Re: Firesheep/Cain& Able

[Alex Keller <alkeller () SFSU EDU>]

re: Has anyone run Firesheep to see that it does what it claims?

for a switched wired network you will need to perform ARP poisoning
otherwise your adapter will only see unicast (and broadcast) traffic
intended for it. for wireless (unencrypted) on the Windows side it will
require a wireless card (and driver) that supports promiscuous mode,
unfortunately the majority of onboard wireless adapters on Windows
laptops don't support this feature. my testing indicates Firesheep works
out of the box for wireless hijacking on Intel based iMacs and MacBooks
running 10.6.x.

there are some troubleshooting tips here (a third the way down the page):
http://codebutler.com/

best,
alex







On 11/2/2010 11:08 AM, Foerst, Daniel P. wrote:
> Hey all,
>
>  
>
> Has anyone run Firesheep to see that it does what it claims? I have
> run it both on a Windows XP box (with WinPCAP) and OS X and in each
> case I have not gathered any data outside of sites that I have visited
> myself. Perhaps I am misunderstanding what this application does. I am
> connected to an open network, heck both laptops are on the same
> network, same ssid, same AP even.
>
>  
>
> Thanks!
>
>  
>
> -dan
>
>  
>
> *From:* The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Isac Balder
> *Sent:* Monday, November 01, 2010 12:39 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Firesheep/Cain& Able
>
>  
>
> If you like to fight fire with fire there is fireshepherd.
>
> http://notendur.hi.is/~gas15/FireShepherd/
> <http://notendur.hi.is/%7Egas15/FireShepherd/>
>
>  
>
>  
>
> What should be routing best practices, disable arp poisoning.  (or at
> least detect and mitigate against)
>
> On Cisco 'ip arp inspection vlan 1'
>
> http://www.enterprisenetworkingplanet.com/netsecur/article.php/3462211/Configure-Your-Catalyst-for-a-More-Secure-Layer-2.htm
>
>  
>
>  
>
> Inform and educate users of sites that allow CSRF, XSS, etc.
>
>  
>
>
> I.B.
>
> "top posting cause yahoo makes me..."
>
> --- On *Mon, 11/1/10, Hudson, Edward /<ewhudson () CSUCHICO EDU
> <mailto:ewhudson () CSUCHICO EDU>>/* wrote:
>
>
> From: Hudson, Edward <ewhudson () CSUCHICO EDU
> <mailto:ewhudson () CSUCHICO EDU>>
> Subject: [SECURITY] Firesheep/Cain& Able
> To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
> Date: Monday, November 1, 2010, 10:40 AM
>
> In light of the recent attention to “Firesheep” I am wondering if
> anyone is having issues and how they are addressing?
>
> When used in conjunction with “Cain&Able” it appears able to sniff
> both wired and wireless traffic for login credentials and execute ARP
> Poisoning.
>
> TIA
>
> EH
>
>  
>
> Ed Hudson, CISM
>
> Information Security Office
> California State University, Chico
> www.csuchico.edu/ires/security <http://www.csuchico.edu/ires/security>
> Office: (530) 898-6307
>
> Cell: 707-799-3250
>
> ewhudson () csuchico edu <mailto:ewhudson () csuchico edu>
>
>  
>
>  
>
>  

-- 
Alex Keller
Systems Administrator
Academic Technology, San Francisco State University
Office: Burk Hall 153 Phone: (415)338-6117 Email: alkeller () sfsu edu