1 00:00:00,300 --> 00:00:01,950 Hello everyone and welcome back.
2 00:00:01,950 --> 00:00:09,900 And in this video I will show you a certain type of attack which is called session fixation, which
3 00:00:09,900 --> 00:00:16,740 is basically used when the owner of the website misconfigured the website creation, or basically anyone
4 00:00:16,740 --> 00:00:24,870 who created that website allowed that some of the information that the user sends
5 00:00:24,870 --> 00:00:29,130 to the server becomes the ID of that session.
6 00:00:29,130 --> 00:00:35,970 Now before we get into that I just want to show you another attack which, most likely,
7 00:00:35,970 --> 00:00:41,460 you will not come across, especially not on some of the bigger websites. You might come across it
8 00:00:41,610 --> 00:00:48,240 on some of the smaller websites, since it is basically a flaw in the cookie itself,
9 00:00:48,240 --> 00:00:50,040 in the session itself.
10 00:00:50,040 --> 00:00:58,350 If such an ID is not random enough, sometimes you can basically guess the session ID of some of the
11 00:00:58,410 --> 00:01:03,320 other users, or just find a valid session ID.
12 00:01:03,660 --> 00:01:11,280 So in order to show you what I am talking about, just open up your Burp Suite and, on your Kali machine,
13 00:01:11,340 --> 00:01:12,310 which is the OS,
14 00:01:12,330 --> 00:01:17,080 just go here on the OWASP WebGoat.
15 00:01:17,730 --> 00:01:21,180 If it asks you to log in, just type "webgoat" "webgoat".
16 00:01:21,360 --> 00:01:30,440 And after that you want to go onto the Session Management Flaws right here, and here you want to go
17 00:01:30,530 --> 00:01:35,710 onto the Hijack a Session. Now, as we can see right here,
18 00:01:35,730 --> 00:01:44,020 we are prompted with a username and password.
19 00:01:44,070 --> 00:01:53,380 Now what we want to do is basically turn our intercept on, type here anything, and send our POST request.
20 00:01:53,400 --> 00:01:55,140 And as we can see it is right here.
21 00:01:56,100 --> 00:02:04,230 And what I'm talking about is this WEAKID. Now it is called WEAKID since it is purposely
22 00:02:04,230 --> 00:02:09,110 made weak for this attack, and the first time you're looking at it,
23 00:02:09,120 --> 00:02:15,830 this might seem like a really random number, but it isn't.
24 00:02:15,860 --> 00:02:18,300 It is actually really easy to guess it.
25 00:02:18,350 --> 00:02:24,140 I will just show you how you can generate a lot of cookie requests, or different requests, in order to
26 00:02:24,140 --> 00:02:27,790 see, for example, 10,000 different cookies,
27 00:02:27,800 --> 00:02:35,240 and in order to compare them and see which values change in this session ID and which values don't.
28 00:02:35,770 --> 00:02:42,290 And after you do that you can basically try to guess the session ID with it, but we won't be going through
29 00:02:42,290 --> 00:02:49,370 the entire attack since it could take some time. I'll just show you how you can check out if the ID
30 00:02:49,370 --> 00:02:58,830 of that session is weak or not. So once we do that we want to turn on our intercept, type an invalid username
31 00:02:58,830 --> 00:03:00,400 and password of course.
32 00:03:00,400 --> 00:03:08,010 Now we've got to go to the target and find the page that we send the username and password to.
33 00:03:08,270 --> 00:03:14,670 So I'm not really sure where that is, not even sure what page takes the username and password.
34 00:03:14,670 --> 00:03:20,480 So let me just find it right here. It's not this. Which page is it?
35 00:03:20,510 --> 00:03:26,030 This is Screen=72&menu=1800.
36 00:03:26,260 --> 00:03:26,640 OK.
37 00:03:26,640 --> 00:03:29,350 So we want to find WebGoat.
38 00:03:29,530 --> 00:03:41,870 Here it is, something with WebGoat. Just find the packet right here, so we search for the WebGoat
39 00:03:41,870 --> 00:03:42,330 path.
