-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathpassthecookie.html
199 lines (189 loc) · 10.9 KB
/
passthecookie.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
<html>
<title>Pass the Cookie and Pivot to the Clouds</title>
<link rel="stylesheet" href="https://www.w3schools.com/w3css/4/w3.css">
<style>
table {
font-size: 14px;
}
table, th, td {
border: 2px solid black;
border-collapse: collapse;
}
th, td {
padding: 12px;
text-align: left;
}
p
{
text-align: justify;
}
h2 {font-style: bold;}
</style>
<body>
<br>
<div class="w3-content" style="max-width:800px">
<header class="w3-container w3-blue-grey ">
<h1>Pivot to the Cloud using Pass the Cookie</h1>
</header>
<p>Web Applications and Services use cookies to authenticate sessions and users.</p>
<p><b>An adversary can pivot from a compromised host to Web Applications and Internet Services by stealing authentication cookies
from browsers and related processes. At the same time this technique bypasses most multi-factor authentication protocols.</b><p> The reason for this is that the final authentication token that the attacker steals is issued after all factors have been validated.
Many users persist cookies that are valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk and also in process memory. Additionally other applications on the targets machine might store sensitive authentication tokens in memory (e.g. apps which authenticate to cloud services). This pivoting technique can be extended to bearer tokens, JWT and the likes.</p>
Pass the Cookie is a post-exploitation technique to perform <a href="https://www.owasp.org/index.php/Session_hijacking_attack">session hijacking</a>. </p>
<b>So, let's Pass the Cookie and Pivot to the Clouds. </b><br><br>
<b>Update:</b> Pass the Cookie at the Chaos Communication Congress (35C3)</bold></p>
<a href="https://c3lt.de/35c3/talk/CK3DWH/"></a>
<iframe width="506" height="285" src="https://www.youtube-nocookie.com/embed/y24_QQjbHFA?start=6630&end=6999s" frameborder="0" allow="accelerometer; autoplay; encrypted-media; allowfullscreen"></iframe>
<br><br>
<h2>Attack Chain</h2>
<p>
<i><b>Disclaimer:</b> Always make sure you have proper authorization before pen testing.</i><br><br>
Pass the Cookie is done via the following steps (variations exist):
<ul>
<li>Acquire the cookie from the victims browser or other processes (e.g. via process dump, or accessing the cookie storage on disk)</li>
<li>Exfiltrate the necessary authentication cookies</li>
<li>Open Firefox on the attackers machine (or any other machine)</li>
<li>Navigate to the resource to access (the domain the cookie is valid for)</li>
<li>Use the Developer Console and set the cookie via <i>document.cookie="key=value"</i>, or use the UI</li>
<li>Refresh the page and observe being logged in as the victim.</li>
</ul>
</p>
The <a href="#Appendix">appendix</a> shows examples for Github and Google Cloud Platform by using Google Chrome to pass the cookie.
<br><br>
<h2>Detections</h2>
<p>
When it comes to detections a few things come to mind:
<ul>
<li>One can monitor on the client side for applications that perform process dumps on browser processes or others.</li>
<li>Monitor for unusual activity on critical web assets (like cloud provider management consoles, etc,..)</li>
<li>Monitor for login anomalies (location, time, unusual access patterns)</li>
<li>Leverage features that cloud providers and web apps provide (Threat Detection, Access logs,...)</li>
<li>Perform authorized adverserial emulation in your organization to test detections</li>
</ul>
</p>
<br>
<h2>Mitigations</h2> <p>
To protect from these attacks it's important to stay up to date with security patches, etc. to ensure your host does not get compromised. As seasoned security engineer you assume the worst, and here are some ideas on how to mitigate implications of an attack:
<ul>
<li>Regularly delete persistent cookies, so they get removed from hard drive to limit exposure.</li>
<li>Delete session cookies as well</li>
<li>Be the only Administrator on your machine</li>
<li>Leverage features that cloud providers offer (Threat Detection, IAM, RBAC, Firewalls,...)</li>
<li>Browse sensitive sites (high value assets) from isolated or dedicated machines</li>
<li>Seperateion of duties</li>
<li>Requiring further authentication proof for sensitive operations can help limit the damage</li>
<li>Requiring client side certificates makes it also more difficult to pass the cookie</li>
</ul>
</p>
<br>
<h2>Aquiring Cookies, Tools and Techniques</h2><p>
In case you don't won't to write your own toolset, there are a couple of options available to gain access to cookies:
<ul><li><a href="https://www.offensive-security.com/metasploit-unleashed/multiple-os-post-gather-modules/"><b>firefox_creds</b> - Access the SQL Lite Cookie Databases</a></li>
<li><a href="https://github.com/defaultnamehere/cookie_crimes"><b>cookie_crimes</b> - Neat way to grab cookies from Chrome on Macs (also Windows and Linux)</a></li>
<li><a href="https://docs.microsoft.com/en-us/sysinternals/downloads/procdump"><b>ProcDump</b> - Swiss army knife to dump strings from any process</a>
</ul>
There are also good articles online describing how to access and decrypt the cookies in the SQL Lite databases yourself - if you'd like to do your own research or tool.
