Sunday, August 05, 2007

SideJacking with Hamster

NOTE: you can download the program at http://www.erratasec.com/sidejacking.zip; make sure to read the instructions.

Others have done a better job blogging on my Hamster/SideJacking stuff than I could, so I'll just link to their sites: [DarkReading] [Brian Krebs] [tgdaily] [George Ou] (George has screenshots).

This isn't really "new" in theory. Man-in-the-middle on public WiFi's can do this sort of thing. Also, stealing cookies via XSS (Cross Site Scripting) can also do this for the hacker. What makes this interesting is that it's point-and-click easy with a sniffer on WiFi hotspots.

I played around with the "Wall of Sheep" yesterday at DefCon. I was owning more accounts using my tools than everyone else using Dsniff and EtterCap. I spent most of my time hunting for people using HotMail or Yahoo! Mail - I could have gotten a lot more accounts if I focused just on Gmail instead (it's like 20-to-one the ratio of DefCon attendees using Gmail vs. other online e-mail accounts).

I gave out my tools to a bunch of people personally, I'll be officially posting the tools on Monday afternoon to our website. Also, you can do this manually by using a traditional packet-sniffer and a tool like the Edit Cookies add-on for Firefox.

While copying/replaying cookies sounds easy, there are some additional tricks to it that I've found in practice. One trick is that URLs also contain unique identifiers. In order to sidejack a HotMail or Yahoo! Mail connection, you have to know which URL to use. The other is that when starting in the middle of a session, you see the "Cookie:" commands the browser sends to the server, but not the "Set-Cookie:" commands the server sent in the opposite direction. Sometimes things don't work because when I clone cookies sent with the path /aaa/bbb, I won't know that I should also send them with the path /aaa/ccc. I've found that when you gain access to a site, but the access is flaky, if you start browsing around the site, you'll eventually get the correct "Set-Cookie:" from the server, then everything will work correctly.

40 comments:

a. said...

Great Presentation. I'm wondering if you did try some kind of "responsible disclosure" process or not. Though the problems aren't really unknown, presenting them at Black Hat and practically inviting people to grab session cookies is a whole new ball game. Any replies from owners of affected applications?

ia said...

where should i go for a copy of your ferret's nice interface which is shown on presentations ? the tool itself seems to be working but i coulnt managed to find the treeview like interface , any hint is appreciated

Robert Graham said...

We didn't bother with "disclosure" because the vendor most affected (Gmail) is also the vendor that has a "fix" (go to https://mail.google.com/mail).

Unknown said...

It turns out that Gmail is NOT secured against this attack. The authentication cookie for gmail is the 'GX' cookie. It can be transmitted for any type of connection. So you can inject content elements or a meta-refresh tag for http://mail.google.com even for users that have logged in to https://mail.google.com. For more details on this vulnerability (which I discussed in my black hat handout and in my talk on Securing the Tor Network) see my bugtraq post on the topic.

I did informally talk to some Google people who told me Google was aware of this issue.. They did not specify when a fix would be released.

Unknown said...

I should also add that I was told that this vulnerability and other ssl vs non-ssl issues are one of the reasons gmail is still 'beta'. I assume they do not have the capacity to ssl encrypt everything.

Rahul said...

hey Robert, great pesentation and great exposure. i am not able to locate your tool Hamster anywhere on your site. would you pls guide me where can i get it. thanks.

mokum von Amsterdam said...

Nice tool set.
I walked my wife through the process of getting it up and running [she's a 1.000 clicks from here] and she just loves it too.
Her friends where less happy with the display of their own inboxes on someone else screen :P

Matt Steer said...

I agree with andreas, Im not too sure about this, while the attack is nothing new, these two tools have opened up the window of opportunity to a whole range of 'Script Kiddies' which in my opinion is a bad play.

On the other side of the card, this should get companys to do somthing that should have been done a long time ago... force people to use SSL when accessing information that the customer would like to keep secure.

