
Note: This only works on people who are connected on the same (V)LAN as you, i.e. your campus network! This allows you to 'Frape' or 'Facebook Rape' people in your university accommodation for example, without having to be anywhere near their computer! Yet again: This will only work for people on the same network as you, not someone else across the internet.
Introduction
What is ARP (Address Resolution Protocol)?
Address Resolution Protocol (ARP) is a protocol that associates MAC addresses (like the hardware serial number of your network card) to IP addresses. In simple terms, ARP works by broadcasting something along the lines of 'Who is X.X.X.X, tell Y.Y.Y.Y', where X.X.X.X is the IP address of the computer being queried, and Y.Y.Y.Y is the IP address of the computer making the query. The computer X.X.X.X will respond directly to Y.Y.Y.Y (i.e. not broadcast, but instead unicast), saying X.X.X.X is hh:hh:hh:hh:hh:hh (the MAC address of the machine with the IP address X.X.X.X).
ARP Table Poisoning
Now, you may have spotted that there is no authentication, or any mechanism to determine if the response is indeed valid, or legitimate. The reason for this probably stems from the fact that Ethernet started off as a research project, with no intention of it ending up being used all over the world. Now, what if when computer Y.Y.Y.Y broadcasts a query asking for X.X.X.X's MAC, and a computer at Z.Z.Z.Z sends Y.Y.Y.Y its MAC, claiming to be X.X.X.X? Well, Y.Y.Y.Y ends up having Z.Z.Z.Z's MAC in its ARP table associated with X.X.X.X. Simple! So now any traffic intended for X.X.X.X being sent from Y.Y.Y.Y ends up going to Z.Z.Z.Z instead! Z.Z.Z.Z could be running a piece of software which could then route the traffic to X.X.X.X, so both X.X.X.X and Y.Y.Y.Y think they are talking to each other like nothing has happened, but in reality Z.Z.Z.Z is sitting in the middle, eavesdropping (or sniffing), adjusting the data, etc.
In Practice
I tried to keep the explanation simple, but it's not really totally necessary to understand it. In practice, it's much easier.
Software Required
This is the software stack I will be explaining how to use:
Temporarily Disabling Windows Firewall
This is necessary for Cain & Abel to work correctly when doing its magic.
Note: Run from the command prompt (on Vista/7 you may need to run from an elevated command prompt).
For Windows XP: net stop SharedAccess
For Windows Vista/7: net stop MpsSvc
Discovering your Network Gateway IP
From the command prompt, run the following command, and note down the IP address 'Default Gateway':
ipconfig
Discovering your Target(s)
Discovering your target who's running Windows is made easy due to NetBIOS host names of computers being named NAMEHERE-PC under Windows Vista/7 by default! Simply open up 'Network', and let Windows enumerate all the hosts it can find on the subnet. Note the names of the targets. Now run the following commands to find the target's IP address by querying the target's NetBIOS name table, then listing the local NetBIOS cache (replacing COMPUTERNAME with the target, 2NDCOMPUTERNAME with the second target, and so on):
nbtstat -a COMPUTERNAME
nbtstat -a 2NDCOMPUTERNAME
nbtstat -c
Method
Open up Cain, and select the Sniffer tab.
In the window, right click and select 'Scan MAC Addresses', select 'All hosts in my subnet', and hit OK.
You should now be presented with a list of hosts on your network. Now switch to the APR tab along the bottom. Click the + symbol on the toolbar. Now select the host you want to target on the left, and the IP address of the default gateway on the right (you should have noted this down earlier). If you want, you can select multiple targets by repeatedly pressing +, selecting a target and gateway, then confirming.
Now click the little radioactive symbol on the toolbar to start the ARP table poisoning attack and the router. You should see a list of routing information appear.
Now open Firefox, and click Start Capturing on the Firesheep side pane (you may need to enable it in the view menu). Also you may need to open Firesheep settings to select the correct network adaptor. If the target is on Facebook, you should be able to double click their name, and off you go!