The following is an extract from a document I wrote a while ago which was written to try and highlight the importance of encryption:
I’ve played with this type of thing before but it I believe Firesheep, although it may be used with questionable motives, has highlighted to the world quite well the importance of securing your web traffic by creating an exploit packaged so that it can be used by absolutley anyone.
On this train of thought I decided that in order to assert this point a little closer to home and show how easy it is to produce the same kind of attack on products I work with all the time.
Citrix Web Interface was my first victim as it’s a product I use a lot and is all too rarely deployed via HTTPS leaving cookies available for the stealing.
[warning]The point of this article is to stress the importance of encrypting your Web Interface site. Encrypt your Web Interface site. This will prevent attackers form being able to see inside your packets when communicating with the Web Interface site.[/warning]
Tools
The following tools will help to demo this method:
Firefox
3.6.12 or higher – Web Browser
Firefox
Add and Edit Cookies plugin – Cookie editing tool
Wireshark – Packet
Sniffer
Grabbing the cookies
With a small amount of imagination you can fairly easily gain access ot packets flowing across your network and these little packets contain a wealth of information.
Once you have the packets flowing the following Wireshark filter will remove alot of the packets we’re simply not interested in.
http.set_cookie && ip.dst==<web interface IP>
Set the interface you wish to monitor and apply this filter. Then on your victim machine open the web interface and login.
You’ll notice that a number of cookies are set pre and post logon. In this case we only need two cookies to effectively steal our victim workstations session.
These are:
ASP.NET_SessionId (Pre logon)
WIAuthId (Post Logon)
These will look something like this
These can be copied out by right clicking the Set-Cookie line in Wireshark and going to ‘Copy > Value’ which will produce the following output:
ASP.NET_SessionId=k553u345atgkoftyfoinbhj5; path=/; HttpOnly
WIAuthId=8A6243080432j56f098e39B3FFB79C10A; path=/Citrix/DesktopWeb/; HttpOnly
Deploying the Cookies
Now you have this data it’s time to see if it really was that easy.
Open up Firefox and open up your Add/Edit Cookie plugin. This will allow you to add in the two intercepted cookie values to your current Firefox session.
The following screenshot shows an example (the Host field will either be the IP of the Web Interface Server):
Once you’ve added both cookie values, open Firefox and browse to your web interface site.
You should now be logged on as the user the packets were originally intercepted from.
