http://codebutler.com/firesheep
http://github.com/codebutler/firesheep
I've been nagging about the importance of end to end encryption for seemingly ages now. Thank god for people like this highlighting the importance.
Install this firefox addon, connect to an unencrypted WAP, and let the session hijacking begin
SSL, The Elephant In The Room
18 posts • Page 1 of 2 • 1, 2
SSL, The Elephant In The Room
by thetan on Sun Oct 24, 2010 8:58 pm
([msg=48050]see SSL, The Elephant In The Room[/msg])
"If art interprets our dreams, the computer executes them in the guise of programs!" - SICP
“If at first, the idea is not absurd, then there is no hope for it” - Albert Einstein
“If at first, the idea is not absurd, then there is no hope for it” - Albert Einstein
-
thetan - Contributor
- Posts: 657
- Joined: Thu Dec 17, 2009 6:58 pm
- Location: Various Bay Area Cities, California
- Blog: View Blog (0)
Re: SSL, The Elephant In The Room
by Goatboy on Sun Oct 24, 2010 11:25 pm
([msg=48057]see Re: SSL, The Elephant In The Room[/msg])
Doesn't really work well, but it's a very early release so I can understand. My results:
Attacker comp: Desktop running Windows Vista, using a fairly generic Buffalo USB wireless card (no promisc)
Victim comp: Laptop running Ubuntu 10.04, using built-in wireless card (no promisc)
Test 1: Start capture on Attacker, visit Facebook on Victim. Both machines contained cookie data from my personal FB.
Result: N/A (Unable to tell if it worked, derp)
Test 2: Start capture on Attacker, visit dummy Facebook on Victim. Attacker has my personal FB cookies, Victim should now have dummy FB cookies.
Result: Fail. Unable to gain access on Attacker comp.
Test 3: All FB cookies on both computers have been erased. Start capture on Attacker, log in to Facebook as Victim on dummy account.
Result: Fail. Unable to gain access on Attacker comp.
Test 4: All cookies erased on both machines. Both have been restarted, and individually connected to the network. Attacker has Firefox open on blank tab, Victim opens Firefox and logs into dummy FB account.
Result: Fail. Unable to gain access on Attacker comp.
Although these tests are far from scientific, I think they are somewhat revealing. I'd like to see other people post their results as well, perhaps with a bit more scrutiny as to the scientific method. I also tried Tests 1 and 2 with a higher-end Alfa wireless card (promisc, packet injection, etc) and it still did not work. I made sure to select the correct driver to use before each test, and even tried a few that shouldn't work, just for the hell of it.
Attacker comp: Desktop running Windows Vista, using a fairly generic Buffalo USB wireless card (no promisc)
Victim comp: Laptop running Ubuntu 10.04, using built-in wireless card (no promisc)
Test 1: Start capture on Attacker, visit Facebook on Victim. Both machines contained cookie data from my personal FB.
Result: N/A (Unable to tell if it worked, derp)
Test 2: Start capture on Attacker, visit dummy Facebook on Victim. Attacker has my personal FB cookies, Victim should now have dummy FB cookies.
Result: Fail. Unable to gain access on Attacker comp.
Test 3: All FB cookies on both computers have been erased. Start capture on Attacker, log in to Facebook as Victim on dummy account.
Result: Fail. Unable to gain access on Attacker comp.
Test 4: All cookies erased on both machines. Both have been restarted, and individually connected to the network. Attacker has Firefox open on blank tab, Victim opens Firefox and logs into dummy FB account.
Result: Fail. Unable to gain access on Attacker comp.
Although these tests are far from scientific, I think they are somewhat revealing. I'd like to see other people post their results as well, perhaps with a bit more scrutiny as to the scientific method. I also tried Tests 1 and 2 with a higher-end Alfa wireless card (promisc, packet injection, etc) and it still did not work. I made sure to select the correct driver to use before each test, and even tried a few that shouldn't work, just for the hell of it.
Assume that everything I say is or could be a lie.
