Tools

Here are a few tools.

Sniffit

Sniffit is an older sniffer, but it's useful nonetheless. Its homepage is at http://reptile.rug.ac.be/~coder/sniffit/sniffit.html . It can be downloaded from http://reptile.rug.ac.be/~coder/sniffit/files/sniffit.0.3.7.beta.tar.gz .

Figure 11-1 shows sniffit looking at the result of someone else's Telnet login. Figure 11-2 shows that person's "ls" command. Note that sniffit is apparently finished: no updates have been made to the page in a year or so.

Figure 11-1. Sniffit intercepting a username and password.

Figure 11-2. Someone's been using "ls."

Compiling it was easy on my machine: just a standard autoconf dealie.

Dsniff

Dug Song was kind enough to work up a great sniffer in the form of dsniff, an entire package of sniffing-related tools. The homepage is at http://www.monkey.org/~dugsong/dsniff/ , and the package can be downloaded from http://www.monkey.org/~dugsong/dsniff/dsniff-2.3.tar.gz .

In order to install this, I had to install Berkeley DB, OpenSSL, libpcap, libnids, and libnet. Your system may or may not need all of these installed, or it may not need any of them. Some distributions ship with these packages, but, off the top of my head, I'm not sure which ones. Download dsniff and run the ./configure program to determine which of the following packages you'll need to install. The required packages have the following homepages and URLs:

Required Packages

Package Name    Homepage URL
Berkeley DB     http://www.sleepycat.com/
OpenSSL         http://www.openssl.org/
libpcap         http://www.tcpdump.org/
libnids         http://www.packetfactory.net/projects/libnids/
libnet          http://www.packetfactory.net/projects/libnet/

Berkeley DB

I grabbed version 3.2.9 of Berkeley DB and threw it into my /usr/src directory. This was a regular autoconf build, except for the fact that the configure script is found in the dist directory, and you have to be in the build_unix directory when you call it. So, to simplify, here's how I did it:

  tar zxvf db-3.2.9.tar.gz
  cd db-3.2.9
  cd build_unix
  ../dist/configure
  make
  su -c "make install"
  make clean # gotta save some disk space, eh?

Compilation took about two minutes on my K6/2-450.

OpenSSL

For OpenSSL, I got version 0.9.6, the latest and greatest. It was a standard autoconf build procedure. Compilation took about 7 minutes, and installation took 1.5 more.

libpcap

For libpcap, version 0.6.1 was used. Again, a GNU autoconf-type build, and compilation took under 60 seconds.

libnids

I picked up libnids version 1.16. And while it should have been a regular autoconf build (which it was), I had to specify a configure flag to get it to recognize libpcap, so here's the complete build process:

  tar zxvf libnids-1.16.tar.gz
  cd libnids-1.16
  ./configure --with-libpcap=/usr/src/libpcap-0.6.1
  make
  su -c "make install"
  make clean
  cd ../libpcap-0.6.1
  make clean

Apparently, libnids just can't find libpcap on its own; I couldn't get it to compile without explicitly declaring the libpcap build directory. Once I specified that, however, compilation took about a minute.

libnet

This one is version 1.0.1b. The autoconf-style build and installation took under a minute.

Dsniff Compilation

Dug was kind enough to use GNU Autoconf, and it was built and installed in under 60 seconds.

Figure 11-3 shows dsniff with some typical output. I had briefly considered putting in the live data I grabbed from root fest, but I decided against it for legal and practical reasons: I can't find the screenshots I grabbed back then. Regardless, it was a prime example of people not thinking. I mean, really, logging into your mail account from a hacker convention? And to top it off, after the presentation we fired up the sniffers again, figuring we'd get nothing. We got plenty. We got a couple of kids logging in to their mail servers, sending their passwords in clear text. And when we pointed it out, they yanked the network cables out of their machines. "How did you get past BlackICE?!" they screamed. Sniffing isn't affected by things like BlackICE. It works on the wire. Pulling the wire out of your computer isn't somehow going to protect your mail account from me; I've already got that username and password!

Figure 11-3. Dsniff grabbing a POP login.

Anyway, dsniff is the Cadillac of sniffers. If you haven't looked at it, go get it now. Compile it. Run it on your own machine. Be afraid.

Msgsnarf is the instant-message (IM) grabber, allowing you to eavesdrop on any IM conversations. It works with most instant messengers, I'm sorry to say. Figure 11-4 presents a shot of msgsnarf in action, catching a posed conversation between my good friend Roger Hall and me.

Figure 11-4. Dsniff listening to an AIM conversation.

Mailsnarf is a handy little gadget for violating the electronic privacy act: it grabs all the SMTP traffic (that's e-mail for you newbies) and saves it into an mbox-format file, so you can browse it with elm or mutt. This actually has a good, legitimate purpose in a corporate environment: you can grab everyone's mail and check for security leaks merely by grepping[*] through the mbox. This is part of the dsniff package, so once you get dsniff you've got mailsnarf too.

[*] Meaning, use the program grep to search the mailbox file. Execute man grep for more info, and see Chapter 15.
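Grepping an mbox works, but a structured scan reports which message matched rather than a bare line. The following is an added example, not code from the book or from the dsniff package: it parses an mbox of the shape mailsnarf writes with Python's standard mailbox module and reports messages whose text/plain body contains a cleartext password line or a private-key block. The sample mbox, its addresses and the password value are constructed for the example; the leak patterns are a starting point to extend with your own policy.

```python
import mailbox
import re
import tempfile
from pathlib import Path

# Constructed sample mbox standing in for a file written by mailsnarf.
# The addresses, names and the "password" are made up for this example.
SAMPLE_MBOX = """\
From alice@example.test Mon Jan  7 09:12:03 2002
From: alice@example.test
To: bob@example.test
Subject: build server

Hi Bob, the new box is up. Ping me if you need anything.

From carol@example.test Mon Jan  7 09:15:44 2002
From: carol@example.test
To: dave@example.test
Subject: login details

Username: carol
Password: hunter2
Please don't forward this.

From erin@example.test Mon Jan  7 09:20:10 2002
From: erin@example.test
To: list@example.test
Subject: lunch

Pizza at noon?
"""

# Patterns that suggest a credential or key went out in cleartext mail.
LEAK_PATTERNS = [
    re.compile(r"^\s*(password|passwd|pwd)\s*[:=]", re.IGNORECASE | re.MULTILINE),
    re.compile(r"-----BEGIN (RSA |DSA |OPENSSH )?PRIVATE KEY-----"),
]


def message_text(msg):
    """Concatenate the decoded text/plain parts of a message (multipart or not)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def scan_mbox(path):
    """Return (sender, subject, matched pattern) for each message that trips a leak pattern."""
    findings = []
    for msg in mailbox.mbox(path):
        text = message_text(msg)
        for pattern in LEAK_PATTERNS:
            if pattern.search(text):
                findings.append((msg["From"], msg["Subject"], pattern.pattern))
                break  # one report per message is enough
    return findings


def scan_sample():
    """Write the constructed mbox to a temporary file and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "captured.mbox"
        path.write_text(SAMPLE_MBOX)
        return scan_mbox(str(path))


if __name__ == "__main__":
    for sender, subject, pattern in scan_sample():
        print(f"possible leak from {sender} (subject: {subject}) matched {pattern!r}")
```

Point scan_mbox at the file mailsnarf produced instead of the sample; only the sender and subject are reported, so the report itself does not copy the credential around.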

URLsnarf is also part of the dsniff package; it provides a summary listing of all of the URLs that are being visited on your LAN. This is much better than using censorware for finding out where people are going on the net. We all know that censorware doesn't work: it fails to block pornography, and it blocks lots of nonpornography (for more details, visit http://www.peacefire.org/ ). Using URLsnarf, you can find out which users are visiting sites that are non-work-friendly and have a nice talk with them off the record. This can help some poor slob keep his job.

A simple load of http://www.salon.com/ gave me all the URLs shown in Figure 11-5 .

Figure 11-5. Dsniff:URLSnarf grabbing URLs.
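A single page load produces a long list of URLs, as Figure 11-5 shows, so the useful view is a per-client summary of hosts. The following is an added example, not code from the book or from dsniff: it parses urlsnarf's Common Log Format output (one line per request, full URL in the request line), tallies the hosts each client address requested, and reports hits against a watchlist. The log lines and the watchlist host are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed lines in the shape urlsnarf prints; the hosts and clients are made up,
# apart from www.salon.com, the page load the book describes.
SAMPLE_LOG = """\
192.168.1.20 - - [07/Jan/2002:09:12:03 -0500] "GET http://www.salon.com/ HTTP/1.0" - - "-" "Mozilla/4.0"
192.168.1.20 - - [07/Jan/2002:09:12:04 -0500] "GET http://images.salon.com/logo.gif HTTP/1.0" - - "http://www.salon.com/" "Mozilla/4.0"
192.168.1.20 - - [07/Jan/2002:09:12:04 -0500] "GET http://ads.example.test/banner.gif HTTP/1.0" - - "http://www.salon.com/" "Mozilla/4.0"
192.168.1.31 - - [07/Jan/2002:09:13:10 -0500] "GET http://games.example.test/index.html HTTP/1.0" - - "-" "Mozilla/4.7"
192.168.1.31 - - [07/Jan/2002:09:13:12 -0500] "GET http://games.example.test/play?id=3 HTTP/1.0" - - "http://games.example.test/index.html" "Mozilla/4.7"
this line is not CLF and must be skipped
"""

CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" \S+ \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_line(line):
    """Parse one CLF line into a dict with the URL's host added, or None if it does not fit."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    record = m.groupdict()
    record["host"] = urlsplit(record["url"]).hostname or ""
    return record


def summarize(lines):
    """Map each client address to a Counter of the hosts it requested."""
    per_client = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["host"]:
            per_client[rec["client"]][rec["host"]] += 1
    return dict(per_client)


def top_hosts(lines, n=5):
    """The n most requested hosts across all clients, as (host, count) pairs."""
    total = Counter()
    for counts in summarize(lines).values():
        total.update(counts)
    return total.most_common(n)


def watchlist_hits(lines, watchlist):
    """Sorted (client, host) pairs for watchlisted hosts; one pair per client and host."""
    hits = set()
    for client, counts in summarize(lines).items():
        for host in counts:
            if host in watchlist:
                hits.add((client, host))
    return sorted(hits)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for client, counts in summarize(lines).items():
        print(client, dict(counts))
    print("top:", top_hosts(lines, 3))
    print("watchlist:", watchlist_hits(lines, {"games.example.test"}))
```

Feed it urlsnarf's output with something like urlsnarf | python3 summarize.py, reading sys.stdin instead of SAMPLE_LOG; the watchlist is where the off-the-record talk the text mentions gets its facts from, without anyone having to read every URL.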

Supersniffer

Supersniffer is another pretty refined tool. This one is a lot more stealthy, and I'll cover why in a second. Its homepage is at http://users.dhp.com/~ajax/projects/ , and it can be downloaded from http://users.dhp.com/~ajax/code/ss/ss-1.3.tgz .

I'm not going to cover compilation here, or recommend using it. It's an advanced cracker tool, and frankly I think it's overcomplex. It has clever features for avoiding detection, which puts it in a category with a disposable, silenced pistol. It has few legitimate uses. Look at the Web page, and play with it if you like. Be wary of it.

A couple of the features I believe compromise its legitimacy are:

· Ability to appear as if it were being run under a different user name, making it easier to hide in plain view.

· Ability to detect users logging into the machine and to deactivate itself immediately.

· Ability to send all sniffed strings to a port on the machine, making the output easily accessible.

· Ability to compile without any "strings" in the binary, making it harder for an administrator to determine the purpose of the binary.

· By default, it only listens on Telnet, POP3, FTP, and login ports.

It also encrypts its output by default, but this is actually something I like: if I leave a sniffer running on one of my machines, I'd prefer that the output logs not be visible to the entire world.

Figure 11-6 shows supersniffer's output. Like I said, this is an advanced cracker tool.

Figure 11-6. Supersniffer sample output.

TCPDump

TCPDump is the next-to-last tool I'll mention. Unless you've been completely bored with everything up to this point, don't mess with it. That said, it's a standard tool that is available on almost every flavor of Unix. It also requires a lot more knowledge of TCP/IP to use properly. And it requires libpcap. It allows the most detailed examination of the packets on the network, and it requires the most skill to make it function properly. It's included in all distributions of which I am aware, so I won't cover compilation here. You can get that from http://www.tcpdump.org/ .

Ethereal

Ethereal is the most versatile and complete sniffer program I've seen yet. To top it off, it's free. It sits on top of TCPDump and basically makes a nice, user-friendly interface for it. The homepage is at http://www.ethereal.org/ , and the download is at http://www.ethereal.org/distribution/ethereal-0.8.15.tar.gz .

Compiling Ethereal

Ethereal requires GTK-1.2 or greater (which you have if you have anything approaching a recent distribution), libpcap (which you can install using the info from the dsniff section earlier in this chapter), and Perl (also included with any distribution). It's an autoconf-style package, and compilation only took about 7 minutes. Ethereal is actually very similar to the Windows tool NetXRay, but much easier to use and a tad more feature rich. Bear in mind, I have an old version of NetXRay, so my impressions may be wrong. Ethereal is good. (See Figures 11-7 through 11-11.) Get it. Use it. Love it.

Figure 11-7. Ethereal main screen.

Figure 11-8. Ethereal can follow a particular TCP stream (Telnet data here).

Figure 11-9. Ethereal can also examine a single packet of data.

Figure 11-10. Ethereal presents overall capture statistics.

Figure 11-11. Telling Ethereal where to grab data and how much to grab.

Floppy Linux (MuLinux), the Sniffing Station

MuLinux is a rockin' multifloppy distribution available from http://sunsite.auc.dk/mulinux . It's full featured and includes both X-windows and sniffit. Using a copy of MuLinux, anyone with physical access to your network can create a sniffing station in a few minutes, and then leave with all the data. You'll have no evidence that you were even sniffed. See Chapter 15 , Tools You Should Know, for more uses of MuLinux.
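Every sniffer in this chapter puts an interface into promiscuous mode, and on Linux that state is visible in the interface flags under /sys/class/net. The following is an added example, not code from the book or from MuLinux: it reads each interface's flags file and reports those with IFF_PROMISC (0x100, the bit value from the kernel's if.h) set. The demo builds a constructed sysfs-like tree in a temporary directory so it runs anywhere; the flag values in that tree are made up but use the real bit meanings.

```python
import tempfile
from pathlib import Path

IFF_PROMISC = 0x100  # bit value from <linux/if.h>


def is_promiscuous(flags_text):
    """True if a hex flags word, as read from /sys/class/net/<iface>/flags, has IFF_PROMISC set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_net="/sys/class/net"):
    """Sorted names of interfaces under sysfs_net whose flags include IFF_PROMISC."""
    root = Path(sysfs_net)
    found = []
    if not root.is_dir():
        return found
    for entry in sorted(root.iterdir()):
        try:
            flags = (entry / "flags").read_text()
        except OSError:
            continue  # not an interface directory, or not readable
        if is_promiscuous(flags):
            found.append(entry.name)
    return found


def build_fake_sysfs(root):
    """Construct a sysfs-like tree for the demo (values made up; bits follow if.h)."""
    # lo: UP|LOOPBACK; eth0: UP|BROADCAST|PROMISC|MULTICAST; eth1: UP|BROADCAST|MULTICAST
    for name, flags in {"lo": "0x9", "eth0": "0x1103", "eth1": "0x1003"}.items():
        iface_dir = Path(root) / name
        iface_dir.mkdir(parents=True)
        (iface_dir / "flags").write_text(flags + "\n")


def demo():
    """Run the check against the constructed tree; returns ['eth0']."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_sysfs(tmp)
        return promiscuous_interfaces(tmp)


if __name__ == "__main__":
    print("promiscuous in constructed tree:", demo())
    print("promiscuous on this host:", promiscuous_interfaces())
```

Run it from cron on the hosts you administer and alert on any non-empty result. Note what it cannot do: it only sees the machine it runs on, so a separate floppy-booted box plugged into the same hub stays invisible, exactly as the text says. The check is worth having for sniffers left on your own hosts; the wire itself is only protected by not sending passwords over it in the clear.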

Multitool Linux: Practical Uses for Open Source Software
ISBN: 0201734206
Year: 2002
Pages: 257