Monday, March 09, 2009

Hamster 2.0 and Ferret 2.0

I updated my Sidejacking tools Hamster and Ferret. You can get them from the site http://hamster.erratasec.com (or, if DNS hasn't propagated yet, you can grab a zip or tar from the main site).

Biggest change is that the tools now work on Linux and Mac OS X. Previously, Ferret was cross platform but Hamster was stuck on Windows. Hamster was written to be mostly portable, but I never got around to fixing the last few bugs on Linux.

Another change is that you can launch Ferret directly from within Hamster. Just tell Hamster which interface you want to sniff, and it will go off and do it. Kinda makes you forget that Ferret exists. You also get status updates on the screen so you can keep track of how many packets you've captured (so that you know that it's actually working).


51 comments:

Brad said...

Robert,

Does this project have specific MS library dependencies? I can't get ferret to build in Visual Studio 2005 - there's a ton of errors related to strncpy_s (example: "error C2733: second C linkage of overloaded function 'strncpy_s' not allowed").

Looks really cool, though.

Robert Graham said...

No, it doesn't have any special dependencies.

The problem you are encountering is that there is no 'strncpy_s' in older compilers. I have my own. Thus, it's conflicting in the newer compilers. The trick is to go remove it, or add an #ifdef to see if there is a newer compiler.

I've focused on getting it working on Linux this last weekend. Right now, I'm compiling for Mac OS X (v2.0.1). After that I'll get it compiled on VisualStudio 2005 (v2.0.2). Should be up by tomorrow.
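
The `#ifdef` guard suggested in the reply above, as an added example (not code from Ferret or its author): the fallback is compiled only when the compiler is not Visual Studio 2005 or later (`_MSC_VER` 1400, the first release whose CRT ships `strncpy_s`), so the two declarations can never collide. The names `compat_strncpy_s`, `HAVE_NATIVE_STRNCPY_S` and `copy_adapter_name` are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Visual Studio 2005 (_MSC_VER 1400) and later already declare strncpy_s,
 * so a private definition under the same name triggers error C2733. */
#if defined(_MSC_VER) && _MSC_VER >= 1400
#define HAVE_NATIVE_STRNCPY_S 1
#endif

#ifndef HAVE_NATIVE_STRNCPY_S
/* Hypothetical fallback for older or non-Microsoft compilers.
 * Copies at most `count` bytes of src into dst (capacity dst_size) and
 * always NUL-terminates. Returns 0 on success, EINVAL for bad arguments,
 * ERANGE when the requested bytes do not fit; dst is emptied on error. */
static int compat_strncpy_s(char *dst, size_t dst_size,
                            const char *src, size_t count)
{
    size_t n;

    if (dst == NULL || dst_size == 0)
        return EINVAL;
    if (src == NULL) {
        dst[0] = '\0';
        return EINVAL;
    }
    /* Measure what would be copied, never scanning past dst_size bytes. */
    for (n = 0; n < count && n < dst_size && src[n] != '\0'; n++)
        ;
    if (n >= dst_size) {          /* no room left for the terminator */
        dst[0] = '\0';
        return ERANGE;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}
/* Call sites keep using the strncpy_s spelling on every toolchain. */
#define strncpy_s compat_strncpy_s
#endif

/* Hypothetical caller: store a (possibly very long) adapter name in a
 * fixed buffer, truncating instead of overflowing. */
int copy_adapter_name(char *out, size_t out_size, const char *name)
{
    if (out == NULL || out_size == 0)
        return EINVAL;
    return strncpy_s(out, out_size, name, out_size - 1);
}
```
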

Robert Graham said...

I compiled and ran with Visual Studio 2005, it works fine except for those minor errors. Once I complete my testing with Mac OS X, then re-test with Linux, I'll push it up to the website. You'll see new directories ferret/build/vs05 and hamster/build/vs05. I haven't tested 64bit yet though.

mokum von Amsterdam said...

Good news! Does this mean the iPhone version of hamster is anywhere close too?
[BTW the osx bin version is 404]

Robert Graham said...

I'm not sure we can get promiscuous mode packets with the latest iPhone firmware.

mokum von Amsterdam said...

No need to publish, just an explanation of the OSX bin '404' remark.

It is about the link on the http://hamster.erratasec.com/ site.

Cheers and thanks again for the super work.

Robert Graham said...

Oh, that. It's because there is a bug on Mac OS X that I'm currently working on fixing, which is why the Mac OS X version links to 2.0.1 -- that will be the version when I fix this bug.

Robert Graham said...

Ok, I made my changes, and the Mac OS X binaries are up there now.

Lee said...

An alternative method that does not require the victim to use a proxy is described here:

http://www.go4expert.com/forums/printthread.php?t=15474

The method involves ARP spoofing, but works just as well without cain if one has access to a SPAN port or network tap. Just copy the GX cookie from NetworkMiner and use it in your favourite browser.

mokum von Amsterdam said...

Require the victim to use a proxy?

Hmm, I think you misunderstood. Hamster just listens quite passively to a datastream [or dump] and picks out the session cookie, no need for anyone to use a proxy... just sniff the traffic.

Ferret does what Network Miner & cookie Editor do combined.

The added feature from the link you sent is that one can pickup a datastream normally hidden by a switch. But it could make a lot of bells and whistles go 'ding!'

MadmanTM said...

weird, I have tried to use it in windows, so I tell ferret to use my wireless adapter, then I load up hamster, but the adapter stays with ETH0.

is there a way to specify in windows the correct adapter that it's using?

thanks again.

Robert Graham said...

Good question.

The "eth0" is just the default value I put in the web page, it does not reflect a good choice.

Use ferret on the command line to find the adapter. Type "ferret -W" to get a list of Windows adapters. Windows puts annoying long names on adapters, so you can shorten it by using the index.

For example, on my machine, the index for the wireless adapter is '1'. Therefore, when I start hamster, I replace that 'eth0' with '1', and it works just fine.

In some future version, I'll get Hamster to scan the system looking for adapters. The reason it doesn't is because it's designed to run also on Linux and Mac. Getting a list of adapters on those systems can be problematic -- they don't like to tell me about adapters that I can open in promiscuous mode that don't have IP addresses associated with them.

ocb said...

with my realtek under ubuntu (start with airmon-ng before)

hamster:
starting adapter wlan2
execle(ferret): No such file or directory

ferret:
-- Sniffing on interface "wlan2"
SNIFFING: wlan2
LINKTYPE: 119
ID-MAC=[00:07:

--------------------------------------

with my realtek under ubuntu, but with airmon-ng (and airtun-ng to decrypt wep packets in real time)

ferret:
-- Sniffing on interface "at0"
SNIFFING: at0
LINKTYPE: 1 Ethernet

(i think it's not able to sniff with this interface)

hamster: (the same problem):

starting adapter at0
execle(ferret): No such file or directory

ocb said...

ok sorry, i have (don't start airodump before airtun)
ferret work

with at0:

proto="HTTP", op="GET", Host="forum.backtrack-fr.net", URL="/index.php", cookie="punbb_cookie=a%3A2%3A%7Bi%...

but the problem is hamster:

execle(ferret): No such file or directory
starting adapter at0
execle(ferret): No such file or directory
starting adapter wlan1
execle(ferret): No such file or directory

ocb said...

sorry, it works very good (the error is I haven't used hamster and ferret in the same directory)

Robert Graham said...

Yes, the error message "execle(ferret): No such file or directory" means that ferret isn't in the same directory as hamster. They need to be together.

kregel said...

Hello, I'm testing Hamster 2.0 right now.
but, i've one problem right now. It keeps saying no cloned target.
I tried this with my eth0 interface, and also with my wlan0 interface running under backtrack 4 Beta. The packets increasing all the time, but it keeps saying "No cloned target".

Any ideas to make Hamster Ferret to work in my situation?

Robert Graham said...

No cloned target

In order to clone a target, you must click on one of the IP addresses on the screen.

If you don't see any IP addresses, then something else is wrong. If you take a packet capture (such as with Wireshark or tcpdump or with Ferret) and send it to me, I could probably figure out what is going wrong. Send to robert_david_graham at yahoo.com.

kregel said...

@Robert:

thanks for your reply. a list of ip addresses does not appear.

I'll try to send a dump tonight to your email-address: robert_david_graham at yahoo.com.

mauro said...

hey there, I've tried hamster and ferret at windows, it works great, but at ubuntu ferret shows a GUI... is it normal? I don't know how to work this way. shouldn't it be command line?

Anonymous said...

will future releases be able to sniff wifi out of the network?

Robert Graham said...

will future releases be able to sniff wifi out of the network?

Current versions can.

Sniffing wifi is a feature of your wifi adapter. Some support promiscuous mode, some don't. I'm currently testing adapters to figure out which support promiscuous mode on Windows.

Malgoth said...

Hello,
seems my Atheros AR5007EG doesn't support promiscuous mode =(
Is there anything I can do with that? Running WinXP SP3 on Samsung NC10 netbook.


C:\sidejacking>ferret -i 2
[0] ferret
[1] -i
[2] 2
-- FERRET 1.2.0 - 2008 (c) Errata Security
-- build = Mar 9 2009 13:00:50 (32-bits)
-- WinPcap version 4.1 beta5 (packet.dll version 4.1.0.1452), based on libpcap version 1.0.0
1 \Device\NPF_GenericDialupAdapter (Adapter for generic dialup and VPN capture)
2 \Device\NPF_{70BD798A-F29C-4BF8-90DA-D23EEE2E5F83} (Atheros AR5007EG Wirele
ss Network Adapter)

-- Sniffing on interface "\Device\NPF_{70BD798A-F29C-4BF8-90DA-D23EEE2E5F83}"
\Device\NPF_{70BD798A-F29C-4BF8-90DA-D23EEE2E5F83}: failed to set hardware filter to promiscuous mode
timeout(1): unknown linktype = 0 (expected Ethernet or wifi)
-- graceful exit --

Anonymous said...

hi,

ferret gives error, will not load cookies, gets segfault after running when compiled in ubuntu 64 bit; no compile errors when made. works fine in ubuntu 32 bit; other than that it is great, thanx.

aerokid240 said...

Just wanted to say that I got this working in BackTrack 4. Wasn't working at first, ferret was able to sniff the cookies but hamster wasn't showing any hosts. I figured that hamster wasn't seeing the hamster.txt file and boy was I right. Apparently the hamster.txt file must be in the same folder as the hamster executable. Hope everyone gets this working, great tool.

Dave said...

In response to the comment about ferret and hamster needing to be in the same directory -

I have them in the same directory (as well as all files from the http://hamster.erratasec.com/downloads/hamster-macosx-2.0.1.zip download), and I still get the same message.

Any other ideas?

Dave said...

Robert,

I get the following message after specifying the adapter I want to listen to:

"starting adapter en1
[...]
ERR:libpcap: no adapters found, are you sure you are root?

-- Sniffing on interface 'en1'
en1: (no devices found) /dev/bpf0: Permission denied
-- graceful exit --"

I'm not sure what to do with this. Can you help?

Robert Graham said...

I suspect the problem is that you are not root.

In order to debug Ferret, get a root prompt, and type "./ferret -i eth1". If you get the same error, then I have to debug it. The /dev/bpf0 confuses me. What version of Linux are you using? The latest Backtrack 4?

Dave said...

Hi Robert,

Doing things as root got me past the problem. Thanks for your help.

Now the problem is that within seconds of telling hamster what adapter to pay attention to, I get the following message: "Hamster Proxy crashed or disconnected, err(readystate=1)". Is this a common problem too?

Dave

Dave said...

I couldn't figure out what the problem was, so I moved to a Windows machine. Now I feel like an idiot again, because I can't figure out how to identify the adapter names from the Windows command line. I know I used ifconfig on my Mac. Can anyone help?

Felix said...

If you type ferret -W in windows you will see your Adapters.


So I hope you can help me with my questions:

I tested ferret and hamster in windows XP and Backtrack4 pre final.
But I don't have success.

MY Steps in WINDOWS:
I captured the traffic with wireshark. The promiscuous mode works in Windows and BT4. I am using the Alfa USB Adapter 500 mW.

So after capturing I saved the file in wireshark to demo.pcap.

With ferret -r demo.pcap I extracted it in the hamster directory. Then I ran hamster and turned on the Proxy in Firefox.

If I go to http://hamster I can only see the IP as target from the PC I was running wireshark.

I cannot see the other Computers on which I logged in to googlemail or facebook. The other Computers are tracked in wireshark, but the IP doesn't appear.

----------------

If I use it in BT4 without wireshark, like it's described in the Tutorial:
I see NO IP.

It often says 2 Targets but doesn't show the IP ;-(


Does it only work in Firefox and not in the Internet Explorer?

Does the victim have to close the Browser with X ? It seems so that it even doesn't work if the victim used the Logout Button!

i hoped you can help me, cause I tested a long time without success.
I tested my german googlemail account, Ebay, xing and so on ...

Edward said...

it's fantastic tool.
thanks for this great job

o891 said...

Hi Robert,

firstly good effort. Very impressive.

Unfortunately I am having a problem. The target list only shows my own IP (tried on mac os x and bt4). Once it did show another vista machine, but whatever I did on vista (log into gmail, yahoo mail, fbook, etc) no cookies show up. Interestingly the only two cookies it shows are from the vista upnp media server.

The capture seems to work as the packet list keeps growing but the cookies from any non-local machine dont show up.

Do you know why that may be happening?

Thanks!
Oliver
oliver{AT}ethz{DOT}ch

David said...

I am using hamster on Backtrack 4, i run airmon-ng start wlan0 7, to set my card to monitor mode on ch 7
i then start hamster, and run firefox and select adapter mon0
I can see loads of packets and my own ip address but not my xp machine which i am logging on to my gmail account for testing.

I also noticed that after selecting adapter in hamster on the webpage, it changes the channel to 6, but my ap is on ch7.

Can any one help ?

Micah said...

@David, I have the same issue. It always changes the adapter to chan 6.

Primenumber said...

My mon0 device also switches to channel 6. Is there any way to change it once it's started?

Admin said...

@Dave,

I'm using a Mac too.
I don't know why, but in order to use bpf* devices (en0, en1, ...) you have to manually correct the permissions.

try this, sudo chmod go+r /dev/bpf*
It works fine for me.
But the thing is, the permission will come back to default after you reboot your OS.

Logan said...

same issue, on mac os x. all files in same directory, ran as sudo. but hamster still says it can't locate ferret.

Logan said...

I don't know if my last comment went through, my internet cut out.


I'm running this on mac, Hamster and ferret are in the same, yet when I attempt to scan in hamster it says that ferret can not be found. I can run ferret on its own, but not through hamster.

please help.

Marisa Fagan said...

Hi Logan,

We are no longer officially supporting the Hamster/Ferret project, but if you would like to email me your contact information at marisa@erratasec.com I can let you know if your question gets answered in a future release.

There is a FAQ here: http://www.erratasec.com/research.html under the SIdeJacking.zip link.

Alexis said...

Hello,
I'd like to get some help, because I have a problem when I try to install ferret on linux (10.04), when I "make" (as root) I get many errors such as "../../src/module/pcaplive.c:321: error: for each function it appears in.)
../../src/module/pcaplive.c:322: error: ‘struct PCAPLIVE’ has no member named ‘freealldevs’
../../src/module/pcaplive.c:322: error: ‘null_PCAP_FREEALLDEVS’ undeclared (first use in this function)
../../src/module/pcaplive.c:323: error: ‘struct PCAPLIVE’ has no member named ‘lib_version’
../../src/module/pcaplive.c:324: error: ‘struct PCAPLIVE’ has no member named ‘lookupdev’
../../src/module/pcaplive.c:325: error: ‘struct PCAPLIVE’ has no member named ‘major_version’
../../src/module/pcaplive.c:326: error: ‘struct PCAPLIVE’ has no member named ‘minor_version’
../../src/module/pcaplive.c:327: error: ‘struct PCAPLIVE’ has no member named ‘open_live’
../../src/module/pcaplive.c:330: error: ‘struct PCAPLIVE’ has no member named ‘can_transmit’
". I don't know what to do ... (g++ package is installed)(P.S sorry for my approximative english)
Thank you !

Nima said...

Hi all
I'm using hamster in Backtrack4 R1. Hamster finds the cookies of Gmail but when I want to load the Gmail (e.g. mail.google.com) in the browser that its proxy has been set to 127.0.0.1:1234 it says: Firefox can't find the server at www.google.com. Even I can load the page www.google.com with grabbed cookies by hamster and the other websites through that browser but I can not go to Gmail. What's the problem?
I guess Google detects Hamster proxy and block it.

Louis said...

Hello, first, please excuse my english : I am French.
As you can imagine, I have a problem with Hamster/Ferret.

Ferret :

louisabraham:~ louisabraham$ sudo /Users/louisabraham/hamster-macosx-2.0.1/ferret -i 3
Password:
[0] /Users/louisabraham/hamster-macosx-2.0.1/ferret
[1] -i
[2] 3
-- FERRET 1.2.0 - 2008 (c) Errata Security
-- build = Mar 9 2009 14:41:47 (32-bits)
-- libpcap version 1.0.0
1 en0 (No description available)
2 vnic0 (No description available)
3 en1 (No description available)
4 vnic1 (No description available)
5 en2 (No description available)
6 lo0 (No description available)

-- Sniffing on interface "en1"
SNIFFING: en1
LINKTYPE: 1 Ethernet
proto="CUPS", ip.src=[192.168.0.12], type=482901
proto="CUPS", ip.src=[192.168.0.12], state=0
proto="CUPS", ip.src=[192.168.0.12], uri="e"
proto="CUPS", ip.src=[192.168.0.12], location="3"
proto="CUPS", ip.src=[192.168.0.12], info="ipp://192.168.0.12:631/printers/Photosmart_C309a_series__0FF278_"
proto="CUPS", ip.src=[192.168.0.12], model=""

And, then :

Error reading capture file header
./sniff-2011-02-27-eth.pcap: Resource busy

A lot of times : the capture .txt file is 2.3 Mo heavy.

So it is normal that Hamster "echoes" :
louisabraham:~ louisabraham$ /Users/louisabraham/hamster-macosx-2.0.1/hamster
--- HAMPSTER 2.0 side-jacking tool ---
Set browser to use proxy http://127.0.0.1:1234
DEBUG: set_ports_option(1234)
DEBUG: mg_open_listening_port(1234)
Proxy: listening on 127.0.0.1:1234
begining thread
starting adapter en1
execle(ferret): No such file or directory

And Ferret and Hamster are in the same directory as you can see in the command lines.

Can you help me please ?

Mac OS X 10.4.6

L. ABRAHAM

e_tietze said...

I've just downloaded Hamster and Ferret for OSX. I'm running them as root through terminal. They are in the same directory. I keep getting execle(ferret): No such file or directory error message every time I choose an adapter to monitor. Am I missing something?

Dan Cooper said...

Is it too late to try these tools out? The download links are dead.

Anonymous said...

@Dan Cooper

it's not too late, the .zip link works. I found 2.0 for windows last year but I can't remember where I got them. The ones in the .zip link I believe are for linux. It's a nice program, very easy commands, which reminds me, the guy who asked about the net adaptor problem, 'ferret -w' should list your adaptors and use the number next to the one you want to use.

Anonymous said...

Backtrack5 r1 still had the tools, they are very nice. I am tweaking Ubuntu12.04 and wishing those tools were available. It is nice to show the SoHo how vulnerable they can be, especially on an insecure wireless connection. Most of my customers do not believe it until they see it.

Jeroen Jacobs said...

Great stuff! I managed to compile Ferret and Hamster on a PandaBoard now (has an ARM CPU) without problems.

One quick question: Is it possible to have hamster bind on all available ip addresses instead of 127.0.0.1? My pandaboard has no gui, so I can't use a browser on the machine itself.

Logicfish said...

The DNS hasn't propagated yet. ahem.

Anonymous said...

Ferret & Hamster for win
(compiled on VS6):
http://www.sendspace.com/file/13ogi2

Puky said...

Same question as Jeroen Jacobs, i'm using Hamster on RaspberryPi and would like to access the proxy from another machine without the need of an SSH tunnel.

Great tool!! 5 years later and it still rocks.