CSE 466 – Computer Systems Security

Project 1: Sidejacking Webmail accounts (Yahoo, etc)

Due on: Sep 16th, 2009, Start of Class
Method of submission: Print out

Projects are to be done in groups of TWO

 

Warning: These instructions are meant to train you in security issues. You are advised to implement this project on your personal machines, or on Virtual Machines assigned to you in a laboratory. Stealing passwords/cookies/information from any other real machine is a BAD idea – it is a criminal offense. At the least you may be banned permanently from the laboratory if you use this program to steal the password of the Admin or other accounts on a real machine in the laboratory. These instructions are intended to train computer security professionals, not to help criminals.

Sidejacking is essentially the theft of users' session cookies. A stolen session cookie allows an attacker to masquerade as the user to the authenticating machine. In this project we will see how to steal cookies from a Google Mail account and use them to log in from a different machine on the same LAN.

There are two ways of doing this project. Instructions are given for both; you can choose either one. This can be done on the ASU wifi network. However, for the purpose of this class, we will refrain from doing so, because if you accidentally steal a wrong cookie, you may face serious consequences. For this class, all our hacking experiments will be performed on a Virtual Machine, in the laboratory designated for this course. (The location and times for the lab will be announced later; you may have to meet the TA to set up accounts for the same.)

You will have to familiarize yourself with the terms Host Machine and Guest Machine. Guest machines (XP/2000/Ubuntu) are operating systems running on top of VMware. VMware runs on top of the Host Machine (Windows or Linux). There are two free products:

VMware Player: http://www.vmware.com/products/player/
VMware Server: http://www.vmware.com/products/server/

(The VMware for Macintosh is VMware Fusion [paid product with free trial option]. The PC images work with VMware Fusion.)

Read to the end for information on getting the VMware images.

Method 1: Sidejack using Win 2000 and Windows XP, utilizing cookie editor. (Easy)

Start VMware, then start a Win XP machine and a Win 2000 machine on it. The Administrator password for the Windows 2000 machine is ‘dasgupta’. Install Firefox if required on both machines, and install the cookie editor plugin for Firefox on both machines. Log in to a Gmail/ASU Gmail account on Win 2000 in Firefox. Log in to a different Gmail account on the Win XP machine using Firefox. Move back to the 2000 machine and open cookie editor under Tools in Firefox. In the filter box type mail.google.com and hit refresh. This will show the cookie entries for the Gmail account. Copy the Content under the name ‘GX’.

Move back to the Win XP machine. Open cookie editor, and this time, paste the contents copied from the 2000 machine into the XP machine and refresh Firefox. This should make the google mail of the account on the 2000 machine appear.

Deliverables: Screenshots of the two different mail logins, captures of cookie editor on both machines, stolen Google Mail session.
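What the Method 1 result looks like from the server's side, as an added example that is not part of the original assignment: one session cookie first used by one client and later presented by another. The log format, IP addresses and session labels below are constructed for illustration.

```python
from datetime import datetime

# Constructed access-log lines (not from the page): time, client IP, session
# label, User-Agent. A real log should record a hash of the cookie, not its value.
SAMPLE_LOG = """\
2009-09-10T10:00:01 192.168.1.20 sess=a1f3 "Mozilla/5.0 (Windows NT 5.0) Firefox/3.5"
2009-09-10T10:00:09 192.168.1.20 sess=a1f3 "Mozilla/5.0 (Windows NT 5.0) Firefox/3.5"
2009-09-10T10:00:15 192.168.1.31 sess=77c0 "Mozilla/5.0 (Windows NT 5.1) Firefox/3.5"
2009-09-10T10:02:40 192.168.1.31 sess=a1f3 "Mozilla/5.0 (Windows NT 5.1) Firefox/3.5"
2009-09-10T10:02:55 192.168.1.20 sess=a1f3 "Mozilla/5.0 (Windows NT 5.0) Firefox/3.5"
"""


def parse_line(line):
    """Split one log line into (time, ip, session, user_agent)."""
    ts, ip, sess, ua = line.split(" ", 3)
    return datetime.fromisoformat(ts), ip, sess.split("=", 1)[1], ua.strip('"')


def detect_session_reuse(log_text):
    """Alert the first time a session is presented by a client (IP, User-Agent)
    other than the one that first used it."""
    owner = {}        # session -> (ip, ua) of the first client seen
    reported = set()  # (session, client) pairs already alerted on
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, sess, ua = parse_line(line)
        client = (ip, ua)
        first = owner.setdefault(sess, client)
        if client != first and (sess, client) not in reported:
            reported.add((sess, client))
            alerts.append({"time": ts, "session": sess,
                           "owner_ip": first[0], "new_ip": ip})
    return alerts


if __name__ == "__main__":
    for a in detect_session_reuse(SAMPLE_LOG):
        print(f"{a['time']} session {a['session']}: first used by "
              f"{a['owner_ip']}, now presented by {a['new_ip']}")
```

Legitimate clients also change address (NAT, roaming), so a check like this is normally a trigger for re-authentication rather than proof of theft.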

Method 2: Sidejack using Win XP and Win 2000 using network sniffing (Hard)

Start Win XP and Win 2000 on VMware. 2000 will serve as the target machine and XP will serve as the attacker machine. Install Nmap on the XP machine; download it from nmap.org. This provides WinPcap, which is required for sidejacking. This tool is essentially made for Linux, but there are stable versions for Windows available on the website.

After this software completes installation, go to http://www.erratasec.com/sidejacking.zip and extract the folder. Open CMD and run: ferret -I 0 (ferret is inside the sidejacking folder). This sniffs the network interface and displays its output in the terminal. Do not close the command terminal.

Open the sidejacking folder and start Hamster.exe; unblock it in Windows Firewall if required. This opens another command window. Do not close it. Enter the IP address of the 2000 VM in it.

Open Firefox on XP, and go to Tools->Options->Advanced->Network. Click on Settings and check the Manual Proxy Configuration radio button. Enter HTTP proxy 127.0.0.1, port 3128. Click on OK. Then go to http://hamster in Firefox on XP.

On the 2000 machine, log in to your Gmail account. Move back to the XP machine and refresh the Firefox page. This should show a session of Gmail on the XP machine. Click on the session link. Then on the left frame, you should see a link mail.google.com/mail.

Click on it. This should give you the authenticated gmail session on the 2000 machine. (We are currently on XP).

Once you are done, restore the proxy settings to the previous state on Firefox.

Deliverables: Screenshots of the Hamster page where you enter the IP of the target machine, authenticated mail session on the 2000 machine. Hamster page showing session link on target machine. Google mail session on the XP machine.
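Method 2 depends on the session cookie crossing the LAN where a sniffer can read it. The following added example (not part of the original assignment) audits Set-Cookie headers for session cookies that lack the Secure attribute, which restricts a cookie to HTTPS requests, and HttpOnly. 'GX' is the cookie name from Method 1; the other names, the domain and all values are constructed.

```python
# Constructed Set-Cookie header values (not captured traffic). 'GX' is the
# cookie name used in Method 1; the other names and all values are made up.
SAMPLE_HEADERS = [
    "GX=constructed-token-1; Path=/mail; Domain=mail.example.test",
    "GX=constructed-token-2; Path=/mail; Secure; HttpOnly",
    "PREF=lang=en; Path=/",
    "SID=constructed-token-3; Path=/; secure",
]

# Secure: the browser sends the cookie only over HTTPS, so it never crosses
# the LAN in cleartext. HttpOnly: page scripts cannot read the cookie.
REQUIRED = ("secure", "httponly")


def parse_set_cookie(header):
    """Return (cookie name, {lower-cased attribute: value}) for one header."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_session_cookies(headers, session_names):
    """List (name, missing attributes) for session cookies lacking a flag."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in session_names:
            continue
        missing = [flag for flag in REQUIRED if flag not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


if __name__ == "__main__":
    for name, missing in audit_session_cookies(SAMPLE_HEADERS, {"GX", "SID"}):
        print(f"{name}: missing {', '.join(missing)}")
```

Neither attribute affects Method 1, where the cookie is copied out of the browser's own cookie store on the machine that holds it.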

 

Note: If you are using your personal Gmail accounts for the hack, then you may choose to blank out the sections of the screenshots that show the contents of your mail. The top frame and left frame on the Gmail page are sufficient.

Getting VMWare Images:

The VMWare images will be handed out on DVDs (a few copies) in class on Wednesday (Sept 2nd). Please make copies.

The sizes are:
Ubuntu:  1.3GB
Win2000: 380 KB
WinXP:  980MB

Total: 2.66GB (big)

The Ubuntu image is freely copyable and usable. The Win2000 and WinXP images are copyrighted software and are to be used only for this class project. They are old, unpatched versions that are not to be patched or used for anything useful other than this class. They are to be destroyed after you are done with class projects.