Project 11: Cookie Replay (15 pts.)

What you need

Purpose

To see how cookies are used by websites for authentication, and perform a CSRF (Cross-Site Request Forgery) attackdirect.

Note: URL Changed

Originally this project used "attack.samsclass.info" but now you must use "attackdirect.samsclass.info" instead because the other URL has been upgraded to HTTPS.

Installing Chrome

If you don't already have the Chrome browser, get it here:

https://www.google.com/chrome/browser/desktop/

Installing Wireshark

If you don't already have Wireshark, get it here:

https://www.wireshark.org/

Installing the EditThisCookie Chrome Extension

In Chrome, go to:

http://www.editthiscookie.com/

At the bottom of the page, in the "Get it now" section, click "for Google Chrome".

A box pops up asking "Add "EditThisCookie"?". Click the "Add extension" button.

Logging in to a Test Site

In Chrome, go to

http://attackdirect.samsclass.info/cookielogin/

Log in with a Name of root and a Password of toor

A "Message Board" page appears, saying "Welcome Linux Root User", as shown below.

Viewing Cookies with EditThisCookie

In Chrome, at the top right, click the little yellow cookie icon, as indicated by the blue arrow in the image below.

Find the AUTH value, outlined in red in the image below. This cookie indicates that a user has logged in.

Sniffing with Wireshark

Start Wireshark. In the top left portion of the screen, cick "Interface List", as shown below.

In the "Wireshark: Capture Interfaces" box, check the interface that goes to the Internet, as shown below. If you're not sure which interface to use, check them all.

Then click the Start button.

Refreshing the Message Board

In Chrome, on the Message Board page, at the top left of the browser winow, click the Refresh button (it looks like a curved arrow).

Stopping the Capture

In Wireshark, click Capture, Stop.

Finding the Authorization Cookie

Near the top of the Wireshark window, in the Filter bar, type:

http.cookie

Press Enter. This shows only HTTP requests that contain cookies. Even when filtered this way, I found a lot of packets, as shown below.

In the Filter bar, change the filter to:

http.cookie && frame contains samsclass

Press Enter. This shows only a few requests.

Find a request labelled "GET /cookielogin/messageboard.php" in the top pane, and click it to select it, as shown below.

In the middle pane of Wireshark, expand "Hypertext Transfer Protocol" and expand "[truncated]Cookie".

You should see several Cookie pairs, including the one that sets AUTH to a long hexadecimal value, as outlined in the image below.

Saving the Screen Image

Make sure you can see AUTH=63a9f0ea7bb98050796b649e85481845.

Save a FULL DESKTOP image with the filename Proj 11a from Your Name.

Copying the Cookie Value

In Wireshark, in the middle pane, right-click AUTH=63a9f0ea7bb98050796b649e85481845 and click Copy, Value.

Logging Out from the Message Board

In Chrome, scroll to the bottom of the message board and click the Logout button.

A page appears, saying "You are now logged out!".

In Chrome, go to this URL:

http://attackdirect.samsclass.info/cookielogin/messageboard.php

You see the message: "INVALID FAIL", as shown below.

Saving the Screen Image

Make sure you can see the message: "INVALID FAIL".

Save a FULL DESKTOP image with the filename Proj 11b from Your Name.

Pasting in the Stolen Cookie

In Chrome, at the top right, click the little yellow cookie icon. AUTH now has the value INVALID, as shown below.

Click in the box showing INVALID, erase that text, and paste in the contents of your clipboard. Remove the "AUTH=" at the start of the data, so only the long hexadecimal string remains, as shown below.

Then click the green checkmark at the bottom of the EditThisCookie window to save your change.

Performing the CSRF attackdirect

In Chrome, refresh the page.

You see the message "Welcome Linux Root User", as shown below.

You got into the user's account without entering a password, using a stolen cookie. This is called Cross-Site Request Forgery (CSRF).

Saving the Screen Image

Make sure you can see the message: "Welcome Linux Root User".

Save a FULL DESKTOP image with the filename Proj 11c from Your Name.

Turning in Your Project

Email the images to cnit.123@gmail.com with a Subject line of Proj 11 from Your Name.

Source

http://www.wildhacker.com/2012/04/hack-account-password-facebook-cookie.html


Posted 10-13-16