40 00:03:42,350 --> 00:03:47,450 Here it is.
41 00:03:47,990 --> 00:03:50,460 You just see, it's not this one.
42 00:03:50,460 --> 00:03:51,100 It's not.
43 00:03:51,120 --> 00:03:52,760 It's this one.
44 00:03:52,770 --> 00:03:54,880 This one? It's not this one.
45 00:03:54,900 --> 00:03:55,710 Sure it is.
46 00:03:55,710 --> 00:03:59,970 It's this one, as we can see.
47 00:03:59,990 --> 00:04:05,930 So what we want to do from here is you want to right click on the packet and send it to Sequencer.
48 00:04:06,740 --> 00:04:10,580 So once you go to the Sequencer it will light up this part right here.
49 00:04:10,580 --> 00:04:18,980 So just click on the Sequencer and you will see that it already set the form field to be WEAKID
50 00:04:19,520 --> 00:04:20,490 right here.
51 00:04:20,510 --> 00:04:25,440 So what you want to do, it gives you a bunch of other options,
52 00:04:25,450 --> 00:04:29,600 twenty seconds, your session ID, and once you do that
53 00:04:32,880 --> 00:04:42,300 and click on Start live capture, it will basically gather a lot of cookie values and see if the value of the
54 00:04:42,340 --> 00:04:47,380 cookies is random enough, or if it can be predicted.
55 00:04:47,590 --> 00:04:54,960 So let's go and start the capture and, as we can see right here, it will start sending a bunch of packets
56 00:04:55,080 --> 00:04:57,390 and gathering different cookie values.
57 00:04:57,630 --> 00:05:04,110 And once it gathers enough, it can tell us if the cookie value is random enough for it to be well protected.
58 00:05:05,400 --> 00:05:13,140 If it is not random enough, we will be able to guess another valid cookie value, which can basically make
59 00:05:13,140 --> 00:05:16,200 you enter someone else's session.
60 00:05:16,200 --> 00:05:22,230 So for example, if I sent the wrong username and password and I scanned the cookie and sent a bunch
61 00:05:22,230 --> 00:05:28,110 of other requests and scanned the other cookies and found out that the randomness of the numbers is not
62 00:05:28,290 --> 00:05:37,190 high, I can guess someone else's cookie session and basically enter their profile, on Facebook
63 00:05:37,190 --> 00:05:45,300 for example, without even knowing the username or password. But this is the attack that you most likely
64 00:05:45,300 --> 00:05:56,330 will never ever encounter, since it really must be a misconfigured website in order for this to be possible.
65 00:05:56,490 --> 00:06:02,550 Today's websites have cookie values that you cannot possibly predict, since they are really, really random.
66 00:06:04,090 --> 00:06:09,630 And once this finishes, or we do not even need to wait for it to finish, I think we can click here "Analyze now".
67 00:06:09,700 --> 00:06:16,870 Now you can see the overall result: the overall quality of randomness within the sample is estimated
68 00:06:16,870 --> 00:06:26,370 to be extremely poor. So as we can see, it says that the randomness of the cookie is extremely poor.
69 00:06:26,380 --> 00:06:35,080 Significance level, for example. At the count you can see some of the character sets, which basically
70 00:06:35,080 --> 00:06:44,760 just show you how many characters appear and where, but just find right here if there is anything
71 00:06:45,090 --> 00:06:53,120 interesting for us. Basically this, uh, the entropy is the value of the randomness.
72 00:06:53,120 --> 00:06:58,910 And if you want to, you can check out other options and outputs as well.
73 00:06:58,910 --> 00:07:06,290 But I just want to show you that you can scan for the weakness of the website ID with this method.
74 00:07:06,290 --> 00:07:10,760 We won't be pursuing the attack since there is no point; as I said, this is the attack that you most
75 00:07:10,760 --> 00:07:13,000 likely will never encounter.
76 00:07:13,010 --> 00:07:19,850 So let me just close this and let us go on to the attack that I want to show you, which was the session
77 00:07:19,940 --> 00:07:21,830 fixation attack.
