
Okay, I must have misunderstood something. At which point does Firesheep get your credentials? Really, the only case I am aware of is if you are on a wifi network, and I'm not sure if all the users on a secure network use the same encryption key.

I haven't seen a hub in ages, so when you're on a LAN you shouldn't be getting any packets that weren't meant for you. When exactly does Firesheep work?



I'm not an expert on wifi security, but here is what I found while doing some research:

"Wireshark can decrypt WEP and WPA/WPA2 in pre-shared (or personal) mode. WPA/WPA2 enterprise mode decryption is not yet supported."

Since Wireshark and Firesheep both use WinPcap, I assume this applies to both.

Also, while testing on an unsecured network, I found Firesheep was easily able to grab my HN session off my Android phone.


I think that only applies to being able to decrypt packets after you've acquired the key, I'm not sure if it applies here...


Yes, you need the key to decrypt, but getting the key is not difficult for WEP [0], and only moderately difficult [1][2] for WPA PSK, if I understand correctly.

[0] http://www.cyberciti.biz/tips/howto-crack-wirless-wep-104.ht... "The actual computation takes about 3 seconds"

[1] http://www.renderlab.net/projects/WPA-tables/ "computed hash tables for the 1000 most common SSIDs against a million common passphrases"

[2] http://securityandthe.net/2008/10/12/russian-researchers-ach... "This means that a WPA or WPA2 key could be cracked in days or weeks instead of years."


On the contrary, it is moderately difficult for WEP and almost impossible for WPA, if the key is long, and very very hard otherwise.

For WEP, the actual cracking is the easiest part, it's gathering all the IVs that's a hassle.

For WPA, the rainbow tables only cover common SSIDs and passwords, which doesn't really give you a very high probability of cracking it. The research in the third link you posted hasn't been made practical yet, as far as I know.


If you have a WLAN NIC that supports traffic injection, gathering IVs can be done in a few minutes.

http://www.aircrack-ng.org/doku.php?id=simple_wep_crack


I know, I've been doing it for a while. It still isn't trivial, you need to get the handshake, do the replay attack, gather enough IVs, crack them, etc. It takes 5 minutes, but it's not plug and play.


It is more than "moderately difficult" to recover WPA keys; what you're looking at are tools and techniques used to crack passphrases for WPA.


Can you explain what makes it more than moderately difficult? Are you saying that getting the ssid and passphrase is not enough to get the key, or am I misunderstanding?


WEP can be broken given enough packets, since it sends a portion of the key in each packet, enabling the user to simply collect packets and break the key. There's a lot an attacker can do, such as fake authentication with the server to force it to send more of the necessary packets, etc.

WPA on the other hand cannot be broken like this. WPA is broken by capturing the handshake between the router and a user. This handshake can then be brute forced with a dictionary. The reason it's so difficult to crack is because the encryption key is salted with the essid of the router making rainbow tables extremely difficult to pre-compute. However, if the user uses a standard essid that came with the router, then pre-computed rainbow tables can most likely be found for it. They can be computed though while capturing the handshake, and I find it's beneficial to create the rainbow tables if you have a large dictionary.

Take a look at aircrack-ng for a lot more detail. This is just a basic overview of it all.
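The comment above describes the key being "salted with the essid". An added example (not from the commenter or from aircrack-ng) that shows that derivation, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, and why that makes a non-default SSID and a long passphrase the defender's levers. The default-SSID list and the 16-character threshold are assumptions made for illustration.

```python
import hashlib
import hmac

# WPA/WPA2-Personal (IEEE 802.11i) derives the 256-bit Pairwise Master Key
# from the passphrase with PBKDF2-HMAC-SHA1, 4096 iterations, using the
# SSID as the salt. The salt is why a precomputed table is only valid for
# the one SSID it was built against.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32

# Constructed list of factory-default network names (assumption for this
# example); a real audit would use a fuller list of vendor defaults.
COMMON_DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK (the 'key' the commenters refer to) for passphrase + SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN,
    )


def same_pmk(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only if the same passphrase yields the same PMK on both SSIDs."""
    return hmac.compare_digest(derive_pmk(passphrase, ssid_a),
                               derive_pmk(passphrase, ssid_b))


def audit_psk_network(ssid: str, passphrase: str) -> list:
    """Findings a defender cares about: reusable tables and short passphrases."""
    findings = []
    if ssid.lower() in COMMON_DEFAULT_SSIDS:
        findings.append("default SSID: precomputed PMK tables likely exist for it")
    if len(passphrase) < 16:  # assumed threshold for this example
        findings.append("short passphrase: dictionary attack on a captured "
                        "handshake is feasible")
    return findings
```

`derive_pmk("password", "IEEE")` reproduces the IEEE 802.11i test vector, so the function can be checked against the standard before being trusted.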


When people talk about WEP insecurity, they are talking about fundamental flaws in the protocol that make the passphrase almost irrelevant.


Since I can't edit my comment, I'll reply. I tested this and it only appears to work on unsecured wifi networks. I can't find any other use case where my network adapter will receive packets not meant for me.


Convincing an ethernet switch to send you packets that are not meant for you is, unfortunately, easy.

This is a concept that many people should really think about, since many believe that a switched network is "secure".


Hmm, how is it done? I guess you could send requests with fake IPs but real MACs?


Take a look at Ettercap's man page. That'll give you a nice list of ways to make a network behave like this.


ettercap does ARP poisoning, if I remember correctly, for MITM attacks. I was wondering if there was a way to set it to the equivalent of promiscuous mode, not spoof IPs.


Yes, Ettercap, by default, is in promiscuous mode. It does quite a bit more than just ARP poisoning though, it can also do DHCP and ICMP spoofing among others.

Here's the man page: http://linux.die.net/man/8/ettercap
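The ARP poisoning discussed in this subthread has a visible footprint on the wire: an IP address whose MAC binding changes, and one MAC answering for several IPs. An added example (not from any commenter, and not Ettercap's code) of a passive monitor that flags both, run over a constructed sequence of ARP sender fields. The addresses are made up for the example.

```python
from collections import defaultdict


class ArpWatch:
    """Passive ARP monitor: alerts when an IP's MAC changes, and when one MAC
    claims several IPs, the footprint of a switched-LAN man-in-the-middle."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.ip_to_mac = {}                 # first-seen binding per IP
        self.mac_to_ips = defaultdict(set)  # every IP each MAC has claimed

    def observe(self, sender_ip, sender_mac):
        """Feed the sender fields of one ARP request/reply; return alerts."""
        sender_mac = sender_mac.lower()
        alerts = []
        known = self.ip_to_mac.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            kind = "gateway" if sender_ip == self.gateway_ip else "host"
            alerts.append(f"{kind} {sender_ip} moved from {known} to {sender_mac}")
        self.mac_to_ips[sender_mac].add(sender_ip)
        if len(self.mac_to_ips[sender_mac]) > 1:
            alerts.append(f"{sender_mac} claims {len(self.mac_to_ips[sender_mac])} IPs")
        return alerts


# Constructed sample of (sender_ip, sender_mac) pairs. The first three are
# normal traffic; the last two are a third MAC answering for both the
# gateway and a host, i.e. inserting itself between them.
SAMPLE_ARP = [
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),
    ("192.168.1.1",  "aa:bb:cc:00:00:66"),
    ("192.168.1.20", "aa:bb:cc:00:00:66"),
]


def run_sample(packets=SAMPLE_ARP, gateway_ip="192.168.1.1"):
    """Replay a packet list through the monitor and collect its alerts."""
    watch = ArpWatch(gateway_ip)
    alerts = []
    for ip, mac in packets:
        alerts.extend(watch.observe(ip, mac))
    return alerts
```

The first-seen binding is trusted, so on a real network seed `ip_to_mac` from a known-good table (the gateway's MAC at least) rather than from whatever arrives first.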


I meant set the router in a sort of promiscuous mode (i.e. make it send you all the packets, regardless of their original destination), not the adapter. These types of poisoning are very useful, but they're not what you need for Firesheep. With a poisoning attack, you override the packet's destination and it's up to you to send (it's an active attack). Firesheep just monitors passively, which is why I was wondering if it worked anywhere.

I agree with you, I'm just saying that the type of passive monitoring Firesheep does only works on unsecured wifi networks and is, thus, not very useful.


Well, setting your adapter into promiscuous mode will allow you to capture all the packets. By using Ettercap though to put your adapter into promiscuous mode, it will handle the packet forwarding for you. Therefore, you can use Firesheep to monitor the entire network pretty easily.

From what I've seen it should capture them from everyone on the network, since Firesheep is simply capturing packets from whatever the adapter sees over TCP port 80. I haven't tried that yet, so you might be right.

Also, an attacker can simply use SSLStrip and get the cleartext passwords for online services anyway. This isn't anything novel, since there have been plenty of attacks that allow you to session hijack rather easily (e.g. hamster). You can even simply monitor in Wireshark and manually enter the session information into your cookies.
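Firesheep, as described above, reads whatever the adapter sees on TCP port 80, so the question for a site owner is which of its cookies a browser would ever send over plain HTTP. An added example (not from any commenter or from Firesheep) that parses Set-Cookie headers and lists the cookies lacking the Secure attribute, the one attribute that keeps a cookie off port 80; the sample headers are constructed.

```python
# Only the Secure attribute keeps a cookie off plain-HTTP requests, where a
# passive sniffer on an open network can read it. HttpOnly blocks script
# access but does nothing against sniffing.


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def exposed_over_http(set_cookie_headers) -> list:
    """Names of cookies a browser would send on an http:// request."""
    exposed = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if "secure" not in cookie["attrs"]:
            exposed.append(cookie["name"])
    return exposed


# Constructed sample of headers as a site might set them: the first two
# would reach port 80 in clear even though one of them is HttpOnly.
SAMPLE_HEADERS = [
    "user=abc123; Path=/",
    "sess=9f8e7d; Path=/; HttpOnly",
    "sess_secure=4b3c2a; Path=/; Secure; HttpOnly",
]
```

Running `exposed_over_http` over the Set-Cookie headers of a real login response shows exactly what a port-80 sniffer could replay.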



