Droidsheep

Method of Attack:

  • ARP Poisoning/Spoofing

Tools Required:

  • Android device with ROOT access.
  • DroidSheep APK
  • A Wireless Network

Time to Complete: Less than 10 Minutes

The app can be downloaded at: http://www.box.com/s/ipsluzrbotp6is01aj2b

I am going to give a simple but effective demonstration of how to hijack an internet session over a wireless network using an Android smartphone. This is just one of many ways to perform an ARP spoofing attack, but I wanted to show just how trivial this technique has become and how to better protect yourself from malicious attacks.

What is ARP? In a very simplified summary

ARP stands for Address Resolution Protocol and is used to associate an IP address with a physical address, or MAC address. A host (laptop/smartphone/tablet) that needs to obtain a physical address broadcasts an ARP request over the network, and the host (router/default gateway) that has the IP address named in the broadcast then replies with its physical address, or MAC address.

What is ARP Poisoning/Spoofing?

ARP Poisoning, also known as ARP Spoofing, is a technique used by both malicious (black hat) and ethical (white hat) hackers to intercept internet traffic from other hosts. The attacker performing the ARP poisoning attack sends spoofed (fake) messages across the wireless or wired network that associate the attacker's own MAC address with the IP address of the router (default gateway). This means that any network traffic going through the router (Facebook, Yahoo, PayPal... ANYTHING) will be intercepted by the attacker and then forwarded on to its original destination. From the victim's point of view, there is no sign that their network traffic has been compromised, making this one of the most destructive hacking techniques used today. This method can also be used as a breeding ground for other attacks, such as Denial of Service (DoS), Man in the Middle, or Session Hijacking. In this instance, we will use ARP Poisoning/Spoofing to perform a Session Hijacking attack.

Time to begin our attack

Step 1: Download and install the DroidSheep app

  • Visit http://www.box.com/s/ipsluzrbotp6is01aj2b and download the app.
  • Install it on your phone.
  • If there are any problems during the install, please comment on the forum site [Droid Forum – Hijack Internet Session Tutorial][1] and I can help.

Step 2: Join your phone to your test wireless network

  • Join a wireless network of your choice. I am assuming that you are doing this in a controlled environment and not at some public Wi-Fi at your local coffee shop.
  • Make sure your phone has access to the internet by trying to reach google.com or a similar site.

Step 3: Start your ARP Poisoning/Spoofing Attack

  • Open up the DroidSheep application that we installed in Step 1.
  • Check Accept for the DroidSheep Terms and Conditions and tap OK.
  • To monitor ALL traffic sent, make sure the “ARP-Spoofing” and “Generic mode” options are both checked. Then tap “Start”.
  • At this point, you have tricked the other hosts on the network into believing that your phone is the router (default gateway), and all unencrypted traffic will now be intercepted through your phone.

Step 4: Start browsing the Internet on another device

  • Now that your phone is intercepting ALL unencrypted traffic over your network, let's test to see if it works.
  • On your laptop or a different device, try browsing to various websites like Google, Facebook, Yahoo, or whatever you would normally visit when you turn on your computer.
  • Take a look at your phone. All the internet traffic you have been browsing should be shown on the screen and is vulnerable to attack.

Step 5: Hijack an internet session

  • Nowadays, most login passwords are encrypted, so this process will not work to get a username and password. However, it is common that after the login the rest of your session is NOT encrypted, still leaving you vulnerable to attack.
  • If you tap any of the sites that show up on your phone, you can open it up and hijack the session without the user's knowledge. In this case I hijacked my own Facebook profile.

Step 6: Protect yourself from attack

  • Now that you know that any “http” connection can be spoofed and hijacked, I will show you how to at least protect your Facebook account from malicious attack.
  • After you log in to Facebook, go to Account Settings.
  • Select the Security tab.
  • Click Edit next to Secured Browsing and make sure the option for HTTPS is checked.
  • That’s it. There are more security settings to make certain that you are secure, but this is the big step that will prevent ARP spoofing attacks on your profile.

HTTP vs HTTPS

HTTP URLs start with “http://” and by default use port 80, whereas HTTPS URLs begin with “https://” and use port 443 by default. HTTP is subject to many attacks, such as the one described in this tutorial, and HTTPS was developed to prevent those attacks from happening.

HTTPS (Hypertext Transfer Protocol Secure) is used with SSL (Secure Sockets Layer) to encrypt communication data and secure your information while browsing the internet. A wide variety of websites have already converted from unsecured HTTP to HTTPS, providing higher security for their viewers.
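From the site operator's side, the partially encrypted session described in Step 5 shows up in the response headers. The following is an added example, not code from DroidSheep or from the original tutorial: it audits a set of response headers for session cookies that lack the Secure attribute and for a missing HSTS header. The header values and the cookie name `session_id` are constructed assumptions.

```python
"""Audit response headers for session cookies that can travel over plain HTTP."""

# Constructed headers: the login ran over HTTPS, but the session cookie lacks
# Secure, so any later http:// request carries it in clear text on the network.
SAMPLE_HEADERS = [
    ("Set-Cookie", "session_id=3f9a1c; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]
HARDENED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=3f9a1c; Path=/; Secure; HttpOnly"),
]
# Assumption: which cookie names identify a session is site specific.
SESSION_NAMES = {"session_id"}


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lowercase attribute names)."""
    first, *attrs = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0]
    return name, {a.split("=", 1)[0].lower() for a in attrs if a}


def audit_headers(headers, session_names=SESSION_NAMES):
    """Return findings for session cookies exposed to a network eavesdropper."""
    findings = []
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    if not has_hsts:
        findings.append("no HSTS header: browser may still use http:// for this site")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name in session_names and "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure: sent over plain HTTP")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("sample", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs))
```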

Other Quick ways to stay safe

  • Browse with Mozilla Firefox or Chrome. There are many add-ons that will default to an HTTPS connection when one is available.
  • Make sure that there is a locked padlock icon next to the URL. This means that the site you are on is encrypted with 128-bit or 256-bit encryption.
  • With newer browsers, if a connection is secure, the URL will turn green so you know that you are browsing safely and securely.
  • From your phone, you can download an app from the Google Marketplace called DroidSheep Guard that will notify you if there are any changes in your ARP table. You can get the app here: [DroidSheep Guard][4]

So, like I said, it isn’t just Facebook that doesn’t encrypt your entire session. There are thousands of sites out there that are only partially secure, leaving sessions vulnerable. Whenever you come across a website where you are entering or saving personal data, make sure that you are on an HTTPS connection, or else someone might be intercepting your session and stealing your identity.