Hello and welcome to this course in which we are discussing the use of Python for lateral movement. In this video, we're going to talk about using web cookies, which falls under the Use Alternate Authentication Material section of the MITRE ATT&CK framework. You're probably aware that when you use the Internet, you have the option on many sites to "keep me logged in", or you may at least have noticed that when you go from one page to another within a website, they don't make you sign in to every single page. The reason for this is cookies. When you have a "keep me logged in" option, or anything else where you're maintaining some level of authentication state across a website or potentially even across multiple different sessions, you're doing so via cookies, which are files stored on the local file system that contain authentication information. With that authentication information, your browser can send it along with a new request, and the web server at the other end is not going to ask you to log in again with your username and password for each new request, new site, et cetera. However, the existence of these cookies can also be useful to us from a lateral movement perspective, especially as organizations are increasingly using cloud-based infrastructure. If we can gain access to an AWS or Google Cloud account, et cetera, then we can have access to additional infrastructure within an organization's network, and potentially with a high level of permissions. In this video, we're going to talk about extracting Mozilla Firefox's cookie repository. Once we can identify those cookies, there are certainly ways to find out how to use them and insert them into new requests to gain access to a website without explicitly authenticating. What we need to know to start out with Mozilla Firefox is where to find this collection of cookies. Mozilla Firefox stores cookies in an SQLite database. The location of this depends on the Firefox profile. 
In general, you're going to find it under the user directory, then AppData, Roaming, Mozilla, Firefox, Profiles. Then there's going to be another folder named after the profile, and finally at the end you'll see a cookies.sqlite file. This requires a little bit of research or reconnaissance on a system, but we could easily implement this profile discovery just by checking the list of directories in the Profiles folder and iterating over each of them to find their sets of cookies. In this case I've just hardcoded the profile name of a particular profile on this system, one that uses Mozilla Firefox for a few different things. With this, we can build the Firefox path to the SQLite database that stores the cookie information on the system. We're then going to take advantage of Python's built-in sqlite3 library, which gives us access to this database. We can use the connect function from this library to give ourselves a connection to this file and the database it contains, and then create a cursor that we'll name c using that connection. Once we have a cursor for the database, we have the ability to perform queries against it. Internally, Mozilla Firefox has a moz_cookies database table where the cookie information is stored. We can say select star from moz_cookies to get all the information stored in that particular table. However, a computer is probably going to have a lot of cookie information on it. We need to be able to filter at some level to identify the things that are actually of interest, and so I borrowed some information from the website listed here on some of the most useful and interesting cookie values we should look at for lateral movement on a system. We see here that we've got Amazon, Google, Microsoft Online, Facebook, OneLogin, GitHub, and live.com. These are the domains and the names of the cookies that store useful authentication information for each of these sites. 
What we're going to do is search through the contents of our Mozilla Firefox cookies database and look for these particular cookies. How we'll do that is, once we've collected all of the data from the database, we'll iterate over the resulting list, giving us a bunch of individual cookies. Then we're going to iterate over our list of cookies here, focusing on the various domains. When we do cookie[4].endswith(domain), we're testing whether or not the host of the cookie that we've extracted from the database ends with one of these domain names, because maybe instead of .amazon.com, the actual cookie will say something like aws.amazon.com. It's still definitely what we want. But we don't want to specify only an exact match on .amazon.com, because that doesn't always happen. We look for things that end with a particular domain, and then if we find a match for that particular domain, we test to see if the particular cookie name is within the list of potential cookies of interest for that domain. We'll first test if we've got .amazon.com and then test to see if the name of the particular cookie we're looking at is either aws-userInfo or aws-creds. If so, we're going to print out three pieces of information: the actual URL that it's associated with, the name of the cookie, and then in this case just the first 20 characters of the cookie value, because I don't really feel like providing my cookie values in this video. But you just remove this slice to get the entire cookie value that could be used for authentication on the system. If we minimize this and go to a terminal, we can use Python to run this, and it will extract all of the various cookie values of interest from Firefox's database. As we see here, we definitely have a number of different hits on this particular system. We have some google.com credentials, there's some stuff for Microsoft Online for persistent authentication, and more Google stuff. 
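The same moz_cookies query and host-suffix filter, written up as an added exposure audit (not the course's script): it reports which high-value cookies are present, whether they have expired, and their Secure/HttpOnly flags, without ever emitting a cookie value. It goes slightly beyond the transcript in two ways: columns are read by name instead of cookie[4], which breaks when the table schema changes, and host-only cookies (stored without the leading dot, e.g. "amazon.com") are matched as well, since endswith(".amazon.com") alone misses them. The in-memory table is a constructed stand-in with a subset of the real moz_cookies columns; only the Amazon cookie names from the transcript are included.

```python
import sqlite3
import time

# Cookie names of interest keyed by domain suffix; the transcript only spells
# out the Amazon pair, so that is all this table carries.
COOKIES_OF_INTEREST = {
    ".amazon.com": {"aws-userInfo", "aws-creds"},
}

def host_matches(host, suffix):
    # Firefox stores domain cookies as ".amazon.com" and host-only cookies as
    # "amazon.com"; accept both rather than relying on endswith() alone.
    return host == suffix.lstrip(".") or host.endswith(suffix)

def audit_cookies(conn, now=None):
    """Return metadata (never the value) for each cookie of interest."""
    now = int(time.time()) if now is None else now
    conn.row_factory = sqlite3.Row  # columns by name, not positional index
    rows = conn.execute(
        "SELECT host, name, expiry, isSecure, isHttpOnly FROM moz_cookies ORDER BY id")
    findings = []
    for row in rows:
        for suffix, names in COOKIES_OF_INTEREST.items():
            if host_matches(row["host"], suffix) and row["name"] in names:
                findings.append({
                    "host": row["host"], "name": row["name"],
                    "expired": row["expiry"] <= now,      # expiry is Unix seconds
                    "days_left": max(0, (row["expiry"] - now) // 86400),
                    "secure": bool(row["isSecure"]),
                    "httponly": bool(row["isHttpOnly"]),
                })
    return findings

def build_sample_db(now):
    """Constructed in-memory stand-in for cookies.sqlite (subset of columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, name TEXT, "
                 "value TEXT, host TEXT, path TEXT, expiry INTEGER, "
                 "isSecure INTEGER, isHttpOnly INTEGER)")
    conn.executemany(
        "INSERT INTO moz_cookies (name, value, host, path, expiry, isSecure, "
        "isHttpOnly) VALUES (?, ?, ?, ?, ?, ?, ?)",
        [("aws-creds", "REDACTED", "aws.amazon.com", "/", now + 30 * 86400, 1, 1),
         ("aws-userInfo", "REDACTED", ".amazon.com", "/", now - 3600, 1, 0),
         ("session-id", "REDACTED", ".amazon.com", "/", now + 86400, 1, 0),
         ("PREF", "REDACTED", ".example.com", "/", now + 86400, 0, 0)])
    return conn

if __name__ == "__main__":
    for finding in audit_cookies(build_sample_db(int(time.time()))):
        print(finding)
```

To run it against a real profile, replace build_sample_db with sqlite3.connect on the cookies.sqlite path from the transcript (copy the file first, since Firefox holds a lock on it while running).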
We have some amazon.com, there's your aws-userInfo and aws-creds, and just a few more google.com credentials here. With the cookie data that we've extracted from the database, we could embed these into new requests to these particular URLs. If the cookies are still viable and active, that should allow access to that online user account without authentication being required. If that is the case, then this can be a very valuable tool for lateral movement because it might grant access to AWS cloud infrastructure, Google Cloud infrastructure, web-based email, et cetera, which could provide additional credentials or other sensitive data belonging to a particular user on a system. Thank you.