
Firesheep Details??

scuccii

Newbie

Posts: 17

Joined: Mon Sep 27, 2010 9:41 pm

Post Tue Nov 02, 2010 3:40 pm

Firesheep Details??

Okay - I'm not sure that this is the right forum for this, but I'm curious as to how firesheep works.

I tested the application on my wireless router, which I downgraded to WEP, which allowed this vulnerability to work. My understanding of this is that for sites that aren't completely HTTPS or HTTP this tool will allow you to hijack their session.

My question is how is this taking place? Are these sites that secure your credentials initially at logon and then aren't HTTPS afterwards? Is the information being sniffed from cookies being sent over the wireless? How can you defend against this?

I understand the networking here, since the AP acts like a hub; I was more interested in what was being sniffed out with this tool.

thanks.
putosusio

Newbie

Posts: 26

Joined: Wed Aug 12, 2009 8:20 pm

Post Tue Nov 02, 2010 7:10 pm

Re: Firesheep Details??

See if this helps answer your questions, http://www.schneier.com/blog/archives/2 ... sheep.html

If not, how about you do a write up about it for the EH community answering the questions you posted. I know I'd be interested to know more.
It's not the fixing that's the hard part, it's knowing what needs fixing.
scuccii

Newbie

Posts: 17

Joined: Mon Sep 27, 2010 9:41 pm

Post Tue Nov 02, 2010 10:31 pm

Re: Firesheep Details??

I'm very interested in this and if anyone can help with some of the more "fine" details on how this tool works please let me know.

I'm assuming that this is based off the cookies that are being thrown up to the open wifi "hub".

I saw many responses to "HTTPS Everywhere", which is another interesting topic. Much of this is new to me and I'd love to hear more about these topics from any of the more "seasoned" members.
dante

Jr. Member

Posts: 58

Joined: Wed Jul 21, 2010 10:17 pm

Post Wed Nov 03, 2010 9:55 am

Re: Firesheep Details??

I will try to give a full picture of Firesheep.

Wireless packets are encrypted using WEP/WPA keys. On a public wifi connection, the packets that are sent back and forth are unencrypted. The unencrypted wifi packets are perfectly normal and not the focus of the problem here.

A wireless card set in promiscuous mode would be able to sniff all the packets in the network. As by default HTTP packets are not encrypted, session cookies can be stolen, making it possible to hijack sessions. Okay, this scenario has been known for several years now, but the tool to make this look easy was not available. Firesheep did exactly that. The focus of the problem is popular sites (Facebook, Twitter) not offering HTTPS by default, and the author made the tool and made it public to force these sites.

Remember that the scenario is the same for all other TCP protocols that do not use an SSL layer: FTP, POP, SMTP, IMAP, etc. Believe me, it's not hard to write a tool for sniffing passwords, and I am sure there are plenty available now (Cain and Abel?).

Regarding how it works, I think it's pretty simple:
1) Steal the cookie from HTTP requests
2) Send a new request to the site with the stolen cookie
Last edited by dante on Wed Nov 03, 2010 12:14 pm, edited 1 time in total.
scuccii

Newbie

Posts: 17

Joined: Mon Sep 27, 2010 9:41 pm

Post Wed Nov 03, 2010 4:57 pm

Re: Firesheep Details??

Thank You!!

So once a site has HTTPS the credentials are safe from there? Are you encrypted the entire time you're on the site? Or are there sites that go between HTTP and HTTPS?

When you're going through HTTPS are the cookies being sent through the SSL tunnel? Is this right?
dante

Jr. Member

Posts: 58

Joined: Wed Jul 21, 2010 10:17 pm

Post Thu Nov 04, 2010 9:13 am

Re: Firesheep Details??

scuccii wrote: So once a site has HTTPS the credentials are safe from there?

Yes and no. If it steps down to HTTP and passes the cookies over HTTP, it's still vulnerable to session hijacking. For instance, you might think that static images do not require HTTPS, but the request for static images will still contain the cookie header, and if it is transmitted over HTTP, then it is vulnerable to session hijacking.

Yes, there are sites that go between HTTP and HTTPS.

scuccii wrote: When you're going through HTTPS are the cookies being sent through the SSL tunnel? Is this right?

Yes.
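The step-down caveat above (a cookie set during an HTTPS login still rides along in cleartext with every plain-HTTP request, static images included) is exactly what the Secure cookie attribute exists for: a browser never sends a Secure cookie over http://. As an added example, not from this thread, here is a small Python audit that parses Set-Cookie headers (constructed samples) and reports which cookies a browser would attach to an http:// image request; the host example.test is a placeholder.

```python
"""Audit Set-Cookie headers for cookies that would leak on an http:// request.

Added example, not from the thread. Models the browser rule that matters here:
a cookie carrying the Secure attribute is never attached to a plain-HTTP
request, so it cannot be sniffed on an open Wi-Fi network. Sample headers are
constructed; the host name is a placeholder.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed sample: what a site might send right after an HTTPS login.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",          # session cookie, missing Secure
    "csrftoken=tok456; Path=/; Secure; HttpOnly",  # correctly scoped to HTTPS
    "prefs=dark; Path=/; Max-Age=3600",            # not secret, but also not Secure
]


def parse_set_cookie(header):
    """Return (name, value, secure, httponly) for a single Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    # Flag attributes are "" when absent and True when present.
    return name, morsel.value, bool(morsel["secure"]), bool(morsel["httponly"])


def cookies_sent_over(url, set_cookie_headers):
    """Names of cookies a browser would attach to a request for `url`.

    Only the scheme is checked: Secure cookies are dropped on non-https URLs.
    Path/Domain scoping is assumed to match the request (simplification).
    """
    scheme = urlparse(url).scheme
    sent = []
    for header in set_cookie_headers:
        name, _value, secure, _httponly = parse_set_cookie(header)
        if secure and scheme != "https":
            continue
        sent.append(name)
    return sent


def audit(set_cookie_headers):
    """Names of cookies that would travel in cleartext on an http:// image fetch."""
    return cookies_sent_over("http://example.test/static/logo.png", set_cookie_headers)


if __name__ == "__main__":
    for name in audit(SAMPLE_SET_COOKIE_HEADERS):
        print(f"{name}: sent in cleartext on http:// requests; add the Secure attribute")
```

Pairing the Secure attribute with a site-wide HTTPS policy (no HTTP step-down at all) removes the cleartext request entirely rather than just the cookie on it.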
putosusio

Newbie

Posts: 26

Joined: Wed Aug 12, 2009 8:20 pm

Post Tue Nov 09, 2010 4:42 am

Re: Firesheep Details??

The more secure sites stay in HTTPS, for example banking and e-commerce sites. Usually social networking, some email sites, and forums don't, because security isn't a concern. A good way to protect yourself is to use different passwords for different sites, even if they're off by just a character or two.
It's not the fixing that's the hard part, it's knowing what needs fixing.
