Ubuntu, Firesheep, aircrack-ng and WPA
Following some tinkering I’ve been doing with airtun-ng (and a bugfix I made to ticket #667 to support decrypting WPA CCMP AES QoS packets) it is (now) possible to live capture/sniff WPA traffic providing the WPA handshake is observed. In effect this allows firesheep (and sidejacking in general) to work on a WPA (PSK) network.
Step 1: Firesheep
Firstly you need to get firesheep completely setup, this is outside the scope of this guide – there are excellent instructions provided on the infamous github pull request #70. Once firesheep is setup and you’re able to pick an interface you should proceed.
Step 2: aircrack-ng
Now we can move onto patching aircrack-ng to support WPA networks, to do this you need to do do a checkout from svn, patch the code and then compile it yourself.
$ svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
$ cd aircrack-ng/src
$ wget http://trac.aircrack-ng.org/raw-attachment/ticket/667/ticket-667.patch
$ wget http://trac.aircrack-ng.org/raw-attachment/ticket/74/airtun-ng-wpa.patch
$ patch -p0 < ticket-667.patch
$ patch -p0 < airtun-ng-wpa.patch
$ sudo apt-get build-dep aircrack-ng
$ cd ..
With any luck this should now compile successfully and your new binaries should be located in the src/ directory.
Step 3: Bringing it all together
Now we’re ready to use aircrack to live capture off WPA networks and feed the data into firesheep for analysis…
Open up a terminal and run (change adapter names and substitute values as appropriate):-
$ sudo airmon-ng start wlan0 CHANNEL
$ sudo src/airtun-ng -a BSSID -e ESSID -p WPAPSK mon0
Note: Used airmon-ng from the standard package installed version since I couldn’t find it in svn and didn’t investigate too much/far!
This should start a tap interface on at0 (or similar) on which the decrypted traffic is fed. Now open another console and run (change IP address if it conflicts with your local subnet):-
$ sudo ifconfig at0 10.10.10.10 up
The IP address is needed since in my experience Firesheep appears to require it. Now open up Firesheep, go into preferences, pick the at0 interface and hit the Start Capture button.
Now on your other wireless client.. disconnect and reconnect to the wireless network (so that the WPA handshake can be observed) and login to Facebook. With any luck Firesheep should see the session and double clicking on that session should access your Facebook account via sidejacking.
If this doesn’t work use wireshark to monitor the traffic on at0 to see if you’re getting any data at all, the eapol packets for the handshake should be visible.
That’s all folks!