Tuesday, March 4, 2008

HowTo: Extremely Powerful Linux Password Sniffer

Password Sniffer on Linux?

Yes, and everyone should know that passwords can be sniffed off the wire. This entry does not go into the details of auditing your own network for this class of weakness; that is too large a topic for a single post and depends on the network in question.

Those two words, password sniffer, are worth repeating, because a sniffed password is no different from a stolen identity or a raided bank account.

This quick blog entry focuses on awareness of the packet-sniffing threat in a switched environment, and briefly looks at what a switched network does and does not protect against. It does not cover sniffer operation or usage.

What is DSniff?

DSniff can be defined in two words - password sniffer.

What is NOT DSniff ?

DSniff is not tcpdump or ncap, it is not openssl, it is not a replica of libpcap, and it has nothing to do with ping.

More DSniff Network Penetration Testing Intentions

Dsniff was written for network auditing, including network and host penetration testing from a Linux platform. DSniff picks passwords out of packets as they cross a network segment on which the sniffing host can see other hosts' traffic (a shared hub, or a switch whose forwarding has been subverted). If you don't know what that means, stop here and go check your GMail for funny pictures.

Moreover, DSniff understands the authentication exchanges of FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP, MS-CHAP, NFS, VRRP, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase and Microsoft SQL, and extracts the credentials carried by each.

How DSniff Works?

Simply put, DSniff automatically detects and minimally parses each application protocol, saving only the interesting bits: it records the unique authentication attempts found in the protocol data rather than whole sessions. Full TCP/IP reassembly is provided by libnids, a dependency of DSniff that is installed alongside it.
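To make the "minimally parse, keep only the interesting bits" idea concrete, here is an added example (my own illustration, not code from the dsniff project) that does for two protocols what dsniff does for dozens: given already reassembled client-to-server TCP payloads (the job libnids does for dsniff; here they are constructed byte strings), it pulls USER/PASS pairs out of FTP and decodes HTTP Basic Authorization headers, then reports each login attempt once. The port numbers, stream contents and user names are made up for the demonstration.

```python
# Added example, not part of dsniff: per-protocol credential extraction over
# reassembled TCP payloads, keeping only unique login attempts.
import base64
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample streams: (server port, client->server payload).
# The FTP stream repeats its login so the dedup step has something to do;
# the second HTTP stream carries no credentials and must produce nothing.
SAMPLE_STREAMS: List[Tuple[int, bytes]] = [
    (21, b"USER alice\r\nPASS s3cret\r\nCWD /pub\r\nUSER alice\r\nPASS s3cret\r\n"),
    (80, b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
         b"Authorization: Basic " + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"),
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
]


def parse_ftp(payload: bytes) -> List[Tuple[str, str]]:
    """Pair each USER command with the PASS that follows it; every other
    FTP command (CWD, RETR, ...) is skipped, which is the 'minimal parse'."""
    creds: List[Tuple[str, str]] = []
    user = None
    for line in payload.split(b"\r\n"):
        verb, _, arg = line.partition(b" ")
        if verb.upper() == b"USER":
            user = arg.decode(errors="replace")
        elif verb.upper() == b"PASS" and user is not None:
            creds.append((user, arg.decode(errors="replace")))
            user = None
    return creds


_BASIC = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I | re.M)


def parse_http_basic(payload: bytes) -> List[Tuple[str, str]]:
    """HTTP Basic auth is base64, not encryption: decode and split on ':'."""
    creds: List[Tuple[str, str]] = []
    for m in _BASIC.finditer(payload):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode(errors="replace")
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        user, _, password = decoded.partition(":")
        creds.append((user, password))
    return creds


# Port -> parser table; dsniff keys its decoders the same way (plus content sniffing).
PARSERS: Dict[int, Callable[[bytes], List[Tuple[str, str]]]] = {
    21: parse_ftp,
    80: parse_http_basic,
}


def extract_unique(streams: List[Tuple[int, bytes]]) -> List[Tuple[int, str, str]]:
    """Run the matching parser on each stream and keep every
    (port, user, password) triple once, in first-seen order."""
    seen: List[Tuple[int, str, str]] = []
    for port, payload in streams:
        parser = PARSERS.get(port)
        if parser is None:
            continue
        for user, password in parser(payload):
            entry = (port, user, password)
            if entry not in seen:
                seen.append(entry)
    return seen


if __name__ == "__main__":
    for port, user, password in extract_unique(SAMPLE_STREAMS):
        print(f"port {port}: {user} / {password}")
```

Everything the parsers discard (directory listings, page bodies, headers other than Authorization) is exactly what a sniffer does not need to store, which is why dsniff's output stays small even on a busy segment.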

THIS PROGRAM SHOULD NOT BE ABUSED. IT IS PRESENTED HERE FOR THE PURPOSE OF NETWORK PENETRATION TESTING ONLY AND NOT FOR ANY ILLEGAL ACTIVITY IT MIGHT LEAD YOU INTO.

Do not install this, you've been warned.

DSniff Installation on Fedora 8

Yes, Fedora 8 ships it. Simply install it using the all-time favorite software installer, yum.
Upstream, DSniff officially supports three platforms: OpenBSD (i386), Red Hat Linux (i386), and Solaris (sparc). Others have reported success on FreeBSD, Debian Linux, Slackware Linux, AIX, and HP-UX.

# yum -y install dsniff

Once installed, DSniff consists of several Linux command-line tools for network auditing and penetration testing. Each tool has its own job and they work independently of one another; the sniffing tools among them are all built on the single but powerful libnids library.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here are several binaries included with DSniff.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

arpspoof

redirect packets from a target host (or all hosts) on the LAN intended for another local host by forging ARP replies. this is an extremely effective way of sniffing traffic on a switch. kernel IP forwarding (or a userland program which accomplishes the same, e.g. fragrouter :-) must be turned on ahead of time.

dnsspoof

forge replies to arbitrary DNS address / pointer queries on the LAN. this is useful in bypassing hostname-based access controls, or in implementing a variety of man-in-the-middle attacks (HTTP, HTTPS, SSH, Kerberos, etc).

filesnarf

saves selected files sniffed from NFS traffic in the current working directory.

macof

flood the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). a straight C port of the original Perl Net::RawIP macof program.

mailsnarf

a fast and easy way to violate the Electronic Communications Privacy Act of 1986 (18 USC 2701-2711), be careful. outputs selected messages sniffed from SMTP and POP traffic in Berkeley mbox format, suitable for offline browsing with your favorite mail reader (mail -f, pine, etc.).

msgsnarf

record selected messages from sniffed AOL Instant Messenger, ICQ 2000, IRC, and Yahoo! Messenger chat sessions.

sshmitm

SSH monkey-in-the-middle. proxies and sniffs SSH traffic redirected by dnsspoof(8), capturing SSH password logins, and optionally hijacking interactive sessions. only SSH protocol version 1 is (or ever will be) supported - this program is far too evil already.

tcpkill

kills specified in-progress TCP connections (useful for libnids-based applications which require a full TCP 3-whs for TCB creation).

tcpnice

slow down specified TCP connections via "active" traffic shaping. forges tiny TCP window advertisements, and optionally ICMP source quench replies.

urlsnarf

output selected URLs sniffed from HTTP traffic in CLF (Common Log Format, used by almost all web servers), suitable for offline post-processing with your favorite web log analysis tool (analog, wwwstat, etc.).

webmitm

HTTP / HTTPS monkey-in-the-middle. transparently proxies and sniffs web traffic redirected by dnsspoof(8), capturing most "secure" SSL-encrypted webmail logins and form submissions.

webspy

sends URLs sniffed from a client to your local Netscape browser for display, updated in real-time (as the target surfs, your browser surfs along with them, automagically). a fun party trick.
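The arpspoof entry above is the one that makes sniffing on a switch work, so it is also the one a defender most wants to detect. The following is an added example (my own, not part of the dsniff suite): it builds the same kind of forged ARP reply arpspoof emits, with the gateway's IP paired to an attacker's MAC, then runs the check a network monitor would apply, flagging any IP whose claimed MAC changes between ARP replies. All MAC and IP addresses are constructed for the demonstration, nothing is sent on the wire, and the kernel IP forwarding that arpspoof needs for a working relay is not touched.

```python
# Added example, not part of dsniff: forge an ARP reply the way arpspoof does,
# parse it back, and detect the IP-to-MAC change that poisoning produces.
import struct
from typing import Dict, Iterable, List, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet header + 28-byte ARP reply (RFC 826 layout).
    Poisoning is simply sender_ip = the gateway while sender_mac = attacker."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet, IPv4, 6, 4, reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str]]:
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame,
    or None for anything else (wrong ethertype, truncated, odd address sizes)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_mac, sender_ip


def detect_arp_spoof(frames: Iterable[bytes]) -> List[str]:
    """Remember the MAC each IP claims in ARP replies; alert when it changes.
    A repeated reply with the same MAC is normal and produces no alert."""
    table: Dict[str, str] = {}
    alerts: List[str] = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        previous = table.setdefault(ip, mac)
        if previous != mac:
            alerts.append(f"{ip} moved from {previous} to {mac}")
            table[ip] = mac
    return alerts


# Constructed sample: the real gateway answers once, then an attacker host
# claims the gateway's IP towards the victim twice (arpspoof resends every
# couple of seconds, so the repeat must not raise a second alert).
GATEWAY_IP, VICTIM_IP = "192.168.1.1", "192.168.1.50"
REAL_GATEWAY_MAC, ATTACKER_MAC, VICTIM_MAC = "00:11:22:33:44:55", "00:0c:29:ab:cd:ef", "aa:bb:cc:dd:ee:01"
SAMPLE_FRAMES = [
    build_arp_reply(REAL_GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
]

if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_FRAMES):
        print("ALERT:", alert)
```

A real monitor would feed frames from libpcap into detect_arp_spoof and seed the table from a known-good inventory rather than from the first reply it happens to see, since the first reply may already be the forged one.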

DSniff Binary Usage

Sorry, I will not go further into DSniff usage here. The tool descriptions above should be enough to tire your eyes.

Webshots

Screenshots of these tools in action would be dangerous to publish, so they are left out.

Goodluck and enjoy.

ILoveTux - howtos and news