Hey @ustayready, I've got a GitHub module that I want to submit a PR for but I got to thinking...
Since GitHub users are more technically savvy than the average Gmail user, I chose to not downgrade GitHub logins to SMS. This means that, in a best-case scenario, I've got 30 seconds to steal an entered 2FA token.
My GitHub module instead logs in with the provided creds/OTP and stores all the 'Set-Cookie' values from a successful authentication. From there, timing is less of an issue. I can pop the session cookies into my browser some hours later and still get access to the target's GitHub account.
My point: What do you think about baking this functionality into CredSniper core as opposed to at the module level? Maybe default behaviour or by adding a --sessions option? I'm happy to do it, just asking if it's the sort of direction you'd be OK with taking for CredSniper.
This is a great idea. I was hoping to streamline the Gmail module to do something similar but I ran into some inconsistencies with the way Google handled authentication. I didn't have much time then but would love to revisit it now.
So, if I understand you right, what you mean is if the --sessions flag is provided that CredSniper knows to auth and capture the session tokens? If so, I suppose that could just be handled in its current state by using the creds and persisting the session information. The only addition would be to include the flag so people can turn it off if they want (or on depending on what the default is) and capturing the session information in the same way we captured creds/2fa.