dsniff is a packet sniffer and set of traffic analysis tools written by Dug Song, a computer security researcher at the University of Michigan. Unlike tcpdump and other low-level packet sniffers, dsniff includes tools that parse the information sent across the network rather than simply capturing the raw data. The name "dsniff" refers both to the package and to one of the tools it includes: the dsniff tool decodes passwords sent in cleartext across a switched or unswitched Ethernet network. Its man page explains that Song wrote dsniff with "honest intentions - to audit my own network, and to demonstrate the insecurity of cleartext network protocols." He then requests, "Please do not abuse this software."
These are the files installed in the dsniff configuration directory, /etc/dsniff/:
/etc/dsniff/dnsspoof.hosts --> Sample hosts file. If no hosts file is specified, replies will be forged for all address queries on the LAN with an answer of the local machine's IP address. For example, to sniff Hotmail webmail passwords, create a dnsspoof hosts file such as:

```
1.2.3.4 *.passport.com
1.2.3.4 *.hotmail.com
```

where 1.2.3.4 is the IP address of your attacking machine. Local clients attempting to connect to Hotmail will be sent to your machine instead, where webmitm will present them with a self-signed certificate and relay their sniffed traffic to the real Hotmail site.
/etc/dsniff/dsniff.magic --> Network protocol magic
/etc/dsniff/dsniff.services --> Default trigger table
The man page for dsniff explains all of its flags; consult the Linux man page to learn more about using dsniff.
This is a list of descriptions for the various dsniff programs. This text belongs to the dsniff README written by the author, Dug Song.
| Name | Description |
|---|---|
| ARP spoofing | Redirect packets from a target host (or all hosts) on the LAN intended for another local host by forging ARP replies. This is an extremely effective way of sniffing traffic on a switch. Kernel IP forwarding (or a userland program which accomplishes the same, e.g. fragrouter :-) must be turned on ahead of time. |
| dnsspoof | Forge replies to arbitrary DNS address / pointer queries on the LAN. This is useful in bypassing hostname-based access controls, or in implementing a variety of man-in-the-middle attacks (HTTP, HTTPS, SSH, Kerberos, etc.). |
| tcpkill | Kills specified in-progress TCP connections (useful for libnids-based applications which require a full TCP three-way handshake for TCB creation). Can be effective for bandwidth control. |
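Because dnsspoof answers queries it sees on the LAN while the real resolver still answers too, a victim ends up with two replies to one transaction id, and the forged frame comes from a MAC that is not the resolver's. The following detector, an added example that is not part of dsniff or this page, scores constructed reply records (the resolver address, MACs and names are all assumed) on exactly those two signs:

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsReply:
    """One DNS answer as a sniffer would parse it from a LAN capture (constructed)."""
    txid: int      # DNS transaction id the reply answers
    qname: str     # name that was queried
    src_ip: str    # IP source of the reply (a forged reply copies the resolver's)
    src_mac: str   # Ethernet source of the frame (the forging host's own NIC)
    answer: str    # A record returned

# Assumed legitimate resolver for this constructed network and the MAC it is known by.
TRUSTED_RESOLVERS = {"10.0.0.53": "00:11:22:33:44:53"}

def find_spoofed_replies(replies):
    """Map (txid, qname) -> list of reasons the replies to that query look forged."""
    by_query = defaultdict(list)
    for r in replies:
        by_query[(r.txid, r.qname)].append(r)
    findings = {}
    for key, group in by_query.items():
        reasons = []
        # Two different answers to one transaction id: a forged reply raced the real one.
        if len({r.answer for r in group}) > 1:
            reasons.append("conflicting answers to one query")
        # A reply claiming the resolver's IP must also come from the resolver's MAC.
        for r in group:
            known_mac = TRUSTED_RESOLVERS.get(r.src_ip)
            if known_mac is None:
                reasons.append(f"reply from unknown resolver {r.src_ip}")
            elif r.src_mac != known_mac:
                reasons.append(f"resolver {r.src_ip} answered from MAC {r.src_mac}")
        if reasons:
            findings[key] = reasons
    return findings

# Constructed capture: a spoofed reply races the real one for txid 0x1a2b.
SAMPLE_REPLIES = [
    DnsReply(0x1a2b, "www.example.com", "10.0.0.53", "de:ad:be:ef:00:01", "10.0.0.7"),
    DnsReply(0x1a2b, "www.example.com", "10.0.0.53", "00:11:22:33:44:53", "93.184.216.34"),
    DnsReply(0x3c4d, "mail.example.net", "10.0.0.53", "00:11:22:33:44:53", "198.51.100.20"),
]

if __name__ == "__main__":
    for (txid, qname), reasons in find_spoofed_replies(SAMPLE_REPLIES).items():
        print(f"txid {txid:#06x} {qname}: " + "; ".join(reasons))
```

Only the www.example.com transaction is flagged; the mail.example.net reply came once, from the known resolver MAC, and passes.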