Monday, September 26, 2011

What are session cookies? How are they used to hack email accounts?


Welcome back to another very interesting article, this time about session cookies, which many hackers claim to have used to hack email accounts or the passwords of several other websites. In this tutorial you will learn how to hack a Yahoo account using session cookies.
Before we go any further, let us explain what these session cookies, sometimes called a Magic Cookie or Session ID, actually are.
A whole article could be written about session IDs if we went deep, but put simply, they are strings stored when we log in to our account. Unfortunately for hackers, these strings have a very short life span, i.e. they are deleted automatically after a set period of time. Now the question is where these strings are stored. There are only two places where these keys are stored: the first is the server itself and the second is the browser's cookies. They are destroyed in three ways: first, when you close your web browser; second, when you sign out of your account; and third, if you leave your account open and idle for more than 20 minutes.
How are these cookies accessed on the local system?
In this article we are using a Yahoo account, so to understand what this cookie is, first open yahoo.com and log in to your account. After you have logged in, copy the code below and paste it into the browser address bar.
javascript:alert(document.cookie);
This will open a popup box containing a string of text that is not meant to be readable, but we do not need to understand it; we only need the string itself.

How to hack email account using session cookies
Now create one fake account on yahoo.com, log in to that account, retrieve the cookie in the same manner, and notice the changes in the session IDs.
Now to the main point: hacking using session IDs. To hijack a session we first need the victim's session cookies, and it is quite simple to get them. You just need to send him one link; as soon as he clicks on it, we get his session cookie.
Note this point here: as we have already mentioned, session hacking removes the authentication on the server because we have the AUTO LOGIN cookie. In this type of attack, when the victim signs out, the hacker is signed out as well. In the case of Yahoo it is a little different: when the victim signs out, the attacker still has access to his account. Yahoo maintains the session for 24 hours and then destroys the session IDs on its server.
Now, how to go further and steal session cookies: follow the steps below.
1. Go to the Website and register there:
http://www.my3gb.com/register.jsp
2. Download the Cookie stealer files:
3. Now upload the four files to the website and create one empty directory named Cookies, as shown below:

4. Send the link of yahoo.php to the victim. When the user clicks on yahoo.php, his cookies are stored in the Cookies directory and he is simultaneously redirected to his account.
5. Now open the link to Hacked.PHP to access the cookies. In my files the password is “password”. You need to enter that to access the files.

6. You should now have the username of the victim’s account. Simply click on it and it will take you to the inbox of the victim’s Yahoo account without asking for any password.

Now it doesn’t matter if the victim signs out of his account; you will remain logged in to it.
Note: You can try this attack using two browsers. Sign in to a Yahoo account in one browser and run the code. Then sign in through the other browser using the stolen session.
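
A copied cookie keeps working after sign-out, as described above, only when the server goes on honouring the session ID. The following server-side session store is an added example, not code from the original post or from Yahoo; the `SessionStore` class and its method names are hypothetical. It revokes the session on sign-out, applies the 20-minute idle limit and a 24-hour absolute limit, and issues a fresh ID at login.

```javascript
// Added example: hypothetical in-memory session store (not Yahoo's code).
const { randomBytes } = require('node:crypto');

const IDLE_LIMIT_MS = 20 * 60 * 1000;          // idle timeout from the article
const ABSOLUTE_LIMIT_MS = 24 * 60 * 60 * 1000; // hard cap on session age

class SessionStore {
  constructor() {
    this.sessions = new Map(); // session id -> { user, created, lastSeen }
  }

  // Issue a fresh, unpredictable id at login. Any id the browser presented
  // before login is discarded, so an id chosen by someone else never
  // becomes an authenticated session.
  login(user, presentedId, now = Date.now()) {
    if (presentedId) this.sessions.delete(presentedId);
    const id = randomBytes(32).toString('hex');
    this.sessions.set(id, { user, created: now, lastSeen: now });
    return id;
  }

  // Return the user for a valid id, or null. Expired sessions are removed.
  validate(id, now = Date.now()) {
    const s = this.sessions.get(id);
    if (!s) return null;
    const idle = now - s.lastSeen > IDLE_LIMIT_MS;
    const tooOld = now - s.created > ABSOLUTE_LIMIT_MS;
    if (idle || tooOld) {
      this.sessions.delete(id);
      return null;
    }
    s.lastSeen = now;
    return s.user;
  }

  // Sign-out deletes the server-side record, so every copy of the cookie
  // (including one held in a second browser) stops working immediately.
  logout(id) {
    return this.sessions.delete(id);
  }
}
```
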




Session cookies are strings stored when we log in to our account. Unfortunately for hackers, these strings have a very short life span, i.e. they are deleted automatically after a set period of time. Now the question is where these strings are stored. There are only two places where these keys are stored: the first is the server itself and the second is the browser's cookies. They are destroyed in three ways: first, when you close your web browser; second, when you sign out of your account; and third, if you leave your account open and idle for more than 20 minutes. In general, cookies are used to maintain sessions on websites and store the remote address of the website.
When these session cookies are exploited in any way to gain unauthorized access to a computer system or network, the whole process is termed Session Hijacking. More technically, it is sometimes called HTTP Cookie Theft or Magic Cookie Theft. Nowadays several websites have started using HTTPS cookies, simply called encrypted cookies. But we all know that if an encrypter exists, so does its decrypter…
So now the question arises: why is the session cookie hijacked, and how does it help a hacker gain access to a system?
As already mentioned, session cookies are the keys responsible for a person's authentication, so anyone who gets these IDs can easily bypass the authentication process and gain access to the machine. No reauthentication is required because the session is already active, so the hacker can easily access resources and sensitive information like passwords, bank details and much more. Isn’t this terrifying…
Now that we know what these “Session Cookies” are, let us see what the ways are.
Session Hijacking involves two types of attacks:
1. Active attack
2. Passive attack
First, the active attack: in this type of attack the hacker tries to find an active session and takes control of it by forcibly taking one of the parties offline. This is generally achieved by a DDoS attack (Distributed Denial of Service attack). Once the hacker has the session under his control, he can execute commands on the system that either give him sensitive information such as passwords or allow him to log in at a later time. Though this is the most common form, there is also a hybrid attack, in which the attacker watches a session for a while and then becomes active by taking it over. Another way is to watch the session and periodically inject data into the active session without actually taking it over.
Now let us come to passive attacks: in this type of attack a hacker hijacks a session, but just sits back and watches and records all the traffic being sent from or received by the computer. This is useful for finding sensitive information like usernames and passwords of websites, Windows and much more.
Now that you have learned what session hacking is and its types, it is time for the methods involved. There are four main methods used to perpetrate a session hijack. These are:
  • Session fixation, where the attacker sets a user’s session id to one known to him, for example by sending the user an email with a link that contains a particular session id. The attacker now only has to wait until the user logs in.
  • Session sidejacking, where the attacker uses packet sniffing to read network traffic between two parties to steal the session cookie. Many web sites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. This allows attackers that can read the network traffic to intercept all the data that is submitted to the server or web pages viewed by the client. Since this data includes the session cookie, it allows him to impersonate the victim, even if the password itself is not compromised. Unsecured Wi-Fi hotspots are particularly vulnerable, as anyone sharing the network will generally be able to read most of the web traffic between other nodes and the access point.
  • Alternatively, an attacker with physical access can simply attempt to steal the session key by, for example, obtaining the file or memory contents of the appropriate part of either the user’s computer or the server.
  • Cross-site scripting, where the attacker tricks the user’s computer into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.
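
Two of the methods above, sidejacking and cross-site scripting, and the `document.cookie` popup shown earlier all depend on how the server sets the cookie. The following is an added example, not part of the original article: it audits `Set-Cookie` headers for the `Secure` and `HttpOnly` attributes and shows what a script would be able to read. The header values and function names are constructed for illustration.

```javascript
// Added example. The Set-Cookie values below are constructed samples.
const SAMPLE_HEADERS = [
  'SID=c0ffee1234; Path=/',                    // session cookie with no flags
  'SID2=c0ffee5678; Path=/; Secure; HttpOnly', // hardened session cookie
  'theme=dark; Path=/; Max-Age=31536000',      // non-sensitive preference
];

// Split one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((part) => part.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const item of rest.filter(Boolean)) {
    const i = item.indexOf('=');
    if (i === -1) attrs[item.toLowerCase()] = true;
    else attrs[item.slice(0, i).toLowerCase()] = item.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Report which exposure each cookie has.
function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  // No HttpOnly: page scripts can read it (cross-site scripting).
  if (!attrs.httponly) findings.push('script-readable');
  // No Secure: the browser also sends it over plain HTTP (sidejacking).
  if (!attrs.secure) findings.push('sent-over-http');
  // Max-Age/Expires: the cookie survives closing the browser.
  if ('max-age' in attrs || 'expires' in attrs) findings.push('persistent');
  return { name, findings };
}

// What alert(document.cookie) would display: only cookies without HttpOnly.
function visibleToScript(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

for (const h of SAMPLE_HEADERS) console.log(auditCookie(h));
console.log(visibleToScript(SAMPLE_HEADERS));
```
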