BlackSheep plugin to detect FireSheep users

Following on from my previous post, another plugin has been released to combat the FireSheep plugin… cleverly named BlackSheep.
Unlike the FireShepherd standalone program, Blacksheep is also a firefox plugin that sends out a fake session ID’s onto the network. BlackSheep then monitors the network for anyone else using the fake session ID. As the session ID is fake, anyone else using the ID mush running instance of FireSheep (or another session capturing tool).
BlackSheep can be downloaded from http://www.zscaler.com/blacksheep.html.
This is a much better way of protecting yourself against the FireSheep epidemic as it doesn’t rely on a false sense of security like FireShepherd. Unfortunately the actual vulnerability is within the Web 2.0 websites that use non-ssl encrypted sessions to exchange session cookies. Whereas FireShepherd just used a DOS attack on the FireSheep plugin (with no guarantee that the user hasn’t modified FireSheep to protect against this), BlackSheep tells the user of any active active FireSheep users on the network.
Advertisements

Herding FireSheep with FireShepherd

FireShepherd offers a temporary solution to the current threat of people sniffing Web 2.0 cookies with the FireSheep plugin.

The description of FireShepherd provided by the author is:
“FireShepherd, a small console program that floods the nearby wireless network with packets designed to turn off FireSheep, effectively shutting down nearby FireSheep programs every 0.5 sec or so, making you and the people around you secure from most people using FireSheep.”
The sourcecode for this little utility is very simple and can be downloaded here:
It works by preparing a HTTP GET packet:

GET /packetSniffingKillsKittens HTTP/1.1
User-Agent: Mozilla
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: is,en;q=0.7,en-us;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: lsd=spsse; c_user=666660000; sct=01010101; sid=0; xs=3randomhashyes666666666; asdf=??????????????!!!!!!!!!!!!!!!!!!!![MALFORMED_DATA]

This packet is sent onto the network to be sniffed by FireSheep. By providing a malformed cookie to be captured, the current version of FireSheep causes an error and ceases sniffing.
This by no means provides a perminent fix to the current issue of session-hijacking, but provides a DOS attack until a workaround (or another version of FireSheep) is released.