Sniffing Tools

4.4. Sniffing Tools

4.4.1. Dsniff

The dsniff suite has a collection of tools for active/passive sniffing, MitM attacks, and can also monitor the network for data such as passwords, emails, files, and much more.

It is important to understand that dsniff is no longer being actively developed and there will be no further enhancements.

Besides dsniff itself, which is able to capture plaintext passwords on a network, the package also contains the following tools:

• Passive

  • Filesnarf

  • Mailsnarf

  • Msgsnard

  • Urlsnarf

  • Webspy

• Active

  • Arpspoof

  • Dnsspoof

  • Macof

• MitM

  • Sshmitm

  • Webmitm

Dsniff itself is a password sniffer which handles FTP, Telnet, SMTP, HTTP, POP, popass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP MS-CHAP, NFS, VRRP, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, and many more.

In this section we will focus on passive tools.

4.4.1.1. Dniff

The command structure for dsniff is the following: dsniff <options> where options include: - -c Perform half-duplex TCP stream reassembly, to handle asymmetrically routed traffic (such as when using arpspoof to intercept client traffic bound for the local gateway) - -d Enable debugging mode - -m Enable automatic protocol detection - -n Do not resolve IP addresses to hostnames - -p Process the contents of the given PCAP capture file - -i Specify the interface to listen on

As you can see from the options listed, dsniff is not only able to capture and save the authentications it sees on the wire, it is also able to analyze files in order to get the same information.

In other words, you can feed dsniff with a pcap (packet capture) file from Wireshark and let it analyze the traffic.

Example: In our example we run dsniff with root privileges. It will automaticaly attach itself to our main interface: eth0. Once the user logs in, dsniff lists the following as output. ``` stduser@els:~$ sudo dsniff dsniff: listening on eth0 ----------------- 12/30/15 04:32:21 tcp 192.168.1.6.43709 -> 192.168.1.1.60 (http) GET /login.cgi?username=admin&password=password HTTP/1.1 Host: 192.168.1.1

-----------------
12/30/15 04:33:23 tcp 192.168.1.6.43713 -> 192.168.1.1.60 (http)
GET /login.cgi?username=admin&password=password HTTP/1.1
Host: 192.168.1.1

