Monday, November 8, 2010

BlackSheep - A Tool to Detect Firesheep

UPDATE: see the requirements for the extension at the end of the post
UPDATE: an new version is available
UPDATE: BlackSheep for Linux is available here
UPDATE: If you use FileVault on MacOSX, you might be prompted for a password. See this thread for more information.

You've probably all heard of Firesheep by now, a Firefox add-on which lets anyone hijack a user's session to various popular web applications when they're using an open wireless network. While sniffing/stealing session credentials is nothing new, Firesheep exposes this capability to the masses by automating the process so that absolutely no technical know-how is required. Unfortunately, it is actually quite difficult to defend against Firesheep because most sites only permit SSL connections during the initial login, not while surfing other pages. As such, while your username and password are encrypted, your session ID is available to all other machines on the same network.

In a previous post, Mike showed how to detect the use of Firesheep on a local network by using Wireshark and Scapy. Well, today, we're releasing a new Firefox add-on which makes the detection of FireSheep available to everyone and we're calling it BlackSheep!

BlackSheep installed

BlackSheep is a Firefox add-on which warns users if someone is using Firesheep on their network. It also indicates the IP address of the machine that is spying on you.

BlackSheep warns that someone is using FireSheep

Install BlackSheep add-on for Firefox 3.x

How BlackSheep works

To understand how BlackSheep works, we first need to understand the details of FireSheep. FireSheep listens to the HTTP traffic on port 80. When it identifies a transaction to a known site (Facebook, Google, Yahoo!, etc.), it looks for specific cookie values which are then used to identify a specific user. This phase of the attack cannot be detected as it is done passively.

When FireSheep identifies a user session, it then makes a request to the same site using the user's cookie values in order to retrieve user information such as their name, picture, etc. This active network activity is however visible to others on the local network.

BlackSheep detects the active connection made by Firesheep. It does this by making HTTP requests to random sites handled by FireSheep every 5 minutes (configurable) with fake values. BlackSheep then listens to all HTTP requests on the network to detect if somebody else is using the same fake values.

Use Firesheep to combat.... Firesheep!

BlackSheep is based on the FireSheep source code. It reuses the same network listening back-end and the list of sites and corresponding cookies, etc. This ensures that the fake traffic generated by BlackSheep is what Firesheep is expecting.

BlackSheep in action

First, install BlackSheep here. If you already have FireSheep installed, make sure it is disabled, otherwise BlackSheep will detect that you are using FireSheep.

Then select the correct network interface in the options menu (same as FireSheep).

BlackSheep preferences menu

By default, BlackSheep generates fake traffic every 5 minutes. You can change this value in the option settings.

If Firesheep is detected, you will see the following warning in your current browser tab.

BlackSheep notification


Finally, here is a video of BlackSheep in action.



Install BlackSheep add-on for Firefox 3.x


Surf safe!

Requirements

In order to install BlackSheep, you need:
  • Mac OS X: 10.5 or newer on an Intel processor.
  • Windows: XP or newer. Install Winpcap first!
  • Linux:  available here
  • Firefox: 3.5 or newer. 32-bit only.



-- Julien

70 comments:

Anonymous said...

FYI, I installed it on Firefox 3.6.12 on a Windows XP laptop. When I click the Options button, I get an error saying "JavaScript Application
ReferenceError: Cc is not defined"

When I click OK on that window, the preference window comes up, but there is nothing to select for the Interface -- it's blank.

Not sure what all this means, but there you are!

Thank you for this add in.

Anonymous said...

Yup, I get the same error on the same FF version.

Anonymous said...

Hmm and same error with Firesheep. Iiinteresting.

Seth said...

Same here. The "Javascript ReferenceError: Cc is not defined" occurs and my interface combo box is empty.

Anonymous said...

I get the same error.

Anonymous said...

Figured it out -- install winpcap and it works.

Julien Sobrier said...

@all I've added the requirements. On Windows, you need Winpcap: http://www.winpcap.org/install/default.htm

Anonymous said...

I'm using Firefox 3.6.12 on OS10.4.11. This just crashes my browser, I can't even open Firefox to uninstall the damn thing. Where can I find it on my hard drive to delete it?

Anonymous said...

Please can you make it compatible with Firefox 4 Beta 7?
The release for Firefox 4 is only a couple of months away.

Asa Dotzler said...