</p>
<br>
<h2 id="CheatSheetTemp">Pass The Cookie - Cheat Sheet</h2>
<p>Below is a list of some "cookies of interest" for valuable web applications your organization might use. An adversary might be after those and you could emulate to see if your organization catches the attack. This list might change over time or have inaccuracies - feel to provide feedback or help amend.</p>
<table class="w3-table w3-bordered w3-striped">
<tr class="w3-blue-grey">
<th>Application</th><th>Cookie Name</th><th>Domain</th><th>Notes</th></tr>
<tr><td>Amazon Web Services</td><td>aws-userInfo<br>aws-creds</td><td>.amazon.com</td><td>https://console.aws.amazon.com</td></tr>
<tr><td>Google Cloud Platform</td><td>OSID, HSID, SID, SSID<br>APISID, SAPISID, LSID</td><td>.google.com</td><td>https://console.cloud.google.com<br><br>OSID has to be set on console.cloud.google.com, <br>others on .google.com<br><br>LSID needed for cross app auth (e.g. GCP to Gmail).</td></tr>
<tr><td>Microsoft Online</td><td>ESTSAUTHPERSISTENT</td><td>.microsoftonline.com</td><td></td></tr>
<tr><td>Facebook for Work</td><td>c_user<br> xs</td><td>.facebook.com</td><td>Also works for regular Facebook</td></tr>
<tr><td>OneLogin</td><td>sub_session_onelogin.com</td><td>.onelogin.com</td><td></td></tr>
<tr><td>GitHub</td><td>user_session</td><td>.github.com</td><td></td></tr>
<tr><td>Hotmail, Calendar, People</td><td>RPSSecAuth</td><td>.live.com</td><td>Access to hotmail,... (No OneDrive)</td></tr>
<tr><td>Gmail</td><td>OSID, HSID, SID, SSID<br>APISID, SAPISID, LSID</td><td>.google.com</td><td>https://mail.google.com<br><br>For basic mail access only first 4 seem needed.</td></tr>
</table>
<br>
<i><p>Notice: When setting cookies through the web console, each cookie has to be set individually via <i>document.cookie=""</i>. You can always view the currently set cookies via document.cookie
<br><br><i>Also when setting cookies ensure to set them on the correct domain. If in doubt you can try setting them on the root domain.</i>
</i></p></p><br>
<h2>Conclusion</h2>
<p>
Pass the Cookie is a powerful post-exploitation technique to pivot from on-premise machines to cloud assets. It can be leveraged to bypass 2FA techniques as the cookie is in the end still a single factor.
<br><br>Hopefully this was helpful, so you can build better detections, improvements and tests into your infrastructure to catch malicious activity.
If you have any questions or ideas feel free to send me an email at wunderwuzzi23@outlook.com, or create a <a href="https://github.com/wunderwuzzi23/blog/issues">ticket</a>.
</p>
<p>
<br>
<div class="right"></div>
<footer class="w3-container w3-blue-grey"><p><br></p>
</footer>
<br>
<h2 id="Appendix">Appendix - Pass the Cookie Examples</h2>
<h3>Example 1) Google Cloud Platform, Gmail,...</h3>
<div class="w3-row-padding w3-section">
<div class="w3-full">
<div class="w3-card">
<div class="w3-container">
<p>Browse to www.google.com in private mode. We aren't logged in.</p>
</div>
<img src="kekse/step1.jpg" alt="not logged in" style="width:100%">
</div>
<br>
<div class="w3-card">
<div class="w3-container">
<p>Open Developer Console and set the appropriate cookies (see cheat sheet for cookie details)<p>
</div>
<img src="kekse/step2.jpg" alt="applying cookie" style="width:100%">
</div>
<br>
<div class="w3-card">
<div class="w3-container">
<p>Switch to the Applications tab and look at the cookies. You can see that they got set on www.google.com, which is not what we want.</p>
</div>
<img src="kekse/step3.jpg" alt="logged in" style="width:100%">
</div>
<br>
<div class="w3-card">
<div class="w3-container">
<p>Update the domain setting of the cookies to .google.com. The cookie for OSID has to be set to console.cloud.google.com for GCP (it works on .google.com as well, but you might observe cookie mismatch errors later if you want to go to different services outside of GCP). So this can be a bit of a hiccup at times.</p>
</div>
<img src="kekse/step4.jpg" alt="logged in" style="width:100%">
</div>
<br>
<div class="w3-card">
<div class="w3-container">
<p>Finally, navigate to https://console.cloud.google.com and observe being magically logged in. If you set the LSID cookie you can also go to GMail or the Accounts settings page. </p>
</div>
<img src="kekse/step5.jpg" alt="logged in" style="width:100%">
</div>
</div>
<br><br>
<h3>Example 2): Pass the Cookie on Github</h3>
<div class="w3-row-padding w3-section">
<div class="w3-full">
<div class="w3-card">
<div class="w3-container">
<p>Browse to the website and observe not being authenticated. No cookies.</p>
</div>
<img src="kekse/GH1.png" alt="not logged in" style="width:100%">
</div>
<br>
<div class="w3-card">
<div class="w3-container">
<p>Set the appropriate cookie for the website domain (e.g via developer tools of the browser).</p>
</div>
<img src="kekse/GH2.1.png" alt="applying cookie" style="width:100%">
</div>
<br>
<div class="w3-card">
<div class="w3-container">
<p>Refresh the page and observe being authenticated. :) </p>
</div>
<img src="kekse/GH3.png" alt="logged in" style="width:100%">
</div>
</div>
</div><br>
<p>wunderwuzzi23@outlook.com
<br>December 2018</p>
<p>This page uses <a href="https://www.w3schools.com/w3css/default.asp" target="_blank">w3.css</a></p>
</div>
</Adding>
</body>
</html>