Script for sniffing traffic.

[comaX]

Regarding saving the images, I had more success with 'tcpxtract', however am not
sure whether this is included in the stock BT5 ..

Might be an option to look into though.

It rings a bell, I'll see if it's included or not. Thanks for the suggestion !

comaX, why not grep through the /tmp files and pull out drift-........ or whatever? copy them all into [pwd]/driftnet/ if the users says so? Like the other options...
Also, even thoug I love ascii art, maybe you should update the current header?..

I thought about that... And was thinking that before "killall driftnet" I should add something like "cp /tmp/driftnet/* /anydir".
That should do the trick right ?
And it's funny you should mention the header, I feel like changing too !

Xplico is worth a look too.

I'll give it one then !

Thank you guys !

I'll probably push an update today

[VulpiArgenti]

"cp /tmp/driftnet/* /anydir" Should be: cp /tmp/driftnet* /anydir

I know you'd have worked it out - thought I would save you the trouble http://www.backtrack-linux.org/forum...lies/smile.png

[comaX]

It wasn't a mistake, I planned on saving temp files to /tmp/driftnet/ so I could just select everything in the folder. But you are right, since the names all begin with "driftnet", it's simpler your way, and it makes it useless to create another folder.

Since both are valid, I decided to use driftnet *and* tcpxtract (that is way better imho, segmentation faults apart). The user can choose !

I hardcoded the destination folder as /root/capture_$(date +%d%m%y). What do you think about that ?

I also changed the ASCII

Edit : oh, by the way, Xplico doesn't seem to be present for me (xplico: command not found), so I didn't dig much...

[Snayler]

AFAIK, Xplico needs to be installed first.

[comaX]

It's in fact already installed under /opt/xplico/bin/xplico, but there are no symlinks for it. I however don't understand what it does nor what is should do... And there is no man entry for it. If someone could give me a little explanation, I'd be glad !
(Yeah I googled it... but a simple user-point-of-view and how it could be used would be nice ! )

[Snayler]

It's in fact already installed under /opt/xplico/bin/xplico, but there are no symlinks for it. I however don't understand what it does nor what is should do... And there is no man entry for it. If someone could give me a little explanation, I'd be glad ! (Yeah I googled it... but a simple user-point-of-view and how it could be used would be nice ! )

Thanks for the pointer. Then it's a question of creating a symlink inside the /bin folder. From what I remember from 1/2 years ago (when I first/last used the app), it extracts data from a capture file (maybe also from a real-time capture, not sure). Data can be images, http contents, e-mails, sound files,...

[ShadowMaster]

Xplico seems to be completely stand-alone. I'm not sure how you would allow for the automation that the rest of the script thrives on...

[comaX]

Yeahp, from what I read on the internet about it, it's nice to have it to analyse further packets captures but I don't see how it would be relevant here. Anyway, it's always nice to have propositions of some tool.

What's your take on urlsnarf ? I don't quite see the point of having a list of GET HTTP blah blah www.mywebsite.com/folder/ressource.ext

[Snayler]

What's your take on urlsnarf ? I don't quite see the point of having a list of GET HTTP blah blah www.mywebsite.com/folder/ressource.ext

It's always interesting to demonstrate that an attacker can study your browsing habits and use that knowledge to exploit a computer/steal passwords (dns poisoning/phising/etc...).

[VulpiArgenti]

Xplico is an interesting (and powerful) tool. It's best run on a dump (live capture mode is not as useful). It's easiest used through its web GUI so I agree wouldn't integrate well with yamas - just mentioned it while we were discussing image extraction.