This seems just silly to me. The real bad guys aren't using Firesheep. They're using more sophisticated tools that probably do things like encrypt the request so you can't match on it.

Defending against Firesheep is shooting the messenger without actually doing anything about the real problem.

Benjamin said...

# Windows: XP or newer. Install Winpcap first!


if you dont have Winpcap, you will get "ReferenceError: Cc is not defined"

pogue said...

I don't see how this tool (or even FireSheep) can be useful, at least in Windows, since Winpcap doesn't support the majority of wireless adapters in the first place.

Which network adapters are supported by WinPcap? - Winpcap.org

Anonymous said...

same thing as a previous commenter - firefox now crashes as soon as i open it. where is blacksheep on my harddrive so i can delete it?

Anonymous said...

Are you going to publish the source code?

Matthias Vallentin said...

@Asa: detection can be of valuable use for network operators to locate users that violate the network policy. For example, if I was a hotspot provider I would like to know and perhaps take action if my customers use Firesheep.

I also wrote a detector for the Bro intrusion detection system. Unlike Blacksheep, it is completely passive: http://bit.ly/crqwVF

Anonymous said...

soon as i installed this firefox crashes on startup, i can't even get this uninstalled.
where does this hide so i can get rid of it..

Anonymous said...

Re: Blacksheep crashing OS X. goto: ~Library/Application Support/Firefox/Profiles/.default/extensions OR look up Zscaler in spotlight and delete the folder with Zscaler in the name. Hope this hleps.

Julien Sobrier said...

I'm looking at the issuers that were reported, including the crash.

If you need to remove the plugin wand Firefox does not start, go to /extensions (Linux: .mozilla/firefox/xxxx.default/extensions, On Windows C:\Users\Your_Name\AppData\Roaming\Mozilla\Firefox\Profiles\xxxx.default\extensions) and remove the folder jsobrier@zscaler.com.

Or start Firefox in safe mode (firefox -safe-mode), choose to disable all plugins, and uninstall BlackSheep.

I will release an update soon.

Anonymous said...

Hello,

Just FYI for the author, the addon seems to break some parts of managing the bookmarks functionality on Firefox.

Please see more detailed bug @

https://support.mozilla.com/en-US/questions/763469

Anonymous said...

Took me time to read all the comments, but I really enjoyed the article.chanel bags

Anonymous said...

Is the source code going to be released? I am curious if a detection event (Firesheep sniffer found) occurs, if something like FireSheperd can be executed.

http://notendur.hi.is/~gas15/FireShepherd/

Thanks for the plugin!

Julien Sobrier said...

To get the source code, unzip blacksheep-latest.xpi. Most of the new code is in chrome/content/overlay.js

To get the code of fireshee-backend.exe, go to Firesheep's repository: https://github.com/codebutler/firesheep/tree/master/backend/

roberts said...

"It also indicates the IP address of the machine that is spying on you."

So now, how 'bout we get this tidbit incorporated into something like DD-WRT (open source AP/wireless router firmware) to auto-magically block the MACs of the machine that turns up guilty?

I realize Starbucks isn't going to hack their AP config to provide this, but in situations where it can be done...

Matthias Vallentin said...

roberts, if you can get Bro running on DD-WRT, you're essentially done (modulo memory requirements). Blacksheep is an interactive detector for the browser, but if you want 24/7 network monitoring, take a look at a network intrusion detection system (NIDS) such as Bro which operates beyond simple pattern matching and can detect sidejacking attacks.

Julien Sobrier said...

It looks like the crashes on Mac happen with MacOSX 10.4 and lower. You need MacOSX 10.5 or higher.

Julien Sobrier said...

To all Mac users: You might get prompted for a password if you use FileValut. See https://github.com/codebutler/firesheep/issues#issue/9 for more details.

If you have a problem with the bookmarks, please get version 1.2: http://www.zscaler.com/research/plugins/firefox/blacksheep/blacksheep-latest.xpi

e.semog said...

Any chance for a stand-alone tool, or a port of the extension to Chrome? I don't use Firefox anymore. :(

e.semog said...

Any chance for a stand-alone tool, or a port of the extension to Chrome? I don't use Firefox anymore. :(

Anonymous said...

No installing for Firefox 4 Beta 64 Bit :-( Can you maked ???

Thanks GEORG

Anonymous said...

so...what to do if Blacksheep does tell you that someone is using Firesheep on your WiFi network?

