
1/19/2011

Updating Facebook Filter in Firesheep

I got a comment from Schuby on another thread of mine, saying that Firesheep doesn't capture the Facebook cookie anymore, even though all the settings are correct.

Out of curiosity, I checked it out by trying to capture my own Facebook cookie using the Ethernet card on the same PC.

It really doesn't work.

This makes me wonder whether Facebook has changed the way clients connect to it.
Therefore I switched to Wireshark to try capturing the packets.
Here is what I got:

In Firesheep's original Facebook filter, three parameters are required to impersonate another Facebook user.
The three parameters are c_user, xs and sid.

Unfortunately, as you may have seen in the picture, there's no 'sid' parameter in the request sent to Facebook.
This is strange. I even tried the login request, the logout request and requests to other Facebook pages. It's still the same: no sign of 'sid' at all.

This confirms to me that Facebook has changed its authentication method.

Then, what is the new method? What are the parameters required in the process?

I started analyzing by finding what we have now. Looking closely at the parameters sent to the Facebook page, we can see that 'c_user' and 'xs' are still there. These parameters were used in the previous scheme, so I guess Facebook is still using them, and I keep them.

Next is to find the replacement for 'sid' (obviously 'c_user' and 'xs' alone do not work).
Here are our candidates:
  openid_p, datr, lu, made_write_conn, sct, W

*Note that made_write_conn, sct and W contain the same value.

Which one to pick, and how many new parameters are required? I don't know.
The only way to find out is trial and error:
simply add each one to the filter and see if it works.

'openid_p' happened to be my first guess, because it contains the letters 'id' as in 'sid'. If Facebook changed whatever represented the ID in 'sid', the replacement might contain the letters 'id' too (I guess).

Now, how can I change the filter?

A filter in Firesheep is called a "handler". It resides in Firefox's extension folder after you install it.
If you're running Firefox under your own account, the handler folder is
~/.mozilla/firefox/jjdjiquj.default/extensions/firesheep@codebutler.com/handlers/
but if you're running Firefox with "sudo firefox" or under root's account, the folder is
/root/.mozilla/firefox/jjdjiquj.default/extensions/firesheep@codebutler.com/handlers
Note that "jjdjiquj" is random; it will be different on your system.

In this folder you'll find many JavaScript files (*.js); each of them is responsible for one website.
Our goal today is Facebook, so I'll open just "facebook.js". Its fields are:
name = handler name
url = default page to go to after impersonating
domains = capture anything under this domain
sessionCookieNames = the cookie parameters required to impersonate   <--- and this is what we need to capture
identifyUser = function Firesheep uses to identify who the owner of the captured cookie is

Since 'sid' no longer exists, I started by changing it to 'openid_p'.

Save, then run Firefox and Firesheep.

Well, this time Firesheep started and captured my Facebook account from another browser.
But I couldn't double-click on the account to access it from Firefox.

'openid_p' is wrong. One down, five more to go.

That still leaves too many parameters; I think it would take too much time to try them all.
Therefore I did another Wireshark capture and analyzed it again.

When I looked at the response packet after I logged out from Facebook,
I noticed that some parameters are deleted, but some are still alive.

Normally, after you log out, the site should not leave any trace that gives other people a chance to log into your account, right?
From this I can eliminate 'lu', 'made_write_conn' and 'W', because they are not deleted after logout.
Parameters like 'c_user' and 'xs' are deleted right away; that is the proper behaviour for an important parameter.
Now I have narrowed it down to one parameter left: "sct".
(I also noticed a parameter called "presence". I would try it later if "sct" failed.)
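The elimination step above (which cookies does the logout response actually clear?) and the reason the capture works at all (session cookies carried over plain HTTP, which is what a sniffer on an open network sees) can both be checked mechanically from Set-Cookie headers. The following is an added example written for this page; it is not code from the post or from Firesheep. The cookie names are borrowed from the post, but every value, domain and expiry is constructed, and the `Secure`/`HttpOnly` attributes in the hardened set are the standard mitigation a site owner would apply, not something the post observes.

```javascript
// Added example, not Firesheep code: audit Set-Cookie headers from a defender's side.
// 1) which cookies a passive sniffer could read over plain HTTP (no Secure attribute)
// 2) which login cookies a logout response fails to clear (the post's elimination step)

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) become `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const [rawName, ...rest] = parts[0].split('=');
  const attrs = {};
  for (const p of parts.slice(1)) {
    const eq = p.indexOf('=');
    const key = (eq === -1 ? p : p.slice(0, eq)).toLowerCase();
    attrs[key] = eq === -1 ? true : p.slice(eq + 1);
  }
  return { name: rawName.trim(), value: rest.join('='), attrs };
}

// A cookie counts as deleted when the server empties it, sets Max-Age<=0,
// or gives it an Expires date in the past.
function isDeletion(cookie) {
  if (cookie.value === '' || cookie.value === 'deleted') return true;
  if (cookie.attrs['max-age'] !== undefined && Number(cookie.attrs['max-age']) <= 0) return true;
  if (cookie.attrs.expires !== undefined) {
    const t = Date.parse(cookie.attrs.expires);
    return !Number.isNaN(t) && t < Date.now();
  }
  return false;
}

// Report every live cookie a response sets, and whether it would travel over
// plain HTTP (no Secure attribute) where a sniffer on an open network can read it.
function auditExposure(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !isDeletion(c))
    .map((c) => ({
      name: c.name,
      secure: c.attrs.secure === true,
      httpOnly: c.attrs.httponly === true,
      sniffableOverHttp: c.attrs.secure !== true,
    }));
}

// Given the cookies set at login and the Set-Cookie headers of the logout
// response, return the login cookies that logout did NOT clear.
function survivingAfterLogout(loginHeaders, logoutHeaders) {
  const cleared = new Set(
    logoutHeaders.map(parseSetCookie).filter(isDeletion).map((c) => c.name),
  );
  return loginHeaders.map(parseSetCookie).map((c) => c.name).filter((n) => !cleared.has(n));
}

// Constructed sample headers: names from the post, values/domains/dates invented.
const LOGIN_SET_COOKIES = [
  'c_user=100000000; Path=/; Domain=.example.com',
  'xs=abc123; Path=/; Domain=.example.com; HttpOnly',
  'sct=1295400000; Path=/; Domain=.example.com',
  'datr=dummy; Expires=Sat, 19 Jan 2038 00:00:00 GMT; Path=/; Domain=.example.com',
  'lu=xyz; Path=/; Domain=.example.com',
];
const LOGOUT_SET_COOKIES = [
  'c_user=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=.example.com',
  'xs=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=.example.com; HttpOnly',
  'sct=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=.example.com',
  'lu=xyz; Expires=Sat, 19 Jan 2038 00:00:00 GMT; Path=/; Domain=.example.com',
];
// The same session cookies with the Secure attribute: a browser will only send
// them over HTTPS, so a plain-HTTP sniffer never sees them.
const HARDENED_SET_COOKIES = [
  'c_user=100000000; Path=/; Domain=.example.com; Secure',
  'xs=abc123; Path=/; Domain=.example.com; Secure; HttpOnly',
  'sct=1295400000; Path=/; Domain=.example.com; Secure',
];

console.log('exposure at login:', auditExposure(LOGIN_SET_COOKIES));
console.log('exposure, hardened:', auditExposure(HARDENED_SET_COOKIES));
console.log('not cleared by logout:', survivingAfterLogout(LOGIN_SET_COOKIES, LOGOUT_SET_COOKIES));
```

Run it with Node. On the constructed input every login cookie is reported as sniffable over HTTP, the hardened set reports none, and the logout comparison reports `datr` and `lu` as surviving, which is the same reasoning the post uses to discard the cookies that outlive a logout.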

Time to test it out. I changed "openid_p" to "sct" inside "facebook.js".
Now it looks like this:

I tested it, and now it's working!!!

P.S. This was only done on my machine, no wireless involved.
I'll have to test it on an open wireless network somewhere on another day.

Peace out.

Update (Apr 9, 2011):
 - I just had a chance to capture my phone (Windows Mobile 6.5): the filter used only [ 'datr', 'm_user' ] for the domain "m.facebook.com".

31 comments:

  1. Okay so I've updated the facebook filter and I see my own local facebook access on the same computer but still no external facebook access, even on open wifi with the mon0 interface.

    My wireless card is a DWA-652, which is recognized by Ubuntu 10.10 as an Atheros AR5008, which uses the ath9k driver, which according to:
    http://en.wikipedia.org/wiki/Comparison_of_open_source_wireless_drivers#Driver_capabilities
    supports monitoring, and it seems to work in wireshark.

    This is really frustrating.

    Thanks for your support ptantiku

  2. yea, it's really frustrating.
    First, I don't think the Atheros chipset will have any problem capturing it. I think we can drop this reason.

    If you think you can use wireshark to capture it, why don't you capture some http traffic and see the actual packet like I did? Or you can send it to me at anidear1 at gmail dot com

  3. Some new developments...

    Okay so I created an open part of my network which I used to test out my ubuntu laptop running firesheep and I was able to capture my facebook activity on another laptop connected to the open wifi... YESSS!!!!

    However I was not able to capture facebook activity from my Android phone. After doing some packet sniffing using wireshark and looking at the cookie data from my phone facebook activity it does not appear in the same format as that used for desktop browsers (mozilla firefox).

    This leads me to believe that Firesheep is unable to capture from mobile devices because they use different methods for storing and retrieving the cookie data.

    I'm going to do some further analyzing with Wireshark and when I have something good I'll email it to you ptantiku.

  4. ps. given the flexible design of firesheep it may be possible to create profiles for capturing the mobile facebook activity of phones like Android, iPhone, and Blackberry.

  5. UPDATE: So I just realized that on my phone I was accessing the "touch.facebook.com" site and that firesheep probably isn't setup for that domain.

    So I tried accessing the full "facebook.com" site on my phone and firesheep caught it :D

    Question: How can I get firesheep to capture "touch.facebook.com" and "m.facebook.com" ???

  6. The line "domains: ['facebook.com'];' means it covers every url that ends with "facebook.com". So there should be no problem with m/touch.facebook.com as I can capture it with my browser on my laptop.
    The only possible explanation left is that Android phone is using some kind of encryption while connecting to facebook. My guess is Facebook app uses Facebook Graph API which normally connects to Facebook using HTTPS (HTTP + TLS/SSL) which does not enable others to see it easily. If you can capture it, please tell me whether it's HTTP or HTTPS. If it's HTTPS, you'll see encrypted data and no one can read it.

  7. I created two copies of the facebook.js file and modified their name, url and domain fields.
    facebook_touch.js:
    name: 'Facebook_touch',
    url: 'http://www.touch.facebook.com/home.php',
    domains: ['touch.facebook.com'],

    facebook_mobile.js:
    name: 'Facebook_mobile',
    url: 'http://www.m.facebook.com/home.php',
    domains: ['m.facebook.com'],

    I am now able to capture facebook activity when I access either of these sites from my Android web browser. The activity first shows up as an error in Firesheep and then right under the error the name and profile picture show up. So it IS WORKING.

    However I am still unable to capture from my facebook app on my phone so it may be as you suggest ptantiku and the app may be employing some kind of encryption. I'm going to use wireshark tomorrow and see if I can figure out how the app is sending/receiving data.

    Thanks for all your help.
    P.S. In regards to Firesheep first showing an error when capturing touch and mobile versions of the site, what do you think is causing that?

  8. Hello! How can I save my firesheep captures? When I close firefox, all captures are gone and I have to start a new capture...

  9. Haha, I don't know either.
    I guess the developer might forget to build it (or maybe it's intentional).

    For me, if I were to save that captured cookie, I would manually type it into a text file and also manually use the cookie later on.

  10. I have updated my filter but I can only capture facebook from my computer, not from other computers on the network. Any suggestions?

  11. If it's a wired network (with a switch) or a wireless network (that uses WPA/WPA2 encryption), you can't capture anything from the network. It's normal.

  12. Is there any way around the WPA2?

  13. Hello,
    Do you guys know how to get wireshark running properly on a macbook pro so I can do wireless sniffing? I've downloaded it but cannot for the life of me get interfaces to show up for capture.

  14. If you know the password of the WPA/WPA2 encrypted network you can use it to decrypt the connections with wireshark and find out cookie information. If you generate a cookie out of this information you can get somebody's facebook account even in WPA2 encrypted networks

  15. In wireless it doesn't work? It only captures my own cookies

  16. Hey, just thought I'd add this..
    If you download/have Cain and Abel, turn on the sniffer and then turn on ARP poisoning.
    Look up a tutorial or something on how to ARP poison a wireless network. This way you won't end up getting your own cookies, just theirs.
    tl;dr
    Download Cain and Abel
    Turn on ARP packet routing

  17. Is it possible to have this explained in a non computer geek language..?

  18. You mean the blog post? or the comment above?

  19. the blog post hahaha

  20. Does the filter still work? I can't get it to capture or even show a facebook account, even on the same machine

  21. I have tried the above changes on the wlan0 and mon0 interfaces but still get nothing. Even when I log in from the same machine I get nothing :(

  22. Hi,
    It is an awesome post!
    Can you please clarify how to get WPA/WPA2 encrypted wi-fi when I know the wi-fi password?
    Thank You.

  23. Maybe u should read this:
    http://serverfault.com/questions/149888/wep-wpa-wpa2-and-wifi-sniffing

  24. Thanks a lot for the quick reply. I had a look on the link.
    As komek suggested in a previous comment on this post, it is possible to get the cookies from WPA/WPA2 encrypted wi-fi. I followed your guideline (and tweaked a bit) and successfully set firesheep up in ubuntu 10.10. It is getting everything from my machine only.
    But the wi-fi I am testing on has WPA2 encryption with a common password for everyone, which I know too. Can you help me out with cracking that using firesheep? I am willing to learn and try things on my own.
    Thanks a lot again! :)

  25. Update: google updated its protocol I think, it is showing "error" in the name of the profile it is sniffing.

  26. Knowing just the password isn't enough; in WPA & WPA2 they also encrypt "each connection" separately with a randomly generated session key. The session key is generated by exchanging some numbers and calculating it at the establishing state of each connection. Unless you can capture the exchanged numbers, calculate it yourself, and use it to decrypt any packet in the specific session, you're limited to decrypting only your own traffic (which is already done by default by your wifi card+driver and the known session key).

  27. I can't find the facebook.js file, nor the firesheep
    add-on either.

  28. Can you try searching for it? It should be somewhere under your home (~) directory.
    If not, here is the link to download the original file
    https://github.com/codebutler/firesheep/blob/master/xpi/handlers/facebook.js

  29. I am able to capture Facebook sessions now, but they all show up as "error" with a blank avatar. Is it possible to make the plugin change this to the correct information?

  30. - Completely new to this stuff (the way to fix firesheep so it starts capturing facebook again)
    - Isn't it possible for you to put the change u have made in the firesheep file up for download? So u just need to replace those files?

    (else please make an understandable guide for newbies) please

    thanks!
