
Thread: HOWTO: Use dsniff, driftnet, urlsnarf, msgsnarf with 802.11 capture files.

  1. #1 (Just burned his ISO, joined Aug 2006, 1 post)

    HOWTO: Use dsniff, driftnet, urlsnarf, msgsnarf with 802.11 capture files.

    So you captured some wifi data (802.11) with airodump-ng like this, for example:

    slax ~ # airmon-ng start ath0
    slax ~ # airodump-ng -w dump -c 11 ath0

    (Or you captured with kismet, etc.)

    Now you want to go back and pull out passwords, urls, instant messages and images from your capture file: dump.cap.

    It used to be no problem to get passwords from a capture with dsniff, but with Backtrack v.1.0 Final, dsniff will read just fine from a network interface, but it won't read from a file anymore (at least dsniff on my HDD install has this problem):

    slax ~ # dsniff -r dump.cap
    dsniff: record_init: Invalid argument

    And the other fun programs (driftnet, msgsnarf, urlsnarf, etc.) don't read files at all, they only work in real time listening on network interfaces. Driftnet won't even listen on 802.11 interfaces in rfmon mode:

    slax ~ # driftnet -i ath0
    driftnet: unknown data link type 119

    The solution: Use tcpreplay to play back the packets on a network interface so all the fun programs can work.

    One problem: tcpreplay is broken in Backtrack v.1.0 Final. If tcpreplay in your version of Backtrack is broken and you're using the HDD installed version of Backtrack, it's easy to fix:

    Download the latest stable release of tcpreplay (currently tcpreplay-2.3.5.tar.gz) here:
    http://tcpreplay.synfin.net/trac/wiki/Download

    Install like usual:
    slax ~ # tar xzvf tcpreplay-2.3.5.tar.gz
    slax ~ # cd tcpreplay-2.3.5
    slax tcpreplay-2.3.5 # ./configure
    slax tcpreplay-2.3.5 # make
    slax tcpreplay-2.3.5 # make install
    slax tcpreplay-2.3.5 # cd
    slax ~ #

    Another small problem, tcpreplay doesn't understand 802.11 headers:

    slax ~ # tcpreplay -i lo dump.cap
    sending on: lo
    validate_l2(): Unsupported datalink type: 802.11 (0x69)

    Not to worry, airdecap-ng can convert the capture to straight ethernet. Normally you use this program to decrypt encrypted 802.11 data, but you can also use it just to strip the 802.11 headers:

    slax ~ # airdecap-ng dump.cap
    Total number of packets read 256828
    Total number of WEP data packets 315
    Total number of WPA data packets 0
    Number of plaintext data packets 42287
    Number of decrypted WEP packets 0
    Number of decrypted WPA packets 0

    This creates a file named dump-dec.cap. If you need to decrypt the data as well, just include the necessary parameters (for example -e and -w) in the airdecap-ng command.

    Now we're going to replay the data on the local loopback ethernet interface (lo). This gives us an interface to send the data on without actually sending it out over the air or on the local network.

    First start your programs to listen on the local interface (in different sessions of course, so you can see the output of each):

    slax ~ # dsniff -i lo
    slax ~ # driftnet -i lo
    slax ~ # urlsnarf -i lo
    slax ~ # msgsnarf -i lo

    Then run tcpreplay (the -R option speeds up the replay):

    slax ~ # tcpreplay -i lo -R dump-dec.cap
    sending on: lo
    42287 packets (20751892 bytes) sent in 4.67 seconds
    4435909.0 bytes/sec 33.84 megabits/sec 9039 packets/sec

    Each sniffer sees the packets as they are replayed on the local interface. Hopefully, you will get a lot of interesting data!
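    What airdecap-ng does when it "strips the 802.11 headers" is rebuild an Ethernet frame from each plaintext data frame, picking DA/SA from the right address fields. This added Python example (not part of the original post or of aircrack-ng) shows that conversion on constructed sample frames; it assumes the per-packet radiotap/prism header and the FCS are already gone, and it refuses frames with the Protected bit set, which is why encrypted captures need the key first.

```python
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"   # LLC/SNAP header that precedes the EtherType

def wifi_data_to_ethernet(frame: bytes):
    """Rebuild an Ethernet II frame from one plaintext 802.11 data frame.
    Assumes the capture-level header (radiotap/prism) and the FCS are absent.
    Returns None for frames that carry no convertible payload."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 2 or subtype & 0x4:      # not a data frame, or a null-data subtype
        return None
    if fc1 & 0x40:                       # Protected bit: WEP/WPA, decrypt first
        return None
    to_ds, from_ds = bool(fc1 & 0x1), bool(fc1 & 0x2)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len = 24
    if to_ds and from_ds:                # WDS: Addr3 = DA, Addr4 = SA
        dst, src, hdr_len = a3, frame[24:30], 30
    elif to_ds:                          # station -> AP: Addr3 = DA, Addr2 = SA
        dst, src = a3, a2
    elif from_ds:                        # AP -> station: Addr1 = DA, Addr3 = SA
        dst, src = a1, a3
    else:                                # ad hoc: Addr1 = DA, Addr2 = SA
        dst, src = a1, a2
    if subtype & 0x8:                    # QoS data: 2-byte QoS control follows
        hdr_len += 2
    body = frame[hdr_len:]
    if len(body) < 8 or not body.startswith(LLC_SNAP):
        return None
    return dst + src + body[6:8] + body[8:]   # DA, SA, EtherType, payload

# Constructed sample frames (not taken from the thread's capture).
DA = bytes.fromhex("001122334455")
SA = bytes.fromhex("66778899aabb")
BSSID = bytes.fromhex("ccddeeff0011")
PAYLOAD = LLC_SNAP + b"\x08\x00" + b"\x45\x00" + b"rest-of-ip-packet"
# FromDS data frame: Addr1 = DA, Addr2 = BSSID, Addr3 = SA
FROM_DS = b"\x08\x02\x00\x00" + DA + BSSID + SA + b"\x00\x00" + PAYLOAD
# ToDS QoS data frame: Addr1 = BSSID, Addr2 = SA, Addr3 = DA, then QoS control
TO_DS_QOS = b"\x88\x01\x00\x00" + BSSID + SA + DA + b"\x00\x00" + b"\x00\x00" + PAYLOAD
# Same as FROM_DS with the Protected bit set: airdecap-ng would need -w/-e here
PROTECTED = b"\x08\x42" + FROM_DS[2:]

if __name__ == "__main__":
    for name, f in (("FromDS", FROM_DS), ("ToDS/QoS", TO_DS_QOS), ("Protected", PROTECTED)):
        eth = wifi_data_to_ethernet(f)
        print(name, eth.hex() if eth else "not convertible")
```

    The FromDS and ToDS/QoS samples yield the same Ethernet frame, and the Protected one is skipped, matching the "Number of decrypted WEP packets 0" line in the airdecap-ng output above when no key is supplied.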

  2. #2 (Junior Member, joined Jan 2010, 55 posts)

    yeah i was interested in doing that also... your guide goes beyond the two i wrote:

    HOWTO: strip out pictures from ethereal captures in seconds
    http://forums.remote-exploit.org/sho...ight=tcpreplay

    playing back ethereal captures at topspeed using TCPreplay
    http://forums.remote-exploit.org/sho...ight=tcpreplay

    my methods rely on using a live connection to pull the images. your way is much better, seeing as you can do it off-line. great guide hiwire!

  3. #3 (Junior Member, joined Jun 2006, 61 posts)

    Yeah it is. This is the first time I've seen it, but this is one that should be put in a library too. Now all you have to do is set up a laptop somewhere and just get data, and you can go over it at another time =D
    ::gets out all those old cap files I have and goes over them::
    "Only in America :P - where else can you find a company that makes a buggy product and makes tons of money from it, have people exploit the heck out of it and then make tonnes MORE money from selling their existing customers "upgrades" that induce MORE bugs?" -markds

  4. #4 (Just burned his ISO, joined Aug 2006, 4 posts)

    nice guide

    Nice guide there, but you can also just use tcpdump to do the trick.
    Note that this applies only to MSN.

    tcpdump -n -s 0 -i ath0 -w msn.cap port 1863

    and then

    tcpdump -A -n -r msn.cap | more

    or if you want to use airodump-ng:

    tcpdump -A -n -r dump.cap port 1863 | more

    If tcpdump doesn't understand 802.11 headers, just do the
    same thing with airdecap-ng, but it's unlikely.

  5. #5 (Just burned his ISO, joined Jul 2006, 13 posts)

    I take it this doesn't work for encrypt. packets though =[

  6. #6 (Junior Member, joined Jan 2006, 34 posts)

    Quote Originally Posted by Mr.Octopus:
    > I take it this doesn't work for encrypt. packets though =[

    As long as you've got the WEP key it'll work.

  7. #7 (Just burned his ISO, joined Jul 2006, 13 posts)

    As I imagined. So is there anything anyone knows about to insert the WEP key into undecrypted packets and 'decrypt' them 'on-the-fly'? Now that would be a nice feature.

  8. #8 (Just burned his ISO, joined Apr 2006, 1 post)

    Mr. Octopus,
    The Docs are your friend. Kismet will do this 'on-the-fly' as you speak of, just takes a little simple tweaking in the config file.

    Has anyone rigged up a script that allows this to be run in real time, stripping each packet of its 802.11 header and sending it directly to lo and thus to driftnet?

  9. #9 (Junior Member, joined Oct 2006, 37 posts)

    Thanks for this tutorial! But something is going wrong here. I started urlsnarf, dsniff, driftnet and msgsnarf and let them listen on lo.

    I have a big dump (over 600 Mb) and removed the 802.11 headers with airdecap.

    I let tcpreplay run with the file airdecap created, but only driftnet revealed one tiny picture.

    urlsnarf, dsniff and msgsnarf didn't show a thing.
    The dump I used is quite big and gathered over a couple of days, so there must be more in it than just one picture.

    What am I doing wrong here?

  10. #10 (Just burned his ISO, joined Aug 2006, 2 posts)

    When I try to run tcpreplay, this error comes out.
    Anyone know what the problem was?
    Thanks

    Code:
    BT tcpreplay # tcpreplay
    tcpreplay: error while loading shared libraries: libopts.25: cannot open shared object file: No such file or directory
    Updated: I had this problem when using version 3; I then downloaded version 2, and what was taught here worked! Thanks for the guide.
