Firesheep and Monitor Mode

The Internet wireless community was set aflutter last week when Eric Butler, a freelance developer from Seattle, introduced Firesheep, a Firefox extension that is advertised as a way to perform sidejacking attacks over unencrypted wireless networks. The software is super slick and all, but what interests me is the way it handles frame capture. 

For those who may have missed it, Firesheep is a Firefox extension that allows users to view web sessions that are active on the channel. It works via a wired or wireless channel, but the prospect for wireless viewing received much more press because, A) nobody uses hubs anymore, and B) wireless vulnerabilities always get much more press.

The tool is slick and, as far as I can tell, a better name for it would be, "Screw Facebook". From the unscientific tests I've done, Firesheep users are able to gain limited access to other people's accounts on a number of popular sites, but the real eye opener is the ability to view and even post on other people's Facebook walls. This is a problem for Facebook users who frequent unencrypted WiFi networks, of course, but all of that has been dissected elsewhere. My interest is in how Firesheep does its sniffing, and more specifically the differences between Promiscuous mode and Monitor mode.

Promiscuous mode is used by Firesheep, so let's start with that. Many network interfaces can be put into Promiscuous mode. In fact, most NICs, both wired and wireless, may use it without having to load any special drivers. When an interface is put into Promiscuous mode, the network connection remains active. The difference between an active Promiscuous mode connection and a normal connection is that received frames that have a destination MAC address that fails to match the network interface's MAC address are kept instead of dropped. In the case of Firesheep, these kept frames are then examined with the goal of recovering information from cookies and other web-related information. The major limitation of Promiscuous mode is that the interface must have a connection to the physical network in order to make a capture.

Monitor mode, on the other hand, is used by sniffers like OmniPeek and AirMagnet. A number of network interfaces can be put into Monitor mode, but it usually requires a custom driver to make that happen. Some interfaces also cannot be placed into Monitor mode at all. For years Broadcom-based NICs were unable to be placed into Monitor mode due to Broadcom's policy on restricting the release of their driver code, but today that stance has softened (for example, KisMAC-ng can now be used with a Broadcom-based Apple Airport Extreme interface in Monitor mode1). When a network interface is placed into Monitor mode, it loses the ability to maintain an active connection. This is the major limitation of Monitor mode. This limitation is offset by having the ability to sniff on any physical channel even without a connection. From a hacker's perspective, this means that an interface running in Monitor mode can sniff secured networks, not just open ones.

For the purposes of what I do, Promiscuous mode is useless for the most part. It may be interesting to see Facebook walls in Firesheep, but to really analyze wireless networks I need lots of things that only Monitor mode can provide. This includes:

  • 802.11 Management and Control frames
  • Physical layer information such as rate, signal and channel
  • The ability to scan multiple channels quickly
  • 802.11 headers, for information like sequence numbers and Retry flags
I do recommend that folks check out Firesheep and also take a look at Promiscuous mode in Wireshark2, but for professional-grade WiFi sniffing you've got to get your wireless NIC into Monitor mode.

1I need to do a blog post about using KisMAC-ng with the Apple Airport Extreme adapter. That'll be added to the list along with the other half dozen posts that are in queue.

2Wireshark works with a Monitor mode-based interface in Windows by using an AirPcap USB adapter. The Linux version of Wireshark allows for a number of other wireless NICs to be put into Monitor mode.


  1. Interesting read. I have yet to actually mess around with the Firesheep plugin directly. When I had first read about it I was curious as to all the talk surrounding it. I would be very interested in a KisMAC-ng article. I've recently acquired a Macbook Pro and am still trying get all of my *NIX software working or find suitable alternatives.

  2. I think I have some KisMAC stuff in the archives, but I suppose a full breakdown is a good idea.


Post a Comment

Popular posts from this blog

Spectrum Deception

What's New (and Missing) in the WiFi for iPhone 6

Free Sniffing in Windows! (Kind Of)