in use and cant be opened while the operating system is running (this file contains the list of legit cookies that should be loaded in IE). However if you were to obtain those cookies, open them up in an editor and input them into your browser using a cookie editor, then you are just clicks away from pulling off a sidejacking attack.

In firefox, the cookies are not stored as individual text files, but rather in a database file called "cookies.sqlite". This file is located at "c:\documents and settings\user_name\application data\mozilla\firefox\profiles\xxxx.default". As it is a database file you will need a sqlite databse editor in order to read its contents. I use this free sqlite manager called SQLite Database Browser 2.0. For security reasons you wont be able to read this database file on its own. There is a "permissions.sqlite" file that also needs to be copied to the same directory as cookies.sqlite as well. So the cookies.sqlite and permissions.sqlite files are both needed in order to read the contents of the cookies.sqlite folder. Just copy both to the same folder together then you should be able to open them up in the sqlite browser program and read the cookie information.

Now we know where the cookies are stored, what can we do from here?
Well, if you have physical access to a users machine you can sneakily copy those cookie files to your thumb drives and process them when you get home to your attacking machine. Whats even more clever is to create an auto-run script that automates this process. So you would have a malicious usb thumb drive and when you plug it up to a victims machine, it copies the necessary cookies from the victims machine to the thumb drive in a few seconds (say 5 seconds). The attacker can takes those cookies home and munch on them as he grins in amazement as he reads his victims eamils without even logging in with the relevant user name and password.

No comments:

Post a Comment