Julien Sobrier said...

If you manage the network, you could block it: get its MAC address, and block it on the wireless router.

If you are a simple user: make sure you don't login to any site, or move to a new network.

Anonymous said...

another question:
what happens if BlackSheep says your IP address is the one responsible for using Firesheep on your WiFi network?

Does that simply mean some program (like a remote desktop app I was using) is getting picked up?

Anonymous said...

I updated to the latest version and still have bookmarking issues (i.e. when I choose Bookmark this Page it doesn't offer me a pop up window to control the placement of it or name it, etc...it does however, still add it to my list of bookmarks).

Julien Sobrier said...

about BlackSheep showing your IP address - Make sure you have version 1.3. There was a bug in 1.0 that could lead BlackSheep to detect itself as Firesheep.

Julien Sobrier said...

@e.semog I will look into making a stand-alone tool...

Julien Sobrier said...

@all the latest version works for 4.0 up to 4.0b8pre

MarXPacE said...

This application caused me no end of problems when I loaded it onto firefox. It crashed, stalled and slowed my system. The only way to deal with it is to go into the browser add-on menu and uninstall it. And that cured all the issues.

Anonymous said...

I'm receiving a false positive message. I just have two devices in my wirelees network my win7 PC and an iPhone. the extension says the PC's IP address is using firesheep, but I don't have it installed on my firefox 3.6.12;

Trond said...

The real problem is not hackers and script-kiddies but the lack of security. I think Firesheep and Blacksheep finally will make people and businesses take this seriously. Hacking WEP, WPA, WPA2, EAP, spoofing MAC-addresses, man-in-the-middle-attacks, injections, and all of this are actually old news. It makes lazy people easy targets. The encrypted networks are easy to hack, not because of the encryption levels, but how they exchange the encryption keys.. If a real hacker wants to get into your server and your're on WLAN - you have a problem!

Anonymous said...

BlackSheep seems to interfere with the Bookmarking function in Firefox 3.6.12 (Win7, Blacksheep version as of 11/15/2010). If I try to bookmark a tab that already exists the Edit window doesn't pop up; if I try to save a new Bookmark I get no option to choose a folder in which to save it. Everything is saved to the main Bookmark list. If I disable BlackSheep the Bookmark functions return.

Julien Sobrier said...

The bookmark issues has been reported by several people. I can't reproduce it, so I have not been able to find the root cause yet. You might want to update to the latest version (1.4); it does not fix the problem entirely, but it does improve it.

SDsc_rch said...

thx for putting this up

Anonymous said...

The bookmark problem for FF is also present on the Mac. Same version, 3.6.12, but on OS X 10.6.5.

Not fixed in v1.5 of the extension.

Patrick said...

Can you please fix this: http://img249.imageshack.us/img249/7554/46619099.png

I've been having that problem since version 1.0 of Blacksheep.

Whenever I select the Interface dropdown there is no option in it.

I'm using Tete009's Firefox builds btw.

Julien Sobrier said...

@Patrick I've seen this issue on Linux where firesheep-backend --list-interfaces would not show any interface, but not on Windows. On Mac and Linux, a list of most common interfaces is added in case none is found, but I Could not do the same on Windows as there is no standard names.

Anonymous said...

For those who are getting the ReferenceError: Cc is not defined message, you need to install WinPCap. It is listed as a requirement.

kk said...

I'm on a password protected network on a Mac, and it came up. Does that mean someone was able to get into my home network?

TuXi said...

Hi, thanks for this plugin !
However I have an issue with it: I just launched it and it seems that blacksheep has detected himself as a firesheep user...
Indeed the reported IP was mine, despite I am not using the firesheep addon...
Have you ever met this "glitch" ?

Julien Sobrier said...

@TuXi This could happen on older versions of BlackSheep, but I have not see this issue with 1.5

Anonymous said...

I am indeed using 1.5 with Firefox 3.6.13 on Mac OS 10.6.5 and just received a false positive of my own IP. I do not have Fire Sheep installed and no one else was on my network at the time (verified).

Julien Sobrier said...

I've found a problem with Windows Live. Every few requests, the Windows Live resets the TCP connection. This cause Firefox to re-issue the last request, so the same fake cookie value is sent twice.

I'm working on a fix. It will be part of BlackSheep 1.6

Julien Sobrier said...

Version 1.6 is available. It fixes a false detection, and covers the latest Firefox 4 beta versions.

