Dsniff
From charlesreid1
Overview
What is dsniff?
dsniff is a tool for sniffing passwords from plaintext traffic. It comes as part of a suite of sniffing/snarfing tools that work like dsniff but extract other types of information (images, emails, URLs, etc.).
From the original readme:
dsniff password sniffer. handles FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP MS-CHAP, NFS, VRRP, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase and Microsoft SQL auth info. dsniff automatically detects and minimally parses each application protocol, only saving the interesting bits, and uses Berkeley DB as its output file format, only logging unique authentication attempts. full TCP/IP reassembly is provided by libnids(3) (likewise for the following tools as well).
dsniff can only sniff plaintext traffic, not encrypted traffic. As SSL-protected communications have become cheaper and more common everywhere (modern browsers, websites, networks, backend communication) in the past 15 years, the usefulness of dsniff on its own has diminished.
But SSL will never be implemented everywhere, and SSL itself has weaknesses. There are other tools to attack and remove the SSL layer, which makes communications vulnerable to dsniff.
How to use dsniff?
dsniff can be used in offline mode (pulling information from pcap files) or online mode.
To use dsniff to sniff live traffic, the machine running dsniff must be able to see traffic to/from the victim machine, unencrypted. (To use dsniff by itself to eavesdrop on communications, you don't have to control the traffic, just see it. To use dsniff with tools that actually modify the traffic, the machine running dsniff needs to control the traffic passing to/from the victim machine.)
An attacker can view or control traffic to a victim by using a man-in-the-middle (MITM) attack. There are many types of MITM attacks, but one example is ARP spoofing, where the attacker sits between the network gateway and the victim, tricks the gateway into thinking the attacker's machine is the victim, and tricks the victim into thinking it is the gateway.
Again, encrypted traffic is not visible to dsniff, so if the communications layer is protected with SSL, an SSL-stripping attack is needed in addition to the MITM attack, to strip the SSL layer. Then dsniff can see the traffic.
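A compact model of the dsniff behaviour described above (minimal per-protocol parsing, logging only unique authentication attempts), written here as an added example rather than taken from the dsniff source: it runs offline on constructed stream payloads, chooses the parser by destination port as a stand-in for dsniff's per-service triggers, and records usernames without the secrets, so it doubles as an audit of where plaintext logins still occur on a network you are responsible for.

```python
import base64
import re
# Constructed sample TCP stream payloads, not a real capture: (src, dst, bytes).
# The FTP login appears twice, as a client retry would, to show deduplication.
SAMPLE_STREAMS = [
    ("10.0.0.5", "10.0.0.21:21", b"USER alice\r\nPASS hunter2\r\nLIST\r\n"),
    ("10.0.0.5", "10.0.0.21:21", b"USER alice\r\nPASS hunter2\r\n"),
    ("10.0.0.7", "10.0.0.30:80", b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
     b"Authorization: Basic " + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"),
]
BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+(\S+)", re.M | re.I)

def ftp_users(payload):
    """Yield each username whose USER command was followed by a PASS command."""
    user = None
    for line in payload.split(b"\r\n"):
        verb, _, arg = line.partition(b" ")
        if verb.upper() == b"USER":
            user = arg.strip()
        elif verb.upper() == b"PASS" and user is not None:
            yield user
            user = None

def http_basic_users(payload):
    """Yield the username from every decodable HTTP Basic Authorization header."""
    for m in BASIC_RE.finditer(payload):
        try:
            creds = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError: malformed header, skip
            continue
        yield creds.split(b":", 1)[0]

def parse_stream(src, dst, payload):
    """Return (protocol, src, dst, username) for each plaintext login in a stream.
    Parser is picked by destination port; the password is deliberately not kept."""
    port = dst.rsplit(":", 1)[1]
    if port == "21":
        proto, users = "ftp", ftp_users(payload)
    elif port in ("80", "8080"):
        proto, users = "http-basic", http_basic_users(payload)
    else:
        return []
    return [(proto, src, dst, u.decode("utf-8", "replace")) for u in users]

def audit(streams):
    """Count attempts per unique (protocol, src, dst, user), as dsniff's log does."""
    seen = {}
    for src, dst, payload in streams:
        for entry in parse_stream(src, dst, payload):
            seen[entry] = seen.get(entry, 0) + 1
    return seen
```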
Tools
Dsniff Suite of Tools
dsniff sniffs for passwords, but there are other tools for sniffing other goodies:
- filesnarf – saves selected files sniffed from NFS traffic.
- msgsnarf – records selected messages from different instant messengers.
- mailsnarf – sniffs mail on the LAN and stores it in mbox format.
- urlsnarf – outputs selected URLs sniffed from HTTP traffic.
- webspy – sends URLs sniffed from a client to your local browser.
Additionally, dsniff comes with other tools that can be used to carry out a MITM attack so that dsniff can see the traffic:
- arpspoof – sends out unrequested (and possibly forged) ARP replies.
- dnsspoof – forges replies to arbitrary DNS address / pointer queries on the local area network.
- macof – floods the local network with random MAC addresses.
- sshmitm – SSH monkey-in-the-middle; proxies and sniffs SSH traffic.
- sshow – SSH traffic analyser.
- tcpkill – kills specified in-progress TCP connections.
- tcpnice – slows down specified TCP connections via "active" traffic shaping.
- webmitm – HTTP / HTTPS monkey-in-the-middle; transparently proxies.
In case of SSL-encrypted traffic, attempt to strip the SSL layer using:
Installing
# apt-get install dsniff
That will install all of the utilities above.
References
Software
original: https://www.monkey.org/~dugsong/dsniff/
working Mac version: https://github.com/ggreer/dsniff
Information and Guides
Dsniff/PlasticForkGuide_HackBB
https://www.soldierx.com/tutorials/Sniffing-Various-Passwords-MITM-DSNIFF-and-SSL-Strip