hamster help


Upload: josephwcook

Post on 24-Oct-2014


Page 1: Hamster Help

Sidejacking with Hamster and Ferret

Sidejacking is the process of sniffing cookie information, then replaying it against websites in order to clone a victim’s session. We use the term “sidejacking” to distinguish this technique from man-in-the-middle hijacking. Whereas man-in-the-middle hijacking interferes with the original session, sidejacking does not. The victim continues to use his/her session blissfully unaware that we are also in his/her account (although signs such as additional e-mails in the ‘sent’ folders might give a clue).

Sidejacking without Hamster

All you need to do in order to sidejack is sniff cookies off the wire and edit cookies. This can be done with a wide variety of tools.

You should be comfortable with using a packet-sniffer like Wireshark/Ethereal. For example, the following is a screenshot of sniffing the cookie for Slashdot:

Another useful tool is an extension for Firefox called “Edit Cookies”. The following screens show what it looks like:


Once you can make your cookies the same in the browser that you sniffed from the wire, then you have sidejacked the person’s session. Note that the above information is correct, so that you can successfully sidejack our Slashdot test account.
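The reason the copied cookies work is that the site sent them over plain HTTP, so anything on the path could read them, and they stay valid long after they were captured. The following is an added example, not code from this document or from Hamster/Ferret: it parses Set-Cookie headers (constructed samples are embedded) and reports the attributes that decide whether a sniffed cookie is replayable: a missing Secure flag, a missing HttpOnly flag, and a lifetime longer than a day on a cookie whose name looks session-related. The SESSION_HINTS list, the one-day limit, and the fixed reference time NOW are assumptions made for the example.

```python
"""Audit Set-Cookie headers for attributes that limit replay of a sniffed cookie.

Added example (not part of Hamster or Ferret). Given the Set-Cookie headers a
site sends, report session cookies that a passive sniffer could capture and
replay: no Secure flag, no HttpOnly flag, or a lifetime long enough that a
captured value stays valid for days.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumptions: name fragments that mark a cookie as session-bearing, and the
# longest lifetime tolerated for one (one day). Both are policy choices.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")
MAX_SESSION_LIFETIME = 24 * 3600

# Constructed reference time so that Expires arithmetic is deterministic.
NOW = datetime(2007, 8, 4, tzinfo=timezone.utc)

# Constructed sample headers, as a site might send them.
SAMPLE_HEADERS = [
    "sessid=abc123; Path=/; Expires=Sat, 18-Aug-2007 00:00:00 GMT",
    "prefs=dark; Path=/; Max-Age=31536000",
    "auth_token=xyz789; Path=/; Secure; HttpOnly; Max-Age=3600",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_lifetime_seconds(attrs, now):
    """Lifetime in seconds from Max-Age or Expires; None for a browser-session cookie."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"])
        except ValueError:
            return None
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None


def audit_set_cookie(header_value, now=NOW):
    """Return (cookie name, list of issues) for one Set-Cookie header."""
    name, _value, attrs = parse_set_cookie(header_value)
    issues = []
    if "secure" not in attrs:
        issues.append("no Secure flag: the browser sends it over plain HTTP, where it can be sniffed")
    if "httponly" not in attrs:
        # Does not stop sniffing, but keeps page scripts from reading the value.
        issues.append("no HttpOnly flag: script on the page can read it")
    lifetime = cookie_lifetime_seconds(attrs, now)
    session_like = any(h in name.lower() for h in SESSION_HINTS)
    if session_like and lifetime is not None and lifetime > MAX_SESSION_LIFETIME:
        issues.append(f"session cookie lives {lifetime // 3600} hours: a captured copy stays replayable that long")
    return name, issues


def audit_samples(headers=SAMPLE_HEADERS, now=NOW):
    """Audit every sample header; returns {cookie name: [issues]}."""
    return dict(audit_set_cookie(h, now) for h in headers)


if __name__ == "__main__":
    for name, issues in audit_samples().items():
        print(name, "->", issues or ["ok"])
```

Run it as a script to see the three sample cookies judged: the first is flagged on all three counts (it is the kind of cookie that is still valid days after a capture), the preferences cookie lacks flags but is not session-bearing, and the last one passes. The Secure flag is the attribute that actually defeats sniffing; the others limit what a captured or stolen value is worth.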

Installing Ferret and Hamster

These are COMMAND-LINE tools. I haven’t made an install program for them yet, so you have to do this manually.

Unzip the tools, such as into the directory C:\sidejacking.

Ferret is a command-line packet sniffer with typical options. You need to figure out which interface to use to sniff on using the “-W” command-line option:

In the above screenshot, I want to sniff on wireless, so I would use interface #4.

There is one major problem with the Intel® PRO/Wireless 2200BG: it doesn’t do promiscuous mode. This means that unlike most other wifi adapters, you can’t use it for sidejacking. To get around this, you would need to buy a cheap USB wifi adapter (usually $20).

Another installation step is to set your browser’s proxy to Hamster, which will be on port 3128. I strongly recommend that you DON’T use your normal browser, because Hamster totally screws up the cookies in the browser. There are 3 options I have used:

1. Used Internet Explorer for sidejacking, because Firefox is my default browser.
2. Created a second account called “hamster” on my computer, and did the browsing from that account.
3. Used the alternate “profile” feature of Firefox to have two profiles running at the same time.

Firefox allows two profiles to be running at the same time. You can launch them from the command line as follows:


(BTW, I never install software in the default path, on your machine it’s probably c:\Program Files\Mozilla Firefox\firefox.exe).

The following screen will popup:

You won’t have “Hamster” as an option the first time you do this, you’ll have to create that alternate profile and select it. Note that the profile doesn’t even share extensions, so if you installed “Edit Cookies” on your main profile, you’ll have to go back and install it again for this profile.

In Firefox, go to the [Tools / Options] menu. Select the [General] options (the one of the far left, it’s also the default).


In this box, change your Home Page to http://hamster/ so that it pops up automatically when you launch the browser. There is no machine named “hamster”, of course; the proxy interprets that as a special name to give you console information.

Select the [Connection Settings…] button. You should get a screen that looks like this:


Set your proxy as shown and click ok.

Running Ferret and Hamster

To run Ferret, run it on the command-line using the interface you chose:

ferret.exe -i 4

You might also want to capture packets at the same time:

ferret.exe -i 4 sniffer.mode=most sniffer.directory=\pcaps

The advantage of sniffing packets at the same time is that you can later replay them through Ferret in order to generate a hamster.txt. The cookies last for a long time. It’s been 4 days since DefCon, but half the cookies I captured during the Wall of Sheep are still valid. To replay a packet capture through Ferret, do something like:

ferret -r \pcaps\sniff-2007-08-04-eth.pcap

While Ferret is running in one window, run Hamster in another window. Hamster has no command-line options. You can use the “start” feature to start them both up in their own windows:


At this point, Ferret will be dumping cookies to “c:\sidejacking\hamster.txt”, and Hamster will be reading from that file to get the cookies. Note that you can run Hamster from that ‘hamster.txt’ file even without running Ferret at the same time.

Using the Hamster console

Open your special console browser and go to the pseudo-website http://hamster/.


As Ferret is running in the background, it will be updating this list. You’ll need to manually refresh it to see if any information has been added.

In the right-hand window, you’ll get a list of targets. Most targets will have just the IP address. Some will have additional identifying information that Ferret finds. This identifying information is only names associated with the IP address, it’s not cookie information.

When you click on an IP address, you “clone” it. At this point, all the cookies are set for that IP address. Keep that in mind – a lot of the problems people have are because they set the current IP address to something else, thereby erasing the cookies of a site they want to access.

Cloning an IP address by clicking on it will cause the window to the left to be filled in, as in the following example:


You have three options here. You can view the raw cookies for this IP address (discussed below). You can click on a URL that has a HIGHER probability of being Sidejacked. Or you can choose from the URLs below, which have a lower probability of being Sidejacked.

At this point, just click the URL. For example, I clicked on the http://slashdot.org URL in the above example, and the following window popped up:


The name “sidejacking” in the mid-left of that screenshot is because I created a test account with the username of “sidejacking”. This shows how I’ve successfully cloned the cookies to get to that Slashdot account.


Clicking on the Gmail one, I get the following screen:

Again, the username is [email protected], as this is a test account. You can see that I’ve done little with it other than use this e-mail account for setting up my test Slashdot and Facebook accounts.

And here is the Facebook account:


Why Ferret/Hamster suck

When things work well, it’s point-and-click. They don’t always work well.

The first thing that sucks is you have to figure out which interface to sniff on and make sure that you have a proper wifi adapter. I recommend downloading Wireshark and make sure that you’ve got the packet sniffing working with that product before you start Ferret.

Both Ferret and Hamster will crash or hang. You’ll be restarting the programs a lot. Right now, Ferret overwrites ‘hamster.txt’ every time it restarts, so if you’ve got a good session, make copies of it (or log to sniffer files, and recreate it).

The Hamster proxy is really slow. You’ll click on a link and have to wait patiently sometimes. Check the Hamster console window in order to see what’s going on.

Cloning sites is finicky. Sometimes you have to choose the right URL from the list, and choosing the wrong URL will cause the server to reset the cookies, locking you (and the original person) out from the account until a re-login. It takes practice to figure out what you can, and cannot, clone.


Finally, when the original session cookies expire, you can’t clone them. This is rarely a problem in a live environment, but if you work from capture files, it becomes more difficult.
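Because the original session keeps working while it is cloned, the one thing a site operator can see is the same session cookie arriving from a second client. The following is an added example, not code from this document or from Hamster/Ferret: it parses a constructed access-log format (client IP, timestamp, request line, session cookie value, User-Agent, with sample lines embedded) and reports sessions used by more than one client, separating out those where the browser identification changed as well. The log pattern, the sample lines and the field names are assumptions for the example; a real server log needs its own regular expression.

```python
"""Spot one session cookie being used from more than one client.

Added example (not part of Hamster or Ferret). A sidejacked session keeps
working for the real user, so the only server-side sign is the same session
value arriving from a second source address or browser. This parses a
constructed access-log format and reports sessions shared by several clients.
"""
import re
from collections import OrderedDict

# Assumed log format: client IP, timestamp, request line, session cookie
# value and User-Agent. Real servers need their own pattern here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'sess=(?P<sess>\S+) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample: session a1b2c3 is used by two different clients.
SAMPLE_LOG = """\
10.0.0.5 [04/Aug/2007:10:01:02 +0000] "GET /inbox HTTP/1.1" sess=a1b2c3 ua="Firefox/2.0"
10.0.0.5 [04/Aug/2007:10:01:09 +0000] "GET /inbox HTTP/1.1" sess=a1b2c3 ua="Firefox/2.0"
10.0.0.9 [04/Aug/2007:10:02:30 +0000] "GET /inbox HTTP/1.1" sess=a1b2c3 ua="MSIE 7.0"
10.0.0.7 [04/Aug/2007:10:03:00 +0000] "GET / HTTP/1.1" sess=d4e5f6 ua="Firefox/2.0"
garbage line that does not match
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_shared_sessions(records):
    """Return {session: [(ip, ua, first_seen), ...]} for sessions with >1 client.

    Clients are listed in order of first appearance, so the first entry is
    the client that established the session and later ones are suspects.
    """
    clients = OrderedDict()
    for r in records:
        seen = clients.setdefault(r["sess"], OrderedDict())
        seen.setdefault((r["ip"], r["ua"]), r["ts"])
    return {
        sess: [(ip, ua, ts) for (ip, ua), ts in seen.items()]
        for sess, seen in clients.items()
        if len(seen) > 1
    }


def sessions_with_changed_user_agent(shared):
    """Subset of shared sessions where the User-Agent differs too.

    Two addresses with the same browser can be NAT or a laptop roaming
    between networks; a different browser on the same session is the
    stronger signal.
    """
    return {
        sess: clients
        for sess, clients in shared.items()
        if len({ua for _ip, ua, _ts in clients}) > 1
    }


def scan(text=SAMPLE_LOG):
    """Return (all shared sessions, those with a User-Agent change)."""
    shared = find_shared_sessions(parse_log(text))
    return shared, sessions_with_changed_user_agent(shared)


if __name__ == "__main__":
    shared, strong = scan()
    for sess, clients in shared.items():
        flag = "UA CHANGED" if sess in strong else "multiple IPs"
        print(f"{sess}: {flag}")
        for ip, ua, ts in clients:
            print(f"   {ts}  {ip}  {ua}")
```

On the sample, session a1b2c3 is reported with 10.0.0.5/Firefox as the originating client and 10.0.0.9/MSIE as the later one, and the User-Agent change puts it in the stronger bucket; d4e5f6 is not reported. Binding a session to its first-seen client and re-authenticating when it moves is the server-side counterpart of the cookie reset the document describes, and it is why the clone stops working after the site forces a re-login.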

Send me captures!

Websites are finicky, and require a little bit of manual cookie editing. I’ve put code into Hamster to automatically do this for sites I know about, but there are many more that I don’t know about.

If you’ve got a packet capture, and Ferret/Hamster don’t seem to work on that capture, ZIP it up and e-mail it to me. I’ll try to figure out what’s wrong and fix the code.

Send them to [email protected]. Please only send captures of accounts that you yourself have created and are testing with, not other people’s information.

Summary

1. Download and install Winpcap.
2. Unzip the tools into a directory such as C:\sidejacking
3. Open a command-line (cmd.exe) and change to that directory (cd c:\sidejacking)
4. Use ‘ferret -W’ to figure out which interface you want to sniff
5. Use ‘ferret -i <n>’ to start sniffing cookies
6. Use ‘hamster’ (no command-line options) in the same directory as hamster.txt to start the proxy
7. Set up a browser to use the proxy at 127.0.0.1:3128
8. In that browser, go to http://hamster to go to the proxy console window.
9. Select a victim, then click on a URL to sidejack it.