-----------------

```

Although dsniff is a valid tool, if we want to inspect deeper the traffic and the credentials sent in the network, there are more powerful tools that we can use.

4.4.2. Wireshark

Steps on working with Wireshark:

1. Select Interface First we start Wireshark and select the interface to use for the sniffing. Be sure to select the correct interface. In case you are attached to the network via Wi-Fi, you will probably use the wireless LAN interface wlan0.

Then, since in our test we are looking at a web application, we will set the capture filter to only watch HTTP traffic.

1. Pick a Log File In addition to the previous settings, we also want to save our results to a file called eth0_packet_configure_http. Notice that all these options can be configured by clicking on the capture option button.

2. Start the Capture Notice that with the filter selected, we will see every packet sent and received to and from port 80 (HTTP). If we want to display only HTTP traffic, we can add the word http in the expression field.

3. Filter Packets Depending on the authentication mechanism implemented on the target web application, we will have to apply specific filters in order to get only the meaningful packets.

   For example, if the application implements a basic HTTP authentication mechanism, we can use the http.authbasic filter, which will list all the packets containing credentials sent to the application.

   We can apply filters in 2 different ways:

   1. Write the filter in the filter field

   2. Click on Expression and Select HTTP -> http.authasic - Credentials

4. Study Packets We can inspect the packet in the bottom panel of Wireshark, or we can right click on the packet and select Show Packet in a New Window.

Then, look for the major heading named Hypertext Transfer Protocol

Once there we have to open the child node named Authorization: Basic , and look for the Credentials line. Here we can find the credentials used for the authentication.

4.4.3. TCP DumpManual

tcpdump is a powerful packet sniffer that runs via command line. It allows the user to intercept and display and display TCP/IP and other packets being transmitted or received over a network, to which the computer is attached.

Much like Wireshark, tcpdump has the ability to filter the traffic and save the packets to a file for later analysis.

We will now cover some basic capabilities

Basic syntax: tcpdump [options] [filterexpression]

In our example, we want to see all traffic on our main network interface (eth0), so we will use the following command: sudo tcp dump -i eth0

This states that we want to run tcpdump as root and monitor the eth0 network interface. Since no other options have been added, we will see all packets transmitted.
  ```
  stduser@els:~$ sudo tcpdump -i eth0
  [sudo] password for stduser:
  tcpdump: verbose input surpressed, use -v or -vv for full protocol decode
  listening on rth0, link-type EN10B (Ethernet), capture size 262144 bytes
  09:18:02.133182 IP 192.68.103.1.17500 > 192.168.102.255.17500: UDP, length 200
  09:18:02.854919 IP 192.68.103.147.56976 > 192.168.102.2.domain: 53964+ 255.102.168.192.in+addr.arpa. (46)
  09:18:02.864964 IP 192.68.103.2.domain > 192.168.102.147.56976: 53964 NXDOMAIN 0/0/0 (46)
  09:18:02.865051 IP 192.68.103.147.59910 > 192.168.102.2.domain: 12279+ PTR? 1.102.168.192.in-addr.arpa. (44)
  09:18:02.875296 IP 192.68.103.2.domain > 192.168.102.147.59910: 12279 NXDomain 0/0/0 (44)
  09:18:03.848147 IP 192.68.103.147.48873 > 192.168.102.2.domain: 27140+ PTR? 2.102.168.192.in.addr.arpa. (44)
  09:18:03.858098 IP 192.68.103.2.domain > 192.168.102.147.48873: 27140  NXDomain 0/0/0 (44)
  09:18:03.858183 IP 192.68.103.147.50818 > 192.168.102.2.domain: 50563+ PTR? 147.102.168.192.in-addr.arpa. (46)
  09:18:03.867137 IP 192.68.103.2.17500 > 192.168.102.147.50818: 50563 NXDomain 0/0/0 (44)
  ```

We can inspect in more detail by using adding parameters to our previous command:
  ```
  -xxAXXSs 0 dst 192.168.102.139
  ```

Description (see image for example):
- `-s 0` we set the MTU size to 0, in order to get the entire packet
-  `-dst` Shows only the communications with the destination specified
-  `-A` Print each packet (minus its link level header) in ACII
-  `-XX` When parsing and printing, in addition to printing the headers of each packet, print the data of each packet including its link level header, in hex
-  `-xx` When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex
-  `-S` Print absolute, rather than relative, TCP sequence numbers
-  `-s` Snaf snaplen, bytes of data from each packet rather than the default of 68 <br>
    68 bytes is adequate for IP, ICMP, TCP, and UDP but may truncate protocol information from name server and NFS packets (see below). Packets truncated because of a limited snapshot are indicated in the output with **[|proto]**, where is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and effectively decreases the amount of packet buffering. This may cause packets to be lost. Setting snaplen to 0 means to use the required length to catch whole packets.

From the output we can see that only the traffic aimed to the host **192.168.102.139** is displayed. Indeed, we can see part of the way handshake (SYN and ACK) and then the packet containing the data sent to the server.

We can also see that the traffic is sent to a webserver, indeed the destination address and port are displayed as follows:
```
09:57:32.763851 IP 192.168.102.147.43357 > 192.168.102.139.http: Flags [S],
seq 661243647, win 29200, options [mss 1460, sackOK,TS val 6706799 ecr 0, nop, wscale 7], length 0
        0x0000: 000c 2978 6331 000c 29d3 f371 0800 4500 ..)xc..)..q..E.
```

The previous output may contain a lot of information. If we want a simpler output, we can just remove some of the parameters, and run the following command (see image):<br>
  ```
  sudo tcpdump -i eth0 -vvvASs 0 dst 192.168.102.139
  ```

  Here we removed all the hexadecimal output but we increased the output verbosity with the `-vvv` argument.

As you can see in the output, the data contains the same **Authorization** header seen before with Wireshark.

  The only difference is that Wireshark automatically decodes the base64 encoded text for us. So, when using tcpdump, we will have to decode the information manually.

  There are different tools and web applications that we can use to do that. We can use BurpSuite, the web browser console, command line, or online tools such as [bsae64decode](https://www.base64decode.org/).

If you are running on a Windows machine, you can use Windup.