Other opinions everyone please!

Rahul said...

hey thanks for the toolset.

Robert Graham said...

Amazon.com is vulnerable. I'm not sure if you can buy anything, but it'd should be fun to browse alternative lifestyle literature so that such things popup as suggestions. Gay literature comes to mind, but if your friend is a die hard Democrat, making sure Ann Coulter is at the top of the suggestion list would be a fun thing to do.

Glenn Fleishman said...

When's the software coming out? The blog said "Monday," and I'd like to point folks to the download.

Glenn Fleishman said...

Foolish me: I missed the new ZIP link at the top of this post; I was looking at your downloads section on the main site.

Luke Rodgers said...

Will you folks be releasing the source code, as you originally did with ferret, so that people might be able to run it on platforms other than windows?

IHateHackers said...

You should be ashamed of yourself, hacking other peoples' personal stuff. You're a rude person.

Asshat Security said...

Ok, it's time to put and end to this side-jacking nonsense once and for all. It is called session hijacking and that has been the case since the mid nineties. You can dress it up in a nice pink dress and call it Wendy all you want, it is still session hijacking.

Unknown said...

Great job Robert! I am very happy to see that all is going fine for you and Errata. Everybody talk about you. Receive all my encouragement.
Cheers.
-ben. (from Paris)

Unknown said...

Hi I finally got it working and it is Fantastic!! For everyone start Ferret first and wait for it so show activity in the command window, it will create the hamster.txt file on it's own THEN start Hamster after Ferret finds something. I tried starting Hamster right after and it just kept saying it couldn't find Hamster.txt. IT WORKS and is a fantastic tool. Thanks and great presentation at DEFCON!! WOOT WOOT

Unknown said...

Hi I finally got it working and it is Fantastic!! For everyone start Ferret first and wait for it so show activity in the command window, it will create the hamster.txt file on it's own THEN start Hamster after Ferret finds something. I tried starting Hamster right after and it just kept saying it couldn't find Hamster.txt. IT WORKS and is a fantastic tool. Thanks and great presentation at DEFCON!! WOOT WOOT

Craig said...

Hi
I was unsuccessful in trying to run this but I want to ensure that I'm doing it right.

1- Running at home with wpa. I wanted to ensure that it is capturing the wpa handshake so I disconnected client machine and reconnected. Does hamster and ferret work with a wirless wpa network, or strictly unauthenticated?

2. Would it work in a network which does captive portal where you need to sign on first?

3.I am using an atheros based wireless card. Not sure why you would need rfmon mode if you need to be authenticated to the network not running in promiscuous mode?

Anyone have thoughts on above?

Thank you
Craig

Unknown said...

Why I can't run hamster? I use Vista but there is some problem...
There is a screenshot
http://img468.imageshack.us/img468/915/problemax0.jpg

Dark Floyd said...

Dear mates,

I HAVE GOT A PROBLEM AND HOPEFULLY ANYONE COULD ADVISE ME or Mr. Graham, could you please advise me on that?

I have bought a USB WiFi adapter and connect to my home AP, trying to sniff the network traffic.

I start up another machine, this target is connected to the same AP as the sniffing laptop. However, my sniffing laptop could not capture any traffics from the target but with the following output only:

