We introduce DroidSheep, an application used to sniff network connections and capture all kinds of data, such as the usernames and passwords of certain services.
Spying on someone else’s network connections without authorization is illegal, as well as unethical, so use this information at your own risk; after all, human knowledge belongs to the world.
At RedesZone.net we have already talked about DroidSheep: “DroidSheep, application for Android phones that allows you to steal passwords”. This time we have tested it and we want you to know how it works.
We will also show you how DroidSheep Guard works, an application that detects whether someone is doing ARP-Spoofing with DroidSheep or another application, perfect for protecting ourselves from prying eyes.
Tutorial on how to use DroidSheep
DroidSheep is a sniffer that searches the network we are connected to for login cookies of different websites, such as Facebook, Tuenti, Google, Amazon, LinkedIn, YouTube, and several more. To protect ourselves against it, we must first know how it works.
Its main way of working is to do an ARP-Spoof on encrypted networks, or simply to listen for login cookies on open networks.
The developers stopped supporting the application some time ago for legal reasons, as indicated on their website, but the .apk installer can still be found by searching the internet. The latest official version is v14, and the device must be rooted.
There are fake versions that claim to be v15 and higher, but they are nothing more than that, fakes, as explained by the DroidSheep developers on their official Twitter account.
Once we install the application, it will create an icon in the applications menu, from which we will run the program. The first thing we will see is a screen with a legal notice, which we must accept to continue using the program. Once we accept the message, we reach the main screen of the program.
Here we can see 2 options at the bottom, one that says “ARP-spoofing” and another called “Generic mode”.
ARP-Spoofing must be used on networks encrypted with a WPA/WPA2 key to be successful, but we will then be detectable by any sniffing detector program. If we deactivate this option we will be undetectable, but it will only work on open networks or those with WEP encryption.
Generic mode is an option that captures all login cookies instead of only those of certain predefined websites, which greatly increases the number of websites that can be impersonated.
Once we have selected the options we want, click on the Start button and the program will begin to search for cookies from websites that travel through our local network. When some type of traffic occurs, the program will capture it, showing us the results listed in its main window.
Once websites have been captured in the program, we can click on them and a menu will appear with various options, such as opening a site while impersonating the identity, or saving the cookies.
Clicking on open site launches an integrated web browser that loads the selected website with the login data of the person whose cookies we have captured.
We can also add results to a blacklist so that they do not appear again in future searches, or remove results from the list.
On the DroidSheep website we can see some demonstration videos of how the program works.
Tutorial on how to use DroidSheep Guard
Now we are going to teach you how to detect an ARP-Spoof attack with an Android mobile or tablet, and prevent the access data of our Facebook, Tuenti, Amazon and similar accounts from being stolen.
As we have seen previously in the DroidSheep tutorial, it is very easy to do an ARP-Spoof from an Android device, and cookies carrying the login data of our social networks can be stolen, or what is worse, those of online shopping websites such as Amazon, or of our mail.
To prevent this from happening, the same creators of DroidSheep have created another application called DroidSheep Guard, which continuously reviews the ARP table of the router to which we are connected and raises a warning when it detects any strange change in it.
DroidSheep Guard is available for free on the Play Store. Once downloaded, we execute it by clicking on the icon that has been created in the applications menu.
The first thing we see on the main screen is a slider with which we can set how often the program checks the ARP table. The default is 60 times per minute, that is, once per second, but to avoid excessive battery drain we can set it to once every 2 seconds, which will also be effective.
We also have 3 options below that bar.
“Autostart / stop depending WiFi”: This option lets the program choose on which networks it activates and on which it does not. Normally it is activated on public networks and deactivated on private networks.
“Disable WiFi on alert”: When the program detects a threat, it automatically disables Wi-Fi. It is recommended to keep this option activated.
“Show status icon in notification bar”: Shows an icon in the notification bar with the status of the program.
Click on the “Start protection” button and the application status will change to “running”. At the bottom it will show us the IP and MAC address of the gateway of our router.
As long as there is no intrusion, the program will keep checking the ARP table constantly. If we suffer an ARP-Spoof, the program will automatically notify us with a warning window.
In this window we can choose whether to open DroidSheep Guard, ignore the warning (not recommended) or deactivate Wi-Fi, if we have not enabled the option that does so automatically.
With this program we can prevent our email accounts from being stolen with a “man in the middle” attack.
To stop monitoring the ARP table we must click on the “Stop protection” button in DroidSheep Guard and it will automatically stop monitoring said table.
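The check described above, watching the gateway's ARP entry for changes, sketched as an added example; it is not DroidSheep Guard's code and does not come from the original article. It assumes ARP snapshots in the Linux /proc/net/arp text format, and the addresses and function names are constructed for illustration.

```python
# Added example: gateway ARP-entry monitoring over constructed snapshots.
BASELINE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:01     *        wlan0
192.168.1.23     0x1         0x2         aa:bb:cc:00:00:17     *        wlan0
"""
SPOOFED = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:17     *        wlan0
192.168.1.23     0x1         0x2         aa:bb:cc:00:00:17     *        wlan0
192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

def parse_arp_table(text):
    """Return {ip: mac} for complete entries of a /proc/net/arp-style table."""
    table = {}
    for line in text.splitlines()[1:]:          # skip header row
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        if int(flags, 16) & 0x2 == 0:           # ATF_COM not set: unresolved entry
            continue
        table[ip] = mac
    return table

def check_gateway(gateway_ip, trusted_mac, table):
    """Compare the current table with the MAC recorded when monitoring began."""
    alerts = []
    current = table.get(gateway_ip)
    if current is None:
        return alerts                            # gateway not resolved yet
    if current != trusted_mac.lower():
        alerts.append(f"gateway {gateway_ip} moved from {trusted_mac} to {current}")
    sharing = sorted(ip for ip, mac in table.items()
                     if mac == current and ip != gateway_ip)
    if sharing:
        alerts.append(f"gateway MAC {current} also claimed by {', '.join(sharing)}")
    return alerts

def monitor(snapshots, gateway_ip):
    """Learn the gateway MAC from the first snapshot, then check the rest."""
    trusted = parse_arp_table(snapshots[0])[gateway_ip]
    return [check_gateway(gateway_ip, trusted, parse_arp_table(s))
            for s in snapshots[1:]]

if __name__ == "__main__":
    for alerts in monitor([BASELINE, BASELINE, SPOOFED], "192.168.1.1"):
        print(alerts or "ok")
```

The first snapshot is trusted as the baseline, so monitoring that starts while the table is already poisoned will learn the wrong MAC; the second alert (two IPs sharing the gateway's MAC) still fires in that case.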