banner
毅种循环

毅种循环

请将那贻笑罪过以逐字吟咏 如对冰川投以游丝般倾诉

telegram session hijacking

On May 16, 2018, Talos published an article about Telegrab, a malicious software that can hijack Telegram sessions. The principle is very simple: if an attacker can copy the session token of a desktop user, they can hijack the session. The attacker does not need any other information besides the locally stored information. It doesn't matter if the information is encrypted or not, as long as the attacker copies it, they can use this new information to create a shadow session.

Practical Environment#

Sometimes, for certain purposes, when you have permission to access a target PC, you need to continuously monitor the target's personal communication to obtain more useful information. This is where session hijacking comes into play.

Directory Structure#

Telegram user data is generally stored in the tdata folder located in the same directory as telegram.exe. The directory structure of a valid Telegram login user is as follows:
Directory Structure
The key files are as follows:

  • The settingss file mainly stores the user's page-related configurations, including background images, colors, language packs, and other configuration information.
  • The D877F783D5D3EF8Cs file mainly stores the user's userId and the encryption key used for data communication with the Telegram cloud.
  • The D877F783D5D3EF8C/maps file, the lskSelfSerialized field stores the user's basic information, including user ID, avatar, name, registered phone number, last online time, and other information. The other fields mainly store the filenames of some configuration or resource files, which correspond one-to-one with the files listed in the D877F783D5D3EF8C folder mentioned at the beginning of the article.
  • The configs file mainly stores some basic configurations for user chats and communication with the Telegram cloud, including the IP and port of the Telegram cloud, and the message recall time limit.

I won't analyze how TG specifically encrypts and saves this information due to limited capabilities.

Session Hijacking Process#

As we all know, Telegram supports multi-device login by default, and there is no device cross-verification to obtain the key for decryption. This feature becomes the perfect prerequisite for session hijacking, requiring only the tdata file.

The session hijacking methods circulating on the internet now involve copying the entire tdata folder for session hijacking. However, for a Telegram account that has been used for a long time, the size of tdata can become very large (in the order of MB or even GB), which can be very limiting in practical situations.

In the case of strong concealment, it is not wise to take drastic actions to copy GBs of data.

Now that we have the ability to interpret most of the tdata files, we can select the most critical files (which store the session) to reduce the size of the copied files, making session hijacking more convenient.

The key files that can successfully perform session hijacking are:

  • tdata/key_datas
  • tdata/D877F783D5D3EF8Cs
  • tdata/D877F783D5D3EF8C

key_datas stores the keys, D877F783D5D3EF8Cs stores the communication keys for pulling information from the cloud, and D877F783D5D3EF8C stores the user's basic information.
Key Files

Session Hijacking Start#

After obtaining the above three files, I used two different virtual machines to complete the hijacking process.

I exported the target's three resource files from the machine at 192.168.59.129 and saved them in the TG on the machine at 192.168.59.138, then opened TG on 138.
Copying Files

The message records were successfully synchronized between the two machines. New messages can also be received, and there are no suspicious devices when checking the currently logged-in devices on the phone. This indicates that the shadow account was successful and the session hijacking was successful.
Successful Hijacking

Hijacking with Passcode#

Note:
If local password authentication is enabled and successful, you still need to enter the password after session hijacking. Also, this local key is not synchronized with the cloud, so you can only find other ways to obtain this key.
Passcode

In this case, you have to find another way, such as using keylogging on the PC.

References#

https://www.anquanke.com/post/id/167866 Side Channel Attacks on WhatsApp, Telegram, and Signal Applications
https://www.dongzt.cn/archives/514.html Identity Credential Theft of Telegram Desktop on Windows
http://www.ctfiot.com/23645.html Exploration of Telegram Session Hijacking

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.