rdware/index/Linksys_Wireless-G_USB_Network_Adapter.htm&dc_aff_id=&keys=router;Networking%20product;so
=1;1;1;1;1;1&index=0&cbl=0&ab=0&onf=1&omk=1&resultNum=1&time=5500&dc_aff_id=&bt=1&mod=2&rId=564_119368
360733; imprs=11"
proto="MS-BROWSE", op="domain", domain="WORKGROUP", hostname="YOUR-CB5E0316B2", ip.src=[192.168.1.100]
ID-IP=[169.254.72.178], macaddr=[00:0e:35:b2:f6:32]
ID-MAC=[00:0e:35:b2:f6:32], ip=[169.254.72.178]
ID-IP=[192.168.1.100], Multicast-groups=[239.255.255.250], groupname="SSDP"
ID-IP=[169.254.72.178], name="YOUR-CB5E0316B2<00>", type="NetBIOS"
ID-MAC=[00:0e:35:b2:f6:32], proto="DHCP", op="Hostname", hostname="your-cb5e0316b2"
ID-MAC=[00:0e:35:b2:f6:32], System="Windows 2k/XP/..."
ID-IP=[192.168.1.1], macaddr=[00:18:39:cc:87:01]
ID-MAC=[00:18:39:cc:87:01], ip=[192.168.1.1]
proto="DHCP", server=[192.168.1.1], op="offer", leasetime=86400
proto="DHCP", server=[192.168.1.1], op="offer", router=[192.168.1.1]
proto="DHCP", server=[192.168.1.1], op="offer", dns-server=[61.10.1.146]
proto="DHCP", server=[192.168.1.1], op="offer", dns-server=[203.83.112.1]
proto="DHCP", server=[192.168.1.1], op="offer", dns-server=[203.83.113.1]
proto="DHCP", server=[192.168.1.1], op="offer", domainname="voip.hkcable.com.hk"
ID-MAC=[00:0e:35:b2:f6:32], proto="DHCP", op="Request-IP", ip=[192.168.1.101]
ID-MAC=[00:0e:35:b2:f6:32], Hostname="your-cb5e0316b2.", proto="DHCP", op="FQDN"
ID-IP=[192.168.1.101], macaddr=[00:0e:35:b2:f6:32]
ID-MAC=[00:0e:35:b2:f6:32], ip=[192.168.1.101]
ID-IP=[192.168.1.101], Multicast-groups=[239.255.255.250], groupname="SSDP"
ID-MAC=[00:12:17:5f:81:a0], proto="DHCP", op="Hostname", hostname="your-cb5e0316b2"
ID-MAC=[00:12:17:5f:81:a0], System="Windows 2k/XP/..."
ID-IP=[192.168.1.100], macaddr=[00:12:17:5f:81:a0]
ID-MAC=[00:12:17:5f:81:a0], ip=[192.168.1.100]

If I surf the web with my sniffing laptop, it could capture the traffics and cookies if I use the Built-in Wifi adapter (Intel) and USB Wifi adapter (Realtrek) at the same time.

What's going on with my setting, am I set something wrongly?

If my AP is hidding its SSID, will it be affected? If the target laptop connects to AP with its built-in Intel Pro wireless adapter, will it be okay?

I do feel thankful to all of your help and advices.

Regards,
Anthony Lai, Hong Kong

Anonymous said...

Only certain network cards are supported.

My Ralink internal card = not supported,
My Orinoco Gold = Supported partially

If you are not getting any output when visiting gmail etc then your cards are not supported.

Also I only get traffic for my local machine which is pointless to me, i thought I could test my network to check if it was vuln, This is what I mean when I say the Orinoco Gold is partially supported.

AEL said...

Hey thanks for the copy of Hampster. It was just what I needed for my hacker expo today.

I wrote about netbios hacking in my June 4 post on:
http://AnEliteLeader.blogspot.com/2007/06/netbios-hacking-artcrime-of.html

I just thought your readers might find it interesting.

GK said...

Graham,
Does this work if you dont use wi-fi network. Suppose, I have a normal desktop and I cant sniff the traffic outside my netowrk. If i want to hack gmail account outside the network but somewhere on the internet , how do we do this.

Rob said...

I am doing research on what I can do to protect our corporate network from the vulnerability side jacking/cookie stealing exploits. I want my users to be able to log into our network, authenticate against our radius server and be able to securely surf whatever websites and me not have to worry about session hijacking. Is it possible to lock down all wireless connections so once the user authenticates their credentials on LDAP it generates something like a random RSA Key to encrypt all wireless traffic passed between the device and AP? All points of view are welcome.

