{"id":2992,"date":"2010-11-25T10:19:08","date_gmt":"2010-11-25T10:19:08","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=2992"},"modified":"2015-09-09T19:37:22","modified_gmt":"2015-09-09T11:37:22","slug":"blacksheep-detect-users-of-firesheep-on-the-network","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2010\/11\/blacksheep-detect-users-of-firesheep-on-the-network\/","title":{"rendered":"BlackSheep – Detect Users Of FireSheep On The Network"},"content":{"rendered":"

As you surely know, things blew up recently at Toorcon 12 with the release of the much talked about Firefox plugin called Firesheep<\/a>.<\/p>\n

There were various discussions about how to mitigate against it like using Firefox plug-ins to force SSL connections (where available). Microsoft also tried to secure Hotmail with SSL but kinda b0rked that too<\/a>.<\/p>\n

For the 1 person in the World left that doesn’t know, Firesheep allowed any user to seamlessly hijack the web session of another user on the same local network. Although such attacks are not new, the ease of use presented by Firesheep brought session hijacking to the masses.<\/p>\n

BlackSheep, also a Firefox plugin is designed to combat Firesheep. BlackSheep does this by dropping \u2018fake\u2019 session ID information on the wire and then monitors traffic to see if it has been hijacked. While Firesheep is largely passive, once it identifies session information for a targeted domain, it then makes a subsequent request to that same domain, using the hijacked session information in order to obtain the name of the hijacked user along with an image of the person, if available. It is this request that BlackSheep identifies in order to detect the presence of Firesheep on the network. When identified, the user will be receive the following warning message:<\/p>\n