Informazioni personali

Cerca nel blog

Translate

martedì 2 novembre 2010

Firesheep overview

http://rcm.amazon.com/e/cm?t=portadiferro-20&o=1&p=8&l=bpl&asins=1565925092&fc1=000000&IS2=1&lt1=_blank&m=amazon&lc1=0000FF&bc1=000000&bg1=FFFFFF&f=ifrSearch Amazon.com for facebook hacking
There have been a lot of talking around firesheep firefox extension lately. So I wonder what the hell is this add on about?
I could have read all the readable or just done the most unsecure and stupid thing: trying it directly…. and you can wonder what I have done
Let’s start to install firseheep.
to install something you usually need to have it, first I tried to search the Firesheep add on (Google search)

Not an easy search since a lot of links comes out, the most just related to articles but at the end I found the right site.
http://codebutler.github.com/firesheep/
I downloaded an XPI file that I opened with Firefox in order to load the extension.

once the extension is loaded you can go to option and configure the interface you want to sniff

and the website you want to monitor:

now the most is done.
the extension is available on Firefox as a side bar

Once activated it will be at your left. to start the capture just click on Start capturing.
All the configuration parameters can be found on the bottom left of the sidebar. You can also add scripts to add more site to be monitored.
Once you stop something like that will be displayed on your left tab:

those are accountidentities that were accessing sites while you were sniffing.
you just have to click on one identity to access the site using the identity sniffed.
it’s simple as at. so an question? I got a couple (with answers too)
What exactly will firesheeep do?
Well it just simply sniff the traffic providing a simple interface for the user. You can have similar results with wireshark, for example, but you should manually trace the connection and find the username and password related to the site. everything would be logged, but firesheep makes everything easier and at anyone hands.

Firesheep monitors the unsecured network, such as you’d find in just about any public Wi-Fi environment, and watches for cookies being used by browsers to access websites. Firesheep collects the data within these cookies, enabling someone to access the website with exactly the same credentials. In very simple terms, you can very quickly and easily access the most popular social networking websites using someone else’s credentials – you basically take over complete access to their account!
The scariest thing about this add on is that it is terribly simple to install and use but it has limitation and it is not a whole hacking suites (luckily)
On windows (form windows XP up to the newest Windows 7) it need WinPcap 4.1.2 to work and it work only with the current version of firefox, so the beta 4 will not be suitable for this. At the same time it is not (still) available a Linux version so this add on is suitable just for mac and windows. And honestly on Mac it is easier to deal
Why it need wireless connection?
While you can think that firesheep works on wireless LAN because those are less secure, the reason is much more simpler than that. Without encryption a wireless LAN connection act like an old hub, so the collision domain cover all the hosts, that are able to see all the traffic.
Usually in a wired network you are directly connected to a switch and so your network interface, even without encryption, can see only it’s traffic (and eventually the broadcastmulticast one that is not interesting for firesheep purpose).
How can I protect myself?
Well once we understood how this work we can do a couple of considerations: the firesheep add on sniff http traffic so any redirecting technique like proxy agent of pac file to redirect to a proxy will be useless unless able to force an encryption between the device and the proxy.
The problem is that even if you don’t go directly to a website but pass through a proxy the traffic will be, anyway, http. Firesheep is looking for http traffic and will search for cookie transmitted, so it does not really care if you will use an intermediate security host (proxy or whatever) or not.
At the same time the intermediate security host can not detect any intrusion, since nothing is changed in the user traffic, it is simply sniffed without any change on the traffic itself.
In terms of products, the be clear, you would be protected either using something like the  scansafe agent Anywhere+ (because it encrypt all the traffic from the device to the scansafe cloud service), or anyconnect with it’s ssl tunnel and wsa integration.
You would not be protected by a not encrypting agent like the webroot one or proxy browser configurations like in Zscaler, MacAfee or Websense just because  you would anyway send http traffic that firesheep can sniff.
Is fireheep breaking the law?
Write the code or install the add on is legal, the use you do with the add on could be, on the other hands, a fraud. remember that stealing another user credentials is braking it’s privacy and this can led to penal consequences in several countries.

Just for fun:

this is the script used for facebook, the main parameters are the domain and url, and the cookie names to search for during the sniffing activities.

// Authors:
//   Eric Butler
register({
  name: ‘Facebook’,
  url: ‘http://www.facebook.com/home.php’,
  domains: [ ‘facebook.com’ ],
  sessionCookieNames: [ ‘xs’, ‘c_user’, ‘sid’ ],

  identifyUser: function () {
    var resp = this.httpGet(this.siteUrl);
    this.userName   = resp.body.querySelector(‘#navAccountName’).innerHTML;
    this.userAvatar = resp.body.querySelector(‘#navAccountPic img’).src;
  }
});

Basically you could find what kind of info you need to feed firesheep (or to do the same stuffs using tcpdump or wireshark) just monitoring your own traffic.

OK I admit that on wireshark the job could be a little tedious

Using httpwatch for example you can directly find the cookies involved clicking on the Cookies tab

So nothing really news under the sun with firesheep, just a very easy interface that expose something we all should know (at least who work in this area).

Do we really need something like firesheep to realize how easy can be starling credentials? if so welcome firesheep to give us a little more awareness.

hope you enjoyed the ride
cheers 

Nessun commento:

Posta un commento