DSniff
Dsniff is a password sniffer written by Dug Song, and a package of utilities that parse many different application protocols and extract interesting information.
dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI. http://www.monkey.org/~dugsong/dsniff/

Overview

dsniff is a packet sniffer and set of traffic analysis tools written by Dug Song. The application sniffs usernames and passwords, web pages being visited, contents of email, etc. Dsniff, as the name implies, is a network sniffer, but one designed for different kinds of testing. Furthermore, it can be used to disrupt the normal behavior of switched networks and cause network traffic from other hosts on the same network segment to be visible, not just traffic involving the host dsniff is running on.

It handles FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP MS-CHAP, NFS, VRRP, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase and Microsoft SQL protocols.

The name "dsniff" refers both to the package and to an included tool. "dsniff" the tool decodes passwords sent in cleartext across a switched or unswitched Ethernet network. Its man page explains that Song wrote dsniff with "honest intentions - to audit my own network, and to demonstrate the insecurity of cleartext network protocols." He then requests, "Please do not abuse this software."

These are the configuration files in the dsniff folder /etc/dsniff/:

/etc/dsniff/dnsspoof.hosts --> Sample hosts file. http://linux.die.net/man/8/dnsspoof
If no hostfile is specified, replies will be forged for all address queries on the LAN with an answer of the local machine’s IP address.

/etc/dsniff/dsniff.magic --> Network protocol magic

/etc/dsniff/dsniff.services --> Default trigger table

The man page for dsniff explains all the flags. To learn more about using dsniff you can explore the Linux man page. http://linux.die.net/man/8/dsniff

This is a list of descriptions for the various dsniff programs. This text belongs to the dsniff “README” written by the author, Dug Song.

Name: Description

arpspoof (ARP spoofing): Redirect packets from a target host (or all hosts) on the LAN intended for another local host by forging ARP replies. This is an extremely effective way of sniffing traffic on a switch. kernel IP forwarding (or a userland program which accomplishes the same, e.g. fragrouter :-) must be turned on ahead of time.

dnsspoof: Forge replies to arbitrary DNS address / pointer queries on the LAN. this is useful in bypassing hostname-based access controls, or in implementing a variety of man-in-the-middle attacks (HTTP, HTTPS, SSH, Kerberos, etc).

tcpkill: Kills specified in-progress TCP connections (useful for libnids-based applications which require a full TCP 3-whs for TCB creation). Can be effective for bandwidth control.
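Forged ARP replies of the kind arpspoof sends leave a visible trace on the LAN: an IP address whose MAC binding suddenly changes, and a single MAC answering for several IPs. The following Python monitor logic is an added example, not part of the dsniff package or its README; the sample replies, the function name detect_arp_spoofing and its pinned parameter are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) from observed ARP replies.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.0.2.1", "00:00:5e:00:53:01"),    # gateway, legitimate
    (1.0, "192.0.2.10", "00:00:5e:00:53:0a"),   # workstation
    (2.0, "192.0.2.20", "00:00:5e:00:53:14"),   # third host
    (30.0, "192.0.2.1", "00:00:5e:00:53:14"),   # gateway IP claimed by third host's MAC
    (32.0, "192.0.2.1", "00:00:5e:00:53:14"),   # forged reply repeated
    (33.0, "192.0.2.10", "00:00:5e:00:53:14"),  # same MAC claims the workstation too
    (40.0, "192.0.2.1", "00:00:5e:00:53:01"),   # real gateway answers again
]


def detect_arp_spoofing(replies, pinned=None):
    """Return alerts for IP-to-MAC bindings that change or collide.

    pinned: optional known-good {ip: mac} map (e.g. the default gateway);
    a pinned binding is never overwritten by what is seen on the wire.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    current = dict(pinned)           # last accepted MAC per IP
    ips_by_mac = defaultdict(set)    # every IP each MAC has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = current.get(ip)
        if known is None:
            current[ip] = mac        # first sighting: learn the binding
        elif known != mac:
            alerts.append({"time": ts, "kind": "binding-changed",
                           "ip": ip, "expected": known, "seen": mac})
            if ip not in pinned:
                current[ip] = mac    # unpinned: follow the change after alerting
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:  # one MAC answering for several IPs
                alerts.append({"time": ts, "kind": "mac-claims-multiple-ips",
                               "mac": mac, "ips": sorted(ips_by_mac[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

Pinning the gateway's address keeps the alert firing for every forged reply instead of only the first, because the monitor never accepts the forged binding as the new baseline.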

See also: filesnarf, macof, mailsnarf, msgsnarf, sshmitm, tcpnice, urlsnarf, webmitm, webspy (all described at http://www.ouah.org/dsniffintr.htm).


Other tools included with the package include:
  • "webspy", a program which intercepts URLs sent by a specific IP address and directs your web browser to connect to the same URL. This results in your browser opening up the same web pages as the target being sniffed.
  • "sshmitm" and "webmitm", programs designed to intercept SSH version 1 communications and web traffic respectively with a man-in-the-middle attack
  • "msgsnarf", a program designed to intercept Instant Messenger and IRC conversations
  • "macof", a program designed to break poorly-designed Ethernet switches by flooding them with packets with bogus MAC addresses (MAC flooding).
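MAC flooding as described for macof shows up on a switch as one port suddenly learning far more source addresses than any real host would use. The following Python detection logic is an added example, not code from dsniff; the event format, port names, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque


def build_sample_events():
    """Constructed switch observations: (milliseconds, port, source MAC)."""
    events = [(0, "port1", "00:00:5e:00:53:01"), (500, "port2", "00:00:5e:00:53:02")]
    # port7: 300 frames, 10 ms apart, each with a different bogus source MAC
    for i in range(300):
        mac = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)
        events.append((1000 + i * 10, "port7", mac))
    # port1 keeps talking with its single real address
    events += [(t, "port1", "00:00:5e:00:53:01") for t in (2000, 3000, 4000)]
    return sorted(events)


def detect_mac_flooding(events, window_ms=5000, max_new_macs=50):
    """Return {port: time of first violation} for every port that learns more
    than max_new_macs previously unseen source MACs within window_ms."""
    seen = defaultdict(set)       # port -> MACs already learned on that port
    recent = defaultdict(deque)   # port -> timestamps of recently learned MACs
    violations = {}
    for ts, port, mac in events:
        if mac in seen[port]:
            continue              # known address: normal traffic
        seen[port].add(mac)
        learned = recent[port]
        learned.append(ts)
        while learned and ts - learned[0] > window_ms:
            learned.popleft()     # drop learn events that left the window
        if len(learned) > max_new_macs and port not in violations:
            violations[port] = ts
    return violations


if __name__ == "__main__":
    print(detect_mac_flooding(build_sample_events()))
```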


----

Bandwidth Control

Tomasz Chmielewski's Bandwidth-Limiting-HOWTO http://tldp.org/HOWTO/Bandwidth-Limiting-HOWTO/index.html is a clear reference document for CBQ (Class Based Queueing). CBQ lets you allocate bandwidth to particular network services. To learn more about CBQ, read the HOWTO linked above.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.