SNIFFING THE TRAFFIC WITH DSNIFF
So we have successfully poisoned the ARP cache; now, we will learn about a couple of sniffers that capture the traffic. We will take a look at dsniff first, which, as mentioned before, is a Swiss army knife of command line sniffing tools.
To run dsniff, we will execute the “dsniff” command inside our terminal. What this does is capture any clear text password going across the network. So while running dsniff, I logged in to an ftp account, and since ftp is a plain text protocol, dsniff managed to capture it.

SNIFFING PICTURES WITH DRIFTNET
If we want to see what the victim is viewing in his browser, we have a great tool called “driftnet,” which comes preinstalled with BackTrack. We can use it to capture all the images that the victim is browsing through. We can do it by executing the following command:
root@bt:~# driftnet -v

This is what the output will be like: we can clearly see that the victim is browsing google.com. The “facebook hacked” image is basically from my blog, since I accessed my blog from the victim’s browser to demonstrate this tool.
URLSNARF AND WEBSPY
Urlsnarf and webspy are part of the dsniff toolset; urlsnarf tells us about the URLs that the victim has visited, whereas the webspy tool will open up all the web pages that the victim has visited in our browser.

An example of an attacker running urlsnarf to sniff the URLs that the victim has visited. The webspy tool works the same way; however, we need to specify additional arguments. Here is how the command would look:
root@bt:~# webspy -i eth0 192.168.75.142

where eth0 is the interface and 192.168.75.142 is the IP address of the victim.
As urlsnarf keeps track of the URLs visited by the victim, as soon as the victim connects to a new URL using his browser, our browser automatically connects to it too, so we know what page the victim is currently on. As you can see from the above screenshot, the victim (on his machine) has connected to facebook.com and our browser has automatically opened up Facebook.
SNIFFING WITH WIRESHARK
If you have read the “Network Sniffing” post, you would have seen Wireshark in
action, where I demonstrated the TCP/IP three-way handshake and how port scanning works. Wireshark, previously known as Ethereal, is one of the best packet sniffers ever. It’s not only used by hackers and penetration testers, but also by network administrators to sort out problems within a network. Since Wireshark is an extensive tool, it’s not possible for me to cover every aspect of this tool in this post; however, I will give a quick overview. We will use Wireshark to capture plain text passwords sent across the wire. So let us begin:
Step 1—Launch Wireshark by executing “Wireshark” command from the terminal. Once
launched, click on the “Capture” button at the top and click on the “Analyze” button.
Step 2—Next, select the interface you would like to sniff on and click “Start”; in my case, it
is eth0.

Step 3—Wireshark will start capturing all the packets going across the network. On the victim’s machine, I will log into a website that supports http authentication and will stop the capture on my attacker machine once I have logged in.
Step 4—Since we have so many packets, we need to ask Wireshark to filter out only HTTP
POST requests. So, inside of the filter tab, we will type “http.request.method==POST.”
The first request you see is a “POST” request performed to the destination 75.98.17.25 from our victim, which has a source IP 192.168.75.142.150.

Step 5—Next, we will right-click on the packet and click on “Follow tcp stream,” which will show us the original post request generated from the victim’s browser. The output would look something like the following:
As you can see, the POST request contains the username “admin” and the password “pass.” There are many different types of filters in Wireshark used to filter out different types of traffic.

We have already discussed some of them. Personally, I would suggest you take a look at the Wireshark manual available at wireshark.org.
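The FTP login that dsniff caught and the “admin”/“pass” POST that Wireshark showed are the same weakness seen twice: credentials crossing the wire unencrypted. The following added example (my own code, not part of dsniff, Wireshark or this post) takes the reassembled text of one TCP stream, like the “Follow tcp stream” output above, and reports such exposures, so an administrator can scan captures of their own network for services that still authenticate over plain FTP or HTTP; the field names and sample streams are constructed assumptions.

```python
"""Audit check: flag credentials that cross the wire in clear text."""
import base64
from urllib.parse import parse_qs

# Form field names that commonly carry a secret or a login name (assumed list).
SECRET_FIELDS = {"password", "pass", "passwd", "pwd"}
USER_FIELDS = {"username", "user", "login", "email"}


def find_plaintext_credentials(stream: str) -> list:
    """Return (protocol, username, secret) triples found in one TCP stream."""
    text = stream.replace("\r\n", "\n")
    lines = text.split("\n")
    findings = []

    # FTP: a USER command followed by PASS, exactly what dsniff prints.
    user = None
    for line in lines:
        if line.upper().startswith("USER "):
            user = line[5:].strip()
        elif line.upper().startswith("PASS ") and user is not None:
            findings.append(("ftp", user, line[5:].strip()))
            user = None

    # HTTP: request line, headers, blank line, then the body Wireshark shows.
    if lines and " HTTP/" in lines[0]:
        head, _, body = text.partition("\n\n")
        headers = {}
        for h in head.split("\n")[1:]:
            name, _, value = h.partition(":")
            headers[name.strip().lower()] = value.strip()
        # HTTP basic authentication is only base64-encoded, not encrypted.
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            u, _, p = base64.b64decode(auth[6:]).decode("utf-8", "replace").partition(":")
            findings.append(("http-basic", u, p))
        # Form login over plain HTTP: the case the post's POST filter exposes.
        if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
            form = parse_qs(body.strip())
            secret = next((k for k in form if k.lower() in SECRET_FIELDS), None)
            if secret:
                ident = next((k for k in form if k.lower() in USER_FIELDS), None)
                findings.append(("http-form", form[ident][0] if ident else "", form[secret][0]))
    return findings


# Constructed sample streams mirroring the post: an FTP login and admin/pass POST.
SAMPLE_FTP = "USER alice\r\nPASS s3cret\r\n"
SAMPLE_POST = ("POST /login HTTP/1.1\r\nHost: example.invalid\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n"
               "Content-Length: 28\r\n\r\nusername=admin&password=pass")

if __name__ == "__main__":
    for sample in (SAMPLE_FTP, SAMPLE_POST):
        print(find_plaintext_credentials(sample))
```

Any hit is a finding against the service, not the user: the fix is to move the service to FTPS/SFTP or HTTPS rather than to rotate the exposed password alone.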