78 00:07:21,830 --> 00:07:25,880 Now this session fixation attack is done through a link,
79 00:07:26,190 --> 00:07:28,310 and now I will show you how to do it.
80 00:07:28,520 --> 00:07:35,530 So it is under the same subsection, which is the Session Management Flaws, and just click here on the
81 00:07:35,530 --> 00:07:37,560 Session Fixation.
82 00:07:37,560 --> 00:07:43,150 Now it will say right here: you are hacker Joe and you want to steal the session from Jane.
83 00:07:43,170 --> 00:07:49,590 Send a prepared email to the victim which looks like an official email from the bank.
84 00:07:49,590 --> 00:07:53,070 So basically, as you can see, we have an example of the email.
85 00:07:53,100 --> 00:08:02,730 And here we want to send something within a link that will make us able to hack another account without
86 00:08:02,730 --> 00:08:05,120 knowing the username or password.
87 00:08:06,910 --> 00:08:14,110 Now we know that this page right here is vulnerable to the session ID being imported into the link
88 00:08:14,110 --> 00:08:14,830 itself,
89 00:08:14,830 --> 00:08:16,030 sending it to someone,
90 00:08:16,060 --> 00:08:21,910 and if someone clicks on that link it will have the already pre-made session ID that you typed into the
91 00:08:21,910 --> 00:08:22,360 link.
92 00:08:22,870 --> 00:08:29,860 And once you know that session ID, you can basically log in, or basically just enter their account without
93 00:08:29,950 --> 00:08:32,590 using a username or password.
94 00:08:32,590 --> 00:08:34,520 So let me show you how that is done.
95 00:08:34,540 --> 00:08:41,590 If we go right here and if we look at the contents of the email, we can see that there is a link referring
96 00:08:41,590 --> 00:08:52,470 to WebGoat/attack?Screen=56&menu=1800. What you want to do is basically you
97 00:08:52,470 --> 00:08:59,160 want to add this sign after the 1800, and after that you want to type SID, which stands
98 00:08:59,160 --> 00:09:02,350 for session ID, equals, and then type
99 00:09:02,370 --> 00:09:03,420 any random number.
100 00:09:03,450 --> 00:09:16,320 So for me I will type 555, and we also want to put the entire link between quotes, so "a href"
101 00:09:17,040 --> 00:09:20,460 indicates that the code stands for referring to a certain page.
102 00:09:20,460 --> 00:09:23,890 So when someone clicks on this it will lead them to this page.
103 00:09:24,030 --> 00:09:29,520 But we added the session ID, so it will lead to the same page, but it will have the session ID already
104 00:09:29,520 --> 00:09:31,840 pre-configured by us in the link.
105 00:09:32,880 --> 00:09:37,500 So once you do that you want to make sure that the page is correct.
106 00:09:37,530 --> 00:09:45,330 So as we can see, WebGoat/attack is the same as here, but the WebGoat is capital W and capital G right
107 00:09:45,330 --> 00:09:45,590 here.
108 00:09:45,590 --> 00:09:51,590 So we want to change that in the link as well, so capital W, capital G.
109 00:09:51,600 --> 00:09:57,570 And once we do that you can send the email. We specified that it will take the session ID, or fake our session
110 00:09:57,570 --> 00:10:00,670 ID for the victim, to be 555.
111 00:10:00,720 --> 00:10:08,760 So if they click on the link and log in with that session ID, we will be able to access that account.
112 00:10:08,760 --> 00:10:16,040 So if we send an email as an attacker, we can see we can turn the intercept off.
113 00:10:16,170 --> 00:10:23,370 So let us just turn this off right here and we get to stage two of this attack. As we can see, you
114 00:10:23,370 --> 00:10:24,930 completed stage 1.
115 00:10:25,020 --> 00:10:26,600 Now we are acting as the victim.
116 00:10:26,610 --> 00:10:31,760 So let's say the victim received this email, which was the email that we sent right now.
