Gmail Cookie Stealing And Session Hijacking Part 2

In my previous post, Gmail Cookie Stealing And Session Hijacking Part 1, I discussed the basics and fundamentals needed to understand a session hijacking attack. If you have not read Part 1, kindly read it first in order to get a good grasp of the topic.

After the tremendous feedback and response from readers on session hijacking, I thought to extend this topic and write more on it. In this tutorial I will explain some methods to capture Gmail GX cookies.

Gmail GX Cookie

In Gmail, the cookie which authenticates users is called a GX cookie. We cannot use a cookie stealer, since so far we don’t know of any XSS vulnerability in Gmail.

Tools You Will Need

1. Cain And Abel
2. Network Miner

How To Capture Cookies?

Now there are a couple of ways you can use to capture an unsecured Gmail cookie, which depend on the type of network you are on.

Packet Sniffing

If you are on a hub-based network, you can use packet sniffing in order to capture local traffic. You may use any packet sniffer you want to capture cookies, but I would recommend either Wireshark or Network Miner because they are quite user-friendly.

Wireshark is my recommended choice if you are on a hub-based network and are looking to capture an unsecured Gmail GX cookie. Here is how you can capture a Gmail GX cookie via Wireshark.

Step 1 – First of all, download Wireshark from the official website and install it.

Step 2 – Next, open up Wireshark, click on Analyze and then click on Interfaces.

Step 3 – Next, choose the appropriate interface and click on Start.

Step 4 – Wireshark will now start to capture the traffic. In the meantime, log in to your Gmail account, but make sure that you have selected “Don’t use https://” in Gmail account settings.

Step 5 – Next, set the filter at the top left to http.cookie contains “Gx”. This filter will filter out all the traffic for the Gmail authentication cookies named GX.

Step 6 – Once you have found the suitable line containing the Gmail GX cookie, right-click on it, click on Copy and then select Bytes (Printable Text Only).

Step 7 – You have now successfully captured the unsecured Gmail GX cookie.

Network Miner

You can also use Network Miner to capture; it’s easier and more user-friendly than Wireshark.

Note: You need WinPcap installed before capturing traffic with either Network Miner or Wireshark.

ARP Spoofing Or Man In The Middle Attack:

Now if you are on a switch-based LAN, packet sniffing will probably not work for you, as the traffic meant for a particular system will only reach that system. So packet sniffing becomes useless in switch-based networks.

1. Cain And Abel.

Cain and Abel should be your only choice if you are on a Windows operating system. You can easily place yourself between the victim’s computer and the gateway and capture all the traffic going through it, thereby successfully launching a man-in-the-middle attack. Afterwards you can filter out cookie information from the captured traffic. Here is a screenshot of captured traffic from Cain and Abel.

Now if you are on a Linux machine, you should probably use Ettercap, as it’s one of the best sniffers I have ever played with. With Ettercap you can easily launch a man-in-the-middle attack (ARP poisoning) and capture an unsecured Gmail GX cookie.

How can I prevent this kind of attack?

So friends, by now you should know the importance of using https:// connections. In order to prevent these kinds of attacks, always use an https:// connection or a VPN solution while logging in to your email accounts.
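
The same advice seen from the server side, as an added example that is not part of the original post: a session cookie set without the Secure attribute travels over plain http:// and is exactly what the sniffing methods above pick up. The function names, the sample headers and the mail.example.test domain are constructed for illustration.

```python
# Added example: audit response headers for the attributes that keep a
# session cookie off plaintext HTTP. All sample values are constructed.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs); attr names lower-cased."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_response(headers):
    """Return a list of findings for a list of (header-name, value) pairs."""
    findings = []
    if not any(k.lower() == "strict-transport-security" for k, _ in headers):
        findings.append("response: no Strict-Transport-Security, browser may still use http://")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure, cookie is sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly, cookie is readable by page script")
    return findings


# Constructed sample responses; the cookie value is a placeholder.
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "GX=PLACEHOLDER_SESSION_VALUE; Path=/mail; Domain=mail.example.test"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "GX=PLACEHOLDER_SESSION_VALUE; Path=/mail; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(sample) or "no findings")
```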

So friends, this concludes part 2 of my series on cookie stealing. In part 3 we will look at a variety of different methods used to inject cookies into our browser to gain access to the account.