19JAW6GabFHqe9yD9rr26QL3W3V2pNitbD
-
Goatboy - Expert
- Posts: 2863
- Joined: Mon Jul 07, 2008 9:35 pm
- Blog: View Blog (0)
Re: SSL, The Elephant In The Room
by thetan on Mon Oct 25, 2010 3:36 pm
([msg=48090]see Re: SSL, The Elephant In The Room[/msg])
Worked fine for me at work on my laptop :-/
"If art interprets our dreams, the computer executes them in the guise of programs!" - SICP
“If at first, the idea is not absurd, then there is no hope for it” - Albert Einstein
“If at first, the idea is not absurd, then there is no hope for it” - Albert Einstein
-
thetan - Contributor
- Posts: 657
- Joined: Thu Dec 17, 2009 6:58 pm
- Location: Various Bay Area Cities, California
- Blog: View Blog (0)
Re: SSL, The Elephant In The Room
by Goatboy on Mon Oct 25, 2010 3:40 pm
([msg=48091]see Re: SSL, The Elephant In The Room[/msg])
That's because you are God encased in a mortal shell.
Assume that everything I say is or could be a lie.
19JAW6GabFHqe9yD9rr26QL3W3V2pNitbD
-
Goatboy - Expert
- Posts: 2863
- Joined: Mon Jul 07, 2008 9:35 pm
- Blog: View Blog (0)
Re: SSL, The Elephant In The Room
by thetan on Tue Oct 26, 2010 4:30 pm
([msg=48156]see Re: SSL, The Elephant In The Room[/msg])
And in the wake of firesheep comes yet another similar system
This time it's called "idiocy"
http://jonty.co.uk/idiocy
http://github.com/jonty/idiocy
This time it's called "idiocy"
http://jonty.co.uk/idiocy
http://github.com/jonty/idiocy
"If art interprets our dreams, the computer executes them in the guise of programs!" - SICP
“If at first, the idea is not absurd, then there is no hope for it” - Albert Einstein
“If at first, the idea is not absurd, then there is no hope for it” - Albert Einstein
-
thetan - Contributor
- Posts: 657
- Joined: Thu Dec 17, 2009 6:58 pm
- Location: Various Bay Area Cities, California
- Blog: View Blog (0)
Re: SSL, The Elephant In The Room
by tgoe on Tue Oct 26, 2010 10:59 pm
([msg=48185]see Re: SSL, The Elephant In The Room[/msg])
zomg, idiocy should be renamed juicy.
-
tgoe - Contributor
- Posts: 715
- Joined: Sun Sep 28, 2008 2:33 pm
- Location: q3dm7
- Blog: View Blog (0)
Re: SSL, The Elephant In The Room
by Goatboy on Tue Oct 26, 2010 11:09 pm
([msg=48186]see Re: SSL, The Elephant In The Room[/msg])
tgoe wrote:zomg, idiocy should be renamed juicy.
wat
Assume that everything I say is or could be a lie.
19JAW6GabFHqe9yD9rr26QL3W3V2pNitbD
-
Goatboy - Expert
- Posts: 2863
- Joined: Mon Jul 07, 2008 9:35 pm
- Blog: View Blog (0)
Re: SSL, The Elephant In The Room
by sanddbox on Tue Oct 26, 2010 11:21 pm
([msg=48187]see Re: SSL, The Elephant In The Room[/msg])
wat
HTS User Composition:
95% Male
4.98% Female
.01% Monica
.01% Goat
-
sanddbox - Expert
- Posts: 2344
- Joined: Sat Jul 04, 2009 5:20 pm
- Blog: View Blog (0)
Re: SSL, The Elephant In The Room
by tgoe on Tue Oct 26, 2010 11:44 pm
([msg=48188]see Re: SSL, The Elephant In The Room[/msg])
lol I officially resign from my post.
-
tgoe - Contributor
- Posts: 715
- Joined: Sun Sep 28, 2008 2:33 pm
- Location: q3dm7
- Blog: View Blog (0)
Re: SSL, The Elephant In The Room
by thetan on Thu Oct 28, 2010 2:20 pm
([msg=48264]see Re: SSL, The Elephant In The Room[/msg])
tgoe wrote:lol I officially resign from my post.
I believe this only furthers the confusion.
"If art interprets our dreams, the computer executes them in the guise of programs!" - SICP
“If at first, the idea is not absurd, then there is no hope for it” - Albert Einstein
“If at first, the idea is not absurd, then there is no hope for it” - Albert Einstein
-
thetan - Contributor
- Posts: 657
- Joined: Thu Dec 17, 2009 6:58 pm
- Location: Various Bay Area Cities, California
- Blog: View Blog (0)
18 posts • Page 1 of 2 • 1, 2
Who is online
Users browsing this forum: No registered users and 0 guests