I'm a bit confused about the working principles of FireSheep. The official website describes session hijacking as almost a piece of cake. My question is, how does the cookie information routed towards the attacker's system without using some middle man technique? If I'm the attacker, the website won't send legitimate user's cookie directly to me, even if my (attacker's) NIC is configured in promiscuous mode, right? What am I missing here? Sorry, I don't have much experience in network security. Please tolerate if the question seems silly! I've already tried a lot of Google search, but couldn't find satisfactory answers! Thanks in advance!
Trying to answer from memory...
Firesheep uses libpcap and listens to packets in promiscuous mode. So it will be able to see any data on open wifi networks (read: unencrypted).
Remember that the "wifi cable" is the "air", and everybody with the right antenna can listen to that medium.
Since FireSheep attacks unencrypted HTTP traffic (without https), it is able to extract information, such as cookies, from that. It is just a matter of parsing the valuable information out of the raw frames it sniffs from the air.
It would be possible for FireSheep to decrypt and process data from pre-shared secret connections (WEP/WPA/WPA2), same as WireShark supports, although I don't think that this is implemented.
Related
I am using iptables string match + libnetfilter_queue library to monitor http requests and responses. But later on I realized that string match fails in case of https protocol as iptable captures packets at layer 3.
Now, i am reimplementing it using libpcap. So, is it possible to see what is in header/packet using libpcap in case of https protocol
HTTPS uses the SSL protocol which encrypts information at the application layer (the highest layer in the OSI model). As such, the answer is no, libpcap will not help you see the contents. If it were possible, it would pretty much defeat the purpose of using SSL in the first place.
No. If it was possible, HTTPS wouldn't be secure, which is its only reason for existence.
If you're watching the traffic between your machine and another machine, you may be able to decrypt the SSL traffic (after all, the browser on your machine can do so), but it's not easy - Wireshark can do it if it has the necessary key information, but the code to do that is somewhat complicated (I won't be able to help you figure it out, so you're on your own there), and it might not always be able to do the decryption.
If you're watching the traffic between two other machines, you'd need to get the keys from those machines (if you could do it without those keys, then, as others have noted, SSL wouldn't be very useful, as its whole purpose is to hide traffic from other people).
I'm working on an application that does VoIP, Cam-streaming and file transfers at the same time. Currently it runs under Windows, OS X, Android and iPhone/iPad. As you may understand, this can create quite some network traffic, especially if several people on the same LAN does it simultaneously. As a result, VoIP quality suffers.
I figure that the best theoretical solution is to ask the local wi-fi router politely if it can prioritize the VoIP traffic. Unfortunately, most of the traffic streams, including SIP for VoIP and Video is encrypted and sent over TCP. So the router has no way to figure out what TCP/UDP streams does what.
I have looked briefly at UPnP QoS. From the specifications, it's just what I need. But I don't know if it is widely available for today's home routers. I also don't know if it actually works the way I want. To put it simple: For VoIP, I want to specify a stream by it's endpoints, and tell the wi-fi router/home network to give it minimum latency.
So my questions are really:
Is it worth the effort to dig further into UPnP QoS?
Is this widely adapted by modern home LAN hardware (wi-fi routers)?
Are there better approaches to consider?
I also noted that Samsung has a patent pending for this, and I am concerned about the implications.
I have not found any really nice API's for UPnP and QoS, but I guess it's possible to cook something together with curl or boost::asio. If I do, is there any interest for a C++ Open Source library for this purpose?
Encryption doesn't play a part in QoS as encryption is (usually) at the application level not the TCP/IP level.
More likely your problems are related to http://www.bufferbloat.net/
this might be a dumb question...
I wrote a C++ client program that communicates with a web service over HTTPS with the help of the cURL library.
I am wondering if the person using the client can see clearly the traffic originating from his computer using some sniffing program?
Or would he see encrypted data?
Thanks!
Using a utility like netcat to sniff data on the wire, the user would only see encrypted data. The only way to see the raw data is to log it inside the app, before it's passed to cURL, OR to find it in the machine's active RAM (much more difficult since it's likely to be fragmented).
Not if your app checks for valid certificates.
If your users have the ability to use a proxy server with your app, they could use fiddler's decrypt https sessions function to do this, but it results in an invalid certificate which could be made to stop it from working when detected.
He would see the encrypted data. Sniffers only see the packets, so if HTTPS is working as it should, the packets should be encrypted, and that's all the program could see.
If you would like to try it yourself, learn about ettercap-ng.
I doubt that an average user would be able to do that...
BUT there are ways to do this like:
replacing the cURL library with a proxy (if you link dynamically)
running your program under a debugger and placing breakpoints on the cURL functions
replacing the cURL program with a proxy (if you use it as a commandline utility)
digging deep and diessecting the memory at runtime
From my POV it is improbable (since you need some skill + knowledge + some control over the client environment to pull that off) but possible...
The SSL/TLS protocol is typically implemented at the application layer, so the data is encrypted before it is sent.
If the user has access to the certificate key(s) used to encrypt/decrypt the data, then he/she can plug them into WireShark and it can then decode sniffed HTTPS packets off the wire.
I want to block internet access for the particular website like yahoo or gmail or any other. I researched a lot on google and came up with the library which offer packet sniffing and manipulation. I can read packet and get the destination ip and source ip address of the server and the client computer. as far as my understanding related to the topic is, to block the any url i need to send the FIN packet to the server which indicates to the server that I don't want any more packets. so I need to create a packet with destination ip address and send it to the server (like yahoo etc). can you help me on this, some code snippet or way around, or any other correct approach for this task.
Any help on this would be much appreciated.
Thanks
http://www.winpcap.org/docs/docs_40_2/html/main.html
Start with understanding on how to "trace" the packets, read filtered packets, what Raw IP is and then attempt on blocking/modifiying the packets. WinPcap is powerful, but may not be easy to adapt.
I've used http://netfiltersdk.com/ successfully. Its a commercial project but they have a demo version which you could use for your homework.
Remember you can apply your blocking rules on the Internet traffic which flows through your pipe. The key is to direct all traffic to pass through your pipe and your application which operates on that pipe decides what to pass and what to block. But here we have Winpcap which is used for sniffing, packet injection, statistics gathering e.t.c just like a spectator watching whats going on. Its not used to block a packet coming from Internet.
Windows knows when you have removed the network cable from your NIC. Is there a programmatic way to determine this via API in C++?
Note: I am not using .NET and this is for a closed LAN (not connected to Internet ever)
Raymond Chen blogged about something similar recently. Here is the relevant documentation. I think the MIB_IPADDR_DISCONNECTED flag is what you are looking for.
Use the Network List Manager api with the INetwork api.
You can register your app to receive callbacks when networks become connected/not connected.
Or you can get the list of networks and then check each of them to see if the machine is network connected or not
Remember that a windows machine will often have multiple networks set up (Ethernet, wifi, etc)
Remember that just because a network is connected, you may not have access to the internet. Eg you could have DNS or routing problems. Or you could be on a working network that is not connected to the internet.
Due to the above, many diagnostic tools also connect to a "known-good" internet server if they want to really know if they're connected or not. Something like google.com -- they spend a lot of money to make sure that their site is up all the time.
Finally, you can also have a semi-connected situation where packets are getting through but not enough to really enable communications to flow. To test this, don't just ping an internet site since that'd only be a pair of packets. Instead, open a TCP connection or something more than a ping.