We all know that we can easily sniff passwords on our networks, even if they are sent over HTTPS (i.e. SSL-encrypted). The problem is that most users these days save their passwords on their favourite websites (the “keep me logged in” feature). When you do this, the website authenticates the user with their cookies, not their password. This means the password is not sent over the network, so we can’t sniff it; instead we can sniff the user’s cookies and inject them into our browser.
In the past I used to use a tool called Hamster; however, this tool is outdated now and the download link on its official website is broken. The one in BackTrack keeps crashing and doesn’t always work.
Another famous tool for this is a Firefox plugin called Firesheep; again, it’s old and there is no official release for Linux.
Cookie Cadger is a great program written in Java. It’s very easy to use and, best of all, it always works: every time I run a test it works perfectly.
To run Cookie Cadger you will need Wireshark, Java 7 and a new version of Firefox.
PS: you can use sslstrip with this attack to downgrade HTTPS connections to HTTP.
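Seen from the defending side, both the cookie capture and the sslstrip downgrade described above depend on the session cookie travelling over plain HTTP. The check below is an added example, not part of the original post or of Cookie Cadger: it audits response headers for the `Secure` cookie attribute and an HSTS header, using constructed sample headers and hypothetical function names.

```python
# Added example: audit response headers for the conditions that make
# session cookies sniffable. All sample header values are constructed.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs

def audit_response(scheme, headers):
    """Return a list of (subject, issue) findings.

    scheme  -- "http" or "https", the scheme the response was served over
    headers -- list of (header name, header value) pairs
    """
    findings = []
    header_names = {name.lower() for name, _ in headers}
    # Without HSTS the browser will still accept a downgraded HTTP connection.
    if scheme == "https" and "strict-transport-security" not in header_names:
        findings.append(("response", "no-hsts"))
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if scheme == "http":
            # The cookie is already crossing the network in cleartext.
            findings.append((cookie, "set-over-http"))
        elif "secure" not in attrs:
            # Browser will attach this cookie to plain HTTP requests too.
            findings.append((cookie, "no-secure-flag"))
    return findings

# Constructed sample responses (not captured from any real site).
SAMPLE_WEAK = [("Set-Cookie", "session=constructed123; Path=/; HttpOnly")]
SAMPLE_HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=constructed123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, scheme, hdrs in [("weak/https", "https", SAMPLE_WEAK),
                                ("weak/http", "http", SAMPLE_WEAK),
                                ("hardened/https", "https", SAMPLE_HARDENED)]:
        print(label, audit_response(scheme, hdrs))
```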