All posts for the month April, 2012

It’s been a little while, huh? Well, I’ve decided to release the finished v0.1 beta of my sessionlist tool.

A little about it and why I created it.

HTTP is a simple protocol, and many use it to create “program-like” websites. With asynchronous requests available in almost every browser (including mobile ones), it’s no surprise that people create a zillion and one sites for almost any purpose. The underlying issue with HTTP is that it is stateless. How do you create the illusion of program state in a naturally stateless protocol? The correct answer is to create a new protocol designed for this purpose; however, that didn’t happen. Instead we have silly hacks that let us pretend to have state while using HTTP. How is this accomplished? Well, we pass variables and their values back and forth with every single request! It causes overhead, but they’re websites, not real programs! To make this more manageable, many web scripting languages support sessions, which reduce the overhead by storing only a session id in a browser cookie instead of all the variables and values, and using that session id to look up the variables and values stored on the server. Of course, now all you need to facilitate authentication is the session id.

So if a website relies on cookies to store authentication details, be it via a session id or other state information, a user can simply nab this information and present it as if they were the original user, and they will be authenticated as if they had logged in with valid credentials.
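One defensive check for the exposure just described, as an added example that is not part of the original post: it parses Set-Cookie headers and flags session cookies that would be transmitted in the clear (no Secure flag) or be readable by page script (no HttpOnly). The SESSION_NAMES list and the sample headers are constructed assumptions, not taken from any real site.

```python
# Added example (not part of the original post): audit Set-Cookie headers for
# the exposure described above. A session cookie without the Secure attribute
# is sent in plaintext over HTTP, where a passive sniffer can read it; one
# without HttpOnly can also be read by script running in the page.
from typing import Dict, List

# Assumption: common framework session-cookie names; extend for your own app.
SESSION_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "sid", "session"}


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and a lowercase attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; store True for them.
        attrs[k.strip().lower()] = v.strip() if v else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def is_session_cookie(name: str) -> bool:
    """Heuristic: known session names, or anything containing 'sess'."""
    lowered = name.lower()
    return lowered in SESSION_NAMES or "sess" in lowered


def audit(headers: List[str]) -> List[str]:
    """Return one finding per session cookie that lacks a protective attribute."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        if not is_session_cookie(c["name"]):
            continue  # non-session cookies (e.g. UI preferences) are out of scope
        a = c["attrs"]
        if "secure" not in a:
            findings.append(f"{c['name']}: missing Secure (sent in clear over HTTP, sniffable)")
        if "httponly" not in a:
            findings.append(f"{c['name']}: missing HttpOnly (readable by page script)")
    return findings


# Constructed sample responses: WEAK is the exposed form, HARDENED the corrected one.
WEAK = ["PHPSESSID=abc123; Path=/", "theme=dark; Path=/"]
HARDENED = ["PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax", "theme=dark; Path=/"]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(hdrs) or ["no findings"])
```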

Sessionlist v0.1 is a network sniffer that simply observes cookies sent over HTTP (on port 80, or on a user-configured port set via the command line) and keeps track of them. It saves a list of sites and cookie data along with user-agent strings, which should be sufficient to effectively spoof the user who generated the traffic. All you need is a plugin that lets you set your own user agent and cookie data. I personally have found Firefox’s Modify Headers plugin to work perfectly, but I’m sure others are fine as well. Using this tool to sniff traffic, you can basically collect authentication data as it passes over the wire (or air). This works on unencrypted HTTP traffic, but if you’re familiar with SSL MITM attacks you can make this work on those sites as well. Generally for wireless sniffing you don’t need to perform any MITM attack, but if you’re on a switched network then obviously a regular MITM attack will be needed. There are many tools that perform those functions, so use your favorite.

As mentioned before, this tool is a beta, so there are bound to be bugs. Please let me know as you find them so I can squash them and make this a better tool! I’ve included 32- and 64-bit builds. I may release this tool as open source sometime in the future.

The release archive is signed with my PGP key; the public key is on my about page. Click [here] for that. Once you’ve imported my public key, simply run:

gpg [thefile.gpg]

If the signature is good, then you’re set. If the signature fails, then you are probably dealing with a tampered file (or you incorrectly imported my key somehow).

All feedback is appreciated and enjoy!

UPDATE:

Released version 1.0 with MORE bug fixes and UI changes! Threading issues have been fixed as well!

sessionlistv1.0

Older versions:

(v0.2 changelog)

Released version 0.2 with minor bug fixes and a much better capture engine (removed idiotic threading crap; until another version, pthread will remain linked).

sessionlistv0.2

sessionlistv0.1