117 00:10:31,920 --> 00:10:37,410 And this is the link where we specified the session ID. As you can see down here in the left corner
118 00:10:37,410 --> 00:10:44,340 of the page, we can see the entire link and we can also see our session ID specified as SID equals
119 00:10:44,340 --> 00:10:45,780 555.
120 00:10:45,900 --> 00:10:53,430 So let's say the victim gets this email and it looks like a legit email and they click on this.
121 00:10:53,730 --> 00:11:00,060 It will lead her or him to a login page where it will ask them for a username and password, just as any
122 00:11:00,060 --> 00:11:01,200 other page.
123 00:11:01,200 --> 00:11:08,130 But as we can see right here on the link, we already have our session ID specified, and as soon as someone
124 00:11:08,130 --> 00:11:13,580 types here and logs in, we will be able to access that account.
125 00:11:13,600 --> 00:11:17,140 Now we also want to act as the victim right here.
126 00:11:17,140 --> 00:11:22,420 And as we can see: Goat Hills Financial has asked you to verify your data. Log in to see if your details
127 00:11:22,510 --> 00:11:25,590 are correct. Your username is Jane and your password
128 00:11:25,590 --> 00:11:26,300 is tarzan.
129 00:11:26,710 --> 00:11:35,710 So just type here Jane and tarzan as the password, and click here to log in.
130 00:11:35,730 --> 00:11:42,740 It says: it is time to steal the session now. Use the following link to reach Goat Hills Financial. Your hacker
131 00:11:42,750 --> 00:11:49,890 Joe, you completed stage 3. So we know that Jane has logged into the bank account, and what we want
132 00:11:49,890 --> 00:11:54,150 to do, we want to basically go to our login screen.
133 00:11:54,150 --> 00:12:01,860 So this is just a regular login screen, and we as a hacker want to log into that session, and we do not
134 00:12:01,860 --> 00:12:04,650 know the username and password for that session.
135 00:12:04,650 --> 00:12:11,820 We only know the session ID. So what we want to do is turn the intercept on, and right here we type
136 00:12:11,830 --> 00:12:12,020 here
137 00:12:12,030 --> 00:12:16,110 anything which is not correct, so just type here anything random.
138 00:12:16,260 --> 00:12:20,700 And here we will have the request, the POST request.
139 00:12:20,880 --> 00:12:26,630 Now if you were to just forward this, it will say wrong username or password, since this is a wrong username
140 00:12:26,700 --> 00:12:28,160 or password.
141 00:12:28,260 --> 00:12:35,420 But what we want to do right here is we want to go up and find the link, as we can see right here this
142 00:12:35,550 --> 00:12:38,330 link, and under that, SID.
143 00:12:38,820 --> 00:12:46,650 We want to change that to the session of our victim, and we know that because we set it in the link to
144 00:12:46,650 --> 00:12:55,860 be 555. And now if we forward this packet it will basically log in into the victim's account without
145 00:12:55,950 --> 00:13:01,560 us even knowing the username and password. As we can see, we typed something random: random username, random
146 00:13:01,560 --> 00:13:02,090 password.
147 00:13:02,130 --> 00:13:08,880 And if you click here forward we can see: congratulations, you have successfully completed the lesson, and
148 00:13:08,880 --> 00:13:11,700 we are in the victim's account. First name
149 00:13:11,700 --> 00:13:16,050 Jane, last name Plane, credit card type, and see credit card number.
150 00:13:16,050 --> 00:13:17,070 And then this.
151 00:13:18,360 --> 00:13:21,300 So this is an attack that you might encounter.
152 00:13:22,200 --> 00:13:28,710 So that's why it's called session fixation: since even before our victim has logged in,
153 00:13:28,710 --> 00:13:36,330 we already fixed the session in the link in order for us to know it later on, once the target has logged
154 00:13:36,450 --> 00:13:42,430 in with that session. So that's the motive for this attack.
155 00:13:42,430 --> 00:13:45,450 In the next tutorials we will continue with Burp Suite.
156 00:13:45,490 --> 00:13:50,470 And from now on, I hope you're having a great day, and take care.
157 00:13:50,570 --> 00:13:50,830 Bye.