URL: www.monkey.org/~dugsong/dsniff/
Client OS: UNIX
Target OS: TCP/IP networks
Price: Free
Description: Dsniff is actually a collection of tools for sniffing passwords, e-mail, and HTTP traffic. (The nomenclature is confusing because one of the tools, the password sniffer, is also called dsniff.) The collection includes dsniff, arpredirect, macof, tcpkill, tcpnice, filesnarf, mailsnarf, urlsnarf, and webspy. Dsniff is a very effective sniffer on both switched and shared networks. It can sniff across switched networks using arpredirect (ARP spoofing) and macof, a utility that floods a switch with bogus MAC addresses to overflow its address table so that the switch falls back to repeating frames out of every port like a hub. Dsniff can capture authentication information for FTP, telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, NFS, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase, and Microsoft SQL.
Dsniff's ability to sniff across switches reinforces the need to encrypt every authentication exchange: a switch is not a security control. arpredirect captures traffic intended for other systems by sending spoofed ARP replies that associate the intended recipient's IP address with the sniffer's MAC address, so the sending system delivers its frames to the sniffer. The sniffer records a copy and forwards the traffic to the true destination using IP forwarding. Because the sniffer now sits in the path, it can cause a denial-of-service condition on the network being sniffed if it cannot keep up with the traffic or if forwarding is not enabled. Therefore, you must be careful when using this tool during penetration testing. If you intend to use arpredirect or macof, first test them in a nonproduction environment. In addition, arpredirect and macof are not passive: the forged ARP replies and the flood of unknown MAC addresses can be detected by ARP monitors and switch port security.
Use: Dsniff can be installed on a UNIX or NT platform. You must enable IP forwarding on the sniffing system if you intend to use arpredirect; otherwise the redirected packets are dropped and the victim loses connectivity, which is itself a denial of service. On Windows NT systems, you need to install a packet capture driver before using the tool. On UNIX systems you need to install three additional libraries (libpcap, libnet, and libnids) before the tool will build and run properly. The packet drivers and additional packages needed for your specific system can be found on Dsniff's Web site.
dsniff, the individual utility, is the password sniffer portion of the collection. It recognizes the authentication exchange of each supported protocol by port and decodes only the minimum amount of the session needed to extract the credentials, rather than storing whole connections. The tool looks for and recognizes passwords for a variety of systems and applications.
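The following is an added example, not code from the dsniff distribution, illustrating what a minimal dsniff-style password decoder does: pick a decoder by destination port, read only as far as the credential, and stop. The payloads are constructed samples (not real captures); FTP and POP3 share the USER/PASS exchange, and HTTP Basic authentication is only base64-encoded, not encrypted, so the password is recoverable from one header.

```python
import base64
import re

# Constructed client->server payloads keyed by destination port (not real captures).
SAMPLES = {
    21: b"USER alice\r\nPASS s3cret!\r\nSYST\r\n",
    110: b"USER bob@example.org\r\nPASS hunter2\r\nSTAT\r\n",
    80: (b"GET /admin/ HTTP/1.1\r\nHost: intranet.example\r\n"
         b"Authorization: Basic " + base64.b64encode(b"carol:Pa55word") + b"\r\n\r\n"),
    22: b"SSH-2.0-OpenSSH_8.9\r\n",   # encrypted protocol: nothing to harvest
}


def extract_user_pass(payload):
    """FTP and POP3 both send USER <name> then PASS <secret> in the clear.
    Stop as soon as PASS is seen; the rest of the session is irrelevant."""
    user = None
    for line in payload.decode("latin-1").split("\r\n"):
        m = re.match(r"^(USER|PASS)\s+(.*)$", line, re.IGNORECASE)
        if not m:
            continue
        if m.group(1).upper() == "USER":
            user = m.group(2)
        elif user is not None:
            return user, m.group(2)
    return None


def extract_http_basic(payload):
    """HTTP Basic credentials are base64(user:password); decode the header."""
    m = re.search(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
                  payload, re.IGNORECASE | re.MULTILINE)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


# Port-based dispatch, the same idea as dsniff's per-service decoder table.
DECODERS = {21: extract_user_pass, 110: extract_user_pass, 80: extract_http_basic}


def sniff_credentials(dst_port, payload):
    decoder = DECODERS.get(dst_port)
    return decoder(payload) if decoder else None


def harvest(samples):
    """Run every sample through the decoder for its port; None means nothing found."""
    return {port: sniff_credentials(port, data) for port, data in samples.items()}


if __name__ == "__main__":
    for port, creds in harvest(SAMPLES).items():
        print(f"port {port}: {creds}")
```

The SSH sample returns nothing, which is the point of the paragraph above: only protocols that carry credentials in the clear are harvestable, so encrypt the authentication exchange rather than relying on the switch.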
arpredirect is the tool that enables sniffing across switched network segments. It sends spoofed ARP replies that bind the intended recipient's IP address to the sniffer's MAC address, so the sending system delivers its frames to the sniffer. arpredirect captures a copy of each packet and then forwards it to the intended host. This was a major breakthrough in sniffing technology: before this tool, sniffing on switched networks was virtually impossible unless you could obtain access to the switch itself (for example, to configure a mirror port). However, if the network is very busy, your system may have trouble keeping up with the flow of redirected traffic, and if it falls behind you will cause a denial-of-service condition for the hosts being redirected.
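As an added example (not code from dsniff), the block below builds the kind of frame arpredirect sends, an Ethernet II ARP reply asserting that the gateway's IP address lives at the sniffer's MAC, and then runs it through a small ARP monitor that raises the alert a defender would watch for: an IP address whose claimed MAC changes. All addresses are constructed; the frames are built and parsed in memory, nothing is put on the wire.

```python
import struct

ETH_P_ARP = 0x0806


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an RFC 826 ARP reply claiming
    sender_ip is at sender_mac. arpredirect sends this with sender_ip =
    the host being impersonated and sender_mac = the sniffer's own MAC."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)   # Ethernet, IPv4, reply
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode an ARP-over-Ethernet frame; return None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {
        "op": op,
        "sender_mac": fmt_mac(frame[22:28]), "sender_ip": fmt_ip(frame[28:32]),
        "target_mac": fmt_mac(frame[32:38]), "target_ip": fmt_ip(frame[38:42]),
    }


class ArpWatch:
    """Remembers the MAC last seen for each IP and flags a change,
    which is the signal arpredirect cannot avoid producing."""

    def __init__(self):
        self.table = {}

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return None
        known = self.table.get(arp["sender_ip"])
        self.table[arp["sender_ip"]] = arp["sender_mac"]
        if known is not None and known != arp["sender_mac"]:
            return f"ALERT {arp['sender_ip']} moved from {known} to {arp['sender_mac']}"
        return None


def run_demo():
    """Constructed scenario: a genuine gateway reply, then the sniffer's forged one."""
    gateway_ip, gateway_mac = "10.0.0.1", "00:11:22:33:44:01"
    victim_ip, victim_mac = "10.0.0.50", "00:11:22:33:44:50"
    sniffer_mac = "de:ad:be:ef:00:01"
    legit = build_arp_reply(gateway_mac, gateway_ip, victim_mac, victim_ip)
    forged = build_arp_reply(sniffer_mac, gateway_ip, victim_mac, victim_ip)
    watch = ArpWatch()
    # arpredirect resends the forged reply periodically so the cache stays poisoned.
    return [a for a in (watch.observe(f) for f in (legit, forged, forged)) if a]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Note that the victim's view of the gateway is all that is poisoned here; the gateway's replies still reach the victim directly, which is why the sniffer must forward what it receives or the victim's outbound traffic is simply lost.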
macof is a tool that floods the network with frames from random source MAC addresses in order to overflow the switch's MAC address table. Once the table is full, the switch can no longer learn which port a legitimate host is on, so it floods those frames out of every port like a hub, which enables the sniffer to see traffic across the switch. Be careful using this utility, since it can cause a denial-of-service condition on the target network or switch, and switches with port security (a limit on MAC addresses learned per port) will shut down the attacking port instead of falling open. Test the tool in a nonproduction environment before using it during an engagement.
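To make the mechanism concrete, here is an added simulation (not code from dsniff) of a learning switch with a fixed-size MAC table. A macof-style flood of random source MACs evicts the real hosts' entries, so the server's reply to the client is flooded to every port, including the attacker's; with a per-port MAC limit enabled, the same flood err-disables the attacker's port and the table is unaffected. Evicting the oldest entry when the table is full is a modeling choice; real switches age entries on a timer, but the result under a sustained flood is the same.

```python
import os
from collections import OrderedDict


class Switch:
    """Toy learning switch: CAM table of fixed size mapping MAC -> port.
    Frames to an unknown destination are flooded to all other ports."""

    def __init__(self, ports, cam_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam = OrderedDict()
        self.cam_size = cam_size
        self.max_per_port = max_macs_per_port   # port-security limit, None = off
        self.err_disabled = set()

    def forward(self, in_port, src, dst):
        """Learn src on in_port, then return the list of egress ports for dst."""
        if in_port in self.err_disabled:
            return []
        if self.max_per_port is not None and src not in self.cam:
            learned = sum(1 for p in self.cam.values() if p == in_port)
            if learned >= self.max_per_port:
                self.err_disabled.add(in_port)     # port-security violation
                return []
        if src in self.cam:
            self.cam.move_to_end(src)
        elif len(self.cam) >= self.cam_size:
            self.cam.popitem(last=False)           # evict the oldest entry
        self.cam[src] = in_port
        out = self.cam.get(dst)
        if out is None:
            return [p for p in self.ports if p != in_port]   # flood
        return [out]


def random_mac():
    """Random locally administered unicast MAC, as macof generates."""
    b = bytearray(os.urandom(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)


def demo(with_port_security):
    """Server on port 1, client on port 2, macof on port 3 (constructed)."""
    sw = Switch(ports=[1, 2, 3], cam_size=1000,
                max_macs_per_port=2 if with_port_security else None)
    server, client = "00:00:00:00:00:01", "00:00:00:00:00:02"
    sw.forward(1, server, client)
    sw.forward(2, client, server)
    before = sw.forward(2, client, server)      # unicast straight to port 1
    for _ in range(5000):                       # the flood: 5x the table size
        sw.forward(3, random_mac(), random_mac())
    after = sw.forward(2, client, server)       # where does it go now?
    return before, after, 3 in sw.err_disabled


if __name__ == "__main__":
    print("no port security:  ", demo(False))   # client->server now reaches port 3
    print("port security on:  ", demo(True))    # port 3 err-disabled, path intact
```

The check a practitioner wants before running macof on a real network is the second case: if port security is configured, the tool does not open the switch, it takes your port down.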
tcpkill can be used to kill specific, in-progress TCP connections by injecting forged RST segments. tcpnice attempts to slow in-progress TCP connections by forging tiny window advertisements and ICMP source quench replies. This is useful when sniffing fast networks where the sniffer would otherwise have a difficult time keeping up with the traffic.
filesnarf captures files from network file system (NFS) traffic. mailsnarf captures e-mail traffic and saves it in mbox format for later viewing. urlsnarf logs the URLs requested over HTTP in a Web-server-style log format. webspy enables you to surf along with the person whose traffic you are sniffing: the tool sends each sniffed URL to your own browser so you can view the same pages in real time.
Benefits: Dsniff is an excellent tool for sniffing passwords on a network and for sniffing across a switched network. The collection of utilities enables you to target passwords, e-mail, and HTTP traffic.
Cons: The documentation is very limited. The packet drivers can be difficult to load if you are not familiar with them, and installing the additional packages and compiling the source code on UNIX can be difficult. Finally, the same functions that enable you to sniff across switches can cause denial-of-service conditions on the network.