Analyzing / Monitoring network captures with dsniff
Tutorial provided by
| Keeper |
If you readily have access to the network, be it open or encrypted with WEP or WPA, the capture files can show a lot of information on what the target network was up to.
The toolsuite dsniff, consists of dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf and webspy.
I'll be looking at:
urlsnarf shows the websites (urls) which were visited
driftnet can show pics of websites visited... (ooffff...)
dsniff can show passwords used in webforms
mailsnarf shows downloaded emails
Basically what we are doing is:
> capturing network traffic using airodump
> decrypting the network traffic using airdecap
> replaying the network traffic using tcpreplay
and using the above tools to check out the network session.
First stop is to identify our network that we want to monitor.
Code:
airmon-ng
airmon-ng start wlan0
airodump-ng mon0
Locate the network, specify channel, bssid and output file.
Code:
airodump-ng mon0 -c 4 --bssid 00:11:22:33:44:55 -w wpa
As we are capturing from a WPA network, and want to decrypt lateron, a handshake needs to be in the capture file.
(The packets will only be decrypted as from the moment the handshake is obtained)
So after starting the airodump capture, start a new console and deauth a user forcing that user to reconnect ensuring the handshake will be in the capture file ;
(Here i did the deauth attack twice just to be sure the capture would be included)
Code:
aireplay-ng mon0 -0 -5 -a 00:11:22:33:44:55 -c 55:44:33:22:11:00
In airodump we will see the handshake captured in the top right of the screen.
Now we (the target PC) happily browse away and after a while stop the airodump capture.
To decrypt the WPA capture file, we will use airdecap-ng.
Tto correctly decrypt we need the network ESSID, the capture file with handshake and the WPA passphrase.
Code:
airdecap-ng -e ESSID -p 'wpa_password' wpa-01.cap
If successfull, you will see x amount of packages decrypted and there will be a new file; wpa-01-dec.cap
This is the decrypted cap file.
Now to see what results we were able to obtain !
Open a new console and startup urlsnarf, specifying the local interface:
Code:
urlsnarf -i lo
To replay the network session, we use tcpreplay on the local interface using the decrypted file:
Code:
tcpreplay -i lo wpa-01-dec.cap
In the console running urlsnarf you will see details coming by of the websites visited.
To speed up the replay, you can use the -t option to go as fast as is possible.
Code:
tcpreplay -i lo -t wpa-01-dec.cap
When the replay is completed it simply stops and you can close the close the other consoles after checking what you wanted to check.
You can run the tools together ;
Open up seperate consoles for each tool, again specifying the local interface.
Code:
dsniff -i lo
Code:
mailsnarf -i lo
Code:
driftnet -i lo
(driftnet opens up a seperate driftnet window showing the pictures)
Then when those are up, open a console and run tcpreplay -i lo wpa-01-dec.cap.
After visiting several sites, entering passwords to sites, checking my email on Outlook Express, checking several semi-decent sites ... *cough* ... my results were ;
urlsnarf
works well in showing the urls visited, nothing to remark on there.
Below the results of checking out one of UK's "finest" newspapers...
driftnet
Did not show the amount of pics I was expecting to see.. but does show quite a few, it depends on the sort of sites visited, will need to do some more checking on this one.
Below he result of browsing through said newspaper in the driftnet window.. What class.. !
If NSFW.. emigrate.. ;)
dsniff
Only worked on 1 out 5 passworded sites I tried, not too impressed, but quite relieved to be honest !
The results from a browser game I am into:
mailsnarf
sometimes showed emails I downloaded from Outlook Express, sometimes didn't.
When I had several mails it showed them, when I only 1 to download, it didnt, part of a result of the time it did work:
All in all not a flawless result, but definately interesting and entertaining !.
As yet I have been unable to get webspy working using tcpreplay, a shame as webspy is reportedly able to
show realtime internet use in a browser window, which I had hoped would be able to be done using tcpreplay as well.
0 comments:
Post a Comment