Search this site

Wednesday, September 21, 2011

What is DroidSheep? How to protect against DroidSheep attacks? What is session hijacking attack?

DroidSheep is an Android App, very similar in functionality to FireSheep, which is a FireFox extension developed by Eric Butler for the Firefox web browser, and is used for doing session hijacking attacks over the Wi-Fi hotspots that the laptop is connected to.
DroidSheep is used for session hijacking over the Wi-Fi hotspots that the mobile is connected to.

Picture given below shows the Menu of the DroidSheep:

So, DroidSheep is used in session hijacking attacks. But, what is session hijacking attack?

When we use our Internet Browser (Internet Explorer, FireFox, and Opera) or ay web application to browse or access our profile/user-account on websites such as Facebook, Amazon, Linkedin, Twitter, Flickr, DropBox etc., these websites usually ask to enter the credentials (username and password) in order to verify our identity. Generally, at the time of authentication/verification encrypted-HTTPS protocol is used and after this plain HTTP takes over to avoid performance issues.

Since HTTP is a stateless protocol, it treats each HTTP request (Web-Page request) as an independent web-page-request that is unrelated to any previous request.  In order to remember a user, the website’s web-server sends a cookie (a text message) to the browser. The cookie is then sent back to the web-server each time the browser requests a page from the web-server. In this way the web-server identifies users.

To maintain access control on user profile/user account a website’s web-server should ask for credentials (username and password) before giving access to users. To avoid entering the credentials at every web-page-request, the web-server adds a session-token or session-ID with the cookies. Now, this Session-ID is sent with any subsequent HTTP request.

The software involved in Session-jacking, sniffs/reads/monitors packets sent over a Wi-Fi hotspot or a wired network. To do so it puts its network adapter in promiscuous-mode and uses libpcap or Pcap packet libraries. When it gets session-ID or session-token of an authenticated/verified user on the same network, it just replays the packets to the web-server; the web-server thinks that the system running the session-hijacking software is the user identified by this ID or token. It allows the attacker to impersonate the victim user, even if the password itself is not compromised. The attacker can start browsing the profiles/accounts of the victim user.

DroidSheep has got one more feature which allow it to do the ARP-Spoofing attack for WPA protected Wi-Fi hotspots. ARP spoofing is a form of Man In The Middle (MITM) attack in which attacker sends spoofed/fake, ARP messages onto a LAN or WLAN (Wi-Fi hotspot) and associate its  identity (MAC address with the IP address) with the Gateway/Access-Point/Router’s identity. It then, acts as a proxy and sits between the router and users and relays (can read/modify the traffic) traffic between them.

How to protect against DroidSheep attacks?

1.     Some Websites, such as Gmail      provides setting 'Always use https':

2.     Use HTTPS End-to-End Encryption Applications

Many websites such as Facebook, Twitter, Flickr, DropBox, Google etc. use encrypted HTTPS at the time of authentication/verification only, after then plain HTTP takes over to avoid performance issues. HTTPS can provide end-to-end encryption and security between the web-application and the web-server. To force HTTPS protocol on your browser, we can use NoScript, Force-TLS or HTTPS Everywhere Add-On for FireFox, Use HTTPS or KB SSL Enforcer extension for Google, Redirect to HTTPS  for Opera, and User script for Internet Explorer. These applications search for HTTPS connections available on the  Web-sites and enforce the HTTPS end-to-end communication, if the HTTPS is not available, then they simply re-direct to  plain HTTP connections. Below are pictures of popular HTTPS enforcer applications:

'HTTPS-Everywhere' AddOn for Mozilla FireFox:

'Use HTTPS' extension for Google Chrome:

'Redirect to HTTPS' for Opera:

3.     Wi-Fi Protected Access (WPA) or more higher encryption should be used for Wi-Fi hotspot Access-Point, it provides strong encryption to user traffic. Attacker from outside, will have to decrypt the packets of the network.
4.     We can setup a Virtual Private Network (VPN) [free or commercial]: set VPN server at home or office. It will do the encryption for all our traffic over the Wi-Fi hotspot and access for us.
5.     Programs like ARPWatch and ARPOn can be used to detect ARP poisoning.