Understanding Function: 2010

FireSheep

A few weeks ago a clever fellow named Eric Butler released a firefox plugin that, when active, sniffs the network for common web services so that it may hijack web sessions. That sounds like a bad thing, but his intentions are good. Session hijacking isn't a new exploit just cooked up a month ago. In fact information security professionals have been talking about it for years. The problem is the proof of concepts and pleas with web service providers for more secure web practices seems to have fallen on def ears. Firesheep makes executing this sort of attack beautifully simple. Load the plugin, click a button, and wait. As soon as an already authenticated user within your collision domain browses to an insecure web service the user, the website, and often times an avatar will appear in the Firesheep console. Depending on the service, facebook for example, clicking on one of these stolen sessions will take you to the victims homapage. Congratulations, you've successfully completed a man-in-the-middle attack with out even having to type.

Firesheep Homage

FireShepherd

In response to Firesheep, a student at the University of Iceland, Gunnar Sigurdsson, wrote a small app called FireShepherd. The app is pretty basic; once every couple of seconds the app makes a connection to Facebook and sends a fake HTTP request containing a forged session cookie. This cookie causes Firesheep to error out and stop sniffing, preventing a would be attacker from stealing your session data. There's been some reviews on the web pointing out some flaws with the app. By definition, Gunnar's app is a DoS against facebook. Do I believe that FireShepherd will DoS Facebook? Probably not. There's potential, but I doubt ii will get the number of users required to successfully DoS anybody. Regardless, it's completely unnecessary to ever make a full connection to break firesheep's sniffing session.

FireShepherd Homepage

CamelSpit

My first thought when I saw the reviews for FireShepherd was, why make a full connection anyway? I like Facebook. I use it all the time. Why would I want to DoS them? So I took Gunnar's forged cookie and set out to write a quick perl script to spoof the sniff-session-ending packet onto the wire.All one needs is perl, the RawIP module, and the will to run the app. The spoofed packet has a low ttl value which causes the packet to be dropped long before it reaches any webservice, but not before a would be attacker sniffs it off the wire ending their snoop session. I haven't tested it on a windows box, but it should work just fine on *nix systems. If anything it's at least a proof of concept demonstrating how to achieve Gunnar's goal with out negatively impacting a webservice.

CamelSpit Homepage

So a while back I was playing with map+grep+anonymous arrays when I realized how quickly code can manifest with the "right-to-left" flow you can use in perl. As fast as I could think, this code was on the page. Obviously I had to write a quick one liner to encode the message that is "$the_truth", but that was easy enough.

(Originally this was on one line, but it looks terrible on the blog that way... I've already spent, easily, 10 times the amount of time trying to format the code than I did writing the code)

use strict; 
use warnings; 
my $the_truth = "0a796177796e6120656d2065766f6c20756f7920747562202c6472656e2061206d49"; 

my $tell = sub { 
  return join("",
    map { chr(hex($_)) } 
    grep { $_ } 
    reverse(split(/(.{2})/, $_[0]))) 
}; 

print $tell->($the_truth);

Understanding Function

November 12, 2010

Web Session Hijacking

September 30, 2010

Synchronous getJSON jquery call

September 2, 2010

MySQL to CSV

August 31, 2010

So how do you really feel? (mmm perl)

July 31, 2010

About Me