Anonymous said...

Hi man... This entry is something old but still I will comment, researching about you and hamster I noticed that the only thing that is mentioned is gmail accounts, and I was testing on the LAN of my home and two friends opened their accounts Hotmail and I can open their sessions jejejeje surprised me a lot .. I read and send emails from their accounts, but what experiences have you had with yahoo and hotmail accounts?

Unknown said...

I'm trying to build a laptop to run hamster and ferret. What would be an out of box laptop that can do it? I am using the old Macbook Pro Core duo with the atheros 5006x card. I thought it would work, but ferret said that it cannot log on to promiscouous mode. Any input on that? Here's my config.

Atheros 5006x, WinXP SP3, Winpcap 4.1 beta 5, hamster, ferret

Unknown said...

I'm trying to build a laptop to run hamster and ferret. What would be an out of box laptop that can do it? I am looking for an right out of the box, all in one solution.. I am using the old Macbook Pro Core duo with the atheros 5006x card. I thought it would work, but ferret said that it cannot log on to promiscouous mode. Any input on that? Here's my config.

Atheros 5006x, WinXP SP3, Winpcap 4.1 beta 5, hamster, ferret

Robert Graham said...

I don't know what you mean by "it cannot log on to promiscouous mode". I suggest you quote the exact error message, and which program gave it.

Anonymous said...

Wow. With all that's out there involving computers and the internet; so many great things to read or watch... you choose THIS? I'm a computer/internet fiend more than anyone I know, but I can't imagine the shame I'd feel if I became a part of this. Maybe it's just that I can't understand the thrill of "beating the system." What I do understand is that there are better ways to live. But hey, if you can't shake it, go ahead and take a look at my emails to friends while planning partys and trips... you can live vicariously. Have a blast... I'm just gonna try to forget I ever saw this cause it makes me sad.

Anonymous said...

can this be run on Vista?

Chris said...

It can be done on wireless networks but if you're using WEP or WPA, you'll have to capture the packets with Wireshark or Airodump and then decrypt the packets and save them to a file.

In Wireshark, go to Edit, Preferences, Protocols, IEEE802.11. Then check "Enable Decryption" and follow its instructions for entering your WEP/WPA keys.

If you have captured them with Airodump (or even Wireshark), you can decrypt them by typing 'airdecap-ng -w [wepkey] file.cap'. I don't recall if it's the same command for WPA, but the manpage will tell you. :)

thierry said...

bonjour,je viens de me faire piraté mon compte yahoo.fr.On m'a changer mon mot de passe,la question secrete,et le mail de secour.pouve vous m'aider a retrouver mon compte? merci.petanqueur@gmail.com

thierry said...

pouvez vous m'aider ?

Unknown said...

hii, i've tried the softwares (hamster+ferret)..

but it seems not work on my network
nb: my network is using an authentified proxy with user and password..

can it fix for later version?
thx, i'll so appreciate if it can works on such as environment :)

AstroGrad said...

Hi,

I finally got ferret and hamster running on my Mac OS X. However, I cannot see any 'targets' other than my own IP. I was wondering what I am missing?

info: I am connected to my router wirelessly. First, I am running "$sudo ./ferret -i 2" and then "$sudo ./hamster". In the web interface on hamster, I chose the adapter en1.

Your help is appreciated!
Thanks,
-AG

sibaram said...

Hi,

When I am trying to run the command "ferret -W" under c:/sidejacking folder it gives an error. The error is as follows:- "ferret.exe has stopped working. Check online for the solution." My winpcap version is 4.1.2. What should I do in this case? Please help.

downlaod usb security said...

Does this work if you dont use wi-fi network. Suppose, I have a normal desktop and I cant sniff the traffic outside my netowrk. If i want to hack gmail account outside the network but somewhere on the internet , how do we do this.

milad said...
This comment has been removed by a blog administrator.
felisha green said...
This comment has been removed by a blog administrator.