Anonymous said...

Installed on a windows 7 64 bit laptop. No problems but I don't know if it is working or not.

Julien Sobrier said...

The best way to test BlackSheep is to open 2 Firefox instances: one with Firesheep, one with BlackSheep in "Demo" mode. This is what I did in the video.

Silivrenion said...

This leaves a false sense of security. If you've been on for five minutes, long enough for Blacksheep to pick it up, you've already been had. Fixing Firesheep is not the answer.. the answer is getting websites to use HTTPS more readily.

Bug Tracker said...

Hi, I'm using Windows 7 - 32 bit + Firefox 3.6.13 & I found some bugs on BlackSheep 1.7, it makes almost firefox shortcut malfunction like Ctrl+W (close tab), Ctrl+D (bookmark still function but the menu that usually appear after pushing Ctrl+D/clicking "star icon" on top-right @URL bar is missing), and another shortcut too. Hope next release could fix this bugs & one more question, should I'm running firefox with full privilages (Run as administrator) when blacksheep addon installed? Thx before & great addons, keep moving =)

Elusis said...

Why isn't my BlackSheep plugin updating automatically? I just got a positive hit from 10.0.1.3 yesterday, and found today the remarks about false positives in Firefox 3.6.x for Mac, supposedly corrected in v1.6. But I still had 1.4 running because it had never updated.

Julien Sobrier said...

@Elusis I have not been able to figure out why updated for BlackSheep do not work, but work for other plugins we've released.

Anonymous said...

I've installed both Firesheep and Blacksheep to replicate the demo in the video. I see the list of sites that Firesheep is picking up, most of which have error messages. However, I don't see the Blacksheep notification in Firefox telling me that I am listening in with Firesheep. Is there a setup problem or is it because I am running both on the same session?
Thanks!

Anonymous said...

This plugin affects Bookmark toolbar in FF 4.0

Julien Sobrier said...

Some users have reported issues with the bookmark (even in 3.6) after installing BlackSheep. I have not been able to replicate the issue so far.

Julien Sobrier said...

@Anonymous Make sure Firesheep and BlackSheep are listening on the same interface. Also, with version 1.7, make sure you have checked the "Demo" option is BlackSheep, otherwise it will ignore traffic coming from your own IP address.

Claas said...

Hi @ all,
wanted to install Blacksheep on my laptop (Win7 Pro, 64 bit) to have some basic protection against Firesheep. I use FF 4.0 and have some problems as some other users that the bookmark toolbar disappeared from FF (however that shows up again when dis-/enabling it).
However I can't select any interface within Blacksheep options (Yes, Winpcap is installed) - assume with this interface field being blank I will have no use of Blacksheep?
Thx for some advice on that
Claas

Anonymous said...

I'm running XP (SP3) with Firefox 4.01. I've downloaded WinPcap first, then Blacksheep.

In the Options window, the Interface pull down menu is blank and no other option is available.

Does something need to be configured with WinPcap in order to be able to select something in the Interface menu of Blacksheep?

Please advise.

Anonymous said...

Neither Firesheep nor Blacksheep are compatible with Firefox 5.0. Are upgrades coming?

Julien Sobrier said...

BlackSheep 1.7. is compatible with Firefox 5.x You can get it at http://www.zscaler.com/researchtools.html

Anonymous said...

Is BlackSheep 1.7.2 compatible with Firefox 7? In the options window, the interface pull down menu is blank. It was working fine in Firefox 3.6 and WinPcap. Thanks!

Anonymous said...

I have same problem as Anonymous of Oct 15, 2011, i.e. "With Firefox 7.1, in the options window, the interface pull down menu is blank." WinPcap is installed.

Liz P said...

Hi - just installed version 1.7.2, Firefox 13.0.1 on Mac 10.5.8 and am experiencing the bookmarking problem mentioned by others. It is not possible to add a new bookmark or to edit an existing bookmark in the address bar. I use Xmarks to share bookmark collections so this is a nuisance. Very glad you have made this add-on though! Many thanks.

Liz P said...

Hi - just installed version 1.7.2, Firefox 13.0.1 on Mac 10.5.8 and am experiencing the bookmarking problem mentioned by others. It is not possible to add a new bookmark or to edit an existing bookmark in the address bar. I use Xmarks to share bookmark collections so this is a nuisance. Very glad you have made this add